When does convenience trump security?

Discussion in 'other software & services' started by RoamMaster, Feb 27, 2011.

Thread Status:
Not open for further replies.
  1. Someheresomethere

    Someheresomethere Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    71
    Re: RWhen does convenience trump security?

    IMO knowledge and common sense play a big role. With enough of those, besides using LUA and a safe web browser, even just a good antivirus is more than enough to keep your computer safe (a Backup strategy wouldn't hurt either). Of course, most members here on Wilders use many more security apps, including HIPS (which I find terribly annoying), but hey, what do you expect from members of a security forum :D. Being myself a member I too am a little more paranoid than I should be so since I occasionally buy stuff online I use SafeOnline just in case my AV misses anything, and Sandboxie rarely for suspicious apps. But overall everything's light and quiet and I don't get flooded by security popups.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm really glad you raised such a question. At the time, indeed, the article I mentioned wasn't very detailed, as in it lacked a few information. Also, one of the mentioned sources also only mentioned there was no need for administrative rights as it would execute to memory. Back then, I thought of an exploit (be it a web browser exploit, pdf reader exploit...), which would load the malicious code to the process memory itself, hence not triggering any antimalware or even SRP/AppLocker.

    I had a PDF file I have been wanting to read, which for lack of time I still haven't, until today.

    The exploitation scenario isn't mentioned (I guess it's a plausible scenario to be happen; not only with Carberp, but also other malware as well); at least, not in the way I had under consideration, which would most definitely ruin the purpose of SRP/AppLocker.

    That said, what the article (TechRepublic's) lacked was that it won't require administrator rights (the variant in question) because it will write to user-space and then execute itself on each session start to memory. According to the PDF article file, it won't make any changes to Registry, and the reason is because it will only execute to memory.

    A properly secured system would KILL straightaway any chances of infection; unless a careless/unfamiliar user with such situations would allow him/her self permissions to write to user-space startup entries, which let's face it, it's not that very uncommon?

    So, even excluding the exploitation scenario I had under consideration, we could be talking about a specially crafted document that could exploit a vulnerability in the respective program, etc. No need for the method I had in mind.

    And, as others have been mentioning, and it's something I totally agree, we have to draw a line between usability/convenience and security.

    Just as an example, my web browsing protection resumes to this: low integrity level, no plugins, browser disallowed to download anything, which kills drive-by downloads; javascript disabled.

    And, I do that, because I don't believe in common sense for web browsing. Common sense to patch applications, the operating system, yes, absolutely. But, there's no common sense when it comes to web browsing, as in there aren't safe and unsafe websites; there are legitimate and illegitimate websites, and sometimes legitimate websites get hacked. As simple as that.
     
  3. wat0114

    wat0114 Guest

    The article linked to at the beginning of this thread is so typical of what we see all the time. Sure, they are factual, but they also very conveniently leave out some important details such as exactly how the malware infects from start to finish, how many users, percentage-wise, got infected, how exactly they were unsecured - unsecured because they were not running latest updated antivirus, or unsecured due to long-standing unpatched applications like Java, Flash, Reader?? Do they mention if they were running LUA or the more than likely Admin? Of course not. These details are left out as usual. What we read about in these articles and what the reality is are no doubt two completely different things. These infections were, undoubtedly, not rampant, wide-spread as they try to portray in the articles. The actual numbers are minor, due to the those (few) who ignore their outdated av definitions and unpatched, vulnerable apps all the while running as full administrator.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why are the numbers minor? Is the amount of people getting infected - and, I'm talking about those who are aware of it, because at some point either their AV flags something or they see strange security alerts telling them to buy some security application or even messages saying their files got encrypted and they got to pay to have them back - really that scarce?

    I'm not just talking about the first BBC article I mentioned; I'm looking at it in a general way.

    Security forums specialized in cleaning malware say otherwise; and this is just a smaller % of people with infected systems; others go to the computer shop where they bought their PCs, others go to their relatives who know more than them.

    Reality is: There are more than proved methods to infect systems, and simply because they work. And, they work, because the larger % of people don't know any better.

    Some exploit kits explore older vulnerabilities; something quite common among most (if, not all) of them. Why? There are plenty of systems with vulnerable applications.

    Now, this isn't meant for you (or, strictly meant for you), some people, at least here (other places as well), tend to believe security has to be inconvenient and that it will kill usability of the O.S, etc, waste resources... I'd say that those who believe that, for sure don't know what they have at their disposal, either via O.S itself, hardening web browser...
    In fact, if one knows how to harden the O.S and web browser, you can kiss good-bye 99% of threats; the other 1%, I think that would be up to the user to keep or not the system clean.

    The problem is that the % of people who can do that and, obviously know how to do it is very scarce.

    Anyway, security doesn't have to be a resource monster, usability monster, etc.
    You just need to know the infection vectors and close those holes.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Convenience and security works hand-in-hand....

    I'll suggest you read these (or at least glimpse through them).

    Beyond Fear: Thinking Sensibly about Security in an Uncertain World by Bruce Schneier
    Notes from Bruce Schneier's Beyond Fear
    The Psychology of Security

    I'll put a few quotes here for convenience...

    - How simple you want this to be is your call.

    - This is why you see so many different setups on this forum itself. There's no 'right' or 'wrong' - just what is good enough for the individual.

    - Which is why we have various forms of setups here - ranging from the
    lightest or least complicated to the hardcore lock-down or extremely resource-hungry setups. Different people have different 'needs' and look at security differently. One man's meat is another man's poison.

