You got my car analogy all wrong. I mentioned two different drivers. Drivers who know how to drive cars and drivers who know learnt how to drive defensively. At this stage, it's how we can compare O.Ss users, isn't it? Even with all the technology that car manufacturers come up with, it will never be good enough. You cannot blame a car manufacturer if you have an accident because the road was wet. Can you blame them? No, you can't. You didn't care enough to have extra lessons to drive defensively. Had you done that, you could make the car respond to you, and you wouldn't have the accident. You'd know what you'd have to do in order to stop worse things that could come from the accident. As we are right now with O.Ss, that's how I see it. Let's see what future is reserving to us all.
The way I see it there is no difference between an exploit and a socially engineered attack, both fall under intrusions/ security issues. I believe security falls into the kernel, the rest of the logic falls from that. I think you can either try to educate users and provide information and hope that they make the right decisions or you can work on some security code that tries to protect the user for them. Maybe both would work. I personally believe that the second choice is the right one. edit: And I believe that because educating billions of people doesn't seem feasible to me and I'll always expect human error whereas errors in code can be hammered out by teams and that will effect those billions without their needing to opt into training.
Why you keep suggesting things that are already implemented? WHY people KEEP thinking they are the first ones in the world to think in so blatantly obvious things? It's beyond me. You (not only you, but several others) must think everyone in Microsoft are innocent home users programming for innocent home users. Remains to be demonstrated the possibility of such a system being "possible" for the (latest) windows complete "ecosystem". Why they "don't do well" in the long run? Where is the evidence? According to researches by Microsoft that I already showed, they are doing very well. Let's remember that IE9 had the complete SmartScreen experience since when, 2 years ago? And that full MSE is still going to be default in Win starting with WIn8?
lmao chill out. MSE is not what I'm asking for at all - I haven't even said what system I would use. I said I like definitive answers, you said MSE gives definitive answers, I agreed. Somehow this means I'm trying to reinvent the AV with blacklisting and definitive answers? lol Did you read it? It's for XP, Vista, 7. The research was done in 2011. Yes, it does remain to be seen how such a system would do in the public. Uhhh, MSE relies on heuristics and blacklisting too. It's hardly some ultimate security solution. Smartscreen obviously works differently but blacklisting and heuristics (reputation) are the core. Obviously it is not the same. But hackers have been able to avoid it by simply targetting plugins etc or getting users to bypass it. Perhaps we'll see a resurgence of exploits if it's so effective. Or maybe we'll just see malware authors come up with a new way to bypass this latest mitigation technique, as seems to happen so often.
With the requisite O/S version, the first part is possible. In this case, though, the file is harmless; it's just that it's not "frequently downloaded", one of the criteria ss filter uses to analyze a file's reputation.
That's not quite what I'd want. Actually I gave smartscreen some thought the other day while I was looking into something else and it's pretty cool. EDIT: Though obviously I don't consider it that amazing.
But, you're looking for the 100% solution... Will it ever exist? Security code is still code, and code still needs to be 100% bug free. So, even if Microsoft does introduce it over time, and hopefully it will, it will never be bulletproof. So, what if the user, uneducated user I must say, comes across something that this security code fails to protect against? The uneducated user could have avoided such if he/she was educated. Sorry, but you cannot put everything in the "hands" of security code. You must accept the fact that security code is still code. Unless someone discovers the way to develop 100% bug free code...
Eh, not 100%. That's kinda like asking for infinity. It's an asymptotic relationship. As you say we have no way to produce 100% bug free code. Especially not in C/++... And what if your educated user comes across an exploit? It comes down to probabilities I suppose. I think that it's more likely that you can make exploiting code too difficult/ slow as opposed to educating users to the point where they make the same number (few) mistakes as that code. In other words, I believe the "best code" is better than the "best user" in terms of exploits :: mistakes (ratio.)
Let's read what you posted: Well, Windows is already doing that for several kinds of known and unknown malware (did you ever see WINDOWS DEFENDER in action?) and Windows is already going to do that for all kinds of known malware and known "unknown malware" patterns in the very next Windows version (something called MSE is going to be added and turned ON by default). So what? That small research means almost nothing and doesn't indicate that the "thing" being developed is ready for the mass deployment that a new Windows version is likely to face. Did they, at least, run that thing in a comprehensible (comparable to the current Windows ecosystem) set of different hardware with different drivers and different installed apps?? No? OK. I want to see the "THE THEORETICALLY ULTIMATE" getting the real world test that SmartScreen is getting before calling it effective (let alone calling it "THE REALLY ULTIMATE"). Yeah, but it's harder for them now. Very harder. Some attacks are "demonstrated" in security conferences, but with all the statistics provided, I think it's safe to assume that 95%+ of the attacks that happen in "real world" against latest Windows PCs end up with blatantly failures some way or other.
