Some thoughts about security
Saturday, December 24, 2016 by anotherside | Discussion: Personal Computing
I wanted to write something about security, especially related to automatic updates. Automatic updates are pushed as a security measure. Is having an updated system important? I don't have the answer, I just throw out the question.
From what I can see there are much bigger threats than viruses etc. The biggest threat is social engineering:
1. You get a support call from “Microsoft” and someone wants to help you “fix your computer”.
2. You get an e-mail from “Apple”, “Paypal” or any other big company asking you to click a link and log in to your account. I get these e-mails all the time and they are very dangerous.
Creating a successful virus takes a lot of skill and distributing it takes even more. Those with that kind of skill seem to prefer hacking large corporations like Yahoo etc. So never reuse passwords on many sites. Ransomware exists, but is it a big problem? Didn't those users install an infected file themselves? Just throwing out the question.
When Microsoft released Windows XP SP2 they urged users to install an antivirus product.
Vista and later never suffered the same virus problems XP did before SP2. Windows viruses still exist but compared to social engineering or hacked user accounts it's a small risk.
I ran unpatched Windows 7 without antivirus for six months surfing the web as an experiment. Then I scanned my computer with a couple of tools. Nothing found. I don't recommend anyone doing this. It was just an experiment.
If you use Android you are basically doing the same thing. Most Android devices run unpatched/not updated and without antivirus software. So why don't we hear about Android exploits? Maybe it isn't that easy to create a successful virus.
Windows XP has been unpatched for almost 3 years. They said massive attacks would happen to Windows XP users after April 8 2014. I haven't heard about massive Windows XP attacks. Windows XP is the third biggest Windows OS. Bigger than Windows 8.1. Bigger than MacOS and Linux combined.
https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
An OS that has been unpatched for almost three years. Wouldn't this OS be like a sitting duck for malware creators? I don't recommend Windows XP, but it's probably no worse than using an average Android phone.
I see fear mongering surrounding the topic of updates. It's better to run an updated system than something old and unpatched.
But compared to social engineering and hacked user accounts, malware is by far the lesser threat I think.
Good antivirus software and sane computer habits go a long way. That's basically what keeps all those Windows XP users safe.
Feel free to agree or not agree. Merry Christmas!
Reply #2 Saturday, December 24, 2016 6:12 AM
I have been running Windows 7 for a couple years with only the Service pack 1 installed, and that is only because some software I use requires the service pack to function properly. I never install any other windows updates or security updates. I use a paid anti-virus (Avast) and have recently added Cybereason anti-ransomware. I run an automatic backup program that does a backup every day at a certain time. I also have an additional extra disk for redundant storage. After these many years, I have never had an issue and my Desktop runs as snappy as it ever has.
--Ace--
Reply #3 Saturday, December 24, 2016 8:14 AM
When I ran XP it was SP3. I had one problem and that was entirely my fault, being such a noob back then. Win 7 ran like a dream. Never had any serious problems, none that I couldn't fix anyway. All the anti-virus apps I used and still use, are free ones. That was during a time when both Semantic and the other guy were nearly written off. After that not one virus got through. Then along comes Win 8, a disaster looking for a place to happen. And it happened to a lot of people forcing MS to put 8.1 out there. Now there's Win 10, MS's wild west OS. Same a/v apps since Win 7 and they work, having displayed what they caught. I'm satisfied.
Reply #4 Saturday, December 24, 2016 8:34 AM
Yeah, I get those calls from people saying they are a Computer Technician from Microsoft sometimes. But what they don't know is that I was a Technician for 12 years too. So I politely tell them that "Oh wow! I am a Computer Technician too! This is so cool, so shove it up your ass!"
Reply #5 Saturday, December 24, 2016 12:08 PM
Last 'tech' call I got from 'MS', I just turned my head slightly from the mouthpiece and said: "Officer, I've got one of those technical support scammers on the line. Do you want me to keep him talking like last time?"
"Click".... beep, beep, beep.....
Mongrel hung up before I could ask how to stop BSODs [Brazen Sons Of Dicks] from calling me and pretending to be MS support.
Reply #6 Sunday, December 25, 2016 1:03 AM
@ OP
You raise good points about social engineering being a large threat in your OP however your post misses some very important marks. Bear with me while I illustrate.
1. You say you ran an unpatched Windows 7 machine for months with no antivirus and nothing. Ok well what does the edge of your network look like? I'm pretty sure you're running at least a simple SOHO router (60-dollar piece of shit from Best Buy) which while 'crappy' (when compared to real firewalls) still does perform the basics of NAT and some limited packet inspection/validation. Even if you're not running your own router, these days I know of NO ISPs whose modems don't do at least an 'adequate' job of same. If you were to have tried your 'experiment' even say as recently as 4-5 years ago you would have had dramatically different results. Back then most ISP modems were just straight pass-through connections (no NAT, no packet inspection etc.) and many home users had no idea what a router even was. So I put forward, it is not that the threat isn't there, it is more so that the threat is mitigated (at least in part) by newer network gear provided by the ISPs and home users getting default protection by using routers (even if the REASON they got the router was only to share WiFi with their 7 children).
