I just recently switched to running a limited account on my home machine. I find it very helpful to have a copy of Process Explorer running as administrator at all times.

It requires two "logins" on boot (limited user, then run-as-admin for Process Explorer), but it means I can run other apps as admin from Process Explorer without going through the windows run-as mess. Also, if any services start acting the bollocks, you can kill them easily.

If you can trust your users to act responsibly (e.g. they won't spawn Internet Explorer as admin), it's definitely something to consider.

While tradition anti-virus is ineffective, they big AV players are slow to move to more effective solutions such as whitelisting. I believe there was several startups creating whitelisting AV, many of which were quickly bought up by the more traditional AV companies.

I got sick and tired of all of the security mess with Windows, so I recently switched to Ubuntu for my laptop (mainly just used for browsing). I've been quite pleased so far.

I liked this article for the most part, but I think what you said about the conflict of interest between anti-virus software makers and virus vulnerability is not reasonable. That's like saying that auto mechanics want your car to break and doctors want you to get sick. This may be true to an extent but I would certainly not say that it is the status quo.

About a week after you wrote your article on 'How to clean up a spyware infection' I downloaded a file which I thought contained a virus but I was willing to risk it anyway. As I figured, I've never had a virus in my 15 years of computing, and virii are annoying at best.

How I was wrong! It did contain a virus. It launched IE7 in the background and continued to download virus after virus after virus. I d/c from the net to install antivirus/removal tools, which were all closed on the install screens.

Using your methods from How to clean up a spyware infection, I battled the virus for 4 days. Finally removing it. After doing some reading, I determined the virus was a vundoo infection which has been around for a couple of years constantly updating its form. No anti-virus vendor detects it. That's insane!

I've since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot. I'll use spyware scanners at regular intervals, monitor my services and processes, rootkit revealers, and good old fashioned google to deal with any virii that come my way.

For the less technical minded, I pity you if you happen to run into a virus such as this.

The past 2 times I got hit by worms (once last year, once this), none of my installed AV softwares (SAV, AVG Free on different computers) picked it up. One of them was W32.OlderData, and it wasn't until a couple months later that information on it (technical details, removal) was available Symantec's AV database.

It maybe due to geographical differences that here in Singapore, we face a different subset of viruses and malware, but it goes to show that traditional AV have no place in the current world where a kid living in basement is able to come up with something new everyday.

Even herustics detection doesn't work as well, the number of false positives you get with those....

Upon reading your earlier spyware post I recently changed both my daughters (9 yo) and my computer to non-admin. Now whenever my daughter needs to do something admin related like repaier her IP address, or install software, she knows to switch to admin, fix it, and switch back. The admin password is her own name because, as I said to her, "it's your machine".

I figure that this is an excellent opportunity for her to learn about some key issues facing computer users and she is becoming surprising savvy - she uses context menus and keyboard shortcuts - something that will stand her in good stead in the future.

You shouldn't have to "switch users" to install something that requires administrator privileges. If you right-click an executable file, there is a "Run as..." option that will let you select a different account to run the program as.

You can use this to run most things as a standard, non-privileged user, and resort to using the administrator privileges only when strictly necessary.

Then again, this feature might only be available on XP Pro, or via a setting in the group policy editor. Unfortunately I don't have an XP Home installation to compare right now.

(it might seem like "right-clicking" and managing multiple accounts is too complicated, but the technical bar has already, in my opinion, been set high enough by the user knowing of and seeking ways to avoid spyware infestations.)

I use Linux for all my tasks and development. It's always running. I occasionally will boot into Win for a game or two of Civilization 4, but then immediately switch back after I'm done. Kind of a learning curve if you've never used it before, but after my 2-3 years of experience with Linux, most Distros contain the same concepts, thus switching from one to another becomes routine in terms of system administration.

If I desperately want a program that runs only on Windows, first I check Wine and see if it emulates.. if it doesn't I then debate whether I *truly* need it. I check for an alternative that runs on Linux and then I check if there's any drivers for running on Linux. If all else fails I will cautiously install it on Windows, such as Visual Studio or just use its alternative on Linux - Netbeans. I never use VS, simply because I'm never in Windows... don't get me wrong, I like VS.

Aside from that, after using Fedora, Kubuntu and now regular Ubuntu for my desktop/server machine, and Ubuntu for my laptop for about 2 years I have not had to deal with viruses or spyware. It's funny to me when someone at work will say something about updating virus or spyware definitions... I feel like I have been kept out of the loop as I haven't done that in 2 years. :)

My brother got a nasty rootkit on his laptop that had never been connected to the internet, without "just doing anything stupid." How? He bought a Switchfoot CD and put it in the hard drive (and doesn't run as administrator), and hadn't turned autorun off. I spent 3 days trying to get rid of the Sony BMG rootkit, and deleted the files, but then on rebooting, it bluescreened.

How do you protect against this kind of thing?

>>That's like saying that auto mechanics want your car to break and
doctors want you to get sick.

The difference here is that, all things being equal, cars will ALWAYS break down eventually, and you will always get sick or have an accident where you will need a doctor. If the threat of viruses were negated we would never need AV software -- which is why the AV companies will always be in support of some sort of fear.

I once got a virus on my Linux box. But that's because I was stupid.

I had an extremely limited account called "guest" (with password "guest") so that my college roommate could cleanly shut down the computer during a thunderstorm. Since there was no way to log in remotely, it wasn't a security issue.

Some months later, I installed the OpenSSH package. It was configured to allow anyone but root to log in remotely, and sooner or later a worm found its way in and tried to crack root. I noticed the excess network traffic, found a suspicious file in /tmp, destroyed it (and a couple of processes), then added the AllowUsers directive to /etc/ssh/sshd_config.

It didn't cause any damage, and I haven't had any trouble since then. Yay for privilege separation, boo for bad default configuration!

it's really hard to contain any infections. as the technology evolves, so as the threats..
i'm aware of those infections that mutate in order to be not detected and all those sneaky tactics.
in my opinion, the best way to prevent such attacks is to give them the taste of their own medicine, a.k.a fight fire with more fire.. xD

That is something that Debian based operating systems did marvelously, you had to 'sudo' EVERYTHING. It was bloody tiresome, but I kid you not, /I/ alone was responsible for crashing that machine XD.

The best advice i ever game my parents about computers was to switch to osx. for security and surfing the web its the best advice you can give anyone who does not know how to jump through the security hoops windows forces you into.

I believe the best anti-virus you can get is the one where you are not connected to the internet. If it's sensitive enough that a compromise would ruin your day, keep that data offline.

I had a virus recently, nothing dangerous, but annoying, and it was caused through my use of internet exploder. I went to the all-knowing google and did a simple search, deleted the virus, and everything was good. I am a safe surfer, I use Firefox, the AdBlock, NoScript, and other plugins, am behind a router, and am not connected to internet when I don't need to be.

I still don't even have an anti-virus, for reasons stated above, they can't catch everything, it's all just a false sense of security. They don't offer enough to make up for how much they cripple my system.

I've been running on Jeff's advice here for quite some time and I could say that it's been the best advice I've ever taken for my home machines.

There was a time when running Spybot S&D would reveal malware appearing and reappearing every day; since the switch to limited accounts I would run Spybot once every month, sometimes once every three or so months and no new malware would crop up anymore.

Why users don't switch to Linux, and why running Windows in Admin mode is default:

1. "Some months later, I installed the OpenSSH package. It was configured to allow anyone but root to log in remotely, and sooner or later a worm found its way in and tried to crack root. I noticed the excess network traffic, found a suspicious file in /tmp, destroyed it (and a couple of processes), then added the AllowUsers directive to /etc/ssh/sshd_config."

2. If you try to find instructions for copying a user profile from an admin account to a standard user account in Vista - you won't. Nobody is revealing this deeply hidden secret. You must not only set up your desktop from scratch, but find and copy all of your customization templates - e.g., normal.dot in MS Word. Golly, this is fun! Thanks, Microsoft.

I tried to take Jeff's advice and use a limited user account on my new laptop, but I install / use a lot of programs and many of them simply will not play nice with a limited account, and constantly having to "Run as Administrator" gets old really really really fast. I am not a computer novice but I view my OS as nothing more than a device that allows me to use as wide a variety of software as I possibly can. That's why I won't use Vista while compatibility problems persist and why I decided not to even bother with a limited account - the hassle of having to use the nuclear option of a reformat / reinstall is less in my view than the death by a thousand cuts of trying to battle uncooperative program and typing in the admin password hundreds and hundreds of times.

Ouch... Man, using a Windows box continues to resemble living in a sewage filled back-alley. Why not just get a Mac or Linux box and jettison Windows permanently? The Windows security architecture is just outrageously broken from the ground up and no amount of patching or band-aid UI effects like Vista's UAC will ever fix it. Unless your typical end user has some absolutely unavoidable business reasons for sticking with Windows, the vast majority of end users would be served much better by switching to an operating system that actually has an effective security model.

kingbee:

Because

a) I develop in Visual Studio
b) I play too many Windows games
c) I can't afford a Mac

Jon, a Mac Mini is $600 :-) How much have you paid for your PC + Windows license + VS license (+ MS Office or whatever else you've got)?

Your other arguments are good, but the "Macs are expensive" line is getting old fast, in fact it's already obsolete.

Here's something interesting: http://www.lostcreations.com/sudowin/sudowin Sudo for Windows.

kingbee,

Windows has a significantly more advanced security model than OS X and Linux only recently caught up when ACLs showed up there. The Windows security model is more akin to SELinux. The only issue is that tightening down the machine leads to compatibility and usability issues.

And there really is nothing stopping anyone from making precisely the same attacks as have been made against Windows on Linux or Mac OS X. If you download a program and run it, the OS really has no choice but to follow your directives. The program then just does what it wants: parties over your data, opens ports to the outside world, joins botnets, emails your friends. Neither MacOS nor Linux are likely to be completely free of Escalation of Privilege issues, and in both cases the program could piggyback onto other legitimate requests for the root account to truly worm its way into your system. The trojan horse attack that Jeff describes is simply not a reflection of the security of the OS. It's more about the security-consciousness of the user and the generally hostile climate on the internet.

If there were serious legal consequences to distributing malware (i.e. jail time) and serious pursuit of those who make this software, perhaps we could clean up the internet so that it is safe for our wives, parents, and children. Windows apps will improve slowly (we can accelerate this slightly by vocally refusing to buy apps that do not run correctly on Vista under low rights), but that is not the real source of the danger, and the world will still be bad because people's low-rights accounts will be the new target.

I gave up on Windows years ago - that was the easy bit. Getting my family and friends to move away from Windows is proving to be much harder.

Perhaps I should wait until after they have spent hundreds of £££s having their machines de-scumware'd and suggest they by a Mac to save money !!

I run as a limited user and I do have the odd badly-written program that requires write access to its own folder or some other idiocy. All I do is switch to admin and give my user account write access to just those folders that the program requires to run properly. Never had a problem since.

Installers are another thing entirely. No one ever develops or tests their software outside an admin account, not even Microsoft. Even Firefox and Thunderbird cannot handle the concept of a non-admin user when it comes to updates.

@nksingh: I guess that you have highlighted the fact that the real issues are non-technical. OS X and Linux seem safer in practice with less sophisticated tech because developers and users have a different set of cultural expectations. If Microsoft absolutely committed themselves to the idea of a environment that is safe by default now it would break existing software and irritate core constituencies, so they have to somehow change how people think with incremental changes to their products. I don't envy them their position.

