![](/i/fill.gif) |
![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
On 06/06/2011 06:55 PM, Darren New wrote:
> On 6/6/2011 10:29, Orchid XP v8 wrote:
>> Seems to me more like "useless busy-work to reassure the customer that we
>> really are doing something".
>
> Or maybe "check that you haven't installed something while the scanner
> was turned off"?
...which the on-demand scanner is *still* going to detect...
>>> Try Microsoft Security Essentials. It's really good.
>> It has "Microsoft" in the name. Why would it be good?
>
> Because it's written by the same people whose OS you're trying to
> protect is?
Heheh. These are the people who thought "hey, let's make it so that
every home user has full admin rights by default". Yes, I'm sure they
know a thing or two about security. ;-)
>> That's a valid argument for a file server. But even in that case, you (or
>> somebody else) still has to *access* the file.
>
> But the other person might not have a virus scanner.
If the file is on a file server, then each time you try to access it,
the AV product on the server will perform an on-demand scan.
> Too many people try to do cool stuff and just skip all the tools that
> Windows gives you to make it work well.
Now /that/ I can agree with.
>> Now why the **** couldn't McAfee have done that for itself?
>
> Dunno. Privilege problems?
What, this scenario didn't show up in testing? "We want to clean a virus
that's currently running" seems like more or less test #2 or #3 in any
sane test suite...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
Am 06.06.2011 20:22, schrieb Orchid XP v8:
>>>> Try Microsoft Security Essentials. It's really good.
>>> It has "Microsoft" in the name. Why would it be good?
>>
>> Because it's written by the same people whose OS you're trying to
>> protect is?
>
> Heheh. These are the people who thought "hey, let's make it so that
> every home user has full admin rights by default". Yes, I'm sure they
> know a thing or two about security. ;-)
Um...
Wrong perspective. Development was actually from CP/M's "access control?
just lock the f*** room door" concept to there.
Oh, and didn't they go for "hey, let's make it so that every home user
does /not/ have full admin rights by default" when they introduced
Vista? Might be wrong here, but didn't both software and users kinda go
amok back then?
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
>> Heheh. These are the people who thought "hey, let's make it so that
>> every home user has full admin rights by default". Yes, I'm sure they
>> know a thing or two about security. ;-)
>
> Um...
>
> Wrong perspective. Development was actually from CP/M's "access control?
> just lock the f*** room door" concept to there.
Yes. And it has taken them a spectacularly long time to figure out that
this model is ineffective today.
(Apparently this is the company that thought that networks were just a
"fad" that would go away after a while...)
> Oh, and didn't they go for "hey, let's make it so that every home user
> does /not/ have full admin rights by default" when they introduced
> Vista?
Yes.
They didn't do it in Windows 2000, they didn't do it in Windows XP, only
in Windows Vista did they *finally* get it right.
Granted, backwards compatibility didn't help them at all. But I'm pretty
sure there are better solutions than what they actually came up with.
The company's goals seem to be to promote a /sense/ of security rather
than actually /being/ secure.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
Am 06.06.2011 21:02, schrieb Orchid XP v8:
>>> Heheh. These are the people who thought "hey, let's make it so that
>>> every home user has full admin rights by default". Yes, I'm sure they
>>> know a thing or two about security. ;-)
>>
>> Um...
>>
>> Wrong perspective. Development was actually from CP/M's "access control?
>> just lock the f*** room door" concept to there.
>
> Yes. And it has taken them a spectacularly long time to figure out that
> this model is ineffective today.
Not really. It has been around in NT since when? Ever since the first
version, I guess.
> (Apparently this is the company that thought that networks were just a
> "fad" that would go away after a while...)
If that's what they had thought, they surely wouldn't have attempted to
roll their own network.
But they possibly didn't expect a single network to win over all the others.
I think none of the network operators did back then. And definitely they
didn't expect a (then) /non-commercial/ network to make the race.
>> Oh, and didn't they go for "hey, let's make it so that every home user
>> does /not/ have full admin rights by default" when they introduced
>> Vista?
>
> Yes.
>
> They didn't do it in Windows 2000, they didn't do it in Windows XP, only
> in Windows Vista did they *finally* get it right.
>
> Granted, backwards compatibility didn't help them at all. But I'm pretty
> sure there are better solutions than what they actually came up with.
> The company's goals seem to be to promote a /sense/ of security rather
> than actually /being/ secure.
Yes. I guess customers would go rampant if they gave them a somewhat
secure system - because people would (a) complain that they have to
invest time in security housekeeping (you can't just "buy" security), or
(b) complain that the system still isn't /totally/ secure (ignoring the
fact that such a thing as a totally secure system exists only beyond the
event horizon of a black hole).
Typical end users want to just "buy" their security (or, better yet, get
it for free), and not invest any of their own time into it. So Microsoft
serves this market segment with the best security you can buy for money
alone: The mere illusion of it.
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
Am 06.06.2011 10:28, schrieb Invisible:
> I prefer the old days of the Amiga, where software almost always did
> what it was supposed to. (Or else failed to work completely.) None of
> this "sometimes it works, sometimes it doesn't" nonsense. (Or "if works
> if you press the buttons in this order, but no other order".)
