To coincide with my 3rd press release , I updated, and expanded a little, this very blog’s second (and first “real”) post ever, Avoiding and Removing Spyware.

It’s not rocket science, of course, but, just by doing what I’ve written there, and without spending a cent, my Windows XP installation from 2003 (on my home desktop / gaming PC) still “lives”, without the usual “my PC has been getting slower and slower… time for another reformat” crap.

Every time some open source software, like Firefox or Linux, has an exploitable security hole, lots of people scream “see, it’s insecure too! it’s no better than IE / Windows!”.

That has always sounded weird to me. Windows or IE have had dozens, maybe hundreds of holes and exploits, and yet, when Linux or Firefox have one, they’re “just as insecure”?!?

Is this thing binary? All or nothing? No holes = secure; one hole = as insecure as a hundred holes?

Is open source software so bad, and do you resent it so much, that you’re only using it because of its absolutely perfect security, and when you find out that it’s not perfect after all, you leave it and crawl back to IE or Windows?

If so, here’s a tip for you: “much better” doesn’t equal “perfect”. (oh, and IE is pure garbage for reasons other than security, too )

Fine, Firefox just had one. Not really “exploited”, since it’s already been patched, but never mind that. So what? How many IE holes have there been? How many PCs are full of spyware, viruses, and/or sending thousands of spam emails a day because of IE holes?

Can Firefox even begin to compare to that? I don’t think so. It’s at least dozens of really bad exploits (not to mention the “less than really bad” ones) behind.

Symantec, among other things makers of shoddy “security” bloatware for Windows, have just stated a bunch of lies about browser/OS security.

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, “the most of any browser studied”. Eighteen of these were classified as high severity.

What they don’t mention is that they’re only counting announced vulnerabilities. That is, if Microsoft denies the existence of one, it isn’t counted.

The last 6 months have been carefully chosen, too, because it was the only period where the Mozilla browsers had more vulnerabilities. If they counted the 6 months before, the story would be quite different.

While they say “high severity”, that doesn’t really say a lot. Indeed…

Symantec admitted that “at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred”, but added that it “expects this to change as alternative browsers become increasingly widely deployed.”

Right. A pity that that argument is simply not true. Not all software is created equal, and not all development teams have the same priorities.

Not to mention that Firefox vulnerabilities are usually fixed in 1-3 days. There are critical IE holes that haven’t been patched (or indeed acknowledged) by MS in years.

How many cases of spyware or other malware infestation from Firefox (other than downloading an executable and running it manually, of course – but then, the browser doesn’t have anything to do with it) have you heard about? None, so far, I’ll bet. IE? Too many to count.

Why the slightly angry tone of this article? Because Symantec are lying. No, I won’t replace that word with a “nicer” one. Their business is being a parasite, and Firefox-using (or Mac-using, or Linux-using) people tend to need “fixers of Windows security problems” less and less, if at all. So they create FUD. They shriek “don’t change to IE (or Windows) alternatives! They’re actually less secure! Keep using IE, and our products, and everything will be alright!”

Nothing scares a parasite so much as the idea of their victims getting rid of them. Firefox scares them. Alternative operating systems scare them. Even security-conscious users scare them.

A thought: if Microsoft ever released a “mostly secure” version of Windows, Symantec would quickly go out of business, don’t you think?

Saw the article mentioned on Slashdot. Quite interesting and informative, IMO.

OpenSwan, ipsec.conf man page:

CONN PARAMETERS: MANUAL KEYING
The following parameters are relevant only to manual keying, and are ignored in automatic keying.

and, still in that section:

esp ESP encryption/authentication algorithm to be used for the connection, e.g. 3des-md5-96 (must be suitable as a value of ipsec_spi(8)'s --esp option); default is not to use ESP

Note that that option (“esp”) doesn’t appear in the AUTOMATIC KEYING options list. From the above, one would guess that it’s only for manual keying, and that for automatic keying that option is ignored – that, indeed, it’s not necessary.

Right? Unfortunately, that’s not true, from what I’ve seen.

Until I added:

esp=3des-sha1-96

to a particular automatic keyed connection, it simply wouldn’t work, because the default is to use md5 instead of sha1, and the other side used sha1.

