Linked by David Adams on Thu 30th Sep 2010 20:38 UTC, submitted by fran
Bugs & Viruses "To mark the first anniversary of Microsoft Security Essentials, the company has released some sobering statistics it has gathered during the past year via the free anti-malware software. According to Microsoft, Security Essentials has been installed on 31 million computers worldwide. Out of that group, 27 million users reported malware infections during the year."
Thread beginning with comment 443346
To view parent comment, click here.
To read all comments associated with this story, please click here.
lemur2
Member since:
2007-02-17

Certainly it's a losing battle. Windows is embattled right now due to it being the dominant player. If *NIX were to rise to the top someday, I guarantee you that the battle would be just as nasty. These people go after Windows not because it's inherently less secure (although the defaults are) but because that's where they'll hit the most number of users. Most malware these days isn't even a traditional worm or trojan, but a social engineering effort. Here, click this link in this fake greeting card email... woops, your system is infected but if you give us your credit card number we can remove it, etc. Whichever dominant platform will always have to be fighting a battle against these malware writers, and it will be a losing battle regardless of platform. The only way we'll win the battle regardless is for people to get a little common sense and not click links in emails they don't recognize or run files they didn't download, but common sense seems to be on the decline.


This argument is often put forward, but it ignores a "paradigm shift" that could be possible.

Malware can only exist if it can be hidden. It must be possible to distribute and install software such that the functions the software contains are knowable only to the author. In this way a malevolent author can embed functions which suit his or her nefarious purpose, but which are decidedly not in the interests of the owner of the target machine.

So what is required is a "paradigm shift" towards a situation where only software that can be vetted by anyone and everyone who owns a machine can be installed on a given machine. It doesn't require everyone to actually vet software, it requires only a small percenatge of people to actually vet software. What needs to be assured is that there are people who did not write the software, who can and have vetted the software, and who use it themselves.

If everyone is able to tie down their machines so that ONLY software which is openly vetted as described above can be installed, then malware can't exist on such machines. This won't entirely eliminate malware, as any system can have holes and leaks, but it would reduce the scope of the problem from literally millions down to perhaps tens of pieces of malware that have to be explicitly secured against.

"Here, click this link in this fake greeting card email... woops, your system is infected but if you give us your credit card number we can remove it, etc." ... becomes instead ... "Here, click this link in this fake greeting card email... System warning: attempt to install unsigned software has been prevented."

Windows is a million miles away from such an arrangement. Other systems are much closer to being able to ensure this.

If I may be a little cheeky:
http://www.freesoftwaremagazine.com/files/www.freesoftwaremagazine....

Edited 2010-10-01 02:02 UTC

Reply Parent Score: 3

nt_jerkface Member since:
2009-08-26

So what is required is a "paradigm shift" towards a situation where only software that can be vetted by anyone and everyone who owns a machine can be installed on a given machine.


You're suggesting that all software be open source.

That isn't possible due to software economics and some malware would still slip through. It also doesn't stop the phishing problem.

There is no single solution. Better software and education is the best way forward.

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

"So what is required is a "paradigm shift" towards a situation where only software that can be vetted by anyone and everyone who owns a machine can be installed on a given machine.


You're suggesting that all software be open source.
"

Not quite. I'm suggesting that at the very least all software should be at least one of these:
http://en.wikipedia.org/wiki/Shared_source#Non-Open_Source.2Fnon-Fr...

These are not open source licenses.
The other Microsoft Shared Source Licenses have various limitations that make them non-Open Source according to the Open Source Initiative and non-Free to the Free Software Foundation.


Possibly this one should be the absolute minimum:
Microsoft Reference Source License (Ms-RSL)

If only Ms-RSL (which is not open source) were the minimum standard in terms of disclosing source code, then even then there would no malware.

While the situation persists that source code is routinely allowed to be more restricted (less visible) even than Ms-RSL, then there will be malware.

Edited 2010-10-02 07:47 UTC

Reply Parent Score: 2