2. Your friendly neighborhood switches and routers have also become smarter and have heuristics running against their traffic patterns (if the ISP is worth anything at all) so virii (even really damn dangerous beasts) can be somewhat more contained and isolated BEFORE the DNS server your systems use gets poisoned and silently re-directs your web requests through China or Russia.
Yes, social engineering still (as always) plays a large part; but it would be unwise to think that because a threat is 'less visible' (to the layperson) that it has been dealt with, was over-blown, or worse yet.....wasn't there at all.
Reply #7 Sunday, December 25, 2016 4:53 AM
Yes, social engineering still (as always) plays a large part; but it would be unwise to think that because a threat is 'less visible' (to the layperson) that it has been dealt with, was over-blown, or worse yet.....wasn't there at all.
Exactly! I use common sense and try to avoid situations where I could become infected or held for ransom, etc, but I still would never run a machine without anti malware/antivirus software. And just because I've not been infected since 2004-05, during my computing infancy, I do not assume the threats aren't out there. Quite the opposite, in fact, which is why I run the protections, delete suspicious/unknown emails and avoid suspicious sites/pages/downloads.
Yup, there's always some asshat out there who's willing to do harm or rip people off.
Reply #8 Sunday, December 25, 2016 5:50 PM
It's good you are giving me a chance to explain this better. I know I wasn't 100 % correct in my OP.
I shouldn't have written “unpatched”. I should have written “not up to date”. My experiment was done a few years ago, let's say around 2012. Windows wasn't unpatched, it had SP1 on it. So basically it was Windows 7 SP1 that hadn't been updated for a year or so. I was only visiting “safe sites” and Windows firewall was on.
There was no additional hardware in my home. It was an Ethernet cable straight from the Ethernet port of the computer to an Ethernet port mounted on the wall of my apartment. I know there is a room full of hardware in the basement of the house and additional hardware at the ISP level. Very possible it gave me some protection.
I don't suggest anyone run Windows without anti-virus. As you know anti-virus is built into Windows 8 and newer.
I might add that my current anti-virus (Panda Free) never warns me about anything. Maybe it's a bad anti-virus, maybe there is nothing to warn me about. For most viruses you do have to “click on them” for them to be able to activate. Otherwise it's just an infected file.
I just wanted to provide some sane arguments against the update-hysteria pushed by Windows 10. Microsoft is sometimes speaking like they are holding the golden key to computer safety. Because computer safety is so much more than binary code no OS maker can “keep their users safe”.
Having a patched/up to date OS is good. Having anti-virus installed is even more important.
Most important is to not execute/install files that you do not trust. If you do you are relying on your anti-virus to catch it. In the case of ransomware most anti-virus products might not handle that.
I know there are drive-by viruses, but how much damage can they really do? I don't really know.
What I do know is that I don't like being a beta tester. I always install updates when they have been out for a while and “their consequences” are known. This can save you a lot of trouble regardless which OS you are using. It's about peace of mind and a stable computer. Anti-virus makers (including Microsoft's own Windows Defender) tend to address threats faster than Microsoft patches the OS itself so it's not like you are without protection by delaying updates.
Reply #9 Monday, December 26, 2016 12:41 AM
I just wanted to provide some sane arguments against the update-hysteria pushed by Windows 10. Microsoft is sometimes speaking like they are holding the golden key to computer safety. Because computer safety is so much more than binary code no OS maker can “keep their users safe”.
One thing Microsoft surely doesn't hold is the golden key to computer safety. Yes, it's great that they issue security patches when exploits expose vulnerable code, but I would never put my faith entirely in MS's antivirus/antimalware software. No, it [Windows Defender] has been rated rather lowly by various testers, so I opt for a 3rd party solution there.
For several years I trusted Avast free and never had an issue, but I got a discounted offer from IOBit and now use the pro version of its Malware Fighter, with no issues thus far. What I like is that it automatically scans for threats thrice daily and will update daily, sometimes twice or more, to accommodate new exploits, etc. The golden key to computer safety, however, is user common sense [not that sense is too common these days].
As you say, avoid opening unknown/untrusted exe files, and anything else for that matter, including emails from unknown sources. Safe surfing is another thing to help one stay safe, though I don't see too much of that when people bring me their infected machines to fix. Surprisingly, porn sites are not the leading source of malware. I've lost count of how many machines I've fixed for people who experienced issues immediately after visiting music related sites for research, sheet music and other downloads.
