Concerns about security are as important as the applications we run these days. Back in the 1990s, I never thought about a firewall. The word was never mentioned - even during the Win95 days.
That's because firewalls were only used by corporate networks on the internet/WAN facing side. Even today, as much as people like to think otherwise, the "good" hackers are going after corporations- trying to leak source code for the latest game, or their flagship product, etc. It is the script kiddies who can hardly use the ping command that threaten the average user and try to build up botnets.
the web has become worse for opportunists with unscrupulous geeks writing malware for them.
a Snake-Oil salesman is a Snakeoil salesman, regardless of the medium. And trying to write malware has become harder and harder over the years- not easier, as the vulnerabilities they use are patched and new security is implemented directly into the operating System (windows UAC, for example). As far as I'm concerned, the actual dangers are no different then they used to be, and in fact, browsers and systems are hundreds of times more secure- but people are paranoid- and not because they understand the risks, but because they don't. a cave man with the common cold might have feared that it would kill them, simply because they don't understand. Now everybody knows that it's only fatal in very specific circumstances where another more terminal condition is concerned. Much in the same fashion, misunderstanding leads to paranoia, despite Quantos' humourous signature "Paranoia, it's what results when you have all the facts" it's rather the opposite. When you don't have all the facts, people tend to fill in the blanks with paranoid assumptions- generally, worst case scenarios. for example, what happens without an AV program would of course lead to the paranoid assumption that a virus infection is the only possible result. Of course, it is a result, but it's not the only possible outcome, and additionally, having an anti-virus program doesn't prevent the most dangerous viruses anyway, since the most dangerous viruses are the newest ones whose signatures don't exist in the database.
To illustrate- Linux is itself a rather secure environment, but it doesn't matter how secure a operating system is if you sidestep the protection. With windows, people are disabling UAC in droves because its "annoying"- most Linux users are more informed- they NEVER run as root (administrator) and instead elevate for, and only for, those system administration tasks that require it. you won't find them running a browser as root, and yet I often find that those systems that have been severely compromised by viruses and malware have UAC disabled.
of course, running something like a browser as root doesn't in and of itself make the system vulnerable. But it makes your system as vulnerable as the browser- if the browser has a buffer overflow or some other issue that can be used by a script, or a vulnerability of some other type that can be taken advantage of, once the script is in control of the browser, if the browser is running as root the script is in control of the system. If the browser is not running as root, the script would still need to try to elevate to root, something a lot easier said then done. It is the benefit of a Limited user account, not to limit the user, but to limit the programs the user runs- not only in case one of those programs is purposely made malicious but also if one of those programs is an unintended vehicle of something malicious through a vulnerability.
Since Google decided to try and take over the internet and make ad-clicks a way for people to make extra money while sitting on their asses, the web has become worse for opportunists with unscrupulous geeks writing malware for them.
You are lying to yourself. web-based attacks and malware were far more prevalent <before> google took hold. Considering Internet Explorer 3 allowed any page to run arbitrary binary code at will (ActiveX) it didn't take a lot of effort, either.
I really hate google, facebook and all the rest of them for what they have done to cyberspace over the years.
Google, facebook, etc. None of them have done anything bad to the internet. The internet was riddled with popups and flash ads before Google became prevalent in search around 2000, and before 1998 when they were founded it wasn't much different, aside from the lack of a search engine that didn't have a page full of ads on their first page. AltaVista, Yahoo search, etc- all the various search engines <FILLED> their main pages with ads and sponsored ads. Google didn't, and in fact, they still don't- their main page is basically a logo, search box, and a few buttons. Sure they now have paid ads in various locations in the search results, but those locations are well defined and illustrated, as well, unlike the front page ads and the paid search results provided by altavista and the other search engines before google (they have of course abolished that practice, from what I can tell).