It's worrying that Microsoft has entered the AV market - as Jeff says there is an inherent conflict of interest there.

This really should be about antivirus (which does run on linux and osx) being obsolete and debilitating to computers rather than an OS debate.

However, you'll find most users do NOT run into security related issues all that often. A virus every now and then, some spyware, and the off chance of being added to a botnet. The majority of those people, I guess, hanging out on porn or crack/hack sites.

The issue should be problems with the user, not the OS. Advocating choosing Linux over Windows for security issues is VERY tired. At least advocate Linux for usability and a wide range of VERY available applications. That's why I'll be changing to Linux on my next PC build.. not security.

I've always wondered what happens when your VM gets corrupted. If its been hacked, even just for one session, it can still keylog your passwords and send your credit card details on.

Linux/Mac Advocates:
I too agree with what you're saying; but I see problems with either OS being a solution:
1) Businesses that are serious about security tend to firewall and lock down everything right down to the kitchen sink. Windows is fairly safe in this environment, especially with email, browsing, and running privileges restricted. This is usually an adjusted running cost already in the budget I've found, so there is no real gain here. Linux conversion is usually too high a cost for MIS (the OS is usually a small percentage of it's real cost, sure linux is free but training support staff isn't).
2) The people that really need to be protected from themselves are home users, and - as happens in my own household - most people using the home pc are interested only in things linux can't offer. For one, installation of any new software is painful (although this is a lot better recently if Ubuntu is anything to go by, it's still not straightforward enough to know if you have all required components). For another, the "good" games are all windows only(ie, anything recent including non-mainstream games like 90% of all kids games).

Comparing the conflict of interest issue in antivirus with that of auto mechanics is inaccurate. You want to take your car to the busiest auto mechanic you can find, because since he is so busy, his self interest is to get your car out the door and not see it again. It is only in the self interest of an auto mechanic whose business is flagging to artificially create business.

However, this relies on a scarcity: the mechanic's time. The antivirus software developer does not have an analogous scarcity, so for him it really is a conflict of interest.

As to virtualization, I am more and more excited by this prospect, but not for security reasons. A virtualization layer can expose a standard hardware set, so researchers in operating systems no longer need to support every device on the planet to get their system into the real world. A Linux kernel is the best option for the underlying system for two reasons: 1. you can strip it down to almost nothing far more easily than Windows; 2. it has the broader hardware support than other candidates like Mach. Anyone want to run a Lisp machine again? Or howabout a Haskell machine?

The problem with antivirus software is delay in releasing updates to clients. If new worm appears most AV products are unable to catch it, rendering them completely useless. And there are new worms every day. That makes AV product to be actually pretty useless, despite people pay money for them and then believe they are protected. IMO AV software is waste of money, as it just does not work.

What works is to have hardware firewall + some knowledge not to execute unkown stuff, but unfortunately average computer user does not have either.

I agree with Josh's comments that this is not about OS. And advocating any one OS over another is truly tiring. Part of the problem of course the anecdotal stuff posted by Jeff that suggests that the problem is partly with Vista and talking about other OSes. As though they are less vulnerable.

On an equally anecdotal level I am using Vista and have had no issues with games or any other application.

Its really more about security software suites that are slowly becoming irrelevant. And about users not exercising some minimal sense. I am not using any of the big security suites (using light weight AVG and Defender) and I havent had any issues. Didnt have them with XP either.

(no flames please - I use Mac and Linux too - associated with a print shop)

Microsoft understands that the average user does not want to do the things you listed here.

They will never run as user only and even if they did they would surely type the admin pwd to get the "dancing bunny" thing installed so why would that help ?

They will never accept running a browser completely isolated from thei harddrive, how would that work witout removing most functionality of the web ? You couldnt even download a file with that which no user will accept.

The average user wants full power over their system, period.

What works is commons sense, and maybe that's something we need to teach, with the risks that are out there maybe it's time to dicuss a mandatory drivers license for the web ?? Why not ?

"It's too bad the powers that be at Microsoft didn't have the guts to pull the trigger on limited user accounts as a standard setup in Vista."

I'm sorry, did you just completely forget the account you retold above where the person has pulled the trigger themselves and had a hard time with it? If they had pulled the trigger then waves of people would be turning off any form of limitation and returning to admin accounts because it's too painful (It's happening at the moment because they slightly botched the solution, but it would be far worse). We would have a security epidemic worse than is at the moment. You have to do these sorts of things slowly.

Get the rootkits trojans to the hell.

I think the answers of 'use a mac' or 'use linux' are flawed because in my mind, i can still download and run a rogue application, and it can still trash _my_ data. Who cares about reinstalling the machine if all the data is corrupted.

Same with running as non-admin - that rogue program, running under your credentials, can still read all of your files looking for passwords and credit card details, and corrupting what it feels like.

Running windows in non-admin mode never worked for me. I had a few commercially bought programs (Adobe Photoshop Album 2.0) that would simply not work as non-admin (a nice dialog informed you of that on start-up). Non-admin (currently) just makes it harder, but not impossible for the virus writers. Death by 1000 cuts indeed.

Anecdotally, I'm sure my machine was last infected when I let someone use my computer. They were staying with us and I (thought I) set up a non-admin very low privilege account. Some sort of mostly benign trojan got me, and that was only defeated by a clean wipe - I was lucky.

Virtualisation is good, but it's no panacea. Virtualisation is better because I can load of certain configurations (dev, not dev, playground) but trying to do it for things like email and browsing - the most exploited virus vectors - is pretty impossible. Graphical programs suck too. You're still reinstalling a virtual machine, because the virtual machine has all the same downfalls of the real machine. You're really just putting up walls to limit damage when it does happen, but are you really making that much of a dent in the problem? Oh, and you did buy all of those licenses for all those virtual machines right? Mr Universal MSDN is fine, but my mom isn't.

