|
Do you make your software virus proof?
If it's not broken, fix it until it is
|
|
|
|
|
To the best of my ability - but most of the responsibility lies with the OS and browser since they're doing the low level stuff.
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
And someone better will defeat it... But that's your fault, right?
By your logic, YOU should have put more time and expense into defeating all viruses that might attach your software.
If we as developers tried that, the cost of our apps would skyrocket and the app side would be exponentially huge, and it would never be done.
If it's not broken, fix it until it is
|
|
|
|
|
Kevin Marois wrote: If we as developers tried that, the cost of our apps would skyrocket and the app side would be exponentially huge, and it would never be done. Which is why we rely on the OS and its API's to be secure.
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
"If we as developers" includes OS providers. They do have some level of protection in there, but they cant stop everything and if they tried the already over-priced Windows would never be purchased.
If it's not broken, fix it until it is
|
|
|
|
|
Kevin Marois wrote: If we as developers" includes OS providers. They do have some level of protection in there, but they cant stop everything Of course but you seem to be suggesting that only a rudimentary level of security is OK and we should rely on 3rd party anti-virus developers to do the hard stuff.
If the AV folks can do it - why not the OS developers?
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
Kevin Marois wrote: By your logic, YOU should have put more time and expense into defeating all viruses that might attach your software
The answer to that is obviously no, but as a developer, I don't think it's unreasonable to be expected to at least try to mitigate potential issues when you design your apps. That's why, after all, threat modeling tools exist. They're not just for OS designers.
It starts with not requiring the user to run as an admin, not saving passwords in plaintext--those sorts of things. You're not entirely absolved from any responsibility just because there's an anti-virus running that's trying to protect the user from himself.
|
|
|
|
|
So then where do you draw the line separating "uninitiated code execution and file deletion" from "legitimate code execution and file deletion?"
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
That's the $64,000 question. Today Linux distros, OS X and Windows all have slightly different answers but all of them provide pretty good security. All are more secure today than they were 10 years ago or even last year.
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
This is the reason it's unreasonable to try to code around it.
Who decides who can and cannot delete files?
If it's not broken, fix it until it is
|
|
|
|
|
Kevin Marois wrote: it's unreasonable to try to code around it. Do you prefer the "Wild West" days of DOS where any attachment in an e-mail could wipe your HD? Just because it's difficult doesn't make it unreasonable.
Kevin Marois wrote: Who decides who can and cannot delete files? Notifying the user and asking permission / requiring a password is where they usually end up. Windows has things like User Account Control, Firewall and Drive Encryption. OS X has GateKeeper (App signing), Encryption and Firewall.
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
Kevin Marois wrote: Who decides who can and cannot delete files?
Ultimately, Access Control Lists, and they generally work as designed.
|
|
|
|
|
Mike Mullikin wrote: You don't think an OS should protect against uninitiated code execution and file deletion?
No! No, I don't. Unless you know how to implement mind reading capabilities and embed it into OS, anything you do regarding this 'issue' will be more of an annoyance then actual solution.
|
|
|
|
|
Mladen Janković wrote: No! No, I don't. You would prefer that an e-mail attachment or some script in a web page could (without your permission or knowledge) modify / delete files on your computer?
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
If I clicked attachment it's damn job of a mail client to open it and not to nag me. It's my own fault if the attachment has malicious behavior.
I have used clients that make you go through all kind of hoops just to open attachments, f*ck that!
|
|
|
|
|
...and if some web site is hacked and a "normal" link runs a script that kills your data too bad, huh? That's harsh!
Contrary to popular belief, nobody owes you anything.
|
|
|
|
|
Kevin Marois wrote: No 'bug' allowed that. Some deviant came up with this and wrote it.
That's a very good example and creates a strong point toward the debate.
Wow, that sounds sarcastic when I typed it, but I really mean it.
|
|
|
|
|
Do you also expect fire or health insurance to be free?
|
|
|
|
|
Mladen Janković wrote: Do you also expect fire or health insurance to be free?
Of course not, but keep in mind that the word "insurance" is misleading. It doesn't ensure that your house won't burn down or that you won't die. It is more of an "assurance", that you can replace damaged property or your spouse won't be financially crippled by your death.
AV software isn't "insurance" or even "assurance." It's preventing (in a condom sort of way) problems with something that's originally flawed.
Marc
|
|
|
|
|
Fine! Fire and burglar alarms should be free.
|
|
|
|
|
Mladen Janković wrote: Fire and burglar alarms should be free.
No, because it's not an intrinsic problem with your house.
And granted, I'm arguing more for the sake of the argument than any real reason.
Marc
|
|
|
|
|
|
Marc Clifton wrote: No, because it's not an intrinsic problem with your house.
Yes it is. It's perfectly possible to build a house that is made entirely of fireproof material and with enough security measures to deter even the most enthusiastic thief. The reason we don't is simple - it would take years to build and there's only about three people in the world who could afford it! The exact same is true of an OS.
If every OS had to be perfect before release then ... actually Godel's Incompleteness Theory makes that an impossibility so ... if every OS had to be as near perfect as possible before release then we'd still be waiting for Windows 1 and if it was ever let loose on the world it would require terabytes of disc space and a stonking great bank balance to be installed.
A builder provides you with the best possible house that is practical and affordable. He expects you to be responsible in using it to the extent of buying insurance (which may also require additional costs for better locks or alarms) and not living in a manner which would make its destruction inevitable (indoor barbecues, keeping a rhinoceros in the kitchen, that sort of thing). The OS deal is no different.
|
|
|
|
|
No I expect fire hazards and health hazards to be illegal and impossible!!
|
|
|
|
|
As you mentioned, MSE is free. Don't like it? Join the club. But AV software choices are like banks - you will find that every one of them has a hate-club. And it's hardly fair to expect AV companies that are independent of OS companies to give away their software based on your logic.
Using that same logic, your home security should be free, right? Because the people that built your home should be 100% responsible for it's security? Even if you leave your doors unlocked? And your car? Is the manufacturer responsible if it's stolen or items are stolen from inside? They took the time to build an electronic key much harder to bypass than the old metal keys, but then you left the doors/windows open or left your keys with a "trusted" valet... is that the manufacturer's fault?
Clearly there are instances where the manufacturer has to accept some level of responsibility - like a lock that fails to work, or the case of the Ford van keys that weren't unique allowing van owners to start other people's vans. And OS providers clearly have had bugs that leave us vulnerable. And they fix the ones that are reported (though some faster than others). But I don't see how they can be responsible for every stupid action that someone takes. You open an unknown attachment from an unknown sender, get infected and that's the manufacturer's fault? Is it their fault when you contact that guy in Nigeria to split the millions that he's safely siphoned and trying to move to a US bank? What about when you turn off your firewall? We each have our own responsibilities - the manufacturers have to accept theirs and we have to accept ours.
On a similar note - all security comes at the cost of convenience. MS could block you from opening or running your email attachments that it "thinks" are bad, but then you will lose the convenience of opening attachments that are actually safe but detected as being potentially harmful. Some thing with every website you go to (with all of the script that runs on it), every application you launch, and everything you do on your system. Seems to me that MS tried to do that with Vista and the backlash was horrendous. It's a no-win situation - the extra security comes at a cost and convenience/access comes at a cost. Ever hear of the Patriot Act
That's my two cents anyway!
|
|
|
|