Between A Hammer And An Anvil There Is No Space For Security

“Malwarebytes anti-malware is the latest security software to be lanced by Ormandy, who has found serious flaws in products from AVG, Kaspersky, FireEye, Trend Micro, ESET, Sophos, and most recently in Comodo’s Chromodo Chrome fork.”
 
See Google lays bare security flaws in anti-malware product with 250 million users
Personally, I quit using That Other OS when M$ shipped me stuff that just didn’t work. It would crash whether it was idling or in use. It wasn’t a reliable platform for the simple IT of my classroom.

Later, I migrated whole schools that could not afford to keep TOOS running. Between unbootability and malware, it took way too much effort to keep TOOS running. It prevented schools from having enough computers working to do the job. The usual response of schools was to install “antimalware software”, stuff that recognized malware and isolated or removed it. Over the years I worked in schools that used several of the products listed in the quotation on the right. None of them kept the malware at bay. M$ created the malware industry by shipping insecure crapware as an OS. M$ created the antimalware industry by not improving their product but relying on third parties to maintain their jelly-like OS. Between the non-Free (user unable to see how the software worked) nature of most antimalware software, M$’s constantly moving target of an OS and the creativity of the criminals, no one could keep that other OS working.

The latest revelation should be the last straw for many. They should try Debian GNU/Linux. In all the machine-years of usage I’ve seen, I haven’t seen one instance of malware. Not one. Don’t be between the criminals’ hammer and M$’s anvil. Just get away from it all. Use GNU/Linux.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

17 Responses to Between A Hammer And An Anvil There Is No Space For Security

  1. kurkosdr says:

    You are ancient and feeble, Robert, and you have never once touched a Microsoft desktop application from Vista (2005) onwards.

    Birch please… Pog’s memories stopped at XP.

  2. DrLoser says:

    One small plea, Robert.

    DrLoser lost when he wrote…

    May I ask you not to descend to the pitiable levels of oiaohm, who routinely prefixes his posts with an inaccurate insult?

    Or Dougie, whose first resort is remarkably similar?

    Perhaps you could lead by example. And should you choose to shoulder this responsibility, may I suggest that “winning” or “losing” is not an acceptable alternative to the process of proof via scientifically observable fact?

    No, hang on.

    I’m wasting my time here on you morons, aren’t I?

  3. DrLoser says:

    You do recall 64-bitness, I presume?

    Recall? I might or might not “recall” 64-bitness, and in the simple interest of educating you, Mr Pogson, after all these (15) years, was a hardware issue.

    Not remotely relevant here. Consumers buy software.

    Desktop Linux developers typically do not “consider” any feature until it has gained some sort of traction through Microsoft’s offerings.

    It is a simple and obvious observation. For the last fifteen years … possibly the last twenty years … the only thing that Linux Desktop developers have done is to chase Microsoft’s tail.

    Which is quite ironic, really. Because, and the literature will back me up on this (Microserfs etc.), this is precisely what Microsoft used to do.

    Right up until about 2005 or so.

    Never mind. You are ancient and feeble, Robert, and you have never once touched a Microsoft desktop application from Vista (2005) onwards.

    I pity you.

  4. DeafSpy says:

    Not quite so, Robert. The first 64-bit version of XP was actually released in 2001:
    https://en.wikipedia.org/wiki/Windows_XP_editions#64-bit_editions.

    And, back in these times, 64-bit was totally irrelevant on desktop.

  5. DrLoser lost when he wrote, “Desktop Linux developers typically do not “consider” any feature until it has gained some sort of traction through Microsoft’s offerings.”

    You do recall 64-bitness, I presume? GNU/Linux had that in 2004 but M$ didn’t release XP/64 until 2005. Linux had been developing AMD64 since 2001, even before the hardware was available.

  6. DrLoser says:

    I believe GNU/Linux never even considered “autorun”.

    First of all, Robert, Desktop Linux developers typically do not “consider” any feature until it has gained some sort of traction through Microsoft’s offerings. There are advantages to this — Desktop Linux can wait and see if an idea really works before adopting it. I’m not entirely sure that one can consider it an intentional strategy, however: it’s just that Desktop Linux developers don’t have the resources to come up with useful ideas of their own.

    And secondly, my basic point is not invalidated. Microsoft was in the business of providing a consumer good to 80+% of the marketplace. (And, Munich notwithstanding, they are still in the business of providing a corporate good to 80+% of that slightly different marketplace.)

    This put them, and puts them, in a completely different position to that of Debian, for example. Debian can afford to ignore the demands of customers, because for all intents and purposes they don’t have any.

    Interesting though your paranoid historical revisionism might be, I suggest that Occam’s Razor suggests The Marketplace as a more believable explanation for those massive security bloopers.

    And since The Marketplace has moved on, and Microsoft has learned its lesson in security, we are now blessed with a version of Windows that is at least equal to, if not superior to, Desktop Linux in terms of security.

    (It’s also a darned sight more functional. Not that you will ever find out, of course.)