Sandboxing - it's mostly the answer. And not done the way .net's access permissions work, but something that any old user can use and understand. Heck it should be something that any old programmer can understand too - because they're the other 1/2 of the problem.

Most programs:
- don't need access to all files in the system (or all file types in the system)
- don't need access to system files (after install, ever?)
- don't need unrestricted access to all network ports/sites
- don't need to listen on tcp connections
- don't need unlimited network bandwidth
- don't need access to the entire registry

Done as part of the install (program supplies a manifest) and enforced from the OS would probably make a lot of these issues go away. The OS could highlight warnings (and allow the user to override) saying 'no this program may not do xyz'. I'd like to do this with commercial programs that I trust too. I want to know what any program is doing or allowed to do in the system.

It's not a simple fix, but MS (and others) will have to make some breaking changes at some point or they will continue to be plagued from all of nonsense. The truth is there's a lot of things in Windows that are broken and not getting fixed anytime soon.

What's the rest of the answer - I wish I knew. For now just filling up the security holes, avoid IE, and Hope For The Best (TM).

Using IE or Firefox has nothing to do with this, there have been plenty of security holes in both browsers and also most users fail to update their plugin software like java, flash and adobe pdf which often have serious bugs.

Don't go that way, don't say "use this and that", it's not helpful to anyone to think they are secure just because they use a certain brand of whatever software, it's ridicoluos. They need to use common sense.

Also, I think we exaggerate the problem, how often does this happen to an average user that uses common sense ? Me personally I have had this issue twice in 12 years and in both cases nothing really evil happened, it was quickly discovered and disposed of and after fixing everything I took the precaution to change my passwords for email and other things.

I think we have to live with this, and I don't agree it's a "security mess", it doesn't happen that often to an average user. It was a mess back on Windows 95/98 both which were impossible to secure but it's not a "mess" today.

You forgot one thing: use a NAT router. Most Windows services still run as the local system, so even if you don't run as Administrator, passive infections are still a risk. NAT pretty much eliminates that.

The last thing you want is for your system to be compromised while you're downloading all the security patches!

[ICR]: When Microsoft pulls the trigger, they put a few million dollars more into the usability of the trigger than that particular user probably did.

I think Jeff "Tiro Fijo" Atwood's point is that if Microsoft made limited user accounts the default, they'd also put in the effort to make it as painless as possible. And it only gets more painless from there as application developers are forced to take limited users into account.

I'm not sure what you mean about doing this slowly. It took long enough to release Vista, so they had time to implement this default properly. It looks like everyone at MS was too busy waving their genitalia at the WinFS team and working on that UAC bollocks.

I recently switched to Ubuntu Feisty on my Thinkpad with XP running in VirtualBox. I'm pretty novice when it comes to Linux but Ubuntu has been a dream. I haven't had any major questions or issues that didn't have an answer readily available in their forums. When running XP, I barely notice a performance hit even with vs.net 2005 & sql 2005 running. Also, pretty much all the software I need to get by on is available and easy to install. I've been so pleased w/ the Ubuntu that I'm pretty sure I wouldn't even have XP if it weren't for my work...There's no reason to fear the Linux anymore. Try Ubuntu out and I promise you'll love every bit of it.

I use linux, so "i don't know what you're talking about".

Sorry i couldn't resist.

It's funny when I see my bro's XP laptop. There are always all these SpySweepers and AV programs with their little tray icons. They are always updating something and asking if they should run again. What a waste of resources and time!

When I first switched to Linux I specifically remember feeling the freedom of not having to deal with all that mess. But I also like the feeling of scanning my system and finding everything to be alright. So I filled that void with rkhunter.

I do the following:

1) I run Mac OS X and do a full, bootable backup once a week on two alternating external hard disks. I do incremental backups of documents daily. The firewall is on, and I run Little Snitch, but I do not run a Mac antivirus application.

2) All Windows stuff runs under Parallels. Whenever I install something, I make a copy of the image. That way, if something goes wrong, I can just go back to a known clean version. I do run an antivirus app under Windows, but do not actually expect it to do much good.

3) I never store actual documents on the Windows image, but always write them to the Mac's hd so I can back it up, and so it can't be messed with if Windows gets infected.

In other words, I do some stuff to prevent an infection, but more importantly, I make sure that I can quickly go back to a working version of all of my stuff if something goes wrong. Best case, I throw away the Windows image and make a new copy of the last known working version. Worst case, I boot from the external HD, clone it back onto my Mac, and copy back any files changed since the last full backup.

I do not expect to be able to get rid of the virus once it's on my system.

Cue the "OS X is more secure because it's a smaller target" cries.

Wait, am I the first? W00t!

So how does running in a virtual machine protect your data if the virtual machine is compromised? It just makes it easier to restore the machine to an uncompromised state.

"Linux/OSX is more secure than Windows" argument is just wrong. Windows, obviously, is a bigger target. Like, at least an order of magnitude bigger. Plus, it's the place where all the vulnerable users are. So malware writers naturally prefer to spend their time attacking windows -- it's just good business sense for them to invest time into that platform.

> I've since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot

This approach doesn't scale, even with a sample size of 1 :)

> Sandboxing - it's mostly the answer. And not done the way .net's access permissions work

Actually I don't think traditional .NET/Java sandboxes work very well, because they're hard for developers to understand:

http://www.codinghorror.com/blog/archives/000820.html

> how does running in a virtual machine protect your data if the virtual machine is compromised?

Presumably most of your data is outside the VM, and thus in a parallel universe that's unreachable from inside the VM.

