Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
In my case, because Virginia Tech's CS department requires us to have XP Pro. The people who don't trust MS use Windows because they have to.
the author makes nice (partial if you may) rebuttal of this myth, and also points to something to back it up like the number of open ports that create potential possibilities for holes, and that are for services that are default enabled, yet shouldn't be used in hostile environment (and how ms does nothing about it, and how xp was supposed to be more secure in matters like this). and frankly i haven't heard of non-hostile environment involving more than 10 people in a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.
-
world was created 5 seconds before this post as it is.
This article seems to have such a pro-Mac stance that I didn't bother reading past the first couple of paragraphs. It's OS/wars all over again.
Granted it's been a few years since I was a Level 1 Tech for Apple Resellers, but let's not forget that for many years Macintosh (and specifically Mac-OS) reigned supreme as the simplest platform for which to write viruses. And virus writers certainly took advantage of it.
Why? Because every time you inserted a floppy or CD, or mounted a new hard disk or Syquest cartridge, the OS went behind the scenes to load CODE resources from the disk to allow the display of custom dialogs (passwords, etc), change desktop settings, layout, etc. The user didn't have to take any action to open files or folders.
It didn't take virus writers long to figure out this point of entry, and with no concept of permissions or anti-trust built into the OS, the malicious code had full control of the system.
Few days went by where I didn't have to low-level format someone's hard disk and inform them that, yes, working backups are a Good Thing to have.
The recent DCE/RPC vulnerability exploited MS's DCOM implementation residing on the end point mapper port using raw DCE/RPC over TCP.
This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.
A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.
If MS had followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may think, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.
int func(int a);
func((b += 3, b));
Regarding IE and Active X.
It's nothing but a virus delivery system.
That was about 8 years ago. Microsoft destroyed Netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.
Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed?
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure.
Actually, virus writers write virii targeting windows machines because windows machines are easy targets, not because there are so many licenses sold.
According to Netcraft's site survey only a quarter of active sites run Windows leaving the bulk of the public internet running on *nix.
I suspect much of the 95% of PCs you speak of are safely walled up in institutions, schools and corporations private networks, which are generally out of scope for a worm like blaster to target.
Now koniosis, what should impress you is that *nix's run the majority of public sites on the internet, (those sites most easily attacked, I might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.
Finally, only a Microsoft employee could think that it's justified that the amount of embarrassing code compromises grows proportionally to desktop marketshare.
Fact: File extensions are still hidden by default.
Pegoraro has a point about users not patching their systems, but unfortunately I can understand why: the updates are causing huge problems.
;)
On one of my desktop systems, the latest Windows XP driver updates trashed my Hercules Game Theater XP setup. Lots of error messages and no sound!
On my Laptop, the latest Windows 2000 service pack blew away support for the Netgear MA401 WiFi card.
The first problem is easily dealt with. Roll back the upgrade. Sound worked before and it wasn't a critical update--just recommended.
For the laptop, I now have a choice between gaping security holes or WiFi support. Thankfully it dual boots to Linux.
I wonder how many people are in the same boat. Plug and pray, or plug and pay!
XP's firewall is off by default and takes at least five steps to turn on
I seem to recall XP's firewall being turned on during the initial "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (Or something like that).
That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.
Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.
I certainly agree with the rest of your points though (and the majority of the article).
Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh, httpd, afp, etc) running.
1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)"
--- Kicking the Cheat since late 2002
C'mon, get a reality check.
decent firewall script
For common user: redhat-config-securitylevel, or menu Applications - System Settings - Security Level (enter administrator password). Choose between No, Normal, Maximum. Normal has proven to be sufficient for average users.
download the latest patched kernel
Click Red asterisk that's blinking in your left corner. Click Launch up2date (enter administrator password) - Next - Next - Finish
In linux you have far more control over the system and can do far more damaging things, as it's less restrictive than windows
Yes, I agree, but only when I'm root. When I'm using my user account system is far better protected. Again user don't need to know what console is.
so you can't say windows doesn't stop users being stupid because linux doesn't make an effort to either
Actually it does, if you read what I answered
To protect your self from posting stupidity, try running system before you wanna join the critics.
