Why Free?

Kelsey Bjarnason wrote:
> In article <e%E6c.5981$Q16.266085@news20.bellglobal.com>,
> fake.RemoveThis@ihatespam.com says...
>
>>"kurt wismer" <kurtw.RemoveThis@sympatico.ca> wrote in message
>>news:_gE6c.20463$Eb6.498223@news20.bellglobal.com...
>>
>>>Black Dog wrote:
>>>[snip]
>>>
>>>>Also, like lots of people, I sometimes suspect the AV vendors and vxers
>>
>>are
>>
>>>>in cahoots.
>>>
>>>there's no way to keep something like that secret - if it were
>>>happening you'd have heard about it...
>>>
>>
>>The question was -- why don't people want to pay for AV. The fact that AV
>>vendors, and only AV vendors, profit from viruses is one of the reasons why
>>people don't want to pay for it. You can argue till you're blue in the
>>face, Kurt, that it's a silly/paranoid belief/feeling but it doesn't change
>>the way people feel, or the answer to the original question..
>
>
> I don't like paying for AV software... because it's an entirely created,
> artificial cost. The entire AV industry - all 2 billion a year of it -
> is based directly on MS's inability to write good code. Since it's
> their incompetence that caused the problem, if anyone should be paying
> for AV tools, it's them. Not the users who are victims of MS's
> failures.
>

You're confusing vulnerabilities in the M/S Windows oS, which can be
exploited with malicious code programs, with viruses, in general. How do
you account for the fact there are viruses written for other OSes? Is it
all just shitting coding and lack of security?
 >> Stay informed about: Why Free? 

JT wrote:


>
> The reality is that most virus DO exist because of flaws in MS code or MS
> lack of security in the OS model. Without the ActiveX flaws, 99% of all
> virus would not exist.

What about Trojans and backdoors? Not all malware takes advantage of
ActiveX? What if you have ActiveX totally disabled but execute a program
you think, or have been told, is a game?

Add security flaws, such as the RPC exploit that
> allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
> the need for AV greatly.

You just said 99% of viruses are due to ActiveX flaws. Now, you're
saying something different. It doesn't take you but 2 sentences to
change your mind.

Close the ports and unneeded services that MS
> leaves lying around by default and you eliminate most of the rest. Those 2
> steps would reduce the AV industry from a 2 Billion dollar a year industry
> to one of probably 2 Million dollars.

You just whip these statistics out of your head?

>
> There will always be attempts at exploits. Phishing and other "human
> engineered" exploits attack the weakest part of any security system, the
> human part. Why make it easier for the bad guys than it has to be.
>
Your last sentences contradicts, not supports your initial point. Just
what is your point?
 >> Stay informed about: Why Free? 

JT wrote:


>
> The reality is that most virus DO exist because of flaws in MS code or MS
> lack of security in the OS model. Without the ActiveX flaws, 99% of all
> virus would not exist.

What about Trojans and backdoors? Not all malware takes advantage of
ActiveX? What if you have ActiveX totally disabled but execute a program
you think, or have been told, is a game?

Add security flaws, such as the RPC exploit that
> allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
> the need for AV greatly.

You just said 99% of viruses are due to ActiveX flaws. Now, you're
saying something different. It doesn't take you but 2 sentences to
change your mind.

Close the ports and unneeded services that MS
> leaves lying around by default and you eliminate most of the rest. Those 2
> steps would reduce the AV industry from a 2 Billion dollar a year industry
> to one of probably 2 Million dollars.

You just whip these statistics out of your head?

>
> There will always be attempts at exploits. Phishing and other "human
> engineered" exploits attack the weakest part of any security system, the
> human part. Why make it easier for the bad guys than it has to be.
>
Your last sentences contradicts, not supports your initial point. Just
what is your point?
 >> Stay informed about: Why Free? 