> However, this relies on a scarcity: the mechanic's time. The antivirus software developer does not have an analogous scarcity, so for him it really is a conflict of interest.

The more credible and fearsome the threats, the more money the antivirus vendor stands to make. Software licenses are like printing money, almost literally. It's just unfortunate when what you're selling is fear.

> No one ever develops or tests their software outside an admin account, not even Microsoft.

And isn't this the real problem? The way admin has been so thoroughly and completely institutionalized in Windows? Vista has a band-aid, but I don't think it's enough.

> "Linux/OSX is more secure than Windows" argument is just wrong.

It's *not* wrong in the sense that RUNNING AS ADMIN HAS BEEN INSTITUTIONALIZED IN WINDOWS.

Running as an admin will always make you much more vulnerable by default.

This won't change until Microsoft ships an OS where running as a standard, limited user is the default policy.

- Make a habit of reading email through a web mail interface instead of a desktop mail program. It's much safer.

- AV's are still good. Just because they don't catch everything, doesn't mean they are useless. At least they would have blocked the attachment that caused the problem in the first place or warn you before clicking that attachment as in "This might contain a virus.. are you sure?" type of warning.

- If I download an executable which I suspect, I run it in Sandboxie (free from sandboxie.com). This way I know what files it's reading and writing in the sandbox. Using a VM doesn't help me much if the program is doing something invisible in the background. I see 'run it in a VM' advice all the time but what if the program ran fine and it installed an invisible lurking trojan which wakes up after a week and, say, after a few days of using it in the VM, you decide it was safe to install in your OS, how did the VM protect you in this scenario?

A previous poster stated that perhaps it should be illegal to distribute malware, and maybe this is the route that needs to be taken. How do we catch these people who knows thats not my area of expertise, but maybe it'll help.

If people are writing new viruses every day hows my shitty McAfee av suite going to pick those up. I rely on my firewall and my router to keep the bad guys out.

A lot of people here are making the intelligent argument that this problem is OS independent. With so many non-tech savvy users running windows it makes more sense to attack windows than linux or OSX or <insert awesome operating system here> because of the sheer number of users.

So until this becomes a non issue figure out what works for you, do your best to educate your loved ones, and use your head when downloading or opening files from the scary interweb.

You asked, "how do you protect users from themselves?"

My first answer is education. A lot of intelligent people are scared of machines for good reason ...they know that they don't really know how to protect themselves.

Josh (comment #5) said, "I've since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot.". wtg

Having a comfortable relationship with computers for 25 years (even though I'm a non-techie), I've gotten to the point where I can explain all my cautious habits and even verbalize why things just don't feel right and raise my antennae sometimes, but not fully enough to really teach others beyond 'helpful tips' which isn't really enough.

Vera

I agree that running as Administrator is at the heart of the virus (trojan/malware) epidemic. The extra hassle that is needed to install a new program is perfectly acceptable, it provides a suitable hindrance to inadvertently installing a new program.

Unfortunately, many applications and devices require and/or assume administrator privileges. This is increasing the exposure on Windows NT and is not something that other operating systems have allowed (Mac OSX, Linux, etc.).

I think it would help if computers were viewed more as an appliance, where they perform a specific set of tasks and don't mutate frequently. It is a device for word processing, email, web browsing, etc. but is not intended to be updated with the latest goofy screensaver app.

Look at it this way -- how many people change out the upholstery in their car?

In the meantime, if you can run as a regular user rather than Administrator you will have some protection from inflicting irreparable damage to your os.

I must respectfully disagree with Eric.

I am a developer; I'm constantly installing and uninstalling programs. The average user might not need to do this, but I absolutely HATE running as non-administrator on anything except Linux, which gives me the handy su command.

Computers are not appliances from my point of view; they're user-centric tools.

What good would a table saw be if you couldn't change blades relatively easily to cut tile instead of wood, or replace them in case of breakage?

What good would a hammer be if you had to stop hammering and enter a password giving it permission to pound the next nail in?

On the other hand, I can definitely see the inverse of this. Normal users won't have to install/uninstall many programs nearly as frequently as I do, in the same way as the average homeowner won't be doing rough-in construction in their garage. If I'm going to be doing this level of work, hopefully I can be trusted not to entirely screw up my computer.

What I would really like in a permissions system is the ability to define what my programs should and shouldn't be allowed to do--ON MY TERMS.

Most of the programs I install (text editors, for instance) have absolutely NO NEED to access the Windows folder--and if one of them tries, I want to know about it!

What really needs to be done is to give users the ability to tell the OS what programs can and cannot perform specific actions, both at install time and at any time afterwards. Installing a trojan isn't that big of a deal if your operating system refuses to let it access the filesystem or use any network connections.

Microsoft likes it a lot when you buy a new computer every year. They won't fix anything.

It seems to me anyone who is complaining that running windows as a normal user like Linux does, isn't getting the point. They aren't doing it like linux. Does a normal user do installs in Linux? Use admin to install. If you are logged in as a user and want to install use the runas command, or in some instances there is even a menu option for runas if you right-click on the desired file. Same goes for trying to run a program that needs to be run as admin. Just because that one program needs admin access does that mean everything you use during that time has to have admin access.

Windows has a command line the more you use it the better off you'll be and as a note runas is like sudo.

example uses:
runas /user:administrator cmd
runas /user:administrator c:\<where ever>\photoshop.exe

To find out more options just type runas w/o and parameters.
if you need a link to keep you from typing make that command a batch file.

> Running as an admin will always make you much more vulnerable by default.

Only because so many pieces of Windows malware assume that you're running as admin currently. I think if there was some mass change in the average computer user to using low-privilege accounts you'll find that malware writers are quite able to cope with running in userland and/or tricking the user into providing credentials. The exact methods will change, but I think the overall picture will remain largely the same. Certainly, running as non-admin is good advice for an individual in the present, but it's by no means a solution for the overall problem.

