old fucks and computers


Post by tism » Wed Aug 04, 2010 15:38

Perhaps I'm a bit more paranoid than most, but I always cringe every time I see some old fuck's computer with all sorts of suspicious crap on it. Video downloaders, screensaver packs, smiley packs, etc, all bundled as EXE installers which were handily left on the desktop (default download place) after the user was done installing it.

Folks, installing a program on your computer (especially under the same context as you do all your important work in), is just like inviting the author of that program into your home to do whatever he wants, unsupervised. You do not invite some random stranger you've never met before to stay in your house while you go to work. Why would you do the same with your computer? It is the same thing.

This is not to say that you should never install any program on your computer. But you have to know where the program comes from, and decide whether you can trust it first! A random download link you found from Google/yahoo/whatever is not usually trustworthy! A random download link you saw on a popup while you were browsing porn is definitely not trustworthy!

You log into your bank account with that same computer, using the same context as you install all that crapware in. This is like taking that random stranger to the bank with you and letting him watch everything you do, including the account number and PIN that you use to withdraw cash from your account. This is exactly the same thing! That crapware you installed can watch everything that goes on in the computer, and record/manipulate every bit of information that goes through it. Everything in your bank account can be stolen by crapware on your computer.

I don't see how to fix this for most people. Either of the following happen:

1) I succeed in making people so afraid of installing everything that they feel like they have to ask me personally every time they want to install something. And then when I see it is "Video downloader XYZ plus" which the person really really really must have so they can save all their favorite online videos, I glare a bit, and the person ends up feeling disappointed because they can't have it.

or

2) I don't make people afraid enough, and they don't even heed the warnings, but charge ahead installing anything which might look interesting regardless of where it comes from or what it is supposed to do.

or

3) They'll exercise caution, but then let the little kids use the same computer (and same context, again), who will themselves install all sorts of crapware.

I don't know how to educate anyone about computer safety. It either doesn't seem important enough to consider, or people will just expect me to do all their thinking for them. I don't like either of those extremes.
"Let us remember that no man can borrow money, as a good business transaction, under any system, unless he has the required security to make the lender whole in case he should lose the money. What a stupendous wrong is this—that a man having credit cannot use it, but must exchange it and pay a monopoly price, which is really for the privilege of using his own credit!"
Usery by Apex
tism
(Academia Whore)
 
Posts: 759
Joined: Sat Jan 17, 2009 19:10

Re: old fucks and computers

Post by Brad Reddekopp » Wed Aug 04, 2010 18:09

Do you think it would be helpful to try to get them to use something like the AVG Free toolbar which rates pages (and therefore, presumably, the available downloads) for safety?
People who don't like their beliefs being laughed at shouldn't have such funny beliefs.
- Brad Reddekopp

No deity required!
W.O.A.
Einstein@Home
Rosetta@Home
Brad Reddekopp
Wicked Old Atheist
 
Posts: 22437
Joined: Tue Dec 03, 2002 16:26
Location: British Columbia

Re: old fucks and computers

Post by tism » Wed Aug 04, 2010 23:53

Oh by the way, I really shouldn't have said "old fucks." Some young fucks have the same problem.

NoDeity wrote: Do you think it would be helpful to try to get them to use something like the AVG Free toolbar which rates pages (and therefore, presumably, the available downloads) for safety?

This is where I start to lose most people, since I don't believe in anti-virus in principle. Back to the analogies, anti-virus is like keeping a big list of names of people who are bad, and checking each person who rings your door bell against the list. The problem is that you can never have a complete list of names (anti-virus databases are continuously updated), and the fact that someone isn't on the list is not a sufficient condition to indicate that they are good. Someone walks up to you on the street and wants to take a peek at the contents of your wallet. You don't go and say "well, you aren't on my list yet, so go ahead."

Aside from that... With AVG specifically, I've seen it throw an alert upon starting Internet Explorer, claiming that some DLL is infected. Presumably the DLL got there somehow before, and so must have gotten past AVG already. So the damage the virus was capable of doing was already done (bank account info stolen, etc) between updates of AVG's database.

So long as computers continue to be as expressive as they are, viruses will continue to evolve, evade detection, and generally have the upper hand against users who rely on anti-virus.

What I advocate instead is 1) whitelisting and 2) sandboxing.

Whitelisting is easy, especially if you use a popular Linux distribution (one that has a reputation at stake). You simply install and update your software from the distribution repository.

For other downloaded programs, you sandbox them by running them under a separate user account from the one you use for important stuff. I have separate user accounts for:

- banking (including ordering from sites using credit card)
- e-mail
- web browsing in general
- games
- administration (update software as root, etc)

If the "web browsing" context gets hijacked, I don't have to worry about revealing my bank account or other important information.

I am also suspicious of any software that is not available as source code. So the typical EXE-only program you find on download sites always makes me nervous.

I think these two things, whitelisting (as opposed to blacklisting like anti-virus does) and sandboxing, go a long way toward restricting your exposure to viruses. The problem is it confuses people. People I talk to generally don't grasp the idea of having separate contexts on the computer for different purposes, or how a rogue EXE could expose your bank info to someone.
tism
(Academia Whore)
 
Posts: 759
Joined: Sat Jan 17, 2009 19:10
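
An added example, not part of the original post: a Python audit that checks whether per-purpose accounts like the ones listed above are really isolated from each other. The account names, the privileged group names, and the passwd/group text and home directory modes are all constructed for illustration.

```python
# Added example: audit per-purpose accounts for gaps that defeat the separation.
# All account names, groups and modes below are constructed sample data.
from collections import defaultdict

CONTEXTS = {"bank", "email", "web", "games", "admin"}   # assumed account names
ADMIN_ONLY = {"admin"}                  # contexts allowed in privileged groups
PRIV_GROUPS = {"sudo", "wheel"}         # assumed to grant root via sudoers

PASSWD = """\
bank:x:1001:1001::/home/bank:/bin/bash
email:x:1002:1002::/home/email:/bin/bash
web:x:1003:1003::/home/web:/bin/bash
games:x:1003:1004::/home/games:/bin/bash
admin:x:1005:1005::/home/admin:/bin/bash
"""
GROUP = """\
sudo:x:27:admin,web
media:x:2000:bank,games
"""
# Permission bits as os.stat(home).st_mode & 0o777 would report them.
HOME_MODES = {"/home/bank": 0o700, "/home/email": 0o755, "/home/web": 0o700,
              "/home/games": 0o700, "/home/admin": 0o700}

def audit(passwd=PASSWD, group=GROUP, modes=HOME_MODES):
    findings = []
    by_uid = defaultdict(list)
    for line in passwd.splitlines():
        name, _, uid, _gid, _gecos, home, _shell = line.split(":")
        if name not in CONTEXTS:
            continue
        by_uid[int(uid)].append(name)
        # Any group/other bit lets another context read this one's files;
        # a home with no recorded mode is treated as fully open.
        if modes.get(home, 0o777) & 0o077:
            findings.append(("open-home", name))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:              # same UID means same context to the kernel
            findings.append(("shared-uid", ",".join(sorted(names))))
    for line in group.splitlines():
        gname, _, _gid, members = line.split(":")
        ctx = sorted(set(members.split(",")) & CONTEXTS)
        if gname in PRIV_GROUPS:
            findings += [("can-become-root", n) for n in ctx if n not in ADMIN_ONLY]
        elif len(ctx) > 1:              # a shared group can bridge two contexts
            findings.append(("shared-group", gname + ":" + ",".join(ctx)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit():
        print(f"{kind:16} {detail}")
```

On a real system the same function can be fed the contents of /etc/passwd and /etc/group and the modes read with os.stat.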

Re: old fucks and computers

Post by Brad Reddekopp » Thu Aug 05, 2010 19:16

Sounds like good advice. If it's lost on most people, that's unfortunate.
Brad Reddekopp
Wicked Old Atheist
 
Posts: 22437
Joined: Tue Dec 03, 2002 16:26
Location: British Columbia