Oh well… things like this end up making us sysadmins not trust documentation. Unless it’s OpenBSD, of course.

Having a non-patched Windows connected directly to the Internet (through a modem/ADSL/cable connection) is dangerous. A lot of people, unfortunately, are completely unaware of that. Without Microsoft’s service packs and security fixes, it’s estimated that a Windows XP PC can be infected with worms (which can, among other things, install viruses and spyware, and turn your PC into a “spam zombie”, which will be used to send gigabytes of spam – and guess who’ll pay the bill?) in minutes, if not seconds.

The problem here is that a recently installed Windows (unless it was some kind of installation CD which already included service packs and updates – but most “normal” users don’t have those) is an unpatched Windows. Now, to update it (by going to Windows Update, the only thing one should ever use Internet Explorer for), you must be connected to the Net. See the problem? Chicken and egg – you must connect it to update it, but you mustn’t connect it if it’s not updated.

How to solve this problem, then?

The solution itself is relatively obvious: you must update it without it being directly connected to the Internet. The keyword is “directly“.

Two of the best ways are:

• Take it to your work place, assuming it has a firewall, and that you have to connect there using a proxy server. Ask your system/network administrator for help if necessary. Be sure that your PC is freshly installed – that is, that it’s never been connected directly to the Net before. If it was, it may already be infected – and connecting it to your office’s internal network can infect other PCs there, which may lead to you being fired or at least harshly reprimanded.
• Ask a “geek” friend of yours (I’m assuming you’re not one – if you were, all of this article would be common knowledge to you), who has a small protected network at his home, to update your Windows there. I’ve done it for several friends and family members, myself. Again, be sure that your Windows is freshly installed.

Does this seem like a lot of work? Tough. Blame Microsoft. Don’t, however, fool yourself into thinking you can avoid doing this. Trust me: it’s very likely that your PC will be infected while it is updating itself to be resistant to infections.

Oh, and don’t trust software firewalls too much. Unless you really know what you’re doing, you can’t use one to make a non-patched Windows “safe”.

One thing I hear a lot: “oh, Firefox only has had less security holes because few people use it! If it ever grows to 50% market share or more, it will have as many problems as IE!”

It’s not just IE users who say it – many Firefox users believe it as well.

But there’s a flaw in that reasoning.

The flaw is that those people, apparently, believe that all software is of exactly the same quality. In other words, there is no such thing as better or worse programmers, more or less motivated programmers, better or worse testing practices, rushed software to meet a deadline set by the marketing department, a more or less efficient bug tracking system, even different software design philosophies (such as some believing in making the browser a part of the OS, and some beliving that it’s still an application).

If none of these existed, then, sure, maybe all software would be equally good – or equally bad. A piece of software used by twice the users would have twice the number of known security holes – and the less used software would have as many holes, they wouldn’t just have been found yet.

But I don’t think that this “theory” fits with observation of reality. Some software has historically been buggy and insecure (and I don’t mean just IE or Windows – many commercial Unixes such as Solaris or HP/UX apparently only started to care about security this century, though they have been around for decades more). Some other software hasn’t. Some software has holes like “anyone can do this and take full control of the computer”, while in some other software the bugs are more like “there’s a buffer overflow here, which could theoretically be exploited to cause the program to crash”. Big difference, don’t you think?

No, Firefox isn’t perfect, and there will certainly be more bugs – both ones that are still undiscovered, and ones that will be introduced in future versions. But I believe they are, and will be, nothing compared to IE’s history – neither in number nor in severity.

You see, besides the “release dates driven by a marketing department”, the “not open source, so security experts can’t find code flaws and suggest fixes” and the “integrated with the OS” disadvantages, IE has another one that people usually don’t remember. The current IE, 6.0, is still mostly a patched IE 4.0. That’s from 1997. At that time, security wasn’t the huge problem it is today, so IE wasn’t written with security in mind. Have you noticed that IE hasn’t had any real new features from 4.0 to 6.0? It has only been patched for most security flaws found, and for stability. Patched to fix particular holes – not designed as secure in the first place. And from what I see, IE 7 still won’t be written from scratch – it’ll still be IE 4 + patches.