"BoB" <me.TakeThisOut@privacy.net> wrote in message news:3teo50d706a48qp63kei0luom6sv09i6pp@4ax.com...
> On Fri, 19 Mar 2004 20:23:48 GMT, null.TakeThisOut@zilch.com wrote:
>
> >On Fri, 19 Mar 2004 14:45:30 -0500, BoB <me.TakeThisOut@privacy.net> wrote:
> >
> >>On Fri, 19 Mar 2004 06:24:16 -0500, Cathrine Lowther
> >><janusNOSAP.TakeThisOut@PLEASEmagma.ca> wrote:
> >
> >>>Don't get me wrong -- for years, I was a happy user of F-Prot for DOS,
> >>>which was and is free. Now I am an equally happy user of F-Prot, for
> >>>which I pay a really small annual sum, compared to the cost of any
> >>>other commercial software on my machine(s).
> >>
> >>Are you saying that you now use F-Prot for windows? Some malware can
> >>destroy all windows based AV's. I hope you also retained F-Prot for DOS.
> >
> >She may be using Win XP.
>
> Not being an XP user, I won't even ask why. It is nice to hear a
> positive statement about XP.

If that is what you think that was, then okay.

....but I think it was a reference to F-Prot for DOS not
supporting XP's NTFS and the difficulty in finding a
suitable maintenance environment for use on that OS
and filesystem.
 >> Stay informed about: Why Free? 

[snips]

In article <WvGdne9l6d0CJsbdRVn-hQ RemoveThis @adelphia.com>, owner RemoveThis @dino-soft.org
says...

> Virus are just programs that someone has written.

No, they're more than that. They are programs that rely on security
holes in the OS that allow them to propagate and do damage. They are an
indication that the OS is, from a security standpoint, swiss cheese.

> I suppose if someone
> opens a dos prompt and types without the quotes "format c: /u" that
> Microsoft should have to pay to replace the data?

Actually, yes, frankly - depending on the circumstances. I'll give you
an example. My Linux box, when I set it up, asked me for an
administrator password. It also asked for a user account and password
for general use... along with a recommendation that you really, really
want to do this. When it comes time to log in, there's this nifty
little GUI thing that lets you select which user to log in as... and it
does *not* include the root account. Should you manage to log in as
root anyhow, when the GUI fires up, the background goes red and, IIRC,
there's even a message that pops up saying, in effect, "This is really,
really dangerous. Don't do it."

Now, if I ignore all of that and manage to format my drive, one of two
things can be concluded: either I'm really, truly, exceptionally stupid,
or I actually want to format the drive.

Compare that to Windows. XP for example. It does go out of its way to
ensure you create a proper (non-admin) user account, right? Nope. It
does go out of its way to ensure that you're not running as admin, so
you can't accidentally screw things up, right? Nope. It pops up
messages when you log in as admin saying "this is really dangerous", or,
at the very least, gives some sort of visual indication of the danger,
such as the desktop going red, right? Nope.

Ah. So there's *absolutely zero* reason for the inexperienced or non-
computer-literate user to ever question the effects of running in the
user context they're running in, is there? Nope, not a one. Not a
shred of a hint of a reason. Now, should the user - perhaps because of
a prank e-mail, say - actually try that format, what happens? Actually,
probably not a hell of a lot; I don't think you can format the drive the
system is on, at least. But there are 97 other kinds of mischief one
can do - deltree, del *.*, and so on, which will work - and which
*wouldn't* work, at least for the system files, etc, if the user weren't
merrily pretending he was God and being blissfully unaware of the risks
of this.


> I guess to a certain
> extent you could call just about all virus/worm/malware an abuse of a
> functionality,

No, abuse of non-functionality. The non-functional security model, to
be specific.

> like what Microsoft said about my newsbug code which when the
> web page is opened or if used as stationary in OE (with certain security)
> starts creating bunches of bogus news groups in OE until OE crashes and then
> the user has to manually delete each and every account.

