| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: devis at easynix.net (devis) Subject: Microsoft AntiSpyware: Will it be free and Vulnerable Dan Margolis wrote: >On Tue, Jan 11, 2005 at 06:51:16PM +0100, devis wrote: > > >>Buahwuahwuahwuawa ... you have to be gullible to think that M$ will not >>NOT cash on their own slack coding. >> >> > >I'm confused. Are are you saying that "slack coding" by Microsoft is >responsible for spyware/adware? Seems a bit of an odd interpretation. >Here's mine: > >- It's very, very difficult to prevent people from voluntarily > installing spyware on their own systems. There's no way to write a > heuristic that can distinguish between an application that accesses > the 'net on a regular basis for spying and one that does so for, say, > monitoring a buddy list or checking for mail. > >- You can certainly whitelist applications, but this would prevent > useres from being able to install obscure shareware apps, custom apps, > etc. > >- Were MS to restrict access to their API in order to prevent spyware > makers from doing obscure tricks with the registry and whatnot, they'd > be accused, quite rightly, of anti-competitive tactics. > >Certainly some spyware results from poor restriction of web controls or >something--I don't know the details, as I don't even use Windows--but >I'd bet you the vast majority comes from users installing stuff they >shouldn't--Kazaa, Snood, whatever--or from users clicking "OK" on banner >ads that promise to speed your Internet connection. > >Much of the same goes for e-mail worms: so long as a user has permission >to execute untrusted code and so long as that user has permission to >send code to other people, he is easy prey for e-mail born worms. > >So, here's the question: does most spyware exploit some actual bug or >design flaw? Or does it just use the user's gullibility? I suspect the >latter. > >Flame on. >-- >Dan >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html > > It is prooved matter that spywares do exploits IE holes ( Iframes bugs, Active X etc etc ). Do your work on a few and you will see. Beside, you missed the point entirely: if an user, just by clicking, can install spyware on his machine, then the OS / browser is to blame, not the actual (bad) code (exploiting it) floating around websites. Once again, you are missing the point completely, if M$ didn't 'slack code' their OS, spyware would : 1) not install 2) therefore not exist in the form, numbers and variety we know them I'll give you a clue: try to get a 'tool bar' or some 'other added bonus' automagically on bsd/unix/linux/solaris using any browser, on any site, clicking randomly. As you said, 'It's very, very difficult to prevent people from voluntarily installing spyware on their own systems.' yes indeed, because MS made it that the average joe is an admin therefore has supreme powers out of the box. Usability costs security. Always has, always will. No Flames, Just information.
Powered by blists - more mailing lists