Something about firefox that I don't believe...

+1

[b]What's the most important part of OS security?[/b]

The user. It’s always the user. I’d rather have a smart user running as administrator on a Windows computer with no firewall, no anti-virus, and no anti-spyware than a dumb user running as limited user on an Ubuntu computer with a firewall, anti-virus, and a rootkit detector. Dumb users click on anything, somehow manage to install untrustworthy software even without administrative privileges, and use easy-to-guess passwords.

As an illustration, take a look at this excerpt from the Seinfeld episode “The Robbery,” in which Jerry buys a secure “operating system,” and Kramer plays the “dumb user.”

ELAINE: [from the bathroom] JERRY! [enters the living-room] Jerry, oh, hi, welcome back. How were the shows?

JERRY: Great, I had fun, where’s the TV, where’s the VCR. [Elaine looks guilty] What?

ELAINE: They were stolen.

JERRY: Stolen? When?

ELAINE: A couple a hours ago, the police are coming right over.

JERRY: Stolen?

ELAINE: [Kramer enters the apartment] Someone left the door open. [it’s clear that she means Kramer; she walks to the bathroom]

JERRY: [to Kramer] You left the door open?!

KRAMER: Uh, Jer, well ya know, I was cookin’ and I, I uh, I came in to get this spatula…and I left the door open, 'cause I was gonna bring the spatula right back!

JERRY: Wait, you left the lock open or the door open?

KRAMER: [bobs his head guiltily] The door.

JERRY: The door? You left the door open?

KRAMER: Yeah, well, I was gonna bring the spatula right back.

JERRY: Yeah, and?

KRAMER: Well, I got caught up… watching a soap opera…[with a broken voice] The Bold and the Beautiful

JERRY: So the door was wide open?

KRAMER: Wide open!

JERRY: [Elaine enters the living-room] And where were you?

ELAINE: I was at Bloomingdale’s…waiting for the shower to heat up.

KRAMER: Look, Jerry, I’m sorry, I’m uh, you have insurance, right buddy?

JERRY: No.

KRAMER: [looks shocked] How can you not have insurance?

JERRY: Because…I spent my money on the Clapgo D. 29, it’s the most impenetrable lock on the market today…it has only one design flaw: the door…[shuts the door] must be CLOSED.

http://psychocats.net/ubuntu/security

In my opinion, all of these browsers are equally secure providing the person using them only goes to safe sites.

Safe sites? Do you guys read the news posted here? Or even surf the web? There is no such thing as a “safe site”- many legitimate sites are hacked and serve up exploits. Even a Google search can contain exploits.

Browsers are equally secure? Well, only if you ignore the evidence.

:slight_smile:

http://www.webdevout.net/browser-security

I understood what Bob meant by “safe sites”, and I’m sure you did too Frank.

BBC News, or Free Wallpaper Downloads - which one do you think might be safe?

or, how about Social Security dot gov, versus Hot Britney pics?

I don’t think he meant anything more, than a person needs to use common sense when surfing the web, and if they do, it really doesn’t matter which browser they use.

I agree with that.

There’s no guarantee that media or government sites will be safe, as both have been hacked to serve up exploits.

I’ve posted many links to articles on this subject, so regular forum members should be aware of the problem.

The stories are also mentioned here:

http://www.geocities.com/dontsurfinthenude/blog.htm

(See the entries for 2/10/08 and 8/5/08 especially.)

The idea of “safe sites” is just wishful thinking, as the following incident should have proved to even the most wishful:

http://news.softpedia.com/news/Avast-Forum-Hacked-Users-At-Risk-70378.shtml
http://forums.anandtech.com/messageview.aspx?catid=76&threadid=2088998&enterthread=y

Perhaps we could get a confirmation for these year old reports from the avast team.

Why did I miss the reports of the folks who got infected by visiting the avast forum at the time? Perhaps they were remarkably few.

Why didn’t I get infected by visiting the avast forums at the time? Maybe it is my luck … why could it not have been a lottery win?

Why did FWF not bother to report this in the forum until more than a year later? Maybe I missed an earlier report.

This takes us back full circle to the title of this topic. It does say Firefox in the Softpedia article, doesn’t it?

Ah … indeed … must be because I was using Firefox at the time.

It does rather muddy the waters, at least to some extent, in the point being made in the post by FWF though.

I have to wonder about where this is intended to take us. Is the intent to make us all live in fear? Is the point that we should not be using our browsers at all? It is a bit like flying. I didn’t get killed in a plane crash yet (but many others have in my lifetime) so I will go on flying. If I am wrong in that assessment I will try to let you all know from the beyond not to pay any heed to my comments.

And the conclusion is? The butler did it? :wink:

Where is Inspector Clouseau when you need him?
http://inspectorclouseau.com

The incident was openly discussed on the forum at the time. I think DavidR spotted it first. I made a comment too. The hack was confirmed by the avast! team. Successful attacks were hopefully very few as we’re always telling people to update their software and the exploit only affected out of date browsers. It was not a question of luck- up to date browsers were not affected. Yes you missed the reports.

http://forum.avast.com/index.php?topic=30119.0
http://forum.avast.com/index.php?topic=30120.0
http://forum.avast.com/index.php?topic=30120.msg249686#msg249686

EDIT: This is actually a second exploit from a year later.

http://forum.avast.com/index.php?topic=34039.0

Ah ... indeed ... must be because I was using Firefox at the time.