(this article includes parts adapted from my wiki)

A lot of people (not as many as some years ago, but still too many) have no idea what a “browser” is, yet they browse the Internet (or, more precisely, the World Wide Web) regularly.

How can that be? Well, due to some clever marketing (such as putting “Internet” in the application’s name), typical user ignorance and dislike of learning (people typically learn the bare minimum to do something, and then do everything in their power, including heavy effort if necessary, not to have to learn an iota more) and the fact that most users tend to stick to “whatever came with the computer” (in fact, with the operating system), those people use Internet Explorer (IE) without thinking, without realizing that

1. there exists a kind of program called “a web browser”,
2. IE is one, and
3. IE is not the only one, there are others.

What are the consequences of this? There are several, and all are bad ones:

• Microsoft hates the idea of open standards, because that means less control for them. Due to that, IE doesn’t support many modern standards, like CSS2, or supports them badly and/or partially, and – paradoxically, until you think about the reasons for it – is extremely permissive about what standards it does support, like HTML, XHTML and such. In other words, you can’t use many modern (but standard) features (and since so many people use IE, you can’t simply disregard them), but you can also write bad, incorrect code, and only IE will “eat it up” – browsers which respect standards will detect the numerous serious errors. Some HTML editors like Microsoft’s own FrontPage intentionally do this – create code with many errors, but which it “knows” IE will work around, with the result that only IE will show it properly, and less knowledgeable people with alternative browsers will believe it is their browsers which are to blame.
• Internet Explorer is extremely insecure – there have been literally dozens of updates for it, but they just patch particular holes, nothing is done about the fundamental insecurity of it; the browser was developed when computer security was not yet a concern, and it shows. A “bad” site can take control of your computer and install stuff (usually spyware) on it, just because you opened it in IE
• IE has a monstrosity called ActiveX technology, which allows a site to read and write on your system; while it theoretically has some security (and could be used for something useful), in fact there have been many holes in it, and besides many users are used to just clicking “OK” or “Yes”.
• IE (as of IE 6.0 Service Pack 1) doesn’t support any modern features, like tabs or selective image blocking, and only very recently (and only on Windows XP), with XP’s Service Pack 2, did it get a pop-up blocker. “I go to a site and get lots of pop-up windows, and when I try to close them, it opens even more windows!” is strictly a MSIE problem.
• Explorer is “integrated” into the operating system, which Microsoft touts as an advantage, but, instead:
  • makes it so that a browser crash can bring down the entire operating system;
  • cannot be updated without a reboot;
  • cannot be uninstalled;
  • allows Microsoft to only update IE for the latest version of Windows, forcing people to upgrade – this happened recently to Windows 2000 users, for instance, as IE 7.0 will only be available for Windows XP and newer.
• As mentioned above, IE encourages bad code, and lazy, incompetent web designers. Instead of learning enough and working enough to create a properly designed and coded web site which works on all browsers, it is much easier (and requires much less competence) to patch up something, and then say “it only works in exactly the same browser I use, on exactly the same operating system / version I use, with the same screen resolution I use.”
• Web standards are important for other reasons. Quoting a comment by Brian: “I’m talking about blind people, mobile phones, automated spidering scripts, Google, and so on. When you write standards-compliant web pages, you make it easier for all of these people to use your site. When you write IE-only tag soup you are just breaking the web and the philosophy of which it was conceived.”

In short, by using IE (or developing for it) you only harm yourself in the long run. Firefox or Opera may not be exactly like the browser you’re used to (though they’re as easy to use, if not easier)… but everything you currently know, you learned at some time, didn’t you? So don’t be afraid to learn one thing more, which will only benefit you. You’ll say goodbye to spyware and other malware (they can no longer be installed without your knowledge or permission), you’ll have a browser which gives control back to the user (instead of the site), you can block advertisements (especially those that seem to take over your browser and refuse to be closed)…

And there’s something else (you may think that this one is “idealistic crap” that you don’t care about, but, again, in the long run you’ll be benefiting yourself). Statistics. By not using IE, but using other browsers instead, you’ll be adding to the statistics of every site you visit – adding to the reality that web designers and, more importantly, “pointy-haired bosses” are only now beginning to understand: that not everyone uses IE, and that, by making a site that only works in it, they are instantly sending away 15% (as of now – that number is growing) of potential visitors. 15% of billions is a lot. And companies should learn that non-IE users are probably people who are more informed, who don’t sheepily use what they’re fed, but are more discerning. In other words, unless the site is trying to sell “generic viagra”, “genuine snake oil” or some other garbage , non-IE users are more likely to be better potential customers.

