Slashdot Mirror


TCP/MS, We'll Cure What Ails You

Cringely can string some words together from time to time, and this week's installment is a pretty good one. He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTDs), but overall, he's probably right. When the time is ripe, I think we'll see a move exactly like this.

35 of 478 comments

  1. Old Days by aoeuid · · Score: 2, Insightful

    Whatever happened to the good old days when virii were a thing to be admired, were hand crafted in assembler to use the fewest instructions, and took talent? It seems nowadays everything requires the user to click an attachment in their Outlook program. There's nothing creative about that!

  2. New OSS flamewar....yeah! by jspaleta · · Score: 2, Insightful
    I'll bite....

    1)Um, are you under the misapprehension that Linux et al are secure OSs on the basis that there haven't been any viruses targeted at it to speak of?

    I believe Linux...and pretty much any Unix I've dealt with (Solaris, OSF, Ultrix...) are much more secure OS's, because it's much harder to write an exploit for a unix box than for a windows box. Writing a buffer overflow exploit to compromise a server process is orders of magnitude more work than sitting down and writing and emailing a Word document that takes advantage of the VBscripting to erase your hard drive.

    There are "talented" crackers out there that do target unix machines. You can do a lot of real damage if you can compromise a large corporate Unix system....but you have to expend real effort to discover a new exploit on a unix system. With windows on the other hand....the same "feature" is being exploited repeatedly to cause damage....how many differently named viruses have to circulate before MS removes this exploitable "feature."

    Point out a "feature" of linux, or unix that gets repeatedly used for malicious activity...but people refuse to fix. Bind and sendmail, mainstays of unixland have had a history of exploits but the software makers make it a point to fix the problems asap. Software will be buggy, and bugs can turn into exploits, and then they get fixed. But a FEATURE like VBscripting is not a bug. VBscripting is a very powerful and woefully insecure FEATURE, but MS refuses to strip out the VBscripting features or add a layer of security to their use. MS viruses...don't use bugs in the code...they use perfectly acceptable scripting commands...to do bad things, and MS refuses to do anything about this FEATURE!

    2) On the general subject of quality, Linux still hasn't got anything to compare with the Office suite.

    No, I think there are some candidates for comparison. Take StarOffice...is as slow as MSOffice, and for me StarOffice does crash on occasion just like MSOffice...the big difference I've seen is that StarOffice doesn't take down the entire OS with a BSOD when it decides to stop working.

    You need to upgrade your gnome. I'm living in Ximian gnome on my PC and I haven't had the GNOME Desktop crash yet. But I'll be damned to figure out why my windows PC won't get past the logon box without causing a GPF.

    3) I used to buy into this idea that OSS necessarily produced better quality software, but it just isn't true. Large products are flawed for many reasons: release deadlines, unforeseen design errors, resource constraints, but mostly because people in general just aren't smart enough

    I still believe OSS development makes far better products, but my reasons have nothing to do with being able to make product deadlines or whatever. I do not believe that OSS makes products more quickly. I don't care about release deadlines...the OSS products will get done when they get done....as long as products are making steady progress, that's what matters. How long did it take MS to make a stable OS worth actually paying for? From MS-DOS up to win200...how many manyears or should I say mancenturies of development time went into that development cycle. If you want to believe in the pay for every yearly broken release, and call it a full product fine...I'm sick of it. Just don't bring your timeline baggage to the OSS community. Products get done when they get done. I believe that OSS development makes better products, for the simple fact that the source code is available. I believe OSS makes better products because in the long run those OSS products are far more adaptable and allow for more innovation. -jef

  3. Oh god, not another. by WasterDave · · Score: 5, Insightful

    Look, raw sockets in Windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privileged user. In as much as MS have a concept of privileged users.

    Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver. For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack?

    How would you defend against that?

    This whole raw socket thing has been blown out of all proportion. Can we please stop fretting and find a way of PREVENTING these big attacks from being spread. Or possible. Or something.

    Dave >:(

    --
    I write a blog now, you should be afraid.
    1. Re:Oh god, not another. by the+way · · Score: 3, Insightful

      Look, raw sockets in Windows are not the end of the world: they're available already, open source (http://netgroup-serv.polito.it/winpcap/), and you can run them as a non-privileged user. In as much as MS have a concept of privileged users.

      Even if they weren't, there are SO MANY possible security exploits you can run using a small army of 0wn3d windows boxes. Including (but not limited to) just packeting the crap out of Steve "Bloody" Gibson's webserver.


      The point is not that raw sockets provides new exploit opportunities. The point is that raw sockets are required to spoof IP headers. With raw sockets Gibson would not have been able to put in place the filters that he did because the attackers would constantly vary the source IP addresses using packet spoofing.

      Yes, winpcap exists. But Gibson's point is that without raw sockets in the core OS, it is hard to spoof packets. An attacker currently has to install a whole new network driver if they want to install a packet-spoofing exploit on a Win 9x/ME machine. Compared to the ease of writing simple trojans in VBS, this is very complex, and not something that we're seeing happening much (if at all) at the moment.

      Anyway, the existence of winpcap hardly reduces the power of Cringely's conspiracy theory that MS is intentionally making TCP into a broken protocol. You see, winpcap was developed with the assistance of the kind folks at MS Research...

      For instance, has anyone considered using something to script the IE network libraries (COM objects, I would imagine) in the background and launch a 'many millions of perfectly valid requests, complete with cookies and everything' attack.

      Sorry? I fail to see how using the InternetExplorer COM object introduces the opportunity for new exploits... It's hardly rocket-science to generate a well-formed HTTP request ('including cookies'--"wow I managed to include the text 'Set cookie:' in my HTTP header without even using MS's COM interface!")

  4. Raw Sockets and MSTDs by Anonymous Coward · · Score: 1, Insightful
    He's been reading a little too much Gibson (raw sockets have nothing to do with the spread of MSTDs)

    He didn't say that raw sockets have anything to do with the spread of MSTDs. They're two distinct but related issues. His point is that MS OS's are generally easier for script kiddies to get into, and that raw sockets will make compromised MS systems much more dangerous.

  5. Re:Raw Sockets == IP packet spoofing by Tack · · Score: 2, Insightful
    That's right, replies to the spoofed packet will not reach you (unless you are spoofing a different IP on the same segment that you're on).

    It used to be the case where you could manage to create 'blind' TCP sessions by predicting the ACK number produced by the remote host. This was pretty commonly used on IRC where someone would have a legit, non-spoofed connection and sit in a channel and have a blind, spoofed TCP session alongside it. He could then see the channel activity, and even interact with others through the spoofed connection, usually long enough at least to gain ops and take the channel.

    These days (almost?) every new TCP/IP stack will generate acceptably random ACK numbers to prevent these ACK prediction spoofs. But for the purposes of a DoS, it doesn't matter if you never get the return packet. In fact, in the case of ICMP, it works to your advantage. If I flood 1400 byte ICMP echo requests using spoofed IPs (random or otherwise), not only will I hit your downstream bandwidth but because of the replies you (by default) generate I'll also be hurting your upstream bandwidth and your replies won't flood me back.

    As most others have pointed out, the only real solution is egress filtering. Unfortunately if a box is compromised that is sufficiently close to a backbone, this solution (FWICS) won't work.

    Jason.

  6. Re:How DID they do that? by Polo · · Score: 5, Insightful

    You know, I thought the same thing as she did in the past. I'd worked for large companies and I knew how incompatibilities cropped up and it was just from engineers being distanced from their customers.

    Well, I was chatting with an ex-Microsoft employee who had moved over to the white-side and he put things in perspective. Microsoft has strategic meetings where they sit around a table and say "how can we own this?"

    That put a different light on all those subtle incompatibilities I had always had to deal with.

    Backslash instead of slash in paths... / for options instead of - (remember switchchar? ..someone took it out) CR/LF instead of NL. ^Z as EOF. blah, blah. I wonder how many of these are deliberate?

  7. The critical missed point by Lumpish+Scholar · · Score: 4, Insightful

    "Cringely" and Dvorak keep saying, "No, seriously, shut down the Internet and replace it with something secure."

    They're missing the first law of complex systems. I can't remember the exact quote, but it goes something like:

    All complex systems that work began as simple systems that worked.

    You can't replace today's Internet, the result of decades of evolution, with something purpose-built from scratch to do as much. The attempt will suffer from the second-system effect, and just plain won't work.

    It's easy for a columnist to ask for something drastic. Too easy. But it sells papers (or click-thrus, or whatever we're selling today).

    --
    Stupid job ads, weird spam, occasional insight at
  8. Half-truths and misdirections by SpookComix · · Score: 3, Insightful
    But as consumers, guess what -- we won't even get a choice. Microsoft will require the PC makers to install XP in the factory. It will come on your PC, and you won't have the choice or option to pick something different. When Microsoft issues a new OS, it is forced into the market.

    I don't know about you guys (and gals), but last time I was at this tiny web site for a tiny computer manufacturer, I had the choice of Win98 SE, WinME, Win2K or Win2K with an upgrade to WinXP. That doesn't sound like manufacturers are limiting my choice of viable Microsoft operating systems to me.

    People wouldn't be forced to participate, but if they remain anonymous, I might choose to block them. I certainly wouldn't accept file attachments from them. I know you hate this idea, but I think the Internet needs a fingerprint.

    Hmm... And who would control this "fingerprint"? Our beloved government, who is trustworthy? A large computer corporation like, say, Microsoft? And how would something like this work internationally? Who is forcing you to accept attachments now? I run Win98, WinME, Win2K and WinXP all on different machines. Over the last week, I've been sent about 10 emails with both SirCam and Badtrans, and none of my machines are infected. Why? First off, I didn't open the attachments right away. Second, I tested the attachments by saving them and then scanning them first. This is not a difficult concept! If someone puts a big package in your mailbox at home, and it's ticking, do you just open it up if the return address says it's from someone you trust?

    You can choose not to have a fingerprint, but then your ability to communicate with others may be limited -- a price many people may choose to pay.

    This is endorsed by the same crowd that bitches about MS Passports?

    If kids want to install an Internet game, the game's IP port would be registered and permitted to operate, hopefully by the parent.

    Why can I not see this happening in the general population? The average users I know bitch about having to confirm Internet activity when Zone Alarm or other personal firewalls pop up and ask.

    Programmers who ought to be familiar with Microsoft's plans have suggested that the real motive for raw socket support is for Microsoft to use Windows XP to exploit a bad situation, to deliberately make things worse.

    Jesus, what a conspiracy theory. This guy gets paid for this?

    Move along, Cringely. Common sense tells us that you're just spreading FUD. Meanwhile, I'll get modded down for criticizing you, I'm sure.

    --SC

    --
    You read fiction? I write it! Lemme know what you th
  9. Are you so sure? by acb · · Score: 3, Insightful

    AOL/TW own vast content holdings, which are at risk from file sharing. Now it's MP3s, but as broadband spreads, DivX files of movies will become a massive problem. It would be in AOLTW's interest if the anarchic design of the Internet was replaced by one which enforces accountability and traceability. And if the content industry push it hard enough, we may see laws mandating traceability in TCP/IP, preceded by a campaign in the AOLTW/Murdoch/Vivendi/Bertelsmann media about how child pornographers are using the Net with impunity and nobody can stop them.

  10. MS already changed tcp already... by Polo · · Score: 5, Insightful

    Hasn't Microsoft already brok^H^H^H^H embraced-and-extended TCP/IP lots of times before?

    There was a time when Sun servers responded "slowly" to Windows HTTP requests because Microsoft changed the behavior of TCP slowstart, etc...

    I'm sure there are other examples.

  11. Re:Hi, I've lived under a rock for a while by Anonymous Coward · · Score: 1, Insightful

    More to the point, in an article bashing Microsoft, he's described Passport pretty much exactly.

  12. Is this guy nuts? by Carbonate · · Score: 5, Insightful

    I used to respect this person but now I have to wonder what kind of technical background he has and if that background is backed up by any sound reasoning ability. I remember watching Conspiracy Theory in the theaters (you know, with Mel Gibson). That had some pretty crazy ideas but this is just nuts. At one point in this article he suggests that everyone lose his or her anonymity. Then at another point in the article he criticizes Microsoft for their supposed protocol, which will remove anonymity. This article seems more like a rant by a frustrated Windows user than an actual intelligent discussion on the security problems of Windows.

    1. Re:Is this guy nuts? by wiredog · · Score: 3, Insightful
      I have to wonder what kind of technical background he has

      Well, he was a hacker before he went into journalism. Worked for Apple in the garage days. Read about his DSL/802.11 link. He has some technical expertise and he knows who to talk to at MS, Apple, and other places. I think the MS plan he talks about (TCP/MS) is interesting (not necessarily good, just interesting). He does have good sources.

  13. Wrong Premise by PureFiction · · Score: 5, Insightful

    The two main points of this article are based on flawed assumptions.

    1. Raw sockets in windoze is not the end of the world. *nix systems have them, even vxworks. A number of ISPs filter forged packets. If this type of spoofing is such a harm, it is trivial for ISPs to implement this. Crippling stack interfaces in OSes is ridiculous.

    2. Passport will not authenticate every connection made on the net. Sorry, this is a pipe dream M$ sold you on somehow. And second, priority net traffic based on M$ passport is even more impossible.
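
The egress filtering that Tack's comment and the comment above refer to is a source-address check at the network edge. The following is an added example, not part of the thread: the prefixes, addresses and packets are constructed, and the function names are illustrative. It runs the same check at a customer edge and at a broader aggregate to show why the filter is only as tight as the prefix list it is given.

```python
import ipaddress
import struct

# Constructed address plan (assumption, not from the thread).
EDGE_PREFIXES = [ipaddress.ip_network("10.20.30.0/24")]      # one customer LAN
AGGREGATE_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]  # everything behind a core router


def sample_header(src, dst, proto=1):
    """Pack a 20-byte IPv4 header as test input (bytes only, nothing is sent)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,  # version 4, header length 5 words
        0,             # DSCP/ECN
        20,            # total length: header only
        0, 0,          # identification, flags/fragment offset
        64, proto,     # TTL, protocol (1 = ICMP)
        0,             # checksum left zero; the filter does not use it
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def source_of(packet):
    """Return the IPv4 source address, or None if the header is unusable."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return ipaddress.IPv4Address(packet[12:16])


def egress_verdict(packet, allowed_prefixes):
    """Forward only packets whose source belongs to a prefix routed behind this interface."""
    src = source_of(packet)
    if src is None:
        return ("drop", "malformed header")
    if any(src in net for net in allowed_prefixes):
        return ("forward", str(src))
    return ("drop", f"source {src} not in assigned prefixes")


def run_filter(packets, allowed_prefixes):
    """Apply the filter to a batch; return (forwarded sources, drop reasons)."""
    forwarded, dropped = [], []
    for packet in packets:
        action, detail = egress_verdict(packet, allowed_prefixes)
        (forwarded if action == "forward" else dropped).append(detail)
    return forwarded, dropped


# Constructed outbound traffic as seen leaving the customer LAN.
SAMPLE_PACKETS = [
    sample_header("10.20.30.7", "198.51.100.10"),    # genuine host on the LAN
    sample_header("10.20.99.1", "198.51.100.10"),    # forged, but inside the /16 aggregate
    sample_header("203.0.113.50", "198.51.100.10"),  # forged, outside both prefix lists
    b"\x45\x00",                                     # truncated header
]

if __name__ == "__main__":
    for name, prefixes in (("customer edge", EDGE_PREFIXES),
                           ("core aggregate", AGGREGATE_PREFIXES)):
        forwarded, dropped = run_filter(SAMPLE_PACKETS, prefixes)
        print(f"{name}: forwarded={forwarded}")
        for reason in dropped:
            print(f"  dropped: {reason}")
```

At the customer edge only the genuine host is forwarded; with the /16 list the forged 10.20.99.1 source also passes, which is the limitation Tack notes for filtering close to a backbone.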

  14. Somehow I doubt it by strags · · Score: 3, Insightful

    Although most end-users are running a MS-based operating system, there is simply too much non-MS underlying internet infrastructure for such a radical change in protocol. TCP/IP is going to be around for a very long time.

    Furthermore, how is it exactly that TCP/MS would prevent things like Code Red from happening? An application is vulnerable to stack overflow exploits because of the application code itself, not because of the protocol through which it receives data. Registering the ports that an application listens on won't help if the app contains a vulnerability.

    Cringely goes on to suggest that all connections be traceable - well, that's fine, except that it doesn't solve the problem of people launching viruses from public terminals, or obtaining free trial dialup accounts using fictitious information. Digitally signing specific applications with an Active-X control style GUID, and only granting access to validly signed applications might help, but I can't see developers embracing that idea. Even if they did, it only takes one compromised certificate to release any number of malicious programs.

    And did Gibson actually write Zone Alarm? Cringely seems to think so, but it's marketed by Zone Labs, not GRC.COM. Anyone know for sure?

    Strags

  15. Capitalism? by child_of_mercy · · Score: 2, Insightful
    It's not a fact of Capitalism, it's a fact of Consumerism.

    But it would appear to be a fact

    --
    'There is a Light that never goes out.'
  16. Re:Raw Sockets == IP packet spoofing by Mister+Attack · · Score: 2, Insightful
    Only a fool would go about his daily business as root...

    There is a very good reason to do the bulk of your computing as a nonprivileged user, and this is it. Unfortunately, being a nonprivileged user is not an option in WinXP...

  17. Re:How DID they do that? by gig · · Score: 5, Insightful

    Ok you had me until this part mate, and that's going way too far. Sorry to tell you, but the hassle of deleting and not opening annakournikova_jpg.vbs doesn't quite compare to some woman getting beaten by her husband. Not to mention the fact that it's nobody's fault that you get a virus except the prick who wrote the virus. Not microsoft's, and not even your less pooter-savvy mate who thought he was gonna see anna's tits. If enough people used a standard linux desktop for it to be worthwhile, more people would write virii for linux. As linux's popularity grows, so will virii begin to appear, or I'll eat my hat.

    He didn't compare the severity of Microsoft viruses to the severity of wife-beating; he compared the emotional dependence of the victims of both upon the perpetrator of both. In other words, he is trying to answer the question "what keeps them coming back for more?"

    Windows XP Home Edition runs everything as root. How can you apologize for that? They have said that user accounts and permissions are too complex for the consumer, yet both Mac OS 9 and Mac OS X have user accounts and permissions. Mac OS 9's are of the training-wheels variety, but Mac OS X is full-bore, hardcore Unix. iMac users are getting by, so surely Windows users can adjust? The reality is that bad network security is good for Microsoft, because they never get blamed, only "Internet hackers" get blamed, and they want us all to use MSN anyway, not the Internet.

    As for your argument that popularity is the only reason Microsoft operating systems are virus-riddled, that is bunk. There are 25 million or more Macs out there, and there are lots of people who would love to stick it to Apple because they think Apple is on some kind of high horse. Why are there only a handful of Mac viruses? The system is completely scriptable, so there are tools there. But the worst Mac viruses all run in Microsoft software on the Mac. If you don't have Microsoft software, then you are susceptible to less than half of the viruses that run on the Mac.

    Blaming virus writers is easy, but think of it this way: the guy who wrote "Melissa" simply sat down at his computer, wrote a document in Microsoft Word, and emailed it as an attachment to another user. He didn't cut through a chain-link fence, he didn't pick a lock, he didn't hack somebody's password; he just wrote a Microsoft Word document. One of the features of Microsoft Word documents is that they can include tables; another is that they can include scripts that send emails. Who is to say that using one feature is not a crime and using the other one is? Ignorant politicians and cops who believe Microsoft and their apologists. There were no Windows programs until Microsoft created the Windows API that provides the environment for them, and there were no Outlook viruses until Microsoft created an environment that demands them. If there is no security in that environment, then you can't expect things to be secure. If you leave your flashy sports car running and unattended with the doors unlocked, you have to share some of the blame when someone takes it for a joyride. Microsoft is practically begging people to write these viruses, which is the point of the article. They can't be this stupid ... they are doing it on purpose to give Unix itself a bad name. To make the world so scary that their users will cling to Microsoft's skirt like frightened children.

  18. Re:How DID they do that? by gmhowell · · Score: 4, Insightful

    There are probably a few convenient factors that prevent them from being called "Outlook viruses".

    First (as others say) is that the slobs in the media don't know of the existence of Mutt, Pine, Eudora, etc. They know Outlook, Notes, and AOL client.

    Second, they don't know the subject that they talk about. Here in Washington, there used to be some smart TV reporters. But they weren't photogenic enough, so they were fired, or offered bad jobs/pay cuts. So now, WUSA has a bunch of young, attractive morons on the payroll. What does this have to do about anything? Like many media outlets, they have no experience with anything. It's not just computers. It's local politics, health science, world events... Most (not the modifier) reporters are just dumb. Reminds me of a college roommate. Okay guy, but not the sharpest tack in the drawer.

    But, at least some of them interview people with half a clue. Which brings me to point three: the people they ask are either M$ users, MCSE's, or in some way involved heavily with Microsoft. To them, Outlook IS email. So they describe it that way.

    The next reason I see is simple: MSNBC. Yeah, yeah, yeah, separate editorial staff, independent reporters, yadda, yadda, yadda.

    Now, take all of these (which individually might be minor) but remember how much news comes over an AP wire (or Bloomberg, or whomever). Listen to your local news. Much of it is a rehash of some simple wire-service article. Reporting with an emphasis on the 're'. And these folks don't know tech.

    I doubt that any of these alone could cause the problems. But taken as a whole, we have this situation. Basically, the blind leading the blind.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  19. This is bad by Anonymous Coward · · Score: 0, Insightful

    Hi.
    I didn't read the article but I would just like to say:

    I think this is bad.

  20. Re:How DID they do that? by ink · · Score: 5, Insightful
    Some IT consultant was talking on the radio the other day about Code Red, and she was actually apologizing for Microsoft. I couldn't believe it! She said (paraphrased), "Microsoft has thousands of employees, and keeping track of everything they do is almost impossible. They have quality assurance tests, but as we all know, these aren't perfect." I was dumbfounded by her slobbering backpedaling, and she wasn't even an employee of Microsoft!

    The only way I can explain it is that most people use Microsoft software, and what we use must be the best, right? I mean, how often does someone buy a new car and then complain about all the problems that it undoubtedly has? Hardly ever. It must be the same with computers; the Windows users have an emotional investment in the product and they want everything to be just fine, so they apologize for shoddy software; "Oh Windows crashed, I bet the next version is better, this one is getting quite old", "Oh I got a virus, I wish those evil hackers would be put to death". See my point? They never think to blame Microsoft because they are Microsoft to a certain extent; they belong to a huge fanclub of a massive group of people. That's gotta feel good.

    And it makes it tough for us non-Microsoft users to get along with. Like the abused wife that toddles on back to her jerk of a husband, so the users return to Outlook, because "this time it will be better" and "I don't know how I could possibly function if my calendar and e-mail client were two separate programs."

    --
    The wheel is turning, but the hamster is dead.
  21. In other news... by LyNXeD · · Score: 4, Insightful

    Micro$oft (NASDAQ: M$FT) today realized that their new TCP/MS protocol will not function over the Internet's (mostly-non-M$) infrastructure. The TCP/MS protocol is designed to address some of the security issues involved with the industry-standard TCP/IP protocol. It allows for authentication and tracing, to allow large corporations to know who does what, when, where, and how.

    Micro$oft is not held back by this issue, however. They are currently working on developing a solution called "MS-over-IP" which will allow TCP/MS packets to travel over non-M$-compliant IP networks. This will be available as a patch to the upcoming Windows XP, for approximately $300. Micro$oft also notes that if your ISP refuses to conform to the new TCP/MS standard, and you do not wish to spend $300, you may switch to their M$N Internet $ervice, which will support native TCP/MS connections.

    Micro$oft did not return any calls to our reporters on this issue, and simply sent us an E-Mail saying: "All your packets are belong to us."

  22. Re:Already been done... by Billly+Gates · · Score: 3, Insightful


    One of the reasons that IPv6 is not very popular is because the MS version is proprietary as hell. MS is waiting for the big switch to IPv6 so incompatibilities between Unix and NT/winME could show up. At the time when the first MS-IPv6 stack was written, MS arrogantly assumed NT would own 80% of the server market by the time IPv6 became standard.

    With almost everything running on NT, MS could then easily convince IT managers to only run NT on all servers for full network compatibility. The good news is that Microsoft's server dream never came quite true. Unix is still king on the Internet and is surprisingly gaining marketshare. At only 35% of the server market, I believe the MS IPv6 will not be very standard even if the whole Internet switches to the standard IPv6. But due to the MS-IPv6 problem, IPv4 will never quite go away.

  23. Re:How DID they do that? by bikepunk · · Score: 4, Insightful

    The whole "monetary investment" concept is hitting the nail on the head.

    Scenario one:
    -- Arthritis is, by nature, a waxing and waning problem for people who experience it. This means that half the time it hurts and half the time it doesn't on average. The medications for it aren't always that good, and barely affect the 50/50 chance of improvement.
    -- Let's say a filthy-rich golfer buys a copper bracelet for 100 dollars to cure his arthritis, and he experiences a decrease in pain! Note that this decrease in pain is likely to be a naturally occurring decrease. Nonetheless, he attributes this decrease in pain to the copper bracelet.
    -- Now, another filthy-rich golfer also bought a copper bracelet for 100 dollars to cure her arthritis, and she experiences an increase in pain. In other words, the bracelet appears to have done nothing for her arthritis. She paid 100 dollars for it, so she doesn't really feel like admitting her foolishness for buying the bracelet, of course!
    -- In summary, about 50% of the people who buy copper bracelets go on to recommend them to friends, and 50% of them are too embarrassed to say anything bad about them.

    Now, go next door, and talk to your neighbor about their computer's operating system and computer that they just put down a few months' salary on. Are they going to say anything bad about the super-duper Wintel machine they just drained their wallets for? I doubt it. Also, what are they going to compare it to?

    People feel a lot better having to pay for a product and seeing a smooth interface and knowing that their company endorses it. This seems to be a fact of capitalism. I really hope this fact becomes fiction...

    Footnote: The copper-bracelet example is from some medical/doctor journal/magazine article. Sorry, but I can't remember the issue number or title. Anybody know the article I'm thinking of? I hate using nifty ideas and not giving due credit :)

  24. You're all missing Cringely's main point by Infonaut · · Score: 5, Insightful
    Sure, Cringely is not a technical maven, and debating the finer points of TCP/IP is probably best left to people like.. well, like Slashdot members.

    But Cringely's real point is that Microsoft is a very powerful company with a long history of turning its own technical shortcomings into market strengths. Microsoft's PR machine is incredibly effective - witness the FUD that kicks into high gear any time MS announces anything.

    It's also instructional to remember a few Microsoft projects that didn't go off as planned. Ever wonder why journalists never bring up those failed efforts, or point to the millions of wasted dollars MS has spent over the years on vaporware?

    Remember how Microsoft Bob was going to "personalize" the computing experience? Well, it failed not once, but twice! Remember how Chrome was going to "revolutionize the industry," according to the drooling press?

    Because Microsoft is the 800-lb. gorilla of the software world, even when they fail, they get the benefit of the doubt. It comes with the territory. Also, because the Microsoft culture is fanatical about continuous improvement, they have a long history of sucking hard at v1, sucking at v2, becoming fairly usable at v3, and taking over the market by v4 and beyond.

    Microsoft has been doing this long enough to realize an opportunity when they see one. Cringely is reminding us that unlike all of you Slashdot readers out there, Microsoft is driven not by desire to build cool, useful technology, but by the desire to control marketshare. That's the be-all, end-all of their existence.

    So whether Cringely is correct about raw sockets or the demise of TCP/IP doesn't really matter. Almost every company that has gone toe-to-toe against Microsoft in a market segment has failed because they continually underestimate and miscalculate Microsoft's strengths (IBM, Novell, Apple, WordPerfect, Lotus).

    Microsoft has an overarching vision of the computer marketplace that is far more evolved than any of their competitors, with the possible exception of Sun.

    Microsoft remains unconcerned with business ethics, is unafraid of censure by the government, and wouldn't hesitate to use the ubiquity of their own flawed products as an excuse to move the foundation of the Internet to a proprietary framework.

    Microsoft doesn't give a shit about the history of the Internet and the spirit in which it was created. They don't give a shit about letting everyone in.

    If Microsoft believes they can make the Internet a proprietary environment that they can control, they will work relentlessly toward that end.

    --
    Read the EFF's Fair Use FAQ
  25. This Seems to be a VERY Risky Strategy by GroundBounce · · Score: 3, Insightful

    I can see the part about TCP/MS as being a remote possibility, but the real problem with the theory is the part about Microsoft introducing something like raw sockets specifically to encourage abuses that they hope will subsequently be blamed only on hackers, UNIX, and TCP/IP itself.

    This would seem to be an extremely risky strategy due to the high potential that it could backfire from a public perception point of view. My experience is that despite the fact that some people are apologetic toward Microsoft as Cringely points out, there is a steadily growing public perception of the weakness of Microsoft products.

    Many Windows users that I know use it because they feel they have to, either for the applications they need, because their workplace demands it, or because they feel they are too non-technical to use an alternative like Linux (and believe me, many of them are). They are well aware of the instabilities and the susceptibility to virii, and in fact many of the Windows users I know joke about it all the time even though they use Windows for various practical reasons.

    I think at this point in time, if Windows XP doesn't live up to the MS hype about it being a more stable and robust platform, and ends up in fact being less robust, they run a significant risk of damaging their public perception; probably not fatally, but noticeably nonetheless. Given the fact that a wholesale migration to TCP/MS, while possible, is far from a sure thing, this would seem to be a rather risky strategy.

  26. Re:How DID they do that? by The+Cookie+Monster · · Score: 2, Insightful
    The vast majority of so-called e-mail virii are VB virii, that exploit weaknesses in Outlook's security to hide inside attachments and run without the user's knowledge.
    This seems to be the general opensource response to what I posted (and posts like mine). But how many VB viruses have you actually received? VBscript viruses just don't spread, Outlook warns you that you are about to run something potentially very damaging and asks whether you're sure you want to continue (very scary stuff for not-very-computer-literate people) before running the script, and virus checkers can spot them all a mile off without even needing a footprint. I don't think I've ever been sent a vbs based virus but I've been sent a lot of exe's and screen savers. Sircam for example is executable code.

    While scripting in an email client is just plain dumb, it isn't what makes Outlook good for viruses [anymore].
    You have to detach the attachment, then set its permissions to executable, then execute it. Only a total fool would do that.
    Then total fools make up 90% of email users and we just have to live with that, because that's the exact equivalent of what they do in Windows. If you're claiming that the solution is to make it really irritating to do something as useful and legitimate as using stuff your friends send you, then I suggest you look for better solutions ;)
    (and don't read that as me condoning the user interface Outlook uses for that task)
    Yes we will see more of them, but at least we try to build systems that will fight them, not welcome them with open arms.
    This is true. I feel Microsoft's response to Outlook viruses has been superficial at best, and they do deserve some blame.
  27. Good morning Slashdot by ObligatoryUserName · · Score: 4, Insightful
    So far, most of what I've seen people post are Microsoft apologists, and predictions that it's all overblown, and confused people who think Cringely's confused because they can't follow all his threads.

    No, he's not saying viruses spread over raw sockets. He's saying that many viruses/worms like Code Red have the end effect of creating a denial of service attack; denial of service attacks are very difficult to block when the addresses of the packets are spoofed. He's saying that in the future, when 90%+ of the world is running Windows XP (and Windows 95/98/ME/2000 has been discontinued by Microsoft- ever try to get Windows 3.1 anymore?), and 90% of those people haven't used third party tools to secure their computers, there will be a continuous series of distributed denial of service attacks, and viruses like Code Red which will effectively bring the Internet to a halt. (Most servers aren't running Microsoft OSes, but most of the clients are- the fact that Apache is the most used server is completely unimportant in this matter. Code Red isn't as bad as predicted because most people don't run Windows 2000, but XP unifies the server and consumer OSes so it'll be running on a very large number of computers, making these future problems several orders of magnitude worse.) The end result (as predicted by Cringely) is that Microsoft will extend and embrace TCP to get the Internet (which will be rendered useless by script kiddies and/or attacking foreign governments) working again.

    Once implemented, if your web server doesn't speak MS/TCP then no one with Windows will be able to see your site. (And the only servers that will have bug free implementations of MS/TCP will be running a Microsoft OS.) Think that little ploy is hardly enough to overturn the Internet? Then why am I using IE right now? Their ploys have undone greater marketshares.

    Someone said that Cisco is working on a way to prevent spoofed IPs at the router, if this is true, then this speculation is for naught. However, the fact that this is plausible should be a wake up call. Microsoft owns all of us. This is the straw that broke the camel's back, I'll resign before I install Windows XP. Microsoft's abuse of their monopoly is an affront to freedom. Live free, or die.

  28. Can WE Sue Microsoft? by BigBlockMopar · · Score: 4, Insightful

    Quoted from Cringely:

    If it were not for Microsoft's carefully worded user license agreement, which holds the company blameless for absolutely anything, they would probably have been awash in class action lawsuits by now.

    But can't sysadmins sue Microsloth for the gross negligence that consumes our bandwidth?

    I know the license agreement that I made when I opened my Windows 2000 CD only affected my Windows 2000 desktop. It has *nothing* to do with the bandwidth - which I pay for - that this stupid [expletive deleted - Ed.] worm has consumed.

    I'm not normally litigious, but Microsoft needs to clean up their act.

    Anyone know a good class-action lawyer?

    --
    Fire and Meat. Yummy.
  29. not to worry by peccary · · Score: 5, Insightful

    The bee in Gibson's bonnet (and therefore Cringely's, cuz we know where he gets his material) is IP source address spoofing. He thinks that Windows XP will somehow make this much easier.

    He's right.

    But it doesn't matter.

    There are already several easy technical fixes to prevent source spoofing, and if Gibson and Cringely's phantasy comes true, they will all be deployed in various Internet routers in a matter of weeks. Some of them already are implemented in Cisco routers, but are not enabled by default. Long before things can come to a sufficient head to justify Microsoft's appearance as an off-white knight to ostensibly save the day.

    See also this article from Network Magazine.
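
Added example, not part of the thread: the comment does not say which router-side fixes it means, so this sketch assumes the simplest one, ingress filtering (RFC 2827 / BCP 38), where an edge router drops any packet whose source address does not belong to the prefixes assigned behind the interface it arrived on. Interface names, prefixes and packets are constructed (documentation address ranges).

```python
import ipaddress
from collections import Counter

# Constructed edge-router table: customer-facing interface -> prefixes
# legitimately assigned behind that interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.128/25")],
}


def ingress_permit(interface, src):
    """True if a packet arriving on `interface` may carry source address `src`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False              # unparseable source: drop
    prefixes = CUSTOMER_PREFIXES.get(interface)
    if prefixes is None:
        return False              # unknown interface: fail closed
    return any(addr in net for net in prefixes)


def filter_packets(packets):
    """Split (interface, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


def drops_by_interface(dropped):
    """Count drops per interface: shows which customer link emits spoofed traffic."""
    return dict(Counter(pkt[0] for pkt in dropped))


# Constructed traffic sample.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),    # legitimate
    ("cust-a", "198.51.100.7", "203.0.113.5"),  # cust-b's address sent from cust-a
    ("cust-a", "10.1.2.3", "203.0.113.5"),      # private address, not assigned here
    ("cust-b", "192.0.2.200", "203.0.113.5"),   # legitimate (second prefix)
    ("cust-b", "192.0.2.10", "203.0.113.5"),    # cust-a's address sent from cust-b
    ("cust-a", "not-an-ip", "203.0.113.5"),     # malformed
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    print(len(forwarded), "forwarded;", drops_by_interface(dropped))
```

The filter only works at the edge, where the router knows which prefixes sit behind each interface; once a spoofed packet is in the core, its source address can no longer be checked against its origin.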

  30. Please remember history... by weave · · Score: 5, Insightful
    Most Slashdot readers are young. One day you'll be cursed and promoted into management, then decision making jobs. Don't forget this kind of crap. Don't grow old and start buying default corporate lines, etc, etc...

    When *I* was a youngin, IBM could do no wrong with many decision makers. I swore I'd never have my head in my ass when I got into decision making positions.

    Now I'm 42 and one step away from making the decisions. I can INFLUENCE them now, and due to that, we run Apache for our web servers, I've stopped any thought of IIS from being implemented, and run Linux where possible and NT reluctantly in some applications....

    So don't forget this stuff. Microsoft may gain that market share, but one day hopefully pointy-haired bosses will be a bit better educated and make better decisions and not get sucked in by marketing hype.

    Oh, I can dream, I can dream...

  31. Re:How DID they do that? by The+Cookie+Monster · · Score: 3, Insightful
    Because they're not MS's fault despite what the open source community would have you believe. I used to believe the same thing, but think about it:
    • Viruses must be targeted at the most prevalent software - a virus written for mutt isn't going to spread anywhere as it will be mailed to 9 Outlooks, 2 NS messengers, and a pine.
    • Security privileges don't make you any more secure for these. So the attachment you ran isn't running root, so what - it still has access to your address list file, it can still send email, and it can still delete the files you actually care about (as opposed to the ones that come with the distro).
    • Unix people are normally computer savvy so are a less likely target for social manipulation, but if the answer was to switch to linux then all the people who have to work with computers but don't care for them or know much about them (non IT businesses) would be using linux. If these people got an email from a coworker asking them to run the attachment, they would.
    • Social manipulation aside, there have been the odd viruses taking advantage of MS security flaws - ones where you don't even have to open the attachment to get infected, granted. Any software written in C running on windows or linux is vulnerable to things like this - NS Messenger for instance (runs on many platforms) had a buffer overrun bug meaning you could run arbitrary code on someone's machine just by sending them a message. pine and mutt etc might have many but since they aren't popular it doesn't matter.
    Sure, Microsoft haven't done nearly as much to prevent this stuff as they should have, but I think that if every man and his dog was running your 'safe' email client on your 'safe' OS, you would find it wasn't very safe at all.

    Rather than everyone switch from outlook, the solution is probably for everyone to be a little less inbred with which email clients they use.
  32. Re:How DID they do that? by ToLu+the+Happy+Furby · · Score: 3, Insightful

    This seems to be the general opensource response to what I posted (and posts like mine). But how many VB viruses have you actually received? VBscript viruses just don't spread, Outlook warns you that you are about to run something potentially very damaging and asks whether you're sure you want to continue (very scary stuff for not-very-computer-literate people) before running the script, and virus checkers can spot them all a mile off without even needing a footprint. I don't think I've ever been sent a vbs based virus but I've been sent a lot of exe's and screen savers.

    Um...the I Love You worm, the most destructive (in estimated $ costs) computer infection in history, was a .vbs attachment. So were Bubble Boy and Anna Kournikova. (The first required no user intervention as it exploited a serious Outlook security flaw; the second enjoyed a wide spread due to some simple social engineering.)

    That's first of all. And second of all, Outlook's idea of attachment security is to pop up the same "this is an attachment are you sure you want to open it?" dialog box for every attachment, whether .txt, .exe or ".jpg.vbs".

    A simple list of things MS could do to improve email attachment security:

    1) Run any executable attachments opened directly from Outlook in a sandbox; require user confirmation for any changes to existing files, for creating any new files, or for sending out any email.

    2) Turn macro protection in Word on by default, and run Word macros in a similar sandbox.

    3) Disable any scripting elements in HTML email; no java, javascript, ActiveX or VB script, just plain HTML.

    4) Only pop up a warning when opening an attachment which might actually be dangerous, i.e. .vbs, .doc with macros, .exe, .bat, .com, .scr, etc. Popping up a warning every time a user opens any attachment just makes the user learn to click through the warning without thinking.

    That's 4 changes which would be neither too difficult to implement nor too annoying or confusing to users. Yes, buggy permissions and buffer overflows happen in most all software, and requiring MS to audit code ala OpenBSD would be impossible. But they're certainly not doing anywhere near what they should to make viruses more difficult to spread.
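
Added example, not part of the thread and not Outlook's behaviour: a sketch of the targeted warning policy from item 4 of the comment above, which warns only on the attachment types it lists and flags a decoy extension such as ".jpg.vbs". The decoy list, function names and sample mailbox are assumptions constructed for illustration.

```python
# Extensions the comment's item 4 lists as worth a warning.
EXECUTABLE_EXTS = {".vbs", ".exe", ".bat", ".com", ".scr"}
# Harmless-looking types used as a decoy first extension (assumed list).
DECOY_EXTS = {".txt", ".jpg", ".gif", ".doc"}


def _split_ext(name):
    """Split on the last dot; unlike os.path.splitext, '.vbs' counts as an extension."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")


def classify_attachment(filename, has_macros=False):
    """Return (warn, reason) for one attachment name."""
    # Win32 path handling drops trailing dots and spaces, so 'tool.exe.' is an .exe.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = _split_ext(name)
    if ext in EXECUTABLE_EXTS:
        # Padding such as 'photo.jpg   .scr' pushes the real extension out of view.
        _, inner = _split_ext(stem.rstrip(". "))
        if inner in DECOY_EXTS:
            return True, "disguised"
        return True, "executable"
    if ext == ".doc" and has_macros:
        return True, "macros"
    return False, "inert"


# Constructed mailbox: (attachment name, document contains macros).
SAMPLE = [
    ("notes.txt", False),
    ("holiday.jpg.vbs", False),
    ("photo.jpg", False),
    ("report.doc", False),
    ("budget.doc", True),
    ("setup.exe", False),
]


def warning_counts(attachments):
    """Warnings shown by a warn-on-everything policy vs. the targeted one."""
    targeted = sum(classify_attachment(n, m)[0] for n, m in attachments)
    return len(attachments), targeted


if __name__ == "__main__":
    for name, macros in SAMPLE:
        print(name, classify_attachment(name, macros))
    print(warning_counts(SAMPLE))
```

On the constructed mailbox the blanket policy shows six dialogs and the targeted one three, which is the click-through fatigue the comment describes.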

  33. A controversial opinion on Redmond by hearingaid · · Score: 2, Insightful

    Before going into my opinion on why people see M$ in this way, I should explain a few things first.

    • I am not a Micro$oft-lover; I am posting from an iMac, I own two FreeBSD machines and one Win95B machine, plus a collection of older computers.
    • I use some M$ products, but I avoid them as much as possible. As will be clear later on, I like Word. I have never bought any of their products, but I did once recommend that my employer buy a copy of FoxPro (which recommendation was followed up on). I am posting from IE5, though, so I can't claim total innocence. :)
    • I don't really have very much against closed-source code. IMO one of the problems with the hacker world is that they've become a bunch of whiners who don't even know how to use disassemblers and decompilers anymore. If you have the code, you can figure out how it works. Sure it's hard, but there it is.

    so, all that aside. People love Microsoft because their products are incredibly useful.

    As programmers, we know that Microsoft products are buggy, poorly written, and often just plain stupid.

    However, you try writing a book with a pen and paper. Now open, even, Word 6 running on Win 3.1 and compare. It's not hard: the M$ product wins out every time.

    Or try doing some serious accounting work on a paper ledger, then open M$ Money. Damn, but, you know...

    The problem, fundamentally, is that computers are too good. Computers in general are such fantastically useful tools that people love them, even when they're seriously non-optimal.

    As far as I can tell, the only really strong link in the whole M$ apps network is Word. Word has so many features, I find it quite incredible. (It does have security failings and other failings, of course. But given the size of its codebase, it's actually pretty reliable, I think. Unlike, for example, IIS, which is just a little program.)

    Which is why people shell out all that cash for Office, because Word is amazing, and the features it has are stuff they understand. People understand writing. They don't understand email. They like email, they just don't know how it's supposed to happen. So most of them use Outlook because it comes with their Word, and they assume that because Word is amazing, Outlook is too.

    So anyway: that's my point. Computers have radically changed people's lives and made possible things that they found hard to imagine before. Even when they're running M$ operating systems, they're still fantastically useful, so nobody thinks to ask if there's something better around.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore