
[tlug] Anti-virus software is a scam



Dave M G writes:

First, let me say that your main point is correct.  Conventional
antivirus software *is* a scam.  It's based on "signatures" of *known*
exploits, and sometimes known viruses.  I.e., it's based on detecting
and stopping known bad patterns, assuming that everything else is OK.
But strong security assumes that anything that isn't explicitly
permitted is an attempted exploit.  Besides the obvious, there's also
a subtle advantage to the stronger approach.  That is that if
"anything goes", some programmer will surely write a program to take
advantage of it.  These are often buggy.  On the other hand, if
there's a specific set of rules, not only is it relatively easy to
write programs to obey those rules, but they are more likely to be
shared, and improved.

 > For instance, I say that you can never get a computer virus from certain 
 > file types,

It's possible to be exploited by *any* file type, including ASCII
text.  It's very unlikely that printable ASCII text can do it, but in
theory with the right bugs in your text editor it could happen.  I
once managed to crash a multiuser minicomputer by the simple expedient
of sending ASCII art designed for a DEC VT220 terminal back to its
original author, who was silly enough to read it on the console, where
it proceeded to invoke a function key's definition at the wrong time
(and he was running as root, oops).  A good time was had by all!  For
another example, just reading Emacs ASCII text "can cause arbitrary
code execution" as they say (of course the default setting is to not
execute code at all, and to ask before just setting variables, but
it's possible to enable automatic execution.)

Image files (and other non-text media) make it a lot easier.  Modern
image files are actually quite complex; effectively they are programs
in rather limited programming languages.  What makes them dangerous is
the complexity of the actions performed by "statements" in those
languages, which are often given buggy implementations, and the fact
that they contain liberal amounts of binary data -- which (with the
right bugs) the computer might interpret as machine code.  Once that
happens, anything can happen.

Another problem is that most users don't know how to identify the kind
of file.  They look at the filename extension, or maybe their MUA
tells them the MIME type, but both of these can be bald-faced lies.

 > and I explain why Linux is more secure than Windows.

Linux and Mac also have security features that often are not enabled
on Windows machines, such as the special powers of the root account
not being available to ordinary users, besides generally being more
picky about getting permission to execute code.  For practical
purposes most Windows users run with administrator powers, which few
Linux users and almost no Mac users do.  This isn't all that much
protection from evil, given that many things an evil person would want
to do (spam mail, flood ping) can be done by ordinary users.  However,
it's substantially harder for a simple exploit to cover up; you not
only have to crack the mail reading user, but also install a rootkit,
or your activity will be logged (both in things called logs, and also
in correct file timestamps and the like).

However, modern systems (Mac of course, but also Linux) are getting
more and more promiscuous about what they'll execute without asking.
Almost all mail programs will display PNGs without asking (by
default), but libpng has had at least two major bugs allowing arbitrary
code execution, with actual exploits (i.e., it was demonstrated that a
program could be run without crashing the system).  Flash is
well-known to have had a lot of security relevant bugs, although I don't
know if any of them resulted in exploits observed in the wild.

So I agree that Mac and Linux are more secure than Windows, but it's
not necessarily true that they'll stay that way forever.
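Two of the points above lend themselves to a small defensive check: a filename extension and a MIME header can both lie about what an attachment really is, and a viewer is safer when it renders only an explicit allowlist of types rather than everything that is not known to be bad. The following is an added example, not code from the original post or from any mail client it mentions. The magic-byte signatures are the real, well-known leading bytes of those formats; the extension table, the render allowlist and the sample attachments are constructed for illustration.

```python
"""Identify an attachment's real type from its leading bytes and compare
that with what its filename extension and its MIME header claim.
Added example (constructed), not code from the mailing-list post."""
import os

# Real magic-byte signatures for a few common formats (leading bytes -> MIME).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
]

# Constructed table: what each extension claims to be.
EXT_TO_MIME = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf", ".txt": "text/plain",
}

# Constructed allowlist: the only types a hypothetical viewer renders without
# asking. Anything not listed is held back, whatever the headers say.
RENDER_ALLOWLIST = {"text/plain"}


def sniff_type(data: bytes) -> str:
    """Return the MIME type implied by the content itself, not by any label."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    # Printable ASCII plus tab/newline/CR counts as text; anything else is opaque.
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text/plain"
    return "application/octet-stream"


def check_attachment(filename: str, claimed_mime: str, data: bytes) -> dict:
    """Compare the sniffed type against the extension and the MIME header,
    and decide whether the allowlist permits automatic rendering."""
    actual = sniff_type(data)
    ext_mime = EXT_TO_MIME.get(os.path.splitext(filename)[1].lower())
    return {
        "actual": actual,
        "extension_lies": ext_mime is not None and ext_mime != actual,
        "header_lies": claimed_mime != actual,
        "auto_render": actual in RENDER_ALLOWLIST,
    }


# Constructed sample attachments: (filename, MIME header, first bytes).
SAMPLES = [
    ("readme.txt", "text/plain", b"Hello from the list.\n"),
    ("notes.txt", "text/plain", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("holiday.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def triage(samples=SAMPLES) -> list:
    """Run the check over every sample and return one verdict per attachment."""
    return [(name, check_attachment(name, mime, data)) for name, mime, data in samples]


if __name__ == "__main__":
    for name, verdict in triage():
        print(f"{name:12s} {verdict}")
```

The decision to render is keyed on the sniffed type, never on the extension or header, and the allowlist defaults to "do not render" for anything unrecognised; that is the "anything not explicitly permitted is suspect" stance the post argues for, applied to one small decision.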