    - Sure, we don't. Otherwise, you wouldn't have step out of your house without a heavy armor or a bulletproof vest on your body....

    And Marcus Ranum sums it up well on his blog:

    - Seems like I need to stop being so hard-working after all.:p

    P.S. If you ever see me bring about complexity in my so-called setup, it's only because I am purposely doing it for the fun of trying out things...and maybe the adrenaline rush I get as a side-effect from visiting and posting on this forum. See my sig;) No worries, I'll move on soon enough...:D All of us will one day...
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I give this some love :-*
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ safeguy

    Sorry for not quoting that post of yours, but just to say that pretty much shows it all, and I believe it comes in the direction of what I previously mentioned, which is that security doesn't have to be a resource or usability monster, and that it's perfectly possible to balance what you see as being acceptable to happen with the security you have deployed. Different people have different opinions of what they see as being acceptable to happen, and deploy security measures according to their own views.

    If you go a few posts back, you'll perfectly see what I find to be usable, in my own use of my own system. For others, such would be rather complicated of dealing with; not because it's hard to understand, but rather because it requires a routine, and many people simply refuse to have one.

    Just like some people rather have firewalls that show when an outbound communication is about to happen; others, simply enjoy to have such in silent way; others, simply don't care that much about outbound traffic.

    Etc, etc... I guess you get the general view of it.

    Very nice post indeed!
     
  8. wat0114

    wat0114 Guest

    Just to make my point clear, I don't suggest common sense is all that's needed to remain secure on-line, just that it's a component, an under appreciated one at that imo, of a sound security approach. I will suggest that those who fall victim to most of the common exploits are not employing any or enough common sense in their approach.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Convenience and usability are not the same and are not interchangeable terms. Security doesn't conflict with usability. Convenience and integration can compromise security. Example, when I find a PDF on the web I want to read, I save it to my desktop and open it with the PDF reader, not in the browser. If there's a flash video I want to see, I drop it on the free standing flash player. This isn't as convenient but it's just as usable. On occasion I have to bypass a few Proxomitron filters in order to get a webpage to work properly, but that's the extent of the user mode inconvenience. IMO, that minor inconvenience is worth the added resistance to web based attacks.

    Tight security, HIPS, and outbound firewalls does not translate into a "trip through pop-up land", unless you installed the apps and didn't take the time to configure them properly. Both Kerio and SSM run silently here because their rulesets are done. Every application and system process that needs internet access has just the access they need, nothing more. Each one can parent only those applications and executables that are necessary for its operation, nothing more. The end result is secure, lightweight, usable, and quiet, no matter who is using it. Everything works the way it should. For me, security will always trump convenience but not usability.
     
  10. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    The amount of security to convenience depends on the user. Right before I joined Wilders and read way into HIPS I use to go by different magazines. At the time it recommend AVG Free and Online Armor. So I decided before trying it for personal use I would install it on every machine in the house. Now the warning did say it would have "a small amount of popups" so I trusted everything in the learning wizard and rebooted. In about a week it was removed on every machine due to the fact I did not worry about the rules and just went the yes/no route. The security overtook the convenience (especially when my parents used the machine).

    So after that moment when I setup everyone up I stay with convenience more then security. Lets take MalwareDefender as an example because its a popular program here. Now I would never ever most likely be able to set that up on my parents machine. They don't like popups so I keep it in their convince range. I personally use this scale when setting up a security setup for friends and family:

    Does it have popups that are simple to understand?: Giving them something that can provide 99% protection with popups is no use to them if they can't understand it is not going to solve anything.

    Will it destroy day to day experience?: If its going to bother them why use it? If they just want to log on and check their email and facebooks, and download ebooks why make something where it wipes everything out after reboot unless they save it to one location. If its going to cause them stress it won't go on.

    Are they willing to learn?: I will not install something that they have to change their whole PC usage and do everything differently just to be secure. It removed the convenience of the PC.

    I personally just install the basics and they last a while with little infections every once in a while but not way bad. Installing them an AV with good detection rates take out a major amount of infections. Then install an AntiSpyware with real time to back it up. Then web guard (DNS services, addons) to prevent them from getting to bad sites in the first place really prevent many of the infections users get without have to take out convenience. Then just teach them to back up their files and boom they are pretty safe with convenience.

    (Wow that was one of my longer posts.)
     
  11. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    50
    There's a long standing myth that porn sites contain viruses. Someone like CNet or PCWorld did a web crawl and downloaded anything their bot came across. They found their infection rate was something like %60 higher on porn sites than on newpapers. And %20 or so higher than on gaming sites.
    Someone here probably knows what I'm thinking of. I don't have a link and can't recall the source. It got syndicated everywhere and the idea became widespread. Basically it boils down to an oversimplified headline taken way too far.
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    This is probably correct. There are a lot of myths on the Internet. Although, I think it is probably fair to say that some countries seem to suffer more with malware than others.
     
  13. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    It depends.

    It depends on who the user is and who is the owner of the computer.
    In the business where I work, we need very strong security, for the simple reason that the data we work with needs to be kept safe and secure.

    If I regularly need my admin account to mess about with system settings or installing things then I use virtual machines to experiment, just to give an example of how you can maintain convenience and security.
    But, this may not be a usable option for everyone.

    One thing I will say is, there is a big difference between an educated user who understands the risks and issues of running with admin rights, compared to a user who does'nt.
    For example on my development machine, I need Admin rights for certain tasks, but I don't ever surf the web on this machine, so I will never be at risk from web based vulnerabilities on that machine, but a less educated user...

    Cheers, Nick
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.