Using Windows for a Day Cost Mac User $100,000 (and it's not related to anything else totally)



  • In short: guys owns company, normally uses a secured work Mac to access his bank account, one day decides to use the family Windows PC, gets pwned.

    And that's Windows' fault. Somehow. But it certainly is.


  • I survived the hour long Uno hand

    @slashdot, look out. You've got nothing on Macie for posting outdated "news" articles

    Filed under: :p



  • @izzion said:

    @slashdot, look out. You've got nothing on Macie for posting outdated "news" articles

    I see stupid, I share stupid. I'm not concerned with dates or other trivialities.

    also, I want to see Blakey's reaction to that, so shush


  • Discourse touched me in a no-no place

    @izzion said:

    You've got nothing on Macie for posting outdated "news" articles

    Outdated? He's clearly 8 days in front - it's only Jun 2...

    :tropical_fish:



  • As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows.

    :facepalm:


  • :belt_onion:

    Stupidity, uh, finds a way.



  • @loopback0 said:

    :facepalm:

    Comments are facepalm-worthy too:

    The number of defects in an operating system is related to the amount of malware targeting it.

    And not, uh, the fact that Windows is the most popular OS, nor that pretty much all non-power-users use Windows (with some Macs thrown in, maybe).


  • area_deu

    From the blog's about section ...

    What most people want to know is how I got into computer security, and whether I have a technical background in the field.
    The short answer is “by accident,” and “no,” respectively.



  • Clearly :laughing:



  • Eh...Brian Krebs is a pretty solid guy. He used to write for WaPo. I didn't look at this article (or maybe I did a while ago), but he's done a lot of good reporting on security issues. And trolled a lot of black hats.


  • sockdevs

    As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

    It's not the worst advice I've ever seen; the guy does have a valid point, after all.



  • It's still stupid, even if it's not as stupid as it could be.



  • That's true. And why I rarely use Windows. It makes you stupid.



  • $GENERIC_LINUX_JOKE

    ­



  • Seriously, though, could you explain what is "stupid" about the article?



  • @boomzilla said:

    Seriously, though, could you explain what is "stupid" about the article?

    Completely ignoring the point that he was using a home entertainment machine used by non-technical people and blaming the fact that he got pwned on Windows?

    Yes, there is correlation between "Windows machines" and "getting pwned". No, it does not imply causation.



  • @Maciejasjmj said:

    Completely ignoring the point that he was using a home entertainment machine used by non-technical people and blaming the fact that he got pwned on Windows?

    So this is a reading comprehension problem?

    Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online.



  • @boomzilla said:

    So this is a reading comprehension problem?

    Well duh, it's mentioned (briefly) in the article. How else would I know that? But the assertion made in the headline is outright misleading.



  • I don't see how. This was one post among several (many?) where he'd followed people getting ripped off after some sort of Windows malware led to draining their bank accounts.

    This was also 5 years ago.



  • The bit I quoted above - recommending that these users use non-Windows because trojans don't work on non-Windows. Yes, that works now but it's just going to encourage complacency around security because "trojans don't work on Macs" - what when they do become available for Mac? These users blindly carrying on becuase they're assuming it's safe simply because it's Mac (or Linux) could get caught out.

    Informing users about ways to be properly safe and secure irregardless of platform would be a better approach IMO.



  • @boomzilla said:

    I don't see how. This was one post among several (many?) where he'd followed people getting ripped off after some sort of Windows malware led to draining their bank accounts.

    It wasn't "using Windows" that cost him $100,000 - it was "using a home machine which was also used by technical illiterates (since even in 2010 it was already almost impossible to get infected due to a Windows bug), and which got malware installed".

    It's like saying "using Linux causes WTDWTF server downtime". No it doesn't - using shitty forum software does. That this software happens to be written for Linux is completely irrelevant.



  • @loopback0 said:

    Informing users about ways to be properly safe on secure irregardless of platform would be a better approach IMO.

    At the time, his recommendation was to use a LiveCD. This was really good advice. Your idea requires that users maintain good discipline. Not using Windows is probably a lot easier and effective.

    @Maciejasjmj said:

    It wasn't "using Windows" that cost him $100,000 - it was "using a home machine which was also used by technical illiterates (since even in 2010 it was already almost impossible to get infected due to a Windows bug), and which got malware installed".

    Yes, and if he hadn't used Windows to bank with, none of it would have happened. You can tilt against sensational headlines all you want, but you might as well go sit with blakey in the Windows fanboi section if this is your argument that the article is stupid.



  • @boomzilla said:

    At the time, his recommendation was to use a LiveCD. This was really good advice.

    Yes - I didn't at any point say the article was stupid - just the bit I quoted.


  • area_deu

    @boomzilla said:

    At the time, his recommendation was to use a LiveCD. This was really good advice.

    Because a LiveCD is readonly and can't have malicious modifications?

    Has nothing to do with most of them being Linux ...



  • @boomzilla said:

    Yes, and if he hadn't used Windows to bank with, none of it would have happened.

    No, if he hadn't used his home machine to bank with, none of it would have happened.

    If we weren't using Linux, we also wouldn't have shitty forum software on our hands.



  • @aliceif said:

    Because a LiveCD is readonly and can't have malicious modifications?

    Pretty much.

    @aliceif said:

    Has nothing to do with most of them being Linux ...

    True. He probably mentioned some sort of BSD at some point. But they definitely weren't Windows.



  • @Maciejasjmj said:

    No, if he hadn't used his home machine to bank with, none of it would have happened.

    He'd posted other things where work computers had gotten infected.

    @Maciejasjmj said:

    If we weren't using Linux, we also wouldn't have shitty forum software on our hands.

    Experience and CS prove you wrong.


  • :belt_onion:

    @boomzilla said:

    At the time, his recommendation was to use a LiveCD. This was really good advice.

    Unfortunately, doesn't work in all cases. Personal banking? Mostly, yes. Here, any kind of business account management requires a hardware token of some kind (USB stick, smart card). Many of them lack drivers or client software for anything but Windows. And still, even if it worked, you'd have to install it every time, unless you make your own live CD with all the stuff already included.



  • @loopback0 said:

    Yes - I didn't at any point say the article was stupid - just the bit I quoted.

    Now explain why that was stupid:

    As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows.



  • @boomzilla said:

    Now explain why that was stupid:

    @loopback0 said:

    recommending that these users use non-Windows because trojans don't work on non-Windows. Yes, that works now but it's just going to encourage complacency around security because "trojans don't work on Macs" - what when they do become available for Mac? These users blindly carrying on becuase they're assuming it's safe simply because it's Mac (or Linux) could get caught out.

    Informing users about ways to be properly safe and secure irregardless of platform would be a better approach IMO.

    Post cannot be empty.



  • @Onyx said:

    Unfortunately, doesn't work in all cases. Personal banking? Mostly, yes. Here, any kind of business account management requires a hardware token of some kind (USB stick, smart card). Many of them lack drivers or client software for anything but Windows. And still, even if it worked, you'd have to install it every time, unless you make your own live CD with all the stuff already included.

    That would indeed be a problem. His target audience being the US, this wasn't a problem.



  • @boomzilla said:

    But they definitely weren't Windows.

    They could be (Windows boot CDs can be done), and they would be just as secure due to being read-only.

    @boomzilla said:

    As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows.

    They also fail to run on DOS. Doesn't make DOS more secure than Windows.

    If people do start doing personal banking with Linux, malware users will target Linux because that's where money is. Using Linux over Windows is just security by obscurity - in this case, running a system obscure enough that most malware writers don't bother with it.



  • @loopback0 said:

    Yes, that works now

    Ta da!

    @loopback0 said:

    "trojans don't work on Macs" - what when they do become available for Mac?

    He might update his advice.

    @loopback0 said:

    These users blindly carrying on becuase they're assuming it's safe simply because it's Mac (or Linux) could get caught out.

    It's possible. Things change. But his advice was certainly sound at the time. I don't know if things have changed, and his reporting lately has focused more on ATM skimmers and big data breaches. I suspect this is in part due to Windows becoming more secure in the last half decade.

    Conclusion: Not Stupid.



  • He really should have been using Windows RT. I've never gotten a virus on my Surface.

    :ducks:



  • @Maciejasjmj said:

    They also fail to run on DOS. Doesn't make DOS more secure than Windows.

    I know you guys are mostly ignorant about his advice, but one of the points was that if you pop an Ubuntu CD in, you have Firefox, which people were already familiar with.

    @Maciejasjmj said:

    If people do start doing personal banking with Linux, malware users will target Linux because that's where money is.

    :rolleyes: Fuck...Beta 11 appears to have wiped out completion our custom emojis. Fuck you dicsourze.

    Nevertheless, you're going to be safe right now, while Windows is targeted.

    @Maciejasjmj said:

    - in this case, running a system obscure enough that most malware writers don't bother with it.

    No. Just no.



  • @Maciejasjmj said:

    In short: guys owns company,

    Ok...

    @Maciejasjmj said:

    normally uses a secured work Mac to access his bank account,

    Wow he just fucked-up his IRS return by admitting he uses that Mac for personal business.

    Oh wait, was that not the point of the WTF?



  • @blakeyrat said:

    personal business.

    It was his company's bank account AFAICT. Also, I'm disappointed in you not ranting.

    @boomzilla said:

    I know you guys are mostly ignorant about his advice, but one of the points was that if you pop an Ubuntu CD in, you have Firefox, which people were already familiar with.

    And in DOS, you can install Lynx, with which some people are familiar with too. Now, your point?

    @boomzilla said:

    Nevertheless, you're going to be safe right now, while Windows is targeted.

    And if you obfuscate your password handling routine by doing some random ROT-x shifts, you're safe right now, and you may even deter one or two attackers who won't bother. That still doesn't make your system even a tiny bit more secure than the other guy storing passwords in plaintext.



  • @Maciejasjmj said:

    It was his company's bank account AFAICT.

    Then why was he accessing it from a NON-work computer? Either way this guy's a dumbshit.

    @Maciejasjmj said:

    Also, I'm disappointed in you not ranting.

    If you want me to dance for your amusement, pay me. Fuck you.



  • @boomzilla said:

    Yes, and if he hadn't used Windows to bank with, none of it would have happened. You can tilt against sensational headlines all you want, but you might as well go sit with blakey in the Windows fanboi section if this is your argument that the article is stupid.

    Let's try a thought experiment.

    Suppose we're reading an article about someone going to a really impoverished neighbourhood, by themselves, at night, and getting mugged. Because poverty and crime correlate.

    Poverty and race also correlate, and it happens that this dirt-poor area is also predominantly black.

    Did the guy get mugged because he went to a black neighbourhood, or because he went to a really crap neighbourhood? If the article headline explicitly states the former, and the copy takes pains to gloss over the latter and imply that the former was the relevant factor, is that an intelligent article?



  • @Maciejasjmj said:

    And in DOS, you can install Lynx, with which some people are familiar with too. Now, your point?

    Just that you're still wrong.

    @Maciejasjmj said:

    And if you obfuscate your password handling routine by doing some random ROT-x shifts, you're safe right now, and you may even deter one or two attackers who won't bother. That still doesn't make your system even a tiny bit more secure than the other guy storing passwords in plaintext.

    I don't even know what you're talking about now.



  • @CarrieVS said:

    Did the guy get mugged because he went to a black neighbourhood, or because he went to a really crap neighbourhood? If the article headline explicitly states the former, and the copy takes pains to gloss over the latter and imply that the former was the relevant factor, is that an intelligent article?

    If a straw man begs the question would you burn him just because he'd burn you?



  • @boomzilla said:

    I don't even know what you're talking about now.

    Just that you're still wrong.



  • @Maciejasjmj said:

    Just that you're still wrong.

    Because you changed the subject?

    I will admit to being wrong due to :moving_goal_post:, however. Congratulations.



  • @boomzilla said:

    straw man

    I don't think what you think that means and what I think it means are the same.

    Even if my analogy wasn't applicable, that's not a strawman.



  • @CarrieVS said:

    Even if my analogy wasn't applicable, that's not a strawman.

    I put more stuff in there than strawman. The best anyone has at calling this article stupid is the somewhat sensational headline. And now analogies to claims of racism.



  • @boomzilla said:

    The best anyone has at calling this article stupid is the somewhat sensational headline.

    And that - again - security by obscurity is not security. Using Linux instead of Windows not because Windows is flawed compared to Linux, but because Linux is less popular is pretty much the definition of that.



  • @Maciejasjmj said:

    They could be (Windows boot CDs can be done), and they would be just as secure due to being read-only.

    Being read-only doesn't make it secure if it has a network connection. It can only boot up as secure as the trustworthiness of whomever created the boot CD.

    And that's saying nothing of the possibility that you're a complete moron and you install your desktop stripper so you can have some entertainment while you do your banking.



  • @boomzilla said:

    I put more stuff in there than strawman.

    Yes, but you put strawman in. I wasn't going to argue the toss about the validity of my analogy, because I don't care enough, but there was no strawman, so I objected to the suggestion that there was.

    If you're suggesting I'm claiming that your opinion is racist because it stems from the same logic as the racist opinion in my analogy, then you have failed to grasp the concept of an analogy. Although you have nicely demonstrated a strawman.



  • @Maciejasjmj said:

    And that - again - security by obscurity is not security.

    You're confused about what this is and what security by obscurity is.

    @Maciejasjmj said:

    Using Linux instead of Windows not because Windows is flawed compared to Linux, but because Linux is less popular is pretty much the definition of that.

    If the attacks are all against Windows, then not using Windows is one way of being safe right now. 100%. But that's not all that his advice was.

    @CarrieVS said:

    If you're suggesting I'm claiming that your opinion is racist because it stems from the same logic as the racist opinion in my analogy, then you have failed to grasp the concept of an analogy. Although you have nicely demonstrated a strawman.

    I'm saying a couple of things. Your analogy is imputing racism where there isn't necessarily any. But that's off topic. Nevertheless, you're using something that's poisoning the well (racism). And it's wrong, to boot. I threw a silly statement mentioning several common fallacies and you noticed one of them.


  • Winner of the 2016 Presidential Election

    The headline should have been:

    Using an unsecured computer for a day cost a small business owner $100,000

    Leave the OS bullshit out of it. It has nothing to do with the operating system, and everything to do with poor security practices. That's just sensationalizing the Mac/Windows fanbois, creating FUD about security, and as @loopback0 pointed out, encouraging complacency regarding security, specifically Mac security.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.