The new thing..? Less security?

It sure seems like in the last 1-2 years, more and more users seem to want a simpler appraoch to security. Whether using built-in security options or 3rd party that is not so obtrusive, it seems like a trend.

Is it that more users are more knowledgable, or have we finally started moving past the point of needing a chatty prompt for every action? Or is it the newer OS's are just better.

Does anyone else notice this as well?

Sul.

 

I think it's several things:

Wilders users are fairly advanced and are moving along with the times from old-school stuff like a million scanners to more generic solutions, including virtualization, sandboxing, whitelisting, and, let's not forget, Linux.

The average user is pretty much the same, BUT, there has been a change that even the most clueless user cannot deny - XP SP2 made a small change, IE7/8 made a small change, Firefox made a small change, all of which have shifted the average mentality of computer usage away from 2003-2004.

We're far from an ideal situation and you can definitely not use Wilders as an indicator of what goes out there, but things are changing and taking people along. Five years ago, Firefox was a baby, Chrome did not exist, Youtube did not exist. The focus has moved away and it's more cloud-social than pc-centric, even though the goals are the same - money.

As to chatty prompts, after using them for a while, a day or a year, you kind of get bored. And there's the natural tendencies of things to fall into their rest state. People are not meant to be clicking yes/no forever. Such solutions were a kneejerk reaction to bad OS design and will eventually disappear.

Notice the netbook epidemics, low-power, low-demand, instant-pleasure solutions that are slowly turning the computer into a consumer product, an appliance, not a geek tool. We still have a decade or two until it really gets simple, but there's a trend.

This approach to simplified computing takes the focus away from the 01 stuff the geeks love. Even so, notice the occasional scaremongering campaigns about the state of malware and whatnot. But it gets boring after you hear it a dozen times and the world does not end as predicted. You can only have one Y2K and then the milk wagon runs dry.

Wilders folks are three light years ahead, which is why you see them always using the popular and slightly future technologies. In fact, it's probably a good indicator where the rest will be in 3-4 years.

Mrk

 

After moving to 7 I simplified my approach.
7's firewall and Opera, that's it. Took even UAC off.
Of course I update all my programs often, especially Flash, PDF app and the likes.
A lot of the security hassle is just plain hystery.

 

Why don't you enable full DEP and consider running as a Limited user as well, perfect inbuilt and effective layer of security.

 

I totally agree with you. I am living in a small community and most people I talk to never heard of virtualization, DefenseWall,sandboxing etc.and nobody ever heard of Wilders either...In fact I feel lucky I had the chance many years ago to come to this Forum.

 

I'll be the first to admit that when it comes to more security vs less security, I find myself very confused. I'm still learning about malware and security (I try to never stop), and, on the one hand, the latest malware "breakthroughs" such as getting past DEP/ASLR, being able to infect PDF files without even using a vulnerability..it worries me. On the other hand, I can't remember ever even getting a rootkit, let alone a "computer killer". I've found myself with the occasional trojan, but even then it's been a LONG time since I've actually been infected. Almost the whole time (years), it's been a situation of a file I've downloaded being infected, but the malware never actually ran.

So, perhaps I've worried myself too much. I can tell you one thing, even though I experiment when i get into one of my "worry modes", at heart, I am a simple security kind of guy. I'll always keep my AV, simply because I don't have the ability to determine malware from legit just by looking at it. I love virtual apps. The ability to reboot and be clean is beautiful to me. However, I don't like the idea of only letting such and such run, and such and such access the internet, which is why having to configure Sandboxie bugs me a bit.

I'm not a prompt or error message kind of guy. I really don't want my computer or security software telling me it can't do this or that, or that I myself can't (which makes navigating folders in Win 7 a real pain in the behind for me). I run Win 7 as the default user, with UAC at default. I COMPLETELY understand the benefits of LUA, I just simply don't like the idea of my rights being dumbed down over a malware scare or software not working or half working because of a rights situation.

So, as you can see by my picky nature, I'll not likely ever be as secure as I'm "supposed" to be. Whether that is good or bad, time will tell. I just want to use my computer and surf the internet in peace, it's all I ever wanted.

 

If you were to be a Linux user I would say yes your approach is fine. However, on Windows you are just counting your blessing. It is just a matter of time before something bad happens, God forbid, of course.

Thanks.

 

One thing you didn't mention that I think is important here is the fact that people are starting to analyze their strategies rather than simply following the advice of guru "X" blindly. This is a good thing and is powering the improvements we are seeing in process, relevance to the actual risks the average user is likely to encounter, and overall product quality.