Reply #10 Monday, December 26, 2016 1:35 AM
The single most important aspect with regard to security in computing is 'least privilege'. If you or (in the case of OS operations) the OS functions do not explicitly require elevated privileges to complete the current set of tasks those privileges should not be in use, period. I have no problem confidently running a patched or unpatched system of ANY OS with a straight connection to the internet as long as a policy of 'least privilege' is being strictly enforced on said machine.
That actually is the 'golden key' to computer security. Of course most people working in the world of IT like to keep that part hush hush since people who don't know that simple fact pay their bills.
EDIT:
***DISCLAIMER*** (the following is my own personal experience only and not to be taken as anything more/less)
I have always employed the 'least privilege computing principle' on any/all systems within my own personal control. I have never installed any additional anti-virus, anti-malware, or other third-party 'security' software (of course anything 'included' with the later versions of Windows has remained installed). I prefer not to give away system resources to software I'm reasonably sure does a shittier job of protecting me than employing that simple principle and I have never had any issue relating in any way to malware, ever.
Reply #11 Monday, December 26, 2016 7:55 AM
I'd often thought about using a non-Administrator account to prevent drive-by exploits etc. infecting my machine. However, I have always been dissuaded by various articles and comments that suggest disadvantages to running a PC that way; such as not being able to install desired, wanted, needed software unless switching back to an administrator account with elevated privileges. Mind you, it was some time ago when I last considered it and things may have changed since then.
Thing is, I run the UAC function in Windows on full so that I have to give permissions for everything to be installed. Some people think that's a pain in the proverbial and disable UAC to save a few mouse clicks, but I think that is unwise and don't mind going to the few extra steps to install programs I want or need.
Another thing I find helpful in avoiding 'less desirable' sites is uBlock Origin; a browser add-on that uses compiled lists of 'bad' sites to block redirects and the like. I mean, I don't know all of the unsavoury sites out there, so I don't mind a bit of help to block them. Just the other day I was doing some research on older actors like Robert Mitchum and Burt Lancaster, and when I clicked on links to pages I wanted I kept getting these pop-ups which uBlock Origin recognised as being less than desirable and thus blocked their content. I do have a pop-up blocker which is usually effective in preventing undesirable pop-ups and unders, but lately a few of these 'seemingly legitimate sites' have been successful in bypassing it.
Luckily I have a second line of defence in uBlock Origin; and if that fails I manually shut down pages I didn't ask for, as well as wiping my browsing history and internet cache when I close my browser. I have a simple rule for unsolicited web pages: either somebody is up to no good or they want something I'm not willing to give; eg, money.
Reply #12 Monday, December 26, 2016 10:29 PM
@the_Monk and starkers
Thanks for an interesting discussion. I started thinking about privileges, not running as administrator, UAC and more. I use an administrator account in Windows 7 because it is the default account after installation and it makes me feel like an important person. In Windows 8 and newer you are not using an administrator account by default I think. Thinking about these things made my head feel heavy. So I wrote about something else instead. It was still supposed to be about security. It became more of a Chrome OS rant and then a more general rant.
The malware problem is tied to the fact you are allowed to install applications outside a store/repository. A store may also contain malware, especially if it contains 2.6 million applications like Google Play Store. It's a crazy number so I provide this link as proof:
https://www.appbrain.com/stats/number-of-android-apps
I don't consider malware to be the biggest threat, but Chrome OS has probably solved the malware problem. Chrome OS is said to perform an OS integrity check every boot. Since you can't install anything on Chrome OS, only system processes are running.
From a technological perspective Chrome OS is interesting. From any other perspective it is uninteresting I think.
Chrome OS would be the OS of choice for a lot of people if it could do the basics. Like printing (like normal Linux), having local storage, and a few essential “offline” applications (screened applications in a Google repository). Just the basics.
Instead Chrome OS is so barebones it's almost useless for most people. Marketshare is pretty telling. Linux has a 2.31 % share (see link in OP) and that includes Chrome OS.
Desktop Linux doesn't really have any backing in the marketplace. Chrome OS has massive backing. Every OEM makes a Chromebook. Chrome OS is available on nice hardware at low prices.
In a desperate move Google is going to bring Android applications to Chrome OS. Is that what people want? How about basics like printing and local storage?
Instead of just adding a few missing pieces to Chrome OS, Google will bring Android junk to the platform. For those who want Android and a keyboard there are already other solutions.
I think Chrome OS is a missed opportunity to create a malware-free mainstream platform. It's clear that after 6 years on the market with massive backing and a marketshare around 1 % this platform is not doing well.
