Re: Online THREATS
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: Sun, 29 May 2005 14:46:54 +0200
On Sat, 28 May 2005 08:37:38 -0600, Bruce Chambers
> Neither adware nor spyware, collectively known as scumware,
>magically install themselves on anyone's computer. They are almost
>always deliberately installed by the computer's user, as part of some
>allegedly "free" service or product.
> While there are some unscrupulous malware distributors out there,
>who do attempt to install and exploit malware without consent, the
>majority of them simply rely upon the intellectual laziness and
>gullibility of the average consumer, counting on them to quickly click
>past the EULA in his/her haste to get the latest in "free" cutesy
>cursors, screensavers, "utilities," and/or wallpapers.
You're drifting in the right direction, Bruce - from "Neither adware
nor spyware" through "almost always" to "While there are some" to
"the majority of them". This is better than previous "blame the
victim" posts that failed to acknowledge clickless attack at all.
That commercial malware installs "by user's consent" is the
cornerstone of what makes it commercial; it allows an entity to remain
visible enough to be paid, while being able to plausibly deny that
they are malware vendors and should be shut down.
However, the distinction between commercial and traditional malware is
blurring, for two reasons. Firstly, legal defence of the rights of
users has been so poor, that cm vendors are emboldened to act more
like traditional malware; persistence in Safe Mode, resistance to
detection and removal, and yes, clickless attack. Secondly, some
things that pose as commercial malware may not be, or are hosted by
businesses beyond legal jurisdiction.
Clickless attack is facilitated by IE, by design. Web-generated
content can spoof system dialog boxes, paint over the status bar or
page content, hook "close window" to actually launch themselves, and
so on. If a cm vendor wants to bypass user control, act against the
user's intent, or misrepresent themselves, IE provides all the tools.
Clickless attack is also facilitated by defect. Commercial malware
regularly exploits known code defects to get traction, such as those
within Java. That such behavior has not led to legal sanction is
proof of my earlier point, that cm vendors are not limited to "nice"
behavior because no-one is legally enforcing this behavior.
>> WHEN can Computer Users, find GOOD PROGRAMMES, Which are FOOLPROOF, at a
>> Reasonable Cost?
> Just as soon as those computer users accept responsibility for the
>consequences of their own actions.
When the system takes risk on behalf of the user, without giving the
user a chance to say no, then the full blame should be borne by the
system. Quick list: BadTrans.B, Kak, Melissa, Lovesan, Sasser,
Sapphire/Slammer, OpaServ... what do these have in common? ALL of
them are clickless attacks, where the only user blame you can
attribute is poor choice of software, and using it in default form.
>Just as soon as computer users stop expecting a computer to be no
>more complicated to use than a toaster oven.
And that will stop when vendors stop creating that expectation.
Windows hides risk info the user needs to see (e.g. file name
extensions) in order to make informed decisions. Then having
(reluctantly) displayed a risk indication such as file type, that the
user sees and consents to, the OS may act beyond that level of risk if
the actual material is at variance with the risk description.
For example, confronted with an .RTF file containing Word macros, the
OS concludes this is simply a benign error made in good faith, and
runs those macros automatically without extra user warnings. It's
like a cop who says "you'll never break into the house that way, just
by fiddling the locks; here, let me force open a window for you".
>But, as for "foolproof?" Never - fools are so damned ingenious;
>they're always finding new ways to screw up.
Yup. And the geniuses who write our OS are so foolish, they keep
offering new opportunities for the bad guys to screw us up.
The user makes no pretence of being a technical genius; in fact,
marketing keeps telling them not to worry about all that. It's the
system that beats its chest about how secure it is. So yes, while one
can blame both users and system, the expectations differ.
> Firewalls and anti-virus applications, which should always be used
>and should always be running, are important components of "safe hex,"
>but they cannot, and should not be expected to, protect the computer
>user from him/herself. Ultimately, it is incumbent upon each and
>every computer user to learn how to secure his/her own computer.
I do agree with you there. I see av as the "goalie of last resort",
not a license to be a drooling fool clicking everything in sight and
expecting your ass to be covered.
But a user can practise "safe hex" only if:
- they are asked
- accurate risk info is displayed
- the system acts no further than the risk consented to
If the system takes risk without asking the user (web site active
content, inserted disks, file content not being "opened" but merely
listed, ToolTip'd etc.) then the user cannot be blamed.
If the system provides no risk info at all ("here's an arbitrary file;
do you want to 'open' it?" or "here's an ActiveX control, which could
do absolutely anything; do you want to run it?") then the user has no
choice other than to risk everything, or deny interaction. Given the
Internet is about interacting with strangers, absent risk information
makes it impossible to do anything at all there.
If the system displays a low level of risk, then actually takes a high
level of risk, then once again, it's the system's "fault". If I say
"eat this cake", implying it's edible food, and it acts as a lethal
toxin, have you suicided or been murdered?
A problem is that XP is NT, and NT was designed to be a network client
within professionally-managed corporate installations. Several
ASSumptions flow naturally from that...
- the user's rights are trumped by the system administrator's
- the system administrator controls the PC from the network
- each user has a clearly-defined role
- so each user's login is shrink-wrapped around that role
- risk management is done by system administrator on user's behalf
- the system administrator is trained in the IT security model
- the PC doesn't matter, because all data is on the server
When you take an OS designed for those conditions, and drop it as-is
into consumerland, it's not surprising things don't work, because:
- user's rights are trumped by any notional "system administrator"
- the Internet is treated as just another big network
- so any fake "sysadmin" controls the PC from the Internet
- user may do many different things of varying risk
- so one login role doesn't fit all the things they want to do
- so everyone ends up running as administrator; maximum risk
- the user is not trained in the IT security model
- so user has no idea on how to manage risk
- the PC does matter, because all data is on it alone
If an OS is to be deployed in consumerland, it has to be shaped around
what the user knows and how the user operates. It's useless to expect
the user to behave as if they were an ant within a corporation.
I may start up Windows (why should I "log in", I'm the only user, duh)
and I may do my accounting, buy some stuff online, play a game, and
visit a few arbitrary web sites. The needs of those tasks differ
considerably; one set of access rights applied at logon misses the
spot entirely. I'd want my web browser to have zero access to my data
and zero rights to run stuff on my PC, but I'd want my accounting app
to access my data, and I'd want my game to have fast hardware access
but no access to the Internet or my data at all.
So at home, LUA isn't about the User, but the application. It's
pathetic to expect me to log in as a notional untrusted user to view
web sites, log out and back in as a trusted user to do my accounting,
and then log out and log in again as administrator in order to run a
game that requires fast access to hardware.
Some of the most dangerous things I may do - quickly visit a web site
while waiting for something - and some of the most data-dangerous
things I may do - quickly look up and edit a client's account in
response to a phone call - I may do while in the middle of other
things that differ in risk profile.
Yes, I *could* pretend to be a bunch of cubicle dwellers, and add an
extra 512M RAM so I can do fast user switching between accounts, but
it's still a clumsy and inappropriate way of doing things. Like
pretending my car is still a horse-drawn cart, and having to get an
annual veterinarian certificate for the "horse".
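As an added example, not code from the original post or from either poster: a small Python checker that models the two complaints above, that the shell hides the risk indicator (the extension), and that the OS then acts on what the bytes really are rather than on the type the name claims (the .RTF that is really a Word container). The hidden-extension list, the magic-byte table and the sample files are assumptions constructed for illustration; the checker recognises container types from leading bytes only and does not parse macros.

```python
"""Compare the risk a file name displays with the risk its content carries.

Added example (not from the post). Two separate findings are reported:
  content_mismatch - the full name claims one type, the bytes are another
  hidden_risk      - what the user actually sees understates that the
                     content is something the host will execute/run macros from
The extension list and magic table below are assumed, illustrative subsets.
"""
from dataclasses import dataclass

# Extensions a default "hide extensions for known file types" shell hides
# (assumed subset for illustration, not a registry dump).
HIDDEN_KNOWN_EXTS = {".txt", ".rtf", ".doc", ".exe", ".jpg", ".scr", ".pif"}

# Leading bytes -> real content kind (assumed minimal table).
MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy Word/Excel container
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg"),
]

# What a reader infers from an extension alone.
EXT_CLAIMS = {
    ".txt": "text", ".rtf": "rtf", ".doc": "ole-compound",
    ".exe": "pe-executable", ".scr": "pe-executable", ".pif": "pe-executable",
    ".jpg": "jpeg",
}

# Content kinds that can carry code the host will run (macros, native code).
ACTIVE = {"ole-compound", "pe-executable"}


@dataclass
class Verdict:
    displayed_name: str   # what the shell shows
    claimed: str          # type the full file name claims
    shown_as: str         # type the displayed (possibly truncated) name suggests
    actual: str           # type the leading bytes say it is
    content_mismatch: bool
    hidden_risk: bool


def _ext(name):
    """Lower-cased final extension including the dot, or '' if none."""
    return ("." + name.rpartition(".")[2].lower()) if "." in name else ""


def displayed_name(filename, hide_known=True):
    """Name as the shell would show it with 'hide extensions' enabled."""
    stem, dot, ext = filename.rpartition(".")
    if hide_known and dot and ("." + ext).lower() in HIDDEN_KNOWN_EXTS:
        return stem
    return filename


def sniff(data):
    """Identify content by leading bytes; fall back to 'text' for plain ASCII."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "text" if printable else "unknown"


def assess(filename, data):
    shown = displayed_name(filename)
    claimed = EXT_CLAIMS.get(_ext(filename), "unknown")
    shown_as = EXT_CLAIMS.get(_ext(shown), "unknown")
    actual = sniff(data)
    return Verdict(
        displayed_name=shown,
        claimed=claimed,
        shown_as=shown_as,
        actual=actual,
        content_mismatch=(claimed != actual),
        hidden_risk=(actual in ACTIVE and shown_as not in ACTIVE),
    )


# Constructed sample files (assumed, minimal headers only).
SAMPLES = {
    "invoice.rtf":    b"{\\rtf1\\ansi Hello}",                               # honest RTF
    "invoice2.rtf":   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,    # OLE doc named .rtf
    "readme.txt.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 10,                  # PE shown as readme.txt
}


def run_samples():
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:16} shown={v.displayed_name:12} claimed={v.claimed:14} "
              f"actual={v.actual:14} mismatch={v.content_mismatch} hidden_risk={v.hidden_risk}")
```

The honest RTF raises nothing. The OLE container named .rtf raises both flags: the name lies about the content, and the displayed name "invoice2" tells the user nothing about macros. The double-extension executable raises only hidden_risk: its full name is truthful, but the shell shows "readme.txt", which is exactly the gap between risk displayed and risk taken that the post complains about.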