While I might feel "safer" walking through the forest with an Abrams tank at my back, it is impractical, expensive, and cumbersome when all I really needed was a can of insect repellent and a tent to keep the rain off my head when I camp for the night.

Mike

 

Nice analogy.

 

I suspect a lot of people have been attracted by the alleged convenience of add-on security software that generally has a trivial install process, rather than having to spend the time to learn and configure group policies and file system policies and other built in windows security measures.

 

This subject, like almost everything else, goes in cycles. For a while everyone wants a bunch of apps to play around with, then they want a lighter setup, then they want something to play with......

It's not "going in another direction" it's "going in the same direction it always goes"....in a circle.

 

I compare what's going on to martial arts:

First, you learn all the basics and stick by the rules
Then, you practice everything you learn and try to perfect the techniques
Finally, when you become a master, you make your own rules and do a free-for-all approach without having to follow the rules like before.

 

Good point there. OTOH, I find that setting up a limited account and a software restriction policy is much easier than messing with the configuration of security apps. You see postings asking how to prevent mbr rootkits, what can clean up the TDL3 rootkit, etc. There then follows a list of 20 different security apps but almost no one suggests the simplest solution, don't run as admin.

 

NOTHING is foolproof. Malware authors are, if nothing else, determined, intelligent, and patient. The limited user account, while a good if aggravating solution, is not foolproof. Nothing is.

 

True, but is that an excuse to login as admin, which is significantly less secure?

I would doubt that malware authors spend a lot of time trying to circumvent limited accounts. All the people running as admin provide enough low-hanging fruit.

Whether or not it's aggravating is a matter of opinion, I personally have no problem with it. Once again, it may not be 100% foolproof, but running as admin provides no security at all. I don't leave my doors open just because there are criminals who know how to pick locks.

 

I agree. However, as we know there is no such thing as 100% security, this statement is also not 100% correct either. It is the hand of the artist that paints the portrait, not the quality of the paint nor the size of the brush. In the same way one could say that the false security derived from being a User might slacken the operators senses, where still remaining admin may well keep them sharp.

I think most average Users benefit greatly from a LUA environment, but does it also give them a sense of 'tough as nails' security? LUA is very easily bypassed if all you need to do is click a prompt OK when you are asked. Wouldn't you agree?

Sul.

 

I agree with SUL that LUA is very easy to bypass, but i feel that in today's environment, users are becoming more and more cautious about their computer security. They try to be over cautious while opening unsolicited mails and files, but i agree that still many users rely on their AV's but we'll soon gonna see that this trend will also get change..

 

Nah. In the real world, there has been practically no change at all as to how users view the subject of security. It's still something they a) don't know about beyond scary news articles, b) mostly don't care about except during the occasional scary moment when they realize they might be infected with something and c) have to outsource to other people, such as the usual AV companies. Security forums are far removed from the real world in this sense: forumists occasionally actually plan out their security policies, test various configurations, and then typically just switch stuff around just for the sake of doing it as a hobby. Well, Windows security forums at least are like that. For other OS platforms, it's a little different. In any case, the security forum folks may go back and forth between various third party software and built-in OS features, but the rest of the world goes on like before, using the default settings or whatever the company IT staff has set up, using at best some AV they downloaded or got with the computer, or whatever software the company IT staff has installed without them even knowing, much less understanding. But as far as those security forum type people are concerned, yes, I tend to see some measure of moving away from "noisy" security setups to more traditional and lighter configurations based mostly on OS features, as has been the norm in most multi-user operating systems since eternity.

Such questions are a little problematic. For example: Armed and highly trained security guards are very easy to bypass if all you need to do is flash some cleavage and the guys go blind for a minute, wouldn't you agree? The problem here is the occasionally rather outrageous "ifs".

If your account does not have root, then it does not have root. There can be no "OK" to click on. There are no questions asked, no asking for your permission to do something. It's just: "Sorry, Dave, but no. You can't do this. You need a bigger hat." UAC Protected administrator accounts? They're still superuser accounts. If you can really perform operations that require root just by clicking OK on some prompt, then you aren't any limited user, you're just a superuser with annoying popups.

But sure, ultimately all security policies and configurations have to acknowledge the fact that if the human user in full control of the system (one who has the root password) doesn't know at all what they're doing, then anything can be "bypassed" simply by the user authorizing it out of ignorance. Security tends to be stronger against automated attacks than against social engineering for exactly this reason: if you can fool the admin, then nothing much matters, since he'll just turn off any security to see dancing pigs.