As everyone should know, Internet Explorer is a very insecure browser, and daily use can quickly turn a Microsoft Windows PC into a spyware-ridden, spam-sending slow, unstable abomination.

I don’t use IE at home, because Mozilla Firefox is infinitely better and more secure, but I’ve found that many people, even those otherwise educated and intelligent, think of “the Internet” as “the blue E”, and, when wanting to open a site, open IE without thinking.

So I had to do something about it.

Now, while I think that (as of mid-2005) it is still to early to implement this as official policy in a company (many bad sites or incompetently-designed intranet applications only work with IE – and sometimes only with a particular version), it can be useful in many home / small office networks.

Requirements

• a Unix-like machine (e.g. GNU/Linux or OpenBSD), possibly with 2 network cards, already running as a gateway for your network (this part is beyond the scope of this article)
• a firewall running on that machine (I use OpenBSD’s pf, but Linux’s iptables would also work) (again, firewall instructions go beyond the scope of this article)
• a Squid proxy server installation on the same machine, with the desired access configuration (including, possibly, authentication and such).

Steps

1. configure your firewall not to allow direct HTTP (ports 80 and 443) and FTP (port 21) from the internal network (otherwise, users could just disable the proxy in the browser)
2. change your Squid configuration like this:

   Before the “allow” for your home network, insert the following:

   acl msie browser MSIE
   acl getmozilla dstdomain .spreadfirefox.com
   acl getmozilla dstdomain .getfirefox.com
   # firefox download places always have "mozilla" in the URL
   acl getmozilla2 url_regex mozilla
   
   # the following use IE's engine
   # magic online
   acl exceptions_ie dstdomain .wizards.com
   # jre updates
   acl exceptions_ie dstdomain .java.sun.com
   acl exceptions_ie dstdomain .jdl.sun.com
   # stardock central
   acl exceptions_ie dstdomain .stardock.com
   # city of heroes
   acl exceptions_ie dstdomain .coh.com
   acl exceptions_ie dstdomain .cityofheroes.com
   acl windowsupdate dstdomain .windowsupdate.microsoft.com
   
   deny_info ERR_BAD_BROWSER msie
   
   http_access allow msie windowsupdate
   http_access allow msie getmozilla
   http_access allow msie getmozilla2
   http_access allow msie exceptions_ie
   http_access deny msie
   

   The exceptions are for some applications which (foolishly) use IE’s engine and identify themselves as it. You may not need these, and require different ones.

You should also create an ERR_BAD_BROWSER file (on the share/errors/English directory) for telling users that they’re using an insecure browser, and that IE is only for Windows Update, and for downloading Firefox. For example, here is mine:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff; font-family:verdana, sans-serif}PRE{font-family:sans-serif}-->
</STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="%U">%U</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Insecure browser detected.
</STRONG>
<P>
Microsoft Internet Explorer (MSIE) is an insecure browser, and I don't like it
being used in
my home. :) MSIE, and MSIE-based browsers such as AvantBrowser or NetCaptor,
can only be used for <a href="http://windowsupdate.microsoft.com">Windows
Update</a>, or for downloading <a
href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Mozilla
Firefox</a>.</p>
<p>Please use a more secure browser such as <a
href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Firefox</a> or Opera.
</UL>
<P>Your cache administrator is <A HREF="mailto:%w">%w</A>.


Addendum

Yes, the user agent string can be changed. But I’m counting on the fact that most IE users don’t even know what a “browser” is – they think that “the Internet is the blue E”, and that clicking on it is “opening the Internet” as mentioned before. I’m also counting on the fact that anyone who is technically knowledgeable enough to change IE’s user agent is also knowledgeable enough not to want to use IE.

