Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'


Problem with Anti-Virus

AV applications are more like flu vaccines: one has to get a new one periodically, with no guarantee that it will work. Given that most infections exploit well-known, unpatched bugs or rely heavily on social engineering, no AV is good at stopping either.


Re: Problem with Anti-Virus

Except flu vaccines actually work, and AV is still shit.

Fuck, I hate AV so much. I used to be 'responsible', if one can call it that, for securing SMBs with antivirus and keeping it updated across hundreds of machines remotely, and every once in a while you'd still get phone calls from various bosses (it's always the fucking bosses for some reason) about how their machines did weird shit, and it turns out *other* antivirus found what our own antivirus didn't find, and of course they want answers: 'How could this happen!?' BECAUSE IT FUCKING DOES, ALL THE GODDAMN TIME, but diplomatically there were only the platitudes you could give, 'this particular virus was a new variant and hadn't been inoculated against', bullshit of course.

In my experience, at least with the computers that I was exposed to, none of them should have been running Windows at all; most of them just did basic shit anyway, which would have worked just as well running Linux, even if one was not a savvy user, and in the cases where Windows was needed it should have been running only as a VM inside a Linux host, with a particular state saved on the image, and when done using it, wipe the image and use a new copy of it for next time. It would have saved so much fucking energy and money for everyone involved. AV, I hate you so much.


Re: Problem with Anti-Virus

Reminds me of an Internet Café (god, remember those?) I worked at about 15 years back. We tried AV to keep the fleet clean but with an endless parade of clueless fuckwits clicking on every flashing banner that moved it just didn't work.

In the end we went with no AV on the customer PCs, restoring them to a clean image with Norton Ghost every night after closing, and keeping the payment terminals, etc., on a separate subnet. Saved time, money and headaches.


Re: Problem with Anti-Virus

AV is rubbish:

User education is more effective.

It regularly trashes OSes.

It slows machines.

It has wrong default settings

Never up to date.

Gives false confidence, so users don't bother learning about basics.

Disable UPnP on router and PC, always use an EXTERNAL firewall, turn off SSDP and all other stupid default services on Windows. No remote content in email. Use NoScript and whitelist and blacklist on each site you use (once per visit is usually enough). Don't install stupid toolbars. Always use custom install and untick extras. Don't download "free" versions of pay-only software. Only use sensible sources for SW and codecs.

Disable Autorun on all devices.

All far more use than ANY AV.

I've been saying this for 25 years.


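The Windows-side items in that checklist (Autorun off, UPnP and SSDP off) as an added PowerShell example; this is not code from the original comment or from any vendor. It writes the Explorer policy values that disable Autorun for every drive type, stops and disables the two services Windows uses for UPnP (SSDPSRV and upnphost), and then reports each setting so the result can be checked. The function names are mine; the registry values and service names are the standard Windows ones. Run it from an elevated prompt.

```powershell
# Added example: Windows hardening items from the comment above (Autorun, UPnP/SSDP).
# Run from an elevated PowerShell prompt. Function names are the author's own.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# UPnP on Windows is two services: the device host and SSDP discovery.
# upnphost depends on SSDPSRV, so it is listed first and stopped first.
$UpnpServices = @('upnphost', 'SSDPSRV')

function Disable-AutorunAllDrives {
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all of them.
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutorunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 additionally stops autorun.inf commands from being honoured at all.
    Set-ItemProperty -Path $AutorunKey -Name 'NoAutorun' -Value 1 -Type DWord
}

function Disable-UpnpServices {
    foreach ($name in $UpnpServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }            # service not present on this SKU
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

function Get-HardeningState {
    # Returns one object per check so the result can be eyeballed or exported.
    $autorun = Get-ItemProperty -Path $AutorunKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'Autorun disabled for all drive types'
        Ok    = ($autorun.NoDriveTypeAutoRun -eq 0xFF) -and ($autorun.NoAutorun -eq 1)
    }
    foreach ($name in $UpnpServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check = "Service $name stopped and disabled"
            Ok    = ($null -eq $svc) -or
                    (($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled'))
        }
    }
}

Disable-AutorunAllDrives
Disable-UpnpServices
Get-HardeningState | Format-Table -AutoSize
```

This changes the local machine only; the router side of "disable UPnP" is a separate job. A disabled startup type holds only until something sets it back, so Get-HardeningState is worth re-running after feature updates, which can reset service startup types.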
Anonymous Coward

Re: Problem with Anti-Virus

AV may be rubbish, but how do you handle everything else:

"User education is more effective."

Unless the user's dumb as a brick, which tends to be the norm. Plus what if the user DEMANDS you turn off the security settings because their favorite stuff doesn't work otherwise? AND cites "The Customer Is Always Right" when they threaten to replace you for recalcitrance?

LDS

Re: Problem with Anti-Virus

The problem lies in the way AV products went the "snake oil" route in an attempt to protect and heal you from any disease. Thereby, instead of doing what they should have done properly, they started to become firewalls, proxies, DLP and whatever. Just, to do it properly, it would have required skills and a level of integration with the OS far beyond their capabilities - especially when the users started to expect "free" products and money had to come from elsewhere...

Thus what you really got was a dangerous pile of s**t hacking into your system in the most dangerous ways. And which usually wasn't able to clean itself up properly once uninstalled. Once I got one that redirected Windows scripts to its engine to parse them before execution, but didn't restore the original setting on uninstall.... crippling some Windows updates. Another borked downloads of some tools that could also be used to hack - but without telling what it did. You just got a damaged zip, and wondered why....

That's why in some ways the MS one is better. It does less, so it doesn't usually get in the way, and doesn't slow down everything continuously.

Anyway, from a developer of one of the most effective attack vectors of the PC era (the browser!) I would have expected better. Why are browsers still so insecure, and why, like AV, do they attempt to do too much - often accepting insecure designs just because web apps need more bells and whistles, exposing users to unnecessary risks?


Re: Problem with Anti-Virus

Reminds me of an Internet Café (god, remember those?)

Always interesting, when travelling and using internet cafés to email from, the number of people who never logged out of email or other sites they had been visiting. Luckily I was nice and used to clear down the history/cookies/logins etc. for them.


Re: Problem with Anti-Virus

And my next door neighbour is going to know how to do all that how?


Re: Problem with Anti-Virus

"Unless the user's dumb as a brick, which tends to be the norm".

IMHO it's not that they are dumb at all - many of them are very intelligent. It's that they have absolutely no patience at all with any technical necessities of computing that they don't know or care about. (OK, you could argue that it's dumb to have such an attitude, but many of us do in respect of hidden complexities we don't know or care about).


Re: Problem with Anti-Virus

Actually flu vaccines work only if you are lucky enough to be infected by the particular type of flu virus against which you were inoculated. While there are a lot fewer of those than computer viruses, etc., the odds are still heavily in favour of the flu going round your vaccination "Maginot Line".


Re: Problem with Anti-Virus

"The problem lies in the way AV products went the "snake oil" route in an attempt to protect and heal you from any disease".

I would suggest that the needs of computer security are very hard to cater for in the competitive free market environment - especially when most software (and some hardware) is proprietary and secret.

Security cannot be added on like a box on the side - or if it is, it won't work very well at all. Ideally it needs to be built right into the system at a deep level, preferably when the system itself is first designed. That is somewhat easier to do with FOSS, although there too there are serious obstacles.

On top of everything there is the chronic incomprehension and impatience of users - all the way from your husband, wife or SO to the CxOs of a big corporation - who don't want to hear anything about how computers work, just to have the benefits all the time without any interruptions or hiccups.

Anonymous Coward

Re: Problem with Anti-Virus

> User education is more effective.

From bitter experience - you can not educate lard.

Anonymous Coward

Re: Problem with Anti-Virus

"Except flu vaccines actually work"

Given that flu vaccines contain about 20 virus strains and about 200 circulate per year, flu vaccines do work, just not thoroughly.

They still probably work better than any computer AV product, though...


Re: Problem with Anti-Virus

Except I just got out of the hospital after someone decided to inject me, violently allergic to them, with flu and pneumonia vaccines. I should be dead. [Is this Hell? After this week, I think it really is.] I spent thirty years [1982-2004] not only as a sysadmin owning thousands of systems but also responsible for whole libraries of software on services like CompuServe. I was last infected in 1989 on an Amiga, despite owning a dozen Windows machines of my own.

I think that means I have a cluestick. Yeah, it can be dangerous stuff but so can a vaccine in the wrong hands too. As for trusting Windows Defender, well it's one arrow here except Microsoft loves to alter services, ports, registries, and other system aspects behind my back. FU very much Microsoft.

I am switching us to other operating systems here and no, neither Apple nor popular Linux distributions are involved. At least I have executive respect there for the foreseeable future. Unless some idiot kills me by accident or intention.

/rant.


Re: Problem with Anti-Virus

Precisely what I've done in the past with good effect.


To Paraphrase Terry Pratchett

> User education is more effective.

From bitter experience - you can not educate lard.

You have not got the brains of a tub of lard!


Re: Problem with Anti-Virus

"IMHO it's not that they are dumb at all - many of them are very intelligent."

When it comes to computers, though, even surgeons can be dumb as a brick. I speak from experience. How can you educate users when, as the comedian says, "You can't fix Stupid"?


Re: Problem with Anti-Virus

"Security cannot be added on like a box on the side - or if it is, it won't work very well at all. Ideally it needs to be built right into the system at a deep level, preferably when the system itself is first designed. That is somewhat easier to do with FOSS, although there too there are serious obstacles."

The biggest obstacle, however, is the user that expects to just get things done. If things get in the way, they complain. Well, like the lock in the door, security necessarily gets in the way of the user's job. And they're not interested in learning more hoops to jump. So what do you do?


Re: Problem with Anti-Virus

The problem is OS design and ESPECIALLY email client and Browser design.

Many people can't be bothered learning.

It's crazy bad design that you can infect the OS from browser content.

AV isn't the solution, so while it's sometimes nearly impossible, user education, when accepted, is far more effective.


Re: Problem with Anti-Virus

It wasn't users who invented a standard Windows graphics format that allowed executable commands to be placed in the image header and ran them when the image was viewed.

If HW had the same attitude to security you would have computers that caught fire or exploded if you looked at them funny.


Re: Problem with Anti-Virus

The biggest obstacle, however, is the user that expects to just get things done. If things get in the way, they complain. Well, like the lock in the door, security necessarily gets in the way of the user's job.

System security is seldom like a lock in a door. In some cases it's more like having to get an armed and armoured escort, open a dozen nuke-proof doors each with a dozen different security systems, just so they can look out the window for a moment.

Locking the door so that things of value are protected is all that should be needed, and as Mage says "It's crazy bad design that you can infect OS from browser content.".

AFAIA browsers and email are, if not the main source of infection, then a significant portion of it. Sure, stupid behaviour is a part of it but when reputable sites can deliver an infection through advertising, there's a lot more than user stupidity at issue. Make it so the browser cannot infect the OS and somewhat more importantly (yes, really!) make it so the browser cannot mess with files outside of say ~/Downloads and ~/.profile/browser_customisations. That way it shouldn't be able to infect a users other files (photos etc) or anything else - protecting them from at least some forms of crypto malware, stuff that steals private data and so on.

While a browser or email client can infect the OS or mess with user's other files, problems will remain.

Re: Problem with Anti-Virus

Having a prescribed dropzone for downloaded files would be a royal ballache for me a lot of the time, though I'm not against it as a default for new users. What would be more beneficial to my mind, would be if downloaded files weren't executable by default and had to be explicitly OK'd as such by the user.

I've tried in the past to make Windows systems live up to that philosophy, typically by revoking execution permissions on all but one of a user's folders (and crucially not the default download folder) but this just tends to hit problems. 1: some apps have installation/update routines that fail if your TEMP folder doesn't have execute permissions; 2: the stupid-ass Windows permissions granularity where the key permission is "Read AND Execute" whereby if you revoke this permission from a given folder, you can download shit into it and be sure it won't execute, but unfortunately nor can the shell navigate that folder!

In short, a setup whereby the user is required to manually bless the execution of a downloaded file is not a goer without training or seriously crafty system configuration.

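The "downloaded files are not executable until the user blesses them" idea from that comment, as an added PowerShell example that is not part of the original post. The folder-navigation problem described above comes from putting the deny on the folder itself, where the same permission bit means Traverse; the ACE below is stamped on files only (ObjectInherit plus InheritOnly, what the ACL editor calls "Files only"), so the folder stays browsable while every new file under it inherits a deny of ExecuteFile. Assumptions: the current user is the account being restricted, that user's own Downloads folder is the target, and a copy of whoami.exe is the constructed probe file; the function names are mine.

```powershell
# Added example (not from the comment): deny execution of files dropped into
# Downloads without touching the folder's own Traverse bit, so Explorer can still
# open it. Assumes the current user is the one being restricted.

$Downloads = Join-Path $env:USERPROFILE 'Downloads'
$Who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Add-DenyExecuteOnFiles {
    param([string]$Folder, [string]$Account)
    # ObjectInherit + InheritOnly = "Files only" in the ACL editor: the ACE is
    # inherited by files created below the folder but never applies to the
    # folder itself, which is exactly the navigation problem described above.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-FileIsBlocked {
    param([string]$Path)
    # True when the file's ACL carries a Deny ACE that includes ExecuteFile.
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    })
}

function Grant-ExecuteOnce {
    param([string]$Path)
    # The "bless this one file" step: detach the file from inheritance, keeping
    # copies of the inherited ACEs, then drop the Deny from this file only.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                   # re-read: copies are now explicit
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    Set-Acl -Path $Path -AclObject $acl
}

Add-DenyExecuteOnFiles -Folder $Downloads -Account $Who

# Constructed check: copy a known-good binary in and try to start it.
$probe = Join-Path $Downloads 'probe-whoami.exe'
Copy-Item "$env:WINDIR\System32\whoami.exe" $probe -Force
"Deny ACE present on probe: $(Test-FileIsBlocked $probe)"
try   { Start-Process -FilePath $probe -Wait -NoNewWindow -ErrorAction Stop; 'probe ran (not expected)' }
catch { "probe blocked: $($_.Exception.Message)" }
Grant-ExecuteOnce -Path $probe
"After blessing, deny present: $(Test-FileIsBlocked $probe)"
Remove-Item $probe -Force
```

Caveats a practitioner should know before relying on this: the deny is enforced when the image is opened for execution, so it stops .exe files and DLL loads but not scripts, which an interpreter merely reads; the restricted user owns Downloads and can remove the ACE (that is all Grant-ExecuteOnce does), so on a managed machine the folder should be owned by an administrator and the deny applied to a group; and copying the file anywhere else drops the inherited ACE. It is a speed bump against a reflexive double-click, not a control.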

Re: Problem with Anti-Virus

Since Windows 10 came out, I have actually started recommending just what the author ordered. HOWEVER - this is ONLY after setting the client up as a local user and NOT an administrator. Then I put one or both of my favorite updater reminder tools, like Secunia PSI, and/or File Hippo's Application Manager, so that will close the vulnerability gap with apps and browsers.

Fortunately many apps have improved their own automatic updates, not perfect but getting there. The only other thing I install for sure is CCleaner; and I include this warning. I tell them, if something unexpected pops up DO NOT CLICK ON IT, close the browser, and simply run CCleaner, then open Task Manager to end the task - if it is visible - if not - simply log off and back on, or reboot and all is well.

If you truly want the best damn thing since sliced bread, put Deep Freeze on your computer - HELL you can run as administrator all day if you like, because once you reboot - POOF!! all the bugs and any changes made without your permission are gone - your data storage may be compromised, but the operating system will never get taken over with something like that. There are competitors that claim better technology than what Faronics offers, but I've not been able to test them yet.

The protections that Microsoft lends to the equation are powerful and can defeat all but nation-state bad actors as long as one is logged in as a standard user and EVERYTHING is up to date. If you're banking and shopping online, I highly suggest the ultimate in anti-keylogging and screen capture technology and install IBM's Rapport - I have extensively tested it, and it is rock solid, but you have to pay attention and make sure it is working in whichever of the big three browsers you like - all of which is simple visual consciousness. My many hours in my honeypot lab are proof enough for me, and I keep testing every chance I get.


Re: Problem with Anti-Virus

Having a prescribed dropzone for downloaded files would be a royal ballache for me a lot of the time, though I'm not against it as a default for new users. What would be more beneficial to my mind, would be if downloaded files weren't executable by default and had to be explicitly OK'd as such by the user.

True, I often download stuff to various locations depending on what I am doing at the time. So we could have a few options - have the browser only able to write to the profile folder (so it can save history etc) and where the user sets the download/saves the file to at that time, and /temp of course, for newbies have it default to ~/Downloads or whatever is specified in the config as the download location (they can move it later!)

Killing executable-by-default would be great but is not doable on Windows (an OS that lets you have safefile.txt.exe, that hides the ".exe" and has a WordPad icon, and tries to execute anything that ends in .exe, .com, .bat etc. when double-clicked is NOT a safe OS!), and probably too many people would complain. But you could at least limit the browser's access to folders other than its own. If you're a Windows user, which would you prefer - a few moments moving a file from Downloads to where you want it (and yes, you may have to remember to come and do it later if it's a long download), or all your personal data trashed because your browser was compromised? I'd rather the browser could be prevented from touching all but a tiny fraction of the disk! (RO at least!)

Users, btw, can be capable of some quite interesting and scary feats in their attempts to use that "special secret preview release" etc. Make it sound that they're somehow a "l33t haxxor" just by having the file and the mad skillz to circumvent the special security routines ("rename illicitfile.zi_ to *.zip"!) that they can read on some dodgy website and they'll be falling all over themselves to install your malware. Make sure to warn them to turn their AV off before downloading as the installer might not work otherwise...

I've tried in the past to make Windows systems live up to that philosophy, typically by revoking execution permissions on all but one of a user's folders (and crucially not the default download folder) but this just tends to hit problems. 1: some apps have installation/update routines that fail if your TEMP folder doesn't have execute permissions; 2: the stupid-ass Windows permissions granularity where the key permission is "Read AND Execute" whereby if you revoke this permission from a given folder, you can download shit into it and be sure it won't execute, but unfortunately nor can the shell navigate that folder!

um.. Wow.. I think I need to take a while away from the computer after this post! Just.. WTF?? Wow..

In short, a setup whereby the user is required to manually bless the execution of a downloaded file is not a goer without training or seriously crafty system configuration.

Yeah.. So sad.. See above..

Still, such activities kept me fed and in new toys for a few years.. If all our users suddenly sprouted a sense gland, I think we'd see a lot of IT peeps out of a job PDQ.


Re: Problem with Anti-Virus

your data storage may be compromised, but the operating system will never get taken over with something like that.

Ahem.


Re: Problem with Anti-Virus

Okay - I'll bite! When it comes to laptops and mobile devices, there is no substitute for remote wipe - that is all I can say about that.


Less is more?

If the best antivirus product is the one least bad, are they any good?

kbb

If Microsoft's own AV is the best...

...why don't they just build it straight into the product it's protecting?

Re: If Microsoft's own AV is the best...

That's easy. Because they'd be sued for antitrust. That's an actual thing that happened when they released Defender. Norton sued them and the settlement was that they agreed not to bundle it.


Re: If Microsoft's own AV is the best...

They actually do include it with Windows 8 and above, unless that changed at some point.

In any case the same engine is used for MSRT which is delivered monthly to 7 and XP, so in some sense it's included even with them.

Anonymous Coward

Re: If Microsoft's own AV is the best...

"Because they'd be sued for antitrust"

Surely security is a core part of the product? They can't be touched for antitrust on that - unless third parties have built businesses on frightening users by getting clueless salespeople in PC World to flog antivirus with each PC, the way MS gets PC manufacturers to sell Windows with PCs, whether the user wants it or not. The other option is of course to keep it as a separate thing, which would be saying "this type of security is not a core part of this software."


You cannot apply reason to markets that are governed by lawsuit.

Anonymous Coward

From the 90's on....

~ Symantec-Norton became synonymous with bundling or forcing subscriptions. Like buying from a mail order corp who won't deliver unless you also buy from their affiliate.

~ So AV was the original scammer's scam, and this is where it has all led! Now, as per IoT, the suits are in charge, so the value proposition from buying AV is zero. Sprinkle in the fact too that Avast / AVG are pwning user info, and it's all just another cyber-cesspool....

~ Whereas this should have been a boom time for AV firms. They should be raking it in for legit utility. How did it get this bad? Hackers and cyber-crims are winning on every front.


Re: From the 90's on....

But I love the McAfee I get bundled on every new PC and laptop... now excuse me, I've just got to go see about this head injury.


Re: From the 90's on....

McAfee preinstalls are responsible for more shit than anyone mentions.

I have never seen anyone take up the subscription after the free three months is up but the tards still think they have valid AV on their machine.

All they had to do was uninstall it and Defender would take over and stay up to date.


Re: If MS AV is the best...

< The only way it could get any worse is to install an AV product from Adobe FFS!>

Adobe and Symantec did partner each other:

https://www.adobe.com/aboutadobe/pressroom/pressreleases/200603/030206Symantec.html

"Initially, the two companies will offer a complimentary trial and the option of special pricing for the Norton Internet Security 2006 suite to users who are downloading the latest version of Adobe Reader"

You almost got your wish.

Anonymous Coward

Re: If MS AV is the best...

Will nobody rid me of this "industry"?


Re: If MS AV is the best...

Sorry, but you are at least 10 years behind on your information on Microsoft security efforts...


Re: If MS AV is the best...

Curiously, Windows Defender uses ASLR and can operate on a system using ASLR because they are both MS and can therefore access the required APIs to do the defending job.

As to how good it actually is I have no personal knowledge of, but it would seem to be one step better than most anti virus.


Re: If MS AV is the best...

"As to how good it actually is I have no personal knowledge of,"

I don't know how good it is at reducing infection, but I haven't noticed it running. Which, for AV, makes it really good.


Re: If MS AV is the best...

No he's not; Microsoft only blocked 97% in the latest AV-Comparatives test. Please see link below:-

https://chart.av-comparatives.org/chart1.php#


Re: If MS AV is the best...

"Initially, the two companies will offer a complimentary trial and the option of special pricing for the Norton Internet Security 2006 suite to users who are downloading the latest version of Adobe Reader"

Oh, happy days.

These days they just try to sneak McAfee onto your machine.


Re: If MS AV is the best...

"Microsoft only blocked 97%"

Which is far more effective than 80% of laptops out there that are relying on a 2 year out of date lapsed trial copy of McAfee and Norton.


Re: If MS AV is the best...

As to how good it actually is I have no personal knowledge of, but it would seem to be one step better than most anti virus.

My posting history will clearly show that I have a, well, shall we say "mild dislike" of all things Microsoft.

When I was working in IT repair we used an offline version of Defender/Security Essentials as a regular part of our clean-up scans (also used Eset, BitDefender, Kaspersky and AVG boot disks (PXE boot) and a few other tools). We noticed that WD could find hundreds of infections where a paid and up-to-date Norton Virus would be saying "move along, nothing to see here, everything's fine".

We also found that the installed AVG tended to be crap, but their offline scanner/"rescue disk" was one of the best. And there were a few things out there that no AV seemed to detect. You knew something was there, but not what or how. And one or two seemed to infect parts of the USB other than the normal filesystem - we would have tools on USB that were re-imaged after being inserted into a customer's machine, but one or two things survived the re-imaging, so we went to the much slower option of USB-DVD (didn't always work) or booting Linux/F4/Hirem etc. and copying across what we wanted first.

Annoyingly, W8 and W10 make a lot of this harder to do, especially with that totally fucking ridiculous "only way into safe mode is to tell your computer to go into it BEFORE you know you need it" and the often-equally-stupid "never shut down, only ever hibernate", making it potentially risky to copy data to the HD. Come on MS, help out people who service your systems, especially with safe mode being available if the machine fails to boot (maybe they fixed that, I'm no longer in that part of the industry).

Oh yeah, MSE/WD seemed to be pretty light on resources, and ran rings around Avira when it comes to ease of telling it a file was OK and to ignore it OR getting a sus file submitted to them for further analysis.


Re: If MS AV is the best...

that are relying on a 2 year out of date lapsed trial copy of McAfee and Norton.

OR a fully up-to-date Norton for that matter. Aside from Ghost, I don't think there's anything Symantec does that isn't worse than nothing at all.

If they made a sunscreen it'd consist of a magnifying glass and several ultra-high intensity UV lamps just to make sure. If they made airbags they'd be filled with hydrogen. Or shrapnel, coated with cyanide and festering dogshit. I don't know how anyone can promote their garbage without being done for fraud, or collected by the men in white coats with oversized butterfly nets. I actually think there's a software firm I dislike more than I dislike MS!


Re: If MS AV is the best...

"Come on MS, help people out who service your systems, especially with safe mode being available if the machine fails to boot (maybe they fixed that, I'm no longer in that part of the industry)."

This is still a major problem. All the so called 'fix it' features that MS have introduced with Windows 8 to 10 are more of a problem than a help. They either get in the way or just don't work. The restore points often aren't there or magically disappear. The system rebuild often doesn't work either. Then there is the classic of Safe Mode which has hardly any access unless you can get the machine to boot in the first place...which isn't the reason you need Safe Mode.

9 times out of 10 it's quicker to try to copy the user data off and rebuild the machine with a fresh USB install.

With Windows 7 you could usually boot it into Safe Mode via F8 and 5 minutes later you would be back up and running.

But no we have to now have the useless Fast Boot setting which is a waste of time and a liability.

I always switch Fast Boot off on all my customers machines. None of them miss it.


Only way to get rid of nasty stuff is to enforce a default deny policy.

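That "default deny" in working form, as an added example that is not part of the comment: an AppLocker executable policy with only two allow rules, so anything outside %WINDIR% and %PROGRAMFILES% gets the decision DeniedByDefault. The rule GUIDs, file paths and function names are mine. Test-AppLockerPolicy evaluates the policy against real files without enforcing anything, so the script is safe to run as-is; Enable-DefaultDenyPolicy, left commented out, is what actually applies it. A copy of whoami.exe in %TEMP% stands in for a downloaded file.

```powershell
# Added example (not from the comment): an AppLocker policy in which anything
# not matched by an allow rule is refused, i.e. default deny for executables.
# Rule GUIDs and paths are the author's own; enforcing needs an elevated prompt.

$PolicyPath = Join-Path $env:TEMP 'default-deny-exe.xml'

# Everyone (SID S-1-1-0) may run what lives under the OS and program
# directories. Nothing else is listed, so everything else is DeniedByDefault.
$PolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Write-DefaultDenyPolicy {
    Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8
    $PolicyPath
}

function Test-WouldRun {
    param([string[]]$Paths)
    # Ask AppLocker what the policy would decide for each file, without enforcing it.
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Enable-DefaultDenyPolicy {
    # Enforcement needs the Application Identity service; its startup type is
    # protected on current Windows, so sc.exe is used rather than Set-Service.
    sc.exe config AppIDSvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
}

Write-DefaultDenyPolicy | Out-Null

# Constructed "downloaded" file: a copy of whoami.exe outside the allowed trees.
$probe = Join-Path $env:TEMP 'probe-whoami.exe'
Copy-Item "$env:WINDIR\System32\whoami.exe" $probe -Force

Test-WouldRun -Paths @(
    "$env:WINDIR\System32\notepad.exe",   # Allowed by the "Allow Windows" rule
    $probe                                # DeniedByDefault: no rule matches it
)
Remove-Item $probe -Force
# Enable-DefaultDenyPolicy   # uncomment to actually enforce
```

Two things the reply that follows is right about, and that this policy does not solve: path rules allow anything placed in an allowed directory, so any user-writable spot under Windows or Program Files is a bypass, and an allowed interpreter or installer that can be fed hostile input is still allowed. Publisher or hash rules narrow the first; nothing in AppLocker addresses the second. Note also that the policy above has no exemption for Administrators, which the default rule set normally adds, and leaves the Dll collection unconfigured.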
Anonymous Coward

No, because the malware will just find an exploit to get around the default deny, probably by exploiting an existing app that CAN'T be denied by default or your system can't run.


The Register - Independent news and views for the tech community. Part of Situation Publishing