Chrome Security Warning for scene.org
category: general [glöplog]
Quote:
Quote:
Why would an average joe who is not an it guy be on scene.org??
THAT.
I for one would like to have more non-IT-guys in the scene, but maybe that's just me.
Quote:
Quote:AV solutions have a host of problems (false positives, having vulnerabilities themselves, ...), but I for one am nonetheless really glad that they protect me at least from all those threats that are at least a day old.
That´s wishful thinking. It sometimes can protect you from KNOWN threats with a KNOWN detection method
Yes, that's exactly what I meant. I for one WANT to be protected from known threats, hence my Conficker example. People who mindlessly bash AV software should go out more often in the field to see what happens to people that do not use AV.
Quote:
but not from something unknown which might be in the wild for months.
Something that's in the wild for months and not yet picked up by AV is usually a nation state malware. Bashing AV because it doesn't detect that is stupid.
Everything else is spreading willy-nilly and gets picked up by AV quickly. Of course a specific family of malware gets mutated very frequently to avoid detection, that's why I wrote "protect against threats that are a day old". And again, I like to be protected against yesterday's malware when I switch on my PC. I still fail to see how AV is "causing a similar level of trouble", but to each his own.
Quote:
in a world full of devices with 24/7 online presence and hence enough possibilities to quickly spread, update and mutate malware anytime.
You obviously have no idea how modern malware operates nowadays. 24/7 online presence has nothing to do with it when the overwhelming majority of all new infections happen via exploit kits in drive-by attacks and social engineering via malicious attachments and links.
Quote:
My experience looks more like that:
[lots of examples for false positives]
So much about the security "average joe" gets.
As I already said, false positives are a problem. Leaving out examples where AV detects malware shows your bias, however.
Quote:
Also, security needs to cover the whole environment, thus any local machine based solution is likely to miss most network and social engineering based tampering attempts.
Of course, implementing a holistic approach is IT security 101. But that goes both ways: "whole environment" includes local machine based solutions like AV as well. Network-based solutions alone will miss the majority of modern attack vectors (see above), so leaving AV (among other host-based solutions) out of the mix makes no sense.
Quote:
Keeping the users dumb by scaring them instead of providing helpful advice and education is definitely helping the business of certain companies. But it does not improve the situation for the users
Wrong. Actually, there are several studies showing that simplified warnings in browsers improve the security of the average user (again, "average" meaning non-IT-guys). Look up Matthew Smith and "usable security" for example if you want to learn more about that.
But maybe blindly hating "certain companies" is easier and more fun, what do I know. :)
Should AV be subdivided?
Just got the warning myself. It's cool. "Harmful programs" sounds dangerous, I like it.
Morally decadent programs that will corrupt the minds of the youth!
Morally decadent programs that will corrupt the memory, this is why we must obey the MCP!
Just use Opera. It's Chromium-based since a while back... it really is a no-brainer to make the switch now, absolute no need for Chrome anymore, or the lesser browsers.
Opera? All the cool old farts use Vivaldi these days anyway!
Quote:
Opera? All the cool old farts use Vivaldi these days anyway!
Speak for yourself...
Vivaldi and current Opera is basically just Chrome with slightly different paint on it...
@Kylearan: Do you even notice how much you contradict yourself? E.g.:
So a non-IT guy approaches scene.org just to get scared away by a big fat red warning as a welcome, yet you still think it is a good thing?
So you admit that the protection is basically just an illusion. Or even worse, do you want to say that such a thing as "good" (institutional) in contrast "bad" (non-institutional) malware exist? Not to mention that it is quite naive to think that a worldwide net of organized criminals doesn´t have the ability to exploit the same weaknesses as well.
...which in turn basically happens on users being online for more than just grabbing their mails in a few seconds. Not to mention that web installers and automatic updates isn´t a legit software toy either, and protecting a machine is basically irrelevant if the target is the user itself.
If you count properly you´l see that the list contains quite some positives, though mostly not handled as they should have been. More true positives are not in the list because there weren´t any in my surrounding so far.
But I´ve just found a true positive handled properly I have to admit
Well, that one sums it up quite well, and the thread has been successfully derailed a few posts before anyway. Waiting for ponies now.
@Kylearan: Do you even notice how much you contradict yourself? E.g.:
Quote:
I for one would like to have more non-IT-guys in the scene, but maybe that's just me.
So a non-IT guy approaches scene.org just to get scared away by a big fat red warning as a welcome, yet you still think it is a good thing?
Quote:
Something that's in the wild for months and not yet picked up by AV is usually a nation state malware. Bashing AV because it doesn't detect that is stupid.
