M$ Leaves Front Door Open, Complains About Bad Guys

M$’s vulnerable operating system hosts millions of malware instances, but they have made some PR out of identifying and eliminating a few command-and-control systems on the web. I wish they would spend as much time making good code rather than foisting their stuff on the world and messing with competition. The latest flurry is about the Zeus botnet, which has been infecting that other OS since 2009, doing millions of dollars of damage… 55% of Zeus-infected PCs had up-to-date anti-virus software in one survey. The malware exists in many versions, uses stealth and is constantly evolving. It uses a large repertoire of M$’s vulnerabilities.

See Microsoft takes down ZeuS botnets – Disrupted … but not Dismantled

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

58 Responses to M$ Leaves Front Door Open, Complains About Bad Guys

  1. oldman says:

    “Do I get to see this magical page? I think not. You, Sir, are a total wuss.”

    þu stunge álærest þæs bearges forgrindet, ic anades ándaga ond tmendes þæs bearges!

    Goodbye Mr. A…

  2. oldman says:

    “And you will continue to be ethically challenged @ldman.”

    And you will continue to be a bigoted little ignorant a$$hole.

  3. Kozmcrae says:

    “I will continue to get what I want to get done on Windows desktops, and you will continue to use your desktop.”

    And you will continue to be ethically challenged @ldman.

  4. aardvark says:

    Nice try with the belated HTML 4.0 reference, Mr Pogson, but I think we both know what you were implying. You used the phrase “HTML page,” not the more obvious “Web page.” Clearly that is intended to imply something.

    But we’re still both on the same page, as it were. Anything that can be copied into a browser (as you know, a browser can be served from a local file system).

    I’m looking forward to this. I’m sure you have the perfect example of something with HTML, scripting, absolutely anything, a bunch of links and so on.

    I promise you that I will first turn off my AV (in fact, I will reboot, just to make sure) and then click on anything and everything. Having done that, I will check on the “view source” to make sure I haven’t missed a single opportunity to infect myself.

    I hereby warrant that all possible consequences are my own responsibility.

    Do I get to see this magical page? I think not. You, Sir, are a total wuss.

  5. oldman says:

    “I still pity you @ldman.”

    You can pity me all you want. I will continue to get what I want to get done on Windows desktops, and you will continue to use your desktop.

    It’s all good, you see.

    Yip Yap Yip…! 😉

  6. Kozmcrae says:

    @ldman said:

    “I give you the answer you deserve Mr. K as the yapping little doggie that you are.”

    I still pity you @ldman.

  7. oldman says:

    “@ldman regurgitates his pitiful defense for his lack of ethics. I feel sorry for you @ldman. No ethics and no intelligence to hide the fact.”

    I give you the answer you deserve Mr. K as the yapping little doggie that you are.

    As far as your opinion of me is concerned, you know where you can put it.

  8. aardvark says:

    I’m sort of late to the party here, but what sort of an insult is “@ldman,” Mr McCrae? Is it meant to suggest that Mr Oldman is a TLD all of his own, for email purposes?

    Or perhaps you stood under the Hollywood sign as an impressionable youth and suffered an unfortunate and traumatic accident when the big letter O fell on you?

    I’m genuinely curious. Is it actually meant to be clever? It looks like the sort of “joke” a six year old would come up with, just after they’ve got through the poo and wee phase.

  9. Kozmcrae says:

    @ldman:

    “Yap @ldman Yip yip hide yap yap yip yip yip yip games.”

    @ldman regurgitates his pitiful defense for his lack of ethics. I feel sorry for you @ldman. No ethics and no intelligence to hide the fact.

  10. oldman says:

    Yap @ldman Yip yip hide yap yap yip yip yip yip games.

  11. Kozmcrae says:

    @ldman said:

    ““I don’t spread malware.”

    That is a copout Pog!

    You should be able to catch Mr. A out easily – if not you, then some other member of the geek patrol should step up.

    What about it?”

    @ldman is a copout. He refuses to own his own words. Is this a game?

    Is it?

    I don’t know, I asked first?

    No you didn’t, I did….

    So @ldman hopes to hide his lack of ethics in word games.

    You don’t fool me @ldman. Maybe you’re fooling other members of the Cult of Microsoft. They are ethically challenged too. So it’s easy to slip one by them.

  12. aardvark, playing troll games, wrote, “This is actually the theory he advanced, although he knows and I know that what he really meant was a web page (a slightly different and more complicated beast) with possible additions such as scripting.”

    As you well know, HTML files can and often do contain scripts, e.g. http://w3schools.com/js/tryit.asp?filename=tryjs_dom

    e.g. RFC 2854
    “the introduction of scripting languages and interactive capabilities in HTML 4.0 introduced a number of security risks associated with the automatic execution of programs written by the sender but interpreted by the recipient. User agents executing such scripts or programs must be extremely careful to insure that untrusted software is executed in a protected environment.”

  13. lpbbear says:

    “I’ve asked Mr Pogson for an example of an HTML file which on its own spreads malware. This is actually the theory he advanced, although he knows and I know that what he really meant was a web page (a slightly different and more complicated beast) with possible additions such as scripting. Now, I know, and I am fairly sure that Mr Pogson blah blah blah blah blah….”

    IDIOT! Put your money WHERE YOUR MOUTH IS. Turn OFF your Windows AV security bandages and start searching for porn, weapons, biker gangs, gambling and whatever sites. Visit the results.

    Prove the infallibility of Windows YOURSELF MORON since you’re the one banging the drums so avidly about how perfect it is. Don’t expect Pog to do it for you.

    Clown

    (and keep your scented aunt fanny out of it)

  14. aardvark says:

    Lighten up, Mr McCrae. There’s no reason at all why it shouldn’t be “fun and games.” FOSS could do with more of that, I feel: piddling around with X configuration gets tiresome after a while.

    I’ve asked Mr Pogson for an example of an HTML file which on its own spreads malware. This is actually the theory he advanced, although he knows and I know that what he really meant was a web page (a slightly different and more complicated beast) with possible additions such as scripting. Now, I know, and I am fairly sure that Mr Pogson knows (I might be losing you at this point, Mr McCrae, because you don’t seem to know anything much at all), that this, too, is a falsehood.

    What Mr Pogson presumably means is a web page with a link to malware, a link which I have to click. That’s closer to a real threat, but I’m happy to prove that it, too, is a falsehood. I’ve stated my proposition very, very clearly.

    Since neither Mr Pogson nor any of the rest of you have taken me up on this, I believe you have implicitly conceded utter defeat.

    This felony charge rubbish is just that. All you’d be doing is posting code (loosely defined) with a Terrible Warning that it is dangerous. It’s up to me whether or not I choose to infect my machine. Remember choice? FOSS is all about choice … except when people prove that they can make sensible ones, apparently.

    How do you lot think that security experts ever get details of potential exploits? Does the Magic Virus Fairy leave a fully-detailed dossier under their pillows at night?

    No. What actually happens is that somebody posts them an example of the exploit. That’s all I’m asking for.

    Refusing to commit a felony, my sainted aunt Fanny.

  15. oldman says:

    “This is not fun and games.”

    It’s not?

  16. Kozmcrae says:

    Do you expect Robert Pogson to break the law to satisfy your curiosity @ldman? This is not fun and games. Do you?

  17. lpbbear wrote, “As hard as all the AV vendors try they simply can’t keep up with 100% of all exploits that are hitting on a daily basis.”

    More than that, the M$-fanbois seem to feel that AV businesses are able to produce software that detects and prevents malware for vulnerabilities the AV business does not know about. They expect blind batsmen to continuously hit home runs. Sometimes the malware artist finds the vulnerability before anyone else on the planet so there is no defence possible in some cases.

  18. oldman says:

    “Are you serious?”

    Are you?

  19. Kozmcrae says:

    ““I don’t spread malware.”

    That is a copout Pog!”

    @ldman, you are asking Robert to break the law then call it a “copout” when he refuses?

    Are you serious?

  20. lpbbear says:

    These M$FT guys are pathetic. As hard as all the AV vendors try they simply can’t keep up with 100% of all exploits that are hitting on a daily basis. It’s not even totally Microsoft’s fault, though they share a huge burden of blame for the shoddy software they have been forcing down users’ throats for so long. No, it’s more a matter of there being too much all the time. Eventually, with or without security software, most Windows users get hit. It’s actually more the exception that doesn’t. Simple as that.

    If the MS dillwad wants to test turning off his AV software, just do it and then start searching for porn, gambling sites, free games, weapons and sporting goods or any other low-hanging fruit that tends to attract the average computer know-nothing user. It won’t take long before his system is “pwned” by someone in Russia, China, Zimbabwe or elsewhere. He won’t need Pog’s “testing” at all.

  21. No point was made. Drive-by infections do happen.

  22. oldman says:

    “Refusing to commit a crime is not a copout, oldman. Such a test on a LAN might be legal but compromising a remote system is illegal in Canada and USA. I will not bite.”

    So I guess you will concede the point being made?

    eh, Pog?

  23. Refusing to commit a crime is not a copout, oldman. Such a test on a LAN might be legal but compromising a remote system is illegal in Canada and USA. I will not bite.

  24. oldman says:

    “I don’t spread malware.”

    That is a copout Pog!

    You should be able to catch Mr. A out easily – if not you, then some other member of the geek patrol should step up.

    What about it?

  25. I don’t spread malware.

  26. Well, perhaps you have not heard of honey-pots. Perhaps you have an anti-virus thingy on your router. Who knows? If the AV does not recognize the malware it can get through and if you have malware for a vulnerability not yet patched by M$ and “partners”, you are toast.

  27. aardvark says:

    In fact, I will up the stakes. I’ll even switch my AV off. (As I noted, you were less than conspicuously honest on the subject of AV and Zeus, but let that pass. We are all scientists here, and we respect each other’s opinions.)

    Here are the specs for the experiment:

    I have a bog standard (£250) HP Windows 7 laptop, bought last year. I’ve been removing the crapware as I go along, and I’ve got rid of all the silly Norton and McAfee “promotions.”

    Currently I’ve got Avast installed. I will switch that off for the experiment. I will leave the network connection on, even though the network connection might deliver some other virus (according to you).

    I will be logged on as a User, not as SysAdmin.

    I propose to load your test HTML up — you are welcome to include Javascript, and in fact just about anything else you might consider dangerous.

    I propose to click on any and all links that you consider part of the experiment.

    Now, what do you think will happen?

    I’m awfully sorry to bore you with scientific method, Mr Pogson, but then you must have been similarly bored for the last forty years or so.

    Sadly, boredom is the price we occasionally pay for discovering the truth behind clearly falsifiable theories.

    Remember that the challenge is open to all, not just yourself. Even Mr McRae is welcome to send me HTML (if not via your blog, then as a TinyURL or similar.)

    Of course, you are welcome to challenge my motives and goodwill … but so what? The way that the scientific method works is, it’s reproducible.

    If I lie about the results, I will be found out. Even Mr Oiaohm is just about capable of repeating the experiment… once he’s translated the stipulated terms into gibberish, of course.

  28. aardvark says:

    Show me the HTML, Mr Pogson. Show me the HTML.

    Boring I may be, but I am proposing a perfectly valid scientific test. I am even prepared to suffer if the results turn out as you say.

    Are you up for the test, or are you rather less scientifically inclined than you pretend to be?

  29. aardvark is becoming boring. Lately, he wrote, “Nothing will happen.

    Oh, but you meant I had to click on something, didn’t you? Hence my accusation of Attack by Implication.”

    If the vulnerability/attack is one that is not recognized by the AV software, something may well happen.

    e.g. see Microsoft Security Bulletin MS11-029 – Critical “This security update resolves a privately reported vulnerability in Microsoft Windows GDI+. The vulnerability could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content.”

    An HTML document could well load images in your browser… No user action is required other than the normal operation of a web browser used to visit a site. No clicking on the links on that page was required.

  30. aardvark says:

    Mr Pogson:

    Once again, your special subject of Attack By Implication, I see:

    “Tell us, oldman, how does one keep that other OS safe when a user downloads an html document that exploits a vulnerability in that other OS that has hitherto not been seen before by the AV community and M$ has no patch for it???”

    Balderdash. This is not what happens.

    We can settle this quite easily. Post an HTML document on your site, and I promise I will copy it and load it into my browser (on a Windows system that happens to be 7 and AV protected, although in this case that is overkill).

    Nothing will happen.

    Oh, but you meant I had to click on something, didn’t you? Hence my accusation of Attack by Implication.

    It’s a little more difficult than that, as I’m sure you’re aware. However, let’s take this a logical step further. Tell me which link you want me to click on, and I will click on it. I will then report the results.

    They will be entirely boring, and, I am afraid, will put a significant dent in your implications.

    That’s an open challenge. You, Mr McCrae, Mr Oiaohm, Mr OE, Mr Dougman, or any security/cracker expert you can dredge up: Show Me The HTML. And here’s my promise: even if I know it is going to be harmful, I will still click on that link.

    I really can’t do better than that. Can you?

  31. From that perspective, M$’s stuff is malware complete with trojans and spyware. A re-re-reboot is a denial of service attack.

  32. Kozmcrae says:

    @ldman said:

    “I’ve NEVER been pwned – Ever! In fact until an antivirus package was mandated I never even ran with that!”

    How many reboots in that period, installs, patch Tuesdays, and how long were you paying 4 employees when you could have been paying one?

    It’s not just getting owned by malware @ldman, it’s getting owned by Microsoft.

  33. oldman wrote, “anyone who attached a computer to the internet has to be prepared to perform the tasks needed to keep safe.”

    Tell us, oldman, how does one keep that other OS safe when a user downloads an html document that exploits a vulnerability in that other OS that has hitherto not been seen before by the AV community and M$ has no patch for it??? Thousands of new malwares are released daily and a few of them are for unpatched vulnerabilities in that other OS.

    When you tell me that you have never had malware, you are telling me you severely limit the use of your PC compared to the intended/designed uses of it, like keeping it off-line etc. I have worked in many schools and recently they all have had fully patched, regularly updated OS/anti-malware and they have all had malware outbreaks. When AV updates finally arrived, I could sometimes find 100 instances of malware on a single PC. With daily AV updates that would be rare but it does happen. More typically there will be a half-dozen trojans doing who-knows-what to IT. I have never found a single instance on hundreds of GNU/Linux PCs that I have scanned. The people who hunt malware for a living report millions of species of malware for that other OS and only a few thousand for GNU/Linux.

    UPDATE I just stumbled upon Verizon’s survey of breaches of IT systems. 48% were keylogger thingies, 20% involved backdoors caused by malware, and 18% involved disabling security measures. Larger organizations which presumably can afford the best protection still had 18% of breaches being backdoors caused by malware. 71% of breaches of larger organizations by hackers (not malware) took only minutes to accomplish. 39% of compromises of larger organizations took months to discover. 86% of the large organizations that were compromised in the survey sample regularly update their anti-virus software but 28% of their compromises involved malware.

  34. oldman says:

    “I tell my customers and clients, if you use Windows you will get owned, period.

    Not now, not today, not even tomorrow, but at some point down the road it is inevitable.

    D.

    Really?

    I’ve been using Microsoft-based desktops on the open internet since ca. 1990 (Windows 3.1 with Trumpet Winsock running on top of the packet driver interface). I’ve NEVER been pwned – Ever! In fact until an antivirus package was mandated I never even ran with that!

    And I am not unique.

    The team that I work for manages and maintains a farm of 350+ windows servers (from Windows 2003 through 2008 R2) – none have been pwned – EVER!

    Magic? Nope – just systematic maintenance and following of a defense in depth strategy for ALL of our servers.

    The real answer you should be giving Mr. D. is that no system is secure by design, and that anyone who attached a computer to the internet has to be prepared to perform the tasks needed to keep safe.

  35. aardvark says:

    (I apologise to Mr lightpriest. The “Lightyear” thing wasn’t meant as an insult or some silly Disney reference; I just failed to scroll up and forgot your name.)

  36. aardvark says:

    Mr km:

    “Whatever you claim, you just can’t say that Windows is a safe by design system.”

    Where on earth did you ever get the idea that I believe that?

    It’s quite possible that there is no such thing: even OpenBSD admits to a couple of vulnerabilities in the past. The easiest way to have a “safe by design” OS, other than never switching it on, is to completely disconnect it from the network and never to allow removable media. A milder version of this policy is what happens in proper “safe by design” server complexes such as large telecoms companies, defense departments, etc. As we know, it doesn’t always work; but it’s better than blind belief in some weird foundation myth of an OS.

    You could try a Capability-based OS, running on a microkernel. That might work … it certainly ought to do better than any “modern” system.

    Failing that, however, I do indeed maintain that NT-based systems since about 2003 are as “safe by design” as is Linux. In fact I would argue that they are getting more so; whatever you may say about Patch Tuesday, it beats having to wait six months for the inevitable re-installation of a Linux desktop before you get security updates.

    Once again: if a single one of you geniuses cares to explain how a botnet distributed via phishing and drive-by downloads has anything to do with the OS itself, we can perhaps have a sensible conversation on the issue.

    Given the evidence so far, I won’t be holding my breath.

  37. aardvark says:

    Mr Pogson:

    ‘aardvark being a cursed troll insinuated, “Funny how you let that small implication slink through, isn’t it?”’

    I rather like that “cursed troll” thing. It makes me sound like a minor character in a Gilbert and Sullivan operetta. Somewhat of an over-reaction to what I actually accused you of, and still accuse you of (I did not insinuate anything):

    “I have never stated that 55% of any set of PCs was infected. The surveyors did.”

    Actually both of you did, as it happens. But I agree, your statement was

    “55% of Zeus-infected PCs had uptodate anti-virus software in one survey.”

    You didn’t make similar claims for the percentage that are pink, or the percentage that run (say) IE. The clear implication (not present in the link, which provides context) is that up-to-date virus protection software still leaves you equally vulnerable on a Windows system. Or did you intend to suggest something else? I’m open to whatever it is.

    If you paid half the attention to the six numbers present in your link that you do to whichever numbers you can dredge up to support your pet theories, you are more than capable of producing the following:

    No AV: 23 – 31 – 1.348
    Old AV: 6 – 14 – 2.33
    U2D AV: 71 – 55 – 0.77

    The last three columns being %age general M$ population, %age of infected set, and of course the second divided by the first.

    Looks to me like up-to-date Windows AV is actually quite a useful thing to have if only to protect against Zeus, according to these numbers. I could speculate on why out-of-date AV is so dramatically worse, but I leave speculation to men of mature years with a lot of spare time on their hands.

    Incidentally, to Mr McRae and Mr Lightyear and the rest, it’s a bit much dumping on me for taking this on, isn’t it? To quote Mr McRae, near the top of the thread:

    “Clarence? aardvark? Any Cult of Microsoft members care to come to Microsoft’s defense of their atrocious security record?”

    Isn’t it rather child-like to issue a challenge like that and then be surprised when somebody actually answers it?

  38. lightpriest says:

    Ivan, how can you compare an exploited escalation to make a file executable to a file being executable just because its extension is “.exe”?

  39. km says:

    @aardvark
    We are so lucky that the FBI can target only one OS, and can coordinate action with a wise and insightful corporation. Otherwise it could be a disaster. Viruses on most computers, malware, trojans, botnets…

    Whatever you claim, you just can’t say that Windows is a safe by design system. If it were a user-friendly system for the masses it should be designed exactly to stop users from doing stupid things, not encourage them.

    What can you say about, e.g., Outlook’s ‘feature’ to open links by hovering the mouse over them? Is this safe in any means?

  40. lightpriest says:

    I’m always puzzled by people like this one.

    What exactly are you trying to prove? That Pogson is wrong?

    Let’s assume for a minute that Pogson is wrong.
    If he’s wrong, let him follow his wrong path.
    If you trust he’s smart enough, he’ll probably realize he is wrong some time in the future.
    If you don’t think he’s smart enough to realize he’s wrong, why do you even bother to comment?

    Either way, you’re wasting your time with your distasteful comments.

  41. Ivan says:

    In GNU/Linux, the user has to know how to make the file executable whereas in that other OS, the system does it without question if the user is running as Administrator as many millions do so they can get anything done.

    No, they don’t. All it takes is a chained privilege escalation exploit (there are quite a few of those) with a scripted chmod +x for your “impenetrable linux box” to be part of a botnet.

    There is no shortage in that other OS.

    There is no shortage of those in OSS, either.

  42. It needs multiple vulnerabilities to get in. There is no shortage in that other OS.

  43. Bender says:

    “It uses a large repertoire of M$’s vulnerabilities.”, why would it need to do it if it were distributed by drive by downloads or phishing attacks as you claim? It is using vulnerabilities, simple as that, and phishing and drive by download attacks are a bonus to make it even easier to infect.

  44. aardvark being a cursed troll insinuated, “Funny how you let that small implication slink through, isn’t it?”

    I have never stated that 55% of any set of PCs was infected. The surveyors did.

    The fact is that no anti-virus software can be up-to-date for detecting all viruses. The surveyors clearly measured the effectiveness of up-to-date antivirus software in detecting malware. One author even found that with five successive up-to-date anti-malware programmes, some malware still is undetected. An author of malware has no limits on how he/she can encrypt stuff, randomize stuff, etc. until there are no stable clues to presence or activity. Scanners normally do periodic scans or scan-on-access and all can be subverted by rootkits. It’s foolish to hold otherwise. It’s like believing you are immune to fire in a tank with x mm of frontal armour when something hellish can come in through an open hatch.

  45. Kozmcrae says:

    aardvark said:

    “I wouldn’t know, Mr Pogson. I’ve never heard of it happening.”

    aardvark, you have reached a level of denial beyond much of what we have seen on this blog. Microsoft’s record on security is indefensible. And you’re part of the problem. If you deny there is a problem, then how can it be approached to be fixed? The proof that Microsoft has failed utterly in security is the multi-billion dollar industry it spawned just to service it.

    Be a part of the solution aardvark. Admit that Microsoft has failed to produce an operating system where security is a top priority. I’m not holding my breath. I’m just giving you another opportunity to be a jerk and use some kind of twisted logic to show Microsoft is not at fault, or that GNU/Linux is “just as bad”. Somehow, to the Cult of Microsoft if you can “prove” that something else is “just as bad” then it’s okay.

    Come on aardvark. Let’s hear your BS. Make it good. I know you won’t let me down.

  46. aardvark says:

    And one more tiny point of mathematical fact, Mr Pogson:

    “55% of Zeus-infected PCs had uptodate anti-virus software in one survey.”

    Indeed so. But this was a survey of computers infected with Zeus, I believe. (The sample was 10,000 infected computers, as I recall.)

    As you are no doubt aware, what with having based your entire career since the 1960s on crunching the numbers, this is an entirely different proposition from stating that “55% of Windows systems with uptodate virus protection are infected with Zeus.”

    Funny how you let that small implication slink through, isn’t it?

    And, not to belabour the point (although I’d be happy to do so), this does not imply that the 55% in question were “uptodate” with virus software at the point where they were infected … which is quite important, if you want to catch a drive-by. Nor does it imply that the 55% routinely run a disk scan, without which the figure is meaningless.

    Nor does it imply that somebody who relies on an “uptodate” virus scanner does not routinely (and against all advice for the last several years) browse the Web as System or Administrator; nor does it imply that the idiot in question is somehow protected from the urge to click on a link to “Download Free Porn Now!”

    In short, it’s a totally irrelevant metric.

  47. lightpriest says:

    Mr. aardvark, you base your logic on a point in time that 57 types of distros would be infected, but you fail to explain how that would happen when:

    1. There are no drive-by downloads in Linux.
    2. You don’t install software from the internet.
    3. Multiple distros using multiple types of GUIs (Gnome classic, GNOME3, KDE, Unity, XFCE), as means to trick users to click on stuff, makes it even harder to create .

    Please, stop waving your hands (unrelated facts) trying to justify your comment.

    Phishing, key-logging and JS injection is not in any way related to installed Malware on a user’s computer which creates large computer botnets – it’s a matter of personal data security.
    Banking computers are not desktop computers.

    You blame Linux for something that never happened, and that practically breaks your whole claim.

  48. aardvark says:

    One more thing, Mr Pogson: I say that browsers have “little choice in the matter,” but in fact they do. IE is particularly good at this.

    Might it just be that the poor souls infected with Zeus were using a FOSS browser that didn’t bother to warn them?

    See, I can come up with silly unsubstantiated scare stories just as well as you can.

  49. aardvark says:

    One tiny correction to your otherwise admirable piece of science fiction, Mr Pogson: it doesn’t matter a whit whether the OS or the browser or even the user downloads an executable without the user’s knowledge.

    The only thing that matters is whether the user executes it.

    This is the basic principle behind phishing, which you might want to look up.

  50. aardvark says:

    “Bingo! What the Hell is an OS doing downloading stuff without the user’s knowledge? Stuff like executables?”

    I wouldn’t know, Mr Pogson. I’ve never heard of it happening.

    I wouldn’t even characterise a drive-by download as being the browser’s fault, either: unless you take a strict interpretation of the sandbox concept (which Sun and Netscape tried, originally, and it didn’t catch on), then the browser (which let me remind you is not an operating system) has little choice in the matter.

    Just out of interest, why did you wait four years before “revealing” this awful lack of responsibility by That Other Operating System?

    Were you asleep for the whole four years, or is it just that you don’t like the idea that Microsoft is rather better at solving important problems — even when they are not Microsoft’s fault — than any Linux distro you care to name?

    I’m going with the second theory.

  51. aardvark says:

    Mr Lightpriest:

    That’s because you didn’t pay attention.

    The FBI can target whatever they like, but it isn’t going to help them much if they deal with 57 separate practically penniless organisations (plus RHEL plus Canonical plus a few others), is it?

    Just tracking the thing down would be a nightmare. Expecting collective action from 57 different no-hope distributors of other people’s software (which is what Downstream is, let’s not kid ourselves) is somewhere between naive and insane.

    Don’t take my word for it. Ask the banks. Commercial banking is not a field that is presently burdened with a big ole chunk of Linux desktops, and for very good reason.

  52. lightpriest says:

    aardvark, you mean the FBI would have a hard time targeting 57 distros, but malware creators would have an easy job at it? I don’t get that logic.

  53. Ivan wrote, ” Social engineering works on all operating systems.”

    Compare “Here, run this executable on your system” in that other OS and in GNU/Linux. In GNU/Linux, the user has to know how to make the file executable whereas in that other OS, the system does it without question if the user is running as Administrator as many millions do so they can get anything done. That’s a completely different atmosphere for malware. Same goes for clicking on the link to this picture of a pretty flower. In that other OS, rose.jpeg.exe is treated as an executable upon download and the system will run it, whereas a download in GNU/Linux has read/write permission but is not executable by default. That’s huge. A user of GNU/Linux has to choose to mess up his system whereas M$ is only too glad to mess it up so M$ can sell another licence “when the hard drive breaks”.

  54. Ivan says:

    No it doesn’t. Social engineering works on all operating systems.

    And it is that dismissive attitude that leaves very little stopping a determined dickhead from attaching a trojan to a developer signed package and having that shipped by say, Debian, Ubuntu, or Fedora.

  55. aardvark wrote, “Once one of you geniuses cares to explain how a botnet distributed via phishing and drive-by downloads has anything to do with the OS itself”.

    Easy, aardvark:

    1. drive-by download – “Any download that happens without a person’s knowledge, often spyware, a computer virus or malware.”
    2. Internet Exploder – “integrated tightly with the OS” FAIL! We don’t need malware integrated with an OS ever.

    Bingo! What the Hell is an OS doing downloading stuff without the user’s knowledge? Stuff like executables? That’s the OS not the user at fault. M$ has a long history of making stuff like that “convenient” and “easy to use”. How about hiding the “file-extension”? So “Picture of the Wife.jpg” is seen by the user and not “Picture of the Wife.jpg.exe”! What crapware does that? How about “Auto-run”. It might as well be called “Auto-infect”. On top of the faulty software shipped by M$, they made it ubiquitous by leveraging monopoly and forcing exclusion of other, better software.

    So, there are multiple levels of blame to be put on M$ for such things and aardvark is silly to argue otherwise. Could malware involve GNU/Linux systems? Certainly, but I have never seen it and the whole attitude of GNU/Linux makes that more difficult.
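The hidden-extension trick described in the comment above (“Picture of the Wife.jpg.exe” displayed as “Picture of the Wife.jpg”), as an added defender-side check that is not part of the original post or any commenter’s code: it simulates what a user sees when known extensions are hidden and flags download names whose real extension is executable while the displayed name ends in a document or image extension. The extension lists are assumptions, not taken from the page.

```python
"""Flag download filenames that would mislead a user when the file
manager hides known file extensions (e.g. 'rose.jpeg.exe' shown as
'rose.jpeg'). Added example; the extension sets below are assumptions."""
import os

# Assumed list of extensions the OS treats as runnable when opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd",
                   ".pif", ".vbs", ".js", ".msi"}
# Assumed list of harmless-looking extensions a lure file mimics.
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf",
             ".doc", ".docx", ".txt", ".mp3"}


def displayed_name(filename: str) -> str:
    """Name as shown with 'hide extensions for known file types' on:
    only the final, known extension is stripped from the display."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | LURE_EXTS:
        return stem
    return filename


def is_deceptive(filename: str) -> bool:
    """True when the real extension is executable but the displayed
    name ends in a lure extension, i.e. a double-extension disguise."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in LURE_EXTS


def triage(filenames):
    """Return the names from a download listing that should be held
    back or warned about before the user double-clicks them."""
    return [name for name in filenames if is_deceptive(name)]


if __name__ == "__main__":
    # Constructed sample listing, not real downloads.
    sample = ["rose.jpeg.exe", "notes.txt", "invoice.pdf.scr", "setup.exe"]
    for name in sample:
        print(f"{name!r:25} shown as {displayed_name(name)!r:22} "
              f"deceptive={is_deceptive(name)}")
```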

  56. aardvark says:

    A sad lack of invective, Mr McRae: you disappoint me. Fortunately, your standard level of thorough ignorance.

    Once one of you geniuses cares to explain how a botnet distributed via phishing and drive-by downloads has anything to do with the OS itself, we can perhaps have a sensible conversation on the issue. (That, and Mr McRae would have to put a sock in it, which is unlikely.)

    It’s interesting how Zeus has been around for three or four years now, and it’s only when Microsoft co-ordinates action with the FBI and the credit industry that Mr Pogson actually notices it. Or perhaps Microsoft is remiss in taking this action? Maybe these things are best left alone, in much the same way that Linux security holes sit around for years before anybody notices?

    If anything, Zeus is a very good argument for using Windows 7 and IE9 or IE10. You could just about get by with Firefox, I suppose, but IE is built to-purpose for Windows, which means it is more likely to pop up messages like “Are you sure you want to click on that download link, you idiot?”

    As for my preference for Windows under these circumstances: imagine for a moment that 90% of desktops are Linux-based, rather than Windows-based. (The precise figure doesn’t matter, so let’s not go off on a tangent.)

    Now you’d have precisely the same dangers of drive-bys, phishing, key-logging, HTML injection, etc, but the Feds and the banks would have 57 different distros to deal with, each in a constant and unmonitored state of flux, with little hope of the people who run the distros being able to help in any way whatsoever. After all, a distro is free; there is no Distro Tax.

    Which means that practically no supplier of Linux on the desktop would have the resources to fight back against the threat.

    Do you really think that financial criminals would not target Linux, if it had 90% of the desktop market?

  57. dougman says:

    I tell my customers and clients, if you use Windows you will get owned, period.

    Not now, not today, not even tomorrow, but at some point down the road it is inevitable.

    D.

  58. Kozmcrae says:

    Clarence? aardvark? Any Cult of Microsoft members care to come to Microsoft’s defense of their atrocious security record?