  7. DrLoser says:

    So, can you really blame them for that assumption? I dunno, I think we should. Such a narrow-minded view of what the internet would be was simply naive.

    That, again, I humbly submit, is “rewriting history from a personal perspective.” If predicting the future was easy, we’d all be at it — not just Mr Pogson.

    Let’s try a little thought experiment and take Microsoft out of the equation, whilst still retaining “the Internet.” Now, as you know, the IMG tag was not originally part of Berners-Lee’s design — it was foisted on him by Andreesen.

    I’m not saying that it’s a bad idea — in fact, on its own, it fits in quite nicely with the original “Wikipedia-like” notion of the WWW. Just an enhancement of static pages, each still with a URL that genuinely acts as a URL — that’s all.

    Unfortunately (I suggest, for current purposes), once you start down this road, you’re pretty much committed to following it all the way down. The IMG tag suggested embedded media in general. Embedded media led to MPEGs. MPEGs led to adverts. And in order to make this new architecture work even half-decently, you have to expand the original notion of small JS scripts into whacking great monstrous libraries with call-backs and … that is how we got to where we are today, for good or ill.

    Now, if you truly believe that T-BL should have seen this coming, then you are a harsher task-master than I. And I haven’t even begun to discuss XSS and third-party applets and all the rest.

  8. Deaf Spy wrote, “USB sticks were just beginning to replace CD-R/Ws. That was a new revolution coming. People were used to having CD-s autoran by the system. They expected USB sticks to behave the same way more or less. Yes, you can blame them now, but try walking in their shoes back then.”

    Ordinary people have known that carrying loaded firearms can be dangerous for a long time. M$ should have known better but sold convenience to users and criminals. M$ has dirty hands. I believe GNU/Linux never even considered “autorun”. The idea of welcoming random software/malware is abhorrent to all thinking human beings. M$ considered it “collateral damage” on its road to monopoly. That’s why they shipped Lose ‘9x with zero features to enhance security and ~50K bugs. It was the Garden of Eden for malware. By the time XP rolled around they were little better until SP2 which broke most people’s systems because insecurity was built in and was a dependence for many applications.

  9. Deaf Spy says:

    … the security blunders in XP could possibly originate from the fact Microsoft thought the internet would be like Cable/Satellite TV, where you don’t have to worry about …

    You certainly have a valid point, Kurks. Microsoft did underestimate the importance and threat potential of the Internet back then. One needs to look no farther than how DCOM works for a proof.

    However, I want to discuss a bit more Dr. Loser’s point about easiness of use.

    When XP was coming over, USB sticks were just beginning to replace CD-R/Ws. That was a new revolution coming. People were used to having CD-s autoran by the system. They expected USB sticks to behave the same way more or less. Yes, you can blame them now, but try walking in their shoes back then.

  10. oiaohm says:

    One of the serious bad ones is Windows XP firewall only works on incoming traffic not outgoing. Every other OS with a firewall at the time worked on traffic going in both directions.

    Even Windows 2000 was a rare OS server at the time not to ship with a firewall by default. Microsoft seems to take the cheapest path on security. Enough to make users think they are fine.

    It’s like the new Microsoft Edge browser’s private browser mode writing everything the user has done to disc. Hey, that’s cheaper code. There is a long and ongoing track record of pure stupidity with Microsoft and security.

  11. kurkosdr says:

    They were made on purpose, and not through ignorance.

    That is why XP was “designed to be attacked.” Actually it was “designed to be trivially easy to use.”

    That. As I’ve said in the previous post, the security blunders in XP could possibly originate from the fact Microsoft thought the internet would be like Cable/Satellite TV, where you don’t have to worry about the mpeg streams triggering an exploit in your Satellite/Cable box and injecting malicious code. Aka an internet where everything would be curated, and all .com websites would be nice little American websites (bound to American law), giving correct WhoIs info, not link to scripts from shady off-shore sites and the like.

    So, can you really blame them for that assumption? I dunno, I think we should. Such a narrow-minded view of what the internet would be was simply naive.

    And there was no reason whatsoever to allow unsigned driver installation by exe’s. If some manufacturer is dumb enough to not sign their drivers, ‘eff them. This is what they did in 8.x anyway. I tried to install a no-name USB video grabber for my dad (yes I know, where do I find that stuff? Don’t ask, I wasn’t the purchaser), and the unsigned driver didn’t even install (no red-dialog asking for permission). You have to go to device manager. I like it this way.

    PS: The video grabber was boasting “windows 8 compatibility”, because they wrote in their readme file “manual driver installation only for Windows 8”. Okay…

  12. DrLoser says:

    And as Kurks points out, it’s always a pleasure to hear from the resident paranoid nutter.

    I remember going to seminars where the mathematical and theoretical aspects of this were being presented and discussed.

    I don’t think any of us remember you going to these seminars, RAM. I’m sure you did. It’s just that we have not, hitherto, been privy to the information.

    Perhaps you could dredge up, from memory, a couple of relevant dates, locations, organisers, and topics. No further details necessary. No links requested. It’s a simple, uncontroversial, request, I think.

