Linked by David Adams on Thu 30th Sep 2010 20:38 UTC, submitted by fran
Bugs & Viruses
"To mark the first anniversary of Microsoft Security Essentials, the company has released some sobering statistics it has gathered during the past year via the free anti-malware software. According to Microsoft, Security Essentials has been installed on 31 million computers worldwide. Out of that group, 27 million users reported malware infections during the year."
Thread beginning with comment 443365
lemur2
Member since:
2007-02-17

"Agreed. The paradigm needs to change. It should be impossible to install software outside of a software installation manager, which requires even then a locally-entered password for a special-to-purpose account with elevated privilege. Clicking "OK" is not enough.
Hmm, as I recall that's exactly what the iPhone does now isn't it? We all know just how much we love that... Repositories won't solve the problem. "

Good try, but no. AFAIK, iPhone applications can be rejected by Apple for reasons other than that they contain malware.

"Openness won't solve the problem. Why? Because people don't care. They're not going to vet the software, and given how easy it is to add repositories in, say, Ubuntu, the paradigm will simply shift from "click this link" to "want some naked pictures? Just add this repository..." Next thing you know, you've got an infected glibc or worse."


There are thousands of repositories, many of them are binary repositories. Because of the community nature, however, if a bad apple were to show up such as you suggest, the repository and key would quickly be added to a blacklist.

No system is perfect. There was a very isolated case with an IRC server software that had got "poisoned" on one or two servers recently, because the original authors did not provide any signatures. It was quickly fixed when discovered, and I believe the two distributions that picked up the bad software (Gentoo and Arch) have already changed their policy about unsigned source packages.

Once again, it doesn't require everyone to vet the software. In fact, it only requires one person to find the malware, and it will get fixed for everyone who uses the distribution. Quickly, without much fuss. According to the experiences so far, this is what happens in the real world. It isn't as though there have been no attacks via repositories, just very, very few successful ones. Maybe a dozen machines, worldwide, at most, in ten years, have ever been compromised via repositories.

"It's been verified all right... by the repository owner, who signed it with their gpg key which *you* validated when you added the repository! Do you really think malware writers won't think of that should this shift ever happen on a broad scale? They won't need to infect existing repositories. Most users will do anything they're told if told correctly, so they need only add *new* repositories. Again, social engineering, right out in the open. So, how do we stop that?"


Blacklisting.

"Only allow software to be installed from approved repositories? Wait though, isn't that exactly what we hate about the iPhone and Apple?"


Whitelisting restricted repositories shouldn't be necessary; blacklisting malevolent repositories has been more than enough so far. Actually there haven't even been any of those: the one instance of malware getting into a repository was through pure slackness by the repository maintainers including unverified source.

"Bottom line: No matter what paradigm shift may happen, the malware will not be far behind. Package managers are superior, but they will not end the problem. They'll shift the delivery mechanism, but they'll only divert it not stop it."


That is your contention, but it is not really supported by real-world outcomes with real-world repositories and real-world distributions.

In the real world, this delivery mechanism has been used for over a decade by many distributions for thousands of packages for millions of users, and the instances of malware can still be counted on the fingers of one person's hands.

"There's only one way to stop this: user education."


Your claim is not at all supported by the actual facts.

"People need to stop treating their computers like magic boxes, get some common sense, and a little basic knowledge. They need to treat computers like tools: you have to know at least a little about how to keep them running well and how not to damage them."


All that needs to happen is to eliminate packages where only the author can know the functionality of the code. Make it so that such packages cannot be installed. Make it so that in order to get any ability to be installed, at least some real-world actual end users of the software have to have the ability to know how it works.

That single step would eliminate malware.

After all, people won't buy or eat rotten fruit if they can tell it is rotten. At the very least, if rotten fruit is inspected and the inspectors could emplace a sign which says "this is rotten fruit" ... the amount of rotten fruit eaten would reduce from kilotonnes down to tens of grams.

Why should software be any different?

Edited 2010-10-01 04:52 UTC

Reply Parent Score: 3
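The trust model the two commenters are arguing over, as an added example that is not part of the original post and not code from any distribution's package manager. It models an apt-style setup: the user records a repository's key fingerprint when adding the repository, the repository signs an index listing package hashes, and the distribution can blacklist a fingerprint. The repository names, package contents and the "poisoned upstream" case are constructed for illustration. GPG is replaced by a Lamport one-time signature built from SHA-256 so the file runs with only the standard library; that scheme is only safe for signing a single message per key and is used here purely so the signatures are real rather than faked.

```python
"""Constructed model of repository trust: who signed what, and what that proves.

Added example, not from the OSNews comment or any real package manager.
Lamport one-time signatures (SHA-256 based) stand in for GPG so this runs
with the standard library only; each key may sign exactly one index.
"""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    # Reveal, for each bit of the message hash, the matching secret.
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    digest = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256)
    )


def fingerprint(pk) -> str:
    # Short hash of the public key, like a GPG key fingerprint.
    return H(b"".join(a + b for a, b in pk)).hex()[:16]


class Repository:
    """A repository publishes packages plus a signed index of their hashes."""

    def __init__(self, name: str):
        self.name = name
        self.sk, self.pk = lamport_keygen()
        self.packages = {}
        self.index = b""
        self.sig = None

    def publish(self, packages: dict):
        # Publish once: the one-time key signs a single index.
        self.packages = dict(packages)
        lines = [f"{n} {hashlib.sha256(d).hexdigest()}" for n, d in sorted(self.packages.items())]
        self.index = "\n".join(lines).encode()
        self.sig = lamport_sign(self.sk, self.index)


class PackageManager:
    """Trust policy: key must be added by the user and not blacklisted by the distro."""

    def __init__(self):
        self.trusted = {}       # fingerprint -> public key, recorded when the user adds a repo
        self.blacklist = set()  # fingerprints the distribution has revoked

    def add_repository(self, repo: Repository):
        # The step the thread argues about: the *user* decides to trust this key.
        self.trusted[fingerprint(repo.pk)] = repo.pk

    def install(self, repo: Repository, pkg: str) -> str:
        fp = fingerprint(repo.pk)
        if fp in self.blacklist:
            return "refused: repository key is blacklisted"
        if fp not in self.trusted:
            return "refused: repository key not trusted"
        if not lamport_verify(self.trusted[fp], repo.index, repo.sig):
            return "refused: index signature invalid"
        expected = dict(line.split() for line in repo.index.decode().splitlines())
        if pkg not in expected:
            return "refused: package not in signed index"
        if hashlib.sha256(repo.packages[pkg]).hexdigest() != expected[pkg]:
            return "refused: package hash mismatch"
        return "installed"


def scenarios() -> dict:
    pm = PackageManager()
    results = {}

    distro = Repository("distro-main")
    distro.publish({"glibc": b"legitimate libc build"})
    pm.add_repository(distro)
    results["legit"] = pm.install(distro, "glibc")

    # A mirror swaps the package after the index was signed: hash check catches it.
    distro.packages["glibc"] = b"trojaned libc build"
    results["mirror_tampered"] = pm.install(distro, "glibc")

    # The repository itself packaged a poisoned upstream tarball (upstream unsigned).
    # The signature is valid and the hash matches: it proves who packaged it, not that it is benign.
    poisoned = Repository("distro-main-2")
    poisoned.publish({"ircd": b"upstream tarball with backdoor"})
    pm.add_repository(poisoned)
    results["poisoned_upstream"] = pm.install(poisoned, "ircd")

    # "Just add this repository...": an attacker's own key verifies fine once the user adds it.
    shady = Repository("naked-pictures-ppa")
    shady.publish({"viewer": b"malware"})
    results["new_repo_before_add"] = pm.install(shady, "viewer")
    pm.add_repository(shady)
    results["new_repo_after_add"] = pm.install(shady, "viewer")

    # The distribution's response: blacklist the fingerprint.
    pm.blacklist.add(fingerprint(shady.pk))
    results["new_repo_after_blacklist"] = pm.install(shady, "viewer")
    return results


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k}: {v}")
```

The "poisoned_upstream" case is the one both sides of the thread are describing from different angles: the signature check passes, because a repository signature only binds the package to whoever ran the repository, so the defence is review of what goes into the index plus revocation of a key once it has been abused.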