Google guru blasts Android virus doomsayers as 'charlatans'

Google's open-source program manager has launched an entertaining rant against firms offering mobile security software, accusing them of selling worthless software and of being "charlatans and scammers". Chris DiBona, Google's open-source programs manager, argues that neither smartphones based on Google's Android nor Apple's …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    He has a very valid point...

    There are plenty of idiots willing to pay money for snakeoil though, and many big companies selling it (tarnishing their reputations in the process).

    Me, I use Mcvities Antivirus.

    1. Anonymous Coward
      Anonymous Coward

      I guess they saw a sucker coming.

      Good luck with that.

    2. Anonymous Coward
      Anonymous Coward

      Thank you for setting such a fine example.

  2. Field Commander A9
    Thumb Down

    "No Linux desktop has a real virus problem," he added.

    And we all know the reason to this is.....

    1. Anonymous Coward
      Anonymous Coward

      Because ...

      ... it makes a hard distinction between system and user files, perhaps?

  3. Johntron

    Taunting

    Feels like they are just drawing attention to themselves and taunting people to write some "real" viruses.

    1. Anonymous Coward
      Anonymous Coward

      Not taunting, stating the obvious

      It isn't "harder" to write a *nix virus but it is really very, very difficult to get said virus to actually infect the OS without explicit permission and even if you somehow manage to go there, it's even harder for the virus to infect the actual system ... if a user account is compromised, delete it and make a new one. Probably reducing that user's range of permissions in future.

      It is astonishing how badly this is not well understood by non-Linux/Unix users. If Windows had Unix-like constructs with regard to users, permissions and what is and isn't recognised as an executable file, from day one, it would be very much more robust today -- not infallible to be sure -- but really very much harder to totally work over by a virus or malware.

      MS should just put a Windows overlay on a Linux kernel and be done with it. Sure, it would break backwards compatibility in a lot of ways but at the moment MS seems not to care as much about that as they once did.

      1. Gordon Fecyk
        Thumb Up

        So you're asking for Windows 2000 then?

        "If Windows had Unix-like constructs with regard to users, permissions and what is and isn't recognised as an executable file, from day one, it would be very much more robust today "

        While Least Privilege existed as you described it in Windows since NT 3.1, 2K was the first release that started shipping with the file system defaults that take advantage of it.

        OK sure, I will blame Microsoft for not supporting it in Office 97. Beyond that, blame third parties for writing crap that insists on admin / root privilege to run.

        1. eulampios

          >>OK sure, I will blame Microsoft for not supporting it in Office 97. Beyond that, blame third parties for writing crap that insists on admin / root privilege to run.

          I am curious to know what makes Windows software authors be so unprofessional and why is it so different for Linux and *BSD (et cetera Unixes) where such problem does not exist? BTW, why would MS Windows by default execute a file with a proper extension? It would be quite dumb likewise when a user clicks on a file without any extension?

          1. Gordon Fecyk
            Thumb Up

            I wish I knew, eulampios. I wish I knew.

            "I am curious to know what makes Windows software authors be so unprofessional."

            I've been seeking the answer to that question for six years, now.

            While I'm at it, I'm also wondering why the more expensive the application, the more likely it is to break. I can buy a bargain-bin game (Singularity) that will run with least privileges on Windows 7, yet I can't buy a million-dollar point-of-sale system, marketplace system, or hospitality system that does.

            (I can't say which systems without risking my career. Maybe that's part of the problem.)

            1. eulampios

              I got a hypothesis, Gordon.

              I do agree with you. Not necessarily expensive, though. Consider an Adobe pdf reader. It is a piece of insecure lumber compared to evince, xpdf, kpdf and such. Take another Adobe's pos, flashplayer. I still do not understand, why does it need 5-10 times more CPU time than mplayer, vlc et many not al. Even when a movie is being downloaded on pause it manages to make my fans roar, while a simple and reliable flvstreamer needs only a tiny 1% of CPU to do the same job on RTMP protocol.

              Also, I guess that, the lack of Unix or other reasonable culture on Windows has to be blamed upon the Redmond-based parent. My surmise is itself caused by my own experience as a user of the MS Windows (in the past) and GNU/Linux, *BSD currently and in the future (provided M$ won't stifle the latter to extinction). The Unix-based is more motivating, encouraging for learning than the former. It might also be well applicable to many software writers.

              This all converges to the mother of all causes, the nature of software. Namely, whether it is free or imprisoned. Say, would it be possible to create and maintain something equal to Emacs or vim, Linux or BSD kernel, GNU software, Apache or nginx web server, etc...? The Unix perfection itself owes it so much to the ability to freely use, copy, change and redistribute.

              1. Gordon Fecyk
                Boffin

                "Free" does not mean "Secure" or "Better"

                "This all converges to the mother of all causes, the nature of software. Namely, whether it is free or imprisoned." [...] "Unix perfection itself owes it so much to the ability to freely use, copy, change and redistribute."

                Do the words "Unix" and "perfection" belong in the same sentence?

                "Free" (GNU) software can be just as secure or just as broken as so-called "imprisoned" software. Quake II is GPL-licensed now, but its current (3.21) release makes the same stupid mistakes as current releases of Oracle's SQL client on Windows. Likewise, the last time I tried making Quake II work on some distro of Red Hat Linux, making OpenGL (um, pardon me, "Mesa3D") work required root access.

                This is all "original research," true enough. I can only claim that I made Quake II work for non-admins on Windows, and have made source code to my mods available per GPL terms. I couldn't make Q2Linux / Mesa3D work.

                MS encouraged developer laziness with DOS, Win 3.1, 95, 98 and ME. But all I've heard after XP SP2 was how terrible MS was for breaking old stuff, even though devs had four or so years to fix it since 2K came out. None of these changes were secrets; there were four editions of Advanced Windows out before then.

                As for expensive, that's just an observation; the more expensive an application is, the more likely it is to not work as a non-admin. That's developer inertia (laziness). If I had the time I'd like to go through all of the GPL-licensed software for Windows; I'd bet I'd find as much admin-needing code there as I would in the commercial world.

                (A lesser man might claim a conspiracy; "GPL authors make Windows versions less secure to encourage moving to Linux." Not true; I'd claim GPL authors are just as lazy as commercial ones.)

      2. Anonymous Coward
        Anonymous Coward

        Hmm...

        "If Windows had Unix-like constructs with regard to users, permissions and what is and isn't recognised as an executable file, from day one, it would be very much more robust today..."

        Some sort of access control lists should do the job.

        Err...

      3. John 137
        Mushroom

        I think it would be a mistake to assume you've solved your infection by deleting the user. Once you have a login of any sort, privilege escalation is possible--here's a couple options that were posted on one site, within the last month: http://www.exploit-db.com/exploits/17932/ http://www.exploit-db.com/exploits/18105/

        Have you killed off every process he started, even the ones that hide themselves? Did you remember to look for cron jobs? Running services? Scheduled "at" tasks? Maybe some other user left his .bashrc world writeable, so now the next time he logs in it'll launch a backdoor-type service and your attacker is right back in.

        I saw a very interesting demonstration once. Using something like Flashrom (http://www.flashrom.org/Flashrom), you can reflash the bios while the system is running, needing only root access (and sometimes not even that). In the demonstration, they reflashed the bios with a slightly modified version; everything worked normally, with the added "feature" that if you booted the system with a file named "xyzzy" in /tmp, the BIOS would read your filesystem and make it SUID root. There's a local exploit that will not go away no matter how many times you re-install Linux.

        Nuke (from orbit), because that's the only way to be sure.

        1. eulampios

          >>Have you killed off every process he started, even the ones that hide themselves? Did you remember to look for cron jobs? Running services? Scheduled "at" tasks? Maybe some other user left his .bashrc world writable, so now the next time he logs in it'll launch a backdoor-type service and your attacker is right back in

          The default perms for files created by a user are -rw-r--r-- 1

          $ pgrep -u user   # to see processes run by the user "user", or

          $ top -u user     # or press u in the top session to provide the name

          # pkill -u user

          will kill all the processes

          One of your links' exploit did not work for me and no escalation was possible. Did not check the other one.

          I myself think that if a serious suspicion comes up, one should reboot to runlevel 1 to the single root shell and issue deluser or userdel command. That won't remove the home dir as well, one can if necessary.

          Having said this, let's remember that 99% of Windows malware comes from the internet and self-executes, sometimes even by the system. This would be a painstaking task on a POSIX system. One has to grant +x permissions to a file. On Windows, default is to judge according to the extension.

          1. Anonymous Coward
            Anonymous Coward

            @ eulampios

            Precisely.

            Also, what is marked +x for one user isn't going to be so for another -- and certainly isn't going to wind up in /bin or /opt or any other system level directories. Nor is it going to be able to replace any system level file with a malicious copy.

            I can make a user's range of permission very local and limited. Anything that does get through is going to be trapped at the user account which I can pkill and remove.

            Also *nix doesn't just blindly execute files based on file extension ... something that Windows still does.
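
Added example, not part of any post in this thread: a read-only audit covering the clean-up questions raised above (processes still running, cron and "at" jobs, world-writable shell startup files) to run before an account is removed. The spool and temp directory paths, the startup file names and the function names are assumptions; adjust them for the distribution in use.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of a suspect local account before removing it.
# Nothing here kills processes or deletes files; it only lists what to review.

# Assumed locations: cron tables and at jobs live under /var/spool/cron
# (Debian layout) or /var/spool/cron and /var/spool/at (RHEL layout).
SPOOL_DIRS="/var/spool/cron /var/spool/at /tmp /var/tmp /dev/shm"

# Processes still running as the account (same pgrep -u used in the thread).
# pgrep exits non-zero when nothing matches, which is not an error here.
user_processes() {
    pgrep -l -u "$1" || true
}

# Files owned by the account under the given directories.
# Per-user crontabs and at job files are owned by the submitting user, so an
# ownership search finds them along with anything dropped in temp directories.
# $1 = user name or numeric uid, remaining arguments = directories to search.
owned_files() {
    owner=$1
    shift
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            find "$dir" -xdev -user "$owner" ! -type d 2>/dev/null || true
        fi
    done
    return 0
}

# Shell startup files that any local user can modify. These are checked for
# every home directory, not only the suspect's: a world-writable .bashrc in
# someone else's home is a way back in after the account is gone.
# $1 = directory that contains the home directories (usually /home).
writable_startup_files() {
    find "$1" -maxdepth 2 -type f \
        \( -name .bashrc -o -name .bash_profile -o -name .bash_login \
           -o -name .bash_logout -o -name .profile -o -name .zshrc \) \
        -perm -002 2>/dev/null || true
}

# Full report for one account. Run as root so the spool directories are readable.
# $1 = user name, $2 = homes root (defaults to /home).
audit_user() {
    echo "== processes running as $1"
    user_processes "$1"
    echo "== files owned by $1 in spool and temp directories"
    # SPOOL_DIRS is intentionally unquoted so it splits into separate paths.
    owned_files "$1" $SPOOL_DIRS
    echo "== world-writable startup files under ${2:-/home}"
    writable_startup_files "${2:-/home}"
}

# Run the report only when a user name is given on the command line.
if [ $# -gt 0 ]; then
    audit_user "$@"
fi
```

Anything the report lists needs reviewing by hand before userdel or deluser; an empty report does not rule out changes made with escalated privileges, which is the point John 137 raises.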

  4. Ru

    Oops

    I can see this turning into another '640k should be enough for everyone' statement. Only it actually happened.

  5. Gordon Fecyk
    WTF?

    [citation needed]

    "Windows malware estimates routinely exceed 5 million and above" [citation needed]

    Anti-virus vendors don't count as reliable sources, either. They're "original research" at best.

  6. Dr. Vesselin Bontchev
    Boffin

    DiBona is so full of it

    While it is true that there are snake oil salesmen in the mobile security business (which field of business doesn't have them?!) - like scanners with pitiful detection rates and overblown estimates of the number of Android malware programs out there - this DiBona chap is so full of it that it's not even funny.

    Smart phones are not "inherently more secure than PCs". Just like with the PCs, the weakest link is the user. The user would install anything from anywhere without ever stopping to think. And it's kinda difficult to protect people from themselves, you know? No solution is fool-proof, because the fool is always bigger than the proof...

    Mobile malware hasn't caused "much of a problem"? OK, let us assume, for the sake of argument, that it has hit only ONE user (in reality, thousands have been hit, but humor me). That certainly wouldn't be "much of a problem", compared to the millions of smart phones out there, right? Now, stop and think for a moment. What if that ONE user was YOU? Do you still think that protection for mobile devices is useless because malware "isn't much of a problem"?

    No major cell phone has a virus problem?! I guess, he doesn't count Nokia as a major brand of cell phones, then. In the early days of Symbian (S60) - the OS that most Nokia smart phones used - many mobile viruses spread across such phones over Bluetooth and MMS.

    Regarding the "no Linux desktop has a real virus problem" crap, with the risk of being flamed by all the Linux fanbois here, I'd say that it again depends on how you define "no" and "a real virus problem".

    One more point regarding the "snake oil salesmen". Please note that many (most?) Android security vendors offer their scanners for FREE and only sell for money their other, non-malware related services, like backing up the information on the phone into the cloud, tracking the phone, locking the phone and so on. You can hardly call a "snake oil salesman" somebody who is giving you their product for free. Or is Mr. DiBona actually claiming that the other security services are worthless?!

    Now, speaking of worthless and incompetent stuff, how about a long and hard look into the Android security model, huh?

    1) Android, out-of-the-box would install and run any signed app (if configured to use alternate markets). Signed by anyone, I mean. As opposed to that, the iPhone would run only apps signed by Apple. That's not necessarily a good thing - personally I'd take malevolent freedom over benevolent dictatorship any time - but it does have a negative impact on security.

    2) Android is plagued by bugs, exploited by the various rooting exploits, the fixes for which take ages to reach the end user. This is not only Google's fault - much of the blame falls on the mobile operators - but fact is that Apple's model provides better security in this aspect too.

    3) Android has the same user-incomprehensibility problem that has plagued the Windows security software for ages. You download an app. It tells you that it requires X, Y and Z rights. The vast majority of people have absolutely no clue what these rights really mean and why the app might need them. Android's description of them is pitiful. The responsibility for making a correct security decision is dumped entirely on the user. In such a situation, most users will fail to make the correct decision.

    Why is it not possible to grant only some of the rights that the app requests?!

    Why is it not possible to change later the rights granted to an installed app?!

    1. BenDwire Silver badge
      Meh

      For the minority of people ....

      Try LBE Privacy Guard if your phone is rooted - nicely restricts rights on a per-app basis.

      That said, I do agree with a lot of this - even as a Linux die-hard and Nexus S owner!

      1. Anonymous Coward
        Anonymous Coward

        Go ahead and trust the questionable dreck.

        Zoner for the WIN.

    2. Gordon Fecyk
      WTF?

      [?specify]

      "many [?specify] mobile viruses spread across such phones over Bluetooth and MMS."

      You're not immune, Mr Bontchev. Examples, please.

    3. This post has been deleted by its author

    4. nhirsch

      Vesselin: Haven't heard or read anything from you in many years. I'm glad to see you still have thoughts in this business and well thought out I might add, as usual!

    5. eulampios

      @ Dr. Vesselin Bontchev

      Doctor Vaselin,

      >>What if that ONE user was YOU?

      We're talking about the risks, simple probabilities. A low risk threat is than the (much) higher one. It's NOT that GNU/Linux, FreeBSD are completely devoid of any risk of getting a malware, it is just the overall probability is much lower than on Windows. It is partly explained by Craiggy (above) http://forums.theregister.co.uk/user/44832/. The sandbox security Android model makes it even more secure than a regular distro. However, a lack of secure repository diminishes this advantage and makes Android lose against the distros and *BSD. Android users do also tend to be less educated (in IT).

      >>Android has the same user-incomprehensibility problem that has plagued the Windows security software for ages. You download an app. It tells you that it requires X, Y and Z rights. The vast majority of people have absolutely no clue what these rights really mean and why the app might need them.

      I am curious, what similarity with Android permissions do you find when you want to install a 3-d-party app on Win7? Where does it specify permissions? Permissions do not exist for apps on windows. There are no virtual users or groups, there is only the system.

      Permissions are pretty straightforward. A game that wants to access your mailbox, texting and phone making is a suspicious app, or maybe a poorly written piece of crapcode.

      Mere common sense, ability to read in English, Bulgarian or whatever language, is enough. Information is a power indeed.

      Whereas on Windows one lacks such information, no matter how much knowledge she or he might have, it yields very little strength. They can only say "In AV we trust!"

    6. Mike Judge
      FAIL

      ermmmm

      "Android, out-of-the-box would install and run any signed app (if configured to use alternate markets)."

      so that's not really out the box then... it also warns you against doing so if you try and enable non market apps.

  7. Chad H.

    I don't think the reason is higher security...

    I think the real reason why we haven't seen mobile virii take off is simply a case of economics. The time spent creating a mobile virus could be used to create a windows virus that has a much higher payoff rate.

    In other words, You can either try to fish where there are a lot of fish, or very few fish. Windows has more fish.

    1. rurwin
      Thumb Down

      "The time spent creating a mobile virus could be used to create a windows virus that has a much higher payoff rate."

      I'm not convinced. That argument might work for Linux and Mac, but I don't think it sticks here. The number of smart-phones is accelerating fast, and phones are on 24x7. PCs are often switched off. If you infect a phone and make it broadcast spam at 4am the chances are that it will be awake to do so and its owner will be asleep.

    2. Anonymous Coward
      Anonymous Coward

      Wooly thinking ...

      There are more mobiles than humans on planet Earth. How is making a mobile virus not economical?

      Your fish analogy doesn't hold water I'm afraid.

      1. Chad H.

        I'm afraid it does hold water

        There are many phones. However most are not smartphones and they run a multitude of incompatible OSes.

        302 Million Smartphones sold across all OSes vs 13882 million phones and 350 million PCs.

        1. Anonymous Coward
          Anonymous Coward

          You do realise

          That you can write a virus for a dumbphone just as easily (easier) as for a smartphone? There's only a few dumbphone OS's, you know.

          The infection vector is different but not insurmountable.

          1. Chad H.

            If you have to say not insurmountable

            Then you're saying it's going to take an awful lot of work.

            Why do that much work when you can get an easier payoff elsewhere for the same level of work?

  8. Graham Lee
    Linux

    Size matters not, the only difference is in your mind

    "Talk of exponential malware growth is justified but needs to be put into context, that the huge rise is coming from a base of almost nothing and that the raw figures remain trivial compared to the Windows virus plague."

    That's true, but not really relevant: you only need to be infected by one strain for it to ruin your day.

    Tux - but only after he gets his shots.

  9. PFesser

    "No major cell phone has a 'virus' problem in the traditional sense that Windows and some Mac machines have seen,"

    Mac? Is that a joke? I've used Macs since the late 'seventies - never had a virus, never used an antiviral program. And believe me, I go where mortals fear to tread on the Web. Security is built into the Mac OS from the ground up; it's a grownup's OS, not one made by kids in a high school lab in Seattle.

    Reminds me of the anecdote about the farmer who, plagued with rats, decided to buy a cat. The rats, alarmed, had a meeting. They decided to tell the farmer that if he wouldn't buy a cat they wouldn't buy a cat. Good idea; you don't get an antiviral for your Android and I won't get one for my iPhone, iPad and eight Macs. We'll see who comes out on top.

    1. Not That Andrew
      WTF?

      What?

      That was even more incomprehensible than AmanfromMars on a bad day!

    2. Anonymous Coward
      Anonymous Coward

      "I've used Macs since the late 'seventies"

      You were ahead of the pack !

      The first Macintosh was introduced by Apple's then-chairman Steve Jobs on January 24, 1984

    3. DryBones
      Coffee/keyboard

      Huh?

      You mean the one built on BSD and pretty much a glorified GUI? That "written with security in mind"? Shoulders of giants, etc. The one that was from when malware was just to cause mischief, before it became a business model? That's called "not being targeted". No more, no less.

    4. BritishEnglish

      Not quite from the ground up - just the sweet, sticky layer on top

      "Security is built into the Mac OS from the ground up".

      Correction: the only thing 'built into Mac OS *from the ground up*', is the flavour of Unix that *is* the Mac operating system, and that, sure as me2Phones are me2Phones, wasn't built by Apple. It was 'borrowed', in the best Apple traditions, as heJobs, himself, boasted in the late 90s (about Apple's use of other people's ideas, that is).

      The part that Apple added was the shiny, pointy, clicky, swipey stuff, stuck on the top of the OS, which some swoon over and others think is just a little shell-suit-style tacky. This, the GUI, is not at the heart of any security claims. The OS (Unix) is, and credit for that goes right back to the original design at Bell Labs in the 1960s. For that, Linux users tip their hats in gratitude and give due credit, whilst Mac fanbois, albeit usually in ignorance, mostly tend to believe that iJobs actually knew something about software, perhaps even wrote some. Such is the faith of true believers.

    5. Anonymous Coward
      Anonymous Coward

      Just goes to show there are some stupid, but lucky folks out there.

      Good luck.

    6. Angus Ireland
      Holmes

      "never had a virus"

      Neither have I. And I use Windoze.

      Had to assist plenty of lusers who have had viruses though. In my experience, it's usually an issue involving PEBKAC...

    7. BritishEnglish

      Mac OS 'from the ground up' is, actually, Unix, with a layer of sweet, sticky Apple stuff on top

      "Security is built into the Mac OS from the ground up".

      Correction: the only thing 'built into Mac OS *from the ground up*', is the flavour of Unix that *is* the Mac operating system, and that, sure as me2Phones are me2Phones, wasn't built by Apple. It was 'borrowed', in the best Apple traditions, as heJobs, himself, boasted in the late 90s (about Apple's use of other people's ideas, that is).

      The part that Apple added was the shiny, pointy, clicky, swipey stuff, stuck on the top of the OS, which some swoon over and others think is just a little shell-suit-style tacky. This, the GUI, is not at the heart of any security claims. The OS (Unix) is, and credit for that goes right back to the original design at Bell Labs in the 1960s. For that, Linux users tip their hats in gratitude and give due credit, whilst Mac fanbois, albeit usually in ignorance, mostly tend to believe that iJobs actually knew something about software, perhaps even wrote some. Such is the faith of true believers.

  10. This post has been deleted by its author

  11. Anonymous Coward
    Anonymous Coward

    Oh boy...

    Not the smartest statement made by Mr. Super-genius... he just laid the gauntlet down for every virus hacker to take up.

    I hope he has a nice golden parachute from Google....

  12. Anonymous Coward
    Paris Hilton

    iOS, iOS, the threat is so much less ..

    This guy probably isn't an idiot so I wonder how much he had to choke back when reading his lines. Android as safe as iOS and Windows as safe as Mac? Please ..

    Paris, because I once caught a virus there ...

  13. Anonymous Coward
    Anonymous Coward

    DiBona is obviously an idiot. Hopefully Google will realize this soon and do the right thing.

    Shiat can the fool.

  14. Anonymous Coward
    Anonymous Coward

    Another "virusnguru" steps on his dick!

    "We're dealing with an urban myth. It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever seen them." - Peter Norton, 1988.

    1. Framitz

      Alligators actually have been found in NYC sewers.

      So what else ya got?

      BTW isn't Peter Norton dead as a result of a plane crash or something?

      1. Anonymous Coward
        Anonymous Coward

        BTW isn't Peter Norton dead as a result of a plane crash or something?

        No - that was Buddy Holly. (Lotta people make that mistake - the names sound similar.)

        Actually he's dead as a result of being torn to shreds by piranhas in the NYC sewers while searching for alligator viruses.

        Poor old Peter gave up his life in vain. It was a futile search based on a false positive. The piranhas had killed all the alligators (and all the android viruses) years earlier.

  15. Anonymous Coward
    Pirate

    Android malware are trojans, not viruses

    Viruses spread from one device to another, doing so on a phone would be quite difficult (not impossible, if you theoretically could find exploits for SMS or MMS it could spread from phone to phone by silently messaging your friends the equivalent of a "check out this picture" spam email). Trojans can be/are an issue on Android since there is nothing stopping a developer from inserting one in his software.

    All you need is a free app that becomes popular and well used and an evil author who decides the best way to monetize it isn't to have a paid upgrade that's ad-free, but instead have his next new version send texts to premium SMS numbers or whatever other scam he comes up with. This can't happen on iOS due to Apple's control (many Android users would say control freakery) of its app store, but the Android app store offers no such protection. If such an "upgrade" was silently introduced, then activated later after a million downloads, the guy could retire richer than any developer save the guy who did Angry Birds. Obviously he'd be found out and everyone would delete the app, but if he's already made millions and got away, he doesn't care that his reputation is ruined.

    I think it is only a matter of time before something like this occurs. I suspect that antivirus software probably wouldn't help much though; until the trojan is activated they wouldn't know to stop it, and then would take a day or two (at least) to come up with a fix and get it uploaded to subscribers' phones. Too late by then, you may not even realize you were hit until you see next month's wireless bill.

  16. Anonymous Coward
    Anonymous Coward

    linux

    Kernel.org was rooted in a malware attack earlier this year.

    I'm assuming those developers and the servers are not running Windows....

    Anyone who believes their choice of O/S makes them immune to malware is misguided.

    Any O/S is potentially vulnerable - if Linux was immune, then you wouldn't ever see security updates issued.

    Windows is an obvious target by virtue of the huge numbers of people using it, and the proportion of those who are not tech savvy people and are thus more easily fooled into accepting infected documents, less likely to patch their machines, and so on.

    The developers of the Linux kernel are highly tech savvy users, running linux, and yet they fell foul of malware.

    The biggest threat is over-confidence and if this is the attitude of android developers then I am jolly glad I don't run it because they are asking for trouble if they believe that they have structurally designed out the possibility of malware.

    1. eulampios

      @cap'n

      Who told you that the kernel.org break-in was a result of a malware infection? The original story mentioned compromised ssh-key and/or password account. A few (two, actually) servers were cracked, not all of them.

      My question is, have you ever heard of a single *nix break-in by means of opening an email body/attachment, clicking on a web link, visiting a website, inserting an "infected" (floppy/cd/dvd) usb disk, automatic RPC-like spreading, installing an infected software from a central repo or *BSD ports?

      I always adore those relativistic comparisons, when the Lorentz transformation is applied to a log (millions of documented automated infections) in the MS Windows' eye to obtain a speck similar to that in the FOSS' eye with a few incidents of single break-ins. Consequently, the Windows' log must be moving with the velocity close to speed of light. QED Special theory of relativity is at work once again, special it is indeed!
