AV versus no AV?



  • @remi said in AV versus no AV?:

    Why can't you give me clear instructions how to wash it? Stop confusing me with your mumbo-jumbo about "labels" and "programs"!

    Simple instructions:
    1 - Drop at cleaner's shop
    2 - Pick it up when cleaned
    3 - ~~profit~~ spend more money



  • @remi said in AV versus no AV?:

    (oops, I'm getting derailed here... maybe I need to fit a Trump reference in there to ensure a clean (!) shift to the garage?)

    No washing required in that case - he'll require you to buy a new American shirt to keep people employed!


  • ♿ (Parody)

    @remi said in AV versus no AV?:

    @flabdablet Why would I bother reading the doc? I don't care! I don't want to know what my shirt is made of, I want it to be clean! That is your problem, as a washing machine maker (or cloth maker, I don't care which one) to find out. Plus, if it's written there, why are you not smart enough to detect it automatically? Why should I be doing your job?

    (I'm just pushing the analogy about using computers... it holds up quite well, for once!)

    7/10 Blakeyrants.



  • @boomzilla It's missing an open-sore reference...



  • @remi said in AV versus no AV?:

    Plus, if it's written there, why are you not smart enough to detect it automatically?

    RFID tags on clothes, sounds like a good idea actually.

    But it still won't let you automatically separate "incompatible" clothes unless you add some extra hardware to washing machines.



  • @anonymous234 You're not thinking "big". Add a tracker to each piece of clothing so that you can geolocalise it, and find out automatically how dirty it is based on that (plus your social media activity such as partying, outdoor activities, relationship status etc.). Then an app on your phone telling you when you need to wash your clothes, and put everything in the cloud to be able to share between users and you've invented smart washing.

    (here are a few :giggity: to add in the above sentence: :giggity: :giggity:)



  • @remi said in AV versus no AV?:

    put everything in the cloud

    The way water efficiency is trending in today's new washing machines, it won't be too long before brief exposure to a heavy fog is enough to get your clothes acceptably clean.


  • Considered Harmful

    Antivirus increases your attack surface as demonstrated yet again yesterday:

    A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root.



  • @LaoC Yup, because those antivirus programs often require you to run as root/administrator.

    Much like a Windows service that runs as LocalSystem, if it has a bug and has an open port that can be accessed remotely, your machine can be pwned.



  • @LaoC said in AV versus no AV?:

    A system running Intel's McAfee VirusScan Enterprise

    To be fair, a sysadmin who chooses Intel's McAfee VirusScan Enterprise fully deserves all the consequences.


  • :belt_onion:

    @ben_lubar said in AV versus no AV?:

    @gordonjcp said in AV versus no AV?:

    how does a modern OS even get viruses

    The same way any OS gets viruses: stupid people running things they shouldn't or smart people finding ways to run things they shouldn't on someone else's computer.

    (3) Stupid developers who add stupid features to programs and those stupid features turn out to be easily exploited to do bad things.

    For example, images in SVG format. It turns out that you can put Javascript into an SVG file. And since the only program most people have that is capable of viewing SVG files is a web browser -- BAM. Malicious Javascript attack.



  • @El_Heffe said in AV versus no AV?:

    @ben_lubar said in AV versus no AV?:

    @gordonjcp said in AV versus no AV?:

    how does a modern OS even get viruses

    The same way any OS gets viruses: stupid people running things they shouldn't or smart people finding ways to run things they shouldn't on someone else's computer.

    (3) Stupid developers who add stupid features to programs and those stupid features turn out to be easily exploited to do bad things.

    For example, images in SVG format. It turns out that you can put Javascript into an SVG file. And since the only program most people have that is capable of viewing SVG files is a web browser -- BAM. Malicious Javascript attack.

    Please tell me how having SVG instead of HTML makes JavaScript more vulnerable to viruses.


  • :belt_onion:

    @ben_lubar Probably because people don't normally open random html pages people email to them. They might open random SVG images.



  • @sloosecannon said in AV versus no AV?:

    @ben_lubar Probably because people don't normally open random html pages people email to them. They might open random SVG images.

    How would that be more dangerous than opening a SCR file, which equally few non-tech people have heard of?


  • :belt_onion:

    @ben_lubar said in AV versus no AV?:

    @sloosecannon said in AV versus no AV?:

    @ben_lubar Probably because people don't normally open random html pages people email to them. They might open random SVG images.

    How would that be more dangerous than opening a SCR file, which equally few non-tech people have heard of?

    Have you forgotten the difference between data and code?

    Yes, opening a random SCR file is bad. Yes, many people don't even know what an SCR file is. But that is completely irrelevant. A SCR file is essentially the same as an EXE file. Its whole purpose is to execute one or more instructions.

    An SVG file is supposed to be an image. An image is supposed to be nothing more than data -- pixels and color information. It's supposed to be displayed, not executed. Putting executable code into what is supposed to be a data file is a horrendously bad idea and a serious design flaw.



  • @El_Heffe said in AV versus no AV?:

    Have you forgotten the difference between data and code?

    To be fair, MS forgot that distinction as soon as they put macros in their Office document formats and everybody else has since given up on trying to get the resulting evil-smelling genie back in its bottle.

    JAVASCRIPT ALL THE THINGS

    The one that makes me laugh the hardest is Javascript making its way into PDF documents, given that one of the major design goals of PDF was exactly to put some kind of limit on the ways in which the PostScript programming language could be abused.



  • @flabdablet The "Javascript" was a hot coffee spill over your mum's apron when she was doing it with the milkman.

    Her activities you might want to talk to her about... Just saying.



  • @El_Heffe said in AV versus no AV?:

    An SVG file is supposed to be an image.

    No, an SVG file is supposed to be a recipe for rendering an image at the highest quality a given output device is capable of. It's a little bit codey even without JS support.



  • @flabdablet It is a vector representation you dickhead.



  • @sloosecannon said in AV versus no AV?:

    @ben_lubar Probably because people don't normally open random html pages people email to them. They might open random SVG images.

    BTW what is the risk in opening an HTML file saved locally? I don't know much about web dev but to me it seems like the risk is equivalent to opening any website. Which all of us do many times every day.


  • BINNED

    @marczellm
    Some browsers used to open those with lower security settings. Don't know if this is the case with modern ones



  • @El_Heffe said in AV versus no AV?:

    @ben_lubar said in AV versus no AV?:

    @sloosecannon said in AV versus no AV?:

    @ben_lubar Probably because people don't normally open random html pages people email to them. They might open random SVG images.

    How would that be more dangerous than opening a SCR file, which equally few non-tech people have heard of?

    Have you forgotten the difference between data and code?

    Yes, opening a random SCR file is bad. Yes, many people don't even know what an SCR file is. But that is completely irrelevant. A SCR file is essentially the same as an EXE file. Its whole purpose is to execute one or more instructions.

    An SVG file is supposed to be an image. An image is supposed to be nothing more than data -- pixels and color information. It's supposed to be displayed, not executed. Putting executable code into what is supposed to be a data file is a horrendously bad idea and a serious design flaw.

    Nope. SVG comes with animation capability and is similar to a VRML file, and a VRML file was handled with the same level of caution as a JavaScript file by the browser that natively supports it (Netscape). I can't see why this does not apply to SVG files too.

    And btw, that images/videos can embed instructions that can be exploited is not news; we saw the GDIPlus vulnerability in rendering metafiles a few years ago.



  • @Luhmann said in AV versus no AV?:

    @marczellm
    Some browsers used to open those with lower security settings. Don't know if this is the case with modern ones

    IE6 or below treats it as being in the "This computer" zone; IE7 or later defaults it to Internet unless you change an option in the Advanced tab.



  • @cheong said in AV versus no AV?:

    SVG comes with animation capability

    Sadly IE/Edge refused to implement those and instead said "just use CSS animations (or javascript)".

    Beautiful, a language meant to provide simple styles for documents being used for animations instead of a language meant to represent animations.

    I don't like graphics formats being Turing-complete, not because of security but because it makes it impossible to tell pretty much anything about a single file, like if it ever terminates rendering or not.

    I know scripting has its uses, but it's also often used in unnecessary places, like using PostScript to send documents to printers. This is why good formats define subsets for particular applications, so you can have "SVG" or "SVG-without-scripting-or-interactivity".
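
Added example, not part of any post in this thread: a Python check for whether an SVG stays inside a "without scripting" subset like the one mentioned above. It reports `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `javascript:` hrefs; the function name and the sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary non-SVG markup (e.g. HTML).
ACTIVE_ELEMENTS = {"script", "foreignObject"}


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no scripting was found."""
    # Refuse DTDs up front: a static image does not need them, and they enable
    # entity-expansion tricks against the XML parser itself. This byte check
    # assumes an ASCII-compatible encoding such as UTF-8.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE/ENTITY declaration present; not parsed"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local(attr)  # covers both href and xlink:href
            # Conservative: any attribute starting with "on" counts as a handler.
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            # Drop whitespace before comparing the URL scheme.
            compact = "".join(value.split()).lower()
            if name == "href" and compact.startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


# Constructed samples, not taken from the thread.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<script>function init(){}</script>'
    b'<a href="javascript:void(0)"><rect width="1" height="1"/></a></svg>'
)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, find_active_content(data))
```

A mail gateway or upload handler could reject or quarantine any file for which this returns a non-empty list.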


  • Notification Spam Recipient

    @El_Heffe said in AV versus no AV?:

    A SCR file is essentially the same as an EXE file.

    Essentially? As far as I know, it literally is just a plain old EXE file that is expected to accept certain command line flags? 😕



  • @Tsaukpaetra said in AV versus no AV?:

    @El_Heffe said in AV versus no AV?:

    A SCR file is essentially the same as an EXE file.

    Essentially? As far as I know, it literally is just a plain old EXE file that is expected to accept certain command line flags? 😕

    • /s – Start the screensaver in full-screen mode.
    • /c – Show the configuration settings dialog box.
    • /p #### – Display a preview of the screensaver using the specified window handle.

  • Notification Spam Recipient

    @dcon said in AV versus no AV?:

    @Tsaukpaetra said in AV versus no AV?:

    @El_Heffe said in AV versus no AV?:

    A SCR file is essentially the same as an EXE file.

    Essentially? As far as I know, it literally is just a plain old EXE file that is expected to accept certain command line flags? 😕

    • /s – Start the screensaver in full-screen mode.
    • /c – Show the configuration settings dialog box.
    • /p #### – Display a preview of the screensaver using the specified window handle.

    😃 I once made a tail screensaver using this exact sample!