>
> This kind of thing seems to be endemic to Windows (and now Linux). For
> example, when I was setting up our old file server, I discovered that
> the only way to make the tape drive work was some long, complex routine
> (which I eventually wrote down) where you uninstall and reinstall the
> hardware drivers multiple times, rebooting in between, in just the exact
> right sequence, and then it works perfectly. If you don't do this, the
> device just refuses to function. WTF?
Increase in system complexity, anyone?
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
On 6/6/2011 11:22, Orchid XP v8 wrote:
> ...which the on-demand scanner is *still* going to detect...
Again, the on-demand scanner is the worst possible way, efficiency-wise, to
detect such things. Where "efficient" means "minimal impact to actual
users." It should be a last resort, not a primary mechanism.
>>>> Try Microsoft Security Essentials. It's really good.
>>> It has "Microsoft" in the name. Why would it be good?
>>
>> Because it's written by the same people whose OS you're trying to
>> protect is?
>
> Heheh. These are the people who thought "hey, let's make it so that every
> home user has full admin rights by default". Yes, I'm sure they know a thing
> or two about security. ;-)
I'm sure they do. And I'm sure every programmer in Microsoft *wanted* to not
make that the default. That business cases mean you lessen security doesn't
mean the security team doesn't know how to do security.
>>> That's a valid argument for a file server. But even in that case, you (or
>>> somebody else) still has to *access* the file.
>>
>> But the other person might not have a virus scanner.
>
> If the file is on a file server, then each time you try to access it, the AV
> product on the server will perform an on-demand scan.
Sorry? What file server? I'm pretty sure Linux doesn't have a virus scanner
that will detect Windows viruses, for example.
> What, this scenario didn't show up in testing? "We want to clean a virus
> that's currently running" seems like more or less test #2 or #3 in any sane
> test suite...
As I said, "dunno."
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
On 6/6/2011 11:52, clipka wrote:
> Wrong perspective. Development was actually from CP/M's "access control?
> just lock the f*** room door" concept to there.
I still remember being amused at the Burroughs mainframe we were looking at
buying back then. We asked about multi-user features, and they said "code a
password request into your programs." We asked something else along those
lines, and they said "that's why each terminal has a keyhole."
> Oh, and didn't they go for "hey, let's make it so that every home user does
> /not/ have full admin rights by default" when they introduced Vista? Might
> be wrong here, but didn't both software and users kinda go amok back then?
Exactly. It wasn't that they didn't understand what needed to be done, but
that different demands were made. The president would be safer if he never
appeared in public, also.
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
On 6/6/2011 12:02, Orchid XP v8 wrote:
> Yes. And it has taken them a spectacularly long time to figure out that this
> model is ineffective today.
Not really. They figured if you had a system where it was single-user,
adding access control wouldn't help unless you were smart enough to not get
infected to start with. If you had a system that was multi-user, you
probably already know how to create accounts that aren't super-user.
> (Apparently this is the company that thought that networks were just a "fad"
> that would go away after a while...)
Microsoft had networking before TCP/IP was popular enough to need DNS.
> They didn't do it in Windows 2000, they didn't do it in Windows XP, only in
> Windows Vista did they *finally* get it right.
If you had multiple users, you could create privileged users or
non-privileged users. If you had a multi-user networked machine, chances are
you were running AD or some such and didn't have an admin account.
> Granted, backwards compatibility didn't help them at all. But I'm pretty
> sure there are better solutions than what they actually came up with.
Remember that when you're talking about security, the result is to break
things. Security in this sense means "preventing things from working as
programmed." Hence, you can't increase security effectively without breaking
backward compatibility. It's a careful balancing act you have to do.
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
Am 06.06.2011 22:02, schrieb Darren New:
> Sorry? What file server? I'm pretty sure Linux doesn't have a virus
> scanner that will detect Windows viruses, for example.
It very bloody likely does.
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
Am 06.06.2011 22:02, schrieb Darren New:
> Again, the on-demand scanner is the worst possible way, efficiency-wise,
> to detect such things. Where "efficient" means "minimal impact to actual
> users." It should be a last resort, not a primary mechanism.
You need an on-demand scanner though, lest a program opens a file that
wasn't there when you last had a chance to check it.
Plug in a USB stick full of data, and open something from it right away:
In that scenario, on-demand is the /only/ efficient mechanism. You don't
want to tell the user, "sorry pal, that file you're trying to open
happens not to have been scanned yet - and there's still 4236 other
files scheduled to be scanned before it."
Likewise, you don't want to clog up the system for minutes just because
someone inserted a USB stick he only reads one file from.
So in the sense of "total computing & I/O time spent for virus
scanning", on-demand may be the worst - but "felt" system speed is not
measured in such ways.
Also note that even if a file has been scanned and hasn't changed, the
virus database may have; so if you don't want to dig through all files
on the system every time the virus database changes, on-demand scanning
provides an advantage there as well. (Ideally of course in that case the
file would only be checked against virus signatures that were installed
after the file was last checked.)
Post a reply to this message
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |
|
![](/i/fill.gif) |
| ![](/i/fill.gif) |
|
![](/i/fill.gif) |