(WAS: Re: Fwd: SF new column announcement: Microsoft Anti-Spyware?)

[Sebastian <sebastian () helsinki fi eu org>]

Just another 2 cents of whichever currency:
3. Educating users about what is good and what is not (basically meaning 
not clicking okay to everything)
5. Not giving users any rights they don't need. This means basic 
grouping (not by username but by function) and given access only when 
necessary.
6. Catering for the known holes (If wild VB controls, browser 
extensions, ActiveX etc. aren't really needed, disable)

Eves n such,

-Sebastian




Caeser Augustus wrote:

> Here's my 2 cents:
> Nothing really is unexploitable if you try hard enough.
> If by some real chance an average user in the world was using Linux,
> you can be sure that people who make spyware would have made it for
> that platform as well. It's just isn't plain business sense to do that
> as of now.
>
> And really, I heard so much hohum about MS's security record. OK I
> understand that MS maybe not into security that much till very
> recently. But when they did (SP2) this is what I see happened:
> 1) The average user : feels good about security but is confronted by a
> learning curve. Whatever it is, but I'm sure that an information bar
> is easier to configure than a hosts file.
> 2) The IT guys shout: "Don't install it".
>   - It breaks stuff.
>   - It's got security issues( My companies IT policy )
>   - Not stable.
> I'd say Hello. Wake up. Just because you're incompetent enough not to
> know about it, you term something bad. I mean a sheer amount of IT
> staff that I've knows is just point and click types. Boot off the CD
> Press enter thrice, click next next next, when you get password box,
> type admin or password and lo behold, you have Windows 2003 running.
> I'm not saying all are like that. There are serious professionals(btw,
> i'm not) who DO this job. Bust most aren't.
> 3) The crackers: It's got holes: it's exploitable. I think: off
> course. Everything is. Including the Linux Kernel. That's what makes
> this field fun.
>
> I'm sure, given enough motivation (read money), you can have as many
> spyware as you want for Linux/Unix/Freebsd whatever. It's just that
> not most of  supridentdents/Operations
> Managers/Nurses/Clerks/Executives/Sales Executives/Accountants who
> sits at his office/SOHO desk reading mail, does it on Konquror (even
> though it's free). So, no spyware.
>
> And oh, all this may be localised to India only, I dunno. But I have
> worked for an International Support Center, catering to THE average
> and the Admin level american/uk computer user. And that was the
> impression I got.
>
>
> On Fri, 07 Jan 2005 13:47:55 -0700, Kelly Martin <kel () securityfocus com> wrote:
>  
>
> > Matvei Kliuchnikov wrote:
> >
> > > From the article:
> >    
> >
> > > "because it's holes in Microsoft's operating system that built the
> > > entire spyware industry to begin with"
> > >
> > > That's just plain wrong. Spyware, by it's nature, is installed along
> > > with other applications that the user manually installs. Download
> > > KaZaa, for example, and you'll find that several other "spyware" apps
> > > are installed along with it. This has nothing to do with security
> > > vulnerabilites.
> > >
> > >
> > >      
> > You should really do a bit more reading before making such a definitive
> > statement. Only a portion of spyware is installed this way. Most of the
> > time the inclusion of spyware along with a legitimate application is
> > clearly indicated in the user agreement, but these click-through
> > agreements are rarely read and thus, the users gets a little more than
> > he is expecting.
> >
> > A huge amount of spyware gets installed in an entirely different way,
> > however, and has everything to do with vulnerabilities and/or unpatched
> > machines. I'm referring to bits of code that are installed without a
> > user's permission, just by visiting a website -- via security problems
> > with ActiveX, Javascript, JAVA, and unpatched vulnerabilities in
> > Internet Explorer. There are many, many examples of this. Have you never
> > seen a .DLL downloaded while visiting a website using IE? What about the
> > users that you support? It's pretty hard to surf the web nowadays using
> > IE without getting some kind of spyware.
> >
> > Things to watch for:
> > - has your browser's homepage been hijacked?
> > - do you see any unwanted toolbars in IE?
> > - do you see unwanted pop-up windows when you start IE?
> > - are you unable to reach Google.com or Yahoo.com, and get redirected to
> > another search engine instead?
> > - is there a trojan or keylogger reporting statistics about you back to
> > another location
> > - [the list goes on, and on...]
> >
> >    
> >
> > > Obviously, Microsoft has a shoddy record of security problems, but
> > > don't confuse the issue and continue spreading FUD.
> > >
> > >
> > >
> > >      
> > I can recommend that you read up on CoolWebSearch as an excellent
> > example of nasty spyware that is *not* user-installed, and does in fact
> > attempt to exploit vulnerabilities. There are many others.
> >
> > Regards,
> >
> > Kelly Martin
> >