Sunday, May 28, 2006

Google and child porn?

Google Porn
Now here's a person seeking instant fame by suing Google for distributing child porn. He claims that Google has profited many millions of dollars from child pornography. Jeffrey Toback, a member of the Nassau County Legislature, said that Google had put up many paid links on its search result pages which linked to sites distributing pornography, including of minors. He also said that Google has the technology to filter porn results out of search results, as it demonstrated in China (good point, he has).

A Google spokesman denied the allegations and said the Mountain View, Calif.-based company takes numerous steps to prevent access to child pornography.

“When we find or are made aware of any child pornography, we remove it from our products, including our search engine,” spokesman Steve Langdon said in an e-mail statement to The Associated Press. “We also report it to the appropriate law enforcement officials and fully cooperate with the law enforcement community to combat child pornography.”

Somebody please mention to Mr. Toback that if he wants, he can filter out those ‘nasty’ results from the settings in Google. And I don’t get why it’s just Google. What about Yahoo, MSN and millions of other search engines?

Read more


A worm that gives you headache!

Virus
A new kind of worm has been raising hell in the cyber world recently. Named Yhoo32.explr, it spreads through Yahoo Instant Messenger (Yikes, must be careful). After successfully installing itself it downloads its own browser without the user's permission. The newly downloaded browser is an IE look-alike. They say there is no difference except a start-up tune. To make things worse, it takes users to weird sites and cannot be uninstalled the ‘normal’ way.

That's all? Not at all. You have not seen the last of this worm. According to Information Week, it blares out some kind of guitar music played by some idiot who has never seen a guitar in his life. Information Week says the music can give you a headache!

What a time. Computer viruses used to just infect our computers. Now they affect us directly! Heavens, there is no difference between a computer virus and a real virus now. I am sure this is the first kind of worm that gives humans a headache.

What do you think, fellas? Comment your thoughts about this nuisance.


Protect the protector

How could they do this to us?! Symantec’s Norton Antivirus may betray us all soon. A gigantic security hole has been found in it. Using this ‘hole’, a hacker can take control of our PC and access all the sensitive data (if there is any in the first place).

Researchers from eEye Digital Security of Aliso Viejo, Calif., discovered the vulnerability and provided evidence to Symantec engineers this week, said eEye’s chief hacking officer, Marc Maiffret. He demonstrated the attack for The Associated Press.

Maiffret’s company — which has discovered hundreds of similar flaws in other software products — also produces intrusion-protection software, called “Blink,” that he said already blocks such attacks and can operate alongside Symantec’s anti-virus products.

To those who use Norton Antivirus: just hope that Norton releases a patch to cover things up.


Sunday, May 21, 2006

Linux Security Quick Reference Guide

This Quick Reference Guide is intended to provide a starting point for improving the security of your system. Contained within include references to security resources around the net, tips on securing your Linux box, and general security information :-)

Download


Ten tips for managing passwords

Passwords are fatally flawed, it's true, but for now they are the best option for many companies. But almost everybody could be managing them more effectively.

In all likelihood passwords will remain a problem until the very day they are replaced by technologies such as biometrics, which is the direction the industry appears to be heading. However, until that day comes, below are some tips for fostering a culture of secure and more effective password management.

1. Passwords must not be written down
If it seems incredible that we are still talking about password management at all, then it is unimaginable that we have to make this first point.

If staff are writing down their passwords, having been told why they must not do so, then the system is too complex and too much is being asked of them. Companies must strike a balance between security and usability because a failure to understand the latter can easily undermine the former.

So consider whether employees have been properly educated about the need to keep passwords secure and then consult the measures below if you need to update your password policy.

2. Passwords must be set
And you thought the first tip seemed obvious? It's staggering to hear instances where systems have been compromised because the password was still set as a default 'password' or 'changeme' or similar.

3. Require as few passwords as possible
Balance how much password protection you need with how many passwords can reasonably be managed. Identify which networks, systems and applications have the highest priority. If staff have to remember 10 passwords -- from ones guarding highly sensitive data to ones that really serve little or no purpose - they may be unable to manage all of them.

What's to say the one they write down and lose isn't the most sensitive?

4. Staff must change their passwords regularly
This limits the likelihood of old passwords, shared between colleagues in less-secure times, coming back to haunt you. It also limits the window of opportunity if passwords subsequently fall into the wrong hands.

How often they are changed must again be a balance between security and usability. If staff are required to come up with a new password every week, they will likely become confused and start writing them down. In fact longer periods between changes -- 90 days rather than 30 days for example -- can actually prove beneficial as knowing a password will have a longer lifespan makes a more complex password far more manageable and may encourage staff to give it more careful consideration.

5. Make new passwords new
When passwords are changed users must not distinguish them from a previous password by just one character. RandomW0RD1, RandomW0RD2, RandomW0RD3 becomes a pattern that is pretty easy to figure out.

6. Avoid obvious words
Passwords must be more complex than a single word which can be hacked with a dictionary attack (using software to automatically enter all the words in the dictionary as well as proper nouns). Names, addresses and other words which are easily linked back to the individual should also be blocked from use. It's alarming how many instances there are of staff using their name, their partner's name or their pet's name.

7. Think long -- but not too long
A password which consists of at least eight characters with a mix of upper case, lower case and numbers is a good start. If the minimum requirement is too long staff may be encouraged to be lazy and use repeat characters or obvious strings: ABCDEFG123456789.

However, a minimum with a reasonably high upper limit would allow staff to be creative. One suggestion is to use phrases rather than words. Certainly 'mYd0g1sCALLEDf1d0' is less likely to be guessed than 'Fido'. Again, it's a step in the right direction towards creating more secure passwords.

8. Automate password changes
The process of making staff reset and choose secure passwords must also be automated. Do not rely on staff to remember how long it has been since they last reset it, what passwords they have used in the past year or what types of words are off-policy. It's not a question of trust. It's a question of history showing us that policies are never adhered to by choice.

9. Educate staff
Ensure password policy is written into employment contracts and that all staff understand why and what that entails. Hopefully, if all other measures work, the most serious human piece of the jigsaw will be the requirement for staff not to share their password and not to write it down. Such wording should also prohibit repetition of passwords between services -- particularly between those outside and inside the enterprise. A corporate login is likely to be more sensitive than a newspaper subscription login which may be shared with friends and family.

10. Look to the future
Finally, look at long-term solutions which will eventually replace passwords -- such as biometrics and two-factor authentication. Passwords are flawed and the above tips are recommendations for how they can be more secure -- for now.
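To make tips 4 to 8 concrete, here is an added example of a password-change check, written for this page and not taken from the original article. It rejects passwords that are a dictionary word or personal detail in disguise (tip 6), that are too short, lack mixed case and digits, or contain runs like ABCDEFG123456789 (tip 7), that differ from the previous password by a single character or a new counter (tip 5), or that appear in a salted-hash history (tip 8), and it computes when the 90-day rotation window (tip 4) closes. The word list, the personal terms and the sample user are constructed for illustration.

```python
"""Password policy check illustrating tips 4 to 8 (added example, not the article's code).

The word list, personal terms and sample history below are constructed; a real
deployment would load a full dictionary and keep the history in the user store.
"""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8          # tip 7: at least eight characters
MAX_AGE_DAYS = 90       # tip 4: rotate every 90 days rather than 30
HISTORY_SIZE = 12       # tip 8: remember roughly a year of previous passwords
RUN_LENGTH = 4          # tip 7: reject "ABCD" / "1234" / "aaaa" style runs

# Constructed sample of dictionary words and vendor defaults (tips 2 and 6).
WEAK_WORDS = {"password", "changeme", "welcome", "letmein", "secret", "qwerty"}
_LEET = str.maketrans("0134@$", "oieaas")
_DIGITS = "0123456789"


def normalized_forms(pw):
    """Lowercase variants with common substitutions undone (f1d0 -> fido,
    Fido123 -> fido) so trivial disguises of a blocked word still match."""
    low = pw.lower()
    return {low.translate(_LEET), low.strip(_DIGITS).translate(_LEET)}


def is_near_duplicate(new, old):
    """Tip 5: reject the old password with one character changed, added or
    removed, and the same stem with a new counter on the end (RandomW0RD1 -> 2)."""
    if new == old:
        return True
    if new.rstrip(_DIGITS).lower() == old.rstrip(_DIGITS).lower():
        return True
    if len(new) == len(old):
        return sum(a != b for a, b in zip(new, old)) <= 1
    if abs(len(new) - len(old)) == 1:
        longer, shorter = (new, old) if len(new) > len(old) else (old, new)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def has_obvious_run(pw, n=RUN_LENGTH):
    """Tip 7: n or more identical or consecutive characters (aaaa, abcd, 9876)."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def hash_for_history(pw, salt=None):
    """Salted PBKDF2 so the history never stores old passwords in the clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def in_history(pw, history):
    return any(hash_for_history(pw, salt)[1] == digest for salt, digest in history)


def remember(history, pw):
    """Append the new password's salted hash, keeping only HISTORY_SIZE entries."""
    history.append(hash_for_history(pw))
    del history[:-HISTORY_SIZE]


def check_new_password(new, old, history, personal_terms=()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in new) and any(c.isupper() for c in new)
            and any(c.isdigit() for c in new)):
        problems.append("needs upper case, lower case and digits")
    if has_obvious_run(new):
        problems.append("contains a repeated or sequential run")
    blocked = WEAK_WORDS | {t.lower() for t in personal_terms}
    if normalized_forms(new) & blocked:
        problems.append("is a dictionary word, default or personal detail")
    if is_near_duplicate(new, old):
        problems.append("too similar to the previous password")
    if in_history(new, history):
        problems.append("was used before")
    return problems


def rotation_due(last_changed, today=None):
    """Tips 4 and 8: days left in the MAX_AGE_DAYS window (negative means overdue)."""
    today = today or date.today()
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


if __name__ == "__main__":
    # Constructed sample user whose previous password was RandomW0RD1 and whose pet is Fido.
    history = []
    remember(history, "Winter2005!")
    old = "RandomW0RD1"
    remember(history, old)
    for candidate in ["RandomW0RD2", "f1d0", "ABCDEFG123456789", "Winter2005!", "mYd0g1sCALLEDf1d0"]:
        print(candidate, check_new_password(candidate, old, history, ["Fido"]) or "accepted")
    print("days until rotation:", rotation_due(date(2006, 5, 21), date(2006, 5, 28)))
```

The similarity check (tip 5) only needs the previous password because the user supplies it at change time; older passwords are compared through their salted hashes, so nothing beyond the current change ever sits in the clear. Note that the article's own 'mYd0g1sCALLEDf1d0' passes even though 'Fido' is a listed personal term, since the check blocks passwords that *are* a disguised blocked word rather than every phrase containing one.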


Tuesday, May 16, 2006

'Useful Firefox Security Extensions' by CERIAS

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

  • Add n’ Edit Cookies
    This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
  • Dr. Web Anti-Virus Link Checker
    This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  • FormFox
    This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  • FlashBlock
    Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
  • LiveHTTPHeaders & Header Monitor
    LiveHTTPHeaders is an incredibly useful tool for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
  • JavaScript Option
    This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
  • NoScript
    This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the <a> tag; and attempt to rewrite links that execute javascript to go to their intended destination without triggering the script code.

    The one thing I’d really like to see from this extension would be more granularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces. Also read Pascal Meunier’s take on NoScript.

  • QuickJava
    Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
  • ShowIP
    This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
  • SpoofStick
    The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  • Tamper Data
    Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I’ll collect them in an upcoming post.


Saturday, May 13, 2006

Microsoft Windows Defender beta: One easy interface


Site of the moment, FirewallGuide.com

FirewallGuide.com provides easy access to basic information about, and independent, third-party reviews of Internet security and privacy products for home, telecommuter, and SOHO (small office, home office) end-users. For current security news, reviews and alerts, see their Internet Security News page.

The Wild West? A personal computer connected to the Internet without a firewall can be hijacked in just a few minutes by automated hacker ''Bots''. The only way to make your computer 100% secure is to turn it off or disconnect it from the Internet. The real issue is how to make your computer 99% secure when it is connected. Not having protection is like leaving your car running with the doors unlocked and the keys in it which a thief might interpret as "please steal me". Stated another way, when was the last time you handed a stranger your wallet and encouraged them to take your social security card, drivers license, cash and credit cards? Locking a car, using a "club" or installing a security system makes stealing a car more difficult. Internet security and privacy products provide adequate protection by making it difficult for "outlaws" to take control of your computer and rip you off.

Bottom Line -- At minimum, any computer connected to the Internet needs to have all current patches to its operating system and browser installed as well as personal firewall, antivirus and anti-spyware software. A more complete solution is taking a layered approach to protect your security and privacy as follows:

  • First line of defense -- Choose an Internet service provider and/or an email service that offers online (server side) virus and spam email filters.
  • Second line of defense -- Install a wired or wireless hardware router with a built in firewall between your modem and your computer or network. Also consider using a broadband gateway offering a combination of hardware and security software.
  • Third line of defense -- Use a security software suite or a collection of individual software products including, at a minimum, personal firewall, anti-spyware, and anti-virus products. Also consider using anti-Trojan, anti-spam, anti-phishing, and privacy software. Please note that cost is not an issue since there is good security freeware available.
Read More...


Friday, May 12, 2006

Fake MSN Feedback Request emails

Shailendra Rai (v-srai@microsoft.com), more probably a fake name, sent out a fake e-mail in bulk. Here's a copy of what I got yesterday:

Shailendra Rai (v-srai@microsoft.com)
To:
******@hotmail.com
Subject:
Give Feedback about the Windows Live Messenger Beta

Just give it a try; it's not getting any secret information out of you, but they are illegally representing themselves as being from Microsoft. Give it a try, click here.

For the first question:
Are you a Microsoft employee?; Choose: Yes

This is what I got:

If you feel insecure giving out information like what you use as an alternative to MSN Live, your observations, suggestions and other information, please don't follow the survey link. Rather, it is suggested that no one follow the survey unless aware of what they are doing. Oh, did I forget? Forget what? This -> LOL

Good Luck!


Thursday, May 11, 2006

Hacker's Challenge 3 - Review at Amazon

Book Description

The ultimate test of hacking skills for IT security professionals

This unique volume helps you determine if you have what it takes to keep hackers out of your network. Twenty brand-new, real-life security incidents test computer forensics and response skills--all in an entertaining and informative style. The latest security topics are covered, including phishing and pharming scams, internal corporate hacking, Cisco IOS hacks, wireless hacks,VoIP hacks,Windows, Mac OS X, UNIX/Linux, and much more!

Each challenge unfolds like a chapter from a novel and includes details of the incident—how the break-in was detected, evidence, and background such as log files and network diagrams--and is followed by a series of questions for you to solve. Detailed solutions for all the challenges are included in the second part of the book.

From the Back Cover

“The stories about phishing attacks against banks are so true-to-life, it’s chilling.” --Joel Dubin, CISSP, Microsoft MVP in Security

Every day, hackers are devising new ways to break into your network. Do you have what it takes to stop them? Find out in Hacker’s Challenge 3. Inside, top-tier security experts offer 20 brand-new, real-world network security incidents to test your computer forensics and response skills. All the latest hot-button topics are covered, including phishing and pharming scams, internal corporate hacking, Cisco IOS, wireless, iSCSI storage, VoIP, Windows, Mac OS X, and UNIX/Linux hacks, and much more. Each challenge includes a detailed explanation of the incident--how the break-in was detected, evidence and clues, technical background such as log files and network maps, and a series of questions for you to solve. In Part II, you’ll get a detailed analysis of how the experts solved each incident.

Excerpt from “Big Bait, Big Phish”:

The Challenge: “Could you find out what’s going on with the gobi web server? Customer order e-mails aren’t being sent out, and the thing’s chugging under a big load…” Rob e-mailed the development team reminding them not to send marketing e-mails from the gobi web server…. “Customer service is worried about some issue with tons of disputed false orders….” Rob noticed a suspicious pattern with the “false” orders: they were all being delivered to the same P.O. box…He decided to investigate the access logs. An external JavaScript file being referenced seemed especially strange, so he tested to see if he could access it himself…. The attacker was manipulating the link parameter of the login.pl application. Rob needed to see the server side script that generated the login.pl page to determine the purpose….

The Solution: After reviewing the log files included in the challenge, propose your assessment: What is the significance of the attacker’s JavaScript file? What was an early clue that Rob missed that might have alerted him to something being amiss? What are some different ways the attacker could have delivered the payload? Who is this attack ultimately targeted against? Then, turn to the experts' answers to find out what really happened.

About the Author

David Pollino leads research focusing on wireless and security technologies.

Mike Schiffman, CISSP, holds a research role at Cisco Systems, Inc., and serves on the advisory boards of Qualys, IMG Universal,Vigilant, and Sensory Networks.

Bill Pennington, CISSP, CCNA, manages research and development at WhiteHat Security, Inc.

Tony Bradley, CISSP-ISSAP, is a Fortune 100 security architect and consultant who has written for several computer security–related magazines and websites.


Microsoft Issues Three Security Updates

Microsoft today issued three software patches to fix a security flaw in Windows, another in its Exchange Server e-mail product, and two "critical" vulnerabilities in older versions of Adobe's Macromedia Flash Player that comes bundled with Windows.

The Flash patch being distributed by Redmond fixes two serious vulnerabilities present in versions 6.0.79 or earlier installed on either Windows 98, Windows 98SE, Windows ME or Windows XP (Flash is installed by default on all of those). To see what version you have installed, check out this link.

This patch also includes the security fixes for Flash versions 7.x and 8.x that Adobe released in March. If you applied those patches, you shouldn't have to update, but just check your Flash version anyway to be sure. The most recent safe version of Flash is 8.0.24.0.

The second update fixes a couple of security flaws in Windows that Microsoft said could be used by attackers to cause systems to seize up. This flaw exists in XP, Windows 2000, and Windows Server 2003. If you are using one of these operating systems, visit Microsoft Update and install this patch.

The final patch fixes a critical problem in Exchange Server, which many businesses use to manage their incoming and outgoing e-mail.

For businesses using Exchange, this is a very important update to install. The problem is, even Microsoft admits it may cause problems for some third-party applications that work hand-in-hand with Exchange. For instance, Research in Motion, the company that makes the popular BlackBerry mobile phone/organizer, said applying this patch will break some functionality required by its software. Microsoft has published some workarounds for businesses that have trouble after installing this update.


Wednesday, May 10, 2006

Operating System Sucks-Rules-O-Meter

Sucks-Rules-O-Meter? Hah, this time for Operating Systems.

Here are the results. Linux rules according to those who know what it is. It sucks according to those who can't install it. Heh!, my point of view. :D MacOS is sweet; whoever has used it voted rules. MacOS sucks less because it reaches fewer people. Wishlist: AdSense will buy me the MacBook Pro, fingers crossed. Lastly, Windows! Sucks!! :D

This operating system quality and approval metric is based on a periodic AltaVista search for each of several operating systems, directly followed by "sucks", "rules", or "rocks".

Read more, as said by the original sucks-rules-o-meter site [http://srom.zgp.org] :
We search for all operating system names exactly as shown above, with the exceptions of

Mac OS, Mac OS X, and VMS. For Mac OS, we add the search results for the incorrect but common spelling "MacOS". Because Mac OS X is sometimes abbreviated to simply "OS X", the Mac OS X search is just for "OS X" -- we have not found other instances of this term on the web, so we can use it without confusion. For VMS, we add the results for "OpenVMS". We do not search for any derogatory slang misspellings of any operating system name.

Well, I reached that page from Google too, searching for "linux rules". Pretty techy? :D


Today's Website - SecureRoot.com

Today I don't have time to write much, but here's a recommendation.
SecureRoot is one of the most popular computer security sites on the web. Thousands of sites are listed in its security directory, alongside security news, tools, forums, a newsletter, etc.


Hacker Sentenced to Five Years in Jail

Jeanson James Ancheta was sentenced to 57 months in federal prison on Monday for creating and spreading viruses from which he earned profits. Ancheta, a 20-year-old from Downey, CA, pleaded guilty in January to federal criminal charges. His sentence is currently the longest prison term handed down for a computer virus related crime.

After he is released from prison, Jeanson will spend three more years on supervised release, during which time he will have limited access to computers or the Internet.

Ancheta created and sold botnets to spammers and hackers. These botnets were capable of taking over thousands of computers and launching Internet-based attacks.

Although Ancheta avoided a possible sentence of 25 years, $60,000 worth of assets were seized from him. Additionally, Ancheta will be responsible for repaying $15,000 to the US military for networks he damaged.


Thursday, May 04, 2006

LinuxSecurity.com's Security Dictionary

LinuxSecurity.com's Security Dictionary!!!

http://www.linuxsecurity.com/content/view/117309/

Key

I Recommended Terms with an Internet Basis

N Recommended Terms with a Non-Internet Basis

D Deprecated Terms, Definitions, and Uses

C Commentary and Additional Guidance

O Other Definitions


“Mac OS X is Insecure” Rivals “Paul is Dead” as Publicity Ploy

From: http://www.tonybove.com/getoffmicrosoft/blog/

It was a slow news week in February, so the press naturally ganged up on the “Mac vulnerability” story.

News reports, such as “Is Mac OS as safe as ever?” by Joris Evers of CNET News.com, stirred up the flamers in both Windows and Mac camps with statements like this one:

Apple Computer fans have long loved to point out the safety of using Mac OS X, which has mostly been left to its own devices by hackers. But the arrival of three threats has some asking: Is the software’s charmed security life over?

The Beatles’ charmed life as band may have been over in 1969, but it wasn’t because Paul was dead.

Of course, George Ou at ZDNet got in on the blood frenzy with “Extremely critical Mac OS X zero-day exploit released“:

The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction! [bolding his]

Oh my gosh! There are clues on all the Beatle album covers!

I reported on two Mac OS X flaws last week, but this news frenzy centered around a new vulnerability that runs a script in the Mac OS X Terminal program if you merely visit a Web site with Safari, and points to possibly other methods of running a script surreptitiously.

This comment from mdfischer to George Ou was most useful:

The problem can be worked around by renaming the Terminal program in /Applications/Utilities, or moving it elsewhere… This should be a non-problem in a day or so. It was a clever hack, but Apple should have caught this in their QC. It hasn’t emerged as a ‘real’ problem yet (unlike the numerous Windows exploits). Sadly, however, this is an opportunity for mac-haters to crow … why not let them. They don’t, and won’t, get many other chances. Go ahead and give them a taste of what it is like to be in the shoes a mac user. And take this opportunity to experience in ever so small a way what it must be like to be in theirs.

Renaming or moving the Terminal program, as described above, is a sure way to fix future exploits that use the same method of running a script. But most of us already have a way to block this method. By default, Safari leaves off the dangerous option to “Open ’safe’ files after downloading”. You would need to turn this option on for this vulnerability to exist. Firefox and other browsers don’t even offer this option and are safer as a result.

The vulnerability can also use Apple Mail if you click on a JPG attachment — such as a “picture” from someone you don’t know. Well, don’t do that! And if you like to live dangerously, then rename the Terminal program as described above.

Like I said, it was a slow news week, and security experts took the opportunity to crow about their research and get publicity. I’m on the verge of calling it a conspiracy — of security experts to drum up business. But it is human nature to poke at this scrap of news and turn it into a discussion of whether anything at all is secure.

I think it’s wrong to believe that since all software is ultimately vulnerable, Mac OS X is not secure. All locks are vulnerable, but some can be picked a lot more easily than others, and people generally choose better locks so that they can sleep at night. That’s what the editors (and mainstream bloggers) should remember when they bend over to give these security firms free publicity in exchange for exciting headlines — see “Mac Attack a Load of Crap” by Leander Kahney in Wired News:

These security woes prompted a rant from one of our editors in a daily story meeting.

Mac security-threat stories are annoying, he said, because they play off misconceptions — held with a fervor bordering on the religious — that the Mac platform is inherently more secure than Windows. Not so, he insisted. Microsoft has done some stupid things that exposed its customers to unnecessary risks compared to Mac users. But all systems are theoretically vulnerable, so it’s inevitable that the Mac citadel will eventually be breached.

The Mac has had no viruses to date, he said, primarily because of its small market share. It’s got a superior track record compared to Windows, but it’s not invulnerable; rather, no one has bothered to spend much time trying to attack it. Now that hackers are taking more notice, life will get harder for Mac owners. He suggested I tackle this “wake up call” in this column.

Kahney was all set to write this column in the way the editors wanted, but decided, instead, to write the truth:

I’m not going to be running any anti-virus software anytime soon, just as I haven’t run it for many years.

Also, I’m not going to turn off any preferences that make my daily computing habits any less convenient (the browser takeover is protected against by disabling the “Open safe files after downloading” preference in Safari).

The smuggest of smug Mac users is right: the platform is more secure, and these new security threats are no more threatening than a paraplegic kitten…

These Mac security holes are a storm in a teacup. They’ve inspired hundreds of stories in the press and even the national network news, but if they were Windows holes, no one would have blinked…

These Mac “threats” are only news because of their novelty, not the threat level they pose.

I guess the surviving Beatles will have to do solo albums now. And who was that guy who was knighted by the Queen of England? Sure looked like Paul to me.


Windows Vista: Security Through Endless Warning Dialogs

Paul Thurrott's scathing article Where Vista Fails highlights my biggest concern with Windows Vista:

Modern operating systems like Linux and Mac OS X operate under a security model where even administrative users don't get full access to certain features unless they provide an in-place logon before performing any task that might harm the system. This type of security model protects users from themselves, and it is something that Microsoft should have added to Windows years and years ago.

Here's the good news. In Windows Vista, Microsoft is indeed moving to this kind of security model. The feature is called User Account Protection (UAP) and, as you might expect, it prevents even administrative users from performing potentially dangerous tasks without first providing security credentials, thus ensuring that the user understands what they're doing before making a critical mistake. It sounds like a good system. But this is Microsoft, we're talking about here. They completely botched UAP.

The bad news, then, is that UAP is a sad, sad joke. It's the most annoying feature that Microsoft has ever added to any software product, and yes, that includes that ridiculous Clippy character from older Office versions. The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren't so amazingly frustrating. It would be hilarious if it weren't going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness.

We have fairly recent internal builds of Vista for a project we're working on at Vertigo, and we've run into this problem too. Even though you're ostensibly logged in as an "Administrator", you're inundated with a sea of security dialogs if you try to do anything even remotely, well, Administrator-y.

The problem with the Security Through Endless Warning Dialogs school of thought is that it doesn't work. All those earnest warning dialogs eventually blend together into a giant "click here to get work done" button that nobody bothers to read any more. The operating system cries wolf so often that when a real wolf, in the form of a virus or other malware, rolls around, you'll mindlessly grant it whatever access it asks for, just out of habit. As Rick Strahl notes, this is the ultimate form of nagware:

Then there are the security dialogs. Ah yes, now we're making progress: Ask users on EVERY program you launch that isn't signed whether they want to elevate permissions. Uh huh, this is going to work REAL WELL. We know how well that worked with unsigned ActiveX controls in Internet Explorer – so well that even Microsoft isn't signing most of its own ActiveX controls. Give too many warnings that are not quite reasonable and people will never read the dialogs and just click them anyway… I know I started doing that in the short use I've had on Vista.

But there's an even deeper problem lurking under the surface. Why doesn't Vista respect my choice to be an Administrator? Who is really in control here: me, or my operating system? There's something awfully paternalistic about an operating system that lets me log in as an Administrator, but treats me like a regular User. If you're going to treat me like a User, at least have the decency to create a regular User account for me. That would certainly make more sense.

Rick Strahl confirmed that, indeed, Vista downgrades Administrators to regular Users by default, in a misguided attempt to enhance security. He also posted a helpful workaround:

[..] even if you are logged in as Administrator, you're not getting Administrator rights. There's a way to turn this feature off by the way:

  • Run gpEdit.msc
  • Go to: Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
  • User Account Control: Run all users including Administrators as standard users - Disable
  • User Account Control: Behavior of the elevation prompt - No Prompt

Then log off and log back on.
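A check worth running before (or after) adopting that workaround, added here as an example; it is not part of the original post or of Rick Strahl's instructions. In released Windows Vista the two policy settings above are stored as the registry values EnableLUA and ConsentPromptBehaviorAdmin under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; for the pre-release builds the post describes, where the policy wording differed, that mapping is an assumption. The script reports the current state and warns when either setting has been relaxed, because "No Prompt" means any program the administrator runs can elevate silently, and disabling the "run as standard user" policy removes the filtered token entirely (and with it Internet Explorer's Protected Mode):

```powershell
# Added example: reads and restores the UAC policy values behind the two
# Local Security Policy settings in the workaround above. Not from the
# original post. Value names and meanings are those of released Windows
# Vista; for the pre-release builds the post describes this mapping is an
# assumption.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey

    # EnableLUA = 1: administrators log on with a filtered token and elevate
    # per task (the "run as standard user" policy is enabled). 0: the policy
    # is disabled, the admin token is unfiltered and IE Protected Mode is off.
    $approvalMode = [bool]$p.EnableLUA

    # ConsentPromptBehaviorAdmin is the "Behavior of the elevation prompt"
    # policy: 0 = elevate without prompting, 1 = prompt for credentials,
    # 2 = prompt for consent. An absent value means the default (2) applies.
    $promptValue = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 2 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $prompt = switch ($promptValue) {
        0       { 'No prompt (silent elevation)' }
        1       { 'Prompt for credentials' }
        2       { 'Prompt for consent' }
        default { "Unknown value $_" }
    }

    [pscustomobject]@{
        AdminApprovalMode   = $approvalMode
        ElevationPrompt     = $prompt
        # Elevation only means something if the token is filtered AND a
        # human has to approve each elevation.
        ProtectionEffective = $approvalMode -and ($promptValue -ne 0)
    }
}

function Test-UacPolicy {
    # Warns when the workaround (or anything else) has relaxed either setting.
    $u = Get-UacPolicy
    if (-not $u.AdminApprovalMode) {
        Write-Warning 'Admin Approval Mode is off: every process the administrator runs already has full rights.'
    } elseif (-not $u.ProtectionEffective) {
        Write-Warning 'Elevation prompt is "No prompt": any process can elevate silently, so the prompt protects nothing.'
    }
    $u
}

function Restore-UacDefaults {
    # Writes the Vista defaults back. Needs an elevated prompt; takes effect
    # at the next logon, as the workaround's own last step says.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
}

Test-UacPolicy | Format-List
```

Run it from an elevated PowerShell window; Restore-UacDefaults undoes the workaround and the change applies after logging off and back on. PowerShell was not part of the Vista builds the post describes, so on those the same value can be read from a command prompt with reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA.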

I seriously hope Microsoft reconsiders these bizarre policies before Vista is released.

  1. Let administrators really be Administrators!
  2. Create all new users by default as plain Users. If a user opts to upgrade to an Administrator, that's the appropriate time to pop the scary warning dialog.
  3. If a user tries to do something that requires Administrator rights, show a dialog telling them so, and offering links to a) log in temporarily as an Admin, or b) enter the Admin credentials in-place for a quick one time operation.

It could be so much simpler if Microsoft just followed the established conventions.

Posted by Jeff Atwood