Virtualization presents some interesting possibilities, but it will be interesting to see how well users will tolerate the inconvenience of shuffling files to and from the sandboxed environment and it still doesn't deal with the problem of people installing a "nifty screensaver".

I'm slowly coming to the conclusion that desktop security (for the home user, enterprise is a different story) is an intractable problem on a general purpose computer. Limited purpose appliances have potential, but seem to be unlikely to be accepted on the market (they certainly haven't been accepted in the past).

There's been some debate in the comments about what kind of user experience there should be with installing software. I think it's important to remember the examples Jeff's talking about: .EXE files being sent via email that purport to be an "active" greeting card. If a legit ecard app needs admin access to install, then Windows is doomed.

If Microsoft is serious about users running non-admin in Vista, they'll change the requirements for software developers to obtain a Microsoft-certified logo. Essentially, certification should ensure a piece of software be installed without admin privleges. If not, why not? I can see a hardware install or AV software requiring such access, but beyond that the reasons start to dwindle. I can't see why a game install would need it. Wasn't that the goal of DirectX?

Many thanks for including a full color reproduction of Munch's Scream in today's blog. It's a glorious painting and states quite succinctly how many of us feel about computer security these days.

But the culture of fear is soooooo marketable...

http://www.geeksquad.com/pricing/default.aspx

Almost all of their services are related to security. There even guaranteed for a whole 30 days...can't beat that.

Linux, Mac OS X, and “LUA” Windows Users are currently safe because there are so few of them.

For a malware author it isn’t economical to write malware for these users. If market share goes up the situation will change.

There is no protection against malware inside OSX or Linux and the security model has no advantages over Windows – actually the opposite is true.

This can be seen on thousands of compromised web servers out there where Linux is more prevalent (LAMP!). Most attacks against buggy PHP scripts are written for Unix platforms.

--

With the acquisition of GreenBorder Google is either trying to implement something similar to Protected Mode IE (i.e. browser sandboxing) for Firefox or it is trying to wrap ReadFile(), et.al. to insert ads into your favourite documents :-)

Felix: "How much have you paid for your PC + Windows license + VS license (+ MS Office or whatever else you've got)"

That's ridiculous, a Mac Mini doesn't come with VS nor Office either. Take those out of your equation and I can buy a similarly powered PC for $350. Of course, that's dramatically *underpowered* and the next step up in Macs is way more expensive then what I paid for my PC. That's the biggest problem with Apples and price, there is no middle ground, you either get and internet surfing machine (Mac Mini) or a supped up powerhouse that's twice as expensive and twice as powerful as the PC you really need.

"If you try to find instructions for copying a user profile from an admin account to a standard user account in Vista - you won't."

Actually, last I tried (granted, in 2000 and XP) it was just a matter of going to the user account in the administrator console and removing him from the "Admin" group. Has that changed in Vista? Does this not do what I think it does in 2k/XP?

"This is partially the fault of Windows software developers who fail to test as standard user."

I disagree. If "run as admin" (right-click on the installer and do so, or get prompted for the admin prompt when you just run it, however Vista does it) behave differently than logging out, logging in as an admin, and then running it: there's a bug in Window's prompted privilege escalation.

Yes, I would love for most software to be able to install without admin access. Perhaps that's what you meant. However, it is definitely Microsoft's fault that full-login and "sudo" logins behave differently in some (relatively large) percentage of installers.

"I think virtualization is the only rational way to protect users from themselves-- and that's why virtualization is the next great frontier for computer security."

I think, were "sudo" to work properly in Windows, and standard user to be fully effective (I have no evidence that it is not; however, like OS X, it is such a severe minority of the universe that we won't know how secure it really is until it gains more traction), that you'd have a lot easier time getting users to use that effectively than to get them to use a VM properly.

As you noted, the "safety" of the VM is that your important data is not exposed in it. So, you can download and install an application, try it out, and decide if it's useful. This works great if you don't want to "try out" this application using any of your "real" data. But, that's what a large number of people will want to do. So, their "real" data goes on a "shared" drive which is then available to the "walled" VM and the standard OS (which might itself be a VM), and, suddenly, there's no data security. Then, the only "security" the VM allows is the granularity of applications installed in it (only install a few apps in the VM and the virus can only spread to a few apps and you have less to reinstall afterward), but your data is just as likely to be published for credit card number sifting or encrypted and held ransom.

All of which is to say: no matter what you put in front of users, they will find a way to foil it.

Anti-virus software on a pc is like drinking stagnant pond water THEN ingesting the chlorine (horribly visual comparison, but think about tap water). It can't act appropriately to protect users from viruses. The best way is to stop them at the source.(i.e put the chlorine in before distribution.)

Unfortunately, attacking malware-creators poses an issue, there is no solid line separating malware from legitimate software.

An example of the fuzzy line is the WhenUSaveNow program, it has popups, but the user HAS to AGREE to install said program, the program fully notifies what it does to the user, but I consider it malware.

Let's say we define what's malware and what's not, then we might end up with another McDonald's hot-coffee-warning, bull crap lawsuit.

I am taking a large risk as Admin, but the alternative is too inconvenient for me, it all depends on what the user has to lose.

Geek Squad lives off of the ignorance of the average user, the same way AV progs do. Ignorance is not bliss, it hits your wallet.

Non-english people has a big advantage against all that spam & virus e-mail. As my wife does not understand english, she never opens a mail not in french. :-)

I was attempting to make the point that traditional sandboxes didn't work well, if at all. Sorry if that didn't come across. I write .net programs for a living (websites, not winforms) and looking at the permissions and setup is a real drag if not downright impossible hence my comment about making it easy for programmers as well as for users.