In short: nothing in the real world has changed. Windows has gotten somewhat better in terms of security, but the users, the weakest link, are still exactly the same as ever. In Windows security forums, some people may be gravitating towards more, well, Unix-style security setups than was the norm earlier, but I wonder if that isn't mostly temporary. The problem with security policies based on OS features is that they don't change all the time and don't get flashy updates. They don't make a very good hobby for those interested in that sort of thing, but changing various security software back and forth and following "leaktests" does.

 

I was actually thinking of both UAC and other tools that help make the User life more convenient, such as SuRun. Putting SuRun on average users computers has helped them a good deal, but I have already seen them using it willy-nilly to install some new thing they downloaded. UAC is no better IMO, even worse maybe. You make some good points throughout.

I do think though that the "less is more" feeling is extending beyond just the enthusiasts. I don't know that average users think in terms of "I don't really need it" so much as what UAC has done, making it rather easy to use and understand (although there is a misconception). It seems most novice users I know think Vista/7 are vastly superior to XP security wise and that UAC is somehow thier guardian that makes is more secure.

Sul.

 

Sure, the biggest problem is often between the chair and the keyboard. Although in a LUA there are no prompts to click OK, you get a message box saying you don't have sufficient privileges. If you are referring to UAC, then that's another thing altogether. I can imagine that some people just automatically click them away because they find them annoying. That's also not really a limited account that's set up by default.

You could get some of these prompts with SuRun as well, but I would venture to say that SuRun isn't something the "average user" has even heard of, much less installed.

I use and recommend LUA & SRP because it's included in the OS, costs nothing and is a pretty good foundation to start with if someone wants to secure his system. If someone feels more secure with a security app installed as well, I can understand that. I have a couple of on-demand scanners to check files I download and scan the system partition every couple of weeks.

But I think you would agree that LUA + [insert favorite security app] provides more security than admin + [insert favorite security app], this of course not counting human error, which is unpredictable.

 

If you use a computer at work, you will probably not have the admin password, so LUA as you say just denies you access rights. But in the home environment, which I think most of us here refer to mostly, the user of LUA probably does know the password to root. RunAs is not hard to do. SuRun, as you say, perhaps not well known, is just an easier method of RunAs. Vista/7 with UAC, even worse. Someone taught to run in LUA, shown the RunAs (choose your flavor) will now be able to circumvent the LUA. What is the difference if the logoff to install some malware vs. just using a RunAs or the ridiculous UAC?

Yeah, I would definately agree to that in practical terms for most users. I don't think it is as clear cut as black vs. white, because I for one am living proof that you certainly can be an admin, every day, and just not have problems.

I mean, I totally support LUA, and I actually am pretty aggressive about promoting it to those I know who are not super saavy. The problem I have with it in thier case is that they really do have legitimate reasons to use RunAs operations, but again, when you allow this they are right back to using it as the fix-all for every situation. It seems that some people, no matter how much you try to teach them etc, they just don't care and will do what they think they ought.

There is no remedy for this situation of course. They say you can lead a horse to water but you cannot make him drink. How true with average users, at least a large portion of them. I am tempted so many times to just set them up in LUA and NOT tell them the admin password. But, I don't have time to support people like that. So I give them the best tools I can for thier level of experience, and hope they take enough interest to learn what I teach them.

I can say though that with more and more use of computers in everyday life, the situation is getting better.

Sul.

 

Nicely and accurately summed up, I'd say. And as Mrk and maybe others have stated, Wilders is no where near representative of the "real world". From my experience, most people seem to only focus on an AV solution for their security needs. They know nothing of the differences between LUA and administrator accounts. IMO, LUA and application of latest patches alone will provide the majority of the defenses required to fend off malware infiltration. Sure LUA can be bypassed, but the malware can't embed itself deeply into the system, making its removal a relatively routine task, rather than a nightmarish ordeal.

 

I find it odd that others here claim that LUA (a part of the Windows OS) can be "bypassed". If a user installs a buggy or misconfigured third party firewall, or enables open ports that are closed by default, they can't really claim, for this reason, that Windows security is able to be bypassed and Windows networking is therefore inherently insecure.

 

No, they can't. But they can claim that having incompetent users know the admin password is inherently insecure. And that's exactly the point of that comment of mine that you quoted: LUA cannot be bypassed without privilege escalation exploits, but if you give an incompetent user the admin password, nothing is stopping them from logging out of their limited user account and logging in as admin to get a better chance of having some malware own the system. That's what I mean when I write "bypassed" with quotation marks: software security was not bypassed, human stupidity simply went and turned off software security. The human side of the equation is always a problem. It's a problem for LUA, sure, but also for AVs, HIPS, firewalls, you name it...

 

Nice
and I agree
Sariel