Which isn't news to me. I don't see why you think I'm saying Windows doesn't do this with MSE/Defender and even to quite an extent SmartScreen. lol, no, it doesn't mean nothing. You just want it to mean nothing. How many times have I said it's not ideal (ie: not some ultimate security.)? And I thought I wasn't invested in the conversation... SmartScreen is effective for what it does, at the moment. But with easy pickings out there like XP users, Flash, and Java, it hasn't really been targeted either. I think it's great as a blacklist, great as a whitelist, and it's great as a way to inform users of an applications reputation, which can very well be a great measure to stop them from running it. We will see if things change. As I said, maybe we'll see malware actually try to bypass it or maybe we'll see them focus on exploits. I think the one thing we can be sure of is that they won't go "Oh darn that Microsoft, we give up!" Yep. I agree - in terms of real world targets SmartScreen is very effective for what it's meant to do. I just think it's limited in scope.
The educated user would use something he/she could have more or less control. I run Chromium with a low integrity level. An educated user would know he/she can control JavaScript, plugins on a per-site basis. An educated user would know things like Sandboxie, AppLocker, etc. An educated user would know about standard user accounts. An educated user would know how UAC actually works, etc. An educated and interested user would know a lot of stuff. Their willingness would be their own limitation. And, if we're talking about a kernel exploit, then I got my doubts the security code you talk would be able to do something about it. I suppose it comes down to probabilities. Which is why I run my system the way I do. It's all about probabilities. For that some reason we can't exclude both factors - security code and educated users. This makes a stronger fight doesn't it?
The kernel's in C/C++ and it's large. No, I don't think we can eliminate exploits there. That's been one of the things I've been thinking about - mitigating kernel exploits. I would definitely use some notifications and maybe in an extreme case some interaction. But I would never give critical decisions to the user. But in terms of what I would rely on/ the core part of the model it would be entirely code.
Well, you said "YOU WOULD LIKE". Lol, it's already doing what "you would like", you know it's already doing what "you would like", but yet "you would like" it to do what you know IT IS ALREADY DOING? OK, it might not mean "nothing". I edited my post. But you are overestimating that research, if you think that it is enough to make your point somewhat "valid". You will need a lot more than that, at least to convince people like me, that tend to think about the variables. And where DID I say that SmartScreen is "ultimate"? You bring up such words FIRST (should I paste your quote?) and go to the defensive when the words you brought up are directed to you. Very weird. Windows XP isn't the most used OS anymore but SmartScreen works in IE8 under XP (apart from the Reputation filter). Flash/Java are being automatically updated now, plus Microsoft Update blocks vulnerable activeX versions. Also I think crackers want the largest possible audience, they target Windows users because Windows users alone are already more than 90% of the users, but if these same crackers can already attack users of old versions of "plugins/browsers/OS/whatever" without difficulty and if that mass of users running old things form, what, 60% of the total of users, crackers are more than likely to be already investigating ways to attack the mass running new things. So yeah, it's more than likely that SmartScreen and everything else are already under deep scrutiny, but yet they remain considerable effective. And just how can it be improved on its scope? Can you give constructive criticism that can be applied now, or will you continue talking about untested theoretical models?
I like definitive answers. I like that MSE gives those. I like that SmartScreen gives those. I like that when it can't give any answer it goes ahead and says "It's suspicious." It's not how I would do it but I think it's ok for an extra layer. It definitely needs to be vetted in the real world. But I'm only using it as a proof of concept. I'm not saying "OMG Tracer is definitively the best security program EVER" I'm saying "Here is an example of a program that, in these tests, far outshines other programs." You should read it regardless, they have some really interesting research about malware in general in terms of behaviors. I don't think that SmartScreen will continue to perform as well as we've seen in IE9 if attackers are ever forced to deal with it - how about that? Flash auto-updates are in beta. Java autoupdates lol those don't work too well. And the fact that Java is cross-platform is going to mean it'll have a huge audience. I do not think that attackers are trying to bypass smartscreen. Maybe one day they'll be forced to but right now there are easier entry points. Java, flash, reader are constantly not updated despite them having update mechanisms (Reader will update, Java will update - with consent) and there are enough users who don't update and they're just easy targets. Saying that attackers are trying to break smartscreen but can't after two years is what makes me feel like you're calling it some ultimate security solution. I do not believe that MS has just created something that's made them give up - I just think they aren't bothering to go after the 10 foot long shark when there's 50 beached whales lying in wait for them. I would include a method to deal with malware that bypasses it + users who accidentally or for whatever reason bypass it. I don't want to be all that specific honestly because, naturally, whatever I consider to be "good security" is what I'll be selling.