And yes, there is a major difference
When you set up Windows you start as Administrator. Most people even without password. First user that you create is still administrator and again there is a possibility to have no password
When you set up linux, you MUST enter administrative password that can't be blank, but redhat starts firstboot script on first login. Here you MUST enter your username and password, by the way, default password length is 6 characters
By the way I'm available to your next comments
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
First of all, your fear of liability is irrational. If it is known and documented that a trojan will forge the sender address, and the headers show that the mail was not sent from your ISP, it sounds like you're in the clear. Even if it were sent from your ISP, one would have to show that you controlled that IP at the time the message was sent.
Furthermore, unless you can cite a case in which a user was held responsible for the activities of a trojan running on his or her system, I feel pretty safe in calling you paranoid. Unless you did knowingly spread the trojan, you're fine, except for the aforementioned paranoia.
That aside...
Nice try.
Too bad you seem to have no clue what trademark actually covers. Contrary to what you seem to believe, owning a trademark does not give you exclusive right to control the use of a certain combination of letters in the Roman alphabet.
This means that Bertelsmann can't do a damned thing about me saying "Bertelsmann" here. Bertelsmann Bertelsmann Bertelsmann. Nor can the RIAA. From the USPTO:
As long as I'm not using a trademark to mislead people by implying that a product was provided by the company which holds that trademark when the product hadn't really been provided by said company, there really isn't a problem.
Go try to register your email address at the USPTO. If you succeed, let me know what it is, and I'll email you letting you know that I heard a story about the Recording Industry Association of America (TM) was suing students from colleges including Princeton University (TM), that I saw the story on MTV's (TM) website, as well as on the news on a Time-Warner (TM) station, and that the students were likely running Microsoft (TM) Windows (TM).
Then I'll invite you to imitate the actions of The SCO Group (TM) and file a lawsuit against me which is destined to do nothing but waste court time.
Hell, you can even forward a copy to each of the companies which own the aforementioned trademarks.
When the court case is thrown out, I'll buy you a cup of coffee at Starbucks (TM), which buys its milk from Horizon Organic Dairy (TM).
Somebody get that guy an ambulance!
Have you ever heard of the term "NTFS"? Go to an XP machine and see how C:\WINDOWS\Temp permission is set up. Your saying that Windows has no sticky bit-like mechanism is like saying *NIX doesn't have ACL.
it's dorm move-in weekend at the university where i work. after looking at a sample of the machines brought to school by students given the privilege of early move-in (ra's, mainly), we found that less than 5% of our students were patched for both blaster/lovesan and welchia/naichi. as such, it was decided that shutting off the entire residence hall network would be easier than shutting off ~95% of the ports once they got infected (typically takes 3-5 seconds in this environment). so our student workers and a few full-timers like me get to make our way to every single student machine (~8,000 students in the dorms) and analyze, clean, patch, and install a current virus scanner.
overtime is great.
Those that read the Washington Post know Rob Pegoraro has:
1) Never seen an Apple product he didn't like.
2) Never read an Apple press release that he didn't agree with.
3) Agrees that all new Apple strategies have finally got it right.
Hell, not only does OS X patch itself and Apple apps (Safari, iMovie, iTunes, etc.), it'll even patch Internet Explorer with a security patch. This is accomplished via a pop up window with a list of updates to install, check boxes next to each one, info buttons next to each one and a single install button. Nice being able to queue all the installs and set them d/l'ing and running. After doing a restart, if necessary, it'll check again, to see if there are more patches that are now needed.
I drank what? -- Socrates
And that's about as basic as it gets. E-mail is text. Anything else is un-necessary. Why people just HAVE to use lazy-HTML is completely beyond me. People should use Pegasus or some other compliant mailer...at least to keep life sane for those of us who otherwise give a damn.
Don't remember any Mac worms, but a couple of annoying viruses. Chiefly the ones that spread through the Quicktime CD autorun thing, which should always be turned off even under OS X - virtually nothing ever used it, and it's unnecessary on a Mac anyway (the users know what to do because a CD picture pops on their desktop and has a nice pretty picture and icon inside to double-click on in exactly the manner they're thoroughly accustomed to).
:)
If there was a worm I've forgotten, please do remind me of it.
I patch regularly, run a hardware firewall and have gotten exactly 1 virus on a computer I own (in 1996 from a floppy disc in a college lab) and even that didn't get off the floppy and I still was affected as I received 1000 infected emails per day at the end of last week as *other* people got infected and sent messages both to and from me without my involvement. Aside from guarding my email address with my life (gee, my customers would love that policy) no amount of due diligence would have prevented the problems I received.
