Avast: a Chromium fork with critical security checks removed (code.google.com)
232 points by andygambles on Feb 8, 2016 | 118 comments



You ever noticed that these "secure" forks of browsers put out by antivirus companies are usually security trainwrecks?

cf: "Chromodo" and the vulnerabilities disclosed by this same researcher[0]

[0] https://code.google.com/p/google-security-research/issues/de...

EDIT: And let's not forget TrendMicro's recent blunder with the enabled-by-default HTTP server for "Password Manager" that is installed as part of their antivirus program.[1]

[1] https://code.google.com/p/google-security-research/issues/de...


Which makes you wonder about the quality of the products they develop 100% in-house.

In the case of the browsers, it's "only" the bits they tampered with that are more insecure. For their own stuff, anti-virus, firewall and what not, they've "tampered" with the entire code base.


In my experience non-OSS security software is not worth having. There are some exceptions but they are exactly that, exceptions. More often than not, by installing this garbage you are putting yourself in a worse position than not having it at all.


The (closed-source) security software Microsoft ships with modern Windows is quite good. I don't think OSS/non-OSS is the real dividing line, but rather the motivation of the vendor.

In the case of Microsoft, their motivation is to make Windows work better, in the case of OSS the motivation is often to scratch personal itches, both of these motivations trend towards positive results.

In the case of 3rd party security software vendors, their motivation is usually to upsell you from whatever version you are using to a higher level of "security", so it is in their best interest to go nuts with false positive reports (e.g. finding some browser cookies in a scan, posting up such severe looking warnings that you'd think your system is rooted), bog your system down, etc.


What gives you the impression that Windows Defender is any good? It hasn't had a consistently decent detection rate since 2012.

(See: https://www.reddit.com/r/YouShouldKnow/comments/40zh69/ysk_t... https://www.av-test.org/en/antivirus/home-windows/)


Personally I think Microsoft wasted their money with their built-in security software, and should have just ignored it. In fact, they're wasting money pouring resources into security patches. They should just leave security holes wide open until they feel like getting around to fixing them, if ever.

Think about it: all this stuff is costing them money, and that reduces their profitability. What is it gaining them? Nothing.

Why? Simple: if customers get pissed off, what are they going to do, switch to Linux or Mac? Maybe a few, but the vast majority will just put up with it and gripe and complain. They're never going to leave Windows, so it would make sense for Microsoft to screw them over.


Many AV vendors have national security concerns.


Bitlocker and Applocker are among the exceptions, but I stand by my statement they are just that - exceptions to the rule.


The only AV scanner I've found that is worthwhile is Malwarebytes. Honestly, my mother's friend had got Norton Antivirus, so I installed it and ran a scan. Found 3 bits of malware. Then installed Trend's AV scanner after uninstalling Norton - found 2 more malware. Ran Malwarebytes - found 45 and removed them!


I've lost weeks of my life to hacking around problems caused by antivirus software.

Oh, I got paid for the time, but which is more satisfying and looks better on my resume: "Hacked around antivirus bugs" or "Built a cool and awesome feature"? :-)

Here's my previous rant on the topic with specific details:

https://news.ycombinator.com/item?id=10248084

And a mention of one of the debugging techniques that was helpful here:

https://news.ycombinator.com/item?id=10250001


>Which makes you wonder about the quality of the products they develop 100% in-house.

You might be interested in reading up on Tavis Ormandy and his adventures with Sophos antivirus. He was able to find several holes in SAV with [allegedly] very little effort. Which was especially comical because they could be used to pwn Sophos' network firewall product which is used by enterprises.


Worse still, that stuff hooks into your OS at just about every level.


To be fair, I doubt they know the Chromium code base as well as they know their own (also why they shouldn't fork it.)


I know most consumers don't really care about this stuff until it bites them, but products like this are supposedly (I guess) marketed to consumers who care about security. I think it's worth it to be skeptical of claims made by any vendor, and ask some key questions:

- what changes have been made in the fork?
- can I (or people in the software development community) see the source code?
- what peer review policies are applied to changes made in the fork?
- when (not if) something goes wrong, what policies and mechanisms are in place to fix it?

... just to name a few. No software is perfect. No engineer is perfect. There will always be bugs. There should just be an expectation that people will take reasonable precautions.


I advise my techie and non-techie friends alike not to bother with antivirus, but rather to ensure that their files are backed up and their software is up to date.

Those are the most important parts, assuming the user is above the level of downloading and executing malware by themselves.


And with Google planning on banning those fake download buttons, it might alleviate the need for an adblocker. I feel bad installing adblockers on others' computers, but it's helpful for the virus-prone.


Adblockers are a necessity to bring a computer up to the minimum level of security your friends and family need. There is so much malware being served through ads nowadays I wouldn't use any computer, and try not to use a phone, without adblockers in place.


Android phone users may find it useful to know that Firefox for Android works great with uBlock Origin. No more app store popups, audio ads, or sucking down your mobile data.


It's very useful, but I try to encourage everyone I can to root and install a system level adblocker. Not feasible for 100% of people but the more the better.


Can you provide some links about these system level adblockers?


I use AdAway from the F-droid catalogue:

https://f-droid.org/repository/browse/?fdid=org.adaway


I also use AdAway from the F-Droid repos


> I feel bad installing adblockers on others' computers, but it's helpful for the virus-prone.

You mean like security researchers?

http://www.networkworld.com/article/3021113/security/forbes-...


That article strangely claims it's not Forbes' fault if their pages serve malware. Of course it's their fault and responsibility when they have freely chosen to work with this advertisement provider. Of course they should change the agency, and perhaps claim damages, but one can't transfer the responsibility to third parties.


It was just meant as an illustration that nobody is safe, no responsibility was implied.


This is very close to the advice I give laypeople, but I hit a few other points (e.g. password security): https://paragonie.com/blog/2015/06/guide-securing-your-busin...


Also use some adblock extension and make sure it's subscribed to malware domain filters.


I would recommend using a business-class antivirus rather than the consumer editions. Also, don't use their browser plugins if offered.

At least that protects you from theft. I can keep all my files backed up, but that doesn't protect the data in them from being compromised.

If anything, you need to start recommending encryption to your friends if they aren't going to use an Antivirus.


I used to work for an antivirus vendor and I would not recommend this.

The antivirus engine is the same and the only differences are how it's packaged. They're still shoveling obtrusive, crap software onto your system, just being less obvious about it.

The only reason to have Symantec Corporate Edition Antivirus installed on your system is because your company signed a deal to use Cisco VPN & Endpoint Protection and you're literally forced to use it.

What mostly everyone fails to understand is that antivirus software is not effective as a _preventative_ measure. What they are good at is detecting that you're already infected, but they all have terrible rates of false positives. Nothing out there is very effective at protecting you from 0-days, despite industry claims to the contrary.

User training/habit modification is the only effective measure at preventing infection (besides being behind a default-deny firewall, but that's not something consumers will do). 99.9999% of infections require user interaction (and the ones that don't require it become instant international news). Adblockers get you most of the way there and do a better job at prevention than antivirus software.

Flaws in AV software have been exploited by rootkits before. AV software is just another point of failure.


No, they aren't good at finding malware installed. I installed Norton on my mother's friend's computer and it found 4 bits of malware. I later installed Malwarebytes and it picked up something like 45 different malware programs! I was surprised so I verified about 12 of them before I realised they were pretty accurate and let it remove them from her system.

That's a very poor detection rate. I mean, I can confirm that at least 12 nasty malware programs weren't detected by a very widely used AV suite!


Many programs, especially "antimalware"-class programs and __especially__ MBAM serve up false positives as valid hits. MBAM serves up common (and innocuous) tracking cookies as malware hits. Nearly everything that MBAM labels as a 'PUP', Potentially Unwanted Program, is bogus. Also, it will serve up data files (metadata, saved data) files from an infection as the infection itself.

Its user interface deliberately does not give its users the proper context to evaluate the severity of a problem. The change came after they made a concerted effort to monetize the app.

MBAM is good at a lot of things (it has traditionally been on top of modern registry hooks and ransomware loaders where other vendors consistently drop the ball) but just because you saw 45 things flagged red doesn't mean you had 45 bits of hostile executable code on your system.

Malware infections aren't a singular entity anymore, they are a stew of items working together to maintain control of your system (exploit, loader, payload [usually a rootkit], defense, c&c). It's often a matter of breaking the chain of processes to 'open up the onion' and regain control of your system.


Yeah, I know. But I definitely counted at least 12 separate and rather nasty Browser Object based malware programs. Which is a lot better than Norton and Trend Micro, who didn't pick them up at all!


It's highly likely that "business-class" antivirus is the same code sold at 100x the price.

It's also highly unlikely that the teams putting out shitty consumer-facing antivirus magically write awesome code for the enterprise versions.


Generally the AV engine will be the same, but the management tools are more corporate-friendly (remote management and group policies, etc.)


Antivirus nowadays only tells you that you're already screwed, rather than preventing it from happening.

The nastiest of the nasty stuff that's going to log keys, steal info, and so on, tends to be zero days. And after that article that showed how dismal the design of the popular antivirus apps is, there's an argument to be made that using them reduces your security.


http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf

Anti-Virus is little more than snake oil. If you need to secure a Windows box, get EMET and read http://decentsecurity.com and you'll eliminate most of your attack surface.

    Everyone can be secure.
    
    It is with those four words this website is founded. Computer, smartphone, 
    and online security does not require a degree or years of experience. All 
    it requires is someone show you the way.
    
    You've been sold a lie. You can't buy computer security. It is something 
    obtained through configuration and knowledge. Tragically, these aren't even 
    hard to do or obscure to learn. But no one makes money telling you how to 
    use what you already have. What you need is someone who doesn't care about
    your money or looking smart by spouting off fancy words of no consequence -
    just that you not be a victim.
    
    It pains me to see people who distrust and fear their computers, and who 
    feel powerless in that fear. Because that's not what I see when I look at 
    computers and phones and websites. I see tools I trust with the story of my
    life, and the secrets I leave out when I tell that story to others. Everyone
    should be able to feel like that.
    
    This site does not sell anything. This site does not take donations. This 
    site has no one's name on it.
    This site is to fix what is broken. Which is how we teach security.
If you were wondering because it looked familiar, it's run by the same person behind @SwiftOnSecurity.


> You can't buy computer security. It is something obtained through configuration and knowledge.

Tragically, I believe this is true. But it isn't a great and noble thing that people must gain knowledge to overcome their powerless fear of computer technology, it is a failure of technology creators to provide people with simple tools that they can use without fear.

The problem isn't how we teach security, because hardly anybody should have to learn security in the first place. That the mainstream public is even aware of a concern called "security" having to do with their computing tools is already a failure. I can't think of any other mainstream products that people have to be so careful with, where they are told it is their fault that they just haven't gained the expertise necessary to use it without problems.


> I can't think of any other mainstream product that people have to be so careful with...

Cars. Those also tend to kill people, not just wipe out some baby photos. It's not an accident that almost every country requires licensing before you're allowed to use a car.


Good point! Although the most dangerous issue for most un-careful computer users is identity and/or financial theft, rather than losing baby photos. That can arguably have as severe an impact as many types of auto accidents. But the point that it won't kill you is a good one.


Sadly, the current popular 'solution' to this problem is for massive centralised gatekeepers (Google/Apple/Microsoft) to control software distribution, and to varying degrees prevent you from installing anything that didn't come from their store.

This undeniably makes security easier for non-technical users, but I hardly need to point out the downside on HN: these companies get to decide what programs people can install and distribute to others. They're not held to the standards of governments like due process and accountability - even though there are probably now more Android users than citizens of any one country [1].

Kudos to anyone working on alternative ways to make security easy without these gatekeepers.

[1] 1.4bn Android users in September 2015, according to Techcrunch, vs 1.38bn estimated population of China in 2015. Android is growing faster.


I (and many others far more impressive than myself) am trying to solve this problem at a fundamental level: Give the developers tools that are secure-by-default (i.e. libsodium not mcrypt) and teach better development habits. Make it easier to do the secure thing than the insecure thing.

It might take years, but I believe these initiatives will trickle up and make the software everyone uses more secure at a base, so it will require less cognitive load from the end users to communicate safely with each other.

That's the idea, anyway. Time will tell if we can succeed.


Wouldn't you be better off solving it by sandboxing? Basically don't allow programs to do bad things in the first place rather than try and get all programmers to be perfect. Basically the web (and/or some phone OSes).


Sandboxing is good for stopping memory corruption and privilege escalation bugs. It's not very useful for problems affecting cryptography implementation flaws, logic errors, out-of-date software, etc.

Those problems are better solved by giving developers better tools and frameworks that solve these problems for them, that are simple to use and don't introduce massive security foot-cannons.

(This comment is a minor spoiler to my current project, I suppose.)


The problem with sandboxing is that "bad" has no formal specification. There are legitimate reasons to access contacts, intercept system calls or key presses, use raw sockets, etc.

If you try to make those things not possible then people who need them have to use a different platform, which tends to cause other people who need to interact with those people to use the same platform (and so on) until the original platform is in decline. And the effect is worse the more you lock things down. It doesn't help anybody to have an ultra-secure platform that nobody uses.


I completely agree! This is one of the reasons I'm bullish on Rust; in the long run it will be nice to have a (more-)secure-by-default systems level language.


I see your point, but it's at least partly a feedback loop. If software is going to protect users from themselves, it has to be opinionated and not allow the user to shoot themselves in the foot. This approach is not popular with users.

A good example is the backlash browser vendors get when they try to make TLS errors fatal (without a "continue anyway" button). Users will cry bloody murder until the option to bypass the warning screen is re-added, at which point everyone returns to clicking through all warnings and we're back at "you need to know what you're doing to have a secure machine".


But the users screaming bloody murder are right! (Or rather, they are exaggerating, but they are in essence right.) Most TLS errors are not the result of someone trying to spy on you; they are the result of someone letting the certificate expire or something equally silly.

Furthermore, if all the people advocating HTTPS everywhere get their wish, then the people screaming bloody murder will become even more right! If I'm trying to load the HN homepage, and heaven forfend I get a security error, you better believe I'll ignore it, because even in the unlikely case that someone is spying on me, I can't think of how someone knowing which HN threads I read is going to hurt me in some way.


I'm not sure why you've been downvoted, I think you're quite right. A warning that's shown too often when there's no real threat gets ignored. Making the warnings bigger and scarier is just crying wolf ever louder, and it doesn't work.

I don't think the solution is to avoid HTTPS, however. I think sysadmins need monitoring and automation tools so that expired certificates can be an exceedingly rare event. Letsencrypt has taken a big step towards this by making a fully automated process to get a certificate.


I wasn't one of the downvoters, but I will say:

> I think sysadmins need monitoring and automation tools so that expired certificates can be an exceedingly rare event. Letsencrypt has taken a big step towards this by making a fully automated process to get a certificate.

I fully agree with this. :)


I agree that as a computer literate? person I think I mostly know how to avoid viruses. I've never run any anti-virus software (could just be getting lucky).

My family on the other hand can't avoid clicking "Yes", "ok" to anything ever asked of them on their computers. They get massively gunked up and infected and nothing I tell them changes their behavior because at a base level they just don't have the awareness. They're very smart people but what the computer is doing or might do in response to their actions is just not something they think about.


Your comment reminds me of this: http://swiftonsecurity.tumblr.com/post/98675308034/a-story-a...

It's a good read, and it was one of the pieces that motivated me to pursue making security easier for people.


Sadly most of that advice will only work for those that work in IT directly. For those that use IT as a tool in the box to get something else done, or as an internet appliance, most of the suggestions will not fly. They will just hit yes on every UAC, and approve every outgoing connection.


Sure, but instead of throwing our arms up and accepting defeat, initiatives like Decent Security are trying to move the needle away from "insecure by default".

I'm trying to do the same thing with developers. :)


I wonder if science is doing us a disservice here. I get the feeling that just a single vulnerability (no matter how complicated it may be to exploit) is enough to claim "fundamentally insecure". Meaning that we are looking at the topic like we are trying to disprove a scientific hypothesis.


Why does anyone use any third-party anti-virus programs these days? Why not just use the Microsoft ones that are free?


For one, because they come preinstalled. I bought a normal Windows laptop for a relative recently, it came with a 30 day trial of McAfee (I think) pre-installed. Once you install any anti-virus, the MS one is automatically disabled, so new users are given the impression that they need to fork out for a subscription once the 30 days is up, or lose virus protection.

It's an utter racket.


Even more, Microsoft and the OEMs don't really go out of their way to explain this choice to customers. I work with a senior software engineer who recently came to me for help with his new PC after having purchased the full version of the included anti-virus software. He seemed surprised when I asked why he wouldn't just stick with the built in software from Microsoft. So I sent him a link from Microsoft's site explaining about Windows Firewall and Defender. He later told me he felt stupid for having been convinced that he had to purchase the full version of what came on the system or else he would be unprotected. I think it is Microsoft who is stupid for not pushing this message harder, especially in light of the recent developments such as this one. In some of these cases, we're seeing that by installing a third-party anti-virus suite, you're actually reducing the security of your system. I think Microsoft should be concerned that these companies are actually hurting their reputation further.


Microsoft certainly seems to be trying to combat the OEMs on this front, in so much as they can without angering their third-party partners or bulldozing the PC desktop/laptop markets.

Those of us with technical inclination need to be sure to point our family and friends with less technical inclinations to the Microsoft Stores and "Signature Edition" [1] PCs, Microsoft's latest marketing term for unbloated Windows installs out of the box. Some of our friends and families may feel they have a special relationship with an existing OEM, so give them the "Signature Edition" website and have them at least bug their OEM to ship them one.

[1] http://www.microsoftstore.com/store/msusa/en_US/cat/category...


I assume Microsoft couldn't push their own solution because of the anti-trust restrictions. Now that those have expired, perhaps they could unless they're afraid they'll get lawsuits against them again.


Is the PC & OS market still as MS-centric as it was back then? I know they still own the majority of the desktop, but with OS X out there, and more fragmentation to mobile, it feels like it would be much much harder to build an anti-trust case against Microsoft.


Globally, yes. I think parent was talking about the US market where OS X is slightly more prominent and according to StatCounter surpasses the market share of Windows XP and Windows 10 combined. Microsoft still controls 3/4 of the desktop market according to these stats, but that would probably not qualify as monopoly anymore.


I would never buy a computer for/with someone without reinstalling a clean version of Windows onto the machine.

You have no idea where that computer's been before you.


That's really good advice but also hard to do because most OEMs stopped providing a reinstall option which doesn't reinstall their bundled software as well.

Here's the ArsTechnica guide for doing a clean install of Windows 8.1 – imagine walking the average home user through this process, even before you factor in discouragements such as the likelihood of tech support blaming any problem more subtle than catching fire on your reinstall:

http://arstechnica.com/gadgets/2015/02/save-yourself-from-yo...

This, in a nutshell, is a major source of Apple selling so many iOS devices – I regularly hear people say that it's easier to have a good, secure computing experience that way and they're not wrong.


Eh wait, what? Go to settings, update, click "refresh". That's it. Clean bloatware-free Windows installation. Works in win 8 and up.


OEMs figured out that they could build a custom recovery image with the bloatware included (including on Windows 8). Windows 10 supposedly lets you delete the package that includes the bloatware, but I haven't tried it.

http://www.howtogeek.com/174587/refreshing-your-pc-wont-help...

http://www.howtogeek.com/216751/bloatware-banished-windows-1...

Windows 8 and 10 also have a lovely feature called the Windows Platform Binary Table. This allows OEMs to write an application into the UEFI, and Windows will automatically deploy it to memory and run it with admin privileges each time it boots. The intended use was for installing drivers and anti-theft agents, but of course it was immediately used to drop bloatware/malware. This vector works even on entirely fresh installs, and there is no mitigation except obtaining a clean, signed UEFI image.

https://www.techdirt.com/articles/20150812/11395231925/lenov...

http://www.howtogeek.com/226308/the-windows-platform-binary-...
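A read-only check for the WPBT mechanism described in the comment above, added here as an example and not posted by any commenter: it asks the firmware whether a WPBT ACPI table exists and whether the binary Windows extracts from it is on disk. It assumes the kernel32 `GetSystemFirmwareTable` API and the `System32\wpbbin.exe` drop location from Microsoft's WPBT documentation, neither of which is mentioned in the thread; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): report whether this machine exposes a
# Windows Platform Binary Table and whether its extracted binary is present.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class FirmwareTable {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(
        uint FirmwareTableProviderSignature, uint FirmwareTableID,
        byte[] pFirmwareTableBuffer, uint BufferSize);
}
"@

function Get-WpbtStatus {
    # Provider 'ACPI' is the documented constant 0x41435049. The table ID is the
    # signature's bytes read as a little-endian DWORD ("WPBT" -> 0x54425057).
    $acpi = 0x41435049
    $wpbt = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)

    # A zero-size call returns the table length, or 0 if no such table exists.
    $size = [FirmwareTable]::GetSystemFirmwareTable($acpi, $wpbt, $null, 0)

    # wpbbin.exe is where the session manager writes the table's payload
    # (path from Microsoft's WPBT documentation; an assumption for this example).
    $exePath = Join-Path $env:SystemRoot 'System32\wpbbin.exe'

    $result = [ordered]@{
        TablePresent = ($size -gt 0)
        TableBytes   = $size
        OemId        = $null
        ExtractedExe = $exePath
        ExePresent   = (Test-Path $exePath)
    }

    if ($size -gt 0) {
        $buf = New-Object byte[] $size
        [void][FirmwareTable]::GetSystemFirmwareTable($acpi, $wpbt, $buf, $size)
        # Every ACPI table header carries a 6-byte OEM ID at offset 10, which
        # identifies the vendor that shipped the table.
        $result.OemId = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim([char]0)
    }
    [pscustomobject]$result
}

Get-WpbtStatus | Format-List
```

A machine with no WPBT reports TablePresent False and ExePresent False; anything else is worth reconciling against what the OEM says it ships.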


All very well for us techy folk to think and do that, but you can't expect others to.


That's why I said for/with. People wouldn't hire me if I wasn't pro :P


Microsoft has strategic reason not to suffocate the other AVs completely. It's better to have multiple companies attack viruses on multiple fronts. If McAfee and ilk went away completely the onus would lie entirely on Microsoft.

Laptop manufacturers are also to blame because product bundling and bloatware are nothing new.

Microsoft on their part could make it so that Defender worked alongside McAfee but that might encourage users to buy McAfee even more, arguably (double the protection or not knowing they are already protected).


Lenovo are particularly egregious. They collect data from Conduit via their toolbar add-on (Conduit is one of the worst malware makers out there - they are owned by Perion/CodeFuel). Lenovo refuse to disclose they do this, in fact I have support emails denying they do.

Further info here: https://news.ycombinator.com/item?id=9653111

Then there is Superfish...

Who knows what else they are doing?


> Why not just use the Microsoft ones that are free?

For one thing, last time I checked benchmarks they showed that Microsoft's anti-virus not only has worse detection results but also worse performance than some of the free alternatives.


I am very interested in seeing these benchmarks, as my anecdotal experience is the complete opposite.


On my two machines (with SSDs) I regularly find that copying lots of small files is severely slowed down by Windows Defender. It utilizes one core to the max and when disabling it, the copy operation gets a lot faster.

I don't know about other antivirus software though.


I can mirror this experience too. Properly working Intel SSD fwiw. Mine impacts not only file copies but also all small file I/O like listing directories (explorer would hang for 1 second entering a new directory) and the like.


I've had a couple users complain that my program started running really slowly while they were using Microsoft Security Essentials. It turns out that if a file contains a "suspicious" pattern of bytes (which in these two cases were two different user-drawn bitmaps), SE will do some time consuming heuristics every time you open the file. So opening, reading, closing a file 10 times in a row is really bad.


I don't know why this comment is being downvoted. A quick google will show the results.

Page 9 of the latest report: http://www.av-comparatives.org/summary-reports/


Yes. Microsoft, alone among AV vendors, shares any signatures it finds with every other major AV vendor, so everyone is going to find everything Microsoft does, plus what their own research turns up. That said, I don't think it matters enough to bother with the problems for-pay anti-virus vendors bring.


Did you read the document? The Microsoft product is quite good, but many of the paid ones are better. I don't know what problems you are talking about (I don't have any) - but that's a personal anecdote, we are discussing a proper comparison.


> I don't know what problems you are talking about (I don't have any)

The glaring security holes opened by them month after month? The HN link you're posting a comment to is about the 5th bad exploit in third-party AV this year alone.

So far nothing seems to have been found in the MS built-in one.

Installing third-party AV means that you expose yourself to targeted attacks and, if this goes on like it currently does, to drive-by attacks too, as by now malware authors must have gotten the hint that searching for vulnerabilities in those various AV products is a very worthwhile effort.

In general, AV products provide a HUGE attack surface: They don't just need to support natively many more file formats than any other piece of software, they also have to harden their support against exploit code purposefully written to be malicious.

And compared to many exploitable user-space applications, these AV products normally run in kernel-space, so an attacker doesn't just gain remote code execution, they gain remote code execution with admin privileges.


I skimmed it, I didn't see anything I haven't seen before. Notably they aren't grading on stuff like "number of popups that I have to click through to get it to quit nagging me." There's also been privilege elevation exploits using antivirus software.

EDIT: And there's anti-virus software that's messing with your system's root certificates so it can MitM all your HTTPS traffic to scan it:

http://www.securityweek.com/antivirus-software-has-negative-...


Yeah, but the detection rates suck for every single AV.

Slightly better snake oil is still snake oil.


Why is "worse" not OK but "better" is? Neither can be perfect and both will be far better than nothing. Just making up some numbers, but if the Windows AV can detect 80% of viruses and Norton can detect 90%, then you're still vulnerable to that last 10% whatever you do. You're also still protected from the majority of viruses whatever you do too.


I'll give you an interesting example. I was one day coding a keylogger for testing purposes. 100% original C++ code written by me based on Win32 API docs.

Compiled and ran the code and immediately Bitdefender blocked the program and put up a "Keylogger detected" message.

Microsoft built in antivirus doesn't have this kind of behavioral detection protections.


The reason this is mostly useless is malware writers can do the same test with every AV and just evade the heuristics.


It does raise the bar significantly. There are 3-4 ways for system level keyboard monitoring, and all were detected. So a malware writer has to either disable the AV first, or hook individual applications one at a time instead of the whole system (and this exposes it to injection detection heuristics).


> Compiled and ran the code and immediately Bitdefender blocked the program and put up a "Keylogger detected" message.

Which is quite problematic because it was a false positive. You knew and wanted that program to log key presses.

That's the trouble with aggressive heuristics. Users are going to have a program that translates keyboard layouts by hooking the key presses. Or software that comes with some fancy input device.

Then the antivirus says it's a keylogger even though they know it isn't and the user is taught to expect good rather than bad things when they press "allow" against a something-is-wrong prompt.


I wouldn't call it a false positive, since it was definitely logging keys. I view it more like a sudo prompt.

From my experience there are very few legit reasons for intercepting keys, and the use cases you mentioned are better solved by implementing a device driver (which would be signed by MS).

Allowing non-elevated code to install system hooks also enlarges the attack surface, since now a malware piece can just infect your keyboard layout translator for getting keyboard access.

Me, I would like an Intent/Permission mechanism on Windows, where certain actions like keylogging or accessing other processes' memory require explicit white-listing (like on Android/iOS). Currently some actions do require a certain privilege, but that privilege is granted per-user, not per-app, so it doesn't help that much.


> From my experience there are very few legit reasons for intercepting keys, and the use cases you mentioned are better solved by implementing a device driver (which would be signed by MS).

That's assuming you have control over what third parties who write the software have done, and needing to go through the expensive bureaucratic process to get a driver signed is a major reason why they wouldn't do it that way if there was any alternative.

> Allowing non-elevated code to install system hooks also enlarges the attack surface, since now a malware piece can just infect your keyboard layout translator for getting keyboard access.

But now you're not talking about antivirus anymore. Installing things is expected to require privileges. There is a huge difference between a password prompt that says "authenticate if you want to install" and a red alert that says "malware detected and blocked, override may cause fire and mayhem."

Which is especially problematic when it's done by third party antivirus because it means the vendor of whatever software is being misdetected as malware probably didn't encounter that in their testing.

> Me, I would like an Intent/Permission mechanism on Windows, where certain actions like keylogging or accessing other processes' memory require explicit white-listing (like on Android/iOS). Currently some actions do require a certain privilege, but that privilege is granted per-user, not per-app, so it doesn't help that much.

Fundamentally non-technical people don't understand what they're authorizing. It doesn't matter how granular the choices you provide are if the person in front of the button doesn't understand the implications.

You have to be able to trust the software you run, which implies trusting the people who made it. And people keep trying to solve that problem centrally when it isn't a central problem. Microsoft can't tell you if you can trust your brother, or the girl you met at the computer club. They can't tell you if you can trust Lenovo or Sourceforge. Microsoft certainly can't tell you if you can trust Microsoft. You have to decide, or decide who to trust to decide for you. And if you aren't going to decide for yourself then the person you trust to decide can't be Apple or Microsoft, it needs to be someone you personally actually trust, because central gatekeepers can't be trusted not to act against your interest when it's in theirs.


That's not problematic at all. If I want the thing to run, I'll whitelist it and move on. Constant false positives would probably be a bad thing, sure, but any user advanced enough to be installing a keylogger deliberately is probably advanced enough to know the difference.

The alternative is that we don't see when a keylogger is being installed non-deliberately, and that would be worse IMO.


From what people I've talked to have told me - they don't trust Microsoft to secure the OS.

Plus, e.g. Comodo gives you a firewall. While I know that Windows has a perfectly good firewall, it doesn't come with a systray icon with a button labeled "protection from active network probes: active" or whatever.

Personally, I just have a router between me and the big bad internet and use Security Essentials plus Common Sense 2012.


Warning your Common Sense 2012 is outdated, you should buy the new 2016 version ;-)


Every antivirus has exploits. Having one installed just opens more doors for attackers to hit your PC.


It closes some too. Anti-virus software does not have to be perfectly secure (not to be confused with providing perfect detection!). To have a net positive impact on computer security, all anti-virus software has to be is quite literally better than nothing. That's by no means a given, but neither is the opposite: that using anti-virus is by definition worse than not using it.


They can't be bothered to do things that are actually effective, like reading installation dialogs fully, installing an ad-blocker, and avoiding the downloads from the sketchiest of porn and torrent sites.


It isn't (just) laziness. A friend of mine downloaded Google Chrome because they knew it was a secure browser to use... except that the search result page provided them with a poisoned installer full of malware.

If you're not technically inclined there are minefields everywhere.


I bought my father-in-law a new laptop, wiped it and installed it with just what he said he needed.

Only to watch him say "I want to get vlc," type vlc into Google, skip over the VideoLAN - downloads link, and click some virus-infested link further down because the title of the link was "Get vlc."


"What's VideoLAN?" ~ The not technically-focused.

This is why the scams work.


The top result for me is:

VideoLAN - Official page for VLC media player, the Open ...

The other results are all either directly or almost directly associated with VLC. I get no scam sites in the top 10 results. Have the search results improved? Is this the effect of search personalization? What gives?


That was the top result for him, but the problem was it didn't say "VLC" right up front. I believe he grabbed what looks to be the 12th link when I use a private browser, but who knows what search personalization he'd picked up along the way, since he had logged into Google. I know it was at least half-way down.


5th word in the title doesn't count as "right up front"? sigh...


Never underestimate the laziness of the human mind scanning for something. Now, I do think the text back then (1.5 years ago) might have said "VideoLAN - downloads" and that was all -- which is worse -- but I recall seeing "VLC" obviously in the description under the link, and it could have been in the link title.


Oh, well, then I understand. I wouldn't expect someone to actually read the description. Even I wouldn't underestimate laziness by that much :) I'm glad the VLC folks learned their lesson.


Another scary one: search for “Flash update”, “Java update”, etc. If you use Yahoo, Bing, etc. you'll have to screen past dozens of adware-or-worse links before finding the official sites – perfect for the next time a security exploit hits the news and viewers are told to upgrade ASAP.

People have reported this to various slackers for years but companies like Yahoo are loath to turn down ad revenue and they still have millions of users.


The Yahoo user base is decreasing every year.


Agreed, but it's still a lot of people in aggregate and I suspect it has a notably higher percentage of the inexperienced users who would be most vulnerable to this and probably aren't likely to switch to Google / DDG any time soon.


You mean security essentials?


MS Security Essentials detection rates are pretty poor, historically. Considering excellent products like Avast are free for the home user, I don't see why we'd recommend the MS one.

To be fair, MS has recognized this and has been steadily improving detection rates. It has only recently been able to outdo Avast or AVG. Hopefully, this trend will continue. I imagine MS is under a lot of pressure to contain the Cryptolocker-type infections and the bad press of the past couple years is probably a motivator.

http://www.alphr.com/security/6745/best-free-antivirus-of-20...


>excellent products like Avast

Isn't this claim somewhat refuted by the very article you are posting against? There are other comments in this thread that explain why this doesn't make any sense, e.g. pilif's above[1]

[1] https://news.ycombinator.com/item?id=11058688


They both have detection rates in the high 90s, which is considered excellent, in general, and certainly so for a no-cost product. MSE only just edged out Avast.

The comment you listed cites nothing, not sure why it's so authoritative to you. All software has vulnerabilities, but where's the big attack on AV? What CVEs are we seeing in the wild, if any?


Tavis is a beast when it comes to finding these exploits. It's always fun reading his write-ups.


I get more excitement from seeing his avatar in my Twitter timeline than any other.


Aren't these sorts of zero days worth a LOT of money? He didn't go all the way to RCE, but he probably could have gotten there. It makes you wonder how many people are out there with Tavis' skills who just farm these things and sell them to the highest bidder instead of making us safer.


Fortunately there aren't many with Tavis's skills, but you don't need to be that legendary to find these sorts of vulnerabilities.

Assuming you can identify (skill) and safely sell (anonymity expertise and market savvy) a zero day, the demand for them is quite limited. (The only reason the price is so high is that the supply is just even lower.)

Additionally, if you have the market savvy to extract the maximum value for a 0day, you will quickly realize the feast-or-famine nature of unsavory income isn't great for a stable home life. You might eventually want a day job, and you can't exactly say "Oh, I helped that virus penetrate your network three years ago that you just detected last month."

So most people with Tavis's skill levels typically aren't in a hurry to go rogue.

And the ones that do are more interested in compromising bitcoin exchanges and drug marketplaces on Tor Hidden Services than they are in spreading malware to end users. (That's the advertising industry's shtick.)


Yea, I'd also have to say very few. A researcher of that skill level is pulling a very comfortable salary. A lot of the work that comes with that salary requires you to have an above board reputation. If a company is hiring you (or your parent company) to find vulnerabilities in their product, they need to be sure you don't have a conflict of interest.


My machine is running CUPS on 127.0.0.1:631 (the local HTTP interface). Does this mean any web site can print with my printer?


Potentially depending on how it is secured (if it is), but it warrants further investigation.


Interesting posts from Avast explaining how they supply data to their marketing analytics product from their AntiVirus products:

https://forum.avast.com/index.php?topic=171725.0

https://blog.avast.com/2015/05/29/avast-data-drives-new-anal...


Aw, I got all excited that someone had actually made a Chromium fork with basic things, like JS's script security context, completely ripped out. No HTTPS validity checking, etc.