The reason that firewalls and Anti-virus software weren't heard of and therefore didn't sell very well before is because people weren't absolutely paranoid. Now everybody seems to think they need an Anti-virus, firewall, malware scanner, and about 12 other programs. And it is this very fear of needing these things that let's the ads that advertise things like registry cleaners and scanners make so much money for the people that run them. And in the long run the paranoia that drives people to install all these programs causes their computers to slow down and crash, as they install rogue-filled, adware supported "firewalls" and "anti-virus programs" that are actually just containers for a host of infectious software. The internet is only as dangerous as people want it to be, and nowadays it's an important "fact" that the "internet is a dangerous place" when in fact it's no different then it's ever been- as long as you don't try to do something stupid like download pirated software or music or "keygens" or anything along those lines- you will be perfectly safe. If that wasn't true, <I> would be infected all the time by the "evil internet" as the "thousands upon thousands" of "expert hackers" that are trying to get into my PC will "jump for joy" that I have no software firewall installed. Since I have now been connected for over 2 years, and I've only been infected once (by a download acquired by "doing something stupid" listed above, packaged with the friendly neighborhood virut) All I can say is there is absolutely no basis for ever havign a software firewall installed on any machine. The main thing a firewall would prevent is a trojan program trying to "phone home" to it's controller. It's better to simply not download the trojan to begin with.
Additionally, despite equally prevalent claims that downloads can be changed "en route" to your PC, that simply doesn't happen. a download is acquired straight by connecting to the HTTP server and requesting the file.
I think the time will come very soon when Gopher will be rediscovered by many people - for informative gophersites without the risk of malicious scripting.
Aside from the
exact same issues that have been prevalent with http and ftp. It's no safer then HTTP or FTP, unless you factor in the fact that each browser's writers have been working to eliminate those issues found in HTTP and FTP. Large scale and public attacks via the Gopher protocol are no less common but they are essentially back-burner issues. FTP can't run scripting anyway- the scripting part of any browser is solely at the discretion of the browser itself- the browser runs the script. Generally in a sandboxed environment. Of course because as I noted, everybody is paranoid, they assume that even though all the precautions have been taken, a script can somehow "escape" this sandbox and do what it pleases, and, in some cases, it can. but doing what it pleases is a lot harder then it sounds, since browser-included client side scripting languages (like VBScript and ECMAScript) don't have built in support for file operations, and the use of something like the FSO (file system objects) by a script running in the browser would require further circumvention of security, including the fact that the FSO is not marked as "safe for scripting" so cannot be instantiated by IE. of course since the script in a firefox or opera browser cannot create ActiveX Objects and doesn't have local file system access even if it breaks out of its "sandbox" I can't help but wonder what people are paranoid about. I don't know why people will cower in a corner when they find a few temporary files written by their browser at the request if a script, and yet continue to blithely attempt to download pirated software, music, and keygens with little import for their contents. For many people, Security is important until stands between them and what they want. in the latter case it doesn't matter how many UAC prompts appear when you try to double-click "fun game keygen.exe" they are going to run it, and the trojan that it certainly contains will be let loose on the system. And once a piece of malicious software is loose on your system, it doesn't matter how many superfluous "security" applications you have installed, you've already lost the prevention war. Some may say that a software firewall will prevent a trojan downloader from downloading more infections. Perhaps, but only until they are able to circumvent the software firewall. Remember the trojan program is running on the same machine as the firewall- it can do anything the firewall can, including changing registry keys associated with the firewall (say, allowing certain URLs through or something) or even disabling the firewall completely. Hardware firewalls aren't perfect but at least their settings cannot be changed by malicious software running within the network.
Anyway- asking ourselves wether we are better off now then we were several years ago, only the paranoid or deluded can say "no, we are not". The reason that, for example, you never had a firewall in 95 was because your system didn't need one- the attack vector that firewalls try ot prevent simply wasn't used. Windows 95, for example, had a vulnerability that you could send a specific packet to any system and instantly blue screen it, no questions asked. Anybody could have run a program to send this packet to a set of IP addresses and Blue screened every single one of them running windows 95. Doesn't sound like a security conscious operating system to me.