The Glass is Too Big: My Take on Things
I did an strace of a (brand new, designed-for-XP) program on Windows XP recently. The program changes the mouse cursor when you mouse over certain UI features. According to strace, Windows XP uses WOW (windows-on-windows -- Win16 emulation!) to do this. To this day. In their latest operating system release. Sheesh. The Win32 call thunks down to Win16 emulation, even on XP. How busted is that.
Plus, windows thinks that just because a file's name ends in ".exe" or some other magical combination of letters, that it's a program and should be loaded and run. Over here on my Linux systems, I can deny execute permission to entire filesystems (such as users' home directories), and in any case, Linux doesn't assign every random attachment and download execute permission by default.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
X-MailScanner: Found to be clean
Not sure what it achieves, but it's there.
Sig:Why copyright isn't a fundamental human right
Windows patches come in both a Windows Update version (downloaded through an ActiveX control through windowsupdate.microsoft.com) and a "redist" version (downloaded through any graphical web browser).
Will I retire or break 10K?
Never got a single virus in five years of using Outlook - I only just recently moved to Mozilla Thunderbird for the spam filtering.
.vbs attachment? Don't run the attachment! Simple enough...
Honestly, any user with an ounce of common sense can use Outlook perfectly safely. That e-mail with the pidgin English and the
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project failed.
It's all a matter of perspective. It seems like Windows NT/2k/XP works pretty good for knowledgeable end users (Which you seem to be one ...). I have a W2K box that as a box works pretty good at what it does (though it does have some rather strange memory related problems .. but not nasty enough to justify a re-install...)
However, at least for me, after running Linux, Mac OS X and now FreeBSD as my primary desktop, I have a different perspective on how an operating system should work.
I actually find the *nix desktops to be easier to work with. Not only are there a lot more cool features (ie mozilla has lots of neat features over Internet Explorer, same with KDE vs Explorer, etc..) but the entire system seems laid out much more logical. When programs install on my FreeBSD box, I know exactly what files it has installed and where (not to mention it is really easy to remove ALL the related files compared to the add/remove feature in Windows). I can quickly find what applications are running, I have a lot more information available to me as far as what is going on "under the hood" and most importantly, I can access all critical features on a fast SSH connection instead of trying VNC or some other cumbersome GUI interface.
So what's my point? Well I suppose when my Windows using buddies, relatives and customers call me with yet_another_windows_problem (sobig, blaster, other viruses, adware, whatever..) I tend to think that "well if they were running *nix, would they have this problem? (usually not)" and "if they were running *nix, I could simply SSH to their box and fix the problem in a few minutes instead of explaining how to setup VNC over the phone and trying to troubleshoot it remotely (with their side being a 28.8k dial up connection)) or hopping in my car and physically sitting in front of the computer and hacking away at it..
What's my point? I dunno. I guess I have found the *nix systems to be generally better than the Microsoft offerings. Since using *nix, I have different expectations to how my computer should work and at this time, Microsoft does not meet these expectations. In fact, when I am using Windows boxes, I have found that I get frustrated with the machine because it doesn't work like I am used to.
This includes security updates and point-revisions of the OS (which one might presume to have less-critical security updates rolled into them), and excludes application specific updates for the i-App suite, Safari, etc. that were not labelled as "Security" related (one might assert that they were in fact security related, but they included point-upgrades to the applications as well. Those totalled perhaps 8-10 updates over the span covered). Note that two (Stuffit! and IE) are for 3rd-party bundled apps with labelled "Security" updates.
yes, I'm aware that I haven't installed the latest one to patch the off-by-one bug that impacts the FTP server. I'm waiting until I need to reboot for some other reason.
TOTAL UPDATES OVER THE PAST 10 MONTHS: 5. 7 if you count patches to 3rd party apps, one of which was IE. 10 if you're really liberal and include the point-revisions of the OS too.
Please tell me where these "lot of security updates in the past 6 months" are... I'm not seeing them.
Full headers of the e-mail in question would indemnify you, as the originating IP is added by the first SMTP server to deal with the message and can't be spoofed by the client.
I know it's a lot to ask on Slashdot, where grammar and spelling aren't exactly second nature, but can we please get over this pseudo-latinistic plural of the word virus?
I know it's vogue with geeks to use latin plurals, but as anyone who has studied latin knows (and I realize nowadays not many people can claim this), not every word ending in -us is a second declension masculine noun (whose nominative plural, of course, ends in -i).
