Zaphod said:
I do. In individual computer, small home/business networks, as well
as LAN and WAN corporate environments.
So do I. Although I have also done it the so-called right way and the
so-called wrong way and tested the results. Very few people actually do
this. Most people are lemmings and just accept what they are told.
Of course you would. Because you know of no other way.
Please describe, in detail, how *your* "knowledge, research, and
experimentation" is better than Microsoft, Gartner Research, Cisco,
and every computer security company and professional out there?
Because they all say, without exception, that you need to apply OS
security patches and fixes, promptly and regularly, as a part of
securing your systems.
Just follow the money trail. Just look at Microsoft for example. They
place such a low priority on security updates it is laughable. After all
why would it take about two years to plug a known security hole?
Microsoft isn't alone here either, other companies do the very same
thing. I bet they assign such a low priority because they too know
plugging security holes is just futile.
And of course Microsoft, Gartner Research, Cisco, etc. are going to tell
you to install security patches and fixes. Why wouldn't they? As it
makes the lemmings feel secure even though it is only a false sense of
security nonetheless. And selling this false sense of security sells and
they make millions off of it.
So why are some of us better than the above? Easy, as we hear reports of
people having success doing otherwise. And instead of writing them
off as nuts, we investigate, research, and experiment to have the
necessary data to prove them wrong. But guess what? The data proves them
to be right all along.
Well I have been running Windows since '93 (using other OS about 15
years before that). And I always did things the lemming way and listened
to whatever Microsoft, Gartner Research, Cisco, etc. said to do and it
made me feel smart. And in that time, I never had a Windows virus. So I
must be doing things right, right?
Well Microsoft finally forced me to start doing things the wrong way. As
they sold Asus OEM XP licenses for the meager EeePC 701 netbook with
only 4GB of SSD space. With SP2 installed, you only had 200MB free.
There was no way to even install updates as they just wouldn't fit ever!
So I figured I would no longer have a clean record of never having a
Windows virus, thanks to Microsoft accepting money for licenses that
they knew could never be updated. Well guess what? I never got any.
I was totally prepared for the worst and backed up every chance I got
(multiple versions of course), just in case. And I figured I would be
doing a lot of restoring.
Well I used those EeePCs on the Internet for a whole year and still no
viruses. So I gambled, I have a few dozen computers here and I'll
just stop updating half of them for experimental purposes only just to
see what happens. Well that was three years ago and none of them ever
picked up a single virus either.
So who are you going to believe, Zaphod? People who tell you that you
better keep your OS up-to-date or you will get viruses? Or people who
don't get viruses and don't update their OS?
First, it does work - as a reasonable, rational *part* of a
comprehensive approach to security.
No it doesn't work, period! You know what is involved with security
patches? First finding them all is an impossible task for starters.
Secondly every time you patch an OS, you are bound to break some driver
or application. This is an enormous task and no wonder it takes many
companies (Microsoft included) a couple of years to come up with a patch
for a security hole to the public that was known two years ago. So what
good is being two years too late?
Second, who said anything about
trusting in them, especially trusting in them alone, which is what you
are implying? Firewall, intrusion detection, email
filtering/scanning, web filtering/scanning,
antivirus/antimalware/antispyware, all play a part in system security,
as do OS patches. Why in the world would you neglect one of the
layers? Would you fail to apply a security update to one of the other
layers? What is different about applying a security patch to the OS?
No you don't need all of those layers for one. No wonder some complain
their computers are slow because they have way too many layers
installed. That email filtering is redundant for one with a real time
AV. The secret to success is to reduce the layers down to as little as
possible and to still be protected.
Please reference the many news stories in the past where massive
outbreaks of various pieces of malware could have been thwarted by OS
patches that had been released well in advance of the outbreak. Like
Conficker, Sasser, Zotob, etc. Again, keeping systems patched and
up-to-date is only one layer in a multi-layer approach to protecting
your system.
Conficker, Sasser, Zotob, etc. are thwarted by an up-to-date AV and a
sandbox too.
Sure you can - guard dogs, dead bolts, security doors, etc. Plenty of
third party add-ons for my home security system. But even with the
add-ons, I would still want to apply the update, wouldn't you?
Those are not the updates I was thinking about. But I see your point.
