-Mxa

But “XP Antivirus 2009″ isn’t purely technology related either. That’s my basic point.

Huh? Why do you think it’ll be linear? Even at 30% it makes a lot more sense to go for the 70%, a lot of who are clueless, rather than the 30% who actually had the sense enough to download Firefox.

-Max

Well, it’s not so much a matter of “common” sense. If on my car, a light turned on that said, “You need to stop driving the car right now,” I’d probably do it. I’m not really a car expert, I don’t know what lights I should and shouldn’t have. I suspect that most of the people reading this blog are expert enough on their computer to know what is and isn’t a real prompt, for example. Also, there are much more subtle tricks (clickjacking, etc.) that any non-expert user would fall for.

> Of course social engineering works across OSes.

The Mac desktop market seems to be getting bigger and bigger. I suppose we’ll see if the “Windows seems insecure only because it’s the largest target” continues to hold up. I don’t think it’s held up in terms of IE vs. Firefox, as Firefox now commands a respectable share of the market and I don’t see 18% of attacks going there.

And of course I’m not talking about 419 scams or other things that are not purely technology-related.

-Max

In terms of interfaces, the idea is to create a series of small actions that can do everything, and not to provide a lot of convenience functions unless they’re just wrappers over a series of the simple functions. More of a “building blocks” than a “buildings” method.

There’s plenty of Unix malware, but I agree, it’s pretty uncommon that it’d be installed through social engineering as opposed to say, brute forcing SSH. The nice thing about that security issue is that you can close it up just by disabling password access (it’s a very small attack surface).

I agree that Vista and Win7 are going in the right direction, though MS will still have a serious legacy problem (at least for the next decade or so). And I think we can all agree that many Windows APIs (particularly legacy ones) are more complex than they need to be (partially because Windows is kind of engineered to be a one-size-fits-all product, so we have enterprise-level features and APIs even on our desktops).

-Max

Saying that its impossible to run Windows safely without with antivirus, or that Windows can and will never be secure is just flame bait, which kinda clouds up the whole point of this article, that smaller interfaces lead to less attack surface. Sadly, that also ignores the fact that smaller interfaces can also mean you can’t do half the stuff you wanted either (or at least its often more difficult).

Developing software from the ground up, people rarely would make the same choices twice in a row (even in one or two years, ideas can change drastically, and Windows is hauling around interfaces that are a lot older than that). Starting over from the group up isn’t really an option for most large projects though. So you do what MS is doing. You separate things apart where you can, and update them in small chunks (Vista and Win7). Or you write new APIs and let people opt in to using them instead (WPF).

Of what? That users get fooled by social engineering attacks? Is that even news?

> Most users don’t even have the latest patches installed, either.

I very much doubt this, given that Windows defaults to automatic updates on XP SP2 and above. Even pirated copies receive automatic updates.

> (unless you’re an expert)

Or you have enough common sense to not be a victim of social engineering.

> It’s clearly not just social engineering because that would be effective on all OSes.

Well, then, what is it? The fact is that there hasn’t been an unpatched exploit in ages. So what does that leave?

Of course social engineering works across OSes. Are you saying that non-Windows users who aren’t knowledgeable don’t get 419 scammed or phished? Both are kinds of social engineering attacks, and enticing people to install “XP Antivirus 2009″ is yet another. The Windows market is targeted because that’s where most of the suckers are, simply because it’s larger.

-Max