It's a good guess for most words ending in -us obviously of latin origin (focus, for example), but it doesn't hold in all cases and you should definitely do your homework.
But since this is Slashdot, I did your homework for you. Check out this page for an explanation.
Be warned, though, it sort of assumes that you have a brain. Those lacking need not read it. For those of you that just want to take my word for it, the plural is 'viruses' (that wasn't so hard, now was it).
If a file ends in .exe, .vbs, .bat, .scr, or one of lots of other extensions, Windows assumes it's executable and will load and run it when the user clicks on it. Or a "shell" command references it, etc.
Not only that, it goes and hides that part of the name by default, so most people won't get a warning that the file will be executed.
it's even possible to deny the "execute" permission to an entire filesystem
You can actually deny execute permission on a drive (or any file/folder) in Windows as well, but since that's shared with folder traversal it may not be feasible. (and I doubt that's available in "Home" editions...) It might work if you go and enable it for all folders specifically (and not their content), but that would get extremely tedious.
This is what grabs me: a new vulnerability with MDAC announced on 8/20 is rated as 'Important'. Same buffer overflow problem as 026.. same potential for damage.. most/all corporate customers have MDAC running.. but it doesn't rate a 'Critical'. Are they waiting for exploit code to appear or are they waiting for the sh!tstorm to die down?
Virii is not a word. You mean viruses.
The Symantec W32.Blaster.Worm Removal Tool has been downloaded about 131,000 times through Download.com, which is probably a fair measure of the scale of the infection.
---but, in comparison, Kazaa was downloaded 2,678,000 times last week alone.
To break into Download.com's top fifty lists, a Windows program must approach 30,000 downloads a week, to make the Mac list, a bare---some would say pathetic--- eight hundred.
The simplest conclusion to be drawn from such numbers is that it is difficult for even the most aggressive worm or virus to bring down more than the tiniest fraction of the installed Windows base.
---not because Windows systems are "inherently secure," but because the Windows user base is so immense an infection can be contained before it becomes unmanageable, or even visible to users, for anyone who auto-magically installed the RPC patch on July 16th, the hoo-rah after must have come as quite a surprise.
There are some unlucky people who practiced due diligence and thought they were patched, but were not.
Windows Update had (and still has) a flaw in that it checks registry keys to determine if you have patches installed, rather than the files themselves. Sometimes the registry key is inserted but some or all of the actual patch files are not, for one reason or another. This happened to many people on July 17th, and they were probably really surprised when they got hit by the MS Blaster worm.
One particularly noteworthy victim of this flaw is the US army.
How long ago was that?
There's Bochs, which is free and will emulate an x86 on almost anything, including the Mac, but it's not very fast.
And since about 1994, there have been Macs that can run Windows using a built-in x86 compatible processor, like having two computers in one. You could switch between them by pressing a simple key combination, and it came with software to help you do things like copy and paste between them. The high school I attended had one.
My bosses generally don't believe in "can't", but most of the time they're right.
Nope. Don't do it that way. You're liable to promote Linux to their system, and yourself into homelessness.
---
Use a proper business model:
"Okay, my first charge for help is going to be $100 -- $50 for one hour of help, and another $50 for a second HDD, installing a dual-boot Debian Linux on your computer. At that point, you have a choice about which system you want to boot into, and it will make it easier for me to disk-image your Windows system directories, and fix your problems. One thing, though: keep all your program CDs in one place for quick reinstall; your programs installed in c:\my programs; your downloaded programs in c:\my downloads\programs; and all your documents stored somewhere under c:\mydocuments. That will keep things simple for me, and cheap for you.
"After that, I'll charge $50/hr for service, but it will be a ton cheaper, because I'll often simply restore the image of your OS directory. Indeed, I'll show you how to do it.
---
Quite honestly, as they get used to using Linux, they'll start to forget Windows. I know I did. It's still on my system. Eventually, though, I had to completely reformat my Win98 HDD and reinstall. This time, the reinstall for some reason never gave me Word, which was in the original software set, and I can't figure out how to get it [and it is one of my main reasons for keeping Windows around.] But interestingly, with the reinstall, I ended up doing it a second time and installing almost nothing, but lo and behold, my HP DJ1120c print driver, which used to crash on the loaded system, still crashes on the empty system