My point was network, disk, registry, keyboard, etc are all resources that need to be protected by the OS. They should not just be given away at the double-click of a mouse. For 90% of software it should be easy to say what it may and may not do in a succinct and easily presentable manner. I don't care if this breaks old programs. Call it Windows Secure Desktop Initiative or something catchy. If MS does it right they'll continue to own the desktop, and every big vendor will scramble with that new upgrade to have a new little logo.

I don't blame MS, they couldn't have seen it coming, but for their own future they have to make fixes.

Windows continuing to be an insecure platform will push online applications as a better option, despite their limitations. Gmail and Google Docs never required an install. The future of desktop applications depends on the security of the desktop.

some readng for "safe because there are so few of them" camp: http://daringfireball.net/2004/06/broken_windows

I believe someone has made this comment already but I gave up on "anti-virus" long ago. I keep full installed (clean) images off all my computers as well as most of my direct family.

With compression now-a-days and the amazing cheapness of storage, you can have a TB array without really much cost. I have a resident Linux server, which has NEVER had a virus in 9 years, hosting the TB array and when I have issues I simply plug in my recover USB flash, or CD for some of the older computers, and dump the clean image back on my disk. If I am remote I can dial in to my server over the net, or I can just burn it to a DVD. Though the DVD solution is ungodly slow.

I recently had a virus/malware issue and within 30 minutes or so of realizing there was an issue I was up and running in newly dumped image. I do keep my documents/hard data stored on the server as well though so I don't have to worry about data loss on the image dump.

I think everyone should use this method, it all but removes virus and malware threats.

Just my two cents.

That's a bullshit. I always run as administrator and my comps never been infected.

There is only one lesson: don't be dumb.

Good article Jeff. And yes, this is nothing new - George Smith has been pointing out how the AV emperor had no clothes and relies on instilling fear nearly two decades in the Crypt newsletter (and he should know, being one of the earliest authorities on the subject).

"I have a resident Linux server, which has NEVER had a virus in 9 years"

"I recently had a virus/malware issue"

Well, that's great. Nothing like being internally inconsistent.

BTW, I have a Windows server, which has NEVER had a virus in 4 years. Not even recently.

I think we can kill a lot of birds with one stone here....

Am I the only one who doesn't understand the need of 'installing' the vast majority of applications? I can understand why we need to install system components. Things like DirectX, .Net Framework, etc...but why do I need to 'INSTALL' games or applications?

If I have a game, I want *EVERYTHING* I need to run that game in the folder I tell it to. The registry is a huge mess....screw it. Everyone, *stop* using the registry. I'd rather see a 'config.xml' or a 'config.ini' than have to spend hours digging around the registry for whatever the application added.

The vast majority of .DLLs and crap that will get copied to the system directory will never be used by anything other than that one game or application and SHOULDN'T be put into the system folders.

When you execute a file, by default, it should ONLY have read/write permission to the folder it is in, and any sub folders.

If I'm running IE and browse to some shaddy site, IE itself, should only be able to access the folder it sits in, and sub folders. That means, ALL of the data related to IE can be found in the folder and it's sub folders.

If I install another copy of a Windows OS - I shouldn't have to 'reinstall' any of my games or apps. I should be able to browse to the folder it lives in, run it, it should work. See, during the install process a bunch of crap is put into little hidden spots of the registry and files are copied all over you HD. Without those files, the game won't run....so you have to reinstall all of your games. It's crap.

What I'd like to see is a filesystem based security system that views individual executable files as 'users'. Each app, each game, each EVERYTHING, you can run has individual permissions that you can look at and modify. By default, it can't do anything but read and write to it's folder and subfolders. If you want IE to be able to put files in C:\MyFiles - then you need to set the permissions of C:\MyFiles to allow IE access to write to it. Anytime an application attempts and fails to read or write data that doesn't belong to it - you'd see an error message. You know what file did it, and what it was trying to get at.

Taking it one step further, using this model, the VAST majority of applications could/would run just fine as long as the appropriate updates were made. The few installs that really should be 'installed' in the current sense are mostly well-known MS or other big name company products. If I go ot install the .Net Framework that *should* be a real install, but MS could certainly give it a 'stamp' of approval; just like it does with signed drivers.

If someone gets a 'HappyBunny.exe' and they run it, it won't be able to do much of ANYTHING. It has read/write access to some temp folder under IE. Even if it exploits some sort of buffer overflow, or something along those lines, and can excute code, the IE process, only has read/write access to it's folder. If the application requests access to other folders, the user would get the error message with a 'allow/deny' type choice and then, if they allow, since HappyBunny.exe isn't digitally signed by MS - they get a big BIG ugly warning saying that there is virtually NO REASON for an application to need more access.

Administrator accounts could grant the programs access to system folders. Regular accounts couldn't. This would *only* affect the installs of software that has a legit reason for accessing system files (virtually none). Everything else could be installed from the regular accounts.

I like RobDude's idea, reinstalling windows should not mean reinstalling every piece of crap I own. The registry is a mess, can anyone remember off the top of their head where Unreal Tournament 2004 stores its own cd-key?

The registry was supposed to be a replacement for ini files, but I think ini files and folder permissions for an app should be what RobDude is suggesting.

I'm all for spreading the (half)truth that linux/osx are safer...

the more unix based users there are, the more software will come out for these platforms.

everything is a double edged sword though. More users means more interest in the malware-creation community.

RobDude,

I have BEGGING for that very same scheme for years.

It sucks having to reinstall all my apps if I scrub my OS, upgrade my harddrives or change the way my "tear-off" VM is built. Just plain dumb.

The Registry was a big step backwards in usability.

I would like to see some answer from the VM proponents to Mr Sandman's comments about the price of extra windows licenses... we don't all have MSDN.

