
Comment Re:This is why (Score 4, Interesting) 228

But I'll also add this condemnation of Microsoft. I haven't traced through their OS in many, many years, so to be fair to them, things like this may no longer be the case. But back in the day, they were *notorious* for repackaging the same code over and over and over. DOS was well-understood by that point and its vulnerabilities were well-known and easily exploited.

All because Microsoft couldn't even be bothered to reassemble or recompile key parts of the kernel.

For example, I did one of the first analysis (analysees?) of the so-called "antiexe" virus. DOS 5 through DOS 6.22 were so similar, the freakin' offsets in the kernel didn't even change(!). The entry point to the DOS kernel was in the same exact location in all. Antiexe simply looked up the DOS data segment address, then started poking in junk at the *fixed* (and known) offset of the entry point of the kernel. That way, it could bypass most current security software. (But not ours. Grin.)

Our system also addressed a killer bug (first discovered by Geoff Chappell) that Microsoft had known about, but had apparently not bothered to patch: if the partition table was recursive -- i.e., an extended table pointed back to itself -- the computer would hang during the boot. Even booting onto a floppy wouldn't work! As soon as the kernel on that floppy started trying to examine and mount the hard drive's partitions, it would loop forever. Hang tight.

I can't even imagine how many people carried their computers into a shop, only to have the tech tell them that their hard drive was defective. (I know of a couple of cases myself.)

So ... believe me when I say I'm anything but a Microsoft lover. Like I said, maybe they've improved now, but back in the day, they were making money hand over fist and couldn't even be bothered to address obvious stuff like this.
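A partition walker that terminates on the recursive extended table described in the comment above, as an added example (not code from the commenter, from ARF or from DOS). It follows the standard MBR/EBR layout using the LBA start fields; the names `walk_extended` and `build_sample`, the 64-link cap and the sample disk are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR   512
#define PT_OFF   446            /* partition table offset in a boot sector */
#define MAX_EBRS 64             /* assumed cap on chain length */
enum { WALK_BAD = -1, WALK_LOOP = -2 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static int is_ext(uint8_t type) { return type == 0x05 || type == 0x0F; }
static int signed_ok(const uint8_t *s) { return s[510] == 0x55 && s[511] == 0xAA; }

/* Count logical partitions; return WALK_LOOP when the chain revisits a sector. */
int walk_extended(const uint8_t *disk, uint32_t nsectors) {
    uint32_t seen[MAX_EBRS] = {0};      /* seen[0] = sector 0, the MBR itself */
    uint32_t base = 0, cur;
    int nseen = 1, logical = 0, found = 0;
    if (nsectors == 0 || !signed_ok(disk)) return WALK_BAD;
    for (int i = 0; i < 4 && !found; i++) {
        const uint8_t *e = disk + PT_OFF + 16 * i;
        if (is_ext(e[4])) { base = le32(e + 8); found = 1; }
    }
    if (!found) return 0;               /* no extended partition at all */
    for (cur = base;;) {
        if (cur >= nsectors) return WALK_BAD;
        for (int i = 0; i < nseen; i++)
            if (seen[i] == cur) return WALK_LOOP;   /* table points back at itself */
        if (nseen == MAX_EBRS) return WALK_LOOP;    /* unreasonably long chain */
        seen[nseen++] = cur;
        const uint8_t *ebr = disk + (size_t)cur * SECTOR;
        if (!signed_ok(ebr)) return WALK_BAD;
        if (ebr[PT_OFF + 4] != 0) logical++;        /* entry 0: the logical drive */
        if (!is_ext(ebr[PT_OFF + 16 + 4])) return logical;  /* entry 1: link */
        cur = base + le32(ebr + PT_OFF + 16 + 8);   /* link is relative to base */
    }
}

/* Constructed sample: MBR at 0, EBRs at sectors 2 and 4. link2 is the second
   EBR's link (relative to base): -1 = end of chain, 0 = back to the first EBR. */
void build_sample(uint8_t *disk, int link2) {
    memset(disk, 0, 8 * SECTOR);
    for (int s = 0; s <= 4; s += 2) { disk[s*SECTOR+510] = 0x55; disk[s*SECTOR+511] = 0xAA; }
    disk[PT_OFF + 4] = 0x05; disk[PT_OFF + 8] = 2;                   /* MBR -> sector 2 */
    disk[2*SECTOR + PT_OFF + 4] = 0x06;                              /* logical drive */
    disk[2*SECTOR + PT_OFF + 20] = 0x05; disk[2*SECTOR + PT_OFF + 24] = 2; /* -> 2+2 = 4 */
    disk[4*SECTOR + PT_OFF + 4] = 0x06;
    if (link2 >= 0) { disk[4*SECTOR + PT_OFF + 20] = 0x05; disk[4*SECTOR + PT_OFF + 24] = (uint8_t)link2; }
}
```

A walker without the `seen` check would re-read the same sectors indefinitely on the second and third sample layouts, which is the boot hang the comment describes.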

Comment Re:This is why (Score 4, Interesting) 228

I'm not surprised at all.

Our approach was to stop viruses before they got onto the computer. I remember Wolfgang(?) with Integrity Master (another system available at the time) complaining of the same thing we did: the "AV shootouts" focused entirely on scanners.

They were easy to test! Just turn them loose on a hard drive full of virus samples and see how well they did! But what about people like us that took a different approach?

Our ARF system not only "inoculated" the executable files, I can give away some of our secrets now. (Heh. Like it matters.) I actually became a DOS "guru" and figured out ways to hook into the OS itself. We watched the SHARE hooks, too -- an obvious vulnerability that everyone else ignored. We hooked all of the standard interrupts *inside the kernel* (we didn't just patch into the interrupt chain), we captured the "trace" interrupt to see if anyone was "tunneling," we did CRC "checksums" on the actual DOS code and other key areas.

I'm not boasting, but we never, ever found a virus that could get past us. The worst case, the system would get confused and hang, but there would be no infection. After reboot, the system was still clean.

Now ... how do you test that? How do you "shoot that out?" You don't. These so-called testers love scanners. SCANNERS! That's all they want to test.

That, combined with the fact that virtually no one registered it (and the additional fact that Windows 95 had come out), made us lose interest. I briefly worked on moving the blocker into a VxD, but it wasn't worth the bother.

Comment Re:Shady AV companies (Score 1) 228

> I am convinced there must be at least ONE shady AV company that creates viruses

Heh. We speculated about that all the time back when I was writing AV software. I know there were a few cases where "proof of concept" stuff magically sneaked out of the lab, but to be fair to the companies involved, they immediately sent full details to all of their competitors.

But you do have to wonder. :)

And if you consider those "are you sure you want to close this window?" online popup scams, they DO install malware. I guess it's just a question of whether you consider them a "shady AV company" or just outright bad guys. (I vote for the latter, myself.)

Comment Re:My response in 3 words (Score 3, Interesting) 228

> Microsoft DOS 6 with AV built in ... was defeated by every virus writer

That's because MSAV included the classic, textbook example of "security through obscurity." Utilities like FORMAT and FDISK would do the same things as some malware, which would cause false alarms. The users would be terrified by this, so there was a solution: a "secret" (wink, wink!) system call in the OS that their utilities used to temporarily disable the alarms. (!!!)

It was top secret ... so naturally, everyone knew about it. A call to disable VSAFE became one thing that EVERY DOS virus writer put at the top of his code. Naturally. Of course.

Ah, you're bringing back memories now. :)

Comment Re:This is why (Score 5, Interesting) 228

I'm anything but a Microsoft lover, but I have to defend them.

About a million years ago, back during the DOS era, a friend and I wrote an anti-virus suite (the ARF Antivirus, maybe you can still find it online, though I don't recommend that you use it!). It was quite effective; we used the file integrity approach, and stored the integrity information in the files themselves. (We were up front about it; some people don't like that, so we said, hey, you don't like it, just don't use our stuff. No hard feelings.)

Ergo, I think I can at least offer an opinion that's slightly above drooling moron status.

One of my biggest complaints about AV tests is that they're unrealistic. This has been years ago, now, so maybe it has changed, but back then, the folks who did the testing were arrogant and very hard to deal with. Your software had to produce a .TXT log file; it had to do this, it had to do that, or they would just fail it outright.

Once you made them happy, then they tested it against every virus they could find, including some that WERE NOT (and never would be) in the wild.

Bottom line, and to make a long story short: the people who were writing AV software back then were writing it for these tests, and not for the real world. I don't know if that's the case nowadays; I just don't know. (For that matter, maybe Microsoft's stuff really does suck. Given how badly their stuff worked back in the DOS era, it wouldn't surprise me. But I just don't know.)

But fair is fair. I ran from that circus after about a year of endless arguments with the pompous egotists in Compuserve's Anti Virus forum. I don't know if it's still that way, but I haven't used anyone else's anti virus stuff in years (I protect my stuff a different way, primarily by using secured Linux with good backups, and with periodic integrity checks).

Comment Re:but (Score 4, Informative) 71

> Don't electrical pulses along a copper wire go at the speed of light already?

That's not the problem, it's propagation effects and timing issues. As someone else here pointed out, these high-frequency signals are essentially radio waves and behave like radio waves. You have interference issues from other, nearby signals. The copper traces on your current motherboard must be carefully routed and kept at equal lengths (because they're essentially transmission lines), or you'll have some bits arriving later than others. Chaos. Using optical eliminates that problem.

(This is also why, if you've ever tried to repair a damaged motherboard, you probably weren't successful. Even if you could successfully identify all the damaged traces -- not easy, what with the "sandwich" layered design -- when you use little jumper wires to bridge the gaps, it just won't work reliably.)

By the way, these propagation effects are the reason why (counterintuitively) SATA and USB can more easily be made faster than older-style parallel connections. Once you get into the 100 megabit range, interference and the precise arrival time of the parallel bits become very hard to control. If it's a bit stream, even though it's several orders of magnitude faster, it's just easier to predict and control.

Comment Re:We need gas control! (Score 3, Insightful) 1591

> Don't give people their 15 minutes

If everyone in the media would just agree that they'd never, ever mention the name or show an image of the perpetrator, that would go a long way toward solving the problem. I fully agree.

Absolutely. Most of these mutts have a death wish and want to go out as spectacularly as possible. They WANT the attention and notoriety. I say take it from them.

Comment Re:We need gas control! (Score 5, Insightful) 1591

> improvised bomb attacks

And OK, I'll break my own rule and say this, too. The thing is, something like the Sandy Hook tragedy is just that: a tragedy. Anyone with any human emotion at all is going to be heartsick. I certainly was.

But because of the way the media covers events like these, they get all of the attention. (Disclaimer: I WORK in the media. Radio.) But what doesn't get attention are the countless children who are slowly tortured, or sexually abused, or simply abducted and THEN tortured and abused.

We're fascinated with numbers. Sandy Hook was a horrible, horrible tragedy. I'm not taking away from it for a moment. But there was a little girl who was brutally raped and murdered (when they found her body, her PELVIS had been crushed by the force of the rape) back in NC, where I used to live. Most of you have never heard of her. She never even made the news, save for a brief mention in the local papers.

The truth is that we have a sick society, but we're spraying water on the flames instead of at the root of the problem.

Comment Re:We need gas control! (Score 5, Insightful) 1591

Or with a bomb.

http://en.wikipedia.org/wiki/Bath_School_disaster

To date, this remains the deadliest school killing. The guy had a gun, but chose explosives.

I'm not going to pitch in on this emotional debate, save to point out that if you outlaw guns, crazy people will still find ways to kill other people, and in mass numbers.

Comment Some Of Us Have Known This For Years (Score 5, Insightful) 134

The entrepreneur starts the business, makes it successful, then brings in a PHB to watch the money and keep it running. This has been the case for as long as there have been businesses.

Entrepreneurs tend to be creative, driven, and willing to work around the clock. They also tend to be terrible at the "boring" things (like money management). They're often terrible at details, too.

This same basic principle works for established businesses, too. I worked with a company that turned around radio stations many years ago. We'd send in a "hit" team to do the makeover, then put in a PHB to run it after it was successful. Likewise with restaurants: when a new eatery opens, they send in the "A" team to make sure everything is perfect. A few months later, if the restaurant takes off, they send in a "detail" guy to keep it running and making money.

I wouldn't have thought that it'd take a study to discover something this obvious, but it's nice to see it confirmed scientifically. :)

Comment Re:Any browser publisher is the same way (Score 1) 264

As I said above, I don't trust any of them. None. Nada.

I trust Linux and KDE on my desktop at home, in a home office that only my wife has access to. That's where I do my banking and online shopping.

I have an old nasty credit card with a low limit that I use when I just must download an app on my smartphone (Android, Samsung hardware, thus Google Play). But that's it. No banking apps, no shopping apps, no Latest Thing! apps on my phone.

And I never, ever send sensitive email or texts from that thing, either.

I'm a law-abiding citizen with nothing to hide. But I hide it anyway just because it ain't "Their" bidness. :)

(Hey, that'd make a great tag line. Hmmm ... )

Comment Re:Any browser publisher is the same way (Score 1) 264

> The problem then is that the software AND the hardware are closed.

Dead on the money. In an ideal world, there would be open standards. I could download my choice of a compatible mobile OS, build from source and install it without any fears that it might not work on the hardware, and without fear that my service provider could hassle me for not using their crap.

I don't think that'll happen, though.

Comment Re:Any browser publisher is the same way (Score 3, Insightful) 264

> If it's open source YOU have the power to stop it from doing anything like that

In principle and theory, yes. In practice, maybe not. You would almost certainly use libraries installed on the device, unless you plan to roll your own from scratch (and that's going to eat a lot of SRAM). They could still sniff and snoop at the library level.

Or, they could simply sniff and snoop whatever is displayed on the screen. Your open-source browser is "clean," but Nokia is, in essence, a snoop looking over your shoulder. Character-recognition software is small and fast nowadays.

Waiting for a Slashdot story about how THAT is happening, by the way. Some manufacturers and providers are already admitting that they can access the mike and the camera on your smartphone to "see" and "hear" what you're up to ...

Ergo, I have no doubt whatsoever that even using an open-source browser won't protect you. The only real answer is to ensure that you never do anything really sensitive on a smartphone. I certainly don't.
