On re-reading, I use the phrase “permissions” a lot, so here’s what I mean by permissions. You, the user, have permissions to read and write to many places in your hard drive, possibly all places. If you prevent your account from being allowed to modify, say, the system files, then you will not be able to run many installers and other possibly unsafe actions. The problem, basically, is that almost all home users and many business users just use one account, which has administrator privileges, and those privileges allow you unfettered access to your system. The OS houses have tried to address this (mentioned below), but ultimately, if you have admin privileges already or if you can be tricked into executing some code that runs with admin privileges, you’re vulnerable to mischief.
The problem is very serious, and few people seem to recognize it: any program that you, the user, execute is executing with your permissions already. It can silently decide to e-mail every document on your hard drive to an IP address in Russia.
The reason for the focus on pop-ups is that browsers are generally written by trustworthy people. The browsers already run with all of your permissions, but they tried to be a little forward-looking. When interpreting or executing code found in html, java, javascript and several more of the standard MIME types, the browsers and/or underlying run-time interpreters don’t want to let an untrustworthy website have access to all of your files or any other resources that don’t involve surfing the web, so whenever some object wants to write something or read something from other places on your hard drive, the standards-based interpreters/virtual machines/whatever will pop up a dialog asking if you really want to do this possibly harmful thing. Hitting the close box on a dialog put up by the web browser tells the browser that it should not grant the object the permissions it asked for.
Now, when you install a plug-in (such as the flashplayer or quicktime or realmedia), that plug-in is also going to be running in the browser’s context with all of your permissions. That’s why the browsers ask you whenever some website has an object that requires a plug-in that you haven’t already installed. Be very cautious about which plug-ins you install! The same goes for ActiveX controls: they’ll be running with all of your permissions if you allow them to be loaded.
For any application that’s not a browser, you’re on your own. They’ll be running with all of your permissions the moment you launch them, so they don’t have to ask your permission for anything. You already granted them all of your permissions when you double-clicked. That’s why you should be cautious about where you get your applications. Anything that you launch can read or delete or modify everything that you have permission to read or delete or modify.
This is why it’s a good practice to use a non-administrative account. You won’t have the default permission to read everything or write anything, so anything that you launch (or any process which you allow to be created) will not have the permission to make mischief. Even then, if you launch a malicious program that wants to modify your registry or launch some weird daemon, but that program can’t do what it wants, one of two things will happen. Either it’ll attempt an operation that isn’t allowed (in which case your Windows/Mac OS will put up a dialog asking you for your admin password) or it’ll pretend to be the OS and put up its own dialog asking for your password. If it’s craftily written, the malicious program can actually go off and do whatever you think it was going to do so that you don’t start worrying about running your latest virus checker.
(Virus checkers check for everything that the anti-virus companies know about, and a few activities that might have characteristics of malicious code. So they’re looking for trojans, worms, known-to-be malicious programs, odd registry entries (Windows), odd processes (Mac), etc. in addition to the basic viruses.)
Firewalls that put applications in a sandbox provide a good amount of protection. With these in effect, only the apps that you want to be able to connect to your ports (e.g., the Internet) will be able to connect to those ports. Of course, the OS can connect to whatever it wants to connect to, because it’s the OS that’s allowing you the privileges to do anything at all; that’s why you need to get your OS from a trusted source. Assuming you trust your OS, you should be able to run without any programs accessing the Internet other than your browsers. However, looking on my (XP) PC, I see that my various antivirus programs, adobe reader, my browsers, google earth, etc. have full permissions. DivX and realnetworks/realplayer are blocked because they wanted to phone home but I blocked them the first time I was asked.
Bottom line: Attempt to run on a non-admin account. It’ll be a little painful, and you should curse any non-malicious developer who writes code that will not run unless it has admin privileges. If you see a pop-up while browsing, you can probably hit cancel. But if you want to be safe, kill the application and/or any suspicious process via Task Manager (Windows), Activity Monitor (Mac) or the old reliable kill -9 nnn (Linux, Unix, Mac), where you get your nnn from either top or ps. Don’t hesitate to kill your browser if you’re suspicious. Firefox extensions can be written by trustworthy people at Adobe or by a nerdly mafioso, which is why the Firefox extensions website distinguishes between plug-ins whose authors have been verified to be trustworthy and those that haven’t.
Until they figure out how to actually protect your computer from bad and/or evil programmers, keep your documents encrypted, only run apps from sources you trust, and consider encrypting your entire hard drive a la TrueCrypt. If you have a Mac, enable virtual memory encryption. That will make the OS encrypt any memory pages it writes to disk, which will prevent a bad person from reading your hard drive with a hex editor, should they get physical access to your hard drive. I haven’t looked at Vista or Linux in any detail, but this should be available by now. I haven’t found that capability on XP or any addition to XP. It pretty much can only exist if they build it into the OS.
One temporary solution is the recent interest in running your own copy of Windows off of a thumb drive. You’ll know that your thumb drive is clean, and whatever corruption exists on your actual hard drive will have limited effects. Additionally, some people are running the Linux OS and applications off of CDRs.
Frankly, I do most of my technical work on PCs that have no physical connection to the Internet. I only keep my financial info and passwords on an encrypted disk image on my Mac at home. And on my PC that is connected to the Internet, I never type in a password to my bank or brokerage accounts – I copy and paste fragments of the passwords (using my mouse) just in case a keylogger gets on that PC. I don’t have any defense against malicious admins looking at my screen while I do this, so I generally don’t actually check my accounts on these websites when I’m at work.
Bottom line below the bottom line: as a programmer I know for sure that you should not trust programmers or the software they produce.
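As an added example that is not part of the original post, this Python script (written for Unix-like systems; the ADMIN_GROUPS set and the sample system paths are assumptions) reports what any program launched from the current account could read or modify, and whether the account counts as an administrator, which is the check the post's advice about non-admin accounts rests on.

```python
import grp
import os
import pwd

# Groups that typically grant administrator rights on Unix-like systems.
# This set is an assumption for illustration; adjust it for your system.
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}

# Constructed sample of system locations a launched program should NOT be
# able to modify from an everyday account.
SYSTEM_PATHS = ["/etc", "/usr/bin", "/usr/lib", "/bin", "/sbin"]


def access_report(paths):
    """Return {path: (readable, writable)} as seen by the invoking user.

    Any program started from this account gets exactly the same answers:
    a launched program inherits the user's permissions, nothing more and
    nothing less. A missing path reports (False, False).
    """
    return {p: (os.access(p, os.R_OK), os.access(p, os.W_OK)) for p in paths}


def writable_paths(paths):
    """Sorted subset of paths a program run from this account could modify."""
    return sorted(p for p, (_, w) in access_report(paths).items() if w)


def is_admin_account():
    """True if the current user is root or belongs to an admin group."""
    uid = os.geteuid()
    if uid == 0:
        return True
    user = pwd.getpwuid(uid).pw_name
    groups = set()
    for gid in os.getgroups():
        try:
            groups.add(grp.getgrgid(gid).gr_name)
        except KeyError:  # gid with no name in this container/chroot
            pass
    # Also honour group memberships not yet active in this session.
    groups |= {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    return bool(groups & ADMIN_GROUPS)


if __name__ == "__main__":
    print(f"admin account: {is_admin_account()}")
    exposed = writable_paths(SYSTEM_PATHS)
    print(f"system paths a launched program could modify: {exposed or 'none'}")
```

An empty list for the system paths on an everyday account is the outcome the post is after; a populated one shows exactly what an installer you were tricked into running could touch.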