Feel free to send me this "newsbug code"; I'll open it up in, say, KNode
in Linux and we'll see how much damage is done. Feel free to send *any*
code you can think of - viruses, trojans, HTML posts with embedded
javascript, whatever - and I'll merrily open the lot. You know what
happens? Not a thing. Why? Because nobody else in the universe seems
to suffer the sheer scope of unbelievable prowess Microsoft brings to
the table when it comes to making software fragile, unsafe and
unreliable. They are the gods of risk; no other software can come close
top the sheer danger factor theirs offers.
 >> Stay informed about: Why Free? 

[snips]

In article <WvGdne9l6d0CJsbdRVn-hQ RemoveThis @adelphia.com>, owner RemoveThis @dino-soft.org
says...

> Virus are just programs that someone has written.

No, they're more than that. They are programs that rely on security
holes in the OS that allow them to propagate and do damage. They are an
indication that the OS is, from a security standpoint, swiss cheese.

> I suppose if someone
> opens a dos prompt and types without the quotes "format c: /u" that
> Microsoft should have to pay to replace the data?

Actually, yes, frankly - depending on the circumstances. I'll give you
an example. My Linux box, when I set it up, asked me for an
administrator password. It also asked for a user account and password
for general use... along with a recommendation that you really, really
want to do this. When it comes time to log in, there's this nifty
little GUI thing that lets you select which user to log in as... and it
does *not* include the root account. Should you manage to log in as
root anyhow, when the GUI fires up, the background goes red and, IIRC,
there's even a message that pops up saying, in effect, "This is really,
really dangerous. Don't do it."

Now, if I ignore all of that and manage to format my drive, one of two
things can be concluded: either I'm really, truly, exceptionally stupid,
or I actually want to format the drive.

Compare that to Windows. XP for example. It does go out of its way to
ensure you create a proper (non-admin) user account, right? Nope. It
does go out of its way to ensure that you're not running as admin, so
you can't accidentally screw things up, right? Nope. It pops up
messages when you log in as admin saying "this is really dangerous", or,
at the very least, gives some sort of visual indication of the danger,
such as the desktop going red, right? Nope.

Ah. So there's *absolutely zero* reason for the inexperienced or non-
computer-literate user to ever question the effects of running in the
user context they're running in, is there? Nope, not a one. Not a
shred of a hint of a reason. Now, should the user - perhaps because of
a prank e-mail, say - actually try that format, what happens? Actually,
probably not a hell of a lot; I don't think you can format the drive the
system is on, at least. But there are 97 other kinds of mischief one
can do - deltree, del *.*, and so on, which will work - and which
*wouldn't* work, at least for the system files, etc, if the user weren't
merrily pretending he was God and being blissfully unaware of the risks
of this.


> I guess to a certain
> extent you could call just about all virus/worm/malware an abuse of a
> functionality,

No, abuse of non-functionality. The non-functional security model, to
be specific.

> like what Microsoft said about my newsbug code which when the
> web page is opened or if used as stationary in OE (with certain security)
> starts creating bunches of bogus news groups in OE until OE crashes and then
> the user has to manually delete each and every account.

Feel free to send me this "newsbug code"; I'll open it up in, say, KNode
in Linux and we'll see how much damage is done. Feel free to send *any*
code you can think of - viruses, trojans, HTML posts with embedded
javascript, whatever - and I'll merrily open the lot. You know what
happens? Not a thing. Why? Because nobody else in the universe seems
to suffer the sheer scope of unbelievable prowess Microsoft brings to
the table when it comes to making software fragile, unsafe and
unreliable. They are the gods of risk; no other software can come close
top the sheer danger factor theirs offers.
 >> Stay informed about: Why Free? 

On Sat, 20 Mar 2004 10:44:32 GMT, optikl <optikl DeleteThis @invalid.net> wrote:

>JT wrote:
>
>
>>
>> The reality is that most virus DO exist because of flaws in MS code or MS
>> lack of security in the OS model. Without the ActiveX flaws, 99% of all
>> virus would not exist.
>
>What about Trojans and backdoors? Not all malware takes advantage of
>ActiveX? What if you have ActiveX totally disabled but execute a program
>you think, or have been told, is a game?

