Fake Microsoft Security Essentials warnings

When I was a teenager, I had a stick-shift car. If you started the car with the transmission in gear, it would lurch forward violently. Had any people or vehicles been damaged by this, it would undoubtedly have been considered "human error". The next car I had (some 10 years later) would refuse to start unless the clutch was disengaged. Had this car lurched forward on starting, this would be considered a serious design flaw. That is progress.

"Human error" is only an excuse for a little while. It is bad design to not take into account things that humans will naturally do. Humans will click on OK without reading the dialog; they have been conditioned to do so by years of practice. And they'll do it even faster if it terrifies them with a bright red box and then offers easy salvation.

People do not install viruses because they are stupid, unless "stupid" means "unable to deal intelligently with systems of astounding complexity". And things are getting more complex. You who would roll your eyes at the "stupidity" of those who run malware from the internet: in ten or twenty years will you understand and calmly consider the consequences of every action you take on a computer?

Security is not impossible; like every technological advance, it is difficult to imagine before it happens. It was a genius who figured out how to stop cars from lurching forward on start-up. Lesser people could have argued (and probably did) that it was not possible to prevent drivers from committing this error, nor was it desirable to limit their powers, nor was it the manufacturer's responsibility in any case. Likewise, it is so easy to throw up our hands and say that there's nothing that can be done about malware.
 
How could Windows be set up in such a way? No insult intended to CORed but this was human error. (Never mind that it was Windows XP.)
Simple, you build a computer that won't run executable files.

It's actually far cheaper to do this.






;)
 
The problem with your analogy is that the adversary in your example was the car which can be completely controlled by its designers. Once the fix was thought of the issue went away. There were no rogue car mechanics walking around at night defeating this mechanism so cars would lurch on their owners.

The adversary in malware is another human being that is using their full intellectual capabilities to defeat you.
 
To expand on the analogy...you don't have groups of rogue mechanics walking through your neighborhood offering a free car check up, then disconnecting your brakes, pouring water in your oil, and knifing your tires. Then telling you your brakes are shot, you've got water in your oil, and your tires are flat...then charging you for the repairs...then take the money and run without fixing your car.

Fake virus checkers and registry tools are big business. Viruses used to be just pranks from computer nerds...now they are money makers.

Edit: In many cases, antivirus software is completely useless, because there are no real viruses involved. They trick you into clicking a link or an "ok" button, which downloads a regular executable...just like any other download. The program then pretends to scan your computer for viruses, and falsely tells you you're infected. Then they sell you a worthless program for $39.95 to get rid of the non-existent viruses. Some of the more unscrupulous ones will hit your credit card for hundreds of additional dollars besides the $39.95.
 
I think the point here is that they put in a fix to stop people doing stupid things. They should be able to do the same to computers. Yes, the problem is a lot more complex, but then there are still many stupid things you can do to a car. It is just a lot harder to do them. In future it would be a lot harder to get a virus in the computer.

One example is that in the past you had to update the antivirus software yourself. Some people failed to do this every day, which meant that even though the solution to a virus was available, many people had not got that version of the antivirus software and so became infected. Now, antivirus software is automatically updated, so it is a lot harder to have out-of-date antivirus software.
 
Things are being done all the time. ASLR is an example. Those prompts are another. Execution disable bit in the processor to prevent stack overflows etc etc etc.

The goal posts move and the virus writers adapt.
 
People do not install viruses because they are stupid, unless "stupid" means "unable to deal intelligently with systems of astounding complexity".

I agree, what I find frustrating is telling people not to click on scareware but just turn off the machine, but they do it anyway.

A computer is much like a car: people want to turn the key and go. And they really don't listen or read about 'safe operation'.

Such is the nature of life.
 
I'm going to go a bit further with the analogy. The first prompt I clicked on was a very good fake (very likely a screen capture) of a dialog from the anti-malware software already installed on my computer. So a better analogy with a car would be that I go to my regular garage, and the mechanic whom I trust has been replaced with an impostor who looks just like him, who knifes my tires, puts water in my oil, etc. Had I not had Microsoft Security Essentials installed on the computer, I probably wouldn't have fallen for it, and when I started getting prompts from software I knew I hadn't knowingly installed on the computer, I realized I'd been had.

While I think there is room for improvement in Windows security, I don't think there's any way to make malware infections 100% impossible. I have an iPhone, and I jailbroke it because I don't like being limited to only software that Apple approves. I have the crazy idea that if I own a device, I should get to decide how I use it. No doubt this leaves me somewhat more vulnerable to malware or incompetently designed software, but I think that's my choice to make.
 
Assuming MSE doesn't run inside the browser, it couldn't look much like the real thing, any more than advertising banners with pictures of buttons look like real buttons. Plus there is the UAC, which will verify that it is Microsoft, to stop the exploit working.
 
This was XP, so no UAC. I think the fake MSE I clicked on was embedded in a browser window, but at first glance there isn't a lot of difference between a fake dialog embedded in a browser window and a dialog that pops up on top of the browser window. When I encountered what I think was the same thing a couple of days later, I thought to scroll the browser window, and when the fake MSE dialog moved with the scrolling it was obvious what was up. My guard was down the first time, I'll admit. I just assumed the MSE dialog was real and had spotted malware that the site was attempting to install on my computer, and clicked on it. Unfortunately, the fake dialog was the malware installer's way of tricking me into running it.
 