I applaud the guy who can restore his system from an image in 5 minutes. You must have a smoking fast network to do that, and a small system disk. See whenever I backup/restore it takes hours and hours, and that's to a firewire drive.

See the problem is
1 - any data would have to be backed up first. There are many stupid programs that hide data in strange folders.
2 - your disk image would always have to be up-to-date
3 - you have to keep multiple images, because what happens if you got a virus, didn't know, and then made the backup. You've just backed up the virus.

You just can't win. Virtualisation and backups are just bandaids that help but can't solve the problem.

I just don't bother with small scale / unknown 3rd party apps anymore because it's not worth the risk. I stick to well-known vendors and hope for the best.

Another converted Ubuntu user here. Someone mentioned above that the WinNT security model is actually far ahead of the standard UNIX security model - and that's true. The traditional ext3 filesystem for Linux only allocates *nine bits* per file for permissions information - stored as three octal numbers. It's absolutely a holdover from the years when hard drives were measured in tens of MBs.

In contrast, the NT security model has cascading ACLs, arbitrary numbers of groups and users for a file, and far more levels of permissions the UNIX read/write/execute bits. SELinux and extended attributes (xattrs) can add the same fine-grained security to Linux, but honestly, most people outside of the security profession don't use them.

The key difference here is that the WinNT ecosystem has a different culture - a culture of fear, as Jeff said, but also a culture of default-allow. Combined with the unfortunate integration of IE into the operating system (which is only finally being decoupled in Vista) for political reasons and we have a perfect storm, a malware deluge.

The UNIX culture, however, has a long history of multi-user computers. One of the first things you learn as a new Linux user is about file permissions, and about user accounts. It's not like this is too hard for users to grasp - permissions are used extensively in things like Sharepoint and CMSs, where users understand and *like* the ability to control access. But since it's not a part of day-to-day use of the OS, it doesn't occur to them that files on the hard disk can have the same setup. It's a shame, because they are, after all, working with a great security model - if they realized it.

Seem to be lots of spreading of fear culture here among the comments, from some of the comments you would almost deduct that every windows installation is ridden with viruses and trojams, pherhaps I may humbly suggest you get a basic 101 computer course if that's your experience.

Also, we have to separate between getting a virus warning visiting a site and or when getting an email and the system actually being infected, I have know people that have reinstalled the system when all that happened was that the antivirus alerted when visiting a website or that it alerted on a scan that something was in the temporary files cache, it doesn't mean the machine was infected but most users seem to think that.

And, like I said previously, how often does this happen really ? Most people don't get viruses on a daily basis or even on a yearly basis, that's what it sounds like in this article and in the comments, a user with some common sense that do not download that stays away from "warez" and those kinds of things will not get a virus infection just out of the blue, it was a very long time since Windows had that kind of bugs where you could get infected just being on the internet, it just doesn't happen today. Again, a page or a file in the cache is not an infection.

The more you blog about blogging, the less likely I am to read it. Apparently this has become the meta-blog...

I have a tech-savvy buddy with an interesting strategy. As one with in-demand skills, you're time limited. His strategy is pretty simple - called Three Strikes.

The first time a family or friend's computer is infected, he fixes it for free. Whatever it is. Does it require a complete rebuild? Install a proper firewall, anti-scum... whatever it takes.

The second strike is at cost. I don't know his billing rates.

The third strike calls for a Linux install, also free.

He reports that a cousin is now running Ubuntu, and seems to like it. His Dad has had his second strike.

It doesn't work for me, though. I have a brother who fixes Windows for a living, and seems content to keep fixing my Dad's machine.

I don't know if you are familiar with Winpooch: it is what i could consider the new generation of protection software, and it also comes (coincidence? i think not) from the open source universe. It is pretty much a quick fix but the only way a long-term fix could be made is if windows would take the direction suggested by RobDude.

From the Winpooch website http://winpooch.free.fr/

"Winpooch uses the API Hooking method. It spies programs when they are running and gives to the user a powerful control of their activity.For example, you can forbide a program to write in a system directory or in the registry, or else to connect to internet. That makes the difference between others anti spywares using a database of known signatures."

Quite similar to sandboxing. Too bad it really needs the user's ability to tell what should be trusted and what not, and it doesn't at all fix the problem of a trusted, licenced app which has an inner vulnerability that makes it a backdoor for attacks.

But as long as the regular user would even at times ignore virus warnings from current antivirus software, as I have recently seen (mistaking .mp3.exe files for archives), there is absolutely no chance for a safe world without some big changes being made.

INI vs Registry
http://blogs.msdn.com/oldnewthing/archive/2007/11/26/6523907.aspx

This is an old blog entry but I thought I'd post a comment anyway.

This is for windows people that for whatever reason have decided to keep running in admin for convenience's sake. I am NOT advocating this over running as simple user on the desktop, but since people do it anyway... There is a way to have your cake and eat it too. Since most vulnerabilities come from running apps that connect to the internet, run those select few apps with simple user privileges, on your admin desktop. Here is how:

Get pstools from microsoft. A free download. it contains psexec
For each app, create a batch invoking psexec with the app as the parameter and -l for limited user mode.
Get a free batch file compiler to compile the batch file in an exe and make it so it doesnt display the console window
Replace your app shortcuts with those pointing to your compiled batch file. Change the icons too. Good candidate programs are your browser, torrent client, emule, m_irc, msn, whatever you know accesses the net. Make sure you also go through each program once as admin to take care of all firewall and folder permisson issues on the download folders.
You do this once when you set up the machine. Won't take more than 20-30mins. After that its NO EXTRA HASSLE. You just get a few more cmd and psexec processes in task manager.

Felix, I could buy a PC better than the Mac mini at a lower price.