Then you are not talking VIRUS anymore. Malware for sure. Fixing the
security model even reduces the problem with trojans and backdoors. If the
average user doesn't have access to the total machine, then most backdoors
can't function, because they don't have the rights to what they want to do.
And trojans will be limited to affecting a limited part of the machine that
is controled by the user, not reeking global havoc. Of course this is
assuming a flawless OS with a Perfect security model
>
>Add security flaws, such as the RPC exploit that
>> allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
>> the need for AV greatly.
>
>You just said 99% of viruses are due to ActiveX flaws. Now, you're
>saying something different. It doesn't take you but 2 sentences to
>change your mind.

No mind change here. A reading comprehension problem on your end. That
sentence means, of the 1% of VIRUS left over (that is what most of the REST
means), the majority exploit the poor security model of windows. Make it
simple. 1000 virus 990 will probably be activex. 7 will probably be OS
weakness.
>
> Close the ports and unneeded services that MS
>> leaves lying around by default and you eliminate most of the rest. Those 2
>> steps would reduce the AV industry from a 2 Billion dollar a year industry
>> to one of probably 2 Million dollars.
>
>You just whip these statistics out of your head?

Not a statistic, an estimate. The 2 Billion figure was from your quote. I
Estimate that the problem would be 1000 times less severe, therefore the 2
Million estimate. Instead of 1000 virus (an example, not a hard number)
being in the wild, you are down to 2 or 3. Much more manageable problem.
About 1000 times less costly.
>
>>
>> There will always be attempts at exploits. Phishing and other "human
>> engineered" exploits attack the weakest part of any security system, the
>> human part. Why make it easier for the bad guys than it has to be.
>>
>Your last sentences contradicts, not supports your initial point. Just
>what is your point?

The post I replied to said

>Viruses don't depend on software flaws. Even if MS's code
>were flawless - viruses could still exist and create a desire
>for anti-virus measures.
>

My point is that the vast majority of virus DO in fact depend on software
flaws. The complexity of the problem when the software is not so easily
exploitable is beyond the capability of crackers and script kiddies. If the
software was flawless (not going to happen in any OS) then you have killed
the market for AV products.

JT
 >> Stay informed about: Why Free? 

On Sat, 20 Mar 2004 10:44:32 GMT, optikl <optikl.TakeThisOut@invalid.net> wrote:

>JT wrote:
>
>
>>
>> The reality is that most virus DO exist because of flaws in MS code or MS
>> lack of security in the OS model. Without the ActiveX flaws, 99% of all
>> virus would not exist.
>
>What about Trojans and backdoors? Not all malware takes advantage of
>ActiveX? What if you have ActiveX totally disabled but execute a program
>you think, or have been told, is a game?

Then you are not talking VIRUS anymore. Malware for sure. Fixing the
security model even reduces the problem with trojans and backdoors. If the
average user doesn't have access to the total machine, then most backdoors
can't function, because they don't have the rights to what they want to do.
And trojans will be limited to affecting a limited part of the machine that
is controled by the user, not reeking global havoc. Of course this is
assuming a flawless OS with a Perfect security model
>
>Add security flaws, such as the RPC exploit that
>> allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
>> the need for AV greatly.
>
>You just said 99% of viruses are due to ActiveX flaws. Now, you're
>saying something different. It doesn't take you but 2 sentences to
>change your mind.

No mind change here. A reading comprehension problem on your end. That
sentence means, of the 1% of VIRUS left over (that is what most of the REST
means), the majority exploit the poor security model of windows. Make it
simple. 1000 virus 990 will probably be activex. 7 will probably be OS
weakness.
>
> Close the ports and unneeded services that MS
>> leaves lying around by default and you eliminate most of the rest. Those 2
>> steps would reduce the AV industry from a 2 Billion dollar a year industry
>> to one of probably 2 Million dollars.
>
>You just whip these statistics out of your head?

