Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
Except the Mac and Linux users in charge of those systems... ;)
There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".
That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1) It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, items central to the functioning of Windows do not lend themselves to good security.
The ad on the page was for Server 2003.
On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!
"People will pay big bucks for the luxury of ignorance."
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure!
I spent ages trying to think of sig, but never did
The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much improved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are updated will the ability to use real user security settings become practical.
If nothing happens then you have a reasonably secure linux box.
In my case, because Virginia Tech's CS department requires us to have XP Pro. The people who don't trust MS use Windows because they have to.
The author makes a nice (partial, if you may) rebuttal of this myth, and also points to something to back it up, like the number of open ports that create potential possibilities for holes, and that are for services that are enabled by default, yet shouldn't be used in a hostile environment (and how MS does nothing about it, and how XP was supposed to be more secure in matters like this). And frankly I haven't heard of a non-hostile environment involving more than 10 people on a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.
-
world was created 5 seconds before this post as it is.
Perhaps now we should try to get other "mainstream" media entities to cover stories with this sort of angle... such as:
* The New York Times
* CNN
* USA Today
* The Wall Street Journal? (Yeah, it's a long shot, but...)
Does anyone here have contacts with any of these companies?
Honey, I shrunk the Cygwin
I wonder how much money RedHat slipped the Washington post for that one...? *g*
Insecure by design (Score: -1; Redundant)
If 80% of the computers on the Internet were running OS X or Linux don't you think there'd be more Mac and *nix malware?
Now I'm not saying one OS is more secure than another (although that may be the case as well), just an easier and more effective target.
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
Like a Linux PC owner sleeps anyway....
"Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes"
emerge -u world
how _hard_ is that?
What baffles me is that even with all this evidence for the need for operating system diversity in the corporate realm both corporate America and the US government are eliminating anything non-Microsoft. Lemmings.
What is it going to take? Ships sinking? Trains being derailed? Satellites dropping out of orbit?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.
...
Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I think I speak for practically every other user here when I say, "Duh."
Karma: It's all a bunch of tree-huggin' hippy crap!
Not only is what this guy who wrote the article saying a ridiculous choice of words, I consider it to be libel. He is saying that the architects of Windows, with his comment 'by design', planned on having security flaws. If I were MS, I'd sue this guy by making such a claim. No one sat around a conference table in a code review and said.... you know what.. this isn't insecure.. we need to change that.
Sheesh.. more of the same. People writing articles that I would equate to "TROLL" and "FLAMEBAIT"
I didn't have ANY trouble with SoBig.. or Blaster.. why, because I patched my system and secured it.. I also have taken steps to protect myself from crap mail programs that allow SoBig.
rant over...
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.
The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.
The coolest voice ever.
I'd like to make one quick point. If a remote root exploit is found in Linux (like the RPC hole found a couple of months ago for Microsoft), the same type of Worm can happen.
The biggest (not only) difference, is that Microsoft (with Windows) has such a large market share, that it only makes sense to attack it. If Linux had 90% of the market, you know there would be virii exploiting its holes. Same goes with Apple (OSX being based on FreeBSD has many of the same holes as Linux).
It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.
If Linux dominated the desktop market and was on some 95% of computers (or whatever MS is currently at), there would be just as many viruses and other headaches.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Give this dude the obvious award. People who don't know enough to lock down their computers are the real security problem, more so than any OS.
All in all, I did like the article, but I thought that the author was being irresponsible in some areas. I thought that it was a bit irresponsible to blame Windows for using "ports" as being a security issue. I realize that open ports are a problem, but they are a potential problem for ANY operating system. OS/X was hinted at being secure because it did not leave any ports open in the basic installation, and Linux was not mentioned at all, which implied that it did not have any issues around these dangerous "port" things.
Windows is the largest target out there, both for commercial and malicious intent. Toss in the fact that everybody hates MS, and that is why we end up with so many people targeting it. It does also help that it is not that hard of a target to hit.
Ha! I've had to mail out instructions to secure Windows and the patches to all my Windows lusers buddies.
... go to the dos prompt ...
They: "Hey, my cut and paste won't work".
Me: Now listen carefully
I trusted MS XP Pro so much that I fdisked over it with great gusto without a single bootup.
Unfortunately, Toshiba (and thus me) already gave those toads money.
Me physicist. Me make rockets.
Maybe some company should get off their butts and produce an OS that runs Windows applications. Not Lindows but a Windows clone.
If people had a choice besides Linux, then maybe Microsoft would start quaking in their boots.
The persons who create this OS could be richer than Mr. Gates.
Something to think about. And it's not too late.
WinXP = Win98 with a different skin
The way I see this is that Windows is, for good or bad, popular. As such people will poke around it more and find more holes. It's not like Mac + Linux are totally secure. Now as there are more people, more holes will be found.
Now from these Microsoft issues more patches etc. It should be pointed out that the holes that allowed the recent worms are fixed by a patch released over a month ago. It's just that people/admins haven't applied them, meaning systems are still exploitable.
Also Windows isn't designed to be totally secure from the ground up; it's designed to work on a wide range of hardware and appeal to all levels of people.
Just my $.02
Rus
Cheap UK and US VPS
The only reason these worms can spread is because of the lack of basic computer intelligence of the average user. I have had Windows and used the internet religiously for years and have never gotten a worm on my box.
So basically what I'm saying here is that it's not always the operating system's fault; even though I think Windows is insecure, it gets too much shit for it.
There are 10 kinds of people: those that understand binary code and those that dont
Obligatory Response:
The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.
There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).
Now, who is up for raiding the MS bank?
An infinite number of monkeys will eventually come up with the complete works of
This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly every user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!
A blog like any other.
Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any Windows-using acquaintances, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those Windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.
Linux and MacOS users are, let's face it, in the minority compared to Windows users. Granted Windows most likely does have more security flaws than these other OSes, but the main concern here is that virus writers will target the OS that will cause the most damage (or that they have the most experience with) and that will almost always be Windows.
Even if all the known exploits in Windows were patched, all it would take is one more for another virus to do something like Blaster or Slammer. On the flipside though, something like that could just as easily happen to Linux if an exploit were found, it's just that no one bothers to write viruses that take advantage of it.
Another reason Mac/Linux is more secure is there aren't 10 million things popping up as you browse the internet, inviting you to install software, change your homepage, or other sundry offers - Here's to incompatibility! Also, Mac/Linux holes get patched significantly faster (in general) than Windows ones.
If someone emails you an exe, and you run it, and it does something to your computer, that isn't exactly Microsoft's fault.
I guess sobig is a .pif and so it's kinda confusing to some people, but I don't think you can group SoBig in with other security holes that Microsoft has.
Site feels slow, so ....
By Rob Pegoraro
Sunday, August 24, 2003; Page F07
Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.
This is not a coincidence.
The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?
Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."
Not opening strange e-mail attachments helps to keep Windows secure (not to mention it's plain common sense), but it isn't enough.
The vulnerabilities built in: Security starts with closing doors that don't need to be open. On a PC, these doors are called "ports" -- channels to the Internet reserved for specific tasks, such as publishing a Web page.
These ports are what network worms like Blaster crawl in through, exploiting bugs in an operating system to implant themselves. (Viruses can't move on their own and need other mechanisms, such as e-mail or floppy disks, to spread.) It's canonical among security experts that unneeded ports should be closed.
Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.
"Messenger Service," for instance, is designed to listen for alerts sent out by a network's owner, but on a home computer all it does is receive ads broadcast by spammers. The "Remote Procedure Call" feature exploited by Blaster is, to quote a Microsoft advisory, "not intended to be used in hostile environments such as the Internet."
Jeff Jones, Microsoft's senior director for "trustworthy computing," said the company was heeding user requests when XP was designed: "What customers were demanding was network compatibility, application compatibility."
But they weren't asking for easily cracked PCs either. Now, Jones said, Microsoft believes it's better to leave ports shut until users open the ones they need. But any change to this dangerous default configuration will only come in some future update.
In comparison, Mac OS X ships with zero ports open to the Internet.
The firewall that's down: A firewall provides further defense against worms, rejecting dangerous Internet traffic.
Windows XP includes basic firewall software (it doesn't monitor outgoing connections), but it's inactive unless you use its "wizard" software to set up a broadband connection. Turning it on is a five-step task in Microsoft's directions (www.microsoft.com/protect) that must be repeated for every Internet connection on a PC.
Mac OS X's firewall isn't enabled by default either, but it's much simpler to enable. Red Hat Linux is better yet: Its firewall is on from the start.
The patches that aren't downloaded: Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes, since it can automatically download them. A PC kept current with Microsoft's security updates would have survived this week unscathed.
But hundreds of thousands, if not millions, of Windows systems still got Blasted, even though the patch to stop this worm was released weeks ago.
Part of this is users' fault. "Critical updates" are called that for a reason, and it's foolish to ignore them. (The same goes for not installing and updating anti-virus software.)
The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit. And for those saying they don't
I currently run Windows XP (unpatched, no virus-killer) and GNU/Linux machines behind a GNU/Linux firewall/router. I have never been *infected* with anything. If you're stupid enough to set Windows Explorer to "hide the extension of known file types", and to not know that a .scr file is just as executable as an .exe, and to not run a decent firewall then frankly, you deserve to be infected by the latest and greatest virus.
--
Craig
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
When Microsoft introduced Windows NT and NTFS, they had the chance to lock down the system, enforcing the separation between user and system like any modern multi-user operating system. My guess is that this idea got shot down by the people at Microsoft who will do just about anything to avoid breaking old applications. What they delivered is a mess, and it's still a mess. They need a BOFH-type security czar to clean things up and tell users to bitch to the original vendor about their broken applications.
Mea navis aericumbens anguillis abundat
If you take a look at the 'vectors' for these viruses, you'll notice that they're all legacy protocols: http, smtp, rpc. These old unix-based systems were designed at a time when people did not care about security. Yet, they form the very basis of the Internet. Microsoft is practically forced to adopt these archaic protocols in order to stay competitive. Why should they be blamed for the failures of these obscure unix standards?
Too bad this article won't change anyone's plans on using Windows in the future. . .
They will still flock to it like lemmings.
I am over here... now I am back over here!
This article seems to have such a pro-Mac stance that I didn't bother reading past the first couple of paragraphs. It's OS/wars all over again.
Granted it's been a few years since I was a Level 1 Tech for Apple Resellers, but let's not forget that for many years Macintosh (and specifically Mac-OS) reigned supreme as the simplest platform for which to write viruses. And virus writers certainly took advantage of it.
Why? Because every time you inserted a floppy or CD, or mounted a new hard disk or Syquest cartridge, the OS went behind the scenes to load CODE resources from the disk to allow the display of custom dialogs (passwords, etc), change desktop settings, layout, etc. The user didn't have to take any action to open files or folders.
It didn't take virus writers long to figure out this point of entry, and with no concept of permissions or anti-trust built into the OS, the malicious code had full control of the system.
Few days went by where I didn't have to low-level format someone's hard disk and inform them that, yes, working backups are a Good Thing to have.
Remember: The more secure a network is, the harder it is to use.
I mean really - changing passwords once a quarter? In a bank, or a hospital, or a military installation, maybe, but my dad is a retired University professor, and the new policy of changing email passwords once every three months is just about to drive him insane.
The several days that several hundred thousand people have been offline due to the Blaster/SoBig outbreaks has to be balanced against the several days or even several weeks that several hundreds of MILLIONS of users would have to spend in class learning how to use their more secure, but less user-friendly computers.
From an economic perspective, ease of use is probably still more important than security. [And I'm a security nut.]
And in cases like these (stupiduseritis?), it doesn't matter which operating system you choose to use, you almost certainly won't have configured the machine properly from a security standpoint.
--
Craig
Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure!
All of the arguments I've heard against this viewpoint -- which is to say, arguments based on "Windows is fundamentally insecure anyway, it would be much more heavily exploited even if it weren't the dominant desktop OS" -- are entirely theoretical. Well and fine, but as such their soundness is limited. The discovery of exploits is such a chaotic, surprising affair that one cannot hope to accurately predict how it would go for other operating systems without realistic tests of the systems in question. By this, I mean that unless you actually obtain a scenario where Linux or MacOS are indeed dominant, and are given the same exposure as Windows had (we can assume future tense here), running all the risks of being squinted over by troublemakers of all skill levels, and then conduct a "test run," as it were, over a very extended period of time... unless you have that, you are not going to be able to make any claims.
Even a thorough, scientific, hundreds-of-pages review of Windows security structure is no substitute for such a scenario. In computer security of this large a scale, theory is no substitute for experiment.
The coolest voice ever.
Because Microsoft blew off security concerns for so long, millions of PCs remain unpatched, ready for the next Windows-transmitted disease
Well, I for one always wear protection when cybering on MSN
I agree. The Washington Post is a very well known newspaper that many people get. Even my father (who subscribes to WP) read the article this morning and showed it to me because he thought I might find it interesting. He isn't the type to read stuff like slashdot. Just a note: I saw it at news.google.com this morning.
The Television Wiki
On any system that uses pam, this is trivial to fix; a single line in /etc/pam.d/su will do it.
If someone succeeded, MS would turn their entire corporate attention towards completely destroying them. They would (mis)use copyright, DMCA, criminal law and anything else they could get their greasy fingers into.
One thing that has saved Linux (so far) is that they can't figure out who to aim at. All they can do is bribe lawmakers and promote FUD. They know that if they take out Redhat, someone else would have the code within seconds anyway.
I'll see your Constitution and raise you a Queen.
Regarding IE and Active X.
It's nothing but a virus delivery system.
That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.
Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?
Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....
This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...
It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.
But XP Home is not designed to be on a network. According to the horse's mouth, "Windows XP Professional is best for people who connect to large networks, such as a school or office network." Also from the horse's mouth, "Windows XP Professional is required to access a domain-based network." So they are turning on services that won't even work. Great job, boys.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
The article takes a cheap shot implying that Windows users always run as Administrator, the Windows equal to the all-mighty root, while Mac and Linux users usually get this right and reserve their root use for important stuff, but spend most of their time on a limited user account.
Microsoft had this bad in the entire Windows 9x kernel OSes because there never was any concept of a restricted user... everybody was an Admin on those boxes. Insecurity at its worst, but it was always thought of as a single-user OS, if you wanted a secure user environment you were supposed to pay for the Windows NT-based OS of the time.
Windows XP, after all, is a Windows NT-based operating system so half of the problem is now solved. Microsoft's consumer product finally has a restricted mode. The problem is, there's still a user problem... most people use an administrator account as their primary, sometimes only, Windows logon. So, even though the software has caught up, the users haven't.
Here's another great security test. Throw your computer out the window. If it isn't smashed to pieces it is reasonably secure.
I didn't have ANY trouble with SoBig.. or Blaster.. why, because I didn't patch my system. Oh a few things like clobbering Windows Scripting Host and setting things so I see the file extensions, but hardly enough to call it "secured". It's insecure. I know it's insecure.
No one sat around a conference table in a code review and said.... you know what.. this isn't insecure.. we need to change that.
But did anyone ever say "this isn't secure.. we need to change that."?
In the design balance between fundamental security and "user experience", has any weight ever been given to security in the design phases? Surely Microsoft does something they call "design" for this stuff.
Try ReactOS at www.reactos.com
Again, I have to ask...is Bill Gates nuts?????
Look at OS X...pretty good OS, based on BSD, and it's still a Mac OS
We all know MSFT can make a version of Windows based on Linux, so WHY DON'T THEY???
All they'll do is
1.) Put out a GREAT product; and
2.) KILL THE ANTI-MSFT MOVEMENT...
Linux, as an alternative to Windows, will die because MSFT will FIGHT FIRE WITH FIRE.
It makes SO much sense on all levels I SIMPLY CANNOT UNDERSTAND WHY MSFT DOESN'T DO THIS. I am thinking about this from MSFT's standpoint, not everyone else. What is the best way to kill the Linux movement and keep everyone with MSFT (and happy to boot!)???
WINDOWS BASED ON LINUX. Integrate KDE (which is a Windows clone anyways) with, say, FreeBSD to make "Linux Windows" as simple as OS X. It's so simple it might be passing right over Bill Gates' head.
MSFT can take over the OS world by fighting fire with fire by using Linux against the Linux people. It simply boggles the mind how MSFT is so stubborn as to not use it. Apple figured it out and has a good user-friendly OS. Now isn't it MSFT's turn?
While it is true that a lot of these things rely on social engineering, the other part is why does the OS allow the user to do these things in the first place? If you don't want users to do something destructive, why offer them the choice?
One of the first rules of design seems to be lost on MS designers. If you don't want users to do something then don't offer it as an option. You can pop up dialog after dialog warning users like this:
Do not click 'yes'. If you click 'yes' will crash the machine. Only click 'no'.
[Yes] [No]
How stupid is it for a user to click "yes"? How stupid was it for the programmer to put the "yes" button there?
Yet in MS program after MS program they tell you something is dangerous and allow you to do it anyway. I guarantee as long as applications allow this some malicious hacker will use a little word play or social engineering to allow them to do something destructive.
I really want to throttle the person at MS who tried to get people to believe computers are as easy to operate as toaster ovens. Computers are complex machines. Hiding the fact from the user is not only dubious but dangerous.
Apache is more deliberately used than IIS. IIS, however, has a very widespread install base amongst clueless users who don't even realise that they're running it, thanks to Microsoft's boneheaded install procedures.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I strongly advocate mixed platform networks. I consider Linux and/or BSD as the best for most backbone/critical services/systems, but MS Windows to backup the backbone/critical. ...) and platform from Ma-Bell to the user is that the complexity of configuration, security, operation, ... help-desk, network/server admin ... everything would be an expensive pain to support, but (unless power-failure/outage) web/email/ftp/VoIP/VTC/ ... services from Ma-Bell to the user could be maintained during cyber-conflict activities. Someone in the office would always be able to access email, websites, .... .... Just a few critical (maybe one) networks and offices would require this mixed-platform configuration in business and government. .....DB2, My-SQL, MS-SQL, ... other considerations.
In an office environment for the users in the past I could only advocate Apple and MS software OS+Apps. Late last year I added Linux+GNU desktop/workstation OS+Apps for a mixed platform office environment. Businesses and government should consider letting experienced users [AKA: Geeks/Gurus] select their own OS+Apps desktop.
The reason no one ever supports the mixed network devices/switches/... (3Com, Cisco, Lucent,
For critical/emergency business/government systems and offices the complexity should be able to provide critical services for utilities, command-post, emergency agencies,
Strict adherence to protocols, standards, and configuration would allow business and government to communicate and use www/internet/intranet services.
Letting a one version OS attack (frequently MS) cripple your business, critical infrastructure systems, and/or part of a major government agency like NASA or DoD is PPP.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit whose products? All together now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Okay, before you flame me, let's go back to Unix history and the 1980s
.. ..it's not that plain black and white..
In the 1980s the knowledge of writing secure multi-user, multi-tasking OSes was locked away in Unix commercial versions not for public examination by those studying Computer Science..
Guess where a large portion of those coders ended up at? MS Redmond headquarters..
While past 1990s MS does hold the blame for not being proactive on security ie redoing the kernel
However, I do agree with WashingtonPost's suggestion MS should send a free copy of Longhorn to every registered Windows user worldwide as an effort towards security..
But in closing this set of issues also indicates why opensource OSes will always be more secure because the skills and knowledge are shared with all coding professionals!
Sharing begets Security!
Don't Tread on OpenSource
I think my favorite part in the article is when the author suggests that MS should use their massive cash pile to mail out a CD of updates to every single customer that wants one. Considering how many CDs AOL sends out (and yes, I know they are bleeding money), wouldn't it make sense to partner with AOL, who is already producing discs, and make them multi-session, so that MS could use the already pervasive CD distribution systems in place to get updates out?
I can't believe no one thought to suggest this before. And if MS was REALLY SERIOUS about making security their #1 priority, it would be a pittance to part with and give their customers a much-needed sense that MS actually does care about their customers.
The question is, do they really care more about the customer or the bottom line?
A lot of the recent problems could have been prevented if people had installed the available patches. However, the EULAs that one has to agree to while installing the patches are downright frightening, and Microsoft keeps making them worse.
I wonder how many people skip the patches because the EULAs are so obnoxious?
Open ports are an obvious weakness in the security of an operating system. It is therefore not surprising that the author uses this item to show why the Windows OS is poorly designed in respect to security.
However, the one weakness that keeps showing up is a more fundamental architectural problem. And that is the Internet Exploder as main part of the operating system.
Let me explain: Internet Exploder is built into Windows at system level. It therefore can run processes at this level. If IE is cracked, it would probably give the attacker full system rights.
Now this is not such a problem if you are just surfing Microsoft.com (astalavista is another matter altogether). Unfortunately it is also used by both their mail clients (Outlook and Outlook Express) to (pre-) view mail.
So now we have a security risk that can be activated from the web. All the big mail viri seem to use this architectural weakness.
To make matters worse, Microsoft has always put functionality before security and has added enhancement upon enhancement to Internet Exploder. We are talking Java and VBScript, their own Java VM, Active X components, XML support, support for 2 different kinds of plugins, the use of IE to view local folders... The list is virtually endless.
All in all this adds up to one of the worst security nightmares that have ever been created. Enough material to build a complete multi-billion support structure for it in fact. The only thing that can be done to make this go away is to remove Internet Exploder as the central HUB for functionality on a home PC. Something that Microsoft is probably not inclined to do.
Warper
A sig? Haven't I typed enough yet???
oh yes. they could call it MSUX.
This is really an awful way to think about a consumer base that doesn't understand some basic tenets of computing. I've known plenty of Windows users that think 3.5" floppies are hard disks because the casing is, well, hard. To expect them to catalog file extensions in their heads as well is ridiculous. Obviously you are a more savvy user as you have Linux based machines and a firewall set up.
Not everyone has the time/expertise/desire to learn that much about computing, and that's OK. If everyone were a geek, you'd have no one to bitch about, would you?
But did anyone ever say "this isn't secure.. we need to change that."?
I don't know, nor do you, or the Washington Post. That's my point. This guy is making this statement without any facts, just assumptions.
In the design balance between fundamental security and "user experience", has any weight ever been given to security in the design phases? Surely Microsoft does something they call "design" for this stuff.
I don't know about MS. Can you say that they don't? I for one know that my non-software company which has an IT department that watches the actions of MS a lot, has an information risk management team that looks for security holes in all in-house and purchased software before implementation. Would you care to assume that MS gives weight, or doesn't give weight to security during the design phase? Or would you care to not assume, since all the facts are not available?
In our lab, all computers run zonealarm (only computers in the lab are allowed to connect to each other, not to campus network) and have anti-virus software (autoupdate every week). All computers are patched and MS outlook is banned. Never had any problems. I think the difference between Linux and windows is the users. Linux users are usually much more knowledgeable about security. As more people use it, I'm sure some will log on as root, will run an insecure webserver, and most of linux security will be gone.
The reason that windows gets all these attacks is because they are a huge corporation and Bill Gates is the richest man alive.
Linux and Mac OS are just as easy to write viruses for, but nobody gives a damn about them because they are The Great Computer Satan that Microsoft supposedly is.
Xaotik Designs
If anything, he put too much blame on the user. Sorry, if a normal user gets yet another screen saver from a friend and it just happens to be some kind of M$blaster with a spoofed from address, Microsoft holds full responsibility. What use is a mail client that can't be used to swap trivial software? Why the hell didn't M$ just make a normal screen saver that can pick pictures from a directory instead of a binary nasty? Rob got the root user / normal user distinction right but he did not put it together quite right.
Friends don't help friends install M$ junk.
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
- David A. Wheeler (see my Secure Programming HOWTO)
...then how do you expect people to mail you legally then? Because after all, just typing your email addy into a "send to" field would be a violation as well. So now if someone wants to email you, they have to get a release beforehand via a different method? Of course, since they've already contacted you, why not deliver whatever message they originally wanted then? Which would then defeat the purpose of you having email.
:-) lol
But I am serious...Look at Windows Longhorn? Is it based on some UNIX-type environment? NO. It's pathetic and MSFT is killing themselves because every bad OS that comes out from them makes many others put together good ones...if MSFT put out a good one based on BSD or Linux (or how about SuSE [well I guess that is Linux, right?)? Maybe I don't know what I'm talking about), they could make everyone happy which will result in other people not trying so hard to bring down MSFT...
and people would actually like MSFT if they put out a good OS (except certain MORONS who shouldn't be let near a computer (i.e., idiots who've been Mac users for a long time who are now whining about OS X's "difficulty"...and AOL users))
This is kind of difficult to explain, but I'm the only guy in my area (within 40 miles easily) that knows even how to use linux, or how to compile applications. However, I have quite a bit of windows experience as well. My cell phone has rung off the hook for the last 2 weeks with people asking me to fix their computers from blaster... First I went to the girls' houses and fixed them, but after one too many doses of the spoiled little girl routine I decided to use VNC to fix this stuff (albeit difficult, not impossible). People do some bonehead things, and although my own personal system wasn't affected (Gentoo linux baby) all my friends were. Oh, and by the way, I'm 16 and have a fairly tricked out gentoo box (quite a few custom written scripts etc...)
Fact: File extensions are still hidden by default.
You know what it will take? A better alternative.
"Sufferin' succotash."
1. Most people I know haven't been affected by most of the recent Windows virii. Why? Eudora/others instead of Lookout or Lookout Distress. I've also trained 'em well enough that they understand that clicking Windows Update at least on a bi-weekly basis is a good thing(tm).
2. I wasn't affected, simply because KMail is the least-vile e-mail client I've encountered since old school Eudora. Naturally, KMail runs on Linux.
3. If everyone used Linux, virii would abound for it. The major difference, however, is that if Joe User opened strange attachment #43, he'd be able to hose his home directory and nothing more. Non-root for normal use isn't a hard concept; any good distribution has blinky neon lights that point out the fact that you shouldn't run as root unless you need to. And for the truly stupid computer user, you can educate them by saying, "You can make your username whatever you want, instead of something boring and mundane like 'root'."
On the whole, I'd say Linux is, by default, more secure than Windows. After all, you can get rid of damned near anything you want to in a Linux install. Windows, you're stuck with crap you'll never use unless you sacrifice a goat and invoke the name of Cthulhu to uninstall it. Furthermore, in my experience, Linux-based patches are rolled out far more quickly than Windows-based patches. Not to mention the fact that Windows-based patches sometimes, ahem, cause other things to break. (Oh well, the fact that IE is now broken for me got me to install Firebird.)
All that aside, Windows *can* be secured. Personally, I'd rather secure a Linux system - it's easier for me. But your own mileage may vary.
We are switching over to the Linux based system on our "sponsored" tables, however for our pay-per-use system, we have no choice. None of the bill collectors work on the Linux version as of yet. Until then, on some of our terminals, we have no choice.
Security is a problem, because for starters the kiosk program we have will not run on NTFS, only Fat 32, so we have to swap out harddrives with at least 1 terminal out of 10 a week and reghost it because despite blocking software, people DL things they shouldn't be.
At work, I have a Powerbook and my boss now has a dual boot system with Windows XP pro and RH 9. He's trying to get used to Linux and Openoffice so that we can have all future employees either use Macs (for those needing photoshop/DW) and everyone can do billing and accounting from Linux terminals.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
I'm a bigger Linux advocate than anyone, but this conclusion is wrong. There are plenty of vulnerabilities in end-user Linux applications; but there are two factors that resist worm/virus developers:
1) Fewer users
2) Heterogeneous environments
Don't worry, when Linux takes over it will have its fair share of viruses. The Mac was the first seriously virus-prone platform, perhaps the Amiga was up there too back in the day.
these virii were created by people - people create virii for windows because that's what people use, not because it's more insecure than other OS's. When linux gets more popular people will start making virii for it.
The way I see this is that Windows is for good or bad popular. As such people will poke around it more and find more holes. It's not like Mac + Linux are totally secure. Now as there are more people, more holes will be found.
This is, quite simply, a canard. By even the most conservative estimates, Apache outpaces IIS by 10% penetration, and yet the most common worms that affect webservers are Windows worms. By this popularity logic, wouldn't it make sense that virus writers would exploit the more popular webserver? Or maybe it makes more sense that virus writers would use their resources more efficiently to attack the easier to kill system, not necessarily the most popular. The fact that Windows is both easy to 0wnz and popular does not make other systems inherently less secure, or even as insecure as Windows.
This suffers from the same illogical open source argument that says "more eyes looking at the code makes it better". NO. A million monkeys on typewriters won't write Shakespeare and a million linux-heads writing code won't build the perfect system. Security, just like writing operating systems, requires attention to details and knowledge. Windows undermines these by putting barriers to a secure system in the name of their own agendas.
Now from these Microsoft issues more patches etc. It should be pointed out that the holes that allowed the recent worms are fixed by a patch released over a month ago. It's just that people/admins haven't applied them meaning systems are still exploitable.
Did you bother to read the article? Because if you had, you'd notice that the author pointed out that Windows ships with five open, exploitable ports, as opposed to 0 on a stock Linux or OS X install. The author also pointed out the fact that Windows has auto-update, which must compete with a bevy of other MS sponsored crap, like "signup for passport" and "take a tour of windows".
"Also Windows isn't designed to be totally secure from the ground up it designed to work on a wide range of hardware and appeal to all levels of people."
An interesting thought, but does Windows work on as many platforms as Linux? Does the kernel scale from embedded platforms to supercomputers? And don't even talk to me about WinCE - I'm talking about using the same kernel in your wristwatch and on your server. Hell, even Darwin, the core underneath OS X, builds on both PPC hardware and x86 hardware. I'd say by comparison, Windows works on a much more narrow range of hardware than its more secure counterparts.
As for all levels of people, well, I'll take the MacOS interface against Windows on a usability Pepsi challenge any day of the week.
My other computer is your Windows box
The claim of the author is bogus.
The author claims that windows is insecure by "Design" but he fails to talk at all about the actual design of the system. Design goes to the core of system design and I know security was definitely designed into NT from the start unlike Windows 9x.
I don't consider buffer overflows to be particularly a design issue but generally coding faults. Every OS has had buffer overflow exploits and design cannot prevent them unless automatic protection against them is designed in, which most OSes don't implement.
The author should do a bit of research and not write fluffy articles that have no merit!!
From an economic perspective, ease of use is probably still more important than security.
Yoda was sitting on my shoulder today;
when he saw your post he had this to say:
Pegoraro has a point about users not patching their systems, but unfortunately I can understand why: the updates are causing huge problems.
On one of my desktop systems, the latest Windows XP driver updates trashed my Hercules Game Theater XP setup. Lots of error messages and no sound!
On my Laptop, the latest Windows 2000 service pack blew away support for the Netgear MA401 WiFi card.
The first problem is easily dealt with. Roll back the upgrade. Sound worked before and it wasn't a critical update--just recommended.
For the laptop, I now have a choice between gaping security holes or WiFi support. Thankfully it dual boots to Linux
I wonder how many people are in the same boat. Plug and pray, or plug and pay!
I run probably the only Linux machine on a residential LAN with a shared internet gateway. Since last week sometime, the virus has so infested the XP/2000 machines on the LAN that all my upstream requests are dreadfully slow. DNS queries and HTTP GET requests, etc. Downstream transfer speeds are just fine. This is the curse of the Slammer virus - 10 to 15 port scans per second per machine on a largely M$ LAN leads to practically no internet access. The sorts of users who refuse to update their machines even weeks after a virus advisory is issued are the bane of their LAN neighbors. How can you just not care that your machine is randomly shutting down with 60-second warnings?!?!
So, Linux helps, but only in as much as I myself cannot become infected.
Hopefully this will post...
The Washington Post discovers that water is wet and fire is hot.
Wake me up for the Pulitzer awards...
Viv
Gmail invites for ip
The question is, do they really care more about the customer or the bottom line?
The bottom line, obviously.
I remember reading an article in Dr. Dobbs about a great piece of file indexing code that Microsoft wrote.. it was a great system, bounded resource use, bounded worst-case performance, a nice piece of CS. By the end of the article I learned that it was written TEN YEARS ago and Microsoft sat on it because they didn't need it from a marketing point of view.
That made me think about how Microsoft operates. They just give out enough to keep customers from leaving. Not one ounce more. That's why Windows is a crappy OS (captive audience, everybody has it on their PC) but the desktop programs are a little higher quality (there is some competition, however tiny).
Another example: C# is a completely open language, not because MS is generous, but because it's a selling point over Java.
MS is calculating and ruthless. You'll get security from Microsoft when it starts to be a problem for the bottom line. Not a day sooner.
And judging by my friends' and co-workers' nonplussed reactions to these worms/viruses, that day is a long day off...
Sure Windows has bugs that lend themselves to security problems. But nowhere in the article does he prove that Windows is more insecure than Linux or MacOS. All he can claim is that the default settings on Windows aren't the best choices for security, and that Red Hat and MacOS do a better job. I'd call relying on default settings user error, not a problem with the Windows code itself. You might as well say Solaris is insecure by design since (with Solaris 8 anyway), the default install runs sendmail, allowing spam relaying and leaves the telnet and ftp ports open, which can result in stolen passwords.
Vote for Pedro
As most people know, it's normal for companies to add design features according to a plan that evolves their products a stage at a time. The ideal product cycle introduces the new version after every potential customer has bought the previous version. Part of the sales pitch for the new version is that it fixes the flaws in the old version.
Some Windows security holes seem like they could be closed so easily, for example making a security screen part of the setup wizard instead of just leaving the ports open and the firewall turned off. So here's my paranoid interpretation of this article: Are these holes truly left in place "by design" in order to motivate customers to upgrade when Longhorn goes on the market? Is their strategy to do the patch dance and keep blabbing about Trustworthy Computing until they are ready to ride in on a white horse and save the day?
I have been wondering how Microsoft expects to convince millions of intelligent people to shell out for all new DRM-laden hardware in order to upgrade Windows. Maybe one of their levers is to let worm-writers run rampant for awhile. The bigger and badder the boogie man gets, the more willing people might be to swallow the big blue pill.
At the time at which the first Mac viruses appeared, there were already several hundred DOS viruses in the wild. In fact, I don't believe there were ever more than 24 or so Mac viruses in total. In fact, nVar was, I think, the last major one, and that was circa 1990. By contrast, there were already several thousand DOS viruses (many written in Russia) in existence by the time Microsoft introduced Windows.
In the future, you may wish to actually know what you're talking about before posting...
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Users running NT based versions of Windows are effectively forced, or annoyed, into running as admin. This happens for a number of reasons:
* Old software runs as admin only. Stuff that came out during the DOS/Windows days, much of it pretty recent, simply won't run as anything but admin. This is a nasty legacy thing, and is a vestige of the horrendous design of Win95/98/ME.
* Too much new software runs as admin. For example, if you want to run Microsoft's own Age of Empires, it only installs as admin, and only runs as admin. This is a new application made by the mothership, and clearly, fits into the home scenario as the article. I'd guess that at least 20% of the apps on my Win2k box require admin rights.
* Too many housekeeping functions require admin.
* It is a relative hassle to run a program with admin rights when not admin. The most common way is to right-click on the program's icon, and then select Run As, and then enter the admin password. Ugh.
* Even for the disciplined, quick user switching allows admin to stay logged in, most likely still running OE or some other security nightmare.
The upshot is that if a user even understands the concept of not running as admin, they are forced to, or get lazy and do so.
I've set up several users on Win2k, and taught them about security, and why they really, really don't want to run as admin. Months later, they all are.
This will be a problem if Linux ever becomes widely adopted by home users, and why Lindows runs as root by default.
Didn't Apple get this figured out? Why hasn't everyone else copied them as usual?
Jonathan
Well over 200, and climbing fast... not only that, my web-exposed boxes are getting a whack per IP address on port 135 about every 15 seconds (equals 17 a second for a Class C) - including many scans on Port 0? Does anybody have any idea why said worm might be scanning port 0?
Got time? Spend some of it coding or testing
To see if your windows box is secure..
Turn your Firewall off for ~15 seconds, if your PC still boots after that, its secure.
Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh, httpd, afp, etc) running.
1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)"
--- Kicking the Cheat since late 2002
Based on what I've seen and heard, it seems to me that the kernel and win32 really can't be all that bad, but the user interface layer is a hopeless rat's nest, and most users still probably do everything as an administrator in XP and later versions. While it's easy for me to do just about anything (besides installing new programs or rebuilding the system) without logging in as root, I haven't figured out all the various tricks necessary to lock down my windows install and still make it useful for something besides offline gaming.
I once had a worm in XP,
as it broadcast it said this to me,
"I get a deep thrill when I think that dear Bill,
writes the OS of the poor bourgeoisie."
Cake or Death? Cake Please!
A PC kept current with Microsoft's security updates would have survived this week unscathed.
lol - like I said - this week wasn't a problem for me or my family and friends.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
And it don't, so it ain't. QED. (-:
Got time? Spend some of it coding or testing
A few years ago there were a few rants because Linux (redhat) wasn't secure out of the box. It shipped with a few packages that had a few exploits- yet the fault fell on the user for not updating their package. ...
My grandmother hasn't updated anything on her computer- she's 81 and more concerned with knitting and talking to her grandchildren. I just walked her thru an update.
Can you imagine if I had to tell her how to do that on linux ?? (without a subscription mind you) - Yeah grandma, type wget -?
Windows Update did- and worked- and fixed it. But it's easier to bash MS for the people who didn't patch their systems in a timely manner than to target the blame where it ought to be.
In the past 3 years, since my Grandmother got her computer, how many new Redhat versions have rolled out? How many of those versions would seamlessly install over the other one? I believe the answer is 3 versions and none, Bob.
Lay off the MS bashing- most of my software I have to use is closed source and several $K per seat- I'm not going to stop using MS until.... well, never. If they move to a different system then I move. I'm tied to the company that writes the code I need to do my job, as are many people in the engineering fields. Leverage one, move the other.
...goodnight worms...
(from my Mac)
Cake or Death? Cake Please!
perl -e 'unlink("--help");'
Apparently this guy didn't hear about the FSF ftp site being hacked and owned for 3 months, causing them to lose trust in valuable data. No operating system is secure. Pointing out that users are stupid and don't know how to run their systems securely (which is all this article really says), is useful sometimes, but MS hardly has a monopoly on stupid users.
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.
Sorry, but AOL already has that mass-deployment patented.
.unsigged
I wonder how many people read the EULAs? I bet the numbers are related (and small).
Little Brother, watching the watchers
It is exactly because of this that Windows is considered insecure.
There should be no way to run an already compiled program that can modify potentially anything on your system from your email! What fool thought that would be a good idea?!
Try emailing me your latest Perl-based virus, and see if it just runs because I click on it (thinking it's a cool image because you named it CoolPhoto.jpg.pif).
You think that everyone in the world should know how to protect themselves from Microsoft's follies? I don't think an average user should have to worry about idiot protection 'conventions' at all.
It should just work, and failing that, be blindingly obvious. Windows meets neither of these criteria.
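The `CoolPhoto.jpg.pif` case mentioned in the comment above depends on Explorer hiding the final extension of known file types, so the user sees only `CoolPhoto.jpg`. The following is an added example, not part of the original thread, of a mail-filter style check for such names; the extension lists and sample names are constructed assumptions, not a complete policy.

```python
# Added example: flag attachment names that look harmless once the final
# extension is hidden. Extension sets are illustrative assumptions only.

EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}
# Assumption: every extension above is a registered ("known") file type,
# so it is hidden when "Hide extensions for known file types" is enabled.
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def _normalise(filename):
    """Trim surrounding whitespace and the trailing dots/spaces Windows ignores."""
    return filename.strip().rstrip(". ")


def extensions(filename):
    """Return all dot-separated extensions, lower-cased, padding removed."""
    parts = _normalise(filename).split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def displayed_name(filename):
    """Approximate what the user sees when known extensions are hidden."""
    name = _normalise(filename)
    base, dot, ext = name.rpartition(".")
    if dot and base and ext.strip().lower() in KNOWN_EXTS:
        return base.rstrip()  # padding before the real extension vanishes too
    return name


def classify(filename):
    """Return 'ok', 'executable' or 'deceptive-double-extension'."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # A content-looking extension before the real one is the disguise.
    if any(e in DECOY_EXTS for e in exts[:-1]):
        return "deceptive-double-extension"
    return "executable"


def scan(names):
    """Return (original, displayed, verdict) for every name that is not 'ok'."""
    flagged = []
    for name in names:
        verdict = classify(name)
        if verdict != "ok":
            flagged.append((name, displayed_name(name), verdict))
    return flagged


# Constructed sample input, not taken from any real mailbox.
SAMPLE_ATTACHMENTS = [
    "CoolPhoto.jpg.pif",
    "holiday.jpg",
    "setup.EXE",
    "invoice.doc        .scr",  # space padding pushes the real extension away
    "notes.tar.gz",
]

if __name__ == "__main__":
    for original, shown, verdict in scan(SAMPLE_ATTACHMENTS):
        print(f"{verdict:28} shown as {shown!r:16} actual {original!r}")
```

A filter like this belongs at the mail gateway or client, where the verdict can block or rename the attachment before the user ever sees the shortened name.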
I'm a linux user and I'm affected by the worms. Not directly of course, thanks to the virus my DSL line is as fast as a 28K modem. It happens that my ISP (Verizon) is having problems with the extra traffic caused by the worms.
Okay, maybe I should have turned on the firewall before connecting to the Internet. I didn't realize the virii were scanning so relentlessly and quickly. I also thought that the idea of turning on a software firewall on a brand-new install seems a little dumb. All the firewall does is prevent incoming connections to insecure ports. If Microsoft knew when they shipped the OS that the ports would likely be found insecure, why wouldn't they just turn them off by default? I mean it is one thing to buy Norton Firewall on the presumption that they are fixing Microsoft's broken security model but why would I use a "security fix" that comes on the same CD as the program that introduced the security hole in the first place! It seems totally illogical to me.
The old DOS/Windows had security as a pretty secondary concern
Let's be honest, the people who originally wrote DOS (which was Seattle Computing not Microsoft) and everything after that up until the early 90's never considered security at all. It wasn't even on their radar and with good reason because DOS was just a program loader and disk drive controller. There were plenty of real operating systems such as Multics, VMS and UNIX around from the seventies but since DOS was only running on single user machines that weren't much better than a ZX Spectrum or C64 it didn't really matter. The problem is that somehow Microsoft managed to wallpaper a crappy GUI over the top of DOS and convince people it was a real operating system.
So it kept rolling on and the hardware got a lot more powerful but the basic guts of the "OS" remained little different from CP/M and its ilk. Alright NT was finally written from scratch but by then DOS was everywhere and so to this day all sorts of compromises are made to ensure backward compatibility which severely compromise security. It is a testament to Microsoft's marketing that people don't look at their OS's and laugh their guts up because really they are just the bastard spawn of a primitive (no disrespect to Gary Kildall) operating system that was only ever meant for use on the first primitive home computers.
Are you sure you want to send '--help' to the Recycle Bin?
I've been running various versions of Windows for years and have had ZERO problems with viruses.
1. Don't use Internet Explorer or Outlook Express (I use Netscape and Mozilla)
2. Use a firewall (the free version of Kerio)
3. Run anti-virus program.
4. Don't click on suspicious attachments
Over the past several years I've only received 2 or 3 virus-infected e-mails and my AV program took care of them.
I dislike Microsoft as much as the next guy, but the real problem is users who are so stupid and lazy they shouldn't be allowed near a computer.
I manage several win2k workstations (and several win xp laptops) in our company. Fortunatelly, we have avoided any work/viruses due to our firewalls, virus scanners and such but I accredit most of our success from the education of our employees.
I think, IMHO, that most of issues with the worms/virii/etc stem from the ignorance of the common windows users out there. Everyone and their grandma that wants to get on the internet do not look for alternatives out there, they go to circuit city/best buy and get the latest dell/gateway/whatever model and plug it in.
Within our company, we also have a couple rack loads of linux and free bsd servers that must be kept up with as far as patching goes. Most linux admin that I've met keep up with these things, my mother doesn't know the slightest thing about windows update. Granted, Windows isn't innately secure but it takes some knowledge to setup a generally secure linux setup.
Eh, maybe its all shite, but that's my 2 cents.
Quote from the article:
And for those saying they don't trust Microsoft to fix their systems, I have one question: If you don't trust this company, why did you give it your money?
The truth is: no, they didn't pay for the OS.
Seriously, still quoted from the article:
Windows XP, by default, provides unrestricted, "administrator" access to a computer. This sounds like a good thing but is not, because any program, worms and viruses included, also has unrestricted access.
It doesn't change a thing - if unpatched, those boxes are STILL subject to be infected. The Blaster worm, for example, was attacking a service which is already running with full SYSTEM rights.
So, that secretary with reduced rights on a Windows machine would have the virus anyways.
"...a generation of kids has grown up thinking Trance is the shittiest music since country and western." - Paul van Dyk
Is it just me, or does anyone else wish we had a Fark.com-style "OBVIOUS" tag for these types of stories?
Google top 10 search results for RIAA:
1. riaa.com
2. boycott-riaa.com
3. riaa radar
4. riaa radar
5. riaa.com
6. riaa.com
7. News article "riaa hit list"
8. News article "how to tell if the riaa wants you"
9. News article "riaa wants to hack your PC"
10. EFF subpoena database
Summary: 3 links to RIAA's site, 4 links to sites opposed to riaa, 3 news articles (2 of the headlines editorialize against the riaa)
Google is 60% anti-RIAA.
MSN top 10 search results for RIAA:
1. Latest news on riaa
2. riaa.com
3. boycott-riaa.com
4. News article "riaa asks napster to apologize to Metallica"
5. News article "riaa goes after file traders"
6. News article "riaa wins battle to id kazaa user"
7. News article "phony advisory attacks riaa"
8. News article "RIAA/IFPI Force CD Cover Site To Take Down Covers"
9. "Rolls VP129 Tube Phono Preamp w/RIAA EQ - American Musical Supply" (???)
10. News article "RIAA files proposed wording for Madster"
Summary: 1 link to RIAA's site; 1 link to a site opposed to RIAA; 1 neutral site; 7 news articles (none of the headlines editorialize against the riaa).
MSN is 10% anti-RIAA.
Conclusion: If Google represents what most people think of the RIAA, then MSN search has a pro-RIAA bias.
Remember the days when Republicans were the party of fiscal responsibility?
I now have a new signature on my emails:
*In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*
I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.
Buffer overflows are not an inevitable defect in modern operating systems. They are there because most designers and programmers have internalized the philosophy that fast is better than safe.
Mea navis aericumbens anguillis abundat
..in the world, this is the matter of accumulating enough of the critical mass.
When enough regular computer users realize that they spend WAY too much time patching, waiting for helpdesk guys, cursing dlls, missing emails, things will change.
Just like the fall of the Berlin Wall and the subsequent fall of the Soviet Union, you just wake up one day and boom - the common understanding of what Microsoft is changes like magic and a few months later they are gone to their proper 20% market share.
I welcome this article as a sign of the times to come.
...there's plenty of other kinds of Outlook viruses around to take up the slack. (-:
Got time? Spend some of it coding or testing
Windows more insecure by design? Bollocks! Who are these people making such sweeping statements? Talk about being clueless!
Look: Windows sucks, we all know that by now. But the Post wouldn't know a design if it hit them on the backside of the head.
What's wrong with Windows is that they're using some pretty mediocre programmers who have no formal training, at least not like what they should have, no discipline...
You have to make accuracy and stability a priority. In Redmond, writing cute AARD code counts higher. The jerk who wrote the GDI for Cutler in C++ was a gambling addict who wasted most of his time devising a system to beat the bank in Atlantic City.
It's not the system - it's the people, and the mentality surrounding them. MS act more like Nixon Watergate plumbers - they're not sensible programmers. Some of them may be OK individuals, but when they're working at a keyboard they lose it.
I have never seen so much bad code in my life as I have seen coming out of Redmond, and I am not making that up. I have thousands of CDs to prove it. Some of them shouldn't be programmers; others don't apply themselves. You have the same issues in every company. But MS go out after blood; they're fanatics, and stability and good programming are a low priority. With MS, it's worse - far worse.
'Insecure by design' is bollocks. What a waste of hot air...
R.
radsoft.net
Also fact: System relies on file extensions to differentiate between executable and non-executable files, which in my mind is a bit worse.
True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.
There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.
But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.
The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.
Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)
This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!
Quote from a poster on that story:
Mmm-hmm, and there goes security.
(Story link: Gnumeric Now Supports All Excel Worksheet Functions )
The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.
Professional Wild-Eyed Visionary
For example, if a design goal is that scripts can be made that can do most anything on the computer (format hard drive, install software, etc) and that the scripting feature is connected to the EMail program and that EMail be able to have scripts in it for other useful reasons, then you, by design, made the system insecure.
It is not that you sat down and said "How do we make it insecure" but rather, by the design you did come up with, you made it insecure.
And, yes, the above example is exactly what Microsoft did. Each step, by itself, seems reasonable. They wanted the scripting system to be able to do anything it needed such that you did not always have to use the "point-n-click" to get things done. Us UNIX types fully understand that. They also wanted the scripting system to be widely available (same technology everywhere) which also makes sense (no need for 100 different scripting systems for the 100 different applications). Even the ability to have EMail with scripts in it (just like HTML with JavaScript in it - there are some really good uses) is a reasonable concept. In fact, if not for the need for security, this feature is/was rather nice as you could do system updates by sending EMail to all of your employees and *poof* it was done when they got the EMail. (Or timesheets, or other scriptable tasks)
The problem was that when you put all of this together you get a major security problem. Huge even. And, unlike what Sun did (and knew to do) with Java and the JVM, Microsoft left this stuff completely open (the scripts can even have x86 code in them!) So, while you get tons of flexibility (by design) you also end up burning yourself (by design).
Anyway, Windows and Windows applications have been and are insecure by design. Not that they wanted to be insecure but they designed features that cause insecurity.
And, if you say that this is not "by design" then I guess a design does not need to take into account all of the aspects of the design. A real designer tends to think through all of the side effects of the design. Thus, either they knew it was insecure when they designed it or they were incompetent. Which do you think they are going to claim?
Windows users are insecure as well
Hmmm...
As pointed out in the article, Windows update notices appear within a blizzard of other annoying notices that Windows users have to deal with, which are mostly in the nature of sales pitches. Usually when you pay for software, it stops dunning you with advertising, but not Windows.
I don't know but imagine that recent Linux distros have competent security update mechanisms. I do know that Apple has a very slick system for updates. Not that some users don't ignore them anyway. Which is the reason for shipping with things closed up so that inexperienced users don't expose themselves unwittingly. But MS intentionally decided that wasn't their worry (by design).
It isn't "bashing" to point out mistakes. But it will become bashing if MS doesn't learn from its mistakes very soon. The article had a great suggestion there for MS to distribute the fixes at no cost.
ThosEM
1) A distro could have a button on the desktop to apt-get update - when I was running a debian distro some time back I had a special security-oriented source that I updated from (forget the name). Also you are more likely to be able to install multiple patches at once instead of having to reboot after every patch, possibly confusing users into thinking they have patched when in fact they have only patched one thing.
2) If your grandmother were running Linux you could ssh over and patch it for her.
Point (2) is really the most notable - use of a system where you can enable SSH logins easily (like Linux or OSX, yes I know you can get SSH services for Windows but not by default) means that people with reasonable technical knowledge can act as quick medic to many more systems and at a faster rate (as you observed, helping anyone over the phone is an exercise in frustration for all). I think every single technical person should just stop giving help right this moment to people who do not have a machine you can log into. How many people get by with windows systems only because they have that one technical friend who can help them out? We are all enablers in that regard in that we all try to help people when we can.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I'm one of those "unaffected" OS X users. In the vast majority of clueless AV bounces I've received, the forged address is the one I created solely for my Slashdot account. I've never sent anyone a message from that address (well, except for the editors so they can reject every single story I've ever submitted, but I'm not bitter). Even though I stopped displaying it here a while ago, I think it remains visible on archived pages.
So how did SoBig get the address if it's not in anybody's address book?
With write privileges only to their own sandbox, then, none of this would be happening. Instead, you've got IE and Outlook running as a user's account, so, despite the prevalence of a workable user based access control list based security system in Windows, Microsoft does not use it where it really counts. Dumb dumb dumb.
This is my sig.
But my friend said to patch it by doing
Sure hope that works....
All's true that is mistrusted
Today I sat down at my computer when I got an MSN message from a friend. That friend is a complete noob with computers and now he had a problem.
.... After a while, me trying to explain to him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...
.... I, after a while, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....
.... I try to explain to him how to use windowsupdate but am almost giving up since he just doesn't get that he just has to press scan for updates and then install updates. Well, in the end he gives up and says he doesn't care ....
This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.
Me: Yeah, there are a few major viruses flowing around the net right now. Have you patched your system?
Friend: Patched ? ?
Me: Yeah. You know downloaded updates for windows.
Friend: No..
Me: Oh well. Here is a link to a virus scanner try and run that first.
Me: Good now to update your system.
Me: So, Now I suggest you update your system with patches from windows update.
Friend: Why? What should I waste time download all that? What good does it do me ?
Me: Well... It secures your system, gives you updates to windows programs and IE and new drivers. You know. Makes it up to date.
Friend: But how do I do it ?
And there is the entire windows Security problem. Users that just come to their computer to surf a bit and download a few programs like kazaa or emule just don't feel the need for updates. And they end up spreading the viruses to the entire net. Oh.. And it doesn't help that MS doesn't allow pirate versions of windows to be updated fully. I can see why it would in a sense suck for them to give free updates to people that haven't paid for the system. But people don't get updates when it's all blocked. Which in the end leads to viruses like this running wild.
Add a signature to your email client for a couple of weeks that says you don't use Outlook or any Microsoft email client. If someone has email from you with headers that originated within Outlook, then please delete the message because it is almost certainly a virus. But the people would have to understand how to view full headers under outlook and outlook express. Send this to everyone in your address book and let them worry about how many of the people in their address books got spammed in your name.
Also, my email logs have already been handy in proving the ownership of questionable email and in tracking sensitive email that was sent but the client did not receive. The mail server at their ISP was swamped and couldn't get a dns lookup on our mail server. They bounced the email, but didn't send us a bounce message. The client called and was upset that they had not gotten the information. Luckily I had also cc'd the email to the company owner and he had gotten it, so I sent the log entries to the client and suggested that they may have lost more email.
The moral here is that windows insecurity has bitten me this week and I wasn't using windows. My linux servers are having trouble communicating with other servers that are buckling under the strain. It will be great when MS actually gets some substance in their "Trustworthy Computing".
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
... where on the dartboard we have to live. No one of us created the 95% Windows landscape - we can work to change it, but for now we have to live with it.
For whatever reason (bang-for-the-hack, familiarity, relative security), Windows is going to be in the bullseye of the target for the foreseeable future. Linux and Macs are going to be well away from the center.
The vast majority of Joe Sixpack users don't really do anything Windows-specific - they could switch, and move out of the bullseye.
Hey, someone with more graphic taste than me should create a picture explaining this to the public...
To a Lisp hacker, XML is S-expressions in drag.
Bears shit in the woods.
Seriously though it is nice to see more mainstream papers to be so observant. Course this is on their webpage, I wonder if it would be in their tree based distribution.
"Listen up kids! Don't pirate software! You'll end up having to answer everyone's questions about computers."
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
This is either a troll or *really* misguided, but I'm bored, so what the heck...
1) They can't. Windows has to be usable by everybody. The ease of use directly conflicts with such things as security. Sure, Windows could have a really strict permissions system by default, try to get people to use a normal user instead of using Administrator all the time... but then your grandma wouldn't get why "cake" is not a valid password.
2) They can't kill it. Many people like myself dislike MS not only because of their crappy software, but because of their monopolistic practices. MS would have to release something decent AND to start competing fairly for me to like it. What are the chances of them doing that?
Windows based on Linux won't happen. MS needs backwards compatibility. Isn't the lack of availability of Office and other programs one of the things that makes moving to Linux so complicated? Now MS is in a really bad situation, if they make an incompatible Windows version, the inconvenience caused by the new Windows version will be almost the same as by Linux. And since Linux is free, has a better security history, and isn't made by a company that uses shady tactics it would surely win, or at least get a big piece of the market share.
Likewise for the patching.
Unfortunately, I also help to run a society with 2,000 people on its mailing list. Guess how many of them have got the virus at some point, and how many other people are now getting the virus with a spoofed From: header containing the mailing list address? I know nobody got it from that address, because there is exactly one person in the world who can authorise posts to that list, and my system is clean. Doesn't stop the irritating automatic replies from "clever" ISPs though. :-(
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Lets say I'm a dickhead virus writer and lets also say that I want to bring the internet to its knees with my virus.
I then consider which operating system to attack -
Linux - way too secure for me to even bother! It's air-fucking tight - gee I don't stand a chance.
Mac - Wow! I can't even understand this operating system - let alone hack it
Windows - ahh yes, piece of cake
If Linux/Mac were even half as popular as Windows, there would be plenty of exploits/hacks/viruses written for those OS's
The fact is - Linux users are basically Slashdot readers and are therefore not stupid enough to expose their systems directly to the Internet the way millions of idiot Windows PC users with cable modem public fucking IP addresses are.
As for Macs - even virus writers must say - "Who the fuck cares?"
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Outlook Express 6 SP1 now comes with a setting to "read all messages in plain text", which is how I have my system configured and which gets rid of approximately 100% of email viruses. But unless you happen to be fiddling around with the configuration of OE, you'd never know this setting exists. If anything, Microsoft should be prominently advertising this "new, free" feature (which of course ain't new, it's elm-level functionality) as a way to protect your system, but they won't.
Sure, but most people like their email with pretty colors. Then, fine, they should do what Poco Mail does, automatically "sanitize" email by stripping potentially harmful HTML coding and external image downloading (i.e. webbugs) while allowing basic HTML formatting to be read. This is not rocket science, but MS seems to be irresponsibly holding back on such basic safety improvements.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
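The sanitizing approach described in the comment above (keep basic formatting, drop active content and external images), as an added example that is not part of the original thread and is not Poco Mail's or Outlook Express's code. The tag allowlist, the function name `sanitize_html_mail` and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: basic formatting only. Everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong",
                "ul", "ol", "li", "blockquote", "a"}
VOID_TAGS = {"br"}
# Containers whose entire content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "applet"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Re-emits only allowlisted tags; all attributes except a safe href go."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.removed = []    # audit trail of what was stripped
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            # Includes <img>, so remote images (web bugs) never load.
            self.removed.append(tag)
            return
        kept = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if href.lower().startswith(SAFE_SCHEMES):
                kept = ' href="%s" rel="noopener noreferrer"' % escape(href, quote=True)
            else:
                # javascript:, data:, relative and empty links lose the href.
                self.removed.append("a[href]")
        # Event handlers (onclick=...), style= and every other attribute
        # are never copied to the output.
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped so it can never turn back into markup.
            self.out.append(escape(data, quote=False))


def sanitize_html_mail(html_body):
    """Return (sanitized_html, list_of_removed_items) for an HTML mail body."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out), parser.removed


# Constructed sample message body (not taken from any real mail).
SAMPLE = (
    '<p onclick="x()">Hello <b>team</b>,</p>'
    '<script>document.location="http://tracker.example/x"</script>'
    '<img src="http://tracker.example/bug.gif" width="1" height="1">'
    '<p>See the <a href="javascript:run()">notes</a> and '
    '<a href="https://intranet.example/minutes">minutes</a>.<br/></p>'
)

if __name__ == "__main__":
    clean, removed = sanitize_html_mail(SAMPLE)
    print(clean)
    print("removed:", removed)
```

An unclosed `<object>` or `<iframe>` makes this sanitizer discard the rest of the message, which fails closed rather than letting later markup through.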
From the article:
I use mutt to read most of my mail (years ago, I used pine.) Opening strange attachments isn't an issue for me, and shouldn't be for anyone else. If there is executable code in an attachment .. my client will show me executable code, it sure as hell won't run it. That's common sense.
In other news, the sky is blue, water is wet, and my feet stink.
it's dorm move-in weekend at the university where i work. after looking at a sample of the machines brought to school by students given the privilege of early move-in (ra's, mainly), we found that less than 5% of our students were patched for both blaster/lovesan and welchia/naichi. as such, it was decided that shutting off the entire residence hall network would be easier than shutting off ~95% of the ports once they got infected (typically takes 3-5 seconds in this environment). so our student workers and a few full-timers like me get to make our way to every single student machine (~8,000 students in the dorms) and analyze, clean, patch, and install a current virus scanner.
overtime is great.
You couldn't have anything like Blaster occur on Linux (at this scale, even if Linux was as widespread) for a few reasons:
1) A lot of distros now enable no services by default, and services that do run usually do not run as root and so can do nothing to either the system or the user's files. Same thing goes for OSX which enables nothing by default.
2) Between the different distros around it would be harder to make a virus that would work correctly everywhere, unlike Windows where monolithic releases ensure that a huge percentage of your target will have the same exploit to, well, exploit.
As for SoBig, your point is a little more valid - but almost no mail readers other than Outlook make it so easy to run an attached file. One click infection is not a feature.
Of course, the basic idea that Windows has so many viruses because it's the most popular has been discounted by many posts here re: Apache and IIS. But another supporting point is this - about 15 years ago Macs absolutely held the crown for viral breeding, and that was because the system helped foster them (many many boot viruses) - yet they were not then the dominant platform at all.
The simple fact is that if you make viruses easier to write and to propagate then you have more viruses on that system as a result.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
First off, let me say that I KNOW that Linux and BSD are a lot more stable than Windows...but in the real world...where family and associates need to be spoon fed, Windows is what is in use. I have had absolutely no problems with any of the recent outbreaks. BECAUSE, I ensure that the computers under my care are current with updates (after I evaluate them) and that firewalls are properly configured.....and yes, I even talk to the users and ensure that they know that there is some new bad thing out there. Nothing personal, but do not whine about Windows if the real problem is that you expect your users to take care of everything themselves. I don't expect them to, and I am happy to help them without making them feel stupid. That is why I am still employed and happy at my job.
Nice troll!
I remember getting a CD with both the System 7.5.5 update from Apple and some Microsoft updates on the thing.
It's a shame that they don't mail updates to registered users, though. It'd be a good way to convince people to own legal copies.
May we never see th
Those that read the Washington Post know Rob Pegoraro has:
1) Never seen an Apple product he didn't like.
2) Never read an Apple press release that he didn't agree with.
3) Agrees that all new Apple strategies have finally got it right.
Why does that lag exist at all? I realise Microsoft has built its fortune by masquerading software as a tangible good, but we're talking like one CD to each vendor. They're just copying an install onto hard drives and pushing them out the door, so why aren't they kept up-to-date? Couple the in-factory lag with that on already-boxed inventory and the OS that first boots up can be ages-old - and it's probably already attached to a hostile wire.
Your reply is the best so far; however, just take a step back and listen to my point.
Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?
People get in vehicles drunk and run into families of four, killing them all. Do you think that this unintentional side effect was, 'by design' when the engineers created the vehicle? Was it 'by design' when man created beer or wine?
I think I'm being treated VERY unfairly by most responses here.
I give you one more example.
When the hammer was designed, do you think the designer intended it to be used to kill people? Or how about the baseball bat?
This is being over-analyzed by so many techies, that I think the clear facts are being missed. That which is, the article is misleading and doesn't contain a fair wording of facts. Put yourself in the shoes of others. Take a breath and look at my point.
Right because unpatched Linux systems have no flaws. LOL.
Yes, it's been a long week, hearing people complaining about this, and I have seen precisely zero evidence of the worm. I'm sure if you were able to sneak in over the weekend and reformat their drives and replace everything with Linux and Open Office, etc., they'd suddenly magically feel compelled to keep their systems religiously up to date, and would have NO problems whatsoever.
Can't turn on the automatic updates on Windows, that would, like, fix things, and stuff, and we wouldn't have Unka Billy to kick around.
As usual, they have struck a good balance between security and ease of use - when you first install you are asked for an admin password (a bit fuzzy on the details as that was some time ago). Then, anytime you run something that needs admin rights a dialog box pops up asking for the password - if I clicked on some random attachment you can bet I am not likely to release that password!!
Happily, few applications require the admin password to install - one of them is, of course, Microsoft Office X. At least I don't have to leave it running and it doesn't seem to have any background services...
Apple's mechanism for having normal users access admin rights is a pretty good one, I would like to see some linux distro pick up this practice if there is not one already.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If Windows is attacked because it's popular, then why isn't Apache spreading more worms than IIS since it has 60% of the webserver market?
why are your developers doing i.t work?
bite my glorious golden ass.
The NT kernel and even the userspace system are designed for multiple users.
Yet they still have to deal with backward compatibility to a Windows API that evolved from CP/M's. The solution here is starting over, such as in the .NET framework.
Will I retire or break 10K?
Yes, many default Windows NT settings could be better in terms of security. For example: user accounts, by default, are part of the Administrators group; many security problems could be avoided by running with fewer privileges.
These defaults are designed to be convenient more than secure. IMO, many of the users having problems with these insecure defaults don't know any better. They just want the machine to work. It is inconvenient to switch to an administrator to install new apps, so Microsoft (not discouraged by retailers) designs defaults that are convenient, like these: 1. Make only one user so they don't get confused. 2. Since there is only one user, make it an administrator so that they can easily install new programs with a minimum of hassle. 3. Make other defaults compatible so they will work with poorly written 3rd party programs that won't run without excessive powers.
The point I am trying to make is that poor defaults are not equivalent to poor basic design and that better-informed users can easily change these defaults so that the system is vastly more secure, even if it means more work to get finicky programs to work.
If average users can't handle using their computer with a normal user account, disabling services they don't need, configuring a firewall, how do you expect them to deal with the exposed complexity of Linux?
Personally, I use XP, Mozilla, only patch when there is a new service pack, use a firewall, and have had zero problems with any of these virii.
"Windows XP, by default, provides unrestricted, "administrator" access to a computer."
And this after Microsoft made security its number one priority!
Anyone here who does not believe that the "security is our number one priority" speech was nothing more than a PR decision please raise your hands.
The race isn't always to the swift... but that's the way to bet!
I caught a brief news story on CNN this morning about the recent worms. There was a correspondent from PricewaterhouseCoopers claiming that since Windows and unix are the most used operating systems, most viruses are written for those platforms.
I wouldn't have thought that there were more than a handful of viruses written for Unix, and they certainly were not the cause of the recent increase in email traffic. What is Pricewaterhouse smoking? And what's with that name, anyway?
I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.
Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. The press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".
And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embedded in every program you write.
Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.
Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.
mark my words.
Windows - insecure by design
"Well no s#it!" quipped man on the street, John Q. Slashdot.
Sorry, it doesn't take Woodward and Bernstein to figure this stuff out.
I seem to remember from when I was in college (around 1990) that macs in the computer labs had a lot worse virus problems than the PC part of the labs. There may have been more DOS viri, but for some reason the mac ones seemed to spread and "stick" a little better.
However, if true all it does is lend credence to the thought that even if Windows were not the biggest platform, it still would be the one with the most viri - simply because it's easier to write successful virii for.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It has been recently discovered that the Pope is Catholic. Who knew?!
You did have them shut down the VNC server when you were done, right? :-)
I applaud you for helping out all these people though. It's scary how seemingly a lot of the country works only because they have similarly ept friends like you...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
a few days ago i got an email from the mcafee smtp gateway at wright-patterson air force base saying that an email that i sent my commanding officer was a virus (??!!??)
since my email correspondence is exclusively conducted from a linux machine or from yahoo's webmail interface, i was, to say the least, perplexed.
this makes perfect sense. i'll go do some research now...
Too bad it's on page F7 of the Sunday edition... Joe Windows User will never see it there. It should have been on the front page, or maybe in the sports section.
Lost: one sig, witty, 120 chars, sentimental value. Reward offered.
I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.
Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.
And this has been the same on the 2 different machines that I've run XP on.
But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.
Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.
And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.
So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.
I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.
I guess your mileage may vary.
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
rm -f -- --help
I hereby place the above post in the public domain.
What a freakin' joke of a topic. No one in their right mind intentionally designs flawed software with hopes that someone will take advantage of them. Microsoft may be sloppy, but they aren't stupid.
You gotta remember, virus writers are little more than terrorists. The only difference is the hostages aren't necessarily human... it's data and CPU cycles. No self-respecting terrorist goes after the minority when there is a much larger group of victims to attack.
8==8 Bones 8==8
ok, let's look at this...
we have a marketing machine that has sold windows as 'easy as a toaster oven', i.e. no technical knowledge needed. they seem to have pressured choices to be made that sacrificed security for simplicity/user friendliness.
we have the programmers that created bugs 6 or 7 years ago that are still being discovered and they are writing new ones. the attitude that once a piece of code is 'done', it's done. the pressure to make the new version seems to be a problem here.
the users. granted they've been told it's easy and you don't need this or that or to think. but they bought a complex system. they thought they bought a toaster oven when really they bought a car. every halfway awake person knows that a car needs regular maintenance or it will break down. and even then things go wrong. and when the car needs work you do it yourself or you *pay* someone else to do it. this seems to have escaped computer users. how many of you heard users express: 'you want me to *pay* to have a virus removed?'
anyway, i think the real reason why we have these problems is that too many people had their head in the sand and said it can't happen here. or decided to save bucks by not doing pm or save bucks by not having qualified technical talent, etc.
eric
the real problem is users who are so stupid and lazy they shouldn't be allowed near a computer.
No, the real problem is Microsoft, using marketing to make a complex system that requires careful maintenance appear simple and practically zero-maintenance-- and then selling that system to people who are incapable of and/or have no interest in carefully maintaining it once the truth comes out.
Oh, and let's not forget their "open kimono" security model-- unnecessary ports open to the internet by default, and swiss-cheese apps that until recently would allow arbitrary code stuck practically anywhere to be executed without warning the user by default.
Blaming the clueless users here is like blaming the tenants when their apartment building collapses one night while they're all sleeping.
~Philly
Microsoft has this stigma because virii writers know what their target audience is. If you wanted to make a statement would you do it for 10 people to see or 10000 people?
If 10 years from now linux becomes mainstream (yeah right), you'll soon see a rise in virii written for the audience that uses the most popular OS.
Not to mention the fact that most virii rely on users' stupidity (Moms, grandmothers, suit types etc etc etc) to click an attachment. This is something a well informed user would never do.
I'll admit OCX, COM and even OLE in MS is a horrible idea to have running about, but that's the stuff that makes MS easy to use and why they have the monopoly.
My mother never saw the irony in calling me a son-of-a-bitch.
I block all emails with an executable attachment. Don't like it? so what. Use ftp or http to get your file.
I believe that email should be intrinsically safe. I don't give a rat's ass if someone thinks they know what they are doing. I know that what they are doing is dangerous and I choose not to spend my time fixing their virus infected windoze box.
My reward is that Sobig and the rest of the MS virii of the week just bounce off my email server.
I get no complaints really. In general my users are glad that the stuff they are hearing about is someone else's problem.
Umm... I'll probably be modded down, but... Developers aren't IT support. They're basically end users that shouldn't have to worry about keeping their desktops running (at least where I've ever worked).
bump
Unfortunately, the biggest problem with your statement is this: "If 10 years from now linux becomes mainstream (yeah right), you'll soon see a rise in virii written for the audience that uses the most popular OS. Not to mention the fact that most virii rely on users' stupidity (Moms, grandmothers, suit types etc etc etc) to click an attachment. This is something a well informed user would never do."
The rationale of that statement is that users can affect the system. A properly setup system (as is the case for a standard *nix install) provides users with a baseline environment to work in, in addition steps have already been taken to negate the ability for 'virii' to be anything more than a nuisance. Of course I could be completely wrong here... I doubt it, but what the heck. Let's entertain this thought -- let's say that *nix becomes the mainstream desktop OS of choice... let the virus writers of the world go nuts... what you'll find is that even the best quickly give up because of the inherent strengths of *nix OS's. Basic user vs admin rights, the standard setups that don't allow rm -rf /*... the best a virus writer will be able to do is *MAYBE* delete a file or two from the user's own account... but the OS itself will always remain intact. The biggest problem, as I see it, is that MS has dumbed down the OS so much, that people no longer understand the difference between user and admin accounts. A generic install of 98/se/ME/2k/2kpro/xp/home/etc. and you immediately have an account that is the equivalent of always logging into a linux box as root. So... here's one difference between *nix and M$ is that at least *nix installs create user accounts and do not mix user and admin privileges on first installing the OS.
Windows patches come in both a Windows Update version (downloaded through an ActiveX control through windowsupdate.microsoft.com) and a "redist" version (downloaded through any graphical web browser).
Will I retire or break 10K?
This post hits the nail on the head. If every 'dumb' Windows user were to suddenly be given a completely up-to-date Linux system, there would be mass worm/virus attacks in a couple months. Flaws would be found, the systems would go unpatched, and we're right back where we started. The computer is only as secure as the user allows it to be. I think automatic updates is a fairly good idea, especially when compared to the alternative (well, for broadband users, at least). If Linux had 90% of the desktop, we'd see all sorts of worms and virii as soon as people found some exploits. And they would find exploits. No code is perfect.
Oh wait, this is slashdot. Where slashbots salivate over the divine opportunity to smell Linus' excrement.
Sorry, I just HAD to say something to get modded Flamebait.
General Issimo Francisco Franko is still dead.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
[Microsoft Windows] XP ... has an administrator account, and all other accounts can be made to run as guests.
Yes, but they can't run much. Many of the most popular Windows applications, especially games, are poorly coded such that they require Administrators group privileges to install or even to run. The publishers of these apps did not realize how poorly coded the apps were until Microsoft switched its consumer operating system from the Windows 9x codebase to the NT codebase.
Will I retire or break 10K?
You know, how hard would it be for Microsoft to add a patch that, when a computer is booted, a large red screen comes up and tells people there are new patches? You know one to replace the you are booting into windows screen or something like that. They have to watch that dumb screen anyway. When they connect to the internet it would send a message to the computer that there are updates then next time they reboot they will know. The thing is Microsoft already does some automatic updates without letting the customers know now. If you have ever used the MSN software you would know what I mean. I used to do tech support for MSN and we always knew when they would do an update because that day we would get flooded with calls. Microsoft already does updates. They have spyware on our computers already. They just need to use it to work with their customers rather than use it all for marketing. The problem with Microsoft is that the customer is not number 1, the dollar is. This is going to be their downfall one day.
I love Microsoft bashing as much as the next Linux user, but this article doesn't make much sense. Linux machines are targeted very often in security issues. If you have an unsecured Linux machine on the internet, it will either succumb to a worm, or be hacked by script kiddies. Most admins don't even usually notice script kiddie hacks (think monitoring thousands of servers..). Yes, Windows is insecure by design. So is Linux. So is *gasp* OpenBSD. Software written by humans is insecure by design.
Ever heard of "Unsafe at Any Speed"? Pretty damning choice of words, huh? GM sure didn't slow down Nader's career with any libel suits.
A call to stifle journalistic speech gets modded insightful?
researchers have discovered that the atmosphere
refracts most of the white light of the sun
into the blue frequencies......
Agreed that developers aren't IT support (well, unless they're developing apps for IT). But they ought to know how to keep their desktops running.
Heck, I used to develop in a shop where any developer above "junior programmer" was expected to know how to reinstall the OS (Solaris, Ultrix or AIX), configure it for Oracle, install Oracle, install our software (a GIS system), and generally manage their own workstations. Ditto for the sales support guys'n'gals and the trainers (although the latter might need some phone support).
Would you have automotive engineers or even car salesmen that don't know how to drive, check the oil and put gas in the car?
-- Alastair
Set wayback clock to 1980's.
A book called "Outside the inner circle" points out that crackers want access to mainframes (like Unix systems).
A text file "the dirty dozen" listed 12 well circulated trojans. All of them ran on DOS. All of them were to attack BBSes.
The file grew until the 'script kiddies' of the day realised they could get more mileage out of trojans.
One of the two major free tech mags (either Computer Currents or Micro times I forget) printed an article on how DOS is hopelessly insecure and Microsoft should make something new that was secure.
At the time I felt this was asking a bit much. See DOS was made to run on PCs. Those systems aren't powerful enough to run a secure operating system. They were only just powerful enough to run viruses.
However I also felt that the PC AT was powerful enough to run a secure operating system should one be made with it in mind.
386 even more so.
However the early pleas fell on deaf ears and Microsoft instead chose to use my excuses for the insecurity of DOS to continue to excuse the insecurity of Windows.
Microsoft continues to make excuses.
Viruses and worms could hack your admin password out of the password file if it wasn't for the fact that the passwords aren't actually needed.
Today virus and worm writers are just doing it to prove how fragile Windows is.
In the past it was some sort of sick contest today I think worm writers are sloppy on purpose just to prove just how pathetic Windows security really is.
Early MacOS had the same problem but not at first. Apple decided to "keep up with the joneses" by giving MacOS the ability to multitask. The ability to run many background tasks (the primitive multitasking supported by DOS) is all it takes to run a virus. That and be totally devoid of security.
Microsoft will quickly point out that they released patches for security problems months before any given worm is released yet they work. The reason? Windows admin do not trust the patches. Microsoft makes the same rookie mistake over and over again. I know this mistake because I made it. Deploying bug fixes and security patches BEFORE testing. I crashed a BBS once doing this. As a hobby programmer for a sysop this is excusable... ONCE. As a large corp servicing millions of users around the world making this mistake over and over again is bad enough and then to just make excuses is worse.
(And when I made my one mistake I never heard the end of it)
Microsoft can't be held responsible if a printer driver is defective I'm told. True true but when that printer driver crashes the whole operating system it's time to stop blaming the driver and start blaming the person who designed the driver interface.
It's come so far that one worm is actually written to try and download an update. Microsoft may be lazy but the rest of the world isn't so it failed.
I don't actually exist.
If the Mac, with 5% of the market, has 50 viruses, doesn't Windows' 70,000 mean they have 700,000% of the market? Now *there's* a monopoly! http://www.sunspot.net/technology/custom/pluggedin/bal-mac082103,0,7518456.column?coll=bal-business-indepth
The author lists open ports, the firewall not being on by default, the patch system, and user privileges in his article as insecure "design" choices. The only one of these that qualifies as a DESIGN flaw is the user privileges. I don't think any of the others qualify as a design matter.
It is certainly a bad decision to leave unnecessary ports open, and they should be left closed unless the user specifically requests that they be turned on. Given the general target audience for Windows, I would go farther and say that it should give some kind of warning about possible security issues when opening up ports.
The firewall not being turned on by default is not necessarily a bad decision, and I BELIEVE it has a question regarding utilizing the firewall when setting up any network connections. So it gives a choice at an appropriate time. There's not much reason to run a firewall without a network connection. If memory serves the option is not really stressed, and I can't remember if it defaults to on for network setups, which would probably be a good choice along with stressing the need for it when going through the setup. So some improvements could be made in this area, but I don't think Windows' current behavior is horribly flawed in this case.
I think he's criticizing the Windows Update facilities for the wrong reasons. I can see criticism for not releasing updates in a timely fashion, but criticizing it because it comes in the midst of some other configuration choices is just silly. I mean from your average user's standpoint Windows is providing an EXTREMELY easy to use update facility that even provides options to setup automatic updating of the system for critical updates. The update facilities for most other platforms falls well short of Windows Update in general ease of use.
The only really strong point the author makes is regarding the way Windows handles user privileges which is certainly one of its weak points, and the only point he makes that is truly a design flaw.
I'm sure Windows has plenty of insecure areas in its design, but all but one of the ones mentioned in the article are configuration insecurities, and even then some of them are questionably valid points.
- b
Thanks. That's been bothering me for months.
You want the truthiness? You can't handle the truthiness!
Your check is in the mail. Bill G.
Yes, I'm running Mandrake 8 with evilwm and Opera 6.12 to make this post, so I'm safe, but I doubt that network is!
As for Macs "Who the fuck cares?"
All of us Mac users who laugh at the screwed up Windoze environment. We don't seem to spend much time writing in forums about whose fault it is when viruses attack. There just aren't that many opportunities in the Mac OS to begin with. To put it plainly, we don't give a damn; it's just fun to read about all of "your" controversy. ha! Ha! HA!
It allows toast to enter and exit at will!
But seriously you're going to compare Linux or OpenBSD to windows in terms of security? Let's be realistic. On top of the types of exploits that target poorly written software for both OS's. Such as say your average
WU FTP exploit and your average IIS exploit that are say both remotely executable over the net
and
a poorly DESIGNED (read: feature not a bug) app such as Microsoft Outlook express.
How come I've never had to worry about an email that might wreak havoc on my computer system in Linux...whether I'm using PINE or MUTT or even Evolution? Sure it's partly due to the fact that as a normal user on my machine I can't do any real major damage..but it's also because evolution (or whatever) doesn't have "Features" included that would allow a script to run and gather up my address book and start sending everyone some free porn.
I could write some more paragraphs arguing my point but I think you get the idea. There is a difference between human error and poorly designed or badly designed software.
======== In the future, everything will be artificial. ========
Yes, but that's because when a LINUX user is in bed but not alone, LINUX user and the LINUX user's partner are too busy to sleep until noon the following day. By that time the chance to obtain slumber has long since passed.
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
Let me ask you something - if you created a program that was hard to use (but usable, none the less) and released it to the public where it sold poorly, do you think anyone would buy your excuse that the public was too dumb? That it was their responsibility to try and understand how your program worked? Try it and see what your boss says. See if he thinks it's up to your users to figure out what to do and how to do it, rather than up to you to design a better software package. Try it and you'll be out on the street. =)
This is, in fact, the argument you are making. That Microsoft is not to blame because its end users don't know what port 139 is or how to block it. That users don't know why they shouldn't click on a .pif file or even what it is. That users aren't patching every week. Etc, etc. No, it had nothing to do with the fact that Microsoft did not take the time and effort out to design a product that was reasonably secure for an audience that (they knew) would not be able to fix an insecure PC. This despite the fact that, as the article shows, it was not difficult at all to do.
Come on, MS knows the technical capacity of many of their users - why do you think they worked so hard to make IE and Windows Media Player default programs? Because they knew most of their users couldn't even tell you what browser/media player they were using. So they knew that this audience wasn't going to just say "oh, I need a firewall!" and go get one, or know what these "critical updates". If a secure setup sold PCs, MS would have made a secure setup. No doubt.
The fact is that Microsoft gets the important things right - and the important things, to them, are only those that affect sales. If it worked half as hard to make PCs secure as it did to crush some of its competitors, Windows would probably be unbreakable by now. But on this one, they passed the buck, because they're not too worried about a major loss in sales from it. The decisions were knowingly made, and they were irresponsible.
I know it's hard to believe but if you actually had the patches, kept your AV scanner current and used it once in a while then your personal workstation was unaffected. It's all the idiots who didn't which resulted in net admins pulling whole subnets out to stop the spread.
So is MS insecure. Shit yeah. And people should just understand that by now and work around/with that fact of life.
Hey, when you cure AIDS then you can say that sex is not dangerous by design. Until then it's only rational sense to do what you're supposed to do to protect yourself.
You really have to get this in perspective.
:)
If Windows was the 'free underdog', and Linux was the '$$$ market leader' (ie. complete role reversal), then people would go to great lengths to pull the reputation of Linux down by creating viruses to exploit any vulnerabilities it may have.
How many mac viruses are created? I can't say that I remember hearing about anything significant recently. How many computer users want to bring down the reputation of Apple? (well, maybe after their false G5 speed claims it's another story..)
A couple of over-hyped viruses does not make Windows a less secure OS than Linux, or vice versa. Both operating systems have had many exploits found in their design over many years. Over different time periods, Linux systems have had more current exploits than Windows, and vice versa. It's a fluctuating situation with no clear winner.
And that's my bit for the day
Software written by humans is insecure by design.
OpenBSD is built with security well into the design. It takes every care to minimize security risks in the system. This does not mean OpenBSD is lead-plated secure; just that security is one of their major considerations when making decisions on coding, configuration, etc.
Most unices are like that - very little runs under root or kernel privileges.
The article is arguing that Windows is designed without even considering security, with it being tacked on as an afterthought... and to a certain extent it's right. Who needed security or root-shells or whatnot when running DOS and Windows 3.1?
Doing the Right Thing should not be preempted by making a buck.
I would submit to you that MAC and LINUX which I am actually quite fond of in certain times, do not have the market share that MS has. ie. No self respecting hacker gives a crap about them, because they cannot effect much of a stir with the tiny user base, which is also mostly made up of self important renta geeks who change OS's daily and explore the net looking for patches and updates. It is far more useful to attack the giant who Mom and Pop use, especially because Mom and Pop don't know or care about updates and patches. So if by inherently insecure you mean largest user base, highest number of attackers, and most reason for someone to want to attack. Then yeah Microsoft is insecure by design. They should have kept use to about half a million geeks world wide then they could prance around pretending to be more secure as well.
Well I'm sorry, that my English is pathetic.
Besides I'm Danish and so is he. So that is kinda a moot point.
So that solves the whole problem, idiot.
Yep: the RedHat 'updates' GUI works just fine.
I use windows most of the time and haven't lost a moment of sleep either. I was careful enough to install a decent firewall, email soft and anti virus in my system, as well to avoid opening emails from strangers. Never got a single virus here.
Give any linux distro to a not so careful guy, who will probably not care about updating the kernel and some daemons, and you will end with an exploit-ridden box, with legs wide open for remote access with root privileges.
It's not about what system you use, it's about how you manage it.
Cheers.
Hell, there are no rules here. We're trying to accomplish something. - Thomas Edison
As an IT admin, that is your prerogative, and that's not what I'm arguing against. I'm arguing against the software not having the ability to do a fairly common, and useful, task. You can turn it off by default, but by removing it you begin to limit the functionality of your software, and add very little security.
Story sans nag
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project failed.
Because they don't have to, and consumers will keep purchasing their product. Why doesn't MS upgrade Explorer to have tabbed browsing and popup blocking built in? Because they don't have to. It goes on and on.
But Unix is insecure by design also.
Maybe not as bad as Windows, but still.
I remember pretty clearly all the initial talk about viruses being for the Mac. The main culprit imho was the "resource" setup of executable files that made it trivial to modify an executable to run any code you wanted, thus hiding the virus entirely in files already on the disk. People would take disks with the infected program, run it on another Mac, and the virus would install itself and infect every executable file on any other disks inserted. (these were 3.5 floppies).
DOS (and Unix) required at least the insertion of some jmp instructions to get your own code added. Everybody thought these were much more clever and possibly more dangerous, but they were at the time almost nonexistent, while Mac virii were everywhere, spread at shocking speed for a system that required disks to be manually carried from one host to another! A typical one would spread over the entire country in a month, and could not be eradicated: cleaning it off and it would be reintroduced soon afterwards.
In fact the word virus was more appropriate to this. Instead of modifying the entire machine, it modified a "cell" (a program) to do its replication work. The organism (the machine) would eventually be killed. Modern viruses instead seem to hide in the enormous complexity of the file system as extra files, usually of the same size or larger than the other files, so maybe these should be called bacteria instead.
They are usually named like this:
nakedwoman.mpg (extra long space here)
After connecting to a LAN, I'd usually get those kinds of files in my shared network folder from other people's computers. It goes either way. Making things more simple for users is how Microsoft stays in business. Although I do have to say, many of their new user features actually make it harder for a good portion of the windows using population.
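Added example, not part of any comment in this thread: a mail-gateway style check covering two things posters describe above, blocking every e-mail with an executable attachment and the file named like a video with a long run of spaces before its real extension. The extension blocklist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed policy list: .pif is the extension named in the thread, the others
# are common Windows executable and script types. Tune for your own site.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}

# Three or more consecutive whitespace characters inside a name is treated as
# padding meant to push the real extension out of the visible column.
PADDING = re.compile(r"\s{3,}")


def classify_filename(name):
    """Return the reasons a filename is rejected (empty list = acceptable)."""
    reasons = []
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as a.exe.
    cleaned = name.strip().rstrip(" .")
    stem, dot, ext = cleaned.lower().rpartition(".")
    final_ext = "." + ext.strip() if dot else ""
    if final_ext in BLOCKED_EXTENSIONS:
        reasons.append("executable extension " + final_ext)
    if PADDING.search(cleaned):
        reasons.append("whitespace padding hides the real extension")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and list (filename, reasons) for bad parts."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        # get_filename() reads Content-Disposition and falls back to the
        # "name" parameter of Content-Type.
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def should_reject(raw):
    """Gateway decision: bounce the whole message if any part is flagged."""
    return bool(scan_message(raw))


# Constructed sample: a two-part message whose attachment uses the padded name.
SAMPLE_BAD = """\
From: sender@example.com
To: user@example.com
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="nakedwoman.mpg          .exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: plain text, no attachment.
SAMPLE_OK = """\
From: sender@example.com
To: user@example.com
Subject: lunch
Content-Type: text/plain

noon works for me
"""

if __name__ == "__main__":
    for label, raw in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, should_reject(raw), scan_message(raw))
```

The check looks only at names, so it is a policy filter rather than content inspection: a renamed or archived executable passes it.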
Or any linux server anywhere used as a mail server. There aren't any of those are there?
-Looking for a job as a materials chemist or multivariat
I don't know this for sure about port 427 since it doesn't seem to be open on my OS X machine. But take port 631 for example. It is used for printing services but by default it doesn't allow access even from other machines on the same LAN. It is possible, of course, to open it for LAN access - but that isn't the default. By default, OS X is indeed, locked up, as it should be for the majority of users.
In other news, really, really smart scientists that spent a lot of grant money determined that: living people breathe (air), fish generally live in water, Battlefield Earth was a mindwitheringly bad movie, and cutting down a tree with a herring is inherently impractical.
Windows Insecure By Design? a world of ***!!DUH!!*** It's nice to see the general public starting to wake up to this fact. Expect to see the standard ports (135, 445, etc) closed when Longhorn comes out... maybe And even then, I doubt MS will make any other changes. Or, if they do, they'll open up five or six more ports in the process. :-P Not that I'm bitter... oh no.
Let's never forget the conversation between a fictional Steve Jobs and Bill Gates in "Pirates of Silicon Valley":
fictional Steve Jobs: We're better than you are. We have better stuff.
fictional Bill Gates: You don't get it, Steve--that doesn't matter!
Furry cows moo and decompress.
Didn't Microsoft plan on making all their software subscription based a year or two ago?
Heck, I used to develop in a shop where any developer above "junior programmer" was expected to know how to reinstall the OS (Solaris, Ultrix or AIX), configure it for Oracle, install Oracle, install our software (a GIS system), and generally manage their own workstations.
You worked at my place didn't you? Does the phrase 'minimal crust' mean anything?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
NTBugTraq recently lauded some decision Microsoft made to start shipping Windows XP with Internet Connection Firewalling enabled by default.
Come Longhorn, you won't even be the admin on the box at any given time - you'll simply know a password that, when prompted, you can enter for admin access just long enough to do whatever it was that needed doing.
Windows update is two things at the same time:
1. AWESOME. ABOUT FRICKING TIME. SHOULD HAVE HAPPENED BACK WHEN WINDOWS 95 SHIPPED.
2. Crap, and they know it, and they're working like dogs to fix it. The latest version of their installer system has or is about to enter Beta, and the idea is to get everything in the company to use it, or one other (unspecified) installation method. Once that happens, you'll finally be able to get things like "Update.Microsoft.com" (updates ANY MS product).
I just took my son to college this weekend and set his pc up for him. (Ah yes, dad knows FAR more about computers than jr...)
We dropped his stuff off in his dorm and discovering there was only one ethernet jack in his room we left for Best Buy to grab a cheapy hub so he could plug his LINUX box, his PS/2 and his roommate all into the single lan jack.
Well, we blew off the hub because his roommate called his cell phone and said he was "bringing a *thing* from home to hook both of *them* up at once"..
So, assuming he was talking about a hub we blew that off. Well, we got back and discover the roomy had plugged a cordless phone into the lan jack. I pulled the cord and announced that they were lucky system security didn't come up and billy club someone for crashing planet earth into the moon by plugging the phone into the lan jack. The roomy was sitting there looking like he had crapped his pants.
I plugged my son's pc into the lan and fired it up to make sure it was configured properly with the college system and it was fine.
My son is using Mandrake 9.1 w/KDE 3.1.3tex.
Now, when you fire up Linux *MOST* people are going to say something, it's different you know and if a NORMAL person has a few brain cells functioning, they will notice something is different and not only ask questions but come over to watch..
Nope. Roomy sat there waiting for his chair to blast off, he could have been watching me pilot the starship Enterprise as far as he knew.
I very quickly drew the conclusion that this kid was not only dead in the head, his computer skills are less than ZERO.. I asked him what he has, he told me he has a laptop with Windows 98. Whee! How fun can that be??!!
There were hundreds of kids lugging brand new Compaq and Dell boxes in and they *ALL* had big fat, "WINDOWS XP installed" stickers on them.
You can bet your ass that those kids will be ate up with that shit, probably already, if not for sure by the coming weekend.
Those kids, by dragging all those XP boxes in were building a big petri dish for the script kiddies to play...
I can say this. I'm damn glad my kid is using Linux, I don't have to worry about him getting caught up in all these childish virus/worm/trojan games. This shit has gone way, way too far.
I'm not going to pump all my money into repairing his PC (600+ miles from home) every few days, dumping money down the toilet on anti-virus crapware that does not work, and paying $200 for an OS that just brings you constant headaches.
I told my son that if he wants to stay in that school then the Linux stays on his PC and M$ is forbidden on his machine. If he changes it or lets someone change it, that's it. He goes to local community college with the local idiot beerheads..
I find the article's amusing suggestion that MS could send update CDs to everyone on the planet scary. It's bad enough that I get my monthly AOL CD. I don't want a quarterly MS CD either.
Did anyone else notice this, or was it just me?
No Not Again! Its whats for dinner.
Some of us developers working for smaller businesses need to handle EVERYTHING.
"Hey, Dave, make our fundamentally different, colocated e-commerce sites securely share all their data amongst each other and seemlessly integrate it with this new proprietary MRP solution. Upgrade our computers when we're not using them. Find a legal way to install this one copy of Office onto all these computers. Make our computers faster and better. Don't touch my computer. Upgrade our Norton Antivirus server and all our clients. None of us want login passwords, but we do want security. This one mid-90's era server ought to be enough for all our needs. We want video conferencing on all our sites. We don't want to buy anything."
I do almost as much IT support as I do development.
There's no reason that the number of viruses would be proportional to the number of boxes. Each virus maker has to make the same decision, more boxes->faster spread->bigger infection. If you want the fame and the glory (or rather if this is what you consider fame and glory) it is *ridiculous* to ignore Windows boxen (hence the ~100% focus on them)
That said, there are probably enough Windows zealots who can code (if there are 20 times as many Windows-ers as Linux-ers/Mac-ers) that if there were an abundance of Apple holes *somebody* would take advantage of them just to knock the Mac-ers down a notch.
My list of multiplayer
If you are developing in-house software, the developers are part of IT. While it is not a good idea for developers to install into production, they should look after their own systems and test bed servers. This has two advantages: 1. Developers become familiar with how the production environment works so they don't promote unworkable solutions. 2. IT support/sys admins can't muck up developers' machines. :)
Jesus was a compassionate social conservative who called individuals to sin no more.
Windows: For people who know nothing about computers.
OpenBSD: For people who know nothing about security.
*BSD is dead.
So, basically: Windows is already capable of requiring executable files to be flagged using permissions, as well as being already capable of requiring the user to explicitly mark an attachment as "executable." It just doesn't and instead maintains a large database of "what to do" with various file extensions - open it with another program, or execute it directly. (XP seems to also inspect the file and guess basic MIME types, it figured out some SQL scripts were text files without being explicitly told. I don't think it'll ever guess "executable," but if it does...)
So, at least in that respect, Windows is indeed insecure by design.
You are in a maze of twisty little relative jumps, all alike.
The best feature of non-Outlook email programs is the inability or difficulty that they have running activex, java, or javascript.
To this date I have yet to receive a single email that has ever needed to use any script or programming language to deliver the message so why the heck is it still in and ON by default?
Ah well, all I can do is my part. I patch and have a linux based firewall protecting me. That firewall has had nearly 3000 hits on 135,137, or 139 in the past two days. A month ago it would have had no more than 12 in the same period.
You might be right.
The combination of hidden file extensions and using those hidden file extensions to differentiate between executable and non-executable files seems incredibly dangerous.
Seems like hiding HAZMAT labels on tank trucks because they make motorists nervous.
P.S. http://www.newsfactor.com/perl/story/16555.html. Nothing is completely secure, even Linux.
"Sufferin' succotash."
Does the phrase 'minimal crust' mean anything?
Um, not that I recall at the moment, but it's been 10 years. Does 'VISION*' mean anything?
-- Alastair
And scratch their beards... Even the women. Right.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Mac and Linux not targeted? Taking the view of a malicious hacker, why would you bother coding a virus that only affected a minority of computer users? If Linux ever really makes it mainstream, you may find it's just as susceptible.
But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks
Yet.
No, that too would be "like Unix". I think that's where they got the idea.
With x permission you can "scan" a directory, which means you can retrieve the inode of a file linked therein as long as you already know the filename. With r permission you can get a listing of filenames to choose from. Whether you can open the file, of course, depends on the file's own permissions (you know that but I'm clarifying).
I haven't yet checked if OS X requires x permission on an app package folder, a Mach object file inside, or an old-style standalone application file. Probably not, so some of this sort of protection has likely gone out of OS X. On the other hand it's a bit harder to pass off a .app package in an email attachment than a .exe.
You dope.
Never ever ever download driver updates from Windows Update. Always get them from the hardware vendor directly. There is no way Microsoft could know more about supporting a piece of hardware than the hardware vendor. So don't even bother.
Schwab
Editor, A1-AAA AmeriCaptions
But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks
Yeah, and neither has anyone with an atari, amiga, commodore, apple, xbox, or PS2.
Well, checking the oil I'd put more akin to checking free resources. Same for most of the other fluids in the car, short of fuel. fuel's akin to turning the thing on in the first place. Do these people need to know how to operate the turn signals, trunk release, windshield wipers, domelight, etc? I'd rate them as your basic intelligent car owner.
As for changing fluids out, the computer equivalent would be to a backyard mechanic, who handles oil and antifreeze coolant. Maybe checks the tranny fluid and takes it somewhere if it doesn't look right. Changes out burned out lights, etc. Stuff that is mostly covered in the owner's manual, or at least has stuff like fluid quantities. In computers, I'd equate that with being able to hook up external devices and get them to work, being able to remove stuff from C:\WINDOWS\START MENU\PROGRAMS\STARTUP, configure basic network settings from instructions for something like DSL or Cable. Calls for support or a technician when something out of this range goes wrong.
A+ certified technicians would equivalently handle basics, like replacing alternators, starters, draining transmission fluid, replacing water pumps, checking differential gear oil, lubing the suspension or steering parts, replacing obviously bad water hoses, and the like. Stuff that stands out. By comparison to computers the person would be able to replace hard disk drives and CD-ROMs, install video cards, install the OS from scratch for the default configuration, configure sound support, and the like. Maybe even dig into the registry a smidgeon.
And above that you'd have your power-technicians, who would be up there with not being afraid to remove stuff like engines, axles, transmissions, steering columns, dash boards, interior parts, etc. These people would be able to play with advanced networking, deal with driver and IRQ conflicts, handle tweaking of the OS, dig into the registry a bit, etc.
Beyond that, you find different people who can rebuild engines or transmissions in their sleep, modify sheet metal artistically, handle advanced upgrading of suspension, and the like. They would in computer equivalents be specialized, but very talented. They probably wouldn't even do much of the lower-level work unless they had to, because they would be more valuable higher.
Well, that was quite long enough of a ramble...
Do not look into laser with remaining eye.
The question is, do they really care more about the customer or the bottom line?
If things carry on with a lot more big exploits coming down, if they don't care about the customer, there is a chance that they won't have to worry about a bottom line.
We still have to educate people, but also, systems must be designed to be able to accommodate non-computer people and the fact that they usually have other things to think about. Think of it this way: would you rather your physician spend his/her time worried about patients or the computer system? It's an awfully simplistic example but I think the point needs to be made that few people should have to consider their computers more than a tool and learn a large set of hoops in order to maintain and use it.
Step 1) Download and install NSIS. It's a free script-based install tool creator for Windows.
2) Take a clean system that you want as your "base", then install a patch or an application. Type in the paths, customize the install, etc. etc. Keep in mind whatever selections you choose will be replicated on each machine you will do later.
3) Use the install.log file (used for the uninstaller) and get a feel for what files, directories, registry keys, etc. it created.
4) Create an equivalent NSIS install script (use the NSIS archive link to find recipes and guides to help out) to do the same actions without prompting.
5) Create the installer using the files on the test machine and the script from step 4.
6) Put the installer program on a file server, then use SMS or the remote computer management to get each Windows box to download the file and run it at a specified time. This should replicate the installation procedure from the test box (provided you translated the log into the NSIS install script correctly)
I'm sure you could figure out how to use perl to go from the install.log into a NSIS script and build the package all in one fell swoop. You could schedule the machines to all go to download a specific file name every night and run it using the Windows Task Scheduler if you wanted. Just replace it with a do-nothing program when you don't have a patch you want to apply. Just in case, make sure the installer checks to see if the installer has already been run before so it doesn't do it twice and overwrite shit.
This sounds like a cool project! Now I'm all interested.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Sure it's insecure, but it's not going anywhere anytime soon. What to do?
From here. Apologies for the formatting mess, the hyperlink fixes that.
A few very doable fixes to stop most worms and viruses.
1. Microsoft must make their next Service Pack for both XP and 2000 set autoupdate to "install without asking." It should warn the users it's doing this so advanced users can disable it.
2. Microsoft should also turn XP's firewall on by default. I believe they are planning on doing this in the near future.
3. MS could develop a "security wizard." Kind of like its Baseline Security tool but for the home user. It runs, sees if your MS networking ports are open to the world, checks to see if you're behind a firewall, etc and gives you tips. It should auto-run every 30 days unless it's deactivated.
4. Outlook/Outlook express should refuse to open any attachment that is a true executable or script like exe, vbs, pif, etc. The user should be forced to save the file to his or her hard drive first. This will stop accidental double clicks and give the AV software a chance to scan the file. So instead of "Open this?" the dialog box will say "Where do you want to save this potentially dangerous file?" Also users without AV should be warned by their OS or mailer. "Warning: I can't detect an anti-virus program on your computer!"
5. Corporate networks must block port 25 from the inside. This will keep client computers from becoming spam machines.
6. Residential ISPs must block all RPC and Windows networking ports. My cable modem provider blocks windows networking and it's probably saved us from collapsing more than a couple times over the years. Add ports 135, 445, etc and we'll be sitting pretty. Users can always do HTTP or FTP downloads and uploads.
The bright side of the current situation is that the worse these worms and viruses get the more incentive IT managers have to buy better protection and secure their networks. I'm sure funding to buy an SMS package, AV on the mail server, etc is much easier to get now than it was last week. Not to mention many higher ups want to know why they got 500+ emails during lunch and why their IT department isn't doing anything about it.
The downside is that there's a certain balance to maintain. If worms get worse before security gets better then we might just see a virus with the penetration of SoBig but instead of attacking windowsupdate.com it will corrupt the registry on the local computer, corrupt all documents on all drives (including networked drives), etc on a set date. So far the popular worms and viruses have been very, very benign.
As far as the 'get a Mac' comment goes. Well, the computer I'm using right now has been upgraded to the point where it can't be upgraded any further. My next machine will probably be OSX with this and my laptop running 2K.
"But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks"
I don't know what they're talking about. I might be using Linux, but those Windows machines just killed the network that I was plugged into.
I'm only paranoid because everyone is against me...
> Agreed that developers aren't IT support (well, unless they're developing apps for IT). But they ought to know how to keep their desktops running.
Not where I come from. I could regale you with many stories of co-developers (trying) to build their own pc's, etc. One particularly amusing event was our resident Perl developer who claimed that his machine kept crashing because it was running too hot. He summarily opened the case and poured some of his pepsi on the CPU to cool it off and keep his system from crashing again.
Windows Is 'Insecure By Design,' Says Washington Post
Obligatory Slashdot one-liner: "No shit."
Bullshit. There are about 50 Mac-specific viruses, as opposed to over 70,000 Windows viruses. Apple has ~5% marketshare, and a slightly larger installed base, yet it is targeted by only ~.07% of the known viruses.
All you're showing is that it's not a linear function of popularity. Well, duh. What good would there be writing a mac virus right now? Most of the computers it interacts with will be windows machines. Even if it were the perfect virus, it just wouldn't get anywhere.
So not just a proportional amount of viruses written target microsoft. Almost every single virus written targets microsoft. The lack of viruses for your platform is PURELY due to popularity, whether you want to believe it or not, not due to some magical super-special secret virus resistance inherent to your OS.
No virus or worm will ever have its way with a Mac the way Windows worms rape Windows PCs, period. All unnecessary services and ports are off by default, and if any suspect code tries any funny business, the user gets a dialog asking "Should I run this?"-- not a green light to do whatever it wants from the OS.
You are ignoring the fact that 99% of windows worms nowadays are based on dumb users running whatever attachments they get. It has *nothing* to do with services and ports open. And it *does* pop up a "should I run this" window!!
If Microsoft went away tomorrow and Apple took 100% of the market, there would still be nobody writing successful Mac viruses, because the gaping security holes just aren't there to be exploited.
Are you kidding? It'd be just as easy to write mac worms as windows worms are today. Most of them are just targeting a popular email client, reading its address book, and sending itself as an attachment to a bunch of those addresses along with a witty message. That's ALL.
Now, as for worms which *do* exploit security flaws, usually the flaws have had patches available for weeks or even months. And *every* OS out there is getting continuously patched as new flaws are found, including windows, linux, and MacOSX. The frequency of patches isn't the important thing, it's the severity.
The following sentence is true. The preceding sentence was false.
Nice try, but you are in the minority. Virtually every WinXP user I know here has virus problems, including the auto-reboot one. Just because your number hasn't come up yet in the M$ russian roulette doesn't mean you're safe. Most of us have changed over to Linux for a reason, and not all of us philosophical ones believe it or not, but practical ones. btw Photoshop works fine under Linux with the Crossover plugin. If only Counterstrike was plug-and-play under Linux (or even native) then I wouldn't keep re-installing Windows on a partition.
Phillip.
Property for sale in Nice, France
I know it's a lot to ask on Slashdot, where grammar and spelling aren't exactly second nature, but can we please get over this pseudo-latinistic plural of the word virus?
I know it's vogue with geeks to use latin plurals, but as anyone who has studied latin knows (and I realize nowadays not many people can claim this), not every word ending in -us is a second declension masculine noun (whose nominative plural, of course, ends in -i).
It's a good guess for most words ending in -us obviously of latin origin (focus, for example), but it doesn't hold in all cases and you should definitely do your homework.
But since this is Slashdot, I did your homework for you. Check out this page for an explanation.
Be warned, though, it sort of assumes that you have a brain. Those lacking need not read it. For those of you that just want to take my word for it, the plural is 'viruses' (that wasn't so hard, now was it).
Is it possible that Windows was never designed with security from the start because it was not designed for a network from the start? MS entered the networking and Internet game pretty late and with it came all the worms, trojans and other stuff. Of course, this assumes that the constituents of present-day Windows have a lot in common with the pre-TCP/IP Windows of old. Still, I think it could be one way of looking at the fundamentally insecure design of Windows.
Netcraft says that, say, 25% of web servers are running IIS. That means 10,000,000 web servers are running some version of Windows (of which there are relatively few in the majority of that 10M) on Intel x86 CPUs. The other 75% are running some arbitrary variant of Apache, with arbitrary modules enabled, on arbitrary architectures. So there's probably no single configuration in the remaining 32M web servers that's anywhere close to the popularity of the majority of the IIS 10M.
The Linux/Apache worms just get much less press because they affect way fewer systems.
aQazaQa
I thought it was amusing when I surfed over to the Post to read the article there was an ad for "Windows 2003 Server" on the page. I had to take a screen shot. If you want it it's here --> http://johnford.net/images/windows_ad01.jpg
http://slashdot.org/comments.pl?sid=75725&cid=6766597
The gist is that Windows has spent more time on usability and 'integration of the web browser and stuff' and little time on security. Read my prior post.
Hmm I wonder if the wash post monitors /.? (LOL) cause it seems like they got that idea on windows from me. I know it took redhat a little time to start shipping with a firewall configuration tool as part of the install, but they do now. Why is it though that MS has been around for so long and it took them till 2000 to ship a pitiful attempt at a firewall, when even Linux (the new kid on the block) has had one for so long? Even OS X has a better out of the box firewall utility.
Only 'flamers' flame!
Does slashdot hate my posts?
...Or, "The Ten Commandments of Windows Security."
I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:
1 - No scripting host. If you don't need it, kill it.
2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...
3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...
4 - Unhide the file extensions. You wouldn't eat something from a package simply labeled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.
5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...
6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.
7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.
8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!
9 - Check your processes, and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.
10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.
That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.
- that which can be adequately explained by incompetence - Napoleon
In this case we don't speak of the incompetence of Microsoft's programmers but rather incompetence derived from the greed of their marketing driven direction bolstered by lawyers struggling to attain and maintain a tenuous monopoly built upon a house of cards the result.
It has been clear for years that Microsoft fully intends to own you accomplished by owning your computer. No wonder then that Microsoft's operating system inexorably tied to all other Microsoft programs comprise most assuredly the world's most comprehensive root kit. Microsoft product has not been built on the basis of security and personal privacy because that runs counter to, and serves to hinder, the global exploitation of users in the quest for even greater market control and profit.
Limited security and privacy may be sold piecemeal as another value added bolt on, perhaps even given away for free in trade for users agreement to enhanced EULAs that further promote the company's legal ability to remotely root, reconfigure, or disable your box in part or parcel and to do so serendipitously if necessary. But clearly, the overriding concern of Microsoft is the global control and consequent exploitation of the world's computer resources.
The latest manifestation of this desire is dot net and what is dot net if not the latest incarnation of Microsoft engineered marketing to turn millions of computer systems into Redmond's remote access terminals to the bank accounts of a rental society.
Security? Privacy? You might as well be tree hugging in a Brazilian rainforest. The Congress has been bought, the Judiciary has been bought and those not bought have been appeased by inclusion. For the RIAA and the MPAA we have DRM and the list goes on.
But the Microsoft engineered marketing droids of Bill have a problem having been exposed being just a little overzealous with their favorite root kit. The race to world domination might have to be yellow flagged while Microsoft products hit the pits so at least a few rods of security can be pushed back into the crankcase and the holes patched with yet another layer of duct tape and bubble gum. In the meanwhile we get to witness the SCO car, fresh tires and a full tank of gas courtesy Microsoft, trying desperately to knock anything sponsored Open Source into the wall and hopefully out of the race.
If there is no realistic alternative then Microsoft doesn't have to worry much about the rubes whining over such piss middling aspects like security and privacy. If the rubes somehow manage an alternative operating system on which to run alternative software then Redmond may well have to tighten up their root kit to the point that only authorized crackers have access. You can bet your ass the NSA, the Department of Homeland Security, the FBI and the CIA to name but a few entities, have an overriding and up front interest in the matter and their concerns are also Microsoft's since export licenses for global markets hang in the balance. That their own systems are widely running Redmond's root kit seems to be of lesser importance although that is probably not ascribable to malice either.
In regard to what has happened, is happening and regardless of what may happen, the bottom line has become the simpler issue over whether or not anybody can trust Microsoft with their security, privacy, data integrity or even long term accessibility of computer resources such as the internet. From my perspective the answer is clearly that we cannot trust Microsoft and that we must fight to retain alternatives to insure our freedom and not our enslavement.
The situation is the same for my machine, I like Linux, I support Linux, etc... but I am definitely not an idiot or a liar. I am using Windows XP and I have never had a problem. I don't know what these guys are talking about and I really admire people when it comes to be an idiot so openly. There are so many reasonable, understandable, legitimate reasons to attack XP, Windows, Bill Gates, Microsoft, etc... but for some reason people choose the worst ones.
Simply put together a virus / worm that will exploit Windows and Macs.
It isn't like it is particularly difficult to write a virus for Windows. Lots and lots and lots of other people have done so.
And you claim that Macs aren't any more secure.
So why aren't there a few dozen viruses that exploit holes in both systems? If it finds itself on a Windows box, it runs one thing. If it finds itself on a Mac, it does a different thing.
That way it would be sure to spread through the Windows boxes so it could also get the Mac users.
Basically, your post boils down to "things would be different if things were different". Maybe they would be. Maybe they wouldn't be. There's no way to test that.
All that can be said is that there aren't dozens of multi-platform viruses (despite claims that Macs and Linux boxes would be targeted if they had more market share).
Nor are Apache servers cracked with the same frequency as IIS boxes, despite Apache being deployed 3x more than IIS.
Not that these facts disprove your claims. But you have nothing that does support your claims other than your assertion that "things would be different if things were different".
And why not? They've already got the license they'd need from SCO
Hmmm. If every Windows user with a virus knows a Linux user, does that mean knowing a Linux user gives you a virus.
This issue is a bit more complicated than you think.
This is what grabs me: a new vulnerability with MDAC announced on 8/20 is rated as 'Important'. Same buffer overflow problem as 026.. same potential for damage.. most/all corporate customers have MDAC running.. but it doesn't rate a 'Critical'. Are they waiting for exploit code to appear or are they waiting for the sh!tstorm to die down?
Outlook doesn't automatically run attachments you receive. As far as I know, it cannot even be set to do so.
The problem is that users run attachments they receive. This is not a problem isolated to Outlook or Windows. It could happen on Linux or Mac OS.
I would say Microsoft has made sure that these people without the technical sophistication to find something else like OS/2, BEOS, FreeBSD or Linux, could only choose Microsoft Windows. Then in addition to that, they sell them an out of the box insecure OS and encourage them to use the free web browser (IE) and free email client (Outlook Express).
I would say that when Microsoft stopped updating their Anti-Virus program for Windows 3.1 was a good clue that they did not really care about end user security.
There are just too many viruses out there to keep track of. So we are not going to bundle and maintain Antivirus software for our OS.
Give me a break
vi +
Instead of a big red screen on bootup telling them there are new patches, a big screen saying free porn if you click here (which installs any new patches).
C'mon, it's the DUMB people who don't patch their systems, so play to their weaknesses. Free porn, free money, whatever obvious lie (to a normal person) should be enough to get them to fall for it.
While Microsoft certainly has its problems, this attitude is pretty much, in my opinion, bullshit. If the statistics were reversed and Apple or Linux had 95% of the market you'd see just as much trashing on those systems as you see now on Windows. Script kiddies are going to attack what ever gets them the most attention. And attacking something that only has 3% of the market does not get them that attention.
It's the same philosophy of why more Corvettes get stolen than Yugos. Nobody wants a Yugo.
Yes, Windows has internal problems. All OSes do. It's a fact of life.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
And I think that goes for "conspiracy" too.
Though I do expect that MS will happily exploit their laxness in building their systems if they can do it in such a way as to make their monopoly permanent and legally required.
SCO Unix == Xenix (microsoft's Unix)
Virii is not a word. You mean viruses.
> General Issimo Francisco Franko is still dead.
He's not dead - he's hiding in my closet with Elvis, Jimmy Hoffa and God.
Seriously.
Not only does it look at the file extension to see if it's executable or not, in many circumstances it doesn't bother to check if the internal format of the file actually matches the extension!
For example, try renaming a .exe to a .pif and then running it. This should not work, but it does, and it's something viruses have actually taken advantage of.
Have Microsoft made any attempt other than in Outlook to close up silly holes like this? To the best of my knowledge, they have not. For all their proclamations about trustworthy computing, given this and the continual recurrence of buffer overrun-style bugs, you'd have to wonder whether they really care about making secure software.
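The mismatch described in the comment above (a file's name says one thing, its internal format another) is something a mail gateway or endpoint scanner can check for. The following is an added example, not code from the thread or from any product named in it; the extension sets, the finding names and the constructed sample bytes are assumptions of the example.

```python
import struct
from pathlib import PureWindowsPath

# Policy sets are assumptions of this example, not a complete list.
LAUNCHABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}  # shell runs these
NATIVE_PE = {".exe", ".dll", ".scr"}     # extensions where PE content is expected
DOCUMENT_MAGIC = {                       # extension -> format the content should have
    ".pdf": "pdf", ".zip": "zip", ".doc": "ole2", ".xls": "ole2",
    ".gif": "gif", ".png": "png", ".jpg": "jpeg",
}
DECOY = set(DOCUMENT_MAGIC) | {".txt"}   # harmless-looking inner extensions
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]


def sniff_format(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        # A PE file stores the offset of its "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # DOS-style header without a valid PE signature
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return findings where the name and the content disagree."""
    findings = []
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    fmt = sniff_format(data)

    # Executable content behind an extension that does not say "program".
    if fmt in ("pe", "mz") and ext not in NATIVE_PE:
        findings.append("disguised-executable")

    # Document extension whose content is some other known or unknown format.
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is not None and fmt != expected and fmt not in ("pe", "mz"):
        findings.append("format-mismatch")

    # "invoice.doc.pif": the shell acts on the last extension only.
    if len(suffixes) >= 2 and ext in LAUNCHABLE and suffixes[-2] in DECOY:
        findings.append("double-extension")
    return findings


def make_pe_stub() -> bytes:
    """Constructed sample: just enough header bytes to sniff as PE (not runnable)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    pe = make_pe_stub()
    samples = [                           # constructed attachment names and bodies
        ("your_details.pif", pe),
        ("invoice.doc.pif", pe),
        ("setup.exe", pe),
        ("report.pdf", b"%PDF-1.4\n"),
        ("notes.doc", b"PK\x03\x04..."),
    ]
    for name, body in samples:
        print(f"{name:20} {sniff_format(body):8} {check_attachment(name, body)}")
```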
We sue companies for defective products that make us lose time and cause injury. Windows has caused Billions of dollars loss for industry. Everyone should sue M$ for their losses.
That's the most effective way I've seen to teach people about OS's/languages in general.
But really, while I agree with the statement in theory, in practice I've seen just that statement used by students to justify their resistance to learning an OS/language they don't know already (ie a non MS OS).
I suppose you could say there aren't many problems in winXP for the more knowledgeable user. However it does have a strange tendency to lose (!) critical os files at seemingly random moments. I've had three friends' computers and my own toss me a 'NTLDR is missing' when powering on my computer. I'd consider that a problem.
Also, I think most of the WinXP users don't know how to use the NT recovery console, or where to put NTLDR even if they did.
Don't get me wrong, I think XP is ok. I use it every day, since to me Linux desktops don't feel comfortable, and I've yet to find a distro which has a graphical configuration tool (yes, graphical, since I don't have the time or motive to learn all those options by heart) that doesn't crash on me every time I try to change anything significant.
Though I have known one school whose prime purpose seemed to be to get foreign students (from one particular country) into the US so they could get green cards.
I worked for a company (for 3 days... I left out of principle) whose owner refused to accept the word "can't". He wanted Windows to run on a Mac (he didn't understand the concept of processors or architecture); when I told him he can't, he demanded to get it done. So I wrote him a price quote. It was basically a quote to program a virtual machine that ran on the PPC chip. After giving him the proposal (man-hours, etc.), he said he can buy comparative VM software for around $500. (He does his homework, but not enough.) He wanted to know why it would cost so much and take a year to program...
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
....no one would ever patch this shit and it would be a hacker's playground. It's an ugly truth but it's the truth.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
As I recall, there are 6 ways a Mac can be infected by a virus. No one has found a new way since 1995. Every single Mac Virus has to exploit one of those 6 ways. Virus detection and removal on a Mac is trivial.
Not so for Windows. Every time you think you have figured out all of the ways a virus can infect the system, someone finds another way in.
Duh, the virus/worm is run. The fun part is there are so many ways to get windows to run arbitrary code. Tell your web browser not to execute arbitrary code. No problem, there are several known bugs that will allow arbitrary code to be run without the user's permission, and more waiting to be discovered all the time. That is, if you are running Microsoft Windows.
vi +
Regarding Unix scriptability, have you looked at OS X's Applescript? Almost all OS X programs are fully scriptable using Apple Events which in turn can be called from any scripting environment so you can use your favorite language, be it Perl or Applescript, to script any OS X program. So certain Unix-like OS does already fully support scriptability to application level.
I've been using a scriptable email program (Eudora) for years and haven't had a single problem because of insecure design.
"Although it is not true that all conservatives are stupid, it is true that most stupid people are conservative."
Umm...I didn't read people's posts, but what about the fact that Mac and Linux make up only a small percentage of the OS used today? Who would want to create worms with a target of ~5% of computer users?
Go home
I don't think this really matters one way or the other.
<RANT>
The way I see it, there is really one solution to this: Deliver EVERY OS to EVERY user with EVERY port to the outside CLOSED by default. Here's why: Most users are NOT smart enough to know to close down ports they don't need, so this will work for 95% of the users out there. And the ones that are smart enough to know they need the ports should be smart enough to know how to read a goddamn manual and turn the ports on. If they don't know how to do this simple thing, then they shouldn't be opening the ports in the first place, because they're still too dumb to use them properly.
</RANT>
Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
Longhorn will be the secure platform because it will block all unsigned scripts and exes. If you turn off the feature then MS will not honor its software license! You will still be able to use it but you will lose ability to upgrade, and send signed attachments, or moderated signed content p2p file share. If you turn off the default security setting then your computer will be tagged unsafe for networking. Tough unix cookie longhorn will be very safe from software pirates, music pirates, and hopefully new sales. Even .docs will be lockable. New software will just not install without security clearance. Leave the security on and every single thing you send out over the internet will contain the unique signature of your computer. Only MS will hold the keys and the defenders of software license DMCA Gestapo will get easy access. Unless the FBI wants some info on you too, oh wait the RIAA, and MPAA has to get in on the act...... have I scared you enough yet, it is all true!
OH THE SHAME I fell off the wagon and use sigs again!
After all even though I'm using a system admined by someone else, and even though it isn't directly vulnerable to direct attack, and even though the attachments but not the messages are filtered, and even though my mail client won't run attachments, I've still lost half a dozen important email messages in the noise of the massive amounts of mail I've gotten from the past couple of worms.
Important stuff has been missed because these past two (or is it three) worms have made email nearly unusable. I didn't get enough spam to worry about filtering it. It was getting close, but I still didn't bother. This has made me learn procmail just to deal with mass numbers of bogus messages. It IS a colossal headache. Moreso I imagine for mail admins who have to deal with flooded machines that aren't actually vulnerable either.
There is a civil war coming in the United States. Remember which side has most of the guns
Well said, but let's put this little myth to rest: Lindows doesn't run everything as root by default anymore.
How long ago was that?
There's Bochs, which is free and will emulate an x86 on almost anything, including the Mac, but it's not very fast.
And since about 1994, there have been Macs that can run Windows using a built-in x86 compatible processor, like having two computers in one. You could switch between them by pressing a simple key combination, and it came with software to help you do things like copy and paste between them. The high school I attended had one.
My bosses generally don't believe in "can't", but most of the time they're right.
Don't know if these things transfer by email, tho.
dominionrd.blogspot.com - Restaurants on
give me a break you grandstanding moron. the people who didn't install the updates -- which require but a few clicks -- will certainly not install via cd. update availability is not the issue.
(snaps suspenders, adjusts belt, strokes beard with a thoughtful air.)
Then yawns again, and shambles off down the hall.
C|N>K
How about this?
Use one of these and one of these to create a filtering E-Mail server in this form-factor(1).
If people insist on running Windows? I insist on making money off them.
(1) Get them one of these or these to store additional E-Mail(2).
(2) Hell. Add LDAP so the worm will have a bigger addressbook to work through. Backups will be easy though.
Router...check
Anti-Virus...check
Patched...check (occasionally)
Viruses...nope
I'm currently using EzMTS as my mail server and have received well over 100 infected e-mails simply because I can't do basic checks with the software. It says it can but in actuality, it can't. I put Mercury Mail on my new server which is taking the place of the old one and temporarily set it to handle e-mail as a test. POOF. No more BigOne.F e-mails. It does proper filtering.
I'm moving to colocation so I need remote management. VNC is just waiting to be hacked with no logging to track attempted logins and just a single password to get in with only 8 significant characters. I downloaded the source and 30 minutes later I have a white list that prevents any IP but ones I specifically list the ability to even connect to attempt a password in the first place. It also logs every IP that attempts to connect so I can see if I'm getting attacked and take action.
Security is not brain surgery. But on the other hand I'd hate to think what kind of crap I'd have to put up with if say for instance AT&T tried to put security as a default on VNC. The white list is about 20 lines of simple code that solves the problem very nicely. HTPASSWORD for Apache had to be modified quite a bit to be made reasonably useful. I had to remove lots of code as it was. I'd hate to think what I'd have to cut out if it came with prewritten usefulness.
I like the fact that Windows is "insecure" out of the box. It reduces the amount of hoops I have to jump through to get things working the way *I* want them working. I'd hate to imagine the nightmare of trying to configure Windows as a router. I'd rather have an external hardware solution that I plug in and is a 2 minute job to configure that I can then plug any computer into regardless of the OS and know they're all equally secure without having to dick around with each of them.
I dumped Linux because I didn't care to fight with the OS. I have better things to do. Microsoft is not my mother. It is not here to protect me from the big bad world. And I don't expect it to. If you need Linux to be your mother to hold your hand and protect you then good for you.
If software companies were FORCED to be liable, no company but Microsoft et al would be able to afford to stay in business.
As it is, software companies can CHOOSE to be liable in order to get deals. A hospital would not buy software from a company that didn't promise their software would not kill the patients.
If you don't like that Microsoft doesn't guarantee you anything then DON'T BUY IT. And good luck finding an OS that guarantees your complete safety from the big bad world of hackers and virii et al.
Ben
Work Safe Porn
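The connection allow-list described in the VNC paragraph of the comment above (refuse any source address not explicitly listed before a password can even be tried, and log every attempt) can be sketched as follows. This is an added example, not the commenter's patch and not VNC source; the class and function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress
import logging
import socket

log = logging.getLogger("remote-gate")  # hypothetical logger name


class ConnectionGate:
    """Decide from the peer address alone whether a connection may proceed."""

    def __init__(self, allowed):
        # Entries may be single hosts ("192.0.2.10") or CIDR blocks.
        self.networks = [ipaddress.ip_network(entry) for entry in allowed]
        self.attempts = []  # (peer string, decision) for every attempt

    def admit(self, peer: str) -> bool:
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            addr = None  # unparsable peer: deny, but still record it
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
        # normalise so an IPv4 allow-list entry still matches.
        if addr is not None and addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        allowed = addr is not None and any(addr in net for net in self.networks)
        self.attempts.append((peer, allowed))
        if allowed:
            log.info("connection from %s admitted", peer)
        else:
            log.warning("connection from %s refused (not on allow-list)", peer)
        return allowed


def guarded_accept(listener: socket.socket, gate: ConnectionGate):
    """Accept one connection; close it unread unless the peer is allowed.

    Returns the connected socket, or None when the peer was refused. The
    caller starts the protocol handshake (and password check) only on a
    returned socket, so refused peers never reach authentication.
    """
    conn, addr = listener.accept()
    if gate.admit(addr[0]):
        return conn
    conn.close()
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    gate = ConnectionGate(["192.0.2.10", "198.51.100.0/24"])  # constructed
    for peer in ["192.0.2.10", "198.51.100.77", "203.0.113.5",
                 "::ffff:192.0.2.10", "not-an-ip"]:
        gate.admit(peer)
    refused = [p for p, ok in gate.attempts if not ok]
    print("refused peers:", refused)
```

An address allow-list narrows who can reach the password prompt; it does not authenticate the user behind an allowed address.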
In the past week, the Merc has been running articles quoting Microsoft authorities as saying, essentially, "Honest Injun we WANTED to require automatic updates, but we thought people would be paranoid of our intentions, so we made updates optional! Now look at the chaos!"
My prediction: There WILL be an attempt by Microsoft, probably successful, to make sure all future Windows versions automatically check for and download updates -- not only bug fixes, but also updates for furthering their own inimical combinations of big brother and forced marketing.
- Wendy
It's so nice to see Microsoft finally get something right.
--Rick "If it isn't broken, take it apart and find out why."
What the article talks about is merely "insecure by configuration", not "by design".
OK, MSFT could and should improve in creating a more secure default configuration, but I expected the article to be more interesting regards the "design" of windows:
Graphics in the kernel, no true multi-user system and filesystem permissions. That, IMO, is what makes Windows insecure by design. And those are issues that won't be so easy to fix without large rewrites and without breaking a lot of backwards compatibility. The configuration in contrast can be fixed quite easily. It is on a deeper level where the real trouble is.
The original:
http://www.cis.upenn.edu/~KeyKOS/
The x86 version:
EROS (the Extremely Reliable Operating System) is a close derivative of KeyKOS that runs on Intel-family machines. Further information on EROS can be found at the EROS Home Page
http://www.eros-os.org/
But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks
Wrong, dead wrong. I use nothing but Linux and OpenBSD and Sobig caused me a lot of headaches:
1) At work, where I'm the residential security guru, I had to kick the windos admins so they go and patch their systems.
2) Also, as an ISP we had a serious bandwidth problem incoming and had to find ways in dealing with it (blaster was worse than sobig, but easier to handle, we just dropped some ports).
3) At home, I was drowning in sobig mails. A regex in postfix took care of that, but it took me half an hour to work that out
4) To this day, I'm getting these bullshit notifications. Whoever has a virus scanner and is still sending out notifications after Klez and Sobig have been using faked from headers for months should be shot for stupidity.
As a matter of fact, my main complaint about the whole virus crap is that even though there's been one virus during the past years that I've been vulnerable to (Slapper), I still get a good part of the damage.
If it'd all "stay in the family", I couldn't care less about windos and its inherent virus problem.
Assorted stuff I do sometimes: Lemuria.org
You, sir, are an idiot.
To see the magnitude of the problem, go to download.com and check the user opinions of the software listed there.
Lets say you go to see the user opinions of Mailwasher Pro or Disruptor OL.
These programs integrate with Outlook Express and are very easy to configure.
Now half the people who gave these programs negative reviews did so because they couldn't fsking understand what to do.
Whose fault is it then? When they can't understand easy programs like Mailwasher or Disruptor then how do you expect them to figure out stuff in Linux?
For these dumb heads, there is nothing you can do.
It's a known fact that the easier a firewall is to install and configure, the more insecure it is.
A good firewall should be one where you need to configure many of the options yourself.
Is somebody going to tell that to the users of Zone Alarm which pretty much needs no configuration?
Linux is more secure because a lot of stuff is configurable.
Bush is on fire and its not good for my lungs.
Hoping that this is not offtopic....
It seems relevant to discuss moving our friends and family to *nix, considering the unpleasantness that has been happening in the windows world over the last week or so. As such, I'll offer my experiences with this sometimes painful process, and hope that they are helpful.
I have had two good experiences with moving non-geeks to *nix thus far. On both occasions, we were providing a person who had little experience with computers or the net with a machine that would allow them to do the following:
1: Surf ye olde net with a minimum of fuss
2: Send and receive email, again sans fuss
3: Be able to cobble up the odd Word Doc or Spreadsheet
4: Not have to call their tech support (ME) to fix things like virii, BSOD, etc.....
In my experience, these are the things that most folks want out of their machines, and they don't need Windows to do it. Even as we speak, my Grandma is running Shrike (RH9) and having no problems. All she needed to know was where the internet button is and where the email button is, and no more problems! This required my presence for setup and a 5 minute tutorial on what button was what, but that was it.
With my sister, who was the 2nd guinea pig, the process was a bit more involved, as she needed mp3 support, a P2P client, and had an odd duck of a soundcard that needed ALSA to function, but she is now running along with no worries. Compiling ALSA and gnutella from source is not something that she would have cottoned to, but the point is that now that everything is up, she likes her system, has no trouble with it, and it required all of 30 minutes of my time to configure.
On the other hand, the times where I have had problems when trying to move a muggle to *nix have been when they have a pet program (i.e. photoshop, turbo tax, or something else that is WIN32/MAC only) that won't run on *nix and Wine won't run correctly. In this case I give up and resign myself to dealing with the virii as they appear.
I don't know if other people's experiences have been so smooth when moving muggles to *nix, but I think that in the aftermath of the last few virii to hit the Windows world, we'll see more and more of our friends and family that are willing to make the switch.
JHM
Don't Panic!
Coming late to this discussion but I still have to say this even if nobody reads it...
(emphasis mine). The quote from this article in a highly visible magazine is:
This is the one question. Why are there so many technical people that, knowing all the risks and odds, still don't dare patch the systems for fear that the cure will be worse than the disease?
I know that the writer is mostly concerned with all the ignorant people at home, but when Microsoft itself tells people to not connect to the Internet because of security concerns, then logic fails. How should these people get their updates then?!
Enough ranting since chances of this being read are small anyway. No sense in wasting time.
Karma? What's that again?
Sorry to burst folks' generalizing bubble, but with proper, ingrained use of firewalls and anti-virus, I personally have had no problems with any Windows systems I administer. Stock, out-of-the-box, unpatched Windows users, on the other hand..
As someone who works in security, "insecure by design" has a precise meaning to me, which I've not seen mentioned here yet. The developer's intentions have nothing to do with it. "Insecure by design" means every implementation of a given system will share a common set of security vulnerabilities. In other words, the design (think API or protocol) itself is flawed. No implementation is safe.
Example: The design of the http protocol does not provide any method of running arbitrary code from the client on the server. A perfectly implemented web server will contain no remote vulnerabilities of this type. Flaws in particular web servers like IIS are caused by mistakes in the implementation, not the http protocol itself. The protocol is secure by design with regard to this attack.
Contrast this with a protocol whose design is insecure. Nothing in the SMTP spec addresses the issue of spam. High-volume anonymous message injection is allowed by the protocol. Solutions to spam have to be implemented externally with things like blacklists and filters (which are considered external even when run during the SMTP transaction as they aren't part of the SMTP protocol itself). No SMTP server, no matter how perfectly implemented, can both completely follow the SMTP spec and reject all spam. Thus SMTP is insecure by design with regard to spam.
Nebulous terms like "windows" and "secure" mean next to nothing by themselves. What is "windows"? The NT kernel? The win32 API? The set of programs and services enabled by a default install? Secure against what types of attacks?
For reasonable definitions of the above, the statement "Windows is insecure by design" certainly makes sense. Take "windows" to mean the win32 API and "secure" to mean enforcement of access control. Remember the shatter attacks discovered last year? That's a flaw in the design of the win32 API. No implementation is safe. It fits the definition of "insecure by design" perfectly. And Microsoft has alluded to more such vulnerabilities lurking in the win32 API (remember when they said they couldn't reveal all the APIs for security reasons?).
Democracy is two wolves and a sheep voting on lunch.
If I was one of your friends, why would I read your sig, much less care what it said? I mentally filter out signatures in the same way that I ignore spam and advertising.
Just ignore grammar nazis. They're pathetic trolls with no life. They have started posting AC because they know everyone hates them and mods them down. Your English is much better than most Americans, so don't worry.
That is not necessarily a terrible thing. It very clearly marks executable programs in a human-readable format that's saved with the filename. Because "chmod u+x " isn't very intuitive (I use FreeBSD quite a lot and I keep thinking that O stands for Owner, rather than Other).
The use of file extensions extending across the system to documents is undoubtedly a good thing for human readability (.txt / .doc / etc) - many systems outside the DOS / Windows world do this.
HOWEVER (thinking about this some more), probably a *better* solution would to have a four or five letter type that could be assigned to each file. Something like: "chmod exe " for executables. The type (exe) could be printed in the directory listing alongside the file, and would still allow applications to register a type to open documents when they're clicked on.
What does it mean to say something like
"RedHat's firewall is turned on by default"?
Once upon a time at least, a firewall was a
separate machine that passed through selected
network traffic, and was nearly crippled for
any other purpose.
If you're talking about "turning on the firewall"
on a given workstation, it seems to me that the
meaning of the term "firewall" is drifting....
You forget that MS have once had something called xenix.
If the market had showed more interest in unix, it wouldn't have mattered to MS if they sold xenix or DOS/Windows, they made the same color of money on either one.
idiots who've been Mac users for a long time who are now whining about OS X's "difficulty"...
These idiots are the same ones who, if you give them a windows box, get virus infections.
Is MS to blame because they sell an OS that's easier to use than *n*x? If you think "yes", just wait until the "easier" versions of linux with pretty GUIs finally become really easy and more popular.
While Linux and Macs don't get the majority of viruses, you also have to look at a few things objectively. For one, the majority of consumer computer users are PC users. PCs are more economical and have a larger selection of software and hardware available to the average consumer at pretty much every department and electronics store. Now look to your various flavors of OSes. Even though Linux is gaining popularity, it's still not the type of thing you'd see grandma using. With the exception of a few obscure types of OSes, that leaves Windows with the majority of the market share.
Now imagine your average consumer. They want a cheap computer that will do everything they want using an OS that isn't "too hard" for them to learn. People are inherently lazy. Once they can get their e-mail, surf the web, scan and print, play a few games and change their wallpaper do you think they really care about security until they get a virus?
Don't get me wrong, I don't support MS by any means. If anything they are quite guilty of being a lazy organization with sloppy programmers that enjoys stepping all over its consumers. They don't innovate anymore as much as they regurgitate. That said, they didn't make the virus.
Personally, I took the single greatest and most efficient step to reducing the threat of viruses... I removed IE & Outlook. After that I installed Mozilla and a simple virus scanner with a shell extension that displays "Scans for Viruses" in a menu when I right-click. The process is basically like this, I scan a file before I run it and I delete any e-mail from anyone I don't know. Somehow I don't see this catching on with your average consumer.
Anyway, getting back to the point, add all this up and imagine you want to be the proud parent of a virus. You want to cause as much havoc and inflict as much damage as possible. So what OS would you go looking for vulnerabilities in?
Mosquitoes are annoying by design, but necessary in nature. They provide for birds.
MS is likewise necessary in our society.
After all, what would the hordes of admins do in a world where they are not indispensable anymore? What would all the antivirus companies and security experts do for a living?
MS may be blood suckers, but they *do* generate a lot of venue...
You Linux guys can't see beyond the end of your pocket protectors. Go ahead. Set up your families with Linux boxes.
Let me know how it goes.
Curious, though. Are you gonna send them to Circuit City or what.
Zo, got her Mac.
The Observer had an article in its business section on Sunday by John Naughton in which he makes the very valid point that the epidemic of viruses is made a lot worse by the fact that desktop computing is in effect a Windows monoculture.
Maybe Windows is insecure by design, but the main reason for the many problems with malware on Windows is certainly the fact, that there are many many people that really hate Microsoft for manifold reasons.
require a specific OS so as not to have a support nightmare on their hands. A friend of mine is in an undergraduate Business Admin campus, no CS. They only allow Win2K, XP home/pro. ;)
Now he's an OsX nut and loves Apple more than life itself but hunkered down and wept while paying for a PC laptop.
While I understand the reasoning behind the policy (These are after all, pointy-haired-bosses in training) one would think that anyone savvy enough to WANT a non-M$ box in that crowd is more likely to GIVE tech-support than NEED it
I am the Barber of Seville.
Not being a Microsoft zealot, but when did the Washington Post get to be the expert on OS design and security architecture?
Considering the recent release of Windows Server 2003, it appears on the surface that MS is trying to do something about security. Somehow I have my doubts, since they've closed everything down to the point that nothing works, and important services are not installed by default.
Trying to deploy services on a W2K3 server is not a simple task. They seemingly have gone the way of the US government by trying to close or kill anything that might make a server useful.
Friends in the IT field have deployed W2K3, and are calling me weekly with new 'strange' problems. IMHO it comes down to a couple simple things.
1. Don't deploy something you haven't tested.
2. Pay attention when installing/configuring a new server.
3. Properly plan your deployment BEFORE you actually do it.
4. NEVER use a default install of anything (MS, Linux, Mac OS) - it will bite you in the ass...
These are simple things, and it comes down to the Sys Admin to be intelligent enough to do this. Security should not be left to MS, as they have proven time after time they are unable to secure anything.
It 'stands to reason' that an operating system designed to function to the benefit of an ever-changing and far-from-perfect species would function such as something that is less than perfect. It breaks, you fix it and go on. "I guess I've been wrong all my life, but so have billions of other people... Certainty is just an emotion." -- Hal Clement
"Attention! This Product Was Not Designed With Security In Mind! The Usage Of This Product May Infect Your Computer, Hurt Someone, Shutdown The Business Of A Whole Company And Even Slow Down The Whole National Economy!"
In a same way as it is required in civilized countries to have on tobacco products.
Less is more !
I know an auto parts salesman who can't install _any_ of the parts he sells, not even a radiator. Not crippled or handicapped, just lazy.
But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks
How's that? It's all about emailtraffic overkill, it doesn't really matter what OS you're using, everyone's losin sleep over this. We run nothing but OSX and Linux but we're still getting huge amounts of virusemails in (the only difference is that the virus isn't able to distribute from here), plus all mailserver bouncemails (our info@ account appeared to be a pretty popular sender on other people's Outlooks).
bada bing
I wonder how the folks who've spent 2 weeks patching the 10K-odd PCs in our enterprise will react when they find they have to do it AGAIN, NOW. Maybe I (the neighborhood Linux/FreeBSD advocate) won't seem as loony now...
I keep up with all the updates to XP...which takes about 2 minutes out of my week.
and this statement convinced me that this had to be an out-and-out fabrication!
I've been helping a lot of people with infections over the last couple of weeks. The last call I had was friend with a cable modem. She had left on vacation shortly before the lov-san/sobig.f fiascos, came back just after some of the dust had settled and was worried enough about the media hype to call me before ever connecting to the Internet (she depends on this system for her work; real-estate appraisal). Due to an infection with klez a few months ago, she was religious about updating her win2k system and her Norton Anti-virus software.
Now here's the point: on a system that had been updated 3 weeks earlier, with a cable modem connection, Windows update identified 21 critical updates and took 1 1/2 hours to download/install them all!
2 minutes a week my ass!
But they had released an update for this about a month or 2 in advance. I have recently rebuilt this system (due to hardware error, not software) and run Win2000. I also kept current with all service packs and critical updates. I check every month or so for any.
The thing that got to me and my dad, is that this headache could have been avoided if people use a weekly scanning antivirus software, as well as periodically checking for updates. I've heard the argument that patches for networking features can screw up mission critical applications - But if you are using software that has to exploit system code instead of using it... something fishy there, and that, according to my dad (A retired 20 year Systems Analyst) is just a bull shit excuse.
Arguments abound "We shouldn't have to check for updates all the time!" Yeah yeah, and I suppose you don't look at your fuel gauge every time you get in your car.
blah
...is that if Mac or Linux were on top of the heap, they'd be getting all the viruses. Virus writers want their "work" to spread, so it only makes sense for them to write for the system that's by far the most widespread.
-----
Sorry, I'm only a 1336 h4x0r.
Never ascribe to malice that which is adequately explained by incompetence. - Napoleon Bonaparte
The title of this article is kinda flamebaitish. However, I found the text of the article pretty accurate and unbiased. He isn't accusing Microsoft of deliberately designing Windows to be insecure.
However, he does bring Microsoft to task for not doing enough to fix these problems or make them easy to correct. Personally, this is where I think Microsoft has a lot of culpability. Look, these problems have been around a long time. Microsoft has thousands of programmers who, if you believe the press releases out of Redmond, all have security as their prime motivation right now. And yet, Windows Server 2003 was released with services that should be restricted to the LAN open and listening on the Internet! Didn't they learn anything from previous vulnerabilities?
After a while, it begins to look hard to be that stupid, that consistently.
> You Linux guys can't see beyond the end of your pocket protectors.
> Go ahead. Set up your families with Linux boxes.
I wish I had, when I first set them up with a computer a couple of
years ago. A Duron 750 being such a vast improvement over a 486SX33,
they would have switched, grown accustomed to it. But no, I had to
be an idiot and get them Win98SE.
I have a plan for getting them switched, though: wait until the
Duron 750 is as hopelessly obsolete as the 486 was when I built
the Duron system, then build them a *second* computer. Let them
keep the existing Win98 install on the Duron, but also have
something decent running on newer hardware. It's too soon just
now, as the Duron is still competitive, but give it a while...
This approach of course will not work on people who go out and buy
their own computer.
Cut that out, or I will ship you to Norilsk in a box.
I'm not defending MS. I work with the OS and realize what a piece of crap it is. However, I have a problem with the following statement: "But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks" Why would anyone spend the time to research exploits for Linux/Macs when they own such a small percentage of the end-user market? If a worm/virus was released into the wild that exploited some Mac vulnerability, how many boxes would be infected? How much media time would the worm receive? Not much. There just aren't that many Macs out there. It wouldn't propagate nearly as quickly or effectively as a Windows outbreak because of the sheer mass of Windows enabled targets running on the net. Hear this. I'm not defending MS. I think the OS sucks monkey nuts. I just think it's a little short-sighted to make statements like the one listed above. How different would things be if the roles were reversed? What if Macs were the norm while Windows was the OS of choice by geeks everywhere? How many Windows exploits would be popping up then? The roles would be reversed. Every h4x0R would be hammering the Mac OS looking for exploits instead of Windows. Why would he waste his time to crack Windows when there are so few out there?
I've messed around a little with Bochs, but it's pretty alpha still,
and it's not trivial to get it to work with anything other than the
provided image (FreeDOS, wasn't it?). Windows on a Mac? I'd quote
the price of VirtualPC. Less messing around.
Cut that out, or I will ship you to Norilsk in a box.
Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
4. Update early and often
or...
1. Run Linux.
It's nice to kick back in your armchair while everyone else I know scrambles to get their patches installed. Unfortunately, I do IT support at work and they have a few thousand systems running Windows. Can you say job security boys and girls? I knew you could.
I can't afford a sig!
I'd like to know if this is really true.
When the NT kernel was being designed it had security in mind. There are varying levels of privilege, access control lists for the file system and system objects etc. Some of these features are only appearing in Linux now with 2.6
Sure there have been flaws in the implementation, services turned on, running with system level privileges with ports exposed to the internet. So Windows the system is not secure out of the box. But is it insecure by design?
A lot of people run windows as an administrator because programs written in the 9x era were not designed with the security model in mind. Programs want to access system level files or registry settings. Windows XP brought the two product lines together but in order to maintain the backwards compatibility they had to sacrifice the security.
Also people hate hitting security barriers whenever they want to reconfigure something.
I would like to see some evidence that a box running NT can NEVER be secure due to its design, rather than just not being currently secure due to its implementation.
All the trolls about MSLinux seem to assume that NT is a terrible kludge that MS ought to abandon and just build a Windows GUI over Linux like Apple did over BSD.
Is NT really flawed in its design or is it just the layers of services, APIs and backwards compatibility fixes that make the current implementations of NT vulnerable?
If all Win32 apps were sandboxed the way win16 apps are and MS migrated to a new API would this solve a lot of the problems?
I would welcome links to articles about this.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
At the top of this thread is an ad for MS Small Business Server - oh, the irony!
Or purchased a pre-installed system.
Don't get me wrong, I don't want the folks in Redmond strung up by their short-hairs. I don't think anyone wants the writers of software to be liable for how it is used. I just want them to write decently secure software. It is really hard to give them the benefit of the doubt when they have repeatedly abused their power. If they *really* cared about security, this could all be written off to the nature of the software industry. There will always be bugs, always be crackers. Hopefully, there will not always be Microsoft as we know them today.
My beliefs do not require that you agree with them.
"The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit."
Yet my workplace has had several problems directly caused by Windows updates. It's not frequent, but it's happened far more often than it should. It would be different if the problems were intentional and documented (see Red Hat example below), but they weren't. We had to roll back the patches and intentionally leave ourselves vulnerable until the next patch that fixed the prior patch was released.
I have had only one Red Hat security fix that caused (minor) problems with one of the Linux systems (the web server). An Apache upgrade was made in which the configuration format for one option (I can't remember which one) was changed, making the current configuration non-functional. However, this was planned by the Apache Group and was documented in the upgrade RPM. A simple tweak to the configuration file brought the service back, and life went on.
"And for those saying they don't trust Microsoft to fix their systems, I have one question: If you don't trust this company, why did you give it your money?"
This is a bone-headed question. They gave Microsoft their money because they had to. Most people still don't know anything but Microsoft. They blindly hand over their money year after year because, thanks to Microsoft's abuse of its monopoly position, they don't have a choice.
Windows insecurities are strategic - they are the "stick" that gets everyone to agree to EULA changes. I predict a critical fix will install Palladium within the next couple years, and that a worm will appear shortly after that will force everyone to install that patch.
Here's what was installed on my XP machine at work:
.NET Framework version 1.1 .NET Framework Service Pack 2, English Version .NET Framework version 1.1
Successful Thursday, August 21, 2003 Security Update for Microsoft Data Access Components (823718)
Successful Thursday, August 21, 2003 August 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (822925)
Successful Wednesday, July 30, 2003 Windows Error Reporting: Recommended Update (Windows XP)
Successful Thursday, July 24, 2003 Q322011: Recommended Update
Successful Thursday, July 24, 2003 Recommended Update for Windows XP SP1 (817778)
Successful Thursday, July 24, 2003 DirectX 9.0b End-User Runtime
Successful Thursday, July 24, 2003 Security Update for Microsoft Windows (819696)
Successful Thursday, July 17, 2003 821557: Security Update (Windows XP)
Successful Thursday, July 17, 2003 Security Update for Windows XP (823980)
Successful Friday, July 11, 2003 817606: Security Update (Windows XP)
Successful Friday, July 11, 2003 823559: Security Update for Microsoft Windows
Successful Friday, June 27, 2003 Hp Printer Driver Version 4.20.4100.430
Successful Friday, June 27, 2003 Q282010: Recommended Update for Microsoft Jet 4.0 Service Pack 7 (SP7) - Windows XP
Successful Thursday, June 26, 2003 327979: Recommended Update
Successful Thursday, June 26, 2003 DirectX 9.0a End-User Runtime
Successful Tuesday, June 24, 2003 Microsoft
Successful Tuesday, June 24, 2003 814995: Recommended Update
Successful Tuesday, June 24, 2003 331953: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 329170: Security Update
Successful Tuesday, June 24, 2003 811630: Critical Update (Windows XP)
Successful Tuesday, June 24, 2003 Q329048: Security Update
Successful Tuesday, June 24, 2003 Q323255: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 Microsoft
Successful Tuesday, June 24, 2003 814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
Successful Tuesday, June 24, 2003 817787: Security Update Windows Media Player for XP
Successful Tuesday, June 24, 2003 810577: Security Update
Successful Tuesday, June 24, 2003 810833: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 810565: Critical Update
Successful Tuesday, June 24, 2003 328310: Security Update
Successful Tuesday, June 24, 2003 Q329115: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 Q329390: Security Update
Successful Tuesday, June 24, 2003 Q329834: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 814033: Critical Update
Successful Tuesday, June 24, 2003 Q329441: Critical Update
Successful Tuesday, June 24, 2003 Q815021 XP: Security Update
Successful Tuesday, June 24, 2003 816093: Security Update Microsoft Virtual Machine (Microsoft VM)
Successful Tuesday, June 24, 2003 Q817287: Critical Update (Catalog Database Corruption in Microsoft Windows XP)
Successful Tuesday, June 24, 2003 811493: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 330994: April 2003, Security Update for Outlook Express 6 SP1
Successful Tuesday, June 24, 2003 818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
Canceled Monday, June 23, 2003 Microsoft
Failed Monday, June 23, 2003 DirectX 9.0a End-User Runtime
Successful Thursday, November 01, 2001 Windows XP Update Package, October 25, 2001
S
Security-wise, it's best to completely erase everything and start over. But with this particular type of Windows XP installation, I cannot erase everything and start over. I can do that with most other operating systems (such as Red Hat Linux, or even other versions of Windows): if they've been broken into (or I strongly suspect it), I can erase everything (or swap out the hard drive) and start over fresh. With this type of Windows XP installation, I must pray to the Tiki gods that the attacker forgot to attack the part of the computer I cannot defend. Of course, if I'm an attacker, wouldn't I want to attack the part of the computer that cannot be undone?
Not all Windows XP installations are set up this way, but many are. And this particular installation technique is uniquely dangerous. As far as I can tell, only certain Windows installations are this vulnerable in today's market.
- David A. Wheeler (see my Secure Programming HOWTO)
In a small business you do more than 1 job.
For example, I'm the SysAdmin, DBA, Resource Planner, Disaster Recovery Manager, in addition to my actual title of Software Developer. I also am the liaison for all communications with our parent company's (billion dollar company) CIO.
We have 1 manager (VP), 3 developers, 3 support/admin assistant positions. Our company has around 1 million a year income for our office but our clients (which we help our parent company land) bring in over 250 million to our parent company. We are a very small niche, but successful nonetheless.
I have my own company as well with 2 other individuals and we all work in all areas of the company (except financing which is my bag). Not all businesses are straight "This is your role, do nothing more."
to write a virus for Linux, there would be hundreds of them coming out of Redmond every month.....
PENAROL: You will be eternal like time and will flourish every spring.
I believe if the mac os or some linux distro were the most widely used os, then it would be the one to get the most attacks. People who make these kinds of worms and/or viruses I believe try to target the most widely used operating system so as to infect more people. At least that is what I would do.
But you can add a header that spoofs, that adds an originating IP that is not yours. I know, this is hard and gets done wrong by most spam, but headers can be spoofed.
Not to mention intercepted and changed messages that are possible.
Bad PR?
It would be an admission of their incompetence.
PENAROL: You will be eternal like time and will flourish every spring.
There should be no EULAs on a security patch.
Microsoft should not be using service packs and security patches to update their EULA. Those should not be legally enforceable.
Alas, there are, they do, and they might be.
the worms have taken their toll on systems at the schools where i learn and work. As a student aide to the 'Instructional technology facilitator' (read: the guy in charge of all the software of the PC's and Macs on campus, but has to put in work orders to fix anything), i've patched a half dozen 2k and/or xp systems by hand this last week alone. 80% of the school is MAC based, the boss hasn't a clue about M$ O/S'es, leaving me to keep the administrators and teacher's boxes in line, but it's a MAJOR PITA... At home, on a LAN of 7 boxes, 3 of them W2KP, with a very secure RedHat/shorewall based paranoid firewall between the boxes and the 'net, i have had ZERO problems (as it turns out, the school board's net filters, proxies, servers and firewalls are all Windows NT, 2k or 2k3 based save for a set of AS400 racks that run accounting and district wide student databases, and as such disable at every level, SSH), but the servers were still not patched UNTIL LAST WEEK!!!!!!!! my 2k box at home is locked down, i grab my e-mail on my linux desktop, and do anything save gaming on the nix box as well. the firewall does a bangup job of keeping the nasties off my LAN, i have updated scanners on all 3 boxes and have had no trouble, i'm lucky i guess. the cable modem's activity lights go nuts 24/7 even when the 2k boxes and the nix desktop are off (read: lots of shit hitting the firewall), glad they're not on the wrong side of it. well... off to patch more boxes.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
Not that I am a Windows fan but if Mac or Linux was the most popular OS wouldn't most viruses and worms target these systems? Windows might have its security problems but I see new updates and security patches on my RedHat boxes all the time. Couldn't these exploits be used for viruses if virus creators targeted Linux or Mac?
I never liked you
It's simple. No end user control. Ever try to read the news on a Yahoo page that has all options missing except about macromedia flash?
The only way to turn off the noise was remove the player. Until they fix the problem of no user control, it won't run on my systems.
A simple always functioning stop and play buttons are all that are needed but are lacking in many in your face blinking wiggling distracting ads. Even if ESC would work like animated GIF's stop, but even this is non-functional on FLASH. The stop button does nothing, right clicking to uncheck play does not work, only removal works 100% of the time. It's the same reason the blink tag was so hated.
Since I don't need to see all the trivial stuff to read the news, I just do without the player as it's the easiest way to kill the video noise.
The truth shall set you free!
Yes, but define 'reasonable attempt'. Ford would send me a letter telling me to get the car to a dealer. Microsoft expects us to ask if there's a 'recall' in effect.
"Eula?"
"Who the fuck is this Eula and why does he keep making us agree to stuff?"
"I just wanna email my kid at college, since the little bastard never calls anymore!"
Really. I can't think of the last time I've even bothered to read the EULA on anything. It's long, boring, and is written in lawyerspeak that makes me bleed from my eyes and seethe with hatred from just glancing at the damn thing.
Who really wants to actually read a document that says, in basic terms:
- We're letting you use this.
- You have no rights.
- If you have this software installed and do something we don't like, we'll sue you.
Nice, guys. Thanks a fucking lot. I give you $40/90/180/26,000 to buy a hunk of software and you try to shove a stick in my ass at the first opportunity.
I'm going back to building cabinets for a living.
s'wut i sed.
At the company where I'm network admin, we have mostly Win2K and WinXP boxes and Win2K and Solaris servers.
We've got a good firewall, and I try to keep up with the patches in a reasonable timeframe. Not one of our users' systems or our servers was infected with Blaster or Sobig.
With that being said, our email is outsourced to another company (Don't even ask, I've been bitching about that to the upper management until I'm blue in the face) well, that other company got MAULED by both Blaster and Sobig. We went most of the week with virtually unusable email and there was nothing I could do about it. (I did however, get a good quota of "I told you so's" with regard to our lame-ass email provider)
So while it's true that we don't have any users with MACs or Linux, if we did, they would have been just as put out as everyone else.
I'm not getting up on WinSoapBox2k3, but I feel the blame lies with the Virus/Worm authors, and with those who run without firewalls and without keeping their systems patched and up to date.
The Digital Sorceress
to create a Linux or Mac OS virus/worm, M$ would have hundreds of coders writing them and releasing them in the wild, just to counterbalance the bad PR they are getting.
PENAROL: You will be eternal like time and will flourish every spring.
That's when you snap your suspenders, scratch your beard,
You forgot, "rub your fat belly,".
I don't make the rules. I just make fun of them.
Car salesmen? I am reminded of the guy who sold me my current car looking all over the engine compartment for the transmission dipstick. (There is none and the transmission is under the trunk, not up front with the engine.)
Sending a "mailbox unavailable" message right back to spammers seems to me to be a good way to have your email cleaned from spammer's lists. Or would it be?
"Consider the lillies of the goddamn field."
Now, admittedly, this is not a workaround immediately apparent to the users, but if you do even a cursory search on Google, you will find that it is a well-documented problem with a well-documented solution.
The point is a good one, however. There are many apps--even MS apps--which require admin access for full function. I spent a lot of my time at my last employer trying to find the registry permissions necessary to work around this. It can be done for most apps, but it is a PITA and requires a fair degree of comfort with the registry. This is, unfortunately, beyond many Windows technicians. We should be as comfortable with the registry as *nix gurus are with the CLI.
Get off my lawn! Keep the noise down! Stop horsing around!
The way I look at it is that the tools and security ARE actually there. Some in the OS, others in external hardware (firewalls, etc). The problem is users. Microsoft is not in the business to handhold people and protect them. They are in the business to sell software. If the options are there and when things are found they are patched, there is nothing else MS can do. It is up to the users to install the patches and secure their systems.
How about those that got bit by it take a good long look at their systems and accept a little responsibility? Oh wait...we can't have that now can we. Always gotta blame someone else.
You obviously didn't RTFA.
You
people create virii for windows because that's what people use, not because it's more insecure than other OS's. When linux gets more popular people will start making virii for it.
Rob Pegoraro
The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?
Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."
As to why this was posted on Slashdot? For the bashers. It's good to wake up in the morning and feel righteous. But seriously, it's a good summary for those that keep arguing this point, that is if people would bother to RTFA. It also puts a little more credibility into it than the average slashdot troll.
"Last one in is a rotten goblin!" - Kepp
Yup, I've seen a lockup that a service contract was around 150K - I believe we turned it down at that point and decided to take our chances. Of course SUN has posted some pretty pathetic results lately, but I guess that's to be expected- how do you justify 150K for the 'ability' to upgrade at a later date should said update be released?
It's funny that everyone thinks version 5 was easy to upgrade- I think I had to reformat 4 or 5 times to get rid of it long enough to do an update to 6... and 6 didn't update to 7 (broke everything).... and 7 didn't upgrade to 8, and a clean install of 8 didn't work unless I installed Xwindows (as I wanted to just use it as a webserver/dmz).
Of course, that could just be my luck with upgrades.
As an ex Windows admin, the thing that I found most difficult about Windows was not a lack of security by design. Downloading the patches and keeping the AV up to date will suffice normally. No, the problem of windows, to me, lies in that it is a fucking mess.
This may sound ludicrous in view of the jungle that one faces when one moves through a *nix directory tree on the command line (e.g. why is there /bin, /usr/bin, /usr/local/bin etc, confusing for a newbie), but the fact that Windows has literally tens of dozens of directories that belong to the system, that are both undocumented and not self explanatory, as well as the registry, which is an inconsistent fucking mess if there ever was one are things that make windows a pain.
On top of this there are so many design decisions that are superficially a good idea, but make things hell when one goes beneath the hood. An example is the desktop. From a visual point of view it might make sense to only store data in my documents and below that, which is also encouraged by the open/save dialogue, but the My Documents sits in a deep sub folder in the real directory tree. The actual dialogue boxes of so many system controls are anything but friendly. While the wizards make things simple in a linear way, they are a stop gap measure screwed on top of a system that is anything but consistent and visually well thought out otherwise.
To me it seems that MS designs its system in that the core OS team has first go at making the bitch work, and after they are done, the mess is passed on to the UI team which then has the pleasure of slapping crap like wizards and My Documents and tons of irritating marketing reminders (passport, messenger bla bla bla, hide those icons so you can't find them again) on top of the system so that MS can call it "User friendly".
Fucking bullshit.
... like the driver named Conley, who bought a BMW.
This article's old news, I know, but it's worth rereading. This guy didn't know how to operate his brake lights, or his phone, and such. Clearly, even cars are too technical for people, so it shouldn't surprise you if people have trouble with their Microsoft Windows products.
Sometimes you really do need a techie to open your car windows for you.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Why do you need Outlook Express, Media Player, and DirectX 9.0a/b at work?
That, in and of itself, is funny.
Zodiac Survey
when the 'xp' software license expires. i'm under the impression that:
1. you'll probably be using unlicensed products.
2. and they may not work anymore.
billy gates, say it ain't so !
Before anyone else follows Microsoft down the plug, we need to ask loud and clear, "Is MS-Windows ready for the Internet?"
ok I'm now convinced how do I uninstall windows on my machine? couldn't find it pls help(-:
It's funny cause it's true.
I suffered because of windows. When i woke up on the morning of the epidemic, my internet connection was up to sh17, not because my FBSD router was broken, not because any of the fibre had broken, and none of the switches had popped, the firewall was running fine, the proxy had plenty of space to stretch out in, my university's 8600 was running great, at 100%, literally, 100%, now, for something which kind of tips the scale at 5% on a normal day, 100% means a lot of traffic.
Now, for two days internet access was terrible, due to sodding windows machines flo0ding the network due to an outbreak of two worms, due to some sod who plugged an infected windows box behind our firewall.
I hate windows.
-- P'thk! http://radbrad.rucus.net/
He praises Mac for not having open ports and Red Hat for having a firewall. Never does he mention that a lot of Linux distros *do* ship with open ports (maybe through the firewall). 'Between Blaster and Sobig' is not a much longer period than the time between the ssh (root) exploit and the apache worm last year.
I still think Windows could be a lot more secure by default. But this article is unbalanced and therefore does not seem like a very fine analysis.
>Would you have automotive engineers or even car salesmen that don't know how to drive, check the oil and put gas in the car?
Question is, do you want a salesman with dirt under his fingernails and a grease-stache that won't go away?
Or how about an automotive engineer that produces drawings with smears on them and has grease on his keyboard.
What if they have a different automobile than the ones that they design/sell, and the oil is changed differently?
I am a linux programmer, and I don't know squat about MS windows, yet I am forced to run this on my workstation by the network gurus. Are you saying that I should learn the nuts and bolts of windows? Even though it has nothing to do with my job?
As a programmer I have enough of a job, just staying on top of C, Perl, Shell etc. I don't think it should be necessary for me to be able to write batch scripts to back up my file server and know where to go to download preventative measures for the latest microsoft screwup. Especially given that they are discovered and need to be patched almost daily.
I have my own damn job to do!
l8,
AC
But will they make it hard for someone to release a hacked version of the OS that doesn't have all these locks?
I seem to remember a big hubbub about XP activation, but MS apparently released some versions of their OS that don't require activation and people that don't really want to pay simply find a friend that has one of those versions (and copy it).
Basically, when it comes to MS and security (even evil security like the kind you describe): I'll believe it when I see it. MS drops the ball all the time (because they're so big and they want to make profit and their users are lazy so MS is lazy). Why should Longhorn be any different?
Furry cows moo and decompress.
Most of the places I've worked the developers would've killed you if you touched their machines (and I would have been at the lead of the lynch mob). Some of them 'might' have let someone help them move the machine from office to office, if they knew the other person carnally.
Big Brother Bush is doubleplus ungood.
...there's more to it than just an insecure design. Some of it has to do with biology.
You can look at the current situation with computers in terms of homogeneous and heterogeneous societies of organisms. A heterogeneous (i.e. diverse) society is better able to weather diseases and the like because something that affects one thing is not as likely to affect something else. This is proved time and time again in nature. When a single population grows too large, it becomes easy for a disease to come in and wipe everything out. Natural societies tend to be diverse (forests, oceans). Man-made societies (plantations, farms, etc) tend to be monocultures.
See the computing parallel?
What I'm saying is that not only is it acceptable to have a variety of computers running different hardware platforms and operating systems, it's a good idea. The network I have at work is rather diverse - Windows 95, 98, XP, and MacOS X. It's a bit of a pain to keep running, but I can feel pretty safe that if some manner of virus gets past my security, it won't take down *every* computer...
Now apply that to a national level. The consumer computer market is 90% monoculture (roughly). Insecure design or no, a virus has a lot of help in spreading in situations like that.
Just my two cents.
Have two executables.
The virus will randomly send one of the executables to the email addresses it finds.
Simply vary the probability based upon the system that it is on. So if it is spreading from a Windows box, 90% of the emails will have the Windows version of the virus.
If it is spreading from a Mac, 90% will have the Mac version.
So, one Mac person gets infected and he spreads that infection to all of his Mac buddies who spread it to their Mac buddies.
Each time a machine is infected, it downloads both the executables and the smtp app from the machine that infected it. So all new infections can spread to Windows and Macs.
The concept is very simple.
And, according to you, the execution should be very simple.
Yet it just does not seem to be happening.
Yeah, developers usually have their systems set up and tweaked just so, and would no more want anyone else to mess with it than a mechanic or woodworker would lend someone his tools.
-- Alastair
Typical open source garbage. The OS already has a much more functional installer system that works far better, with tools included with the OS (no need for expensive SMS or custom logon scripts), and has far more support. What's this NSIS garbage? Third party installers are shit. Use MSI.
funny munging
Would you have automotive engineers or even car salesmen that don't know how to drive, check the oil and put gas in the car?
If they sold cars I would. Which is why I don't trust computer salespersons.
The Kruger Dunning explains most post on
What if they have a different automobile than the ones that they design/sell, and the oil is changed differently?
If the automotive engineer doesn't know how to check the oil on any car but his own, he's incompetent. If he doesn't know what possibilities are out there now, he'll just reinvent the wheel (or dipstick), badly.
I am a linux programmer, and I don't know squat about MS windows, yet I am forced to run this on my workstation by the network gurus.
Right. So how do you test your linux programs?
Are you saying that I should learn the nuts and bolts of windows? Even though it has nothing to do with my job?
If you're running Windows on your desktop, then it does have something to do with your job, n'est ce pas?
As a programmer I have enough of a job, just staying on top of C, Perl, Shell etc.
Yeah, terrible how they make all those changes to them every week. Perhaps you should consider another line of work?
-- Alastair
It's just a bad analogy to the mechanical world. Certified auto technicians are more than capable of doing "power technician" work like pulling trannies and engine swaps. Changing alternators and starters is backyard mechanic stuff, the kind of things you just need a good toolbox and a set of jackstands to do. I do it myself - actually, I just changed the clutch in my car, which involves yanking the entire tranny; I wouldn't consider myself a technician any more than I would on my Mac, even though I play with that at a pretty low level, too (I tweak my network settings to milk my cable, fiddle with the OS to make it work *really* well, have my own little LAN, so on). It's all about what you enjoy and feel comfortable doing; I'm neither a mechanic nor a tech, just a chemist moonlighting as a chef..
Facts do not cease to exist because they are ignored. - Aldous Huxley
One of the things that I fear the most is an actual terrorist attack using viruses to completely disrupt our financial system. It could be pretty simple and still be successful simply because the countries that have the money are the same countries that the terrorists are targeting! While countries like Iran would be "hit" they would not suffer nearly the damage that countries like the U.S. and Great Britain would. Because of this possibility, I think it is very important that the free countries of the world take immediate steps to harden themselves against computer based terrorism, worms, viruses, and other security issues.
I think that there is poor security designed into Windows. Microsoft knows how to design adequate security, as proof of that look at the X-box. It is quite secure. This probably means that a future generation operating system is going to take the "lessons learned" from the X-box and apply them to that new O/S. This will be the PR story at least. The truth will be closer to MS obtaining a software monopoly on the Windows platform. They will control licenses for it and will require your source code for evaluation before you get the key that will allow installation.
Perhaps poor security is better than the alternative that M$ will dream up. They are driven by profit (every company is) and will take full advantage of any opportunity that they control (as they have already demonstrated).
After the past couple of weeks, it is obvious that there is a business opportunity out there for someone OTHER THAN MICROSOFT to offer a product for Windows that is a full featured security system for desktops (and servers).
I'm wondering what this kind of system would entail? How could you provide exceptional security to everything from a home PC to an enterprise level network? There are some obvious things like firewalls, anti-virus protection, automated patches, controls for security and permissions, and so on. But there are other things that could be done too. How about a key system for executing software? If the key does not exist then the software (exe, process, driver whatever) simply does not get permission to run. What about software that monitors network traffic and when certain limits are set human intervention is required or the PC is taken off line?
I am also wondering about the ethical issues associated with all of this. If Ford puts a car on the road that they know is insecure and an accident happens, they have liability. If I drive a car knowing that it is unsafe, I have liability. If the state allows a road to go unrepaired, they have liability. Isn't the same thing true for a software product? In today's world, in this litigious society, isn't M$ opening themselves up to a great deal of liability when their software is a swiss cheese of vulnerabilities?
DirectX 9b is listed under the "Critical Updates" section on WindowsUpdate now. Apparently there's some nasty vulnerability (who'd a guessed?) in DirectX that 9b fixes.
Outlook Express tends to re-enable itself, so it's best to actually have it be patched, in case it ends up being used.
There are patches for vulnerabilities in every WMP, and you can't really "remove it" per se, so you need to have it patched.
ALL software is insecure by design. Security bugs are almost always the result of some design oversight. Maybe a code flaw causes a vulnerability, but a poor design permits that specific code flaw to make the system vulnerable.
Basing the claim that Linux or Macintosh are more securely designed on a relative lack of viruses or exposed vulnerabilities for those platforms is flawed logic. Numerous other factors are more to blame, including differing user base sizes and makeups (more Windows users), differing code maturities (Linux/UNIX is older and more code flaws have been ironed out regardless of secure-by-design-or-not), and the cultural attitude toward the software (people hate Microsoft and Windows, but who hates Apple or Linus?).
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
CBC Canada is releasing content on WMFormat for WMP 7 and up only. The reason why is obvious. The Microsoft security focus is exactly as I have stated. They could not give a shit about securing their old releases, Longhorn is designed to cure everyone's security problems! With the blessing of Government bureaucrats, and the entertainment industry in North America. So they could care less about security for the old stuff it would hurt sales of Longhorn and cut into revenues too much to really work for them. To do the honorable thing is not a good financial decision for Microsoft! It would also hurt sales of new computers next year. This year was a write off for the big chains. Bastards. Software updates are a joke.
OH THE SHAME I fell off the wagon and use sigs again!
Nobody has to say "let's make this insecure" to have deliberately made the OS insecure. Take 98 for example. A security conscious user turns on the "Show all extensions" setting, and yet, several extensions remain hidden anyway. This turns out to include the dot ess aitch ess extension, meaning shell handling script. Actually making the extension visible takes a registry hack. So MS has given you a control that apparently has some utility as a security setting, then the control doesn't do what it says. Either the person writing the file settings code didn't know that the individual registry settings would override his code (unlikely), or he knew he was oversimplifying by saying all, but didn't want to say "except for some MS wants to keep hidden". Point is someone at some level decided that a scripting extension was among those that needed to be kept hidden. That's certainly a deliberate anti-security choice.
Who is John Cabal?
"What are you doing, Dave? I wouldn't do that, Dave."
You know what?
I don't really care about smokes, dip, chaw or snuff myself. I personally do not have any investment in any of those companies and not even in farming and processing the tobacco. I do however understand that the wrong people were punished and the wrong people were rewarded. You know, its kind of odd to go to Pennsylvania and tell the Amish that they are Evil (tm) for pushing that tobacco onto others when I see that their entire culture is based around personal responsibility. Perhaps we can learn that lesson here as well. Understand that what you take as a sniper shot at the corporate decision makers is often an ICBM that hits only the innocent low level worker bees.
I don't want to see this happen with software and computing systems. I want the industry to grow some balls and start policing itself. I want to see the IT industry promoting smart decision making and non-superficial business methods. (i.e. various degrees are not the solution... degrees are the beginning, not the end)
However, I am FULLY for the companies that ARE well funded as being held more responsible for their ineptitude. The "deep pocket" clause is not just in direct financial assets or reserves but is actually calculated using potential that itself includes information and networking (not the computer kind :) Use that deep pocket calculation to assess the knowledge and power of the company and thus demand they do what they say they do.
If someone loses money from a software flaw that is judged to have been not just an "act of the software gods" then they should be held at least partially accountable. No crap payments for "pain and suffering" but just a clear mathematical accounting of actual dollars lost.
Then again, I do not believe tort law should EVER be related to punishment. Tort should be for recompensation while criminal law is for punishment. Perhaps there should be a "non-tort, non-criminal" law that focuses on punishing in civil circles. The proceeds should not go towards the lawyer or the government... and here the client is NOT the named client in the tort case but all business and consumers. A silly idea might be to put the money into watchdog organizations or small business support organizations as they seem to be hurt the most often.
Once signed with a private key, provided the key has not been leaked, is secure. The only way to verify authenticity, until someone solves NP-complete problems ...
joshua
make install make clean that's all she wrote. joshua
Call me crazy but if I were writing exploits, I'd pick one underrated that's under the radar of the media, etc. More potential hits.
'Important' rated alerts, in my experience, generally get rolled up in a patch cycle or slip through the cracks altogether rather than an emergency security deployment. Folks making the call have to use keywords or an independent rating rather than the MS spin.
I fail to see how windows is any more insecure than most default linux installs.
.. cry me a river
And whoever tries to make the point "linux is just as attractive to virus writers as windows, its just TOO SECURE THAT THEY CAN'T!!!!", as several of you have, I give up.
(this post will be deleted, however if anyone responds with anti-MS comments, your comments will be bumped up with a rating of 5! yay!)
No doubt, the last couple of viruses (msblast & sobig.f) are the results of MS systems bugs.
I truly believe its NOT the issue here: While home users cannot be considered responsible to security issues, corporate admins MUST have (at least some) responsibility regarding the security level of their systems.
As an Open-Systems Admin in a large financial services company, I find it hard to understand what kind of SANE admin would leave his corporates' network gateway/firewall to The Net with tcp port 135 open (with or without a patch)??? what kind of a security-minded admin lets ALL attachments of ALL kinds into his/her domain? Even if all systems I manage were linux/unix/MVS/zOS/S390/whatever I'd still prevent corporate users from getting non-passive-content in (by mail, or by other means).
Sounds insane? - well, for the last four years it worked for us, and as much as users disagreed to our security policy in the first place, they are now (and for quite a while) blessing for it.
Your cock is hairy? Wow, d00d, I recommend seeing a doctor...
Trademark? might work...
Instead, you might want to lean on the IETF and get them to fast-track one of the SMTP/DNS proposals like RMX or SMTP+SPF.
Basically, the proposals add a record to the DNS system so that destination SMTP servers can see whether the inbound e-mail was received from an authorized outbound mail server for the specified domain. If not, then the domain on the e-mail is spoofed, and the SMTP server can act on that knowledge.
Wolde you bothe eate your cake, and have your cake?
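The sender-authorization check described in the comment above, sketched as an added example that is not part of the original post: a receiving server evaluates the sender domain's published record against the connecting IP, using SPF record syntax as later standardized in RFC 7208. Only the `ip4`, `include` and `all` mechanisms are handled, the DNS is replaced by an inline table, and every domain and address is constructed.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (example domains only).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


class PermError(Exception):
    """The published record cannot be evaluated (bad syntax, loop, ...)."""


def _evaluate(ip, domain, txt, count):
    record = txt.get(domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no policy
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                # Address-family mismatch (IPv6 client) simply does not match.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError as exc:
                raise PermError(term) from exc
        elif name == "include":
            count[0] += 1
            if count[0] > MAX_LOOKUPS:
                raise PermError("lookup limit exceeded")
            inner = _evaluate(ip, arg, txt, count)
            if inner == "none":
                raise PermError("include target has no record")
            matched = inner == "pass"  # only a pass from the target matches
        else:
            raise PermError("unsupported mechanism: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def spf_result(client_ip, sender_domain, txt=TXT):
    """Result for the connecting IP against the sender domain's record."""
    try:
        return _evaluate(ipaddress.ip_address(client_ip), sender_domain, txt, [0])
    except PermError:
        return "permerror"
```

A receiver would typically reject on `fail`, treat `softfail` as a spam signal, and draw no conclusion about spoofing from `none`, since that domain has published nothing to check against.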
Anyone who believes Microsoft's motives are to produce a quality OS doesn't know much. They are however masters of manipulation of the masses with flashy toys and domination.
Remember, Windows uses a message passing kernel and does not and cannot take advantage of process space separation like UNIX can. Oh, UNIX has some shared issues too with the likes of shared memory but it is a design decision to use it, in Windows, far too much memory is shared by default.
And if Windows is as secure as Linux/UNIX, then why with Linux and open source is Linux more secure? With Windows being closed source, it should be by Microsoft's claims more secure.
Tell that to the thousands of companies that have killed off many man years patching in the last few weeks. I have some Solaris and Linux systems with up times in the order of 600-1200 days. With a firewall I don't need to patch the fs and others stuff. Easier than insatiable patching.
I like the content at cryptome and your humor. THANKS
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
So, you say that Macs are just as easy to infect, but no one has done it because the people writing the viruses aren't very good programmers.
I even gave you the basics for how to deploy a multi-platform virus.
Now you're claiming that those virus writers aren't interested in getting that last 5 - 10% infection rate.
Well, I can see that you know exactly what motivates all those virus writers. Of course no virus writer would be motivated by the infamy of being the first to deploy a sobig type virus that hit Windows and Macs.
You've gone from making claims about the technology to making claims about the personalities of the virus writers.
So, it isn't about the technology, it's about their personalities. Right. Sure. You betcha.
Whatever it takes for you to be right, eh?
when did it occur to them that windoze is insecure?? m$ is a pain in the ar$e. in my opinion, their software is like mosquitoes... they are everywhere, and no matter how many you kill, they always find some way to regenerate, and they never come back any better than before. and they carry viruses. coincidence? i think not.
There is no XUL, only WebExtensions...
Interception is something, but the client adding headers is just useless. The added headers will always be in the wrong spot because the client can't control where the server puts the origin header.
Read the actual linked news. Linux kernel 2.6 did NOT have SE Linux merged into it, SE Linux was updated to run the new 2.6 prerelease kernels.
The ultimate plays for Madden 2006
When I clicked on the article, this advertisement popped up in the article.
d _336x280_23k.gif
http://m2.doubleclick.net/790463/mrs02112_itdm_ra
--
Adobe's anti-counterfeiting softw
I was trying to explain this to some people the other day as well; Windows is indeed insecure by design. And Microsoft could have fixed things at any time in the past 8 years or so with regard to viruses; it isn't like they haven't known about the problem. If you ask me, it's gross negligence on their part, and they should be liable for damages.
pb Reply or e-mail; don't vaguely moderate.
I wish the people in my office could look after their computers. But then I would be out of a job. I spend most of my time correcting misspelled login names and passwords, turning "broken" printers by clicking the switch etc. If these people had been taking care of their own boxes we would have been nailed by everything and all their passwords would be "password" or their own login name.
Read the actual patch announcement from Linus Torvalds. Note, way down in the list, "selinux merge".
In other news, the Washington Post also revealed that the Pope is a Catholic. And finally, they uncovered the recipe for ice.