I wonder what makes you think you know what goes on in a hacker's mind anyway? Well, if you're calling me one, you'd be right. I am a white hat hacker. In my work I have also directly communicated with blackhat hackers, I have seen their source code (and have reversed binaries of the ones we couldn't get in contact with), and I can tell you what they would like the average Joe to do. They would very much appreciate it if you continued to rely on these signature-based antivirus solutions such as specific vulnerability patches as distributed in software updates, because they are so easy to bypass.
In the old days it used to be a cat-and-mouse game: the moment that an AV or security update patched some exploit, they simply created a new crypter with a new updated runtime PE (look it up) and a new encoding scheme for scantime detections, and that would allow the exact same code to run even with the new signature-based detection/patch. If I had written my previous post in those days I would have called such detection schemes "largely ineffective". But today I described them as "essentially useless". Why is that? Because malware has evolved. Specifically, what has become the norm in the last decade or so is polymorphism (another word for you to google), in either the malware code directly or the "crypter stub" that hides the original executable. Polymorphism has one goal: to eradicate all signature-based detection of malware. The easiest way to explain it to a non-programmer is that it generates machine code on the fly, and at every instance of execution the code will look different but achieves the same effect as the original assembly. This has been effective, and this is the reason behind the article I linked and you did not read, which was that AV companies as large as Symantec (creator of Norton Antivirus, among others) have entirely given up on signature-based detection schemes. So the consensus in the industry is that it is an old and now ineffective way of preventing malicious code from running; however, this knowledge has not trickled down to the general public yet, which is what I am trying to get across and you are up in arms trying to defend. In a simple sense, your knowledge is plain outdated.
I am amazed that you did not understand that I was speaking from a legal point of view, especially since I mentioned the false advertising charge; that should have been an easy deduction... As I stated, companies will do what it takes to keep their bottom line intact, and if that demands pushing out security updates they will do so. They won't do it to please the end users unless it actually affects them monetarily, though. And they do not have such an obligation.
And what exactly did you think I was speaking about when I talked of "changes to user behavior" having to be the primary focus of security protection? You really ought to read more carefully before repeating my own ideas in a supposed rebuttal... So I agree with this statement.
The issue of responsibility... Much of this is a political issue, depending on which side of that aisle you are on. As a citizen of a free country I believe you ought to get what you ask for. Therefore if you browse porno sites and click on those "You won 1 million $$" ads then you were asking for trouble as you did not use your own common sense to determine what you click on. In those cases the blame lies solely on you and not Oracle for not providing a fix to a vulnerability. Your second example implies the user is visiting a trusted site (USAtoday, NYtimes, Google.com etc.) where it's reasonable to assume lack of malware and gets hacked because the trusted site is taken over by hackers. In this case the moral responsibility lies on that trusted site to not get infected by malware, that's how I see that situation. Legally they probably won't be held liable, it could be considered an "act of God". But in most cases users who do limit themselves to web addresses they trust have a very low likelihood of getting hacked in general, so it's a valid recommendation especially combined with the other two I promoted (blocking and professional monitoring).
Now I'll get to the offtopic things:
Best you got? Well, I explained a better solution to the problem of government organizations' security, which would be doing the same thing the private sector has done: filtering malicious places on the internet and, yes, taking certain sensitive computers offline. This is already what is done by the NSA (that's why it took Snowden, an inside man, to produce a leak) and it is a genuine solution in some situations. I can't think why you would think otherwise, but I'm glad the CIA, NSA and FBI agree...
And as for Snowden, well that's beyond the topic of cyber security. If you have a rat inside your organization it doesn't really matter what security measures you take against malware. You have a much bigger problem.
Lately I haven't used my smartphone at all. In fact I've been considering just selling the thing, I thought it could be useful for work but I guess I'm a PC or nothing kind of guy... anyway smartphone security and use by consumers has nothing to do with the security of governmental computers and has no relevance to that debate. Totally separate issue.
No one advertises such things... and if you were to go down that argument then if anything, I'd say our US government should be much better equipped to keep such issues out of the public eye than those countries? In any case it's kind of difficult to do that when WikiLeaks releases hacked (by their own admission) documents for the public to see. I think you and I would agree that it's a shame WikiLeaks and other organizations focus on the US but largely ignore the stuff Russia, China, Iran etc. do. Those countries are the ones doing the worst human rights violations in the world and yet we hear more about Hillary's emails than we do about Chinese prison camps... but that's a topic for another day too.
So you decided to just disagree for the sake of disagreeing? :rolleyes:
This is the most childish thing I've read today. You are seriously telling me you have an all-in-one fix, a magic pill that works for all security situations across the spectrum? I can't help you with that...
So I am going to conclude now. I think the following quote explains where our main disagreement lies.
I do agree you don't get to pick and choose anymore. You don't get to choose to be irresponsible on the internet and rely on antivirus and software updates to save your computer from being infected with malware. Thanks to the death of signature-based antivirus methods that is no longer an option, and until we find a better solution to tackle malware the best guidance that can be given is to eliminate running exploit code to begin with, by using the 3 tools I keep referring to, that is smart user behavior, network and software/plugin level blocking, and professional monitoring of the network. If you disagree and have ideas of your own then you are free to suggest those, but AVs and software updates are no longer an appropriate fix; don't take my word for it, just ask any major antivirus company.
And the purpose of my posts is not to convince Mr. Coolcolors the software updates evangelist about switching his habits. You clearly are not interested in hearing me or Symantec or Avira or anyone who is in the cybersec profession tell you about the reality so you don't have to change your habits. I understand it is psychologically difficult to accept change, but the fact is what I am saying is echoed by my colleagues and it will eventually trickle down to general public knowledge as well. Give it 5-10 years and I bet your opinion will be very different.
But until then, I ask you, if you still have the need to differ with me, to actually provide some proof and facts to back up your statements, as I did in my original post and here. I came up with explanations and links to articles. You came up with a post mainly comprised of offtopic hostility towards me and no real new information. If it were a debate over what color the sky is and you were saying it's green, and I came up with a color palette card showing you green and blue to prove it's in fact blue, you'd just be saying "it's green anyway". That's really not a valid argument. And I have no hostility toward you either, but I'm not going to waste more of my time if it's just a pissing contest for you. So I expect you to come up with verifiable proof and links to show how exactly you counter the fact that signature-based solutions to malware are in fact still adequate, despite large cybersec industry figures stating the exact opposite.
Otherwise I wish you a nice weekend and rest of the year.