From: ssch at wheel.dk (Steffen Schumacher)
Subject: MS Anti Virus?

On 17.06.2004 10:11:06 +0000, joe wrote:
> My initial thought of a response to this was something along the lines of do
> you wear an aluminum foil helmet as you seem to fit the profile... I decided
> against that. I mean I still think it but I think this response is
> better....
> 
> Antivirus software will probably always be around. Why? Because it is mostly
> software to prevent uneducated users from hurting themselves and it is
> probably impossible to get to a point that all users will be educated and
> there won't be ways to hurt themselves and people specifically trying to
> hurt them. While AV is simply an extension of the user interface of the OS,
> at this point in the game if the OS vendor treats it that way it would
> simply result in lawsuits by the AV vendors against the OS vendors which is
> why MS will have to sell what they have.
> 
> It is possible now to run without AV software and be safe, if you are a fully
> educated user and take precautions and patch when the patches are available,
> you will be pretty safe even if you don't run AV and there are probably many
> users on this list that fit that category and don't run AV. 
> 
> Many of the recent viruses hitting the corporate world haven't been holes in
> MS products causing the problem. It has been good social engineering. One of
> the more recent ones that had me laughing was an email that came through
> with a password protected zip file with the password in the email and the
> note sounding like it came from the IT dept. People all over the world
> opened that up and ran it. If they would have had to have downloaded it,
> chmod'ed it, and then run it they would have done so if the instructions had
> said so. Yes you could probably stop this with a simple note in a small
> company, maybe 50, 100, 1000 people. This was a company comprising 250k people
> from around the world and no simple note was going to do the trick. You
> could also lock machines down to the point that they are merely kiosks as
> well but this isn't realistic except in a tightly controlled corporate
> environment and even still you would have considerable bitching by users who
> wanted more control. 
> 

While I have no numbers to back this up, I do think that worms are far worse
when it comes to the extent to which viruses spread, and speed.
It is my belief that most worms are based upon MS exploits, rather than social
engineering.

It is my belief that we will simply have to wait until MS cleans up their act,
which they should be doing, before the world becomes a better place to live.

I realize that this doesn't clear situations like the one above, but in general
such situations can't really be solved unless all mails are scanned extensively,
and / or the people are educated enough so that they never should run executables
received from mail (it's actually quite simple to me). The *real* IT department
could then link to the executable and place it on an intranet server which
would be secure.

/Steffen



> I don't care what OS you run, if it is a user popular OS and if that OS gets
> targeted by someone with a clever social engineering scheme, it will have
> impact. 
> 
> I have pretty close ties to MS so most of your post simply makes me smirk. I
> have met and talked with many developers there and know how busy they are
> and that they are mostly good guys trying to do a good job. Now that the
> company has switched to a more secure stance they are allowed to do more
> good whereas before they didn't have a hammer in terms of security. 
> 
> I have had "official" access to MS OS source now for almost a year and can
> say that the code base is huge. While it is possible that someone could bury
> something in there purposely it is more likely that someone makes a mistake
> and doesn't understand all of the different ways that their function or
> module could be used. This is changing, the new code being written is being
> looked at very closely for security now and not just functionality. I know I
> know... "MS did a complete security review of all code when they made this
> decision and....". Again this code base is huge, no way they could catch
> everything. I am, however, not happy about some of the things that have
> gotten through such as the various USN/BER encoding and RPC issues but it is
> getting better whether you want to admit it or not. 
> 
> 
>   joe
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Todd Burroughs
> Sent: Thursday, June 17, 2004 5:04 AM
> To: Chris Cappuccio
> Cc: Andre Ludwig; slacker; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
> 
> They are planning to get into a market that guards against the failures in
> their own product.  I don't like this, as it seems that they are going to be
> in a position to intentionally make holes that their "anti-virus"
> software will fix.  If we had a more competitive market in this type of
> software there would be no market for AV software and the AV companies would
> be making better operating systems.  Remember, Microsoft is a marketing
> company and they are very good at it and very powerful.
> 
> Educate your friends and family.  Unfortunately, there isn't much choice
> right now, but someone will do for Linux (or *BSD) what Apple has done.
> If Apple was smart, they would make an OS for PCs.  Maybe they will...
> 
> It's sad that we are wasting so many resources on what should be a
> non-problem.
> 
> Todd Burroughs
> ---
> The Internet has given us unprecedented opportunity to communicate and share
> on a global scale without borders; fight to keep it that way.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

