Cisco CSO Says Antivirus Money "Completely Wasted"
mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."
WTF? (Score:3, Interesting)
Generally, a rational botnet creator would tend to try to pwn the low-hanging fruit first - i.e. the ones that have no updates, malware detection, AV, etc. Only if he/she is unable to get a large enough botnet after applying those tools would one resort to the higher-level techniques.
It's rather like saying that Timothy McVeigh would rather have used nuclear ordnance when a U-Haul full of fertilizer served his purpose just fine...
Re:Quick linux question (Score:1, Interesting)
For you Wine users, have you ever received a Windows virus or other piece of malware targeted at Windows which has proceeded to wreak havoc on your system? Furthermore, were you able to use any form of antivirus program to fix it, whether it be a Linux native program such as ClamAV or, more interestingly, a Windows antivirus solution running inside Wine?
People Believe What They Want To Believe (Score:1, Interesting)
Look at high severity security exploits for XP SP2+ and more so Vista (even pre SP1). Choose your security reporter and even though these OSes are very popular they have a very low high sev count. You can no longer say Windows is the problem; you can say Windows WAS the problem.
Re:Stating the obvious.. (Score:3, Interesting)
Windows PCs are cheapie throw-aways. Get a virus infection, toss it and get a new one.
And yes it IS profitable to me. I still get $100.00 for data backup and moving, plus I get a PC from them for free to recycle that I sell on eBay for $100.00 with a fresh reinstall of XP from its COA sticker.
I make money, they spend the same AND get a new better machine. It's a win-win.
Re:Agreed -Free For Personal Use (Score:3, Interesting)
That's a bit complex. Why not just run a liveCD then? Cache it into RAM, and it runs very fast.
Re:Stating the obvious.. (Score:3, Interesting)
90% of PC owners do not have the ability to install Windows XP; it's just too difficult.
Re:Agreed -Free For Personal Use (Score:5, Interesting)
Is this really what it's like? Is having malware violating your personal computer the norm? Is it really impossible to design secure OSes and applications from the ground up instead of making them full of holes and relying on "solutions" that pick up the pieces? Is it really better to do damage control than prevention?
I find that very hard to believe. I think it's more likely that the current state of the software industry is based on complacency and no respect for the customer and his or her personal data.
If it turned out that the maker of your main door lock made a shoddy product that allowed anybody to unlock it and have their way with your house... you'd be mad, right? You'd hold them responsible, want your money back, never buy from them again, maybe even sue them and ask for reparations if they acted like assholes.
But when your personal computer gets broken into you don't make a peep, you just sigh and use a backup, if you have one. Then it's back to the torture of finding and paying for antimalware, knowing full well that one day you'll get shafted again.
Someone please explain this self-abuse to me. The only explanation I've come up with is that people are ignorant and/or brainwashed into thinking there's no alternative so they'll put up with anything and think that's how it's supposed to work.
Software industry needs to grow a spine, take responsibility and stop all the "no guarantees" crap. Then maybe, just maybe we'll see some improvement on the malware front.
Re:Agreed (Score:2, Interesting)
A new/old method is to use Instant System Recovery (ISR) solutions. Though they require some adjustment in thinking and deployment, once set up you can get rid of any unwanted content (Malware certainly falls within this category) with a simple reboot of your computer.
The largest stumbling block to general acceptance of these solutions has been their complexity and cost. Things are changing however with the recent developments in what has been coined "Light Virtualization" solutions like the Returnil Virtual System (returnilsoftware (dot) com) that supports entering "shadow" mode without requiring a reboot of the computer.
Though ISR will not detect or block Malware it will ensure that the computer is clean after a restart and all System Partition changes are gone. No improper removals, missed detections, or left over junk to track down...
Though I disagree with Stewart's assessment that AV is a "waste of money" I agree that it has been ineffective as a front-line cure to the problem.
AVs are necessary if only to provide negative feedback on the effectiveness of your security configuration...
Mike
Facing metaphorical mortality of your OS (Score:3, Interesting)
A healthy system may have the latest and best immune system known to man, but this does not guarantee and should not be construed to mean that the system is invulnerable or immortal. It is merely immune or resistant to the diseases that it has been exposed to or evolved resistance or immunity to.
We don't expect medical science to ever eradicate all disease and make us perfectly healthy; why do we think it's possible for computers? (Or conversely, why do we think that building an immune system is wasted effort?)
Then again, perhaps Turing/von Neumann machines and biological organisms aren't so similar after all. It's hard to assess whether this extended metaphor is too forced to be useful or not.
Re:Agreed (Score:5, Interesting)
This whole thing makes me wonder why there isn't a lightweight Linux distribution whose sole purpose is to run another OS in a virtual machine. A user could then run a firewall/etc on this hypervisor to protect the guest.
I know Vista is supposed to do this, but let's face it, it's a big target, and it's created by Microsoft.
Re:Agreed (Score:2, Interesting)
We get hung up on the minutiae of security, and toss around old chestnuts about obscurity and user responsibility, but that kind of thinking has finally run us aground. It has no future.
At the end of the day, cracking systems is work, and crime is a business. The only systems that are really at risk are the ones that can be exploited profitably in some way, and only in that way.
This means in practice that we don't have to protect all conceivable access points, we really only have to deny an exploiter a profit from their troubles.
If you think about it, there are many very simple and creative ways that you can deny a criminal a profit without in fact limiting your own utility. For example, I can create a throw-away instance of a machine on a grid that will do everything I want it to do, and then when it's done, I simply shut it down. So a black hat has maybe 20 minutes to crack my system and exploit it to hell and gone before I throw it away.
Now maybe I've got the entire credit card database for the world's largest bank on that machine, or maybe not - the bad guy has to *pay up front* to find out, and he has to move fast. Even if he's made a good bet, he can still be denied his profit because I might shut down before he's found what he needs. He only has to try this a few times before he works out his ROI from attacking me is a big fat negative number, and gives it up as a bad joke.
Who cares that this is "security by obscurity?" That's just a slogan. What I'm saying is that we are thinking of security in the old Cold War way, Spy vs Spy, treating it like it was an arms race. Well, nobody ever wins an arms race except the arms merchants.
We need to stop obsessing about plugging holes. By all means, we should do the obvious. But flip their ROI and it's all over. This is the universal vulnerability of all computer crime.
Re:Not one of those is a virus... (Score:3, Interesting)
AC didn't say malware. There has never been a Mac OS X virus. Ever. Period. And by your own admission, even worms and trojans are incredibly rare. Feel free to cite a virus if you can, I'd love to read about the thing if it were to exist.
Re:Agreed (Score:2, Interesting)
You disable TCP/IP on the physical network interface, so the Windows box can't talk to the internet. This forces it to route its junk through the virtual machine, which exposes a private network between the host and VM. The VM, in turn, has a second virtual network interface that's bridged to the host's physical interface. Since the VM runs its own TCP stack, it can still talk to the world even though the host is deaf and dumb.
Conceptually, the VM gets inserted between the ethernet level and the TCP level. Barring any freak hypervisor weaknesses, the worst that can happen is for someone to root the VM... they can't break through to the host.
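The host/guest wiring described in the comment above, as an added example rather than anything the commenter posted: it unbinds TCP/IP from the host's physical adapter and gives a VirtualBox guest one host-only NIC and one bridged NIC. The adapter names "Ethernet" and "VirtualBox Host-Only Ethernet Adapter" and the VM name "gateway-vm" are assumptions; the guest itself must still be configured to forward or NAT between its two interfaces.

```powershell
# Added example (not from the original post). Assumed names: physical adapter
# "Ethernet", host-only adapter "VirtualBox Host-Only Ethernet Adapter",
# guest VM "gateway-vm". Run from an elevated PowerShell on the Windows host.
$Physical = "Ethernet"
$HostOnly = "VirtualBox Host-Only Ethernet Adapter"
$Vm       = "gateway-vm"

# 1. Unbind TCP/IP (v4 and v6) from the physical adapter. The link stays up so
#    VirtualBox can bridge to it, but the host itself can no longer speak IP on it.
Disable-NetAdapterBinding -Name $Physical -ComponentID ms_tcpip, ms_tcpip6

# 2. Give the guest two NICs: nic1 on the private host-only network shared with
#    the host, nic2 bridged to the physical adapter so the guest's own TCP stack
#    reaches the outside world. VBoxManage wants the adapter's device description
#    as printed by "VBoxManage list bridgedifs", which may differ from "Ethernet".
& VBoxManage modifyvm $Vm --nic1 hostonly --hostonlyadapter1 $HostOnly
& VBoxManage modifyvm $Vm --nic2 bridged  --bridgeadapter2 $Physical

# 3. Check the result: the physical adapter should show Enabled = False for both
#    IP bindings, the host-only adapter should still show Enabled = True, because
#    that private network is now the host's only path to anywhere.
Get-NetAdapterBinding -Name $Physical, $HostOnly |
    Where-Object ComponentID -in "ms_tcpip", "ms_tcpip6" |
    Select-Object Name, ComponentID, Enabled
```

The host's default route then has to point at the guest's host-only address, and anything the guest does not forward (or filter) simply never reaches the host.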