Not a statistic, an estimate. The 2 Billion figure was from your quote. I
Estimate that the problem would be 1000 times less severe, therefore the 2
Million estimate. Instead of 1000 virus (an example, not a hard number)
being in the wild, you are down to 2 or 3. Much more manageable problem.
About 1000 times less costly.
>
>>
>> There will always be attempts at exploits. Phishing and other "human
>> engineered" exploits attack the weakest part of any security system, the
>> human part. Why make it easier for the bad guys than it has to be.
>>
>Your last sentences contradicts, not supports your initial point. Just
>what is your point?

The post I replied to said

>Viruses don't depend on software flaws. Even if MS's code
>were flawless - viruses could still exist and create a desire
>for anti-virus measures.
>

My point is that the vast majority of virus DO in fact depend on software
flaws. The complexity of the problem when the software is not so easily
exploitable is beyond the capability of crackers and script kiddies. If the
software was flawless (not going to happen in any OS) then you have killed
the market for AV products.

JT
 >> Stay informed about: Why Free? 

"JT" <spam.TakeThisOut@dcplus.dyndns.info> wrote in message news:3b391727b7b3593a6c4332d76674d971@news.teranews.com...
> On Sat, 20 Mar 2004 10:44:32 GMT, optikl <optikl.TakeThisOut@invalid.net> wrote:
>
> >JT wrote:
> >
> >
> >>
> >> The reality is that most virus DO exist because of flaws in MS code or MS
> >> lack of security in the OS model. Without the ActiveX flaws, 99% of all
> >> virus would not exist.
> >
> >What about Trojans and backdoors? Not all malware takes advantage of
> >ActiveX? What if you have ActiveX totally disabled but execute a program
> >you think, or have been told, is a game?
>
> Then you are not talking VIRUS anymore.

Strictly speaking, neither were you (but *I* was). The basic
idea of "virus" is not constrained by needing to use *any*
software flaws whatsoever.

> Malware for sure. Fixing the
> security model even reduces the problem with trojans and backdoors. If the
> average user doesn't have access to the total machine, then most backdoors
> can't function, because they don't have the rights to what they want to do.
> And trojans will be limited to affecting a limited part of the machine that
> is controled by the user, not reeking global havoc. Of course this is
> assuming a flawless OS with a Perfect security model

Which is quite an assumption.;o) Worms may need to exploit *something*
whether it is code (buffer overflow), design (known resources in a known
location i.e. *.wab), or peoples desire to be loved. However, a virus need
not do anything to get through your security perimeter unless your security
model includes safeguards specific to malware that hides within programs.
The fact that an integrity checking application or utility isn't bundled with
a particular OS isn't really a flaw in software or design, and such an app
won't 'identify' the culprit responsible - and that is AV's strength.

[snip]


> >Your last sentences contradicts, not supports your initial point. Just
> >what is your point?
>
> The post I replied to said
>
> >Viruses don't depend on software flaws. Even if MS's code
> >were flawless - viruses could still exist and create a desire
> >for anti-virus measures.
> >
>
> My point is that the vast majority of virus DO in fact depend on software
> flaws.

Could you explain? Are you using the term "virus" to include all
self-replicating malware? If so, this is yet another reason to draw
a distinction between the two terms "worm" and "virus". A "virus"
is not something that depends on a flaw in software - it depends
on the same things that the user depends on to get work done.
If you remove access to the methods it uses, you no longer have
a useful machine for the user either.

> The complexity of the problem when the software is not so easily
> exploitable is beyond the capability of crackers and script kiddies. If the
> software was flawless (not going to happen in any OS) then you have killed
> the market for AV products.

Not true, because if you remove the so-called 'flaws' that a virus
uses - you have removed the machines usefulness as well. Yes,
there may come a time when users will say, "gee - remember back
when there were computer viruses?" - but I don't think they will be
using general purpose computers like we are.
 >> Stay informed about: Why Free? 

