Message-ID: <20050112012826.GA30841@specialk>
From: fd.lists.dmargoli at af0.net (Dan Margolis)
Subject: Microsoft AntiSpyware: Will it be free and Vulnerable
On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
> It is a proven matter that spyware does exploit IE holes (Iframe bugs,
> ActiveX, etc.). Do your work on a few and you will see.
Perhaps some do, but generally speaking this is unnecessary for spyware
to exist, as I said before; spyware exists regardless of such
vulnerabilities.
> Besides, you
> missed the point entirely: if a user, just by clicking, can install
> spyware on his machine, then the OS / browser is to blame, not the
> actual (bad) code (exploiting it) floating around websites.
A user can install spyware with one click for the same reason he can
install a *good* application with one click. Having the user run every
day with install privileges is relatively irrelevant; if he owns the
machine, he will have the ability to install things. Being prompted for
an admin password (as in the case of OSX) hardly prevents a stupid user
from installing crap.
> Once again, you are missing the point completely; if M$ didn't 'slack
> code' their OS, spyware would:
> 1) not install
How do you intend to make spyware not install while still allowing the
user to install other things?
> 2) therefore not exist in the form, numbers and variety we know them
See above.
> I'll give you a clue:
> try to get a 'tool bar' or some 'other added bonus' automagically on
> bsd/unix/linux/solaris using any browser, on any site, clicking randomly.
I cannot do so from "clicking randomly," but I quite easily can simply
from clicking "OK" to the download prompt. Firefox installs plugins and
toolbars just as easily as IE does.
> As you said,
> 'It's very, very difficult to prevent people from voluntarily installing
> spyware on their own systems.' Yes indeed, because MS made it so that the
> average Joe is an admin and therefore has supreme powers out of the box.
So we don't give the *owner* admin privileges? Mac does this, as does
Linux. I don't know of a single OS where the machine's owner does not,
by default, have admin access.
> Usability costs security. Always has, always will.
Of course. But the ability to execute code is pretty much
non-negotiable. I will never buy a general purpose PC on which I cannot
run programs of my choosing. And if MS sold one as such, you would be
here complaining about that instead.
The point is, spyware does not require OS vulnerabilities to be spyware,
and it likely, for a long time to come, never will. I never argued that
Windows is the most secure OS, however, only that spyware does not imply
bugs. And that point should, by now, be crystal clear.
--
Dan