And another one just for fun!

Discussion in 'Computer Security' started by Lohkee, Aug 24, 2003.

  1. Lohkee

    Jim Watt Guest

    There is that view. However at present there is no alternative for
    most business applications.
     
    Jim Watt, Sep 18, 2003
    #41
    1. Advertisements

  2. Lohkee

    Mark Crispin Guest

    There is nothing intrinsic in the Windows OS that makes it more virus
    friendly. The flaw is in the email program that most Windows users run.
    Similar flaws have been found in MacOS email programs and even some UNIX
    email programs.

    It's slightly harder to convince a UNIX email program to run a UNIX binary
    or shell script due to the need for the x bit. But only slightly. In one
    highly amusing flaw that I remember from about 14 years ago, it was
    possible for a well-crafted message to set /etc/crontab.local since the
    agent that did the detaching ran setuid root.

    Additionally, it was not the Evil Empire which invented the concept of
    "just do the file's double-click action when all the user wants to do is
    open it." That particular bit of idiocy was around in non-Windows email
    programs at a time when you had to use a third-party TCP stack for Windows
    because Microsoft hadn't created Winsock yet.

    The entire culture from the mid-1980s until the mid-1990s was very
    anti-security. Security was considered to be an annoyance that got in the
    way of doing work, and one which could be discarded in the personal
    computer revolution. It was a *feature*, not a bug, that a personal
    computer user was effectively root.

    I will blame Microsoft for playing "catch-up" and copying what everybody
    else at the time was doing, instead of recognizing the obvious flaw and
    doing something better.

    Now we are all playing catch-up with the mainframe systems which were so
    gleefully shut down in the 1980s because they were big, expensive, and had
    this annoying security that got in the way.

    -- Mark --

    http://staff.washington.edu/mrc
    Science does not emerge from voting, party politics, or public debate.
    Si vis pacem, para bellum.
     
    Mark Crispin, Sep 18, 2003
    #42
    1. Advertisements

  3. Lohkee

    Dave J Guest

    Seems like you're missing the point there. There is no such thing as
    to 'open a file as a program', what there is is document formats that
    include methods of scripting that allow illicit access to the shell.
    Any document has to be opened by a program, and it's inside those
    programs, and the OS that contains them, that the vulnerabilities lie.

    Admittedly, OTTOMH many of those formats were microsoft designs, and
    an even larger proportion of incorrect implementations were products
    of the microshaft barbarians, but there is no such thing as 'running a
    file as a program' so of that much they are innocent.
     
    Dave J, Sep 19, 2003
    #43
  4. Lohkee

    Dave J Guest

    I still can't understand this thing of blaming the OS for the brain
    failures that allow people to open unknown executables or to view
    exploitable files using a vulnerable viewer (like IE or MS Word).

    I think that the local user being root *is* a feature. It's my
    computer and if I'm sat in front of it then I '0wn' it.

    First thing I do with any system is to smack down the restrictions
    until I always have access to everything on it.
    Why on earth wouldn't I?
     
    Dave J, Sep 19, 2003
    #44
  5. I remember trying to convince someone that I was avoiding using WinAmp
    because of its very popularity - that someone would some day find a buffer
    overflow or some such error in it, and then the next Britney Ferries MP3
    file that you fetch from that naughty p2p file-"sharing" initiative becomes
    a virus carrier. Scoff, scoff, scoff, was all I heard. "MP3s are just
    data, they don't contain executable content".

    Then the buffer overflow in WinAmp was discovered, and MP3s came out with
    executable content in them as a result. Silence all around (because I don't
    usually say "I told you so").

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones [MS MVP], Sep 19, 2003
    #45
  6. Lohkee

    Dave J Guest

    A long as you don't allow the mp3 file_id.diz equivalent (whatever
    it's called) there isn't a known hole in any implementation of the mp3
    reader itself. I don't think a vulnerable mp3 player (only) would last
    long before the vulnerability was found by accident.
    It never goes down well if you do so probably a wise move..

    You are quite right though, part of the disparity between windows and
    other OSs is just down to the popularity breeding the new discoveries.

    The other part is down to microsod not caring enough to review their
    own source and being too 'PLC greedy' (and sneaky) to open it up for
    peer review.
     
