Malicious Spam Up 500% in 2009

 By Shamus Feb 21, 2010 176 comments

For the last several years malicious spam has held steady at around 600 million a day, but in 2009 it jumped to 3 <carlsagan> billion </carlsagan> a day, roughly a fivefold increase. (Malicious, as opposed to merely unwanted. The “unwanted” numbers are much higher.) According to the report [pdf file], the increase was due to the growing proliferation and sophistication of botnets.

It’s interesting to note that Adobe Acrobat (and the Adobe product line in general) was by far the leading source of vulnerabilities in the report. Which makes it humorously mysterious as to why the people who put the report together chose to package their findings inside of a pdf file. Okay, the report itself is not a source of infection, but the second-biggest problem* with Acrobat is that people routinely use it for packaging information that would be more useful as simple HTML. Let us not further legitimize this practice with a document outlining the dangers of this practice.

Anyway. Botnets. Botnet is such a strange term. It makes it sound like there are these legions of networked robots, like the Geth all nestled into cold metal racks, ticking away the time thinking malevolent computer thoughts about the worthlessness of fleshbags. But the truth is that a botnet is simply a bunch of compromised machines owned by the clueless, the uneducated, the irresponsible, or the idiotic. When your friend asks you to come over and help fix their computer and you find the thing is overrun with mysterious and malicious processes, you’re not just looking at a hosed computer. The machine in front of you has most likely been given over to the service of the baleful and dangerous machinery that poisons the network every day. People frequently gesture vaguely in the direction of Russia or China when speaking of mysterious cyber threats. But the real threat is coming from your buddy’s PC because he downloaded and ran a program he shouldn’t. The emails may have been authored in far-off lands (maybe) but they are being sent from his computer and millions of others like it.

My wife seems to be the go-to woman around here when computers go bad among friends and family. (People used to call me all the time for help with these sorts of problems, since I’m the “computer guy” to them. But every. single. person. owns a dog or a cat, and I’m very allergic. Which means I can safely and honestly refuse for health reasons instead of needing to invent some other excuse.) My wife is cursed with a rare form of perseverance and generosity that compels her to take on these sorts of jobs. She used to simply install AVG anti-virus and have it cleanse the machine, but over the years the threats have grown more sophisticated. She eventually encountered a machine that wouldn’t let her install SpyBot or whatever other tools she needed. The malware was purposefully defending itself. This, along with the risk of missing unidentified threats, caused her to adopt a scorched-earth policy: If you call Heather she will fix your computer. But she will do so by installing the operating system fresh. Oh? You’re disappointed that you lost all your settings and that cute little screensaver of the bunny you loved so much and now the machine has forgotten all your passwords and bookmarks? Well maybe next time you should think twice before downloading software from www.microsoft.f3gxq9i12p.com/totallylegit/trustus.html.

I kid. Sort of. It’s easy to get frustrated with people who fall into these traps, but the truth is that a lot of the knowledge we take for granted took years to acquire. How to spot a bogus URL. Or understand the difference between where a link actually points and the text that displays it. Or spot a phishing email based on the lack of proper https (a weak signal on its own: https only tells you the connection is encrypted, not that the site on the other end is who it claims to be). Or how to identify dangerous or potentially dangerous documents. (pdf files.) Or when a site or email is asking for information they should already have. Or how to tell that this popup window didn’t ACTUALLY scan your computer and find a bunch of viruses.
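Two of those tells (link text that disagrees with the link target, and a trusted name buried inside a stranger’s domain, like the microsoft.f3gxq9i12p.com address above) can be checked mechanically. The following is an added example written for this page, not code from the original post or from the report it cites. The brand list, the sample message and the two-label rule for “registrable domain” are assumptions made to keep it short; real mail filters use a public-suffix list and a far larger brand table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands worth protecting, mapped to the registrable domains they actually use.
# Constructed for this example; a real deployment would load a much larger list.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "live.com"},
    "paypal": {"paypal.com"},
}

# Something in the visible link text that looks like a host or URL.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ('www.example.com/x')."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (example.com from www.mail.example.com).
    Deliberately naive: multi-label public suffixes such as co.uk are ignored,
    an assumption made to keep the example short."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return human-readable findings for one anchor; an empty list means clean."""
    findings = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    if not host:
        return findings
    dest = registrable_domain(host)

    # 1. The text shows one site, the href goes to another.
    shown = URL_IN_TEXT.search(text)
    if shown:
        shown_host = host_of(shown.group(0))
        if shown_host and registrable_domain(shown_host) != dest:
            findings.append(f"text shows {shown_host} but link goes to {host}")

    # 2. A trusted brand used as a label of a domain that brand does not own
    #    (the www.microsoft.f3gxq9i12p.com pattern).
    for brand, owned in TRUSTED_BRANDS.items():
        if brand in host.split(".") and dest not in owned:
            findings.append(f"'{brand}' appears inside unrelated domain {dest}")

    # 3. Userinfo before the host: http://microsoft.com@203.0.113.7/ lands on
    #    the address after the '@', not the name before it.
    if parts.username:
        findings.append(f"'{parts.username}@' hides the real destination {host}")
    return findings


def scan_html(html):
    """Map each suspicious href in an HTML message to its findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample message (not a real phishing e-mail).
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://www.microsoft.f3gxq9i12p.com/totallylegit/trustus.html">https://www.microsoft.com/account</a>
<a href="https://www.microsoft.com/">Microsoft support</a>
<a href="http://paypal.com@203.0.113.7/login">Verify now</a>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the first and third links are flagged and the genuine microsoft.com link passes. The point is that every check works on the href, never on what the user sees; the displayed text is attacker-controlled and only useful as something to compare against.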

The truth is that you could spend many, many hours educating someone so that they don’t fall for these scams that seem so insultingly transparent to others. The problem is daunting. Most people don’t want to have to become computer literate in order to use the net. You don’t need to be “TV literate” or “phone literate” or “DVD player literate”. The knowledge you need to use these devices is small and the dangers of ignorance are small or nonexistent. But you can get yourself into a great deal of trouble with the internet, and if you screw up, your problems become everyone else’s problem. What we’re seeing is a more perilous version of the “blinking 12:00” problem that we saw on all VCRs in the 80s. The tech requires more education than 95% of the people are willing to acquire. (This isn’t just an age thing, either. There are plenty of young people who make these mistakes.) They see the PC as a piece of entertainment equipment (and for them, it largely is) and they just want to push the buttons and have it work. Historically, this isn’t an unreasonable thing to expect. Only now, instead of having the VCR blink 12:00 to announce their lack of technical knowledge, their computer is conscripted into the service of people who are undeniably evil and destructive. It would be one thing if their computer just stole their credit cards and that was the end of it. But instead the machine begins sending out emails, posting comments to websites, co-opting the user’s Twitter and Facebook in order to ensnare their friends, and generally making a great deal of trouble for everyone else.

It’s a technical problem, but it seems to need a social solution.

* The biggest problem with Acrobat is the security vulnerabilities. The third is that it’s just plain awful software.
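Since the post twice singles out pdf files as the dangerous-document case, here is the check a practitioner would want before opening one: a triage script that reports the active-content features (JavaScript, open actions, launch actions, embedded files) that turn a document into a delivery vehicle. This is an added example written for this page, not code from the original post or from the cited report. It works on raw bytes rather than through a PDF library, so it also sees objects that malformed files hide from strict parsers; it does not decompress object streams, so a non-zero object-stream count means the verdict may be incomplete. The two sample documents are constructed here and are not real malicious files.

```python
import re
import sys

# PDF name objects may escape any byte as #xx, so /JavaScript can be spelled
# /J#61vaScript. Undo that before matching so obfuscated names are still seen.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data):
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


# Names that let a document *do* something, with why each one matters.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action run automatically when the file is opened",
    b"/AA": "additional actions (page open/close, form events)",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "Flash or other rich-media content",
}

# A PDF name ends at whitespace, a delimiter, or end of data; the lookahead
# stops /JS from matching inside some longer name that merely starts with it.
DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"
RISKY_PATTERNS = {name: re.compile(re.escape(name) + DELIM) for name in RISKY_NAMES}
OBJSTM = re.compile(rb"/ObjStm" + DELIM)


def count_risky(data):
    """Occurrences of each risky name in raw bytes; only names actually present."""
    counts = {}
    for name, pattern in RISKY_PATTERNS.items():
        n = len(pattern.findall(data))
        if n:
            counts[name] = n
    return counts


def triage(data):
    """Summarise the active-content features found in one PDF's bytes."""
    raw = count_risky(data)
    decoded = count_risky(normalise_names(data))
    return {
        "findings": {name.decode(): (n, RISKY_NAMES[name]) for name, n in decoded.items()},
        # More hits after decoding means a name was escaped to dodge exactly this check.
        "obfuscated_names": sum(decoded.values()) > sum(raw.values()),
        # Objects inside compressed object streams are not inspected here.
        "object_streams": len(OBJSTM.findall(data)),
        "verdict": "suspicious" if decoded else "no active content seen",
    }


# Constructed samples, not real files: a minimal one-page PDF, and the same
# document with a JavaScript action wired to /OpenAction, the name escaped.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("clean sample: ", triage(CLEAN_PDF))
        print("active sample:", triage(ACTIVE_PDF))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Usage is `python triage_pdf.py report.pdf`; with no arguments it runs on the two built-in samples. A “suspicious” verdict does not mean the file is malicious (forms legitimately use /AA and /JS), but it does mean the file should be opened in a reader with JavaScript disabled, or not at all.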



  1. Ludo says:

    Just to point the obvious, most of these problems are linked to a primary source : Windows.

    I could rant on and on coming to the conclusion that a) Windows is not required for the tasks most of the people require (net connection, e-mail, etc), and b) you could say that needing to marry an antivirus software the second you install your operating system should warn you something is not right (I blame the “insurance” way of thinking for accepting that).

    When I encounter such a situation, I try to understand the needs, and generally end up installing a modern version of Linux (one of the so-called “noob” distributions like Ubuntu).

    The only drawback is the (small) learning curve to understand the little differences between desktops (we’re not talking technical details, just things like “How come I can’t find the blue E ? where is my internet ?”).

    The only reason I still have a Windows box is because I can’t for the life of me play on a console. But it’s just that : a big, noisy, expensive… console.

    My two cents.

    • rxtx says:

      Sorry, but that makes no sense at all. Firstly, if you think that Windows isn’t required for most things people want to do, how can you possibly justify installing Linux instead, which is just as complex? Secondly, I wish people would stop spreading this FUD that Linux is uber secure and never gets hacked – it has vulnerabilities too, you know.

      The only reason Windows gets targeted by malware is that it’s the most popular. If I want to write some code to build a large botnet, and I can write code that either works on 90% of things or one that works on 10% of things, it’s a no-brainer which one I’m going to choose.

      There seems to be this dream in the world of certain Linux users that eventually their OS will take over the world, and everyone will be content and secure and live happily ever after. What they don’t seem to realise is that as soon as this happens all the malware writers will just target them instead and we’ll still be in the same situation.

      • Jordi says:

        Additionally, and to get back to the social problem Shamus describes: all the computer-illiterate people use the operating system that comes with their computer (i.e. Windows). The average Mac or Linux user is probably much more computer savvy than the average Windows user.

        • Raygereio says:

          Considering the fact that a large group of Mac users bought a Mac because they look pretty, I wouldn’t put them in the same ‘computer-savvy’ category as Linux users. ;)

        • Henebry says:

          I think most experts agree that the people who write malicious code gravitate to systems that are in wide use. Mac and Unix systems have been relatively much more safe than Windows boxes in part because their small market share makes them an unattractive target. (I write this as a long-time Mac user, the kind of guy who spends perhaps 1 hour total at a Windows machine in a typical year.)

          So you might say that the real enemy here is the tendency of computer systems to become monocultures. Just like in agriculture, a computer monoculture is more vulnerable than a diverse ecosystem to viruses. Thus the .pdf, like the Word.doc with macros before it, becomes a target for hackers.

          But it’s worth noting that simple .rtf (rich text) hasn’t ever been used as a vector for malicious code, as similarly .html is fairly safe. Both are widespread, universally recognized standards.

          The other crucial factor here is that modest standards (standards that aspire to do one thing well, which do not offer automation or scripting) tend to be a great deal safer.

          Windows did itself no favors, security-wise, when it enmeshed Internet Explorer deep in the operating system back in the nineties. It did so in part to justify its effort to aggressively displace Netscape. And giving IE that central role allowed Microsoft to write some potentially cool stuff that enabled tech experts to remotely control your machine. But those special tools wound up being a gift to the hackers.

          Similarly, I suspect, the danger from .pdfs arises not because they’re a universal standard but because Adobe keeps adding bells and whistles that hand hackers the tools they need to take over your system.

        • LK says:

          One of Mac’s big appeals to casual users is that it’s designed to be easy to use and “just work”. I wouldn’t make assumptions about the relative computer literacy of mac/PC users… though this is partially because it’s a hell of a flame-bait subject.

      • kikito says:

        I think you are misinformed.

        Ubuntu is easier to install than vista, since it comes with most of the basic software already installed (openoffice, a compressor, firefox, messenger…)

        Besides, keeping it up to date is just plain easier. Windows updates will only give you operating system updates. You want to install the new Firefox? Uninstall, download new version and install. In Ubuntu all this (kernel + programs – Firefox, etc) gets updated automatically by the update manager.

        It is also more secure than Windows because its permission model is better. It actually requires an administrator password in order to install things. You just don’t give it to the non-savvy users.

        I’ve started installing ubuntu on the most troublesome machines my friends had, and since then I’m a happier man.

        My mum has had ubuntu for 2 years now.

        • mockware says:

          Yup. All my browsing is done on Linux. It used to be good enough to not run things you don’t know about, but now all it takes is just hitting the wrong website or a website that got hacked. I blame Microsoft for being more concerned about usability than security in their design. The biggest flaw is actually how they use memory. They put the code segment above the data segment. This is how buffer overflow hacks manage to cause processes like IE to run nasty code. If they had put the code segment below the data segment, then all buffer overflow would do is crash the system or application. Another huge flaw is their design for ActiveX controls which automatically load. I remember a big stink Sun was having with Microsoft about them corrupting the sandbox model that Sun was trying to implement with Java to avoid security holes. Security really is an afterthought for Microsoft and we are all paying the price.

          • rxtx says:

            Moving your code and data segments doesn’t protect you from stack based attacks…

            • Nathon says:

              It does protect you from heap based buffer overflows though. The way a typical buffer overflow attack works is you get a way to write an unlimited amount to some buffer in the data segment (overflowing it) and eventually you’re writing in code space. And in fact, Vista adopted something like OpenBSD’s scheme where malloc calls mmap to a randomized segment, making it much harder to guess where data is in memory. As far as I know though, they didn’t go the distance and outlaw memory that’s both writable and executable.

        • stormbringer951 says:

          The problem is that your model above – not giving admin access to non-savvy users – is undermined by the assumption that there must be a tech-savvy user in each household. Nuh-uh.

          Ubuntu as a whole is better designed (due to the kernel model), but you need more computer knowledge to use it. It’s not the sort of thing that you just install and run. For example, lots of my friends use Ubuntu. They use superuser / root user for everyday ordinary tasks. So, yeah.

          The permissions model doesn’t work for them, because they have refused to learn the computer-savviness (that Shamus mentions above) to avoid this.

          Besides, if everyone migrated to Ubuntu, the malware economy would just migrate to Ubuntu too. Don’t mistake a smaller market share of malware for Unix-based systems being more secure. It’s just that there are fewer Linux or Mac users than Windows users, so naturally the majority of malware target Windows.

          In any case, “network security is indistinguishable from paranoia” (misquoted that from somewhere). If you go over to milw0rm, or sla.ckers or similar websites, you’ll see that hijacking your computer or stealing personal data is as simple as clicking on a link.

          And I know that none of my friends would hesitate before following a snipurl link, even if it may compromise their computer.

        • Peter H. Coffin says:

          Ah yes, the Ubuntu update manager… I have stories about the Ubuntu update manager….

          Okay, one story: I’ve never seen Windows Update Manager (yes, there is one) try to apply a Vista explorer.exe patch to an XP install. Then poop its pants on reboot because it can’t make its desktop manager executable run. I did watch Ubuntu do exactly this about 15 months ago. Which got me to install Centos instead. Oh, and any nonsense about “Just boot into single user mode, kick it to runlevel 3, and use the CLI tools to reinstall gnome forcing where necessary” doesn’t have any regard for what even a garden-variety power-user’s capacities are.

        • rxtx says:

          Ignoring all the Windows vs Linux stuff – does running Linux make your mum any more technically savvy? By moving her to Linux you haven’t really solved the problem, you’ve just plastered over it. The only real reason she’s more secure on Linux is that malware authors aren’t targeting her as much.

          Having her run as non-admin is admirable, but still isn’t the ultimate solution – there is a whole class of attacks which are focused on privilege escalation. Even DEP can be bypassed with clever exploit writing.

          The only way really to solve this is user education. By shuffling our problem users over to less targeted platforms we’re just avoiding the issue.

          As an aside, I found it interesting that, despite what you claim, Ubuntu doesn’t come with loads of stuff your average user would want. Mp3s? No. DVDs? Sorry. Flash? No, not included. So we’re back in the situation where our non-techy users are having to install a load of stuff from the web.

          • stormbringer951 says:

            Even with user education, there are problems. I know several people doing computer science degrees who get infected computers. Are they uneducated?

            • rxtx says:

              Depends what you mean by educated :P Just being on a CS degree doesn’t mean you know anything about basic computer maintenance. My own CS degree was focused on abstract theory and programming. There wasn’t a single thing about security or how to use different OSes.

              • stormbringer951 says:

                I assumed that you should at least know the basics if you use computers regularly.

              • ps238principal says:

                As I’ve discovered with many relatives who are older or less familiar with the internet, there are two things that appear to be the biggest causes of infection:

                1. Unfamiliarity with fake updates/warnings/whatever. If you work/live with computers, most people develop a little angel sitting on their shoulder that tends to get suspicious when an icon marked “update” is baloney or if a popup is actually a trusted program telling them it needs something downloaded or updated. My Mother-In-Law has a large amount of impatience coupled with a rampant clicking finger and inability to select “custom install” on things, and so her computer gets loaded with crap. Passing along privileges to third parties (gotta love them toolbars) is another fun gateway to malware.

                2. Unsupervised and uneducated kids using the computer. They want mp3s, pirated games, pr0n, or some kind of glitter-cartoon of themselves to paste on MySpace, and they don’t care what they have to do to get it. No adult wanted “active desktop” running (at least, none I knew), but a lot of my friends’ children who were into Dragonball Z and other anime did, plastering bits from their favorite websites all over the place. I honestly thought about donating their computer to science, just to be used as a worst-case scenario.

            • midget0nstilts says:

              In a sense, yes. There’s a difference between computer science and computer information systems, for starters. They might know a lot about, say, algorithms, but be clueless when it comes to administering databases. Hell, I’m a whiz at Active Directory, but I’d look like an idiot if you asked me to write in assembly.

              When I was studying for my (now-aborted) physics degree, I took a computer science class, and the instructor and several students claimed to have never, ever used Windows, ever. Assuming they weren’t lying, guess how smart they’d look in front of a Windows PC.

        • guy says:

          “Ubuntu is easier to install than vista, since it comes with most of the basic software already installed (openoffice, a compressor, firefox, messenger…)”

          Um, Vista comes with .zip functionality, IE, outlook…

          Sure, YOU may not think IE is a valid browser, but that’s kind of the point. Plenty of people think IE is perfectly fine, and would rather install office themselves instead of dealing with the realm of the incredibly smug. I suppose Ubuntu may not have that problem, but I also doubt many of these people have heard of Ubuntu. Even out of those people, many businesses use office for everything, and those people have to as well.

        • Ian says:

          I love when people try to claim Ubuntu is easy when there are so many long-standing issues with it.

          I’ve tweeted about some of the numerous issues that I’ve had with Ubuntu. The two biggest ones that I ran into was the complete inability to assign a static IP to my NIC and its inability to remember which wireless network my laptop is supposed to connect to, requiring me to type my uber-long WPA key over and over again. This is on a fresh installation, no tinkering, no messing about. I ran into a roadblock within five minutes of booting the system while trying to do something simple. Great job, guys.

          Naturally, some fanboy tried to tell me that normal people don’t do things like set up static IPs. That doesn’t change the fact that I can do it in a few clicks on Windows and OS X. With Ubuntu, it pretends to work and then simply ignores the fact that I did anything.

          The problem, as far as I can gather, is that the network settings manager seems to require root access to make changes, but at no point does it actually escalate privileges.

          My solution? Rip that lame network manager completely out and do it the Debian way. Then I asked myself, “why the hell am I doing this? It’s probably just going to break itself when I update the thing,” and went back to happily using Gentoo and Debian.

          • scragar says:

            Did you file a bug for those things?

            I ask only because I have seen people complain about bugs, but they never file it as a bug, no-one ever learns of that bug and it’s never fixed.

            • Ian says:

              It’s been reported repeatedly, according to my searches.

              Annoyingly enough, the preferred “solution” is to do it the Debian way (i.e. modifying /etc/network/interface). Unacceptable.

        • Shamus says:

          My wife actually gently suggests Ubuntu when she does the system-nuke. (She’s Ubuntu all the way on her own machines.)

          But it’s hard. I mean, if someone isn’t willing to take the time to update IE6, then changing operating systems is probably a non-starter for them.

          • Mari says:

            This is very true. Like your wife, I’m the “go to” person for malware invasions. Do you have any idea how long it took me to just get my in-laws to switch from IE to Firefox? Believe me, they’re not interested in swapping OSes.

            Education is key. It doesn’t stop everything but it drastically cuts down on infestation. It was getting so bad for a while that I compiled a packet of educational materials with helpful hints and suggestions for people whose computers I had exorcised. Beyond that, for especially susceptible users (like the 80-something former school teacher who mainly uses her computer to e-mail her kids and grandkids and then lets the little mites run P2P services on it when they visit) I pop by about once a month to make sure that their software stays up-to-date.

            I also do first-time setup services for a lot of people when they get new computers and make sure they have physical copies of the install media in safe places and set up the best protection net I can get. I’ve found that if I spend a couple of hours with them right at the start it really helps cut down on return visits.

        • Heron says:

          Unfortunately, if the person you’re talking to is even a casual gamer, or if they stream video from Netflix, Linux (any flavor) is basically a non-starter. I’ve been trying to get my wife to switch to Linux for me since we got married three years ago, and for those entire three years, her two complaints have been these:

          1) “I can’t play Age of Empires.”
          2) “I can’t watch Netflix.”

          The first one I finally managed to overcome using Wine, but only because the Wine devs fixed some related bugs; and I wouldn’t call Wine a “solution” so much as a “thing you can use if you’re really desperate to run an older Windows program”.

          The second one won’t happen at all anytime soon, because the DRM-enabling portions of Silverlight that Netflix uses are not part of moonlight, and the full Windows version doesn’t work under Wine.

          So what am I to say to my wife? Too bad, you don’t get those things?

          And then there’s me. I have Gentoo installed. I love it. But I rarely use it. Why? Gaming.

          Try telling a PC gamer to switch to Linux. Even if they like Linux, their answer is going to be something along the lines of “dude, shut up, I’m trying to play [pick an MMO]”.

          What’s worse, a lot of these PC gamers are the very same people who open random attachments and click random links, making their machines “troublesome”.

          Linux can’t solve the problem; social education is the solution, but until people are willing to realize that computer use is not the same as TV use, they’re not going to be willing to undergo that education process.

      • Zak McKracken says:

        You’re right, except for the fact that there are really a lot of different Linuxes out there. That would, given that Linux could actually one day be the dominating OS, make it still very difficult to write a virus that will work on all of them. Also, Microsoft may keep a bug secret for an indefinite amount of time (until someone else makes it public), but the Linux community does not fall into the “security by obscurity” trap.
        Apart from that: sure, if Linux was the primary OS, there would be viruses for it. The only way to find out whether there would be more or less viruses around is to try it out; every other discussion is futile in this context, although of course the OS maker does have an influence on how secure the machine is.

        • rxtx says:

          I get your point, but the problem is most of them run the same software packages. It will still be very similar to what we have now, where an IE exploit can affect all versions of Windows. You don’t need to write an exploit for Debian or Fedora in particular, you just need to write an exploit for Apache or Firefox.

          And yeah, the Linux community doesn’t keep things secret, but that doesn’t account for the strong possibility that an attacker has spotted the vulnerability and is keeping quiet about it.

    • Fenix says:

      Personally I use Ubuntu (don’t hate) for everything minus gaming in which I just dual boot. That way I keep a very clean Windows side for optimal gaming.
      (Also, yes, I know Linux CAN be exploited, but the fact that it’s open software means the patches WILL be made, because a crapload of people who use the software won’t want to be exploited (unlike the people making patches for Windows, who I suspect are probably using Linux or Macs). Not to say Windows is bad. Tom’s Hardware did have an article on whether Macs or Windows were actually more secure when discounting the volume factor, and Windows won by a landslide. Anyway I’m gonna shut up now.)

    • Primogenitor says:

      +1 for Ubuntu (or other Linux or even Mac). Especially on PCs where people just want internet, email, & basic document functionality, or a media-plus PC (picture, video, music & DVD). Basically, Windows Media Center with a few extra bits. Some big clear icons on the desktop, and you’re done.

      You can run Ubuntu directly from the CD, which is a great way to get people used to the idea that a PC doesn’t have to be Windows, and they can go back to their known territory easily.

      Yes, this doesn’t work for those with the slightest inclination to install other applications, but those people are worth educating on how to do it properly.

  2. Chargone says:

    let me just take this opportunity to mention that i also HATE PDFs. one of very few things that can crash firefox (well, used to) was PDF files. And the ‘would be better as HTML’? totally right so. very. often.

    when/why/how did these evil things spread?

    so far as i can tell, PDFs are 100% formatted for Printing, then you read the paper. which is massively inconvenient and a waste of resources…

    my hatred for this format borders on the irrational.

    now i can add horrible security vulnerabilities to the list of reasons.

    oh, and the whole operating system reinstall thing?
    here’s some fun: windows XP… ugh…

    it tells you it’s uninstalled/formatted/whatever… but it Hasn’t.. and now you’ve got two copies taking up space on your hard drive… evil! (it’s got this automated ‘re-install’ thing that… doesn’t. heh.)

    but yeah… it often surprises me how much stuff i know that so many people just don’t Get…

    and i always have a really hard time trying to convince people just how little i actually know. I have basic computer literacy, maybe slightly better than that… i don’t have Skills… some people can’t tell the difference …

    … if this is incoherent and rambly? i should sleep… after midnight… yay… wait… how’s that different from normal? blah.

    *leaves*

    • Peter H. Coffin says:

      Yup, that’s pretty much what PDFs were created for: an alternative to paper. But the reasons that they’re used for so many things is that 1) they’re (by default and design) a pain in the ass to modify once they’re “distilled”. (Is Adobe still calling it that? The build step?) And 2) they’re designed to support precise layout and presentation control which HTML is not designed to do and shame on anyone that loses sight of that. Anyone that thinks HTML is page layout, I’ve got a half dozen browsers that say different.

      • A different Dan says:

        1) Yes, it still does.

        2) Why PDFs will never die:

        You’re a public company. You produce regular reports and regulatory filings. You have a legal obligation to (at the very minimum) your shareholders, to provide them with this information. You’re not taking a single damned chance that your report might be malformed or might not show some part of the contents. This routinely happens with html; I haven’t ever heard of it happening with PDF. The readers might not be able to view the PDF, but they’re not going to get *half* of the thing.

        Or you’re a small company. You could spend a week of coding and troubleshooting time making sure your heavily illustrated report shows properly in everything from IE 5.0 to Chrome, or you could print the report to PDF and upload it in roughly ten minutes, since you have to produce a printed version for record-keeping purposes anyway.

        All that said, I don’t use Adobe’s own reader. That is just asking for trouble.

    • guy says:

      It’s intended for printing, actually. Stuff like books.

    • Zak McKracken says:

      Just a quick comparison of different formats:
      - plain text
      You have something to say? Ascii is juuust the thing. saves on memory, everything can display it, there you go. I just wish more people/software knew about UTF-8. Sadly, many don’t and so lots of German, French, Spanish, Swedish … well anything except English, really … texts end up looking really mangled.
      Nice choice if there ain’t much to say and you don’t care what it looks like and anyone can edit it

      - MS Office
      This is a word processor, not a document distribution format, people! MS Office viruses are nothing new, anyone can edit it, it’s a proprietary format (so if you’re running Linux you need to trust OpenOffice’s abilities, which sometimes do disappoint). If the other guy doesn’t have the same fonts installed, everything gets really messed up, so pleeeeaase don’t ever use this file format for distributing anything that isn’t meant to be edited by the recipient!

      - OpenOffice
      Mostly the same as for MS Office. Since OO is free, anyone can download it and read the documents, and the format is ISO certified, but in exchange you’ll rarely convince an MS Office user to even touch an OO file.

      - HTML
      Similar to plain text, except for formatting which is a bit nicer, encoding can be specified and sometimes even works.
      Completely unsuited for proper typesetting and layout. Also, never meant for it. You can present information on a website (using HTML) or on paper, using something else, but HTML on paper doesn’t work. Also, you could theoretically zip a web site, including images and everything, and send it around to people, but somehow no one I ever heard of does this.

      - PDF
      Has an ISO certified version, has several different readers (adobe reader is not the only one!), a document will look the same, no matter who opens it on what platform with which software. Will print just fine because it’s closely related to postscript. Used to be non-editable, which is _really_ important if you wanted information to arrive the way you sent it. An office document can be easily modified by mistake while viewing it (using MS Office for reading documents is like using Photoshop for viewing Photos…), but not a pdf. This means: If you want to distribute something that will look the same to everyone, can be printed with no problem and gives you the ability to do a proper layout, there is no way around PDF. It is _the_ format for distributing documents.

      What is actually a problem is something that every self-respecting software had to do in the last few years, which is to be fitted with online functions. There used to be only viruses for browsers and e-mail-software, now there are viruses for video and audio players, document, image viewers, etc. Also, virtually everyone has the Adobe reader installed, so it’s a rewarding target (much like the old windows/linux debate: viruses will always target the most popular software).
      My solution:
      1st: deactivate macros. No one uses them anyway, and for my taste, they shouldn’t be in pdfs anyway.
      2nd: If that ain’t enough, use something else! On KDE, you have Okular and Kpdf, in most other environments there is probably something else that will display pdfs. They may lack some functions of the original reader (but are catching up lately!), but the best weapon against viruses is diversity, so there you go.

      So what’s the point, really? Don’t be angry at pdf, because there’s no real alternative to this file format. Many use MS Office as substitute, but a quick look at the report shows that the amount of MS office zero-day exploits is at number two behind adobe reader, also it’s quite impractical.
      Be angry at Adobe if you like, maybe that’ll make them patch the holes in their software.

      Zak

      Whoops, turned out not to be so quick, my comparison, thanks for reading this far :)

      • krellen says:

        If PDF had just remained that unalterable, document-presentation format, I would be very happy with it. Around my work place, which frequently deals with governmental agencies directly, PDFs are often used to pass information back and forth – including documents-in-progress and templates. It drives me batty.

        • Zak McKracken says:

          It probably boils down to knowing which format to use for what.

          In my surroundings people tend to use word for everything (sometimes even pure images!). That’s why I’m trying to get them to use pdf more. Constraining everyone to PDF-A (Subset of PDF format, ISO archiving standard, non-interactive etc…) would be a good idea, but it’s hard enough already to get people to realise the difference between .pdf and .doc, so try explaining the difference between regular pdf and pdf-a …

  3. Andy says:

    Well observed Shamus. Not sure what the answer to the problem would be though. It’ll likely continue to be a ‘Red Queen’ scenario betwixt security developers and hackers et al.

    Social change can happen quickly but more often than not it takes a looooong time.

  4. T-Boy says:

    You know, if I was a Mac zealot, this would be the moment where I would begin to pimp out the iPad, constantly telling people that it is the computing device for the stupid– I mean, the non-geeks.

    But then again if I was a Mac zealot I’d shoot myself in the head for being such a waste of space.

  5. Raygereio says:

    Sometimes I do wonder what the hell it is people do on the Internet. I have no illusion my computer is completely safe; I use the windows firewall for crying out loud.

    But I know people whose computer is secured by far better (and expensive) software than mine, and yet mine isn’t the one that goes belly up every couple of weeks.

    • A different Dan says:

      Step 1: Forget the notion that software firewalls are a viable security option. If you’re concerned about open ports and unsecured inbound connections from the net, you should be looking at a router with firewalling capability (virtually every one sold today). But the real threat isn’t inbound connections; it’s stuff that gets you to download and execute a file, or run a script on some site.

      I had the interesting experience of troubleshooting UPS’s shipping manager, WorldShip (on WinXP). Got to the point where their tier 2 tech asked to connect to the machine, since this was getting pretty complex. This was on a pretty heavily locked down system behind a hardware firewall… Which posed no problem at all. I was sent to a specific URL, clicked on a link, initiated an outbound connection, and he had complete control of my machine. I don’t believe it even required a Java applet. Now think of this in a malicious context.

      It’s gotten to the point where I don’t even run a local antivirus anymore. The chances of something slipping by it, and then as a first step corrupting the AV install to ignore it, are non-trivial. Instead, set up a routine of using one of the free remote virus scan services on a weekly basis. No worries about outdated definition files, corrupted or hijacked installs. All you need is an internet connection and a functional browser. If you have serious suspicions about being infected but can’t find anything, use a bootable, rewritable DVD with a browser, boot from that and run the remote scan that way. HijackThis, Spybot S&D and Malwarebytes are a good starting point, though you’ll have to spend oodles of time learning to parse HJT reports or use one of any number of forums out there to interpret the report.

      Oh, and make that DVD *today*. It’s too late once you’re suspecting an infection.

      • Raygereio says:

        Erm; thanks but you could have saved yourself the trouble of that lengthy post. If I ever get a piece of malware that I can’t remove (or if I’m just too lazy to remove it), I just restore an old back up of the drive that contains my Windows installation.

      • Mari says:

        I’m so in love with HJT. It’s one of my favorite software tools of all time. I had to use cheat sheets for a long time to interpret the reports but I’ve reached the point where it’s mostly intuitive now except looking up the occasional file in a database like BleepingComputer.

        Also, I’m with you on the hardware firewall. Our home network is hidden behind one. Stuff still gets through occasionally, though. Matter of fact, just recently one of the kids got the old “Windows Antivirus 20xx” popup. On an ABPed Firefox browser behind the router’s firewall while surfing a well-known kids’ site. Luckily, the kid knows enough to immediately close the browser without clicking anything and seek parental aid.

      • dpcfmander says:

        @A different Dan

        > Instead, set up a routine of using one of the free remote virus scan services

        This is very relevant to my interest. Which one(s) do you trust and recommend?

  6. Jeff says:

    Whatcha going to do though? Mass-education is not something easily accomplished. Free security software of all kinds exist, and Windows tells you what security software is missing nowadays.
    Some people are just technophobes, who refuse to have anything to do with learning the ways of technology, even when it’s as simple as plugging in a few cords or pressing a button. My dad is one of them, and he thinks I’m a technical genius because whatever problem comes up I fix with a generous mix of intuition, Google, and time. (He also thinks I am completely inept at explaining anything because as soon as he hears a single technology-sounding word, he zones out.)

    What can anybody do to fix the problem? PSAs to tell people about the dangers of unsafe computing? It’s really not like people are bereft of access to information about how to be safe, they just don’t have the inclination to learn about this horrendously complicated computer box, when they just want the internets and email. I agree it’s partly a social problem that needs fixing, but I honestly have no idea how to go about doing that. If zero-day exploits can slip past savvy computer users with hefty security software, what chance do the hoi polloi stand?
    While a mild education would go a long way, it still wouldn’t stop the impetus of malware.

    • Joshua says:

      “Some people are just technophobes, who refuse to have anything to do with learning the ways of technology, even when it’s as simple as plugging in a few cords or pressing a button.”

      I deal with that problem at my work, where some of our staff seem to flat out REFUSE to learn anything about the computer. BTW, I’m in Accounting, not IT, so it’s frustrating to be a go-to guy for explaining computer-related issues. The usual excuse goes something along the lines of “I’m just no good with computers”. Sometimes I get a little bitter and think, “Shouldn’t it be a fireable offense to say you refuse to learn the skills you need to do your job properly?”

    • stormbringer951 says:

      It’s a waste of time. Computer security works on the principles of weakest link (the most ignorant user on a computer, the most vulnerable computer on a network etc) while the malware producers work on the principle of the best shot (most subtle way of using xss to steal your personal data, newest development in anti-anti-anti-DNS-pinning, most recently discovered vulnerability in Google Buzz and so on).

      All we can hope for is that most people are savvy enough to know which things are blatantly dangerous (downloading pirated stuff, watching / downloading porn, clicking on links in junk mail, drive-by downloads, pop-ups, shortened urls that mask the actual http address and so on).

      Even so, the hackers, black hat and white, have come up with ingenious ways of getting things past the non-paranoid users (read: http://ha.ckers.org/blog/20091228/popup-focus-url-hijacking/).

    • Jay says:

      Technophobes aren’t the only people who are the problem – one of my work colleagues (who has now left) claimed they knew all about computers and how to be safe on the internet. Until one day their computer starts crashing every 5 minutes and I (the IT guy for our small office) have to fix it. Thankfully my boss is sensible – we use Firefox and OpenOffice on our Windows machines and have a Linux file server, which cuts down on the number and spread of infections, but when I had to fix this computer I was appalled. They caught a virus from clicking a suspicious link on Facebook (which isn’t allowed at work), and even after I showed them the list of a dozen other nasty viruses and scores of malware programs they still insisted that it wasn’t their fault.

      The lesson from this is that people who think they know what they are doing when they actually don’t can be much worse than people who just don’t know.

  7. Andy says:

    I agree Jeff. My Father’s old saying (when trying and failing to instill good financial sense into me) seems apt:

    The crafty will always make it out of the dafty.

    Andy

  8. someboringguy says:

    Shamus, would you give us some points on these kinds of things, like “how to spot a bogus URL”? Or at least give us a link to a safe site that really tells you the “how to” for defending your computer when surfing on the internet?

    • Shamus says:

      That’s a really good question.

      And now that you’ve asked it, I can’t say I’ve ever seen a site that does this in a comprehensive way.

      Hmm.

      • A different Dan says:

        Y’know, Shamus, you have a lot of pretty security-conscious people here… Maybe there’s some room for a project in your copious free time? :)

        • stormbringer951 says:

          There is no comprehensive way to protect your computer. The threat just keeps on evolving and some of the ways it evolves are frankly ridiculously hard to defend against.

          Most tech websites offer a basic guide to how to protect yourself, but it’s mostly a matter of common sense. In this day and age, even ‘good’ websites can be hijacked by a malicious black hat or a script kiddie running an automated program.

      • Neil D says:

        Ask-Leo.com is a wonderful site for these kinds of tips and general computer safety/how-to/what-the-heck-do-I-do-now type information. You can subscribe to a weekly newsletter and I really can’t recommend it enough. I’m pretty computer-savvy and I still learn some very useful things from it.

        He deals a little with bogus URLs here: http://ask-leo.com/phishing_whats_phishing.html

    • Simulated Knave says:

      How to spot a bogus URL?

      Look for typos. Remember that company websites use .com, not anything else.

      But the most obvious way – look at the bloody send field. 99 times out of 100, if it’s a bogus URL, the e-mail will not have been sent to you, and WILL have been sent to some e-mail address that clearly cannot actually belong to a person.

    • Simulated Knave says:

      Look at the whole e-mail, not just the url.

      Look for typos. Look and see if it has been specifically addressed to you. Think about what it’s asking you – does it make sense? If they’re asking you to confirm something, why wouldn’t they just ask you to do that next time you were at their site?

      Look at the send field. Almost any mail from any real company for anything legitimate will go directly to your e-mail. If it’s not sent specifically to your e-mail, it is fake. Fakefakefakefake. Or at least not worthy of your time.

      Honestly, it’s easier with an example in front of me.
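
The checks Simulated Knave lists in the two comments above (look at the send field, look at whether the mail is really addressed to you, look at where a link actually goes rather than what it says) can be turned into a small triage script. This is an added example, not code from the commenter or the blog; the recipient address, the brand-to-domain table and both sample messages are constructed placeholders (all domains use `.invalid` or `example` names).

```python
"""Phishing triage helper built on the checks in the comments above:
look at the send field, look at where links really go, and ask whether
the sender is who it claims to be.  Added example, not part of the
original comment; every address and domain here is a constructed placeholder.
"""
import email
import re
from email import policy

MY_ADDRESS = "alice@example.net"  # constructed: the mailbox the recipient owns

# Constructed: brand keyword -> domains that brand legitimately mails from.
KNOWN_BRANDS = {"examplebank": {"examplebank.com", "www.examplebank.com"}}

LINK_RE = re.compile(r'<a\s[^>]*?href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
# A host needs at least one dot, so plain words like "Click here" do not match.
HOST_RE = re.compile(r'^(?:https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)',
                     re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(text):
    """Host part of a URL or bare domain, lower-cased; None if not URL-like."""
    m = HOST_RE.match(text.strip())
    return m.group("host").lower() if m else None


def _addresses(msg, field):
    """All parsed addresses in every instance of a header field."""
    found = []
    for header in msg.get_all(field, []):
        found.extend(header.addresses)
    return found


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. "Look at the send field": legitimate mail is addressed to *my* mailbox.
    recipients = {a.addr_spec.lower() for a in _addresses(msg, "To") + _addresses(msg, "Cc")}
    if MY_ADDRESS not in recipients:
        findings.append("not addressed to my mailbox (To/Cc: %s)"
                        % (", ".join(sorted(recipients)) or "<none>"))

    # 2. Sender claims a known brand but mails from a domain that brand does not use.
    senders = _addresses(msg, "From")
    claimed = " ".join(a.display_name for a in senders) + " " + str(msg.get("Subject", ""))
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in claimed.lower():
            for a in senders:
                if a.domain.lower() not in legit_domains:
                    findings.append("claims to be %s but From domain is %s"
                                    % (brand, a.domain.lower()))

    # 3. Link text that displays one host while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for m in LINK_RE.finditer(html):
        shown = host_of(TAG_RE.sub("", m.group("text")))
        target = host_of(m.group("href"))
        if shown and target and shown != target:
            findings.append("link shows %s but points at %s" % (shown, target))
    return findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: ExampleBank Security <alerts@examp1ebank-verify.invalid>
To: bulk-list-0042@mailer.invalid
Subject: Confirm your account now
Content-Type: text/html; charset=utf-8

<p>Dear customer, please visit
<a href="http://examp1ebank-verify.invalid/login">http://www.examplebank.com/login</a>
to confirm your details.</p>
"""

LEGITIMATE_SAMPLE = """\
From: ExampleBank <notices@examplebank.com>
To: Alice <alice@example.net>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Log in at <a href="https://www.examplebank.com/statements">www.examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, check_message(sample) or ["no red flags"])
```

The script deliberately reports findings rather than a verdict: the "not addressed to me" test alone flags plenty of legitimate mailing-list traffic, so the individual red flags are meant to be read together, exactly as the comment suggests.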

  9. Noumenon says:

    I have never heard of PDF files being virus carriers. .Doc files I don’t even open in e-mail, but I thought PDFs were as safe as MP3s.

    • Ian says:

      PDFs are just data files so by rights they should be safe. The problem isn’t the PDF itself, but Adobe Reader. During the past year there have been several vulnerabilities reported in Adobe Reader, mostly buffer overrun issues that allow arbitrary code to be executed.

    • Zak McKracken says:

      mp3s aren’t completely safe either …
      WMP had several vulnerabilities once and Winamp also, but haven’t heard of any of that in a long time. I’m not sure how many people are using the Windows Media player for mp3s, nowadays, though. It might just not be such a good target anymore. Or they really fixed it, but something tells me they probably didn’t.

  10. Klay F. says:

    Wow, just had a “GET OUT OF MY HEAD, SHAMUS!” moment there. I just finished explaining to my mother why her computer is so much crappier than when I first built it for her. In the thirty seconds or so after I had finished explaining things to her, she promptly goes to some strange website that immediately asks for her cell number in order to continue. Without hesitation she enters her number, and after about a minute or so, she was inundated with about 20 text messages, all asking for replies with personal info. I snatched the cell from her before she could do anything any stupider. The problem is that she doesn’t use text messages at all and is therefore charged a semi-criminal fee by her provider for every text message she receives and sends. I was so stunned by what took place that I couldn’t do anything except say to her, “What did I just say?” She really refuses to learn.

    Needless to say, I never open any emails I get from her.

    • SatansBestBuddy says:

      Look her in the eye and gently but firmly remind her, “They are not giving you free stuff in exchange for your number, they are lying to you, don’t listen to them.”

      Thank god my mother’s almost borderline afraid of computers, anything beyond checking her email is something she will refuse to do herself, plain and simple. (hell, half the time she asks me to check her email for her, anyways, cause she doesn’t understand how to download pictures)

      • Klay F. says:

        With my mom, checking her email is the most dangerous thing she does, because she’s one of those people who Forwards EVERYTHING she receives. Plus, she opens and reads EVERY single email she gets whether she knows the address of the sender or not. She really refuses to use caution with her email no matter how many times I explain things to her.

        EDIT: My dad is pretty much the opposite of her with regards to security. He trusts nothing. Consequently, his computer is bogged down with a ridiculous number of third-party firewalls, virus, spyware, and other types of malware scanners. It feels like I’m back in the stone age with how slow his system is with all of this redundant software. I tried to convince him that a system-crippling amount of software does not a safer computer make, but to no avail.

  11. Mark says:

    Yeah, I’m in the same boat as Noumenon. Can someone briefly outline the dangers of .pdf files? Or point me to article? I thought that they were safe also…

    • Raygereio says:

      A pdf file in and of itself isn’t dangerous, it’s that they can contain viruses that can take advantage of security holes in the pdf viewer (Acrobat being the most common one).

      Peachy here was the first one, in 2001. These days there are a lot of them, but I doubt you’ll often encounter one in day-to-day computer-use at home. If you work in a company, corporation, whatever organisation that uses PDFs for everything, then the chance is a bit higher (I certainly have seen a lot of them at work).

      • Athan says:

        And note that with PDFs, or more precisely Adobe’s Acrobat Reader, there is *scripting* which opens a whole extra can of worms. It’s fairly easy to turn this off in Reader though:

        Edit > Preferences > Javascript > untick ‘Enable Acrobat Javascript’

        You can always turn it back on if you ever happen to need to open a PDF that makes use of the feature and you’re SURE it’s safe.

        Other PDF readers may or may not include such scripting abilities.

  12. Danel says:

    Ugh. I remember that malware that blocked off access to anything that could stop it – I could still access most sites, but any sort of antivirus site was unable to load. A real nightmare.

    • Noumenon says:

      I’ve got something right now that redirects the occasional Google search result to searchfindsite.com when I click on a link, and when I googled searchfindsite it redirected me to pcbugfinder.com. Malwarebytes and Ad-Aware didn’t help, anyone know anything about this one?

      • Raygereio says:

        That’s an annoying piece of malware; virus scans don’t seem to pick that one up.

        Combofix might pick it up. If that doesn’t work, hijackthis or similar programs will probably be able to track it down. You might want to check with someone computer-savvy near you if you don’t know how to use it, or check with forums dedicated to helping people like you as Shamus’ website probably isn’t the best place to post huge scanlogs.

  13. Bobknight says:

    Shamus

    this:
    http://free.antivirus.com/hijackthis/

    might help to get rid of those that ‘defend’ themselves.

  14. WCG says:

    Hey, in the DOS days, I was so fascinated by computers that I’d spend hours trying to learn every little detail. But I must admit that, these days, I just want to USE the darn thing. I kept up with this stuff for awhile, but unless you’re a real geek, there’s a limit.

    And being paranoid about security, I really tried to protect this computer, when it was new. But my anti-virus software started growing into this behemoth that would conflict with my other security software. Eventually, I had to remove some stuff that stopped working well with the new versions. And then, when I needed extensive repairs, the shop insisted that most of the security settings in that expanded anti-virus software caused more problems than it prevented.

    OK, my Mom is exactly like Klay’s. She refuses to learn anything, because “it’s too much like work.” Yeah, 30 years ago, she was the only one at her workplace who understood the word processor, but she just doesn’t want to bother with all that now. I don’t want to get like that, but I must admit that I’m getting to the age where I understand it. God! We DO turn into our parents!

  15. Jeysie says:

    I dunno, I’ve never understood why so many people have so much malware when it’s easy (relatively speaking) to set up your comp to protect for you.

    1. Get a modem/router with a built-in port firewall.
    2. Get an A/V that can run real-time scans in the background and auto-updates, without conflicts or using too many resources. (NOD32 for the win here.)
    3. Run on a User account.
    4. Run FF or Opera (basically anything not IE) with pop-ups blocked, auto installs blocked, and other security-based settings.
    5. Install an ad- and malware-blocking HOSTS file.

    Yes, it does take time and savvy to set this up, but the thing is, you only need to do it once, then it’s more or less self-maintaining from there.

    It also helps to know what is and isn’t malicious, but I’ve had things slip through on me and still was protected when I got a warning. In the 13 years I’ve owned a computer I’ve never had any malware or a virus, and I pretty much live on my PC.

    I do think many people really need to stop making excuses and learn how to use their PCs properly, but a basic security lockdown without making the PC impossible to use shouldn’t be an issue. I don’t get why even some PC-savvy people get viruses or malware when I’ve never had any problems.
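
Step 5 of Jeysie’s list (a blocking HOSTS file) and Danel’s earlier comment about malware that cut off access to antivirus sites are two sides of the same mechanism: a HOSTS entry can sinkhole an ad domain on purpose, or silently sinkhole an update or security-vendor site. The audit below tells the two apart. It is an added example, not code from either commenter; the protected-domain list and the sample HOSTS file are constructed placeholders (`.invalid` names, documentation and private address ranges).

```python
"""Audit a HOSTS file: separate the deliberate ad/malware sinkhole entries a
blocking HOSTS file contains from the kind of entry malware adds to cut a
machine off from update or security-vendor sites, or to redirect a real
site elsewhere.  Added example, not from the original comments; the
protected-domain list and sample file are constructed placeholders.
"""
import ipaddress

# Constructed: names that should never be re-pointed by a HOSTS entry
# (OS update servers, security vendors, banks).  A real list would be longer.
PROTECTED_SUFFIXES = (
    "update.example-os.invalid",
    "av-vendor.invalid",
    "example-bank.invalid",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, address_text, [names]) for every non-comment line."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        fields = line.split()
        yield number, fields[0], fields[1:]


def is_protected(name):
    """True if the name is, or sits under, one of the protected domains."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify each entry; returns dict of category -> [(line, name, address)]."""
    report = {"local": [], "blocked": [], "hijacked": [], "redirect": [], "malformed": []}
    for number, address_text, names in parse_hosts(text):
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            report["malformed"].append((number, " ".join([address_text] + names), None))
            continue
        if not names:
            report["malformed"].append((number, address_text, None))
            continue
        sinkhole = address.is_loopback or address.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
        for name in (n.lower() for n in names):
            entry = (number, name, address_text)
            if is_protected(name):
                report["hijacked"].append(entry)   # vendor/update site cut off or redirected
            elif sinkhole and name in LOCAL_NAMES:
                report["local"].append(entry)      # the stock loopback lines
            elif sinkhole:
                report["blocked"].append(entry)    # the deliberate ad/malware block
            else:
                report["redirect"].append(entry)   # points at a real host: review by hand
    return report


SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1    localhost
::1          localhost
0.0.0.0      ads.tracker.invalid       # blocking entry
0.0.0.0      malware-dropper.invalid   # blocking entry
127.0.0.1    www.av-vendor.invalid     # malware-style: vendor site silently sinkholed
203.0.113.5  www.example-bank.invalid  # malware-style: bank site sent to another server
192.168.1.10 nas                       # benign LAN alias
not-an-ip    broken-line
"""

if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for line, name, address in entries:
            print("%-9s line %d: %s -> %s" % (category, line, name, address))
```

Run against a real file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`), everything in `blocked` is what the blocklist was installed to do, while anything in `hijacked`, and any `redirect` entry you did not add yourself, deserves a look.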

    • stormbringer951 says:

      1) Most people never bother to change the default password on their routers. Most of them have passwords that you can break through with a brute-force attack.

      2) I haven’t used NOD32 before, but lots of modern malware, once installed, could bypass it. Professor Ross Anderson wrote a paper on online crime available here http://people.seas.harvard.edu/~tmoore/jep09.pdf (yes, as a PDF, no it’s not loaded with malware) which describes how they even have a service sector which helps update malware to obfuscate past the AVs.

      3) Pretty, but no one that I know does it. Mostly because if you run Windows a lot of programs automatically assume that you will run it as an admin.

      4) Open Source Vulnerability Database: http://osvdb.org/. There’s quite a few vulnerabilities in Firefox you can find there. If you are savvy enough to use AdBlock, NoScript and other helpful little addons, you’ll be safe(r). Still doesn’t guarantee someone won’t do something phenomenally stupid which their browser can’t protect them against though.

      5) Yeah, good idea.

      • Jeysie says:

        1. That’s why you get someone tech-savvy to help you with the initial setup, since I don’t think the average user could handle ports, either. I’m not saying this setup is something a non-savvy person could handle on their own, but it is something that only needs to be done once, and the maintenance afterwards doesn’t require much savvy.

        2. I do agree that if any malware/viruses get installed, you’re in trouble. Hence the idea is to keep malware/viruses from ever getting installed in the first place (or at least more rarely than the average user gets stuck). Any A/V that can run real-time without using too many resources is a good one (since it lessens “crap, I forgot to scan that before running it” “crap, shouldn’t have visited that website” etc. kinds of moments), it’s just that NOD32 is the one I’m most familiar with.

        3. Well, yes, I know most people don’t do it; that’s why I’m saying they should. Considering that the only programs I use (out of various browsers, games, media players, word processors, chat programs, etc.) that require admin access are my DVD burner and DVD/CD rippers, I find your claim that most Windows programs need admin access to not at all match my own experiences.

        4. It doesn’t guarantee it, no, but it does lessen it. Plus, like I said, there are settings a savvy person would be able to set up.

        5. Ironically, I think this might actually be the best protection in many ways, and it’s certainly the easiest and least-resource-using to implement. And yet it’s also probably the one people are the least aware of.

        I think the problem with most of your arguments is that you expect them to be magic bullets taken singly. They’re not; I’m not going to claim that. But taken together they provide far more protection than the average person has on their PC, yet leave the computer still completely usable, and without needing to savvy-tweak your computer constantly. Even if it’s not 100% bulletproof (although I have gone 13 years with no viruses or malware without sacrificing usability), it still lessens how often you get hit.

    • midget0nstilts says:

      As something of a hardcore Opera user, I feel compelled to point out the security nightmare that is Opera Unite.

    • Heron says:

      I have to disagree about NOD32. I had to manage it at a previous employer (I was the IT “administrator”), and let me tell you, NOD32 sucks. It’s a resource hog, it’s slow, it’s inaccurate, and it’s a pain to administer remotely.

      Avast! for the win, though. As a bonus, the home edition is free, you just have to “renew” your free license once a year.

      As for running as a user account… if you’re talking about Windows, that experience sucks. Got a shortcut on your desktop you don’t like? If it was installed by an installer that was run as administrator, well, too bad, because only the administrator can delete the shortcut.

      And, as stormbringer951 said, a lot of programs assume you’re running as administrator. Even Microsoft programs.

      Despite the wisdom of doing it, I would never have a non-tech-savvy user run Windows as a non-administrator.

      • Mari says:

        Avast! isn’t perfect, either. Don’t get me wrong, it’s my AV of choice but it can be a pretty big resource hog and sometimes it goes through periods of installing updates 5-6X per day with each time cutting my computer’s incoming bandwidth by around half and ramping up my processor usage to the 60%ish range for 5-10 minutes.

        • Heron says:

          I’ll agree there. When you’re talking about antivirus, and which is more or less of a resource hog, everything’s relative.

          Trouble is, antivirus programs pretty much have to hook all the interesting kernel calls, figure out what the caller is about to do, and decide if it’s kosher. That’ll slow just about anything down, regardless of how efficient the rest of the antivirus program is.

          I don’t really notice Avast! much in terms of CPU usage, but then, I don’t notice much at all on my 4 GHz Core i7.

      • Jeysie says:

        I dunno, NOD32 uses about 20K of RAM for me, and my “idle” CPU usage (with Opera, Winamp, Skype, etc. also running, mind you) doesn’t go over 10% (and I have a Pentium 4 2.8 GHz, 1GB RAM, so I’m not “speed demon” here, plus NOD32 always ran fine on my older P2 computer as well), so I don’t know why you’d consider it a “resource hog”.

        Still, it was mostly an A/V program I have personal experience with that uses few resources; any other one would fit the bill just as well. Basically, something not McAfee or Norton.

        Your “lots of Windows programs need admin access” also runs completely opposite to my own experience.

        I run on a User account every day and do all of my everyday stuff (browse, chat, image scanning/editing, game, word processing, listen to/watch media, etc.) perfectly fine; only time I need to log onto Admin is if I need to install something, once a week to check for OS updates, or to use my DVD burner and CD/DVD ripper programs (the only programs I have that need admin access).

        I also have zero problems deleting shortcuts from either my desktop or Start Menu, even admin-installed ones, so I don’t know what you’re talking about there either. Especially since my friend who works for IBM as an IT techie is the one who recommended and helped me set up my User account in the first place when I switched to XP.

  16. Lurker 2371 says:

    I disagree about HTML replacing PDFs. Can you imagine sending an HTML document for a job application? Since you have a homepage I’m certain you know how hard it is to create HTML that looks good in different viewers, a problem that’s pretty much non-existent for PDFs.

  17. MichaelG says:

    IMO, the problem is a technical one. Operating systems were designed by and for programmers, and they are supposed to run programs. In the old days (1970), the only source of programs were things you wrote or bought or got from trusted sources. So there really was no security issue.

    Timesharing brought logins and passwords, the tiny amount of security we have now. The goal was preventing other users from snooping or using your resources. External threats were still not on the radar.

    Since the 1990s, the internet has exposed all computers to external threats in the form of malware. But operating systems are still designed to run programs with more or less full privileges. That’s the fundamental flaw.

    We need to be running all code in virtual machines, and their access to underlying services needs to be strictly controlled. A downloaded app should not ever have access to your file system, your network connection, your email contacts, etc. It’s absurd that we haven’t introduced fine-grained access control.

    If there were a standard set of accesses that were harmless, and apps were all running in a VM, it would be completely safe to download whatever little piece of crap you liked off the internet.

    It’s a losing battle to expect anti-virus code to try and spot all malware (impossible, since it can’t analyze the code and just has to check blacklists) or to clean up threats after the damage is done. We need to change OS code to prevent apps from doing damage in the first place.

    Linux/Mac/Windows all have the same architectural flaw. They run apps written in native code on the real hardware and let them do anything a user can do.

    That has to stop.

    (end rant)

    • stormbringer951 says:

      Good luck implementing that.

    • midget0nstilts says:

      That’s basically the idea behind chroot jails.

    • A different Dan says:

      “A downloaded app should not ever have access to your file system, you network connection, your email contacts, etc. It’s absurd that we haven’t introduced fine-grained access control.”

      Why not?
      Serious question. I take this to mean you’re suggesting there are two distinct breeds of apps: Ones from trusted sources and ones from untrusted sources. (I presume you don’t actually have a thing against digital distribution of software, since more and more perfectly legitimate, large software developers are going that route)

      I’ll agree with your premise, actually, but that’s not where I see the challenge — rather, it’s a question of determining to which category a particular application belongs. Remember this? From what I can find now, they’ve eliminated the $250 per OS *family* cert fee, which pretty much ensured lack of adoption by anyone except the big players. Maybe they’ll get it right this time or maybe, now that people have gotten used to dismissing the whole “not certified” warning dialogue, they’ll just keep on doing so.

      • MichaelG says:

        Java tried to do the right thing with applets. They understood that if a web page could do something malicious with Java, those kinds of pages would be written. So they had a pretty intense security model on class files. The problem was, they stopped at graphics. There was no way for an applet to access files at all, so you couldn’t write a Java applet word processor. If you switched to an app, instead of an applet, you had no security at all.

        What’s needed is something like the applet model, but extended for some useful subset of functions of the OS. For example, an “editor” can have its own directory and read and write files there (to some size limit), but not traverse the larger file system.

        You would define multiple roles, from “graphical widget” to “file editing application”, then other roles, up to “wants complete control.” The user would have to explicitly promote a downloaded piece of code to a higher role (like sudo). That’s not foolproof, since people are idiots, but it’s much better than the current situation, where a downloaded .exe can do anything.

        I understand that it’s a huge change in the infrastructure to sandbox everything, and it’s an open question what those “roles” should allow. But the current approach of “just don’t click on bad stuff” limits us. I’d like to be able to click on random weird crap. I’d like to be able to download indie games without fear. Without some better security in place in the OS, I just can’t.

        I run with noscript in the browser (so many sites are mangled), and never open email attachments. I have to throw away mail from Mom if it has one of those endless chains of forwarded crap. It’s a shame.

        • A different Dan says:

          You would define multiple roles, from “graphical widget” to “file editing application”, then other roles, up to “wants complete control.” The user would have to explicitly promote a downloaded piece of code to a higher role (like sudo). That’s not foolproof, since people are idiots, but it’s much better than the current situation, where a downloaded .exe can do anything.

          What’s to keep a developer from defaulting to “complete access” and be done with it? That way you’re sure it will work, after all.

          But the main issue I see is asking the user for authorization for access-level changes. Remember that Apple ad that knocked Vista (rightly) for spamming the user with deny/allow prompts? Those are worse than useless, since their dismissal quickly becomes ingrained in the act of installing/running an app and their usefulness as a defense mechanism drops to near-zero. All you’ve gained as a user is some added aggravation.

          And then there’s the whole challenge of educating a truly vast user base as to what each access tier means and what the implications may be of allowing an app access to it. Which is really where we are right now, only with a somewhat altered set of educational topics.

          • MichaelG says:

            I think it would work like this: you run the app out of the box (or from the download), and it gets the lowest permission by default, not one assigned by the developer.

            Then the user has to use a UI feature to explicitly promote the app. The category list says things like “file editing app — this app can read and write files in a directory you assign it.” and “mail sending app — the app can read and send email with your account.” The list text is from the OS, not the app developer, so it can make it sound like you really don’t want to do this.

            There’s no pop-up. Instead, the app would just write some “I can’t live with this permission level, please promote me.” text in its window. But the idea is that the default should be good enough for most trivial apps you’d download, and the user would almost never promote.

            Good system security is then “run what you like, but don’t promote anything you don’t trust. Well-behaved apps don’t need the extra capabilities.” This is much different from “beware of attachments, links, dodgy file formats, etc., etc.”

            • Ciennas says:

              Yeah, but the real challenge would be to make those roles understood by the common user, who may (if you’re really lucky,) understand what ‘OS’ means without explanation.

              The solution here seems to once again involve edumacatin’ some people.

              In light of the fact that the gamer generation is common, (And before them, the ‘hollywood computer’ crowd,) you may as well make a shiny squiggly interface, that explains things with a little flair. I’m thinking of the Tron 2.0 interface mostly, but that’s because I played it recently. I’m sure the UI changes would come quickly.

              The other major problem with adoption of the model would be, ironically, the lack of being able to sneak something in.

              If we were all secure from the bad guys, the morally ambiguous good guys couldn’t sneak in and check on all of us to look for terrorists. And they can bitch with the strength of twenty men.

              Also, corporations would find it much more difficult to sneak in garbage on us as well, since they would have to ask their customers to set up their sneaky bastard traps.

              This ‘low level access’ thing intrigues me, and I wish to subscribe to your newsletter. What would the low-level access entail, and how would your idea work with regard to compatibility with old programs? I’m thinking of games here mostly, but a lot of software (and the industry itself) would be outmoded by this model.

    • Miral says:

      FWIW, that’s one of the ideas behind Microsoft’s .NET Framework; code is “managed” and thus subject to analysis before execution, and code can be run at several different trust levels, or with different permissions (and with special case permissions; eg. when running at mid-low trust an app is allowed to read/write files if they were given the filename from a standard Open/Save dialog, but not otherwise).

      Of course, in practice most developers don’t use the security features; they just set their app to “demand full trust” or ignore it entirely and get confused users (if they’re running something coded expecting to have full trust from a low trust location — as far as the app is concerned, things will unexpectedly fail). And the security features are painful to configure as an end-user.
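
The scheme MichaelG sketches above (lowest role by default, explicit user-side promotion, OS-authored dialog text, a per-app directory with a size cap), with Miral’s note about .NET letting a low-trust app touch only files the user picked in a dialog, as an added example in Python. This is my illustration, not code from either commenter, from .NET or from any OS: the role names and ladder, the 64 KiB quota, the ‘grant’ API and the demo scenario are all assumptions. It shows what the design actually has to get right: the app can only ask for promotion, path confinement collapses ‘..’ and symlinks before checking, and a user-chosen file outside the directory is readable at any role.

```python
"""Toy model of a role-promotion sandbox (added example; not from the thread or any OS).
Assumptions: role names/ranks, the 64 KiB quota, the per-file 'grant' API, the demo scenario."""
import os
import pathlib
import tempfile

# Dialog text is authored by the "OS" (this table), so the app cannot soften it.
ROLES = {
    "widget": (0, "draw in its own window only; no file, mail or network access"),
    "editor": (1, "read and write files in ONE directory you assign it, up to a size limit"),
    "mail":   (2, "read your mail and send mail as you, from your account"),
    "full":   (3, "complete control of this computer, the same as an unrestricted .exe"),
}
QUOTA_BYTES = 64 * 1024  # assumed storage cap for the "editor" role


class PermissionDenied(Exception):
    pass


class Sandbox:
    """Everything the app touches goes through here; it never holds a raw path."""

    def __init__(self, app_name, assigned_dir):
        self.app = app_name
        self.role = "widget"            # lowest role by default, whatever the app asked for
        self.root = pathlib.Path(assigned_dir).resolve()
        self.granted = set()            # files the user explicitly picked for this app
        self.promotion_request = None   # the app may only *ask*; it cannot promote itself

    # ---- calls available to the app ----------------------------------------
    def request_promotion(self, role):
        """'I can't live at this level': recorded, shown in-window, nothing changes."""
        if role not in ROLES:
            raise ValueError(role)
        self.promotion_request = role
        return f"{self.app} asks to become a '{role}' app; allow it from the system UI if you trust it."

    def write(self, relpath, data):
        self._require("editor")
        target = self._confine(relpath)
        used = sum(p.stat().st_size for p in self.root.rglob("*") if p.is_file() and p != target)
        if used + len(data) > QUOTA_BYTES:
            raise PermissionDenied(f"{self.app}: quota of {QUOTA_BYTES} bytes exceeded")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return len(data)

    def read(self, relpath):
        self._require("editor")
        return self._confine(relpath).read_bytes()

    def read_granted(self, path):
        """The .NET-dialog case: a file the user chose is readable at any role."""
        p = pathlib.Path(path).resolve()
        if p not in self.granted:
            raise PermissionDenied(f"{self.app}: {p} was not handed over by the user")
        return p.read_bytes()

    # ---- calls available only to the user's system UI ----------------------
    @staticmethod
    def describe(role):
        return f"{role}: {ROLES[role][1]}"

    def user_promote(self, role):
        if ROLES[role][0] <= ROLES[self.role][0]:
            raise ValueError("promotion must raise the role")
        self.role = role
        self.promotion_request = None

    def user_grant_file(self, path):
        self.granted.add(pathlib.Path(path).resolve())

    # ---- internals ----------------------------------------------------------
    def _require(self, role):
        if ROLES[self.role][0] < ROLES[role][0]:
            raise PermissionDenied(f"{self.app} is a '{self.role}' app; '{role}' needed")

    def _confine(self, relpath):
        """Map an app-supplied name into the assigned directory; '..' and symlinks are collapsed first."""
        candidate = (self.root / relpath).resolve()
        if self.root not in candidate.parents:
            raise PermissionDenied(f"{self.app}: '{relpath}' leaves its directory")
        return candidate


def demo():
    """Run the thread's scenario in a temp dir and return what happened at each step."""
    r = {}
    with tempfile.TemporaryDirectory() as home:
        app_dir = os.path.join(home, "apps", "notepad")
        os.makedirs(app_dir)
        secret = pathlib.Path(home, "passwords.txt")   # constructed file outside the app dir
        secret.write_bytes(b"hunter2")
        box = Sandbox("notepad", app_dir)
        try:
            box.write("notes.txt", b"hello"); r["write_as_widget"] = "allowed"
        except PermissionDenied:
            r["write_as_widget"] = "denied"
        r["request"] = box.request_promotion("editor")
        r["dialog_text"] = Sandbox.describe("editor")
        box.user_promote("editor")                      # the user's explicit choice
        box.write("notes.txt", b"hello")
        r["read_back"] = box.read("notes.txt")
        for name in ("../../passwords.txt", "sub/../../../passwords.txt"):
            try:
                box.read(name); r[name] = "allowed"
            except PermissionDenied:
                r[name] = "denied"
        try:
            box.write("big.bin", b"x" * (QUOTA_BYTES + 1)); r["over_quota"] = "allowed"
        except PermissionDenied:
            r["over_quota"] = "denied"
        box.user_grant_file(secret)                     # user picks the file in a dialog
        r["granted_read"] = box.read_granted(secret)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of `_confine` is that the check happens after `resolve()`, so a name like `sub/../../../passwords.txt` is judged by where it ends up, not how it is spelled; the point of `request_promotion` returning text rather than raising a prompt is Dan’s objection above: no allow/deny pop-up to click through by reflex.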

  18. midget0nstilts says:

    Ugh. Here come the browser/OS/text editor/console vs PC holy wars.

    I agree wholeheartedly, Shamus. Half of my job is finding ways to prevent users from doing stupid things. The other half is cleaning up their messes. It’s a wonder I ever get the time to get the other things I’m supposed to get done!

    I disagree, however, that users are in the right in seeing PC literacy as unnecessary. We wouldn’t let people who are not “car literate” drive a car…. Oh, wait… nevermind.

    Instead of blaming the OS/software, we would do well to remember this variant of Murphy’s law:

    Make it idiot-proof, and someone will make a better idiot.

    • Garden Ninja says:

      This cars analogy gets brought up a lot in these debates, and the rebuttal usually assumes that “car literate” means you have the knowledge of an auto-mechanic. Rather than assume, I’ll just ask: What do you consider car-literate (and by extension, computer-literate)?

      If you mean mechanic-level knowledge, then that is definitely demanding too much of users. If you mean the basic stuff about actually driving the car (bare minimum to get your license), that’s a different issue, and I’d argue is what we already have, if you equate “drive from A to B” with “Go online to check email”. The problem is the “knowledge surface area” (best words I can think of; hopefully it’s clear what I mean) that a person encounters when driving their car is completely dwarfed by the “knowledge surface area” that they encounter operating a computer. There is a lot more to know about your computer to use it “safely” (before you even approach mechanic level knowledge) than there is to know about a car to use it safely, and you probably won’t kill someone if you use the computer wrong.

      • midget0nstilts says:

        Hmm… that’s a good point.

        I’d say you were car literate if you could:

        - Parallel park
        - Do simple repairs (replace tires, add antifreeze, etc.)
        - Knew all the traffic laws
        - Knew basic car safety (not accelerating on ice, going fast when merging onto a highway, etc.)

        This is not comprehensive, but hopefully you get the idea. I do admit that since practically all of my life I’ve been a guru, I have no idea what it’s like to be a normal user.

        • Garden Ninja says:

          (Edit: Sorry, this is a wall of text)

          Those sound like reasonable requirements. I suppose the analog for computer use would be something like this:

          - Parallel park = file hierarchy
          - Do simple repairs = run virus scan, OS updates (this is the most important one, I think), defrag
          - Knew all the traffic laws = understand UI conventions, don’t dismiss dialog boxes without reading them
          - Knew basic car safety = understand file types at the basic level (a .exe is not a video), don’t open attachments from people you don’t recognize, permissions

          all of my life I’ve been a guru, I have no idea what it’s like to be a normal user.

          Neither do I. The list above sounds reasonable to me, but I know it already. It’s knowledge I’ve acquired by messing with computers pretty seriously for 20 years. No one taught me this stuff; I did it myself. It is easy to say that people need to be computer literate in the same way we expect them to be car literate, but there are two major stumbling blocks to this

          1. There is no infrastructure in place. Computers don’t have the equivalent to drivers’ ed, learners’ permits, driving tests, etc
          2. Us. We don’t encourage good habits. Windows (even 7) makes an Admin account by default (to be fair, with UAC enabled, but that’s a bandaid on a gunshot wound). Because of this, a lot of programs don’t play nice with Limited accounts, or UAC, including some apps from Microsoft (e.g. VS 2008 and IIS 7). So, even though we know we shouldn’t, we relent and use the Admin account. Running as limited isn’t perfect, but it’s a start. I’d say it’s analogous to wearing your seatbelt, but a lot of people who know better, don’t. Regular users don’t even know there is a seatbelt.

          I don’t have a real solution (at least not an immediate one), but I think these are the issues to be solved. Incidentally, I think the issue will be partially solved by time. We are oddities. When we got our first computer, we were the only family I knew that had one. These days, market penetration is much higher. The family that doesn’t have a computer is probably the odd-one-out these days. Even if the parents don’t understand them, the children probably do (at least the basic use of them). They will have that 20 years of experience. Obviously, not all of them will become gurus, but even 20 years of casual usage is a lot of knowledge. If we couple that, with the OS encouraging better habits, and perhaps a computer class in grammar school, I think we will be in much better shape.

  19. Dev Null says:

    It occurs to me that, what with the sheer volume of spam being automatically generated by computer-controlled botnets, frantically cross-connecting across the net, and received by nothing but automated spam filters, that the spamcosystem has got to be high on the list for most likely places for AI to evolve.

    It’s alive, and it’s trying to sell me viagra.

    • Bret says:

      Oh boy.

      The first contact with nonhuman intelligence will be poorly spelled attempts at talkin’ dirty.

      Or, alternately, assuming an evolving security system gets to the top first, Jipi and the paranoid chip writ large.

  20. Jonathan says:

    I’ve despised PDFs since the mid/late ’90s. They tend to be huge compared to other formats, they are hard to read (text almost never sizes properly), the format wastes a lot of screen space, and they’re impossible to copy from. I just hit Print and read the paper document at work.

    Add to the list: Possibly a source of viruses.

  21. Ian says:

    Whenever I run into heavy infections (more often than not anymore) I always put my faith in UBCD4Win. It’s essentially a distribution of BartPE (which essentially creates a Windows LiveCD) with plugins included for many antivirus/antispyware utilities as well as other useful tools. That will typically deal with a bunch of the threats.

    After I get the system back into Windows, ComboFix can almost always make it usable again (note: use at your own risk! I’ve never had ComboFix render a system unbootable, but the possibility is there). After that, clean it up with free tools, verify that everything works properly, and that should be that.

    • stormbringer951 says:

      If I get a virus, I just reinstall.

      • A different Dan says:

        You must not have any games that limit your install count.

        • Jabor says:

          Not really. If a game tries to do that to me, I find a way to disable that “feature”.

          • A different Dan says:

            I’d appreciate any pointers to doing exactly that with EA’s Battlefield2142. It’s the only game I have that has this “feature,” but given that EA has a very cute tendency of disabling user accounts for anything starting from critical forum comments (your forum account *is* your game access account), I’ve refrained from experimenting. Well, beyond swapping the executable for a No-CD version.

      • Ian says:

        So you’re willing to spend a day (or a few days, depending) trying to restore your documents and settings back to the way that they were, but not willing to spend 6 hours just cleaning the infection? Alrighty then!

        Besides, the people that I do those cleanups for are inexperienced users. Reinstalling Windows on another person’s machine is just asking for trouble. “How do I get to this now?” “What’s the password for my e-mail?” I’d rather do it the right way rather than the Geek Squad way if possible.

  22. swimon says:

    The only solution: We must create up-link! It’s 100% hack proof.

    … Yeah I don’t know much about malware so I post obscure game references instead ^^ (at least I think it’s obscure).

  23. Dustin says:

    I don’t want to sound like a Mac Zealot here, because I do happen to work for a certain fruit themed electronics company, but Shamus’ musings are exactly why the iPad will be an enormous success. I wholly appreciate the fact that my opinion is in the minority here on Twentysided. But I hope that there are some here who see my side of it. Hear me out.

    I grew up on PCs. DOS, Windows 3.0, autoexec.bat’s and QBASIC. For a good 10-12 years I was ‘Windows only’, even installed Windows ME when it was first released. I’ve used and troubleshot Windows 3.0, 3.1, 3.11, 95, 98, 98SE, ME, NT 3.51, NT 4, 2K, and XP. I scoffed at the first iMac’s lack of a floppy drive, derided Apple’s claims to the first home supercomputer in the PowerMac G5. Macs didn’t have “The Games I Wanted to Play”, so they didn’t deserve my time or consideration. I’d used Macs on and off over my life, the Apple ][, OS 9 and OS X 10.2 when I worked for an ISP, some blue and white G3s in the graphics design lab when I took some Photoshop classes in college (still hate those hockey puck mice).

    Then in 2005, I was between jobs and in desperate need of money to pay the bills when Apple called me to offer me a job. My initial thought was “no way”, but survival instincts took over and I gave them a chance. I’m glad I did, because my viewpoint would otherwise still be as closed as many a “power user’s” is today. I probably would have been one of those Vista apologists.

    There are 6.8 billion people in the world. Of those billions, what percentage of them is savvy enough to navigate to Twentysided and chime in on their viewpoint? WE are in the minority. The tech savvy, the gamers, the geeks, the hackers. The majority of the world’s computer users don’t care about DirectX, WHQL certified drivers or whether or not their OS has a certified UNIX core. They could care less if their computer multitasked, they get confused and lost by having multiple windows open. WE are the niche market. The iPod and iPhone proved this, and soon the iPad will be proving it as well. This is not to say that we the power users will lose our market immediately, but that an entire new segment will open to compete with and eventually replace our own. Yet there will always be an undercurrent of hackers, of power users, of those pushing the limits of the status quo and adding to or improving upon it.

    One parallel I’ve heard and I’ll use it here is the automatic transmission vs manual transmission. It used to be if you wanted to drive a car, you needed to know how to work the stick shift. Misuse or uninformed use of the stick shift could cause damage to the rest of the car. The automatic transmission negates that possibility. The same can be said of computers. If you use a Windows machine, you need to know how to work an anti-virus/anti-spyware/internet security suite of software, or you hired someone to do that for you. Your chauffeur, to bring back in the car analogy. The automatic transmission has opened up the world of driving to those untold millions who could care less about gear ratios, or the minute savings in fuel you can enjoy by shifting properly.

    The iPad will (eventually) do the same for computers.

    • midget0nstilts says:

      One nitpick: I think even normal users would care if they didn’t multitask, even if they had no idea what the word means. IMO, the lack of multitasking is one of the iPad’s failings. You can’t even browse the Web while still being available for chat!

      I think the AT vs MT analogy is better suited to command line vs GUI. Like automobiles, computers will always require routine/preventative maintenance, whether it’s done by the owner or a hired mechanic (computer technician). You still have to at least do simple things like check the tires and oil every now and then. We were all taught not to do stupid things like accelerate on ice or in puddles, or change lanes without looking behind you.

      A better analogy would probably be mass transit. I’m not saying this because I’m an analogy Nazi, but I’m trying to point out that most people probably don’t want an iPad. Just as mass transit is inconvenient because it may not go where you want it to, and you have to adjust your schedule to it, an iPad can’t do Flash (although I admit there are no technical limitations preventing this), and it can’t as I mentioned do chat and browse at the same time. And I think we can all agree that there is nobody who wouldn’t want either of these things.

      EDIT: I just realized that computer labs like those at a library are mass transit! The iPad is more like a bicycle!

      • Shamus says:

        “We were all taught not to do stupid things like accelerate on ice or in puddles, or change lanes without looking behind you.”

        I want to live where you live. :)

      • Heron says:

        I think even things like instant messaging are something of a niche. Most people don’t use messenger, or if they do, they’re not online all the time.

        We, the niche, tend to overestimate the usefulness of multitasking for the average user.

        See, the average user just wants to be able to switch between a word processor and their web browser and their e-mail client so they can do their homework or write that report for their manager. The iPad will handle that sort of pseudo-multitasking just fine.

        The iPad can also compete with e.g. the Kindle DX; for essentially the same price, you get an eBook reader with a wider selection (it has all the same books as the Kindle by virtue of the Kindle app, plus Apple’s own bookstore) that’s also touchscreen and can do internet browsing and e-mail. Oh, and it’s color.

        In other words, with the iPad coming out, there’s essentially no reason for the average ebook reader to buy a Kindle. (Keep in mind that I work for Amazon, so in theory I have a vested interest in encouraging Kindle sales… but the iPad is just so much better that I can think of one and only one reason to buy a Kindle instead, and it’s just another niche.)

        I say this as a guy who has historically been quite vocally anti-Apple, but who bought an iPhone and loves it.

        • midget0nstilts says:

          I’d be curious to know, actually. The only reason I signed up for AOL Instant Messenger and (what was then) MSN Messenger was because my non-techie friends insisted that I do. I was just happy using email, telephone, online forums and IRC. (I do have to admit, however, that Windows Live Messenger is quite nice.) I don’t even use AIM any more. I’ve texted on my phone less than five times in my entire life. They used to beg and plead that I use Xanga, then LiveJournal, then Friendster, then MySpace, then Facebook. I’m proud to report I never used any of them! Anyway, my point is I guess I had always assumed that IM/social networking sites were primary used by all the cool kids and weren’t really for geeks like us.

        • Caffiene says:

          Does the iPad have e-Ink display? The benefit of a Kindle, etc, is the low eye-strain readability of its display…

          Either the iPad does have it, in which case it’ll be useless for any form of movie or animation (e-Ink displays have very, very low refresh rates), or it doesn’t, in which case it is a much less desirable reader than something like a Kindle.

          (If anybody does have a good write-up of the iPad’s display tech I’d be interested to see it… So far, I can’t find anything to indicate it’s any better than trying to read on a standard PC screen, mostly by virtue of nobody talking about it beyond resolution)

          • maehara says:

            IPS LCD display – not e-ink.

            Have used e-book readers on the iPhone without suffering from any real eyestrain, so the iPad may well turn out to be quite usable (although larger screen = more light for the eyes to deal with). That said, I’ve never used a Kindle or other e-ink reader, so I’ve got no point of comparison.

          • Heron says:

            I’ve heard vastly differing opinions regarding eInk, whether it’s good or not, or better or worse than some competing thingy.

            I haven’t tried the Kindle, so I don’t know how nice it is to read; the iPad’s display tech is the same as the iPhone as far as I know, and I don’t mind reading on the iPhone at all (aside from the screen being small). Of course, I don’t mind reading on computer monitors, either, so YMMV. I’m probably not a typical computer user.

            What it does affect, though, is battery life. eInk displays use a lot less battery power, so if you tend to go long periods of time (several days) without access to electricity, then the iPad won’t really work for you regardless.

  24. Factoid says:

    Scorching the earth is the ONLY safe policy when it comes to malware. I will occasionally clean a machine if I’m convinced it’s only got superficial spyware problems, or if I need to get it working temporarily to run a backup, but in those cases I generally follow up with a full blown reload.

    It’s actually faster than diagnosing and running half a dozen fix tools and analyzers. It takes about an hour to load windows. It can take 2 or 3 hours to diagnose and repair a system.

    The best thing is that Windows7 is designed to be installed from a flash drive or portable hard drive. So you can skip the slow DVD and get it installed in about 20 minutes from a portable.

    So my new policy is going to be that if someone wants me to fix a computer, they have to either have Windows 7 or buy the upgrade license first and then I will back up their data for them and reload it from my portable drive using their install key.

  25. Colonel Slate says:

    At my place of work we started calling it a war around the beginning of 2009. We specialize in anti-mal anything, really, but it has become an all-out war, if it wasn’t already.

    Also, Mac vs Linux vs Windows: let me tell you, my workplace runs all three, and we do work for the government, classified and all, but all three are just about the same in the ease of infiltration and destruction. It really does just boil down to, I think, Windows being most popular, so it’s most targeted. We have several Mac and Linux boxes that have been bricked by some of the nastiest code I’ve ever seen, things that change minor things that cause overheating damage to motherboards and processors. Though it is worth noting that I’ve seen much worse to Windows boxes.

    Just my two cents like everyone else.

  26. Nothing about “don’t click on links, some might be evil”, “people who you have on your Messenger may sometimes send you phantom messages while they’re offline but that’s different from real messages that are offline”, “WindowsXP.exe is malware”, etc. is common sense. It is decidedly uncommon sense.

    I’ve always thought that this is a LEGISLATIVE problem. This isn’t the 90s. Guys aren’t writing malware in their basement for fun. This stuff is connected to huge profits: Market data, etc. PROSECUTE THEM. If the money disappears, the incentive does too. I’m amazed no one talks about the problem in these terms.

    • stormbringer951 says:

      And how? The Governments are hung up on “superusers”, shadowy hacker types who break DRM, steal thousands of bank account numbers and play with Defence computers. The media called Kevin Mitnick a “genius hacker” when his hacking consisted of “social engineering” a.k.a. psychological manipulation.

      Current legislation to hunt down these mythical superhackers incriminates thousands of more or less innocent computer users. The problem is that the Govts don’t understand the problem – they see code as something they can’t understand and which allows hackers to essentially have superpowers. This is because criminologists assume that online crime consists solely of finding vulnerabilities in code and leave it at that, while computer security experts shrug their shoulders and announce that security is always a losing battle. The Govt instead listens to reports of mass hysteria (“omgwtf! terrorist hackers shut down O’Hare airport!” when in fact it was an adolescent who accidentally tripped a switch in a telephone network and shut it down, preventing aircraft from remotely activating the landing lights at a small unmanned airport).

      • blue_painted says:

        I wondered if it’s possible to start something under the PATRIOT Act — after all, spam and viruses affect defence personnel wasting their time and reducing their effectiveness, so degrading the defence of the USA and that’s something that is taken very seriously these days.

        • Matt K says:

          But in all honesty, who are you going after? If certain facts are to be believed, a lot of the people who make the code live outside the US (and thus US jurisdiction). Other countries (not all but some) just do not care. Also, how do you make sure you go after the hacker and not someone whose computer has been hacked?

          Pretty much you need evidence beyond a reasonable doubt that the person did this which is difficult.

  27. Mark says:

    Thanks a lot for the information about PDFs to those who responded to my question. I will make sure to disable those options for Javascript.

    I also found the following web page from within the options while looking at the Enhanced Security options.

    http://help.adobe.com/en_US/Acrobat/9.0/Standard/WS0A9F02BE-0B04-4e37-B971-16EEB6FD318E.html

    Strangely enough, although both Reader and the web page state that the Enhanced Security option should be left on as a default, on my install it was turned off, and I have no memory of ever turning it off.

    In addition, I found some Multimedia Trust settings that I changed from “Always On” to “Prompt”.

    When did Adobe Reader become so complicated?
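
The settings Mark is turning off above (JavaScript, multimedia) exist because a PDF can carry active content; a byte-level triage that shows which of those features a file actually uses, as an added example in Python. This is my code, not Adobe’s and not from any commenter; the shortlist of risky names is my own, and the three sample PDFs are constructed skeletons built inline (no xref table), not real documents. It also handles the two tricks a naive grep misses: hex-escaped names (`/Jav#61Script`) and actions hidden inside Flate-compressed streams.

```python
"""PDF active-content triage (added example; not code from the thread or from Adobe).
Assumptions: the RISKY shortlist is mine; sample PDFs are constructed skeletons."""
import re
import zlib

# Names whose presence turns a PDF from "a document" into "a program".
RISKY = {
    b"/JavaScript":   "embedded JavaScript (what the Reader 'Enable JavaScript' option controls)",
    b"/JS":           "a JavaScript action or code string",
    b"/OpenAction":   "something runs as soon as the document is opened",
    b"/AA":           "additional actions fired by page or form events",
    b"/Launch":       "launches an external program or file",
    b"/EmbeddedFile": "an attachment carried inside the PDF",
    b"/RichMedia":    "Flash or other multimedia (the Multimedia Trust setting)",
}
# A PDF name ends at whitespace or a delimiter, so '/JS' must not match '/JSX'.
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalise_names(data):
    """Undo '#xx' escapes so '/J#61vaScript' reads as '/JavaScript' (a common dodge)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Plaintext of every Flate-compressed stream; hostile actions usually hide there."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the EOL bytes left before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (LZW, ASCIIHex, encrypted...): raw bytes are still scanned
    return out


def triage(data):
    """Count risky names in the raw file plus the inflated streams."""
    text = normalise_names(b"\n".join([data] + inflate_streams(data)))
    hits = {}
    for name in RISKY:
        n = len(re.findall(re.escape(name) + _DELIM, text))
        if n:
            hits[name.decode()] = n
    return hits


def report(data):
    """Human-readable lines; an empty list means 'nothing active found', not 'safe'."""
    return [f"{name} x{n}: {RISKY[name.encode()]}" for name, n in sorted(triage(data).items())]


# --- constructed samples (skeletons, not valid for a viewer) -----------------
def _skeleton(extra_objects, catalog_extra=b""):
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj"] + extra_objects
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def build_samples():
    action = b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj"
    packed = zlib.compress(action)
    return {
        # plain one-page document: nothing to report
        "benign": _skeleton([]),
        # OpenAction -> JavaScript, with the name hex-escaped to dodge a naive grep
        "obfuscated_name": _skeleton(
            [action.replace(b"/JavaScript", b"/Jav#61Script")],
            catalog_extra=b"/OpenAction 4 0 R"),
        # the same action hidden inside a Flate-compressed object stream
        "compressed_stream": _skeleton(
            [b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
             + packed + b"\nendstream\nendobj"],
            catalog_extra=b"/OpenAction 4 0 R"),
    }


if __name__ == "__main__":
    for label, pdf in build_samples().items():
        print(label, report(pdf) or ["no active content found"])
```

This is triage, not a verdict: a file with no hits can still exploit a parser bug in an image or font decoder, which is the other class of Acrobat vulnerability the report counts, and JavaScript inside XFA forms or behind other filters (LZW, ASCIIHex, encryption) is not inflated here. What it does tell you is whether a “document” is carrying the exact features those Reader settings exist to switch off.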

  28. Lockesly L'Crit says:

    It’s really not that hard to learn a computer. Unfortunately, like you said, most people don’t want to take the time to learn.

    I’ve excelled in my GIS (Geographical Information Systems) certificate course in my university; not because I was some l33t nerd or anything, but because I knew the basic functions of my operating system and knew how to take instruction. There were plenty of people in my course who didn’t even know how to unzip a compressed file, or even know what Windows Explorer (the most important part of a Windows OS) was. It makes me wonder what they were thinking when they joined the program… It’s computer related, so obviously you will need at least a fundamental knowledge of a computer.

  29. Chris says:

    “Oh? You’re disappointed that you lost all your settings and that cute little screensaver of the bunny you loved so much and now the machine has forgotten all your passwords and bookmarks? Well maybe next time you should think twice before downloading software from http://www.microsoft.f3gxq9i12p.com/totallylegit/trustus.html.”

    Whenever I am fixing a computer like this I feel like I’m a shady mechanic,
    “Mmm, that’s gonna cost ya”, “Hmm, that’s not pretty” etc.

    If I had more balls I would just tell people, “I can install Ubuntu/Fedora for you, but I will not attempt to install antivirus/antispam programs or clean your old system or reinstall Windows so that it can happen again”.

  30. Eltanin says:

    Wow. What a pertinent post.

    This is what I do for a living – fix people’s compromised machines. I mean, we do other stuff too, but a lot of business comes through the door that’s a home-user infected machine. And the scorched earth approach is clearly best, but it’s hard on the user because they have all those photos and itunes music folders and pirated videos and stuff all over the machine. So users prefer to have us try to remove things (thank goodness for Malwarebytes Anti-malware) even though it may or may not work. And lately I’ve seen a lot more in the ‘not going to work’ category. Things have been getting progressively nastier, especially in 2010 in my personal experience.

    User education is hard/impossible. Things have happened so fast and with such complexity that most people are too daunted to even attempt to learn. As many comments have noted, many people just throw up their hands and say “I’m not a computer person!” It’s a mental attitude problem though because it’s not that they are incapable of learning the material. I think that it’s just that we as humans aren’t really designed/used to such insanely rapid change. So people instinctively shut down and fear these things even if they have to do it as part of their job.

    I just had a fascinating discussion with a friend about the relative security between Unix based OSes and Windows. The Windows ‘open-air’ concept makes a lot of things easier to do, but makes security a patched-on effort. Whereas Unix makes security the basis but usability becomes the patched-on affair. Both systems seem to be moving toward each other even if they are approaching the same spot only asymptotically.

    So while I agree that Linux is fundamentally more secure and also less targeted, I’m not sure that it can ever be the answer to the problem. I don’t believe that there is or ever will be a totally secure OS. In the end it will always come down to user behavior and choice at some level. And given the technical challenges still present in any distro of Linux, porting the computer-illiterate to Ubuntu or whatever is not going to make them happy.

    Anyway, I’ll stop blathering. I will say though that the smug attitude of Mac and Linux users isn’t winning them any friends. Smug ain’t cool, no matter how in the right you feel yourself to be.

    P.S. – does anyone here have any tips on how to get into the Bleeping Computer ‘school’?

  31. Daemian Lucifer says:

    Wow, so many comments, and only one mention of Windows 7? I’m surprised how many people use Vista. I’ve seen that pile of crap with just 3 people here (not counting the friend of mine who works with a computer store, and thus has to use it as well). Most either still use XP, or have skipped straight to Windows 7 (usually because of my recommendation). It’s actually the best layman OS there is: fast to install, no need for custom programs, and it’s surprisingly stable (for a Windows, that is).

    • Roll-a-die says:

      While I agree with your point that Win7 is a decent OS, I can install Ubuntu in 20 minutes and be up and running with Flash and codecs installed in 25. In 30 I’ll have gvim set up fully and be off writing code in the intervening 20 minutes which it takes you to get fully set up. And then you have to patch, restart, patch, restart, patch, restart… 1 day later, patch, restart.

      All the while I’m browsing funny videos on youtube… 1 week later, patch… What were you expecting something to come after that?

      • Daemian Lucifer says:

        Really? I've installed it in ~30 minutes the first time. All the drivers, codecs, decent picture viewer, archiver, Flash, everything. And that includes that crucial patch, which was quite fast. The only thing I had to look for on the web was a driver for my TV card and RealPlayer for playing .3gp files. I didn't even bother with all the custom programs I've used before (though I did install Opera simply because I'm used to it and can't bother with IE). And in the past 6 or so months I've had it as an OS, I had only 3 crucial system patches that required a restart. The rest were minor updates that I don't even bother with until they reach a certain threshold, which I could also set to be installed automatically.

        Yes, it is a Windows, but it doesn't work like the rest of the Windows.

  32. ClearWater says:

    What really scares me is smart phones like the iPhone. Once viruses start coming out for those (if they haven’t already) we’re in real trouble. I know what to do if my PC gets infected but I don’t have a boot disk for my phone, nor a virus scanner.

    • Klay F. says:

      I actually tested this on one of my old phones not too long ago. I downloaded a file that clearly didn't belong on a phone (I forget what kind of file it was though) to its microSD card. I then put the microSD card into my phone. I then searched my phone for the file, ran it, and the phone promptly froze. I couldn't even turn it off. I had to remove the battery, take out the microSD card, and turn it back on. I put the card back into my computer to try and remove the file, but my computer wouldn't read the card anymore. I had to reformat it, losing everything that was on it in the process (thankfully nothing important). If I could screw up my phone momentarily just by running a non-malicious random file, I kind of shudder to think of what is possible with someone with malicious intent. I'm kind of surprised that more viruses aren't spread through text messages.

    • maehara says:

      There have been a couple of exploits for jailbroken iPhones, but nothing for ‘stock’ that I’m aware of. (Jailbreaking usually involves enabling SSH access to the iPhone’s OS, with most people doing it not bothering to change the default password. Nice, easy target for the unscrupulous.)

      Some details: http://www.tuaw.com/2009/11/07/jailbreak-worm-rickrolls-the-unsecured/

      • guy says:

        Not sure about for smartphones, but there apparently is a Bluetooth-enabled phone exploit. It does require the user to do something stupid, but since it works by spamming them until they accept or move out of range, people who are in a hurry sometimes do accept so they can use their phone.

  33. wererogue says:

    “You don’t need to be “TV literate” [...]. The knowledge you need to use these devices is small and the dangers of ignorance are small or nonexistent.”

    Unless you’re watching FOX News :V

  34. Mark says:

    I just read this, which is along similar lines.

    http://quietbabylon.posterous.com/i-have-some-opinions-about-the-rww-facebook-l

    Apparently, lots of folks thought that an article about Facebook logins was the new Facebook login page because it came up first on google or something. As someone who works on usability for a big site, I see this sort of thing semi-frequently, and it’s a bit of a daunting problem.

  35. Zaghadka says:

    Sounds to me like you’re doing the equivalent of blaming people who get lice for their lack of cleanliness. It’s unkind, and unhelpful.

    Viruses, in the days of drive-by XCSS malware download exploits that get served up in some compromised ad delivered to a perfectly legit page, are part of the ecosystem of the Internet. As with those who have headlice, no matter how repellent the concept, I think you should cut people some slack if they get infected.

    I don’t expect you to pick any nits that aren’t your own, however. ;)

    • ehlijen says:

      It’s not just lice, it’s lice who shoot other people with mortar batteries they build on your head.

      Sure, telling them that they were stupid to roll around in the mud all day and not shower isn't helpful. Telling them that that was how they got the lice is, and telling them that they shouldn't roll around in the mud, with some sort of idea as to why hygiene exists, is also helpful.

      • Monkeyboy says:

        It’s not just lice, it’s lice who shoot other people with mortar batteries they build on your head.

        Mortar batteries firing more lice!

        That would make a cool minigame.

    • Shamus says:

      True thing: I run no AV whatsoever. Every few months I install some, scan the machine to make sure it’s clean, and uninstall it again. I’m always clean, even though I spend more time online than a lot of the people with compromised machines. (Note that I don’t actually recommend doing this. I just can’t bear the performance hit AV software imposes.)

      It’s about recognizing danger, finding alternatives to problem apps (like Adobe) and avoiding risky behavior.

      A little knowledge can make you a lot safer than a lot of AV software. And no AV in the world can keep you safe if you’re reckless.

      • Zaghadka says:

        I do run AV, if it’s no inconvenience, but I’ve got the same experience. I don’t think I’ve ever come close to being infected.

        My kids’ machine, they have had one problem, ever. Spammer got a hold of their machine. I immediately overwrote the OS partition with a clean image and problem solved.

        But our experiences are probably “expert” ones, you’re a programmer, I’m a retired sysadmin, and the attacks keep getting more sophisticated, so I find it hard to blame the victims of it.

        One friend of mine, she got a very convincing “click here to remove all the viruses we’ve found” message box, and she did the only right thing she could. She put the thing in hibernate and brought it to my house, because she just didn’t have the expertise to know if she was really infected.

        Point of fact: Cons work. I sympathize with any frustration you have with the results of it, but I hope your criticisms of victims of this crap are more tongue-in-cheek than earnest.

  36. Nick says:

    Most people don’t want to have to become computer literate in order to use the net.

    Yeah, who needs to know how to drive a car before driving on a freeway?

    /sarcasm

    • Avilan the Grey says:

      Exactly.

      Once upon a time I saw a joke: What if customers buying a car would have the same mindset as customers buying computers.

      Phonecalls like this would occur:
      “Volvo Technical support, how can I help you?”
      “My car won’t start!”
      (after much Q&A and stuff)
      “Is the gas tank full?”
      “What is a gas tank”?
      “You have to fill the tank with gas if you want to drive!”
      “NOBODY told me that! Why should I have to do that!? I don’t want to do maintenance! All I want to do is to Go Places with my car! Your cars suck!”

      • Shamus says:

        This is basically the point of the article. In the end it’s all about mindset. People approach the computer like a TV: They just want to flip channels and not be bothered with details. Just convincing them that they need to learn more can be difficult. The mindset is “Ah, viruses happen. Nothing you can do about it. Fact of life.” It’s like people that simply accept running out of gas and getting towed once a week. They think it’s just “something that happens” and don’t see a need to learn more.

        • Sem says:

          I find the comparison between driving and using computers appealing but broken. Most people, when they have to learn a new skill, make a simple cost-profit calculation. They consider the disadvantages of not having the skill and the cost of learning it balanced against the advantages of knowing it.

          The disadvantages of not knowing how to drive are rather enormous while those for not knowing how to use a computer properly are a lot lower. (Even worse, if you can't drive that's entirely your problem, but if your computer is filled to the brim with malware the cost is partly carried by other people (i.e. everyone who gets spam because your computer is a zombie in a botnet).)

          Also, when you don't know how to drive, your only other options are to accept it (and limit your mobility severely), use public transport (which is cumbersome) or ask someone to give you a ride (which is OK as a one-time solution but you won't keep many friends if you do it all the time). In the case of computers however, you can give up (for most people this is sometimes a viable 'solution') or you can just ask some local computer guy/girl (i.e. me and probably a lot of the commenters here) to repair it every few months for the low, low price of 50 Euros.

          Second is the cost of learning the skill. Now, this is purely anecdotal evidence, but I learn by building an internal mental logical model of something (be it a computer or another piece of equipment). Feeding me a list of rules (if A do B, if C do E, …) usually doesn't work. If I don't know why or how something basically works I usually make mistakes. I suspect most people prefer the 'list-of-rules' approach while a lot of geeks prefer the mental model approach. The mental model approach is, of course, eminently suited to computers, not so the 'list-of-rules' approach. So, for most people learning a computer skill is hard while it isn't for geeks. (Even better, I think that for a lot of geeks learning a technical skill is a plus in itself, and in that case there isn't a downside.)

          Third are the advantages. Here, once again, they are a lot bigger for geeks than they are for non-geeks. Take for example me: I use the internet as a source of information, entertainment, education, news, … Of course I learn to use a PC properly. It's either that or seeing your PC slow down to a crawl and drown in popups. Compare that with someone who wants to write a letter or surf once in a while.

          In the end, for most users security is just too much of a hassle. I suspect (hope) this will change in the future. Partly because people will grow up with computers & the internet and partly because computers are still growing in importance.

          I also want to add that I don't consider myself better than a non-geek just because I'm better with computers. I have exactly the same attitude as them with cars. I don't like driving and no, I don't want to learn how it exactly works or how to make it faster. I just want to get from A to B. Of course, this doesn't excuse me from learning how to drive and knowing how to at least check the pressure of my tires. I'm only saying that the position of non-technical users is disappointing but understandable.

  37. Adam says:

    Chrome OS/iPhone OS is the future. The average user doesn’t need access to their file system or system-level access for ANYTHING, really.

  38. Avilan the Grey says:

    I recognize a lot of things in this thread.

    I am “computer savvy”, basically because 1) I am a geek, and 2) I have used computers since the ZX81. I am not a nerd, I can’t code or anything, but I know my way around the dangers.
    And I would love to use Linux, but since 95% of what I do on my computer is gaming… No. With the very small amount of other stuff I actually do it is not even worth dual-booting. I do recommend Ubuntu to others if they ask though.

    My wife is not as computer savvy but suspicious enough that she survives with Windows XP and Vista without getting anything.

    It helps that we are on a wireless network (WPA2 encrypted) and the ISP has their own firewall in the basement of our apartment building. This means that between us and the real world we have:

    The ISP's hardware firewall.
    The hardware firewall built into our Linksys router.
    Comodo Internet Security (free edition) on all our machines.

    Oh and a common sense to pay attention to security alerts and not to click on every link sent to us in mails.

    It is worth pointing out something about “hopeless” users:

    Experts (in Sweden) think about 11-12% of all computers on the internet in Scandinavia are completely unprotected or have such weak protection (like a never-updated XP with its firewall running and nothing else) that it really doesn't matter.

    They also have concluded that these 10+% of the population simply don't "get" it. They will never upgrade their security no matter how many times they get viruses or Trojans or anything; they just don't get why it's important or how they do that.
    In fact, a large portion of the computers that are constantly used as spammers etc. etc. are from this group.

  39. Steve C says:

    Shamus, I’m curious. Do you still use Adobe Reader?

    Years ago when you first ranted against Adobe many people recommended Foxit. That’s what I switched to because of those comments and I haven’t looked back since.

  40. guy says:

    I can top all the "Virus is sabotaging antivirus" stories. I recently got a virus that disabled safe mode after the first time I used it.

    Other nasty one: Firefox page I was auto-redirected to while browsing a message group that near perfectly emulated an XP explorer window and pretended to be the system running a virus scan. Only noticed because of paranoia and using windows 7.

  41. Haviland says:

    Every operating system, even *ix will have weaknesses.

    It is possible to remove them through formal proofs using something like Z (ftp://ftp.comlab.ox.ac.uk/pub/Zforum/faq.txt), however, the downside is (from a one-day exposure to Z in the 80s), that it takes about 2 pages of proof for every line of code. When an OS has millions of lines of code, going back decades, it is somewhat difficult to do a formal proof.

    The trouble is that PCs and whatever OS you run on it are thought of as domestic appliances like a fridge, but are in fact vastly complex systems.

  42. [...] Malicious Spam Up 500% in 2009 – Twenty Sided For the last several years malicious spam has held steady at around 600 million a day, but in 2009 it jumped up to 3 <carlsagan>billion</carlsagan> a day. (Malicious compared to simply unwanted. The “unwanted” numbers are much higher.) According to the report [pdf file] the increase was due to the increased proliferation and sophistication of botnets. [...]

  43. Rolaran says:

    Don’t know if you read Saturday Morning Breakfast Cereal, but today’s reminds me of what you’ve said in the past about viruses, in terms of all the protection in the world being useless if the idiot using the computer is going to try and bypass it anyway in search of jubblies.

    http://www.smbc-comics.com/index.php?db=comics&id=1801#comic

  44. Jeff says:

    Sorry if someone covered it, but Shamus, could you do perhaps a brief writeup on what you mean by PDF vulnerabilities? I was always under the impression that it’s just a document (related to OCR or something?) that prints pretty, not that it actually interacts with your computer in any way.

  45. Kotenku says:

    Interestingly, and I’m sure I’m way late in pointing it out in this comments thread…

    The Kennywood website (the one which Shamus cites as having the most egregious misuse of a pdf file he’s ever seen, for their Park Map) still, three years later, uses PDF for it. However, it seems they have had the decency to streamline the park map into a single image, rather than using several thousand objects to draw the picture.

    So that’s…

    progress?

    I guess?

  46. BuschnicK says:

    Hey Shamus, try http://www.shadyurl.com/ as a URL shortening service to test whether your computer-security-illiterate friends have learned anything – fun service ;-)

  47. Falco Rusticula says:

    Never downloading files unless you've asked for them works for me – and when I say 'asked for them', I mean that it's part of a university report that I have to work on. That, or it's a game, which most likely I got off an actual disk.

    I think it depends what you use the computer for. If you like to just read stuff straight off the page, you have fewer risks than if you like to transfer something onto your own computer.

One Trackback

  1. By James A. Arconati - links for 2010-02-21 on February 22, 2010 at 12:21 pm

    [...] Malicious Spam Up 500% in 2009 – Twenty Sided For the last several years malicious spam has held steady at around 600 million a day, but in 2009 it jumped up to 3 <carlsagan>billion</carlsagan> a day. (Malicious compared to simply unwanted. The “unwanted” numbers are much higher.) According to the report [pdf file] the increase was due to the increased proliferation and sophistication of botnets. [...]