"JT" <spam DeleteThis @dcplus.dyndns.info> wrote in message news:3b391727b7b3593a6c4332d76674d971@news.teranews.com...
> On Sat, 20 Mar 2004 10:44:32 GMT, optikl <optikl DeleteThis @invalid.net> wrote:
>
> >JT wrote:
> >
> >
> >>
> >> The reality is that most virus DO exist because of flaws in MS code or MS
> >> lack of security in the OS model. Without the ActiveX flaws, 99% of all
> >> virus would not exist.
> >
> >What about Trojans and backdoors? Not all malware takes advantage of
> >ActiveX? What if you have ActiveX totally disabled but execute a program
> >you think, or have been told, is a game?
>
> Then you are not talking VIRUS anymore.

Strictly speaking, neither were you (but *I* was). The basic
idea of "virus" is not constrained by needing to use *any*
software flaws whatsoever.

> Malware for sure. Fixing the
> security model even reduces the problem with trojans and backdoors. If the
> average user doesn't have access to the total machine, then most backdoors
> can't function, because they don't have the rights to what they want to do.
> And trojans will be limited to affecting a limited part of the machine that
> is controled by the user, not reeking global havoc. Of course this is
> assuming a flawless OS with a Perfect security model

Which is quite an assumption.;o) Worms may need to exploit *something*
whether it is code (buffer overflow), design (known resources in a known
location i.e. *.wab), or peoples desire to be loved. However, a virus need
not do anything to get through your security perimeter unless your security
model includes safeguards specific to malware that hides within programs.
The fact that an integrity checking application or utility isn't bundled with
a particular OS isn't really a flaw in software or design, and such an app
won't 'identify' the culprit responsible - and that is AV's strength.

[snip]


> >Your last sentences contradicts, not supports your initial point. Just
> >what is your point?
>
> The post I replied to said
>
> >Viruses don't depend on software flaws. Even if MS's code
> >were flawless - viruses could still exist and create a desire
> >for anti-virus measures.
> >
>
> My point is that the vast majority of virus DO in fact depend on software
> flaws.

Could you explain? Are you using the term "virus" to include all
self-replicating malware? If so, this is yet another reason to draw
a distinction between the two terms "worm" and "virus". A "virus"
is not something that depends on a flaw in software - it depends
on the same things that the user depends on to get work done.
If you remove access to the methods it uses, you no longer have
a useful machine for the user either.

> The complexity of the problem when the software is not so easily
> exploitable is beyond the capability of crackers and script kiddies. If the
> software was flawless (not going to happen in any OS) then you have killed
> the market for AV products.

Not true, because if you remove the so-called 'flaws' that a virus
uses - you have removed the machines usefulness as well. Yes,
there may come a time when users will say, "gee - remember back
when there were computer viruses?" - but I don't think they will be
using general purpose computers like we are.
 >> Stay informed about: Why Free? 

On Sat, 20 Mar 2004 10:37:15 GMT, optikl <optikl.RemoveThis@invalid.net> wrote:

>Kelsey Bjarnason wrote:
>> In article <e%E6c.5981$Q16.266085@news20.bellglobal.com>,
>> fake.RemoveThis@ihatespam.com says...
>>
>>>"kurt wismer" <kurtw.RemoveThis@sympatico.ca> wrote in message
>>>news:_gE6c.20463$Eb6.498223@news20.bellglobal.com...
>>>
>>>>Black Dog wrote:
>>>>[snip]
>>>>
>>>>>Also, like lots of people, I sometimes suspect the AV vendors and vxers
>>>
>>>are
>>>
>>>>>in cahoots.
>>>>
>>>>there's no way to keep something like that secret - if it were
>>>>happening you'd have heard about it...
>>>>
>>>
>>>The question was -- why don't people want to pay for AV. The fact that AV
>>>vendors, and only AV vendors, profit from viruses is one of the reasons why
>>>people don't want to pay for it. You can argue till you're blue in the
>>>face, Kurt, that it's a silly/paranoid belief/feeling but it doesn't change
>>>the way people feel, or the answer to the original question..
>>
>>
>> I don't like paying for AV software... because it's an entirely created,
>> artificial cost. The entire AV industry - all 2 billion a year of it -
>> is based directly on MS's inability to write good code. Since it's
>> their incompetence that caused the problem, if anyone should be paying
>> for AV tools, it's them. Not the users who are victims of MS's
>> failures.
>>
>
>You're confusing vulnerabilities in the M/S Windows oS, which can be
>exploited with malicious code programs, with viruses, in general. How do
>you account for the fact there are viruses written for other OSes? Is it
>all just shitting coding and lack of security?

