Windows virus?



cyberfish
07-14-2008, 09:13 AM
I am dealing with a strange what-I-suspect-to-be-virus and could use some help. I have been spoiled by Linux for so long that I am clueless with virii now.

The machine is a cheap prebuilt Acer branded Pentium D 3 GHz with SiS chipset. Running Windoze XP.

The machine has been used primarily for word processing and web surfing for the past 1 year.

The symptoms -
Upon booting, a few dialogues pop up, saying "Memory cannot be 'read'". Name of the binary is different every time (that's why I suspect it to be a virus).

I formatted (quick option) the drive, and reinstalled Windows XP SP2 using trusted media (XP CD with slipstreamed SP2 that I have been using for years). The problem remains upon the first boot.

I do have a second partition that I kept my data in, which might have carried the virus over, but I haven't accessed it since reformatting.

I have not installed anything yet. It was the very very first boot, not even drivers, and the dialogue shows up immediately after I log in.

The computer functions normally otherwise.

Suggestions?

Thanks

Elysia
07-14-2008, 09:23 AM
Check your startup list and untick any programs you don't know.
Most of the time, this is a harmless message about a program screwing up and thus being closed by Windows.

Greenhorn__
07-14-2008, 09:45 AM
Did you do a (slow) memory check from the BIOS?

Is it an (old) notebook? Maybe the memory is beginning to die; notebooks don't have a long life.


Greetz
Greenhorn

matsp
07-14-2008, 09:52 AM
Whilst I agree to some extent with Greenhorn, it may simply be a case of "you need to reseat the memory". Run a memory test (perhaps you can find a Linux CD-ROM with memtest86, or download a CD/floppy of it from somewhere). It is a thorough memory test that will show if your memory is OK or not. If it's OK then it's likely something else that has gone wrong. If it shows errors, it may be time to open the machine up and unplug the memory modules and plug them back in.

Memory chips in themselves should last tens of years, but the connections can get old.

--
Mats

cyberfish
07-14-2008, 11:30 AM
Thanks for the suggestions!


Check your startup list and untick any programs you don't know.

Assuming you are referring to "start -> All Programs -> Startup", it's empty.

Most of the time, this is a harmless message about a program screwing up and thus being closed by Windows.

Hopefully that is the case. Seems strange, though. It's a fresh install.



Is it an (old) notebook? Maybe the memory is beginning to die; notebooks don't have a long life.

It's a one-year old desktop. Could be that it's cheaply built, though, as it's a prebuilt machine. I usually build my machines myself.



Whilst I agree to some extent with Greenhorn, it may simply be a case of "you need to reseat the memory". Run a memory test (perhaps you can find a Linux CD-ROM with memtest86, or download a CD/floppy of it from somewhere). It is a thorough memory test that will show if your memory is OK or not. If it's OK then it's likely something else that has gone wrong. If it shows errors, it may be time to open the machine up and unplug the memory modules and plug them back in.

I will try memtest86. It's Orthos (Prime95) blend-test stable for 8 hours, though.

I have run SeaTools' full disk surface scan on the Seagate hard drive, too.

Elysia
07-14-2008, 11:34 AM
I mean check ALL startup programs. You know Windows is too complex for its own good ;)
Use the msconfig utility to find and disable startup programs or alternatively some 3rd party utility.

cyberfish
07-14-2008, 11:40 AM
Use the msconfig utility to find and disable startup programs or alternatively some 3rd party utility.

That's it! Thanks so much.

There are two binaries in the startup list, jvvo and kxvo.

Googling reveals that they are virii spread by USB drives. I happen to have one attached :).

It's still strange, though. How did ANYTHING on the USB get run without me accessing the USB drive at all?

cyberfish
07-14-2008, 11:52 AM
Googling revealed something even crazier.

Apparently the virus creates an autorun.inf and a downloader on the USB drive.

Upon attaching the USB drive, autorun gets executed and runs the downloader which downloads (from the USB drive or internet) and installs the virus.

Hmm. Microsoft? User friendliness comes first?

Sometimes it really puzzles me how Windows can survive so long and stay so popular while being so insecure. This is beyond poor design - running anything on a USB drive upon attaching? Even I can write a virus like this, knowing this behaviour of Windoze.

Sorry, just had to let it out :).
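
An added example (not code posted by anyone in this thread) of the triage an analyst can run over an autorun.inf before trusting the stick, given the mechanism described above: the worm drops an autorun.inf whose "open" and "shell\...\command" entries point at a dropper, and often adds an "action" string that imitates the Explorer entry in the AutoPlay dialog so the user picks it. The two sample files are constructed for illustration; the hidden-folder list (RECYCLER and friends) and the flagging rules are my assumptions about common worm conventions, not facts taken from the thread.

```python
"""Triage an autorun.inf before trusting the drive it came from.

Added example for this thread, not code posted by anyone in it. The sample
autorun.inf files below are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Keys under [autorun] whose value Windows can run (AutoPlay "open", the
# shellexecute variant, and custom verbs added to the drive's context menu).
LAUNCH_KEYS = ("open", "shellexecute")
# Folders Explorer hides by default; a dropper placed there is invisible to a
# casual look at the stick (assumed list based on common worm conventions).
HIDDEN_DIRS = ("recycler", "recycled", "system volume information")


@dataclass
class Finding:
    key: str
    value: str
    reason: str


@dataclass
class Report:
    launches: list = field(default_factory=list)   # (key, command) pairs
    findings: list = field(default_factory=list)   # Finding objects

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_autorun(text: str) -> dict:
    """Tolerant INI parse of the [autorun] section into {key_lower: value}.

    Lines that are not 'key=value' are skipped rather than rejected, because
    droppers pad the file with junk to break naive parsers; like the Windows
    profile-string API, the first occurrence of a key wins.
    """
    keys, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        m = re.match(r"^\[(.*?)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        keys.setdefault(key.strip().lower(), value.strip())
    return keys


def launched_commands(keys: dict) -> list:
    """Every (key, command) pair that AutoPlay or a double-click could run."""
    return [(k, v) for k, v in keys.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def triage(text: str, removable: bool = True) -> Report:
    """Flag what a defender cares about. removable=True means a USB stick,
    where no launch entry is ever legitimate; for a CD/DVD only the
    hidden-folder and Explorer-mimicry tricks are flagged."""
    keys = parse_autorun(text)
    rep = Report(launches=launched_commands(keys))
    for k, v in rep.launches:
        if removable:
            rep.findings.append(Finding(k, v, "removable media should not launch anything on insert"))
        if any(d in v.lower() for d in HIDDEN_DIRS):
            rep.findings.append(Finding(k, v, "target lives in a folder Explorer hides by default"))
    action = keys.get("action", "")
    if "open folder" in action.lower() or "view files" in action.lower():
        rep.findings.append(Finding("action", action, "mimics the built-in Explorer entry in the AutoPlay dialog"))
    verb = keys.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in keys:
        rep.findings.append(Finding("shell", verb, "double-clicking the drive runs a custom verb instead of opening it"))
    return rep


# Constructed samples (not copied from real malware).
SAMPLE_WORM = r"""[autorun]
;constructed sample
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
xK9#@!  junk padding that a naive parser chokes on
"""

SAMPLE_CD = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, text, removable in (("worm stick", SAMPLE_WORM, True),
                                  ("install CD", SAMPLE_CD, False)):
        rep = triage(text, removable)
        print(f"{name}: suspicious={rep.suspicious}")
        for f in rep.findings:
            print(f"  {f.key} = {f.value!r}: {f.reason}")
```

The parser deliberately does not use configparser: a worm's autorun.inf is frequently padded with binary junk and mixed-case keys, and the point is to see what Windows will see, not to reject the file. Pass removable=False for optical media, where an install CD's "open=setup.exe" is normal.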

Greenhorn__
07-14-2008, 12:55 PM
Save the following code as "yxz.reg" and double-click it. This will disable autostart from DRIVE_UNKNOWN, DRIVE_REMOVABLE, DRIVE_REMOTE, DRIVE_CDROM.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000B5


Greetz
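
As an added example (not posted by anyone in the thread), here is a small Python helper that decodes a NoDriveTypeAutoRun value such as the 0xB5 above into drive types, checks that a .reg file actually covers USB sticks and CD/DVD, and emits a stronger variant. Two caveats a practitioner will want: the snippet above writes HKEY_CURRENT_USER, so it protects only that user's profile (the same value under HKEY_LOCAL_MACHINE applies to every user and overrides the per-user value), and on Windows XP the policy alone was not honored in every code path until the AutoRun update Microsoft shipped in 2009 (KB967715); the IniFileMapping entry in the generated file makes the shell read every autorun.inf as empty and works independently of that update. The drive-type bit table follows the GetDriveType() return values; the sample .reg text, the function names and the 0x80 label are mine.

```python
"""Decode, check and regenerate the NoDriveTypeAutoRun policy from .reg text.

Added example for this thread, not code posted by anyone in it.
"""
import re

# One bit per GetDriveType() result; a set bit disables AutoRun for that type.
DRIVE_BITS = {
    "DRIVE_UNKNOWN":     0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE":   0x04,  # USB sticks, floppies
    "DRIVE_FIXED":       0x08,  # also USB disks that present as fixed disks
    "DRIVE_REMOTE":      0x10,
    "DRIVE_CDROM":       0x20,  # includes U3-style "virtual CD" partitions
    "DRIVE_RAMDISK":     0x40,
    "RESERVED_0x80":     0x80,  # not a GetDriveType() value; set so 0xFF = all
}
ALL_DRIVES = 0xFF

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_VAL_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{1,8})\s*$', re.I)


def decode(value: int) -> list:
    """Names of the drive types for which AutoRun is disabled by `value`."""
    return [name for name, bit in DRIVE_BITS.items() if value & bit]


def encode(names) -> int:
    """Inverse of decode(): build a value that disables the given types."""
    return sum(DRIVE_BITS[n] for n in set(names))


def values_in_reg(text: str) -> dict:
    """{registry key path: int} for every NoDriveTypeAutoRun in a .reg file.

    The key path is the last [...] header seen, so HKCU and HKLM copies are
    reported separately; on a real system the HKLM policy wins.
    """
    found, key = {}, None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            continue
        m = REG_VAL_RE.match(line.strip())
        if m and key:
            found[key] = int(m.group(1), 16)
    return found


def blocks_removable_and_cd(value: int) -> bool:
    """The check that matters for a USB-borne worm: are removable drives and
    CD/DVD (including U3 virtual CDs) both covered?"""
    need = DRIVE_BITS["DRIVE_REMOVABLE"] | DRIVE_BITS["DRIVE_CDROM"]
    return value & need == need


def hardened_reg() -> str:
    """Stronger replacement for the posted snippet: machine-wide, all drive
    types, plus the IniFileMapping redirect that makes the shell treat every
    autorun.inf as empty, so the 'open' verb never reaches the drive's
    context menu or the AutoPlay dialog at all."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
        '"NoDriveTypeAutoRun"=dword:000000ff',
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]",
        '@="@SYS:DoesNotExist"',
        "",
    ])


# The snippet from the post above, reproduced here as sample input.
POSTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000B5
"""

if __name__ == "__main__":
    for path, val in values_in_reg(POSTED_REG).items():
        print(f"{path}\n  0x{val:02X} disables AutoRun on: {', '.join(decode(val))}")
        print("  covers removable + CD/DVD:", blocks_removable_and_cd(val))
    print(hardened_reg())
```

Run it against any exported .reg (or a policy dump) to see which drive types a given value really covers; 0xB5 leaves DRIVE_FIXED enabled, which matters for USB hard disks and some flash drives that enumerate as fixed disks, hence the 0xFF in the generated file.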

VirtualAce
07-14-2008, 06:17 PM
In Windows' defense, security is a bit difficult when 90% of the world's PCs use it. Other OSes have it far easier. Why write a virus for a system that no one uses? I have far fewer complaints about XP, having been to Vista and back. XP is a very nice operating system and is very fast, save for startup, like most Microsoft apps. There are legit complaints about XP but I don't feel yours is one of them. In the end, it is the user's responsibility to protect their system from threats. I'd rather have XP lean and mean and rely on third-party apps to secure my system. Trying to make Windows do everything comes off to me like a video game that wants to do everything. It might be able to do everything but it does nothing well. I'd rather have a few components that do their job very well than ten thousand that just suck.

But there are sooo many tools out there available for free that I have a hard time believing this virus just 'crept' in. Complete scans of your system and careful monitoring of what you install and plug into your computer will thwart any virus. I will not use someone else's USB flash drive if they do not have virus software on their computer and if they do not perform regular scans. I deny every application or script that wants to run on a site, including possible spyware in ads. Spybot S&D will silently block this stuff and firewalls like Comodo Pro and ZoneAlarm will help you guard your system.

I haven't had a virus that actually threatened my PC in years. AVG found one about a month ago while I was browsing gamedev.net and it quickly killed it. Before that time the last serious virus I had was about 4 years ago.

cyberfish
07-14-2008, 08:15 PM
Other OSes have it far easier. Why write a virus for a system that no one uses?

I don't think there is any less interest in cracking UNIX than Windows. True, Windows is run on 99% of all computers, but the remaining 1% are the mission critical ones. If equally difficult, I would rather crack a bank server rather than 99 personal computers.



In the end, it is the user's responsibility to protect their system from threats

But all virii exploit a bug in the OS (except social engineering ones). If there are no bugs (or if they are fixed rapidly enough), there won't be any need for anti-viruses. Anti-viruses are like third-party Windows bug-fixing packs. Looking around the computer world, Windows is the only OS in the whole universe that needs a third-party program to keep it safe.



I'd rather have a few components that do their job very well than ten thousand that just suck.

Also known as the UNIX philosophy.
http://en.wikipedia.org/wiki/UNIX_philosophy#Mike_Gancarz:_The_UNIX_Philosophy

Except in UNIX, when an exploit is found, the OS designers fix the bug, instead of irresponsibly redirecting their users to buy (or get) third party anti-viruses that use pattern matching and heuristics to do damage control.



But there are sooo many tools out there available for free that I have a hard time believing this virus just 'crept' in. Complete scans of your system and careful monitoring of what you install and plug into your computer will thwart any virus. I will not use someone else's USB flash drive if they do not have virus software on their computer and if they do not perform regular scans. I deny every application or script that wants to run on a site, including possible spyware in ads. Spybot S&D will silently block this stuff and firewalls like Comodo Pro and ZoneAlarm will help you guard your system.

Sure, but as said above, the fault lies in Windows. Anti-virus/anti-spyware programs are just damage control devices.

I am not saying Windows can't be safe (which is debatable) with all precautions, regular scans, tweaks, and third-party software. What I am saying is, why is it necessary?

Compare it to, say, any popular Linux distribution. They are all more secure than necessary for home and small office use out of the box. As far as I am aware, all Linux virii are proof-of-concept ones (that Linux can be infected, too), and there were only a few, the last one a couple of years ago. Linux people responded by fixing the bugs in the OS, not redirecting users to get third-party bugfixes.

zacs7
07-14-2008, 09:16 PM
By that theory it's the OS's fault that you can delete the entire thing, i.e. "rm -rf /" on Linux.

> But all virii exploit a bug in the OS
That's a huge stereotype. I'd say very, very few exploit the bugs. They usually rely on the user playing a big part, i.e. how is a virus attachment in an email which, when run, emails your private documents away, anything to do with an OS bug? And this isn't classed as social engineering... What, are programs not supposed to be able to read files? Must be a bug...

> I don't think there is any less interest in cracking UNIX than Windows.
Who said anything about cracking? Windows is targeted because it holds a larger userbase, at least for personal computing. If you're planning to spread ads or havoc, why would you go for the smaller userbase?

And if you're going to get that technical, there is more 3rd party software in Linux than Windows...

Mario F.
07-14-2008, 09:27 PM
Virus writers have been targeting Microsoft operating systems for decades, since the DOS days. It won't change if the OS becomes more secure... search Google for "Linux virus", and you'll see that malware is being written for Linux too, in great part due to the increased popularity of this operating system.

Every operating system offers its own approach to security. Windows is no less secure than Linux or Mac. What it does is delegate security to third-party tools, some embedded in the operating system (Windows firewall, user management, ...), others made by third-party sources.

What you have to reason instead is: if a whole blooming market that has been created to support Windows security can't handle the amount of threats, what makes you think Microsoft alone could? There's no magic feature that would suddenly turn Microsoft into a foolproof operating system. Root access alone is no guarantee of success since that alone doesn't secure against many types of malware... again, check Google. Besides, I'm pretty sure the Windows architecture isn't geared towards root and it would be a difficult feature to implement in the presence of the current core. A good example is Vista's sad attempt (http://www.youtube.com/watch?v=80sWifG40B0). You can argue that's an example of bad implementation... perhaps. I'd prefer to think instead it's an example of the difficulty Windows has in implementing a root-like feature.

One day will come when computer users realize that part of using a computer is maintaining it, much like they do with their car. It's not only about pressing the pedal, it's also about regular inspections. Complaining about Windows security outside the context of a bug is complaining about our inability to use our computers. Sorry, but that's just the way it is. Every virus that we allow to enter our systems, every hijacker or trojan, every successful hacking, is a written letter to our incompetence first and foremost. And this is as true today as it was 15 years ago. And it is as true on Windows as it is on any other operating system.

cyberfish
07-14-2008, 10:14 PM
They usually rely on the user playing a big part, i.e. how is a virus attachment in an email which, when run, emails your private documents away, anything to do with an OS bug

Sure, if you need to execute the attachment to get infected, I wouldn't blame Windows.
It's a different story, though, if you only need to open the email to get infected. When I open an email, I am not expecting to run anything. It's like you don't expect anything to be run when you enter a drive. Yet, that is what Windows does (autorun).



By that theory it's the OS's fault that you can delete the entire thing, i.e. "rm -rf /" on Linux.

You have to type and run the command.

I only need to insert the USB disk to run whatever is written in autorun.inf.



Who said anything about cracking? Windows is targeted because it holds a larger userbase, at least for personal computing. If you're planning to spread ads or havoc, why would you go for the smaller userbase?

Because you get a bigger prize for cracking a bank server than 100 PCs.



And if you're going to get that technical, there is more 3rd party software in Linux than Windows...

Huh?... what does it have to do with this?



Virus writers have been targeting Microsoft operating systems for decades, since the DOS days. It won't change if the OS becomes more secure... search Google for "Linux virus", and you'll see that malware is being written for Linux too, in great part due to the increased popularity of this operating system.

I just googled it. All the virii I found require the user to explicitly run an untrusted binary. Not like just inserting a USB drive. And then the virus would perhaps exploit a bug in Linux to get root access. Yes, it would be a bug of Linux, just as Linux developers would openly admit, and be willing to fix.



The Linux operating system, Unix and other Unix-like computer operating systems are generally regarded as well-protected against computer viruses.[1] There have been successful attacks, however, on both Linux and Unix systems, the most notable perhaps being the Cuckoo's Egg attacks on Unix systems in the 1980s.

There has not yet been a single widespread Linux malware threat of the type that Microsoft Windows software currently faces, this is commonly attributed to the malware's lack of root access and fast updates to most Linux vulnerabilities.[2]

The number of viruses specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.[3]
- Wikipedia


The whole blooming market cannot support the number of threats because of the fundamental design problems in Windows, making it particularly easy to exploit. Both bugs and "features" like autorun.

The Vista attempt at imitating what UNIX has had for decades (sudo) has been a step in the right direction IMHO. I won't comment on the implementation, because I have not used it extensively.



I'd prefer to think instead it's an example of the difficulty of Windows to implement a root-like feature.

I think that is because Microsoft is keeping the core design from decades ago, when MS cared nothing about security. I think the only way to make Windows as secure as UNIX would be to rewrite the whole thing from the ground up, with security in mind. But of course, that is not possible, as it will break all existing programs, and will be financially suicidal for Microsoft. It's a business after all. As for why UNIX was designed from day 1 with security in mind, I wouldn't know. I wasn't born at that time.

As for the future, I haven't lived long enough to know. However, as of now, in UNIX/Linux, every exploit is considered a bug, and is fixed by the respective software developer. This approach has been working fine for Linux, and I am sure people want to break into UNIX systems (due to them being mission critical servers) as badly as they want to break into personal computers running Windows.

VirtualAce
07-14-2008, 10:51 PM
If there are no bugs (or if fixed rapidly enough),


Hehe. If only it were that easy. Sometimes it's not so much an issue of the bug itself but of how often it recurs and how dangerous it is. You very well could waste weeks and weeks of dev time on a bug that might occur 1% of the time. If the bug is a nuisance and not harmful then in my view it's a waste of time to address when there are plenty of other high-priority bugs in line to be fixed.



By that theory it's the OS's fault that you can delete the entire thing, ie "rm -rf /" on Linux.

You have to type and run the command.

I only need to insert the USB disk to run whatever is written in autorun.inf.


To get a virus on Windows you must give permission for a file to run, download, etc. Opening an email that has a script in it is pretty much giving it permission. Even then Outlook will warn you and allow you to not allow the script to run. IE also has this feature where you can block scripts from running. And the beautiful thing about autorun is you can shut it off completely from the control panel. I personally have never experienced any issues with autorun and certainly would not put the blame on it for a virus entering my system.



I think that is because Microsoft is keeping the core design from decades ago, when MS cared nothing about security. I think the only way to make Windows as secure as UNIX would be to rewrite the whole thing from the ground up, with security in mind. But of course, that is not possible, as it will break all existing programs, and will be financially suicidal for Microsoft. It's a business after all. As for why UNIX was designed from day 1 with security in mind, I wouldn't know. I wasn't born at that time.


And guess what keeping that core design did for them? It prevented catastrophes like Vista. I'm not so sure they kept the core design from ages ago and from what I know they did quite a bit of restructure and refactor between 95, 98, and XP. Vista looks pretty much like an overhaul and man does it blow chunks. Everything I liked about XP is either missing, doesn't work, or just plain sucks in Vista. My point is this is a big claim unless you have some affiliation with the company or the huge dev team for the OS. I don't know how much they kept and how much they left but I do know that XP is by far the best they have produced to date.



The whole blooming market cannot support the number of threats because of the fundamental design problems in Windows, making it particularly easy to exploit. Both bugs and "features" like autorun.

Again we are stuck on this autorun thing. Autorun has nothing to do with the problem. Autorun only runs when a .inf is present meaning you either installed the program in question, copied it piecemeal to your USB drive, or you inserted a CD/DVD. Using autorun to install a virus is a sad attempt in my book since it is so simple to bypass. Hold down left shift and autorun will not execute.

So in the end if you have a virus it's your fault. Blaming the OS won't help matters and it won't help you rid yourself of bad habits that allowed the virus in. Just take it as a learning experience and stop trying to blame the OS. You certainly have not produced any evidence to support your claims that it is the OS's fault you have a virus.

cyberfish
07-14-2008, 11:13 PM
To get a virus on Windows you must give permission for a file to run, download, etc. Opening an email that has a script in it is pretty much giving it permission. Even then Outlook will warn you and allow you to not allow the script to run. IE also has this feature where you can block scripts from running. And the beautiful thing about autorun is you can shut it off completely from the control panel. I personally have never experienced any issues with autorun and certainly would not put the blame on it for a virus entering my system.

It's like the Outlook version of autorun. I am not familiar with email scripting, but I thought JavaScript does not allow accessing local filesystems. Ah, unless it's ActiveX. Why is opening an email giving it permission to run whatever's in the mail? By that logic, when opening a Word document, you can expect it to format your hard drive?

Sure, you can disable autorun. But how would a Windows "newbie" like me know? Why not make it default to disabled? Ah, user friendliness, of course. How amazed would the user be when he inserts a usb drive and everything runs automatically?



Again we are stuck on this autorun thing. Autorun has nothing to do with the problem. Autorun only runs when a .inf is present meaning you either installed the program in question, copied it piecemeal to your USB drive, or you inserted a CD/DVD.

In Linux, I can confidently insert a USB stick from an unknown source containing whatever there is, and navigate in it, knowing that nothing will be run until I explicitly issue a command to run a binary or script on the drive.



So in the end if you have a virus it's your fault. Blaming the OS won't help matters and it won't help you rid yourself of bad habits that allowed the virus in. Just take it as a learning experience and stop trying to blame the OS.

Sure, I am blaming the OS. It just seems that you need to know a lot more about Windows to make it secure than you need to know about Linux to make it secure.



You certainly have not produced any evidence to support your claims that it is the OS's fault you have a virus.

Well, if autorun is not the default on a freshly installed XP, I wouldn't have that virus :). It's a problem in the OS's design.

cyberfish
07-14-2008, 11:16 PM
I have an idea. How about someone familiar with the ins and outs of Windows writes a script that changes the settings of Windows to make it secure for security-conscious Windows newbies?

And then people would just need to run the script on a fresh install, and have the settings set to sane defaults, just like a fresh Linux install.

whiteflags
07-14-2008, 11:59 PM
Well since the only thing you've mentioned is auto-run:
http://www.annoyances.org/exec/show/article03-018

Good source for whatever other annoyances you think of, but I think Bubba is on to something. Don't go blaming the OS for every bumdass mistake you make.

Elysia
07-15-2008, 01:07 AM
I'm siding with Bubba on the autorun thingy.
If we made a system all-secure, we wouldn't allow running ANY program at all. Clearly, that destroys the purpose of computers and user friendliness, as well (they would have to do everything themselves OMG).
No sir, the problem is not a bug or a flaw, but rather a malicious attempt to attack your computer which you failed to thwart.
One feature I like about Vista is that it pops up the autorun dialog whenever you insert something. It lets you select whether to run autorun or not. The reason I like it is that maybe I don't want to run autorun every time I insert something.

There will always be viruses as long as there is executable code and it's as simple as that. If that's a flaw, then Linux is guilty, as well. It has nothing to do with OS vulnerability.
You should always use a 3rd party security solution to prevent nastiness. This is true for any good (big) operating system.
Microsoft churns out a lot of patches each month to patch holes. Are they not concerned about security then?

Oh and, Vista's UAC was not an attempt at a root system like in Linux but to annoy users and force developers to design programs to run under limited accounts. They made it to break the habit of creating Admin-only programs that assume you have control everywhere.
Perhaps it may evolve into a root system in the future, though. Who knows.

cyberfish
07-15-2008, 02:25 AM
I am certainly not saying Microsoft doesn't care about security. Just that it values user friendliness more.



One feature I like about Vista is that it pops up the autorun dialog whenever you insert something. It lets you select whether to run autorun or not. The reason I like it is that maybe I don't want to run autorun every time I insert something.

That, I think, is a good idea, along with the UAC thing. Microsoft is finally doing something about security.



You should always use a 3rd party security solution to prevent nastiness. This is true for any good (big) operating system.

Hmm, I think you are generalizing a bit too much here. AFAIK, Windows is the only OS that needs third-party security programs. Since when have you seen Mac or Linux users install anti-virus? Sure, some people run anti-viruses on Linux servers, but that is to scan for Windows viruses in user mailboxes and Windows shares, to prevent virii from getting to Windows users.

I guess Windows is too much for me to take. I will just go back to my trusty Linux. Practically, for home use, no one needs to even think about security on Linux. The defaults are sane and good enough. If not behind a NAT, perhaps spending 3 minutes configuring iptables to block incoming connections would be a good idea. But that's about it. If running a server, add automatic update to the list.

I switched to Linux about 4 years ago. I only keep my Windows installation for gaming now, and do all my serious work on Linux. It's a lot less "moody".

This is just an office machine my dad threw at me to fix.

Needless to say, I am inexperienced in Windows, so I guess it's all my fault that my Windows gets all kinds of nasty stuff.

Elysia
07-15-2008, 02:48 AM
I am certainly not saying Microsoft doesn't care about security. Just that it values user friendliness more.
I could agree somewhat with that.
Microsoft have been known to value user-friendliness over security at times... Although, I don't know if I'd classify Autorun as one such thing.


Hmm, I think you are generalizing a bit too much here. AFAIK, Windows is the only OS that needs third-party security programs. Since when have you seen Mac or Linux users install anti-virus? Sure, some people run anti-viruses on Linux servers, but that is to scan for Windows viruses in user mailboxes and Windows shares, to prevent virii from getting to Windows users.
Well, maybe, but I'm just implying that any operating system can be infiltrated with viruses. Run too many executables when you don't know where they came from, on any operating system, and you're bound to get infected.


Needless to say, I am inexperienced in Windows, so I guess it's all my fault that my Windows gets all kinds of nasty stuff.
:)
Well, I guess there's some truth in that, too. Windows is too popular for its own good, which makes it so that you have to be careful in what you do and what you don't.
Anyway, good AV software that checks when executables are run will do wonders for security.

cyberfish
07-15-2008, 03:04 AM
Run too many executables when you don't know where they came from, on any operating system, and you're bound to get infected.

That is true. But the problem is whether they run with your permission or not. I classify autorun as the latter, but I see your point.

Greenhorn__
07-15-2008, 03:37 AM
I have an idea. How about someone familiar with the ins and outs of Windows writes a script that changes the settings of Windows to make it secure for security-conscious Windows newbies?

And then people would just need to run the script on a fresh install, and have the settings set to sane defaults, just like a fresh Linux install.

Maybe try this ...
http://www.ntsvcfg.de/ntsvcfg_eng.html


Greetz

matsp
07-15-2008, 04:07 AM
It is perfectly possible to build a secure OS. Just require all executables to be certified by a third-party agent. However, if MS suggested this, they would be immediately shot down by every developer that isn't paid by MS, for restricting the ability to develop applications...

--
Mats

Greenhorn__
07-15-2008, 06:05 AM
I'm not so sure they kept the core design from ages ago and from what I know they did quite a bit of restructure and refactor between 95, 98, and XP.

The evidence ..., but psssst -> Top Secret! ;)

Vista src (http://xs329.xs.to/xs329/08292/10gidzr104.gif)

...

Mario F.
07-15-2008, 06:20 AM
Gosh... how lamely old.

CornedBee
07-15-2008, 06:26 AM
It is perfectly possible to build a secure OS. Just require all executables to be certified by a third party agent.

That might work. Or not. After all, even certified applications can have bugs. Code injection through a buffer overflow in a data file? Well, you could require certification of every file in the operating system ;)

Take, for example, the Vista driver certification requirement. A company actually snuck a piggyback driver through the certification process - in other words, a driver that can load arbitrary other (uncertified) drivers.
When the license was revoked, people went on to exploit a bug in some real driver to do exactly the same thing.

Certification is no guarantee for quality.

matsp
07-15-2008, 06:38 AM
That might work. Or not. After all, even certified applications can have bugs. Code injection through a buffer overflow in a data file? Well, you could require certification of every file in the operating system ;)

Take, for example, the Vista driver certification requirement. A company actually snuck a piggyback driver through the certification process - in other words, a driver that can load arbitrary other (uncertified) drivers.
When the license was revoked, people went on to exploit a bug in some real driver to do exactly the same thing.

Certification is no guarantee for quality.

Good point, the certification would only be as good as the certification company makes it, and that could well allow arbitrary bugs and/or arbitrary holes in the security.

However, my point was more to the extent that we do not necessarily WANT a system that only allows "approved" applications, because it makes developing applications really hard work, and it would probably make most open source applications disappear from that architecture, making that OS a dead-end in the evolution of software.

--
Mats

Mario F.
07-15-2008, 07:43 AM
I think I see your point, matsp... but that is the final killing blow on the whole certification process.

Assuming Microsoft did a real check on submissions - instead of cursory checks with thin checklists, as it apparently has been doing - "harder" would mean better quality. As it is, however, the Microsoft Certification Process is nothing but hot air, as it always has been.

No company is required to certify their drivers if they don't want to. So... where exactly is the pressure on Microsoft? On the other hand, Microsoft could raise their current standards and demand better quality from those makers who decide to go certified. The whole process currently is a waste of time and, worse, gives a false sense of security to those users who look at Microsoft Certified as a seal of quality (as advertised).

Maybe Microsoft is in the hands of driver makers, as you seem to suggest. But I think it is the other way around; that the Certification Process is a stillborn still being rocked. It completely failed its objectives since day 1, except for maybe one... marketing.

matsp
07-15-2008, 07:51 AM
I think I see your point, matsp... but that is the final killing blow on the whole certification process.

Assuming Microsoft did a real check on submissions - instead of cursory checks with thin checklists, as it apparently has been doing - "harder" would mean better quality. As it is, however, the Microsoft Certification Process is nothing but hot air, as it always has been.

No company is required to certify their drivers if they don't want to. So... where exactly is the pressure on Microsoft? On the other hand, Microsoft could raise their current standards and demand better quality from those makers who decide to go certified. The whole process currently is a waste of time and, worse, gives a false sense of security to those users who look at Microsoft Certified as a seal of quality (as advertised).

Maybe Microsoft is on the hands of driver makers, as you seem to suggest. But I think it is the other way around; that the Certification Process is a stillborn still being rocked. It completely failed its objectives since day 1, except for maybe one... marketing.

Having worked with said certification process for video drivers, I do agree to some extent, but saying that it's completely pointless is probably a slight exaggeration. No, it doesn't catch all potential problems (and I know the driver I worked with actually "cheated" the API that MS provided by passing function pointers from one driver component to another - and MS didn't spot that with their tests).

But I do agree that it doesn't come close to revealing each and every potential security hole in the system [I managed to fix some in our driver, because I randomly spotted "bad code" in our driver - not because the WHQL test showed them up].

--
Mats

Elysia
07-15-2008, 07:53 AM
While it may be good in theory to demand certification, I don't know if it holds in reality.
How much does it cost to have such checks? Lots of money.
Does that mean that open source applications and those from individual developers are poor quality just because they aren't certified? I think not. They would, nevertheless, not get the benefit of the doubt from many and would probably be avoided in the end.

No, what they should focus on is building good free tools to help programmers with quality testing and making a stable operating system which will not crumble from poorly written software/drivers.
Those are my thoughts.
I would love to see prompts that ask about suspicious behavior from programs, on the note that I can allow it permanently, of course. If a program tries to delete files, I want to know WHAT files.

Although, I could see certification programs that are FREE going a long way, provided they are fast, done by many and under the same rules. They could even have a certification-in-progress status to assure or calm users that the program is indeed going through certification but has not yet received it, since it would be a way to counter fears when they see a program is not certified (one might think they would skip certification otherwise).

Mario F.
07-15-2008, 08:19 AM
I would love to see prompts that ask about suspicious behavior from programs, on the note that I can allow it permanently, of course. If a program tries to delete files, I want to know WHAT files.

This type of functionality is again better left for 3rd party tools. Certain personal firewalls, for instance, already offer system level protection on an application, and even file, basis that will handle that and many other issues, if the user so wishes. At the cost of a download.

Meanwhile, remember that wish when you realize temporary files are created and destroyed on windows all the time.

What I want is an operating system that does little for me and asks me to do much for it. Linux and Windows XP offer that type of balance. Each in their own way (although my fav is still Windows 2000). There's nothing inherently insecure about Windows XP that hasn't been fixed with later service packs. Conversely, there's nothing inherently more secure about Vista that will not be exploited to exhaustion, invariably subjugating it to Yet Another Microsoft Operating System.

Buffer overruns and such only offer backdoors when exploited by malicious tools we allowed to creep into our system. That is the line of defense we tend to overlook, and then blame it on the operating system alone, forgetting about our share of responsibility. I haven't been caught in a buffer overrun exploit for maybe a decade. And behold, I can sometimes skip 6 months without making a Windows update.

These malicious tools meanwhile are acquired from many sources, the most common ones being warez and pornographic websites... and again we blame it on the operating system when we don't even try and observe rudimentary internet safety practices.

Windows is as secure as Linux from a home computer point of view. That is by far not the reason I recently switched to Linux. And we don't need to be told what application deletes what file.

cyberfish
07-15-2008, 09:03 AM
With a considerable amount of tweaking settings, installing and configuring third party security programs, taking precautions like having to avoid warez and porn sites, Windows can arguably be as secure as out of box Linux.

As for warez and porn sites, why should we try and observe rudimentary internet safety practices in the first place? If I don't give explicit permission to run a binary, I should be able to assume I am safe. I don't consider visiting a website giving it permission to run anything. That I guess is IE's problem, but it is hard to separate from Windows, being an integral part of the OS.



Windows is as secure as Linux from a home computer point of view.

Sure, but Windows just requires a lot more tweaking and installing and experience/knowledge. An average Joe is a lot safer with Linux than Windows.

Elysia
07-15-2008, 09:23 AM
This type of functionality is again better left for 3rd party tools. Certain personal firewalls, for instance, already offer system level protection on an application, and even file, basis that will handle that and many other issues, if the user so wishes. At the cost of a download.
I know. I have certain such protections installed, actually. I don't really care if it's 3rd party or the OS itself, just that the functionality should be there.


Meanwhile, remember that wish when you realize temporary files are created and destroyed on windows all the time.

So true, but here's why there's a need for advanced rules. For example, I may want to allow creation and deletion of files inside the temporary directories.
But the biggest point is that we should be able to configure it to allow stuff we want and only ask if it's a suspicious action we have not allowed.
So if I suddenly get a virus on my computer, I instantly get popups that a strange program is doing something.
Otherwise it just runs in the background, watching without interrupting.
That's the kind of security I like.


And behold, I can sometimes skip 6 months without making a windows update.
Me too :)
I only download service packs!

cyberfish
07-15-2008, 09:26 AM
So if I suddenly get a virus on my computer, I instantly get popups that a strange program is doing something.

I guess someone will have to write a good AI first that can distinguish between strange and normal activities (by human definitions). This is starting to sound a lot like Hollywood :).

nvoigt
07-15-2008, 10:00 AM
But all virii exploit a bug in the OS (except social engineering ones). If there are no bugs (or if they are fixed rapidly enough), there won't be a need for anti-viruses. Anti-viruses are like third party Windows bug fixing packs. Looking around the computer world, Windows is the only OS in the whole universe that needs a third party program to keep it safe.


That's not quite fair. If people would spend a fraction of what they spend on *nix security on Windows security, they'd have a pretty stable, pretty good and virus proof operating system. But they don't. The same guy that spent the weekend installing a new *nix system will totally hose his Windows box, because obviously creating a second, non-root user even with GUI assistance is too much of a hassle when running Windows.

Windows is pretty secure. But the security is turned off by default to appeal to the masses. I don't know why anyone running without administrative privileges would need a virus scanner or other third party software. I do know people who blindly click on stuff and execute it. You could probably send them format.com by email and they'd format their hard disk, just because it seemed to be a good idea. No amount of security will prevent this. Dumb people are dumb people.

The last few years have shown a vast amount of virii and worms. And very few were actually worth worrying about. Most of them were simply fishing for the 90% of clueless users out there. Malware is on the rise because dumb people using computers are on the rise. Security in Windows has improved tremendously from '95 to Vista. Average user education has gone down the drain at an even steeper rate. That's the problem and no software will ever fix it, the same way nobody can produce a knife that is both useful and safe enough for idiots to not cut themselves. There is no way this will work.

cyberfish
07-15-2008, 10:11 AM
That's not quite fair. If people would spend a fraction of what they spend on *nix security on Windows security, they'd have a pretty stable, pretty good and virus proof operating system. But they don't. The same guy that spent the weekend installing a new *nix system will totally hose his Windows box, because obviously creating a second, non-root user even with GUI assistance is too much of a hassle when running Windows.

Hmm. Ubuntu installation takes ~ half an hour on my machine. I spend an additional hour or so installing programs I need. I don't need to consciously do anything to improve security.

On Windows, especially before Vista, it's practically impossible to use a limited user account (the UNIX way), simply because programs were designed assuming the user has admin privilege, which has pretty much always been the case. I have tried it, and with so many programs requiring admin priv for normal operation, I was pretty much running as admin.

It's more of a practical thing than a theoretical thing. On Linux, no one runs as root, and it has been like that for decades, and software is designed with that in mind. It's the contrary on Windows.



You could probably send them format.com by email and they'd format their hard disk, just because it seemed to be a good idea. No amount of security will prevent this. Dumb people are dumb people.

That is what I meant by social engineering - the part that I am not blaming the OS about.

Mario F.
07-15-2008, 10:24 AM
Ok cyberfish. It's pretty obvious you have your mind made up. I just find it ironic that while you lament over Windows' apparent complexity, many Windows users lament over *nix complexity. It's a case to say I've seen it all when it comes to unfounded criticism. Have it your way...

But one word of advice; admitting your lack of skill with Windows should at least make you ponder the arguments being used here and not summarily dismiss them. Especially when done by people with two decades of experience with Microsoft operating systems.

As for me, I'm going out for an ice cream while leaving Windows online. Just because I can.

cyberfish
07-15-2008, 06:24 PM
I have openly admitted my lack of skill with Windows, which made my Windows insecure.

What I was trying to say is, we need skill and effort to make Windows secure, and any Linux newbie can already enjoy the privilege of secure Linux.



With a considerable amount of tweaking settings, installing and configuring third party security programs, taking precautions like having to avoid warez and porn sites, Windows can arguably be as secure as out of box Linux.

I never said that Windows cannot be made secure, just that it takes a lot more effort.

VirtualAce
07-15-2008, 08:22 PM
Especially when done by people with two decades of experience with Microsoft operating systems.

Are we really getting that old? My first OS was 2.10 with a copyright of 1980 (79, 80, 81?). You were lucky then if the OS did 'anything' for you except hook interrupt 21h and run your disk drive. Thanks now I feel really old.

Now people are complaining about how much the OS does 'for' you. I'm happy with XP. It's intrusive enough to be safe and secure yet not intrusive enough to be downright annoying.

Here's to hoping they produce a lean and mean version of the next Windows (post-Vista) so I can choose how much bloat I need for my little corner of the world.

VirtualAce
07-15-2008, 09:23 PM
Ah, unless it's ActiveX. Why is opening email giving it permission to run whatever's in the mail? By that logic, when opening a Word document, you can expect it to format your hard drive?


This is most likely using VBA and another thing about that is you can turn this off in Outlook, Powerpoint, Excel, and Word. When it's off it will be in permission mode and will say that the file has scripts that want to run and will ask you if it's ok. At that point the VBA code will execute. Last I worked with VBA there were not any functions that could format a drive. VBA is a nice feature but I really don't like coding with it.

cyberfish
07-15-2008, 09:27 PM
This is most likely using VBA and another thing about that is you can turn this off in Outlook, Powerpoint, Excel, and Word. When it's off it will be in permission mode and will say that the file has scripts that want to run and will ask you if it's ok. At that point the VBA code will execute. Last I worked with VBA there were not any functions that could format a drive. VBA is a nice feature but I really don't like coding with it.

That's what I meant. The default is not safe. With so many unsafe default settings, one needs to be very experienced/knowledgeable with it to make it secure.

The formatting was just a random guess. How about randomly deleting files? I am guessing there is local filesystem access in VBA, just to make it user friendly, unlike Javascript.

VirtualAce
07-15-2008, 09:37 PM
To be honest I don't remember much about VBA except that it was application-centric. Basically if the application did not expose it you couldn't access it. Very different from programming in VB but it allowed you to make use of some nice APIs in Word, Excel, and PowerPoint. You could also mix in some database stuff through Access although I never messed with any of that.

Mario F.
07-16-2008, 06:47 AM
Admittedly VBA was not built with security in mind. Thank goodness the technology has been dropped for a few years already.


With so many unsafe default settings, one needs to be very experienced/knowledgeable with it to make it secure.

Drop the "very", and you'll basically hit it.

Yes, one needs to be knowledgeable about the operating system in order to use it safely. What I question is why you question this? Where exactly is the problem in being knowledgeable about the operating system? I'm even more surprised when this argument comes from Linux users, who are reportedly very knowledgeable people about their own operating systems.

Let me try and break it down for you in the following manner - If anyone sees some flaw in my reasoning please do correct me.

Up until recently (up until mid-life of the XP operating system, I would wager) Microsoft's strategy was to place security features out of the way of the user. They were still built at the core, and through OS internal tools, but for the most part they were set so that they didn't interfere with the user's day to day operations. If a security feature could be turned on without affecting user experience, it would be. Otherwise its default would be off. All this in the name of a friendlier user experience. This strategy had its pros and cons. Power users liked it, newcomers didn't know what to think, and other platform evangelists used it to blurb about Windows not being secure. All in all, Windows kept on moving which is more or less what mattered.

It was then the task of the user to set those features they wanted. In the meantime, the Windows operating system always spawned a considerable market of commercial and non-commercial 3rd party tools which addressed many security concerns and established themselves through time as the standard means of securing your computer. Anti-virus, personal firewalls (don't confuse with software firewalls which don't offer application level protection), system maintenance tools, etc...

This is the way we do it in Windows. And you better get used to it, instead of complaining about it, since the latter will get you nowhere. Except for...

Somewhere down the line, and along the life of Windows XP, it became noticeable that Microsoft started to shift their position regarding OS security. In response to so many complaints like the ones you make, Microsoft started to push security in front of user experience, forcing us to work the other way around (disable security features, instead of enabling them). This culminated in the Vista operating system which is, right after installation, arguably the least user friendly operating system Microsoft ever developed.

In fact, because people always preferred to complain about the non-existent lack of security in the Windows operating system, instead of educating themselves on those features and learning how to use them, we have Vista the way it is... a dumbed-down operating system that tries to think for you, obviously can't, and shuns power users who, in the face of so much "simplicity", can't understand how to work with it.

That is the price of... ermm... success. Because so many use it, and because the vast majority doesn't want to become computer savvy, the operating system is made to be stupid, pretty and with big buttons. Vista is pretty much the archetypal blond.

So, if you want that kind of stuff cyberfish, there you go. Get Vista and some (not all) of your security concerns will be addressed right out of the box. You'll love UAC. Meanwhile, Windows XP is not for you. It has been built differently, in a different time when Microsoft was still walking with its arms outstretched in search of the user-friendly and secure paradigms.

If on the other hand, you decide to draw from your Linux experience and understand that:

a) Windows was just created to be like this and that is the acceptable way of working with it (up until Vista that is. Let's see if they drop all this nonsense with the next version);

b) Complexity is only apparent. It's a false perspective. You change the way you do things and that seems complicated, when it isn't in fact. Complexity is just the result of lack of training. Being myself a newcomer to Linux I could report to you the fact that the damn thing was so confusing in the beginning, I messed up three times already, forcing me to reinstall it. And yet, you don't hear no whining from me, do you? "Oh Linux is so complicated. Buaah!"

c) You don't want to be another numbered Duh in the world of computer users. We are creating a generation of big Duhs with all this ridiculous User-Friendly pop culture byproduct. By complaining about how complicated it is, you are effectively telling your teacher you don't want to learn philosophy because your head is too small and you are more interested in iPods and 3rd season TV series.

You'll pull up your sleeves and stop the whining, mate.

cyberfish
07-16-2008, 06:55 AM
Thanks for the detailed breakdown.

I am in no way knowledgeable with Linux. I am just a user. Not even a "power user" at that.

I am just comparing Windows to Linux. Windows requires knowledge to make it safe. Linux doesn't.

Sure, you can't do too much in Linux being a complete newbie, but you are safe, with all settings at safe defaults. That cannot be said for Windows.

Mario F.
07-16-2008, 07:03 AM
Nah... I'm not that safe on Linux when being a newb. In fact, there's nothing more dangerous to Linux than a newb with computer knowledge, as my latest menu.lst edit revealed when I realized I couldn't boot the computer anymore.

That's more devastating than what many computer viruses can do these days.

If there is a price for newbness, on Windows you pay it in network security, on linux I pay it in system integrity.

cyberfish
07-16-2008, 07:55 AM
Well... a newb that messes with system files... you can kill any OS that way.

On Windows it's both network security and system integrity :). If you go around changing random settings in Windows being a newb... I don't think it will be better than Linux.

By newb, I mean the average Joe, that surfs the web and checks emails.

nvoigt
07-16-2008, 08:11 AM
Hmm. Ubuntu installation takes ~ half an hour on my machine. I spend an additional hour or so installing programs I need. I don't need to consciously do anything to improve security.


But you have paid for this extra security over a Windows system with user friendliness. Just for a second, be my mom. Go to your local library, grab a 7-year-old WeightWatchers CD with a leaflet read so often you are afraid it will turn to dust if you touch it, take the CD, insert it into your drive and have it running in 5 minutes without any knowledge about your computer, sudo, a root password or even the fact that just because it's a "computer CD", it doesn't have to work on every computer/OS.

Yes, the fact that autorun is enabled because she wouldn't know how to start the executable on the CD otherwise and the fact that she is running as administrator because I won't give a three-hour-lecture about running a system with different users are tearing a security hole in the system that's the size of a small moon. But that's the price people pay.



On Windows, especially before Vista, it's practically impossible to use a limited user account (the UNIX way), simply because programs were designed assuming the user has admin privilege.


That's true. But don't blame the OS. The operating system itself is safe. Applications are crappy. And your desire to run them is greater than your desire for security. Your email client is running arbitrary code and requires admin privileges? Well, throw it in the bin and get a better mail client. But people don't want that. Because running OEx is so simple, right?

Windows (NT upwards) wasn't a bad operating system. It was pretty secure. If you used it. If you abused it, you'd experience the same problems you'd have with a *nix system having a totally clueless user running as root all the time installing buggy software.

cyberfish
07-16-2008, 08:21 AM
But you have paid for this extra security over a Windows system with user friendliness. Just for a second, be my mom. Go to your local library, grab a 7-year-old WeightWatchers CD with a leaflet read so often you are afraid it will turn to dust if you touch it, take the CD, insert it into your drive and have it running in 5 minutes without any knowledge about your computer, sudo, a root password or even the fact that just because it's a "computer CD", it doesn't have to work on every computer/OS.

Yes, the fact that autorun is enabled because she wouldn't know how to start the executable on the CD otherwise and the fact that she is running as administrator because I won't give a three-hour-lecture about running a system with different users are tearing a security hole in the system that's the size of a small moon. But that's the price people pay.

That I agree with. It's the price one has to pay for having a secure system. If Linux were to be as easy as Windows, Microsoft would be out of business in no time :). It has every other advantage - price, security, speed, stability, openness. Compatibility won't be an issue if people start trying it en masse. Software makers will have to adapt to that.



That's true. But don't blame the OS. The operating system itself is safe. Applications are crappy. And your desire to run them is greater than your desire for security. Your email client is running arbitrary code and requires admin privileges? Well, throw it in the bin and get a better mail client. But people don't want that. Because running OEx is so simple, right?

Windows (NT upwards) wasn't a bad operating system. It was pretty secure. If you used it. If you abused it, you'd experience the same problems you'd have with a *nix system having a totally clueless user running as root all the time installing buggy software.

Of course, but it's a practical thing. It is like that because it wasn't until recently (Vista) that Microsoft promoted the idea of running as a limited user.

Any half decent book on UNIX/Linux will tell you to run as a user and not root. All Linux installers I have used do that, too. The result? Every program is written with that in mind, and only asks for admin priv when really necessary.