John C. Dvorak’s latest column is a rant about Microsoft’s security software that includes this amazing paragraph. And by “amazing,” I mean “breathtakingly ill-informed and doesn’t PC Magazine have any technical editors anymore?”
I use a utility called Prevx [link: http://www.prevx.com], a host-intrusion protection system, as well as one or two other antispyware packages to keep the stuff at bay. And it still sneaks in once in a while. Most recently, I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called “active skin,” and I had to use SpySubtract to remove 26 Registry entries. Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.
Oh, lordy.
Repeat after me: Leaving an FTP client open does not allow an intruder to install software on your computer. Cannot happen. Science fiction. Even if you were to run an FTP server on your computer, the only thing someone could do would be to upload files to your PC. They couldn’t run the program or edit your registry. And anyway, that’s completely irrelevant in this case, because Dvorak was running an FTP client.
So what about this horrible spyware program that had to be removed? ActiveSkin is a UI development environment from ShapeSoft. It uses an ActiveX control. I can’t find out much about it (and the company that owns it has gone dark), but I know that Symantec calls it “a non-malicious component that may be used by other applications.” I have seen hints that it is used with ICQ, with Ad Hunter, with the SigmaTel audio control panel, and with a number of homebrewed VB6 programs (like this one). Several well-known spyware and Trojan programs use this component, including Insecure Executable Downloader, but it does not appear to be harmful in and of itself.
In fact, given that the spyware scanner John is using is from Trend Micro, it wouldn’t surprise me if it’s a false positive. The ActiveX control (remember, Symantec calls it non-malicious) was probably included with a program that Dvorak installed. It registered itself at installation time (thus adding entries to the registry). It wouldn’t be the first time that Trend Micro had been guilty of identifying a perfectly legitimate program as spyware.
From that false premise, Dvorak then reaches the sweeping conclusion that Microsoft is unwilling and unable to “fix” Windows so that it’s perfectly secure.
Sigh. There ain’t no such thing as a secure operating system. Sensible security precautions can be built in, development processes can be improved, reaction time for fixing security issues can be cut down. But “fixing” Windows does not mean creating a code base that has no more security issues ever.
This is yet another reason why I stopped reading PC Magazine. The trouble is, several hundred thousand people still do, and after reading this column they’ll come away with the mistaken belief that hostile software can attack their computer using a simple FTP client. Who knows what other ridiculous technical errors are in this same issue?
As Dvorak would say, sheesh.
Sheesh indeed. I’ve always found Dvorak to be a pretty clueless guy.
PC Magazine has needed the equivalent of Jon Stewart’s bit on Crossfire to cause a purge. And Dvorak would be the first to go. His rant columns have, for a long time, been the worst sort of clueless that can be printed.
Ed: Spot on, as always. Your readers should know, however, that there are security issues associated with FTP – notably that all information, including user name and password, is sent as cleartext. FTP is great for accessing public information but should never be relied on for secure file transfers. Secure Shell (SSH) or a VPN tunnel are more appropriate for confidential information.
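The cleartext-login concern raised in the comment above, as an added example that is not part of the original post or its comments: a Python audit of an FTP server command log that reports sessions where a named user's PASS was sent without a successful AUTH TLS. The log format, session ids and user names are constructed for illustration.

```python
# Assumed (hypothetical) log format, one client command per line:
#   <session-id> <VERB> [argument] <server-reply-code>
# The sample is constructed; PASS arguments are already masked by the logger.
SAMPLE_LOG = """\
s1 USER alice 331
s1 PASS **** 230
s2 AUTH TLS 234
s2 USER bob 331
s2 PASS **** 230
s3 USER anonymous 331
s3 PASS **** 230
s4 AUTH TLS 502
s4 USER carol 331
s4 PASS **** 530
"""

ANONYMOUS = {"anonymous", "ftp"}  # public logins carry no secret password


def cleartext_logins(log_text):
    """Return (session, user) pairs whose PASS crossed the wire unencrypted."""
    tls = set()    # sessions where the server accepted AUTH TLS/SSL (reply 234)
    user = {}      # last USER argument seen per session
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        session, verb, reply = parts[0], parts[1].upper(), parts[-1]
        arg = " ".join(parts[2:-1])
        if verb == "AUTH" and reply == "234":
            tls.add(session)
        elif verb == "USER":
            user[session] = arg
        elif verb == "PASS" and session not in tls:
            # The password was exposed whether or not the login succeeded.
            name = user.get(session, "")
            if name.lower() not in ANONYMOUS:
                findings.append((session, name))
    return findings


if __name__ == "__main__":
    for session, name in cleartext_logins(SAMPLE_LOG):
        print(f"{session}: password for {name!r} sent in cleartext")
```

Session s4 is reported even though the login failed: the server refused AUTH TLS, so the password that followed still travelled unencrypted.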
I don’t know. To me a program is not “perfectly legitimate” if it is installed without your knowledge. The fact that you can’t find out much about the program also would give me pause. In the end, the program seems to fit no useful purpose and deeming it spyware would seem to be the sensible approach to take.
Kevin, based on what I have seen, this is not a separate program installed the way adware is. It’s a component that adds functionality to another program; in this case it adds the skinning capability, just as another component might add an editor or a picture viewer.
I strongly suspect that this is a false positive. Remember, this was identified by an antispyware program as a group of entries in the registry. And the main point, anyway, is that this almost certainly showed up on Dvorak’s machine because of something he did. To claim that it magically appeared because he left his FTP client on all night is ridiculous.
Oh, and I didn’t mention this above, but … he says this happens all the time. Sheesh and double sheesh!
Ha, Ha, Ha! I really like Dvorak, he adds some real humor to the PC industry. He is the equivalent of a “Power User” but when it comes to things like this it looks really embarrassing. Spysubtract? Don’t get me wrong, Trend Micro makes a great AV, but their anti-spyware has a long way to go. Not to mention the three best anti-spyware apps are free: Ad-aware, Spybot and Microsoft AntiSpyware.
People need to stop complaining about Windows Security and just secure their system: http://mywebpages.comcast.net/SupportCD/SecureXP.html
It is not hard. FTP = Spyware infection? OMG ROFLMAO!
Even when I agree overall with John Dvorak’s conclusion, I disagree with his brain-dead thesis. He is an example of what happens when people think too hard without bothering to understand any background information.
However, the central concern of Windows security is that it’s too granular to make security a simple affair. Yes, it’s theoretically possible to secure a Windows system. The problem is that almost nobody knows how to do it well. It comes out of the box with most of the features enabled. Even most variants of Linux don’t do that. The 2003 Server package was a welcome breath of fresh air in that regard; though I still maintain that it has way too much optional stuff running by default.
It’s time for the Windows community to acknowledge what VMS does, what the BSD distros do, and what most other POSIX flavor systems do: Leave the network ports turned off and the services disabled unless explicitly enabled by the user.
Given Windows’ early PC heritage, this is an incredibly tall order. The best we can hope for is a gradual tightening of security features until the default Windows behavior is more in line with most other OSs. However, until that happens, Windows security will always be an oxymoron.
Quoted from AB3A: “Yes, it’s theoretically possible to secure a Windows system. The problem is that almost nobody knows how to do it well.”
Well… not true. To secure a Windows system, do not connect to the internet.
However, the main problem with all computer OSes (regardless) is Default Permit. OSes assume it will be okay to run programs.
ah dunno, this looks kind of iffy (admitting that I have not read hardly any of the detail)
http://www.cert.org/tech_tips/ftp_port_attacks.html
Lo and behold, I search for early OSes pre-dating MS DOS and Ed Bott’s blog comes up. How the hell are you? Remember those heady ZD days, Ed? It ain’t like it used to be, but a lot of us tech journalism hacks are still hanging in there, huh?
Best wishes…John Dodge
editor-in-chief, Electronic Business magazine