Although would I install the update for my home security system? That is
debatable. If they came out with an endless cycle of updates, then no I
wouldn't. As I would write them off as they can't get it right and have
no business programming their own hardware. And I speak as a hardware
engineer who has written the software for my designs too. I don't like
programming per se... but if I have to explain how the hardware works in
detail to a programmer, it is just often easier to write the program
myself.
Personal computers are totally different! You can shop around for
the best security product. And you don't have to trust Microsoft for
your security needs. And to be honest with you, Microsoft has and
continues to produce very weak security software. This is just one
area that Microsoft really hasn't been very good at. So why put your
faith in them?
I don't "put my faith in [just] them", as with anyone serious about
security, I use various third party tools to enhance the security of
my system - but again, if the additional protection is available, why
NOT install it?
Because more security software isn't better! The more you install, the
more likely they are going to trip over themselves. The secret is less
is better while still maintaining protection without being redundant.
See my previous example of massive outbreaks of malware that would
have been stopped in their tracks had systems only been up to date
with OS security patches. And (not to sound like a broken record),
why NOT install the additional protection?
You say would have been stopped by up-to-date security patches because
that is what you believe. Yet I hear reports all of the time of people
who religiously keep them up-to-date and who still get malware. So how
is that possible?
Now there is another camp that sports a firewall, AV, and a sandbox
environment that doesn't get viruses and who doesn't update their OS.
Amazing how that works, eh?
So we have another method. Take the Maxthon browser for example.
Even when security patches and AV fail, Maxthon still caught them.
Maxthon Beats Microsoft to the Punch Creating Barrier to Zero-day
Attacks - PR Newswire
http://www.prnasia.com/pr/10/01/100058511-1.html
I would argue that this isn't "another (as in different) method", but
as I've been saying all along, an additional layer in a comprehensive
approach to system security. But as I've said, why neglect one of the
other layers - or as you put it, "why put your faith in them
[Maxthon]"?
No, you need three basic things for total security.
1) A stealth firewall (XP and later already have this one built in)
2) A good real time AV
3) A sandbox to cover everything including things that nobody thought of
yet
Notice that OS updates aren't even in the list?
Sandboxes aren't impermeable. AV (as you point out) is reactive, not
proactive. In fact, none of the layers are perfect - if they were, we
wouldn't need any of the others now would we? So, we improve each
layer as much as we can, update them, patch them, replace them as
needed. Only fools neglect them.
There are only three layers for total protection. Yet you want to add
tons more. So I disagree. You only need the basic three and that is all.
Although you can reduce it to just one for total protection if you
wanted. But it comes with some limitations and having the basic three
has virtually no limitations.
For example, with a real time AV and a sandbox, you really don't need a
stealth firewall. The problem I have going without is that you are
totally exposed on the Internet and hackers, bots, etc. can see you. And
about 99.9% of the problems start here. So going without is just a dumb
idea and you're just asking for trouble. It is like walking through a very
bad neighborhood at night alone without protection. Sure if you are a
super hero or something, no problem. For the rest of us, just don't do
it!
A real time AV is important because anything opened or executed gets
checked through the malware database before it can do anything. And if
it doesn't get a clean bill of health, it can't be opened or executed.
At least not without your permission first anyway.
A sandbox like environment including Sandboxie, Avast (latest version
includes a sandbox), Windows Embedded, Windows SteadyState (free), etc.
can protect you against virtually anything all by itself. In fact, this
is what most public computers use to keep their systems malware free.
And things like Windows Embedded and Windows SteadyState can be locked
down so tight that nothing can change the OS or applications. Not even
Windows Updates or AV updates (and if they can't get in, virtually
anything else can't either). And anybody who has suffered from virus
attacks again and again, I would think should highly consider installing
something like this.
Who is waiting? You make it sound like you have to choose between
applying OS patches and using any additional methods - but they are
complementary to each other, not exclusive. So install your antivirus
and keep it updated. Sandbox your browser, use a firewall, filter
your email - AND patch your OS. There is no good reason to neglect
it.
Well in the long past, I would have totally agreed with you and anybody
who said differently was just plumb crazy. But thanks to Microsoft for
forcing me to go without updates, I now know that isn't so at all. ;-)