Chrome OS has achieved 1 % market-share in a time when:
People aren't happy with the latest version of Windows
Mac has its most unimpressive/most expensive lineup ever
Desktop Linux continues to reinvent itself and suffers stability problems
This is my take on the current situation:
There is nothing holding back Windows 10 adoption except Windows 10
There is nothing holding back Mac adoption except Apple
There is nothing holding back Desktop Linux adoption except Desktop Linux
There is nothing holding back Chrome OS adoption except Chrome OS
Those willing to provide consumer improvements will gain market-share. However, the desktop is probably done. Now it's about virtual reality, augmented reality, Internet of Things, bots, talking to your computer and running malware scans on your fridge. Internet of Things might prove that today we are actually living in blissful simplicity. Who would have known?
Reply #13 Tuesday, December 27, 2016 12:34 AM
Once upon a time I had [still have] a demo install of 'QNX' ....a self-contained OS that could do pretty much anything 'needed' by an average user.
It fitted entirely [on a compressed 1.44meg floppy] and simply loaded into ram and ran from there.
Back in the days when a Win OS install was measured in megs, not gigs ... and 256 meg of ram was HUGE....
http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html
Have a look at RTOS systems some time...
Reply #14 Tuesday, December 27, 2016 2:55 AM
In a desperate move Google is going to bring Android applications to Chrome OS. Is that what people want? How about basics like printing and local storage?
That's why I'd never bother with Chrome OS... no matter how low the cost of hardware was. I was never fond of Android on phones, so I'd certainly never entertain it on the desktop. Besides, how can they call it an OS when it is so sadly lacking in functionality and features?
Sadly, there is no real competition to Windows, which is why MS does what it wants and "screw the consumer". Apple prices its products way too high, like it's an exclusive club or something; Linux is years off being a mainstream OS that's easy to use for the average user; and Chrome OS/Android, well they're little more than glorified app launchers that seriously compromise the user's ability to get any serious work done. Hence we're stuck with Windows as being the dominant [almost only viable] OS to work with... and that's not good from a consumer's point of view.
Microsoft's dominant market position over the years has allowed it to pretty much do what it wants... like forcing users to upgrade to Win 10 when they didn't want to. For mine, that was a Windows security breach right there, with users finding their machines were altered overnight and opening a new OS they neither wanted nor consented to.
Yup, sometimes the greatest security threat to Windows is Microsoft itself.
Reply #15 Tuesday, December 27, 2016 7:39 AM
I said before SD should create their own OS. At least it would work.
Reply #16 Tuesday, December 27, 2016 10:06 PM
Have a look at RTOS systems some time...
I actually felt better about software when things were measured in megs instead of gigs. Of course some things like the size of textures will naturally grow to accommodate the demands of 4K.
I'm not a gamer, but I have read that some modern “AAA” games can use as much as 60 GBs of your storage. Mind-boggling and also somewhat unsettling I think.
Another tiny (RT)OS is Menuet OS, written entirely in assembly language. Please note skinnable windows and that it fits on a floppy. Just gained support for 32 GB of RAM.
Some nice screenshots on their homepage:
http://menuetos.net/screens.htm
There's something nice about the fact that so many features can fit on a floppy.
@starkers
Completely agree.
I said before SD should create their own OS. At least it would work.
React OS is trying to create an open source clone of Windows XP/Server 2003. They have been making progress for many years, but it will probably take 10 more years before a solid Windows XP clone is done, if ever.
The future will probably be rather uneventful. Windows 10 will gain 100-200 million users per year. Oops, I see now that over 200 million PCs are sold each year. It's down from 350 million in 2010 and 2011. Well, I see a lot of negative forum comments about Windows 10 so I still think the future of this OS is hard to predict. I think Windows 10 will struggle to reach 1 billion. Enterprise and Small and Medium sized Business (SMB) adoption is still unclear.
Chrome OS can reach 5 % (max) if people like Android apps and a keyboard. Linux can reach 5 % (max) if people are troubled enough by Windows 10. Windows 7/8.1 users will cling on to their OSes for the foreseeable future.
Apple seems happy to just cruise along, not even bringing touchscreens to Macs. Apple may actually sell a few Macs to SMBs. Between Apple, Google and Microsoft I would rather trust Apple with my data. Tim Cook may lack vision, but he seems unusually trustworthy for a high level businessman. From a consumer perspective MacOS seems like a boring product. Apple needs that “reality distortion field” to bring some magic to its products.
Many are using Windows 10 and are happy with it. Microsoft is at the forefront of gaming, peripherals and supporting new standards. If you have brand new hardware and want to get maximum value you almost need Windows 10. So it's hard to ignore or even completely dislike Windows 10.
And as discussed earlier in this thread: locking down an OS and running without updates isn't a big deal with good AV software and some common sense online. Not running as administrator and setting UAC to highest level also help. Just think about those XP users, soon 3 years without updates and still going strong.
Reply #1 Saturday, December 24, 2016 4:39 AM
The best anti-malware is simply good common sense when online. Good post.