I think you need to do a post on why are there spammers and virus creators in the first place? Why do we have such a huge industry built around stopping these people? Who are they really? They can’t all be pimply faced teenagers who are just trying to be annoying. Where is the market for creating trojans and viruses?
I admit I don’t understand it, there are so many good productive open-source projects people can get into and then they can say they were part of something good instead.
I must admit I just don’t understand the motivation behind it all. Do you?
And thanks for your posts, I read religiously. Keep up the good work.
Shane, you’re like I was, in that you don’t * THINK * like criminals do since you ask that question (a good sign, meaning you’re no scumbag).
I was exposed to it once I took the job I am presently in, which is helping out folks daily with their PC hassles, which today, is mostly removing malware infestations.
As an example, as to WHY it is done?
Well - You should look up the “Russian Business Network” as to some insights as to the “how/why” of WHY they are out there doing this stuff (malware creation):
It’s to make money, via stealing YOURS (or, your identity) via spyware/virus/trojans/rootkits/malwares of today, as to their motives…
Especially since folks are into online shopping (credit card # stealing here), OR, online banking (self-explanatory as to what they want to keystroke monitor here send to their servers, to sell to those that make fake charge plates etc.)…
Maybe I missed it, but does Jeff’s article say whether Admin + UAC on Vista is sufficient? Jeff, do you run Vista with UAC enabled? Has the security industry weighed in on whether Vista and UAC really addresses the issue?
Running VS.NET 2005 as a non-elevated admin resulted in all sorts of warnings the first time I ran it, suggesting I should run it elevated for any kind of web development. I’m not getting that kind of warning with VS.NET 2008. Did they fix that?
But what is the solution then? I read the whole thing interested and looking for a final comment like, that’s why in my opinion if you are running Windows Vista you should…
What’s wrong with snake oil?!
The only killer virus I ever got was a pop-up ad that advised me I had a virus and that I should buy their anti-virus product right away. When I refused to buy the product, it locked up the computer. When I tried to reboot fresh and reformat the drive, it shut down the computer. I guess they were going to get you one way or the other. Anyway, I’ve seen more than one AV or ASpyware ad that was a malware in disguise. So, be careful from where you get your AV!
Anyway, why don’t we just set up international clearing houses for all internet traffic, so that everything can be scanned and approved?
To falsify the argument about virus proliferation being due to market share, compare the number of viruses available for Macintosh System 7 versus Mac OS X. Mac OS X has a much bigger market share, so it would be expected to have more viruses — it has none in the wild.
If you’re running as a non-administrator you can’t accidentally infect the computer with a virus - you can run a trojan which goes and deletes every file you have access to, but that’s a different matter.
I have Sophos installed as part of the SoE for my iMac, and it’s a pain in the arse. Most of the mail I receive that gets tagged as “spam” causes Sophos to have a cry - it pops up a dialog box telling me that a particular file had a virus, so it’s going to deny me access. Unfortunately it uses the actual file name, not the name of the message or what mailbox it exists in. It also denies Mail the right to manage that file, so my Mail folder is getting filled with files I can’t delete (except by opening a terminal and issuing a sudo command).
I wasn’t going to open the files anyway (a spam announcing Russian brides, with a file attached called “postcard.exe” - I’m not that stupid, as evidenced by the fact that I use a Mac in the first place).
"Blacklists Don’t Work"
Every time I use virus software the “blacklist” takes files from my legitimate programs due to “guilty by association (similar file names)”, and then I have to repair the damage…
I have had several people ask me to help them sort out some kind of problem, connecting to printers or installing software, because they had recently bought a computer with Vista and were not running as administrator. Unfortunately I have not worked with Vista enough to support it over the phone… Anyway, obviously the core problem is not that they are not running as administrator, since Macs manage to make it super easy to install stuff even without having a user always be administrator. But it seems like Vista gets it painfully wrong for the average user…
I agree with the last comment - I think that the “future” of security will be a combination of whitelisting and virtualization (AKA sandboxing).
Actually, the .NET Framework already handles the whitelisting in a variety of ways. And while there’s nothing preventing spammers from obtaining digital certificates from Verisign for all their new worms, it would break down their economic model very quickly. The entire world does not run on .NET, of course, but a simplified model (without CAS) could be adopted for ordinary Win32/Win64 stuff.
Spam in email has been largely defeated by Bayesian spam filters. Maybe it’s about time we started doing something similar for comments. There is the possibility of false positives, but comments marked as spam could just be marked and sent off to the blog author for review. This would work equally well for flame comments.
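A presence-based naive Bayes comment filter with a held-for-review band, added here to illustrate the suggestion above; it is not code from the original thread, and the training comments, tokenizer and thresholds are constructed assumptions.

```python
"""Naive Bayes comment-spam filter with a "send to author for review" band.
Added illustration; training data, tokenizer and thresholds are assumptions."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Word presence (a set), so a repeated word cannot swamp the score."""
    return set(TOKEN_RE.findall(text.lower()))


class CommentFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing: one unseen word is never fatal
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokenize(text))

    def spam_probability(self, text):
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total_docs = sum(self.doc_counts.values())
        log_post = {}
        for label in ("spam", "ham"):
            n_docs = self.doc_counts[label]
            lp = math.log(n_docs / total_docs)  # class prior
            for word in tokenize(text):
                if word not in vocab:
                    continue  # a word never seen in training carries no evidence
                seen = self.word_counts[label][word]
                lp += math.log((seen + self.alpha) / (n_docs + 2 * self.alpha))
            log_post[label] = lp
        m = max(log_post.values())  # normalise in log space to avoid underflow
        norm = sum(math.exp(v - m) for v in log_post.values())
        return math.exp(log_post["spam"] - m) / norm

    def classify(self, text, block_at=0.95, review_at=0.5):
        """Certain spam is dropped; the grey zone is held for the blog author."""
        p = self.spam_probability(text)
        return "spam" if p >= block_at else "review" if p >= review_at else "ham"


def build_filter():
    """Constructed sample comments standing in for a real moderation history."""
    f = CommentFilter()
    for text in ["buy cheap viagra online now click here",
                 "free casino bonus click here to win",
                 "cheap pills online discount click",
                 "win money free casino online"]:
        f.train(text, "spam")
    for text in ["nice article, I agree that blacklists don't scale",
                 "running as non-admin fixed this for me, thanks",
                 "the registry point is fair but RUNAS works fine",
                 "great post, keep up the good work"]:
        f.train(text, "ham")
    return f
```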
There is another reason Macs and other *nix machines are less susceptible to viruses. Not everything is executable. Windows decides what can be executed based on filename. *nix uses permissions for executing. That needs to be addressed in Windows, but it would break so many applications.
At the core of it, Windows was designed to be a single user, isolated system. *nix were designed to be multi-user and on a network. They had the opportunity to fix it with the move to NT (3.5.1) but decided not to. Now it is so entrenched that there is no way to fix it and retain backward compatibility. If they break that, there is no reason for people to stay on Windows, and they will have to compete on the merits of the system, which is not something they have ever been good at.
P.S. Many of the applications I am required to use for my work will not execute as a normal user, and work only as admin. The registry was a poorly conceived concept, and whoever came up with it should be taught the most important phrase for their new profession “Would you like fries with that?”
This is all true, until you find someone with no anti-virus software who has a problem. Someone I knew had a problem with their machine and when we installed AVG and ran it, it found 197 viruses!
His computer ran OK after that!
But I get your point and it’s a valid one, to a degree - just take my example above.
To be honest, one of the first things that I do when I boot up is pause the scanning, so that I can get on with things. It takes an age to scan everything and at the speed the machine runs at, sometimes I’d be better off with an abacus! But on the odd occasion that I do let it run I’m relieved to find that there were “No threats found”.
I know this article is about blacklists. However I would like to point something out. Almost all software can be run as a non-admin, it is part of my job to figure out what needs to be adjusted in the system or the application to allow an application to work in our enterprise environment without administrator privs. Often it is simply a case of requiring access to a very specific resource that normally isn’t available to an unpriv user.
Developers need to learn how to test their software with ordinary user accounts. You can even develop as an ordinary user, we do it in our environment. You do it the same way you would in the Unix world, you use RUNAS to run specific operations as Administrator, and when you don’t need to be admin, you aren’t.
I really don’t believe that developers “need” to be admins, especially when what they are producing really DOES need to run as an ordinary user.
What about white-lists? More often than not the software that stays on your machine is very static.
Even developers do not change their software stack all too often. You need to white list build output folders though but since there is no consistency as to where these are from machine to machine, a virus writer would have trouble exploiting that weakness.
I’ve found that a good counter-measure is to use XP Pro’s built in functionality called Software Restriction Policies. Let Google be your guide.
It works beautifully on my parent’s machine and has kept them virus-free for a couple of years now.
I work on a team of three developers that has been developing ASP.NET web sites, WCF services, and ClickOnce WinForms apps for the past 18 months in the following environment:
The reason why admin rights are such an issue is because of the deployment strategies of many programs.
In my workplace, I had to get admin rights because I needed to install a newer version of Java Development Kit. Compare that to Digital Mars C++ Compiler, which can be installed by unzipping the folder, and adding the bin directory to the path.