Virus have always depended on the vulnerabilities of the software and the
security of the systems they are attacking with very few exceptions. Go to
any virus database or security advisory. They are exploiting a weakness.
If not activex, then unchecked buffers or insecure automation features.
Started that way in the early MSDOS and AppleII days when virus were young.
The exploits that have happened recently against other OS such as Linux and
Apples OS/X have been exploits of software or security configuration
errors. As an exercise, find a Virus or worm (not a phishing/human
engineering exploit that tricks a user into running a program that erases
his hard disk thinking it was a free game) that does not exploit such a
weakness in all the online virus information. Just get me a couple out of
the thousands that are out there. Something recent would be nice, but I am
not picky

JT
 >> Stay informed about: Why Free? 

On Sat, 20 Mar 2004 10:37:15 GMT, optikl <optikl.DeleteThis@invalid.net> wrote:

>Kelsey Bjarnason wrote:
>> In article <e%E6c.5981$Q16.266085@news20.bellglobal.com>,
>> fake.DeleteThis@ihatespam.com says...
>>
>>>"kurt wismer" <kurtw.DeleteThis@sympatico.ca> wrote in message
>>>news:_gE6c.20463$Eb6.498223@news20.bellglobal.com...
>>>
>>>>Black Dog wrote:
>>>>[snip]
>>>>
>>>>>Also, like lots of people, I sometimes suspect the AV vendors and vxers
>>>
>>>are
>>>
>>>>>in cahoots.
>>>>
>>>>there's no way to keep something like that secret - if it were
>>>>happening you'd have heard about it...
>>>>
>>>
>>>The question was -- why don't people want to pay for AV. The fact that AV
>>>vendors, and only AV vendors, profit from viruses is one of the reasons why
>>>people don't want to pay for it. You can argue till you're blue in the
>>>face, Kurt, that it's a silly/paranoid belief/feeling but it doesn't change
>>>the way people feel, or the answer to the original question..
>>
>>
>> I don't like paying for AV software... because it's an entirely created,
>> artificial cost. The entire AV industry - all 2 billion a year of it -
>> is based directly on MS's inability to write good code. Since it's
>> their incompetence that caused the problem, if anyone should be paying
>> for AV tools, it's them. Not the users who are victims of MS's
>> failures.
>>
>
>You're confusing vulnerabilities in the M/S Windows oS, which can be
>exploited with malicious code programs, with viruses, in general. How do
>you account for the fact there are viruses written for other OSes? Is it
>all just shitting coding and lack of security?

Virus have always depended on the vulnerabilities of the software and the
security of the systems they are attacking with very few exceptions. Go to
any virus database or security advisory. They are exploiting a weakness.
If not activex, then unchecked buffers or insecure automation features.
Started that way in the early MSDOS and AppleII days when virus were young.
The exploits that have happened recently against other OS such as Linux and
Apples OS/X have been exploits of software or security configuration
errors. As an exercise, find a Virus or worm (not a phishing/human
engineering exploit that tricks a user into running a program that erases
his hard disk thinking it was a free game) that does not exploit such a
weakness in all the online virus information. Just get me a couple out of
the thousands that are out there. Something recent would be nice, but I am
not picky

JT
 >> Stay informed about: Why Free? 