Addendum #2

“Why not simply download Firefox and tell people to use it?”, you may ask.

It’s not that easy – even at MY place, guests tend to “click on the blue E” without thinking, even after I’ve told them about Firefox. It’s a difficult habit to break for many people. And I don’t believe in “fooling” them by disguising Firefox with a IE theme and switching the icon.

Besides, a lot of software uses the IE engine “under the hood”. You can fall victim to an IE hole even if you never open IE yourself.

Spyware is a big problem these days. Most Windows PCs have a lot of it, without the user’s knowledge; many crashes, slowdown, popups and browser hijacking (for instance, changing the home page without your consent, and you can’t set it back to what you want) are symptoms of a spyware infestation.

Avoiding spyware

1. Do not, I repeat, do not use Internet Explorer. Really. This is the most important part. Use Mozilla Firefox (my personal favorite), Mozilla, Opera or Konqueror. Explorer is unsafe, and malicious sites can use it to install dangerous software on your PC without your knowledge. It also (as of version 6.0) lacks many modern features such as browser tabs. In fact, you should not use IE even if spyware didn’t exist – but spyware by itself is also enough reason to use a decent browser instead of Explorer.
2. Do not use Outlook Express. Much like IE, it’s insecure. Use something like Mozilla Thunderbird, or a webmail like Gmail or Yahoo! Mail.
3. Avoid Microsoft Outlook, unless it is forced upon you at your workplace. And if so, see below for Office Update.
4. Turn Windows’ automatic updates on (go to Windows Update if you need assistance), and make sure they are working (you should be warned about critical updates from time to time). Install all of them.
5. If you have Microsoft Office installed, go to Office Update from time to time, and keep Office updated.
6. Have a decent anti-virus installed.
7. If you’re not behind a firewall, install a decent one on your PC, or, even better, keep it behind one (preferably not a Windows machine)
8. Beware of what you install. Many programs advertised as “free” install spyware along with them. Avoid the following above all:
   • Browser toolbars (they’re for Internet Explorer, anyway, so you won’t need them, right?)
   • Mouse cursors
   • Anything related to a purple monkey
   • Anything, in a web page, that pretends to be a Windows error message (e.g. “Warning: your PC is unoptimized!!!”)
9. Install Ad-Aware, keep it updated and run it from time to time, deleting any spyware it finds.

Note: a non-firewalled, non-updated Windows PC connected to the Internet gets infected by worms (*) in minutes – far less than the time it takes to update it. If you have such a PC in your hands, think hard before connecting it to the internet – if you can’t install a firewall software on it (from a CD, you can’t connect to the net before you are protected, remember?), take it to a friend with a NATted LAN (your geek friend will know what that means), and update it there.

(*) worms are not spyware, but they can, among other things, install spyware on your computer (and, besides, do even more harm than spyware)

Removing spyware

1. Install Ad-Aware
   • run it
   • check for updates
   • check for spyware
   • remove any it finds
2. Install Spybot Search & Destroy
   • run it
   • check for updates
   • check for spyware
   • remove any it finds
3. Reboot
4. Do the first 2 steps again.

• if neither program finds any spyware this time, you are clean. Come on, breathe in relief.
• if, however, any of them still finds spyware, repeat everything one more time. If there is still spyware, then removing it is beyond the scope of this page… Look around in Google, or ask a geek friend, or format and reinstall everything.

Note

Spyware is strictly a Microsoft Windows problem; you can forget about all of this if you use another operating system, such as Linux or MacOS.

Another Note

Contrarily to what most people think, it is not “normal” for a PC to become slower and slower as it’s used, until you have to format and reinstall to get it back to a “sane” speed. If that happens, your PC is simply probably full of spyware (and possibly viruses, worms and such).

Yet Another Note

If you are currently “weaning” yourself from Internet Explorer, it’s likely that you’ll open it from time to time, due to force of habit. As any such use is a potential doorway for spyware to enter your computer, a possible solution, for slightly more advanced users (again, asking a friend should not be out of the question), is to use a proxy server to limit Internet Explorer to Windows Update.