No, the exploit affected IE and Firefox. It would’ve been because you were using a patched version of Firefox.

It does rather muddy the waters, at least to some extent, in the point being made in the post by FWF though.

I have to wonder about where this is intended to take us. Is the intent to make us all live in fear? Is the point that we should not be using our browsers at all? It is a bit like flying. I didn’t get killed in a plane crash yet (but many others have in my lifetime) so I will go on flying. If I am wrong in that assessment I will try to let you all know from the beyond not to pay any heed to my comments.

The point being made is that it doesn’t matter where you surf- you will always be at risk. To suggest that you can avoid attacks by keeping to “safe” sites is wrong.

FWF,

have you ever seen any assessment of how many were infected by this hacking of the avast forum?

If you skate on thin ice and get across - even if it is risky - you are still alive.

To get back to my point - you are pointing out risk - I am pointing out risk too. You are saying that no sites are risk free. I am not disagreeing but saying there are certainly “safer” sites to stick to.

We are really back to the old “you could get killed crossing the street in front of your house tomorrow”. While I agree that we should not here ever say that surfing is risk free nor should we be trying to tell folks that the sky is falling.

For the last four years and more I and the folks I support have been avast users - in that time all of us have now moved to being behind hardware routers too and I push the “keeping up to date” with security fixes. I am relieved and glad to report that in that time we have all been surfing and none of us have incurred an infection - I hope it will long remain that way.

FWF,

have you ever seen any assessment of how many were infected by this hacking of the avast forum?

Not by individual hacks (the point of an exploit is to install malware without the user’s knowledge, after all) but by hacking of web sites, yes:

Virtual Heist Nets 500,000+ Bank, Credit Accounts

A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

The makers of Sinowal typically have spread their Trojan by sewing malicious code into the fabric of large numbers of legitimate, hacked Web sites. When an unsuspecting Windows user visits one of these sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular video and music player plug-ins like Macromedia Flash and Apple’s QuickTime player.

http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html

Some good points raised here, not that I’m an Adjudicator. ;D

Basically all of us who follow the Avast! forum suggestions for safe surfing, and use Avast! Anti-Virus with its compatible software bedfellows, which change as required year after year will report they have very few if any viruses.
This is good, Yes??? Awareness of how to configure your AV, Anti Spyware, Firewall, and Browser whether it be IE or Whatever is what it takes to have a better than Nil chance of navigating from one website to the next, as I believe …, maybe not everyone :stuck_out_tongue:

Husk: ( Thread Starter )

I just had my computer reformatted. And the computer guy said that firefox is bad news and is bad and stuff and that it doesn't block anything and lets everything through, Which is IE as I recall ^^. Which in my opinion is NOT TRUE!!, Now my mum thinks it's causing crashes. At least she knows how to reformat now. Any idea on how to make her not believe this?
You can lead a horse to water ... etc. When you're big and have your own Computer you can have Firefox ;) (sorry j/k )

Wasn’t this topic also about Firefox; “Now my mum thinks it’s causing crashes.” If so you may want to look at how much memory, you have, RAM, How much memory IE uses when you run it compared to Firefox, and fix whatever is making the Comp. crash, your mother will have to let you use Firefox then, logically there would be no reason to not use it. Also because a very large lot of people here at this AV Forum who use Firefox aren’t getting viruses, or system crashes.
Read the Forum posts and get familiar with why :slight_smile: Best of luck.

There's no guarantee that media or government sites will be safe, as both have been hacked to serve up exploits.

I’ve posted many links to articles on this subject, so regular forum members should be aware of the problem.


So if I follow your logic Frank, we should all stop surfing the internet.
I’ll let you lead the way. ;D

alanrf has pointed out in another thread that I didn’t respond to Bob’s question.

I didn’t do so because I thought it was a straw man.

I thought at the time everybody knew what I meant (I’ve said it enough elsewhere) but re-reading the thread, I haven’t actually stated it here.

So I will state it.

There is no such thing as a safe site, so it is important to keep your web browser and web-facing software up to date.

Hacked web sites use exploits to install malware, but these exploits usually affect out of date, unpatched and insecure web-browsers or web-facing software.

With a fully patched and up to date system, it is perfectly safe to surf any site on the web.

The rare exception is when an exploit exists for a browser or piece of software for which no patch has been issued- a zero-day exploit. When this is true, I would recommend following any advice given for mitigating the threat, or avoiding that browser or piece of software until a patch is issued.

WebShield is a useful first line of defence for Windows users, but the main line of defence is a fully patched system, which is why I recommend Secunia so often.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

Isn’t it nice when we are able to agree on a statement. :slight_smile:

This Tech is off his rocker, When I’m asked by a customer about browsers I try to give them the good and bad points about ALL of them. But, if they ask what I use I tell them IE, Not because it’s special, just because it’s MY choice.