So you admit that the protection is basically just an illusion. Or even worse, do you want to say that such a thing as "good" (institutional) in contrast "bad" (non-institutional) malware exist? Not to mention that it is quite naive to think that a worldwide net of organized criminals doesn´t have the ability to exploit the same weaknesses as well.
Quote:
You obviously have no idea how modern malware operates nowadays. 24/7 online presence has nothing to do with it when the overwhelming majority of all new infections happen via exploit kits in drive-by attacks and social engineering via malicious attachments and links.
...which in turn basically happens on users being online for more than just grabbing their mails in a few seconds. Not to mention that web installers and automatic updates isn´t a legit software toy either, and protecting a machine is basically irrelevant if the target is the user itself.
Quote:
As I already said, false positives are a problem. Leaving out examples where AV detects malware shows your bias, however.
If you count properly you´l see that the list contains quite some positives, though mostly not handled as they should have been. More true positives are not in the list because there weren´t any in my surrounding so far.
But I´ve just found a true positive handled properly I have to admit
Well, that one sums it up quite well, and the thread has been successfully derailed a few posts before anyway. Waiting for ponies now.
Quote:
change browsers
firefox gives the same warning
The message is actually wrong. How stupid are Google and Mozilla?
Still better than this...
For people potentially being scared of running suspicious binaries, why not put an uncompressed, 'unmangled' executable on the side to the release packages.
Releasing sources does not help those without development environments and understandably many people wouldn't care about releasing them anyway. But an uncompressed binary with some extra options would also save the trouble of adding multiple versions for multiple resolutions, etc.
This of course doesn't help with binaries already detected as viruses.
Releasing sources does not help those without development environments and understandably many people wouldn't care about releasing them anyway. But an uncompressed binary with some extra options would also save the trouble of adding multiple versions for multiple resolutions, etc.
This of course doesn't help with binaries already detected as viruses.
My point was that there aren't any viruses in demos, so it is plainly a false message.. How about the Big G talks to us some time and clears this up? It seems like they're deliberately ignorant.
(Which they are, haha...)
(Which they are, haha...)
i assume a subtle warning text box about false negatives that our compression technologies cause AVs to assume malpractice on the download page for non-logged-in users or something cookies-based for first visitors will suffice nicely.
"Of course it will."
If elevated_win7_test.zip is the only file causing a problem, we could simply remove it, the 2016 version should suffice these days.
In general I'm with Preacher a bit, I think the future is web anyways. I personally think the right direction is WebGL 2.0 (ES3.0 equivalent) - with it you can do almost all (if not all) that the most native demos do (except for Fairlight's maybe), yet it's still real time and size can be judged (size is even relevant in practice).
Let Mentor or I know if we can help with the elevated_win7_test.zip issue
In general I'm with Preacher a bit, I think the future is web anyways. I personally think the right direction is WebGL 2.0 (ES3.0 equivalent) - with it you can do almost all (if not all) that the most native demos do (except for Fairlight's maybe), yet it's still real time and size can be judged (size is even relevant in practice).
Let Mentor or I know if we can help with the elevated_win7_test.zip issue
If "the future is web", we're fucked, because right now this whole thread is a great example to why the web is broken.
the future is the web, as long as they dont look at the web!
Our hosting took down loonies.dk automatically twice a few months ago due to 3 out 67 av scanners flagging some zip files. As I would suspect other hosting companies will follow suit sooner or later (otherwise their shared IPs would be flagged like scene.org is..) I instead made a script in front of the zip files, mangling the (crinkled) executables like this. (it's a .net host if you are interested in the handler).
Next step would be if we could detect the av scanners and send clients that we are reasonably sure are humans the unmodified files instead, but I haven't made out a pattern from the logging yet... And putting a captcha form in place of what clients expects to be a zip file download seems worse than the current solution.
Next step would be if we could detect the av scanners and send clients that we are reasonably sure are humans the unmodified files instead, but I haven't made out a pattern from the logging yet... And putting a captcha form in place of what clients expects to be a zip file download seems worse than the current solution.
yeah well now you're just coming up with, like, SOLUTIONS, maaaaaaaan
How long til we won't be able to install and run third-party software on our computers?
Quote:
I think the future is web anyways. I personally think the right direction is WebGL 2.0 (ES3.0 equivalent) - with it you can do almost all (if not all) that the most native demos do
Quote:
If "the future is web", we're fucked, because right now this whole thread is a great example to why the web is broken.
I used to be very excited about webGL as a crossplatform demo solution and in theory it should work like IQ says. But unfortunately the more I played with it I realised it is has it's own compatibility issues, constantly changing and different performance and implementations across multiple browsers, then changes and inconsistencies again within different versions of the same browser. That's before we even get to differences of underlying OS and hardware which the browsers are running on.
Not to say webGL is bad but it is certainly no better than existing environments.