The Perils of FUI: Fake User Interface

The problem is the need to allow interesting applications to appear in a web browser. This is at odds with actual web browsing.

IT shops want applications in a browser, and they want those applications to appear like and behave like applications everywhere. That means being able to do things like resize windows from script, eliminate chrome, and more.

I don’t want web sites I’m browsing to do that, but it’s hard to turn that on/off. Maybe we need more zone-specific security settings?

Microsoft is partly to blame, by numbing us with endless dialog boxes asking us if we’re sure. They think it’s safer, but it adds to the dialog numbness. Then it says you need some crap to get rid of other crap. Who’s the boss here??? Who pays the damn electric bill, the net bill, who owns the PC?? You do. Tell it NO, under no circumstances do you want anything it offers. Not well maybe if it’s free and good - nothing. That’s how you have to think to survive. Your own attitude and behavior is the only protection.

You combat that very easily: Mark every webpage as a webpage and do it in such a way that the webpage itself cannot (under no circumstances) remove this mark :) I’m surprised the browser vendors never came up with that concept.

E.g. draw a border around every webpage and offer no way for JS code to remove this border. Then you only need to educate the user: “If you see this border around something on the screen, it is a webpage, not an application, don’t fall for it claiming otherwise!” And being a webpage, it has no access to your local system (files or hardware devices), no matter what it claims.

This way hackers could only fake it the other way round. They could intentionally draw a border around their app window looking alike - but why would they do so? What advantage do they have to pretend they are just a webpage if they are in fact a local app and already have full access to your system? In that case they better present no UI at all, so users never detect that this app is even there and running.

However, no attacking website can remove this border and thus they will always be clearly marked as web content. Or use a semi-transparent icon in the upper right corner. Maybe put a transparent watermark over the page - it’s always the same concept.

The real problem though is that all current operating systems are not secure enough. In a perfectly secure operating system, all code needs to be signed (as Apple started in Leopard). You can say that you trust a vendor and thus you trust their signature. If you trusted a signature, the app gets full access as every app gets right now. But if you never trusted a signature or the code is not even signed, the app shouldn’t be allowed to access anything. No network, no files, no hardware devices, nothing. Whenever the app tries to do anything, the user is prompted for permission by the system, even if it just wants to read its own config file, doesn’t matter. That way the app can’t do anything without the user’s permission and the user will get exactly informed about every action of this app (e.g. which file it tries to read, which Internet server it tries to contact).

In practice most users will download software from vendors they know and make their signature trusted and never get bothered again. The OS itself is trusted by default and all default binaries of the OS are signed with a trusted signature. But as soon as you download any application from the Internet (possibly without even knowing that it got downloaded and executed), the app is like in a sandbox and only the user can remove it from there.

Then it’s only a question of educating users to not just allow apps they don’t know anything about to jump out of the sandbox and to educate them that rejecting an app request usually has no negative consequences. Very often I see users clicking on Allow because they are afraid, if they don’t allow it, they break something and their system ceases working. This is ridiculous. If a system stops working just because you once disallow a certain action, the system is a pile of crap and should be replaced by a decent system.

A good example of software that works according to a similar concept (but not for file or device access, only for network access) is LittleSnitch for Mac (one of the little utility apps I have actually bought as all freeware alternatives suck). Thanks to LS no app on my system (not even command line ping) can send any network traffic anywhere without LS popping up and asking me for permission. Then I can choose to allow this access once, till the app terminates or forever (because I trust it). Further if it says Firefox tries to access www.google.com on port 80, I can generalize the request. Instead of just allowing this, I can say “Allow all ports on this server” (so 443, HTTPS would now work with Google, too) or I can say “Allow all servers on this port” (so all port 80 requests will work, not just those to Google) or I can say “Allow any request, any server, any port” to completely remove the protection of the app (again, just for the session or forever). If I made a mistake and allowed an app more than I should have or if I blocked it permanently and now certain features won’t work, I can always modify the list of my permanent entries (and those for the current session as well) using a config tool. Further it detects if the hash of the binary changes, as someone could have replaced the app with another app to circumvent LS. Last but not least, LS works on kernel level using a kernel extension. A malicious tool could simply unload this kext (kexts can be unloaded at runtime in MacOS X), however, if it does so, network won’t work at all anymore (this is an intentional protection of LS; it modifies the network stack in such a way that no packets can go anywhere anymore if it’s unloaded at runtime).
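
Added example, not part of the comment above and not Little Snitch's own code: a simplified Python model of the rule behaviour that comment describes (default prompt, generalizing a rule to all ports or all servers, once/session/forever lifetimes, and ignoring a stored answer when the binary's hash changes). The class names, the app path and the stand-in binaries are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: "all servers" or "all ports"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Rule:
    app: str                 # path of the binary the user answered for
    binary_sha256: str       # hash of that binary at the time of the answer
    host: Optional[str]      # ANY = every server
    port: Optional[int]      # ANY = every port
    allow: bool
    lifetime: str = "forever"  # "once", "session" or "forever"

class Firewall:
    def __init__(self):
        self.rules = []

    def decide(self, app, binary, host, port):
        """Return "allow", "deny" or "prompt" for one outbound connection."""
        digest = sha256(binary)
        for rule in list(self.rules):
            if rule.app != app or rule.binary_sha256 != digest:
                continue  # other app, or the binary changed since the answer
            if rule.host not in (ANY, host) or rule.port not in (ANY, port):
                continue  # rule is scoped to a different server or port
            if rule.lifetime == "once":
                self.rules.remove(rule)  # a one-time answer is used up
            return "allow" if rule.allow else "deny"
        return "prompt"  # no applicable rule: ask the user, send nothing yet

    def end_session(self, app):
        # Drop answers that were only valid until the app terminates.
        self.rules = [r for r in self.rules
                      if not (r.app == app and r.lifetime == "session")]

def demo():
    app, v1 = "/Applications/Firefox.app", b"constructed stand-in binary v1"
    fw = Firewall()
    # User answered "allow all ports on this server", forever.
    fw.rules.append(Rule(app, sha256(v1), "www.google.com", ANY, True))
    return [
        fw.decide(app, v1, "www.google.com", 443),  # covered by the generalized rule
        fw.decide(app, v1, "example.org", 80),      # no rule for this server yet
        fw.decide(app, b"swapped binary", "www.google.com", 80),  # hash changed
    ]
```

The third case is the one that matters for the replaced-binary scenario: the stored "allow" is tied to the hash, so a different binary at the same path falls back to a prompt.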

Don’t do anything about FUIs.

Each infected computer brings its tech ignorant user one little step closer to a heart attack.

So hackers and FUIs are only a part of God’s evolutionary plan to wither away tech ignorance and eventually – make the world a better place.

I work at a computer shop, and I can’t tell you how many times I have seen similar viruses on customers’ computers. From what I can gather, most of them don’t even READ dialogs before they click ok. They don’t care. They just want to play their free online poker or whatever silly thing they’re doing.

I have had several customers who have ACTUALLY BOUGHT vundo/virtumonde variants such as WinAntivirus Pro, XPAntivirus, VistaAntivirus, etc.

These things are fairly nasty and we usually have to scan with several tools before it’s all gone.

The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:

Certain irony in this sentence after your previous post extolling the virtues of JavaScript.

Possible solutions are blocklists at either the PC or the router level and the NoScript and plug-in for FF.

Themes, fonts, spelling errors, exclamation marks, textual style - using these to distinguish FUIs is a dead end. The FUIs will just start to emulate the native style more accurately. And pretty much any Windows machine contains applications with such widely varying visual themes anyway that the pick your own theme solution won’t be of any use. (I don’t remember when I last saw a media player of any kind that looked anything like the rest of the applications).

Remember how some years ago filtering messages with wrong To: field got rid of the vast majority of spam because the spammers didn’t bother to forge that? They got smarter and now they put in not only the correct To: field, but often try to also use a plausible From: field too.

NoScript is a very useful extension to Firefox that would prevent this sort of attention diversion and spoofing. It’s very easy to train users to temporarily allow a site to use Javascript; most of the time very little is added via scripts anyway.

I say this as a professional web developer who dearly loves Javascript.

I surf with scripting disabled and opt-in as needed. The world needs NoScript. The UI is fairly easy to use; clicking on a disabled section of the page will allow you to enable it. The only thing lacking IMHO is a good tutorial/walkthrough for new users.

Hmm… This simply could not happen on a real os. Even if the UI was more convincing than these and someone was going to enter their admin password for it, you just can’t run code like this without the user knowing. ActiveX == BeyondFail.

I agree with Anti-sexist Pig. The “You and I may understand that distinction” juxtaposed with “Your wife?” (and no “Your husband?”) seems to imply that the “we” who understand this distinction and are reading this article are by default heterosexual males. I am not. As a female, I find this pattern of your wife/your mother/your grandmother (but not your husband/your father/your grandfather) as examples of noobs annoying.

Werd. I don’t think it’s an unlikely scenario that there’s a number of chicks reading this blog who get a bit irked at the way this is constantly used - certainly we’ve already found two (plus a sympathetic bloke-with-a-blog) who’ve commented.

Is it any wonder there’s no girls on the internets when standard discourse about teching the tech tech all leans towards the ubiquitous suggestion that women are, like, totally thick and wouldn’t know a tech if it teched right up to them and teched them in the face?

I don’t think anyone has mentioned yet the ultimate type of sandbox – a VMWare appliance that (a) is Linux based, and (b) starts from a clean image every time. I find it really useful if I’m ever in dancing bunny territory:
http://www.vmware.com/appliances/directory/browserapp.html

For those suggesting that changing the chrome will help: well, yes, it’ll help a savvy user a bit, but consider the usual smattering of desktop apps and their popup windows that are skinnable, captioned vs captionless, odd-shaped, etc. I have my own choice of background texture, fonts and colours, but many apps have their own ‘exciting’ UI that takes no account of my preferences.

Yes, it looks like a Windows dialog. Well, it’ll be pretty trivial to make it look like a Mac instead if they could be bothered. Your average mac user might bask in the glory of thinking they don’t need a virus scanner, but if a message pops up telling them their computer is slowing down or has a virus, then huge amounts of them are going to hit the ‘yes’ button.

mandrill

Alt-F4 will save you all.

Maybe we need two sorts of browsers.

One would be used only for browsing, and would only allow a limited amount of safe scripting. Nothing that could change the browser window, or open pop ups.

The other sort for web apps. This would allow the usual amount of scripting, but would only work with pages that had been specifically marked as an application. It might also require you to register a site before it could be accessed.

Sandbox those user accounts for your wife, baby.

And Virtualize. I liked your post on that :) And keep your docs on servers so you can access them from anywhere.

For those who say that MS should build an AntiVirus into Windows, could you imagine the lawsuits this would cause: Microsoft has an AV built into the OS and people aren’t installing my program! WAHHH!!!

Just use SD - Spybot - http://www.safer-networking.org/index2.html
Has an app called TeaTimer which helps to prevent unwanted registry entries.

As a female, I find this pattern of your wife/your mother/your
grandmother (but not your husband/your father/your grandfather)
as examples of noobs annoying.

I agree that he probably should have said spouse, but he never said grandmother. Let’s not make the poor guy out to be worse than he was.

As for the mother bit, he was talking about doing a web search for flowers (that was the specific site that was hacked). Perhaps your family’s different than mine, but I can’t imagine my dad ever visiting the Michigan Regional Lily Society website. Mom, on the other hand, I could see.

And while we are on the subject, let’s not forget that women can have wives too. :)

I suggest a minimum skills test and a licensing program before people are allowed to use a computer… :)

Wow. I had Norton doing a search in the background that I’d forgotten about. It popped up as finished about half way through the article and scared the cr*p out of me.

@kyle: That alone is the best idea ever created.