Nice. I will... if it doesn't get too technical, because my "thing" is law and order. (but I'm still just a young student). I think differently. SmartScreen looks too solid. When attackers are forced to deal with it near "every time", they will probably focus on social engineering techniques to make users themselves ignore/circumvent SmartScreen. With that, their crimes become more "psychological" and less "technological". Microsoft Update has been blocking vulnerable ActiveX versions of these plugins for years now for those with Automatic Updates turned ON (it's ON by default, remember). It's called the "Cumulative Security Update of ActiveX Kill Bits". I think the number of users running "updated versions"+IE is too significant to make the crackers don't try to target it. They can break SmartScreen! Or else it would be a 100% effective tool (if used correctly)! According to the NSS Labs, SS blatantly blocks 90% of the malware, and gives a reputation warning for 9,something% of the remaining unblocked malware. Fair enough.
There might be some technical stuff in there but you don't have to know too much to understand it. The stuff about malware statistics is very easy to read. And therefor SmartScreen is bypassable by social engineering? That's what it sounds like you're saying. I just want to be clear lol sorry Who was it... Avast! that said ~70% of their users were running vulnerable out of date versions of Adobe Reader? If I can hit 70% of users with an exploit I'm not going to bother with anything else. I mean, kernel exploits exist and they're basically free entryways into the entire system... but why the hell would I (as a hacker) try to exploit them when I have Java or Reader or Flash not updated on so many computers? Or browser vulns? Or old unpatched OS vulns? Yes, there are those 1 or 2% of cases that bypass it. The reason I am curious to see how it fairs when Win8 becomes popular is because malware writers will be forced to deal with it (they aren't being forced to deal with it right now, almost half of the users are on other browsers and there are far easier attack vectors.) 100% of Win8 users will be given the option on boot (it's default Yes but you can turn it off during setup) with it by default and that means it may not be as easy to ignore. If malicious payloads are forced to deal with smartscreen they'll either have to get the payloads to bypass smartscreen or start dealing with more return orient programming attacks where payloads aren't the first step (ie: I take control of a legiitmate process, and use that legit process to turn smartscreen off or other protections off. Normally exploits just download payloads and execute them.)
Maybe I am missing something here, but the way I look at it is what I consider a basic level. Any OS, which allows changes to it after it is made/configured/created/whatever, MUST make allowances for certain actions/function/activities that will require a certain level of trust. That trust might need to come from the maker of new hardware and the drivers (the software authors) and that trust might need to come from the user (admin, user, guest, whomever). The OS cannot, IMHO, ever know how to handle changes to it. Isn't this the core issue, that since the end user actually desire individuality/choise, they expect to put on a program they like. If that program (driver, whatever) requires escelated priveleges to do its thing, then how do you protect what happens when that "hole" is opened? Right now, you are free to choose what type of solution you want to employ. It can be resident AV or a scanner, it can be hips or white/black listing. It can be as simple as checking hashes on executables. You can have protection against files, processes, memory residents, bios/bootkits and network packets. Many methods of protection are even included in the OS if you want to use them, and lately the OS itself is developing some tools traditionally provided by 3rd party, presumeably so that you can trust it to work in the best way. As long as the end user, for whatever reason, is allowed to make changes or run any executable they desire (whether that is a good or a bad thing), then the OS must allow them to do so. Not allowing them to do so would create a safety net, but at the expense of not allowing modifications. The repository could be used to an advantage I suppose. If you could only install drivers/software from an authorized repository, perhaps correct and good code would be assured, and then the OS could restrict the end user to only those approved applications. That is still quite restrictive in my opinion. It stands to reason that if the OS continues to allow the end user to install drivers/software and execute what they want, then it will fall into the hands of the user to employ some way of making sure what they do is kosher. Maybe it is LUA with scanners or maybe it is submitting things to scanners or maybe it is only installing from approved repositories. If a user wants to install something else, and it would be thier choise to do so, then again you are right back to how is the OS going to be able to know what they are about to do is going to be malicious? I still contend, as long as the OS allows the end user the choise of such high level rights to do things like I have mentioned, I don't see how the OS can ever overcome the choises of the user. And I don't think it should have to overcome the choises of the user. I think M$ should have an easy to use, easy to understand and easy to find way of installing approved software. If the user wants to make sure they stay safe, then they can only put those approved softwares on. For any other thing, well, it is up to the user to figure out if it is safe or not. I like the comment that average users might see a computer as an appliance, like a dvd player or toaster. Just another high tech thing to use. I think that is an apt description personally. But what makes people, who are so flippant about a computer and the dangers that the internet brings, think they can do thier banking online without doing some homework? Sul.
Six pages of posts but only 25 votes so far ? Are these numbers the real total ? I find that surprising considering the number of posts.
i just voted. i did not vote before because i did not want to explain why. yes, i think the user need to take some responsibilities. and Microsoft has to beef up their security. --------------------------------------------------------------- anyway, i just wanted to thank everybody here at Wilders for the help and knowledge. i'll drop by once in awhile but it's time to move on. tnx again!
