Removing admin rights from internet use is correct in theory, fact and in use. However, most of the so called security industry have avoided making this stick, because they can sell vaslty larger sums when things are_insecure.

The security industry in MS terms should lobby MS to provide a framework that limits some APIs or other structures so they cannot run at elevated rights. Either that or provide a framework where AV software can lock certain processes into a none elevated process.

End users can partially do this today by making a none admin account, and then right clicking on the programs and use 'run as' - and select the none elevated account (its dirty and has limits, but its something the vendors should provide in a more robust way)

But in the end, this chap is correct. People have been running windows as admin forever, and that has been against best practice for years

Like, the system is more secure if Joe User can't install or create executable code, is very strictly prevented from doing so.

However, we can anticipate that leaks will still exist, as they do now, of privilege escalation. And of course there needs to BE an admin who CAN install new software (if you want to), and install patches, etc - unless you trust the system to do that, and software products themselves, or to do it when Joe User says yes as the sole case where he can. In related news, UAC ain't a bad idea.

For instance: if Joe User runs, oh, Adobe Reader, and Adobe Reader installs a software update to itself, does that amount to a security hole?

trust the self professed "expert" who posts on news articles since it's obvious the other one is probably pushing his own agenda for big business. yup. :P

besides, what does it hurt to steal credit card info, if you didn't use it, it's just the credit card companies that lose out cuz if it goes to court andyou prove the info was stolen, it was obviously the credit card companies fault for not having proper security in place AND credit card companies are bigger thieves than the 3rd world county thieves anyways so way to be 3rd world for going after those thieving credit card companies. you are the robin hoods. :) .... ummm, i should mention i don't have any credit cards because they are evil.

if you were actually an expert, you'd see in the description of all those windows patches something to the effect of "users not logged in with elevated privileges are less affected by this vulnerability." so mikko is still right.

and who are people really going to trust, a world-renowned expert on computer security, or a self-professed "expert" who posts on news articles?

Vista/w7 has the move against everything having root, but lo and behold every month a load of fixes that describe 'a flaw was found that allows anybody to elevate rights', and that's just the core of windows, many plugins also have such flaws, so no mikko, if you had any expertise you would know that doesn't work on windows, so go and share your nonsense on youtube or something.

Just another one of the these Grossman post-CIX "Whaa whaa I was on the internet before you" elitist non-articles.

The guy didn't really say what Grossman has spun his words into saying and, quite obviously, malware does not have a simple, "proven on mobile platform" quick "remove admin from the proles" fix.

Sadly Grossman, like many who sneer at new things becaues they think they've seen it all is just out of touch.

"Hypponen agrees, however, that there would be a price to pay: where would tomorrow's clever programmers come from?"

Umm, that's not exactly a small price to pay. Then there's the gobs of legitimate software that comes from one or two person 'shops'--probably the majority of all software made, in fact. Are you *sure* you want to buy all of your software from the likes of Microsoft? You can be sure it'll get a whole lot more expensive.

Unplugging the internet might be just as practical, in the long run.

Great post.

Perhaps I can just add to this that the best way to guard against being ripped off by online sales or auctions of any kind, Craigslist and eBay included—and whether seller or buyer—is to use a *bona fide* online escrow company. Especially for pricier items like antiques, jewelry and autos. Although it does add some cost, it takes the uncertainty out of the transaction, and that’s a small price to pay for peace of mind.

For my money, the best bona fide online escrow (and there seems to be ten fraudulent escrow sites for every bona fide one) is probably Escrow.com (http://escrow.com). In fact, it’s the only one that eBay recommends, and is the only online escrow company that is licensed to provide escrow services all across the United States.

Take care,

Ulf Wolf

figure out how to make a new "user" that only uses the questionable program.

I think the real point of attack for an effective Linux rootkit(or whatever you call it) would be to compromise one or more package manager servers, then you'd have some true fireworks. Not sure how we'd defend against that.

Bookmarked in case I don't know something.

While I'd like to agree with luddite, I don't think he's being fair to Windows users. I've seen far more Mac users "drive-by download" because they've been told by Apple that their computer is virus-proof.

I think a big distinctions with the Linux users are that their OS was designed with security in mind and that (in general) Linux users are more computer savvy.

Seemed to have a good idea, but he never quite connects the M$ monoculture to the "drive-by download" problem. (Give me a Linux example, please?) I think it's true that nearly all the "click on anything" gullible types use Windows and Internet Explorer. The foul culture of M$ promotes both predators and prey.