I Surf Unprotected
#3
Posted 29 May 2009 - 07:33 AM
#4
Posted 29 May 2009 - 08:02 AM
#5
Posted 29 May 2009 - 08:18 AM
It's not what platform you're on, it's the user. Kinda makes me wonder about the Mac users...
#6
Posted 29 May 2009 - 08:23 AM
#8
Posted 29 May 2009 - 11:13 AM
billjohnson12 said:
Ha ha. Ha ha ha. ;-)
-----
Google: Results 1 - 10 of about 1,770,000 for safari first hacked. (0.18 seconds)
========================================================================
The Secunia Weekly Advisory Summary
2009-05-21 - 2009-05-28
This week: 59 advisories
========================================================================
This Week in Brief:
A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
For more information, refer to:
http://secunia.com/advisories/35091/
--
A vulnerability has been discovered in Mac OS X 1.5.7, which can be exploited by malicious people to compromise a user's system.
For more information, refer to:
http://secunia.com/advisories/35118/
{Snipped}
Hacker claims to have phished Steve Jobs Amazon account
Mac OS: More critical flaws than Windows in 2007
Nils2Own: 'I want to see security flaws fixed'
How about the Firefox on Windows exploit?
Let me correct something. It was a Firefox on Mac OS X vulnerability and exploit. The bug does affect Windows but, honestly, it's way harder to get the code to run reliably on Windows. That's the reason I did my Firefox attack on the Mac. I'm not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily.
For that reason, I'd rate it a 3 in terms of difficulty. The vulnerability was nice. You get a lot of control over what you can do and just execute your code. Just place the code in memory. You can spray it and it'll be in a predictable area. On Mac OS X, there's no ASLR or DEP, so you can just [snaps finger], execute it and it will work.
Mac malware builds botnet, while smug fanbois gently weep
I'll stop here out of kindness, or I could fill the contents of a book with these Mac invulnerability myths... Lol!
Message was edited by: smax013
#9
Posted 29 May 2009 - 01:54 PM
#10
Posted 29 May 2009 - 03:53 PM
In 2002, after a particular McAfee update left me unable to scan except in Safe Mode (a bug their support was unable to fix), I took a chance and started surfing "naked", figuring that — being a web developer — I knew enough to protect me.
Well, it turns out I was right. :)
Seven years on, and I'm clean as a whistle (I run TrendMicro online, plus AdAware and Spybot, every 3 months or so, just to be sure - but they never find anything but tracking cookies). I'm using Win 2K and XP, and have used plenty of file-sharing software, installed many dozens of free apps, etc. (ie safe computing doesn't mean you have to give up anything)
What amazes me is that IT'S NOT THAT DIFFICULT! I'm no super-genius ... but I guess I took some responsibility for learning a few geeky (but simple) things about computers — something that most people seem not to do. You know — file extensions, common browser exploits, that sort of thing.
We trust SO much to our computers these days — bank accounts, treasured photos, personal diaries, entertainment collections — and yet we just sit back and assume everything will all work out. "I've got my antivirus program, so I'm okay; I don't need to worry about anything else."
I liken having antivirus software on your computer to having a doorman for your bar/restaurant/whatever. When someone tries to enter, he looks at their face, then compares it to a list of everyone who's been banned from the place, and if there's no exact match, he lets them in ... except all it takes is a fake moustache to fool him! If you, as the owner of the establishment, never questioned the doorman's decisions, it wouldn't take long till you were robbed!
My point? Go ahead and keep the doorman, if it's helpful. But don't think that gets you off the hook; you still have to pay attention.
I'll bet Nigerian scammers don't get as many viruses as the rest of us. They, at least, take an active interest in the tools of their trade ...
#11
Posted 29 May 2009 - 05:19 PM
#12
Posted 29 May 2009 - 08:57 PM
#13
Posted 30 May 2009 - 02:35 PM
I'm sorry...
But, this article's conclusion is awful worrisome to me, because it simply, defies the realities of "Windows" usage. Just because the author, personally, (anecdotally) has avoided "viruses"... or other "malware"... they can, simply, be avoided..? in normal-use..? (...while running a "Windows", based, computer)..?
Sorry, but...
The simple FACT is that even a "fully patched", and "updated" Windows-computer (run by an experienced user... let alone a "typical" user) most certainly CAN still be COMPLETELY compromised, simply from -touching- a "poisoned" (and, YES... perfectly "legitimate") "website". In fact, many of the top security-researchers, and institutions, are now stating that -THIS- is becoming the NUMBER-1 method of serious computer-infections. And, that is while USING... "anti-virus" software, non-standard "browsers", software-"firewalls", AND "routers".
The fundamental-fact is that the "Windows-OS" is, simply, too (poorly) "integrated", "bundled", and implemented (...by Microsoft, let-alone, third-party application-developers, who must work within the Windows-framework). This is a characteristic found at the most fundamental-levels of the "Windows" design/approach/architecture. And, yes... Microsoft still DOES... use the BOLT-ON (after-the-fact) approach to fixing, what are often, INHERENT "design-flaws". Those are just the technological-facts (based upon years of "personal", "external", and independent-institutional, security/design/application -research).
The "Windows Vista/Windows-7" code-base has improved the situation somewhat. And, Microsoft's attempt at (once again, after-the-fact) process/user-authorization, helps. But it (the latest iterations of "Windows") is hardly as "hardened" (I.E. inherently "secure") as several alternatives (...all, bogus, "popularity" arguments, aside).
Furthermore, MOST "users", now, do know about (and effectively avoid) email-infections/scams (my experience is that we, "support-personnel", are rather thoroughly, mostly past that hump). They (typical computer-users) also DO run numerous anti-virus, and anti-malware, applications, by default. However, "Windows" still has too many OS infection-vectors, and security flaws (and, that includes "Vista/Windows-7"). In my opinion, to even remotely suggest that "being careful" is enough to avoid the, VERY REAL, "security threats" faced by (even, prudent) "Windows PC" users, everyday... is ill-conceived, and DANGEROUS, or, just plain... UN-TRUTHFUL.
And, THAT is TWO-CENTS from someone who has literally spent years, often, picking-up the pieces... for other "careful", "experienced", users/developers/designers.
#14
Posted 30 May 2009 - 10:23 PM
Like under Unix/Linux/BSD/OS X using the su command, running as a simple user, and not administrator or root equivalent, by simple use of the Run As command, would prevent most problems...
Principle of Least Privilege:
In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.[1][2]
When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.
Here's a good read on how to use Run As effectively under Windows:
http://safecomputing...nload/RunAsUsersumit05.pdf
Abstract
This is an ITSS draft document designed to help technically advanced Windows users run under a more secure (non-admin) context. Please send your much appreciated feedback to itss@umich.edu.
Run As User!
You've heard it a thousand times: "Don't run as admin". Yet you continue to tempt fate. You log in with admin credentials and surf the wild wild web through whatever minefield it takes you. You open email and attachments with abandon, confident in the fact that you've never been hacked before. Yet every once in a while, your heart starts to beat a little faster. Perhaps it happens when you land on some web site you didn't expect, or when you double-click on that unsolicited email or launch some video clip that your friend sent you. Your heart accelerates because you know, deep down, it's just a matter of time before you do get hacked. And then, because you're logged in with administrative credentials, you know the price could be big. If you're lucky, only your ego will be bruised. Worse, the integrity of your system will be compromised and personal as well as private University information will belong to someone else. In fact, it's entirely feasible that your system has already been compromised and you're not even aware of it. How do you know that it hasn't?
If you're pushing your luck by logging in with administrative credentials, then read this paper. We'll illuminate the "tips and tricks" necessary to start running as user. You'll feel better running in a less privileged context, and you'll be making a critical contribution to the security posture of your unit and the University.
#15
Posted 30 May 2009 - 11:30 PM
1) For browsing — Firefox with NoScript and AdBlock; Java is disabled.
2) In Acrobat Reader I have Javascript turned off.
3) If I'm ever in doubt about an attachment, I'll upload to VirusTotal, and/or save the file to my drive but open it into a text editor so I can see if it really is what it says it is.
4) If in doubt about a Word doc, I'll open it in WordPad instead to avoid macro issues.
5) I update Windows regularly.
6) Autorun is disabled.
7) I pay attention to security news (only takes a couple minutes a day).
Am I such an anomaly? After SEVEN YEARS of living like this without one single infection? (And by the way, I run under an admin account, if that doesn't just make your blood boil.) Isn't it just possible that a conscientious user can succeed on his or her own?
Sorry if I didn't use enough quotation marks ...
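Added example, not part of the original post or written by any poster in this thread: a small Python check in the spirit of item 3 above, comparing what an attachment's first bytes say it is with what its name claims. The signature table covers only a few well-known formats, the function names are hypothetical, and the sample inputs are constructed.

```python
import os

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"MZ", "exe"),                                # Windows PE executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Extensions that are consistent with each detected content type.
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".scr"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "ole": {".doc", ".xls", ".ppt", ".msi"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
}
# Constructed sample attachments (name, first bytes); not real files.
SAMPLES = [
    ("holiday.jpg", b"MZ\x90\x00\x03"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("report.pdf", b"%PDF-1.4\n"),
]

def sniff(data):
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def check_attachment(filename, data):
    """Return warnings where the name and the content disagree."""
    warnings = []
    name = filename.lower().rstrip(". ")   # Windows ignores trailing dots/spaces
    base, ext = os.path.splitext(name)
    kind = sniff(data)
    if kind and ext not in EXPECTED_EXT[kind]:
        warnings.append("content is %s but extension is %s" % (kind, ext or "missing"))
    # "invoice.pdf.exe" shows as "invoice.pdf" when known extensions are hidden.
    if ext in EXPECTED_EXT["exe"] and os.path.splitext(base)[1]:
        warnings.append("double extension %s%s" % (os.path.splitext(base)[1], ext))
    return warnings

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_attachment(name, data) or "ok")
```

An empty result only means the name and the header agree; it says nothing about whether a genuine PDF or Office document carries an exploit or a macro.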
#17
Posted 01 June 2009 - 09:36 AM
2) Drive-by downloads require Javascript (or Java) to work in Firefox (IE's may be a different story), and I have NoScript disable all scripts by default. When I see something appears to be missing on a site, I look at NoScript's toolbar to see what it has turned off, and then selectively allow only the script(s) I think will make a difference -- so if I'm at the New York Times, I'll only allow a script from its own server, not from its advertising partners.
-------
Am I 100% absolutely bulletproof? Of course not. But neither are those who rely on so-called AV solutions.
I do believe that, with some knowledge and care about how I surf, my risk is not only extremely low, but may easily be lower than most people's, simply because I understand typical attack vectors. A "know thy enemy" kind of thing.
By contrast, when each new zero-day exploit comes out, everyone with "protection" is extremely vulnerable until their software gets updated (especially if they take greater risks BECAUSE of their AV software, ie believing they're in good hands). Not me.
One of the previous commenters suggested that most people are, in fact, aware of the dangers; I respectfully disagree. That is, I disagree with the implied level of their knowledge. If by "aware" one means that they simply never open attachments, then that's a pretty blunt way of dealing with things. There's a whole lot more awareness to be had on the subject. (I guess these people would never eat anything unpasteurized, either.)
I know many people who have no idea about what kinds of files can infect them and what kinds can't. And yes, I'm glad they're using AV. But I'd rather make them safer through EDUCATION -- real education, not just blanket statements like "never open attachments" -- rather than reliance on bloated software that fosters ignorance.
Look at this analogy:
1) Most bicycle injuries happen when a person falls off their bike.
2) Bicycles rarely fall down if they have training wheels attached.
3) If you don't wish to fall down, then always keep your training wheels on.
Continuing this example, if we treated bikes like computers, we'd be happy if people became better cyclists, so long as they keep their training wheels on. Take them off and you're a danger to society! You'll be giving people the wrong example!
Okay, no analogy's perfect, and I'm sure there are holes in mine. But it makes my point.
I'd like people to take responsibility for the tools they use. And there's nothing like the incentive that surfing "naked" can bring to make that learning high-priority. The result? Far fewer infections, far less identity theft, and a much smarter general public.
How could that not be better than the status quo?
#18
Posted 01 June 2009 - 12:32 PM
And FWIW, I personally feel that Apple is stupid for suggesting that Macs are so secure that they essentially advise surfing unprotected...even though there are virtually no known threats "in the wild" (and yes, WinTard, I know that there are vulnerabilities on the Mac, but to date no one has really shown signs of exploiting such vulnerabilities in the "wild" in any noticeable or significant way...unlike Windows).
#19
Posted 01 June 2009 - 01:01 PM
#20
Posted 01 June 2009 - 01:39 PM
(It would be interesting to learn what percentage of people have, in fact, suffered infections despite using AV for the past seven years, and compare that to the track record of "conscientious objectors" like myself.)
If I used AV, I'd have a lot less incentive to be careful online -- and then when the zero-day exploit hits that my AV hasn't updated for, BOOM! I'm infected.
By the way — how do YOU know you're not infected? Because McAfee tells you so?
I don't mean to fight about this, despite the rhetoric. I just can't help thinking that some people — not everyone, certainly; but not a slim minority, either — would be better served by relying on their own wits than those of a program, and to take 100% responsibility for the actions they take on their computer.
And as for whether Michael Scalisi has been irresponsible in writing about this (a suggestion made by others), I think that's bunk. He's been very clear about how he steers clear of danger, and also has warned people not to try this without a great deal of forethought. If some reader is witless enough to zip through the article and jump to conclusions then that's his own fault. Michael's audience is, after all, adults who should be able to think for themselves.