JT wrote:
> On Sat, 20 Mar 2004 10:44:32 GMT, optikl <optikl DeleteThis @invalid.net> wrote:
>
>
>>JT wrote:
>>
>>
>>
>>>The reality is that most virus DO exist because of flaws in MS code or MS
>>>lack of security in the OS model. Without the ActiveX flaws, 99% of all
>>>virus would not exist.
>>
>>What about Trojans and backdoors? Not all malware takes advantage of
>>ActiveX? What if you have ActiveX totally disabled but execute a program
>>you think, or have been told, is a game?
>
>
> Then you are not talking VIRUS anymore. Malware for sure. Fixing the
> security model even reduces the problem with trojans and backdoors. If the
> average user doesn't have access to the total machine, then most backdoors
> can't function, because they don't have the rights to what they want to do.
> And trojans will be limited to affecting a limited part of the machine that
> is controled by the user, not reeking global havoc. Of course this is
> assuming a flawless OS with a Perfect security model

The same *can* be said about viruses. Not all viruses rely on ActiveX.
>
>>Add security flaws, such as the RPC exploit that
>>
>>>allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
>>>the need for AV greatly.
>>
>>You just said 99% of viruses are due to ActiveX flaws. Now, you're
>>saying something different. It doesn't take you but 2 sentences to
>>change your mind.
>
>
> No mind change here. A reading comprehension problem on your end. That
> sentence means, of the 1% of VIRUS left over (that is what most of the REST
> means), the majority exploit the poor security model of windows. Make it
> simple. 1000 virus 990 will probably be activex. 7 will probably be OS
> weakness.

I may have a reading comprehension problem, but you appear to be very
loose with your estimating skills. How about some proof statements for
the 99%?
>
>> Close the ports and unneeded services that MS
>>
>>>leaves lying around by default and you eliminate most of the rest. Those 2
>>>steps would reduce the AV industry from a 2 Billion dollar a year industry
>>>to one of probably 2 Million dollars.
>>
>>You just whip these statistics out of your head?
>
>
> Not a statistic, an estimate. The 2 Billion figure was from your quote. I
> Estimate that the problem would be 1000 times less severe, therefore the 2
> Million estimate.

My quote? You mean the words I pasted in the text of my post, that were
attributable to....I thought it was you. No? Maybe someone else?
Certainly, I've never estimated that number.


Instead of 1000 virus (an example, not a hard number)
> being in the wild, you are down to 2 or 3. Much more manageable problem.
> About 1000 times less costly.
>
>>>There will always be attempts at exploits. Phishing and other "human
>>>engineered" exploits attack the weakest part of any security system, the
>>>human part. Why make it easier for the bad guys than it has to be.
>>>
>>
>>Your last sentences contradicts, not supports your initial point. Just
>>what is your point?
>
>
> The post I replied to said
>
>
>>Viruses don't depend on software flaws. Even if MS's code
>>were flawless - viruses could still exist and create a desire
>>for anti-virus measures.
>>
>
>
> My point is that the vast majority of virus DO in fact depend on software
> flaws.

Vast Majority? On OS flaws? I don't really see that. I'd say, recently
less than 20, not including the variants, of course (.a, .b, .c, etc).
What number do you have in mind?

The complexity of the problem when the software is not so easily
> exploitable is beyond the capability of crackers and script kiddies. If the
> software was flawless (not going to happen in any OS) then you have killed
> the market for AV products.
>

Well, you and I will have to disagree, I guess. I think if we were
talking about *firewalls*, I would be more inclined to say you and I are
on the same page.

While I disagree with your estimate of the percentage of malware that
would disappear with a more secure OS, thus eliminating the need for AV,
I do agree you could kill the market for AV if you eliminated 99% of
those who have access to computers <bg>. Malware is really a people
problem; people write it, people let it have access to their systems and
people have have to deal with it. The most secure OS you can come up
with is going to have someone administering it and someone using it.
That's sort of where things tend to break-down.
 >> Stay informed about: Why Free?