[FoRK] The Year That Security Collapses Completely

Stephen D. Williams sdw at lig.net
Tue Jan 12 12:24:00 PST 2016


I think we've talked about it at least being the case that anti-virus is dead.  Security researchers at security conferences have 
had a number of talks to that effect for the last couple years.

From my point of view:
Anti-virus products don't protect you at all from 0-day or targeting in any real sense.
Your OS, practices, and ability to recover should prevent the kind of legacy virus attacks that it does prevent.
It is costly in both money and in the overhead and breakage that it adds to your machine.
It introduces a usually hidden set of possible security holes.

Want to scan executables etc. for bad things?  Great.  Malware detection and removal is important and useful.  It is required 
amazingly often on Windows.  Elsewhere, meh.  Many of the existing enterprise-oriented products are so invasive that in some 
circumstances, I would rather just reinstall my system from an image than decimate my machine with the overhead.

sdw

On 1/12/16 11:57 AM, Joseph S. Barrera III wrote:
> Greg, you have predicted something like the subject line (I forget your
> exact phrasing), but I don't think it exists. Security will just get worse
> monotonically every year, forever. Like the boot stomping on the face in
> 1984.
>
> http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/
>
> https://code.google.com/p/google-security-research/issues/detail?id=693
>
> Excerpt:
>
> I spent a few minutes trying to understand how the SB shell worked,
> and then realized they were just hiding the global objects. I sent
> this annoyed follow up:
>
> This thing is ridiculous, wtf is this:
> https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))
>
> You were just hiding the global objects and invoking a browser
> shell...? ...and then calling it "Secure Browser"?!? The fact that you
> also run an old version with --disable-sandbox just adds insult to
> injury.
>
> I don't even know what to say - how could you enable this thing *by
> default* on all your customer machines without getting an audit from a
> competent security consultant?
>
> You need to come up with a plan for fixing this right now. Frankly, it
> also looks like you're exposing all the stored passwords to the
> internet, but let's worry about that screw up after you get the remote
> code execution under control.
>
> Please confirm you understand this report.



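Added worked example (not code from this thread, from Trend Micro, or from the linked bug report): a toy model of the localhost "showSB?url=..." endpoint the quoted report describes, written to make the two defects concrete. The unsafe handler forwards the raw url parameter into a window that can reach Node's require(), so a javascript: URL is remote code execution, and because the endpoint is a plain unauthenticated GET on localhost, any web page can trigger it. The hardened handler shows the minimum a practitioner would expect: a per-launch secret that a foreign page cannot know, WHATWG URL parsing, and a scheme allowlist. The session-token scheme and the openInShell sink are assumptions for illustration; the request URL is the one quoted in the report.

```javascript
// Added example, not the product's code. Models a localhost API that opens a
// caller-supplied URL in a Node-enabled window, as the quoted report describes.

const SESSION_TOKEN = 'c0ffee-per-launch-secret'; // assumption: random, per launch, known only to the product's own UI
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Request taken verbatim from the quoted report.
const REPORTED_REQUEST =
  'https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))';

// Turn a request URL into the query object a handler would see.
function parseQuery(requestUrl) {
  const u = new URL(requestUrl);
  return { url: u.searchParams.get('url'), token: u.searchParams.get('token') };
}

// Sink model (assumption): in the real product the window evaluated javascript:
// URLs with Node globals reachable, e.g. topWindow.require("child_process").
function openInShell(url) {
  const scheme = url.slice(0, url.indexOf(':') + 1).trim().toLowerCase();
  return { status: 200, opened: url, runsPrivilegedScript: scheme === 'javascript:' };
}

// Vulnerable handler: raw parameter straight into the sink, no caller check.
function showSBUnsafe(query) {
  return openInShell(query.url);
}

// Hardened handler. The token is the control that matters: a cross-site page
// can make the GET (an <img> or a navigation) but cannot know the secret, and a
// plain GET carries no Origin header that could be checked instead.
function showSBHardened(query) {
  if (!query.token || query.token !== SESSION_TOKEN) {
    return { status: 403, reason: 'missing or wrong session token' };
  }
  let parsed;
  try {
    parsed = new URL(query.url); // rejects garbage, normalises scheme case
  } catch (e) {
    return { status: 400, reason: 'unparseable url' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { status: 400, reason: 'scheme not allowed: ' + parsed.protocol };
  }
  return openInShell(parsed.href);
}

// Stand-alone demo: the reported request against both handlers.
const q = parseQuery(REPORTED_REQUEST);
console.log('unsafe   :', showSBUnsafe(q));
console.log('hardened :', showSBHardened(q));
console.log('hardened, token but javascript: scheme :',
  showSBHardened({ url: 'JavaScript:alert(1)', token: SESSION_TOKEN }));
console.log('hardened, legitimate :',
  showSBHardened({ url: 'https://example.com/', token: SESSION_TOKEN }));
```

Note that the scheme allowlist alone would not have been enough: with no caller authentication, a page could still drive the product's window to any http(s) URL of its choosing, and any further API on that port (the report mentions stored passwords) would be equally reachable. Running the privileged window with the sandbox disabled, as the report also notes, turns any renderer bug into the same outcome.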