Full Disclosure mailing list archives

Re: [Fwd: Re: Microsoft AntiSpyware: Will it be free and Vulnerable]


From: Dan Margolis <fd.lists.dmargoli () af0 net>
Date: Wed, 12 Jan 2005 00:15:57 -0500

On Wed, Jan 12, 2005 at 05:30:08AM +0100, devis wrote:
> That is where we do not agree. I do not believe a user should be able
> to install anything. I have set up a few unfortunates of my clients that
> get bugged randomly, with a 'user' limited user account and an admin
> account.

Sorry, I think I was unclear. I meant home users, which is why I
referred to the PC's owner. I fully agree that in a
corporate/educational/enterprise setting, users should not be admins. I
merely intended to point out that a large percentage of PCs out there
have "admins" who are ordinary users, and hence are prey to banner ads
that promise to speed up one's connection, e-mails claiming to be from
Microsoft, and the like. 

> Write a POC if it doesn't exist and please show that unix
> spywares in the home directory of the user are efficient.

It'd be trivial for me to write, say, a Perl script that daemonizes and
uploads IP address information (in fact, these exist, as clients for
services like DynDNS), who is logged on, etc. Or that uploads available
logfiles (browser history, etc). Please don't make me go to the trouble
to actually write this. 

And yes, it'd require a user to execute the code. But my point all along
is that user privileges alone, so long as they are able to execute code
(which they are on nearly every major Linux distro), are sufficient for
running spyware. 

In other words, so long as there are ignorant users, there will be
spyware and viruses and worms. This in no way is to say that OS security
is not important, but, as I said before, to blame it solely on OS
(in)security, or to assume that spyware -> insecurity, is incomplete. 

> but it does to install and therefore do its task.

How so? Not if an ignorant user runs it voluntarily. You may be entirely
right that much spyware on Windows exploits software holes, but much of
it also does not (even I, a non-Windows user, know of Kazaa,
RealPlayer, and similar). 

> Not trusting the user to improve is a big mistake. Not explaining why is
> equally a big mistake. The products got to change, and the users will
> learn. Education is the key, not covering the bad tracks of the OS writer.

This is basically what I've been saying: user ignorance circumvents most
software security. As long as the user (who is, of course, the admin as
well on a home computer) is uneducated, he is vulnerable, hence my point
before: software security is insufficient to prevent malware. 

It seems we agree, after all. :)
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

