Re: Microsoft AntiSpyware: Will it be free and Vulnerable

[Dan Margolis <fd.lists.dmargoli () af0 net>]

On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
> It is prooved matter that spywares do exploits IE holes ( Iframes bugs, 
> Active X etc etc ). Do your work on a few and you will see. 

Perhaps some do, but generally speaking this is unnecessary for spyware
to exist, as I said before; spyware exists regardless of such
vulnerabilities. 

> Beside, you 
> missed the point entirely: if an user, just by clicking, can install 
> spyware on his machine, then the OS / browser is to blame, not the 
> actual (bad) code (exploiting it) floating around websites.

A user can install spyware with one click for the same reason he can
install a *good* application with one click. Having the user run every
day with install privileges is relatively irrelevant; if he owns the
machine, he will have the ability to install things. Being prompted for
an admin password (as in the case of OSX) hardly prevents a stupid user
from installing crap. 


> Once again, you are missing the point completely, if M$ didn't 'slack 
> code' their OS, spyware would :
> 1) not install

How do you intend to make spyware not install while still allowing the
user to install other things?

> 2) therefore not exist in the form, numbers and variety we know them

See above. 

> I'll give you a clue:
> try to get a 'tool bar' or some 'other added bonus' automagically on 
> bsd/unix/linux/solaris using any browser, on any site, clicking randomly.

I cannot do so from "clicking randomly," but I quite easily can simply
from clicking "OK" to the download prompt. Firefox installs plugins and
toolbars just as easily as IE does. 

> As you said,
> 'It's very, very difficult to prevent people from voluntarily installing 
> spyware on their own systems.' yes indeed, because MS made it that the 
> average joe is an admin therefore has supreme powers out of the box.

So we don't give the *owner* admin privileges? Mac does this, as does
Linux. I don't know of a single OS where the machine's owner does not,
by default, have admin access. 

> Usability costs security. Always has, always will.

Of course. But the ability to execute code is pretty much
non-negotiable. I will never buy a general purpose PC on which I cannot
run programs of my choosing. And if MS sold one as such, you would be
here complaining about that instead. 

The point is, spyware does not require OS vulnerabilities to be spyware,
and it likely, for a long time to come, never will. I never argued that
Windows is the most secure OS, however, only that spyware does not imply
bugs. And that point should, by now, be crystal clear. 
-- 
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html