    Dave J, Sep 20, 2003
    #46
  7. Lohkee

    Guest Guest

    Tell that to IBM, Lockheed (who have just completed their move to Linux),
    the president of India (cf. the paragraph "Think different" of
    http://presidentofindia.nic.in/S/html/speeches/others/may28_2003_2.htm),
    and the city of what you call Munich:
    Subject: [blore-linux] Germany to replace 15 000 Windows desktops with Linux (fwd)
    From: "Frederick Noronha (FN)" <>
    Newsgroups: comp.os.linux.announce
    Date: 29 May 2003 19:35:02 GMT
    Message-ID: <>

    Even Steve Balmer couldn't spread enough FUD in the last case. Why then
    do you still try?
     
    Guest, Sep 21, 2003
    #47
  8. Lohkee

    Guest Guest

    According Microsoft, IE (or OE or whatever) is an unseparable part of
    the OS.
    The drag- and drooling GUI-users will never understand what you are
    talking about, so they'll never do it.
    It's a tiny step for a computer-literate person, but an unsurmountable
    obstacle to a virus/worm/...
    We are into distributed systems now, not mainframes and dumb (compared
    to PCs) terminals. So some concepts from that area won't work in this
    context.

    OTOH most users of PCs _need_ terminals like (say) an IBM3279 from
    days of yore.
     
    Guest, Sep 21, 2003
    #48
  9. Lohkee

    Guest Guest

    I didn't write that it was. Besides "Don't open attachments!" appears
    to be the Windows users' mantra if what I read in Usenet is a
    representative sample. They always use "open" when they mean "open, or
    maybe execute, or whatever".
    ^^^^^^
    That's as meaningless as GRÖFAZ to you. AKÜFI, anybody?
     
    Guest, Sep 21, 2003
    #49
  10. Lohkee

    Guest Guest

    Awmegoat! Because you don't want to be the almighty Zeus, who snips
    his finger and cities vanish in smoke. And that's because you are
    _not_ infallible, and not in 100.0000000% control of what you do. Even
    the Pope is considered infallible (by catholics) only when speaking ex
    officio. Most of the time you're best off with the restrictions of a
    normal user who can't do much damage.
     
    Guest, Sep 21, 2003
    #50
  11. Lohkee

    Dave J Guest

    Indeed so, I certainly understand my own fallibility, I keep multiple
    copies of most of the important stuff.

    The only way I've ever lost anything vital was in the days when I only
    had one harddrive and a hardware crash demonstrated that I should have
    been backing my news archive along with everything else :(

    I have *never* deleted a vital file or directory, I *have* lost hings
    to hardware failure. I have *always* '0wned' my system.

    Anything important is duplicated between HD's, anything vital is
    backed to CD, I've never needed those backups except for after an 'act
    of god'. Where's the problem?
     
    Dave J, Sep 21, 2003
    #51
  12. Lohkee

    Dave J Guest

    Sorry. Bad habits. - Off The Top Of My Head.
     
    Dave J, Sep 21, 2003
    #52
  13. In uk.comp.security, spamtrap(do not spam)@xivic.prima.de (Wolfgang
    True, but that does not counter the phenomenon where 'modern' systems
    are hitting the same (or very similar) problems that mainframe
    programmers encountered and solved many years ago - and often finding
    themselves re-inventing the wheel rather than learning from the
    solutions that the mainframe world came up with more than 20 years
    ago.
     
    Graham Murray, Sep 24, 2003
    #53
  14. Lohkee

    Lohkee Guest

    I agree. The control objectives that were around twenty years ago (I&A,
    DAC/MAC, Accountability and Assurance) are just as relevant today as they
    were yesterday, perhaps more so given the widespread use of personal
    computers for mission critical applications. The wide-open-anything-goes
    environment promoted by the PC industry was wonderful for growth within the
    industry in 1981 but it will never achieve a meaningful degree of security
    within the business environment simply because one is the antithesis of the
    other. This is not to say that PCs cannot or should not be used, only that
    people need to rethink their idea of how a PC should operate with regard to
    the business environment. Should a wordprocessor have the ability to imbed
    or execute code (thereby giving anyone with access the ability to write
    programs) on a corporate network? Should a company be taken seriously with
    regard to trusted computing when they routinely imbed games in their
    "professional" applications? Should an unidentified individual be allowed to
    load and run programs at will on your mission critical production system
    without your knowledge or consent (thinking email here)? Security is easy
    from a technological perspective, it is the damned PC mentality fostered by
    the industry that prevents it from happening (God forbid we give up the
    ability to surf for porn at work).

    Lohkee!
     
    Lohkee, Sep 25, 2003
    #54
  15. Lohkee

    Peter O Guest

    Pretty sobering comment.
    But what are the alternatives to crap AV SW?
    Pete
     
    Peter O, Nov 21, 2003
    #55
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.