    Microsoft didn’t exist yet, but Ms. Gates (the real brains behind the outfit associated with the name Gates) was in attendance.

    MARY MAXWELL GATES?????

    Nutter.

  13. DrLoser says:

    Some of the XP security blunders happened because Microsoft was actually averse to changing things, such as their USB autorun mechanism or the “executables do everything they want” which was a legacy from the early Windows years.

    Well now, an interesting and informed comment. Something you don’t get to see every day on the Pog Blog.

    (Oh, I forgot. Kurks has actually run Windows systems in the last ten years, and few if any of the others have.) Anyway, I beg Kurks’ leave to disagree on this point, at least in a mild “I think you’re rewriting history from a personal perspective” way.

    That Auto-Run thing? That “Users are Admin by default” thing? And quite possibly several of the other security blunders? They were made on purpose, and not through ignorance.

    (Pauses whilst the Peanut Gallery rolls around in the aisles.) You have to remember that the “consumer” version of NT — which would be 2000 and XP — was targeted at consumers. 80+% of PC consumers world-wide, in fact. And it’s not an easy sell to consumers when you start by saying “no, you can’t do that” or “after you insert the USB device, you’ll have to go to File Explorer” or indeed anything that involves planning and care and more than a single click.

    That is why XP was “designed to be attacked.” Actually it was “designed to be trivially easy to use.” By the time the waves of attacks over the (still relatively new, and at speeds of 9.6KB on a dial-up, I might add) Internet came along in the Summer of Worms, it wasn’t really possible to turn the supertanker around very quickly.

    Thus Longhorn and Vista and 7 and so on. You can fault Microsoft for a lot of things, but when they notice they’ve made a foundational mistake, they are very good indeed at digging a solution out of their extensive R&D labs.

    These days, Microsoft have partially trained users to act in a secure manner. Yup, there are still PEBCAKs, but it’s far harder to exploit them — other than via the usual Nigerian Prince methods.

    Desktop Linux doesn’t really seem to have learned the same hard lesson since 2000 or so. Possibly this is because the unique brand of uninformed users that Linux attracts is still wedded to things like FTP for outward-facing file transfer, and other gaping security holes.

  14. kurkosdr says:

    @ram

    You are a conspiracy-theorist with a severe case of microcephaly.

    The real reason was that early home computers were little more than a CPU and a basic BIOS. The OS was little more than a command prompt, filesystem/graphics card driver and a set of APIs for basic input and output. Microsoft just made the mistake of not “boxing” dangerous legacy features (such as writing in the OS folder or settings, installing drivers, autorun) behind confirmation dialogs, like they did in Vista later.

  15. ram says:

    The whole Microsoft and consumer PC thing was a creation of the surveillance branches of the US Military. It was all DESIGNED from the beginning to be totally insecure at a deep and fundamental level. I remember going to seminars where the mathematical and theoretical aspects of this were being presented and discussed. Microsoft didn’t exist yet, but Ms. Gates (the real brains behind the outfit associated with the name Gates) was in attendance, as were representatives of various government agencies and defense contractors.

  16. kurkosdr says:

    M$ created the malware industry by shipping insecure crapware as an OS. M$ created the antimalware industry by not improving their product but relying on third parties to maintain their jelly-like OS.

    True that. Whoever designed Windows XP either had no concept of security or assumed the internet would be like cable/satellite TV, where everything is eponymous and curated.

    Every “infect me” blunder that could be made, was made in XP: Making every user an admin by default, have apps automatically inherit (practically) all user privileges (instead of having some UAC or permission system to limit what they inherit), apps could poop in the C:\Windows folder, set auto-start entries and modify the registry without even asking. Also, goddamn USB autorun. Finally, the ability for apps to install unsigned drivers without any permission from user was added as an extra feature, for your rootkit-authoring pleasure.

    So, it doesn’t surprise me the AV industry grew so humongous in the XP era. XP’s security can, to a large degree, be described with the following phrase “if a piece of code is loaded in memory, it’s game over for the whole system”.

    BTW, this is why I stuck with Vista when everyone else was downgrading back to XP, I could see the benefits of being asked before some exe does something privileged. Oh yeah, forgot to say Windows is much more secure now. In fact, it even comes with Windows Defender, which has much higher detection rates than ClamAV. If you don’t run unsigned executables and don’t mess with Windows Update settings, it’s safe. Just like you shouldn’t run untrusted GNU/Linux packages and mess with the update settings. Sorry Pog, your memories are outdated (this sounded like something from a Tron movie).

    Small wonder the AV industry is collapsing right now, save for McAfee and Norton who have deals with OEMs to intimidate users that if they don’t buy subscriptions their PC will blow up.

    M$’s constantly moving target of an OS and the creativity of the criminals, no one could keep that other OS working.

    I have to disagree with that. Some of the XP security blunders happened because Microsoft was actually averse to changing things, such as their USB autorun mechanism or the “executables do everything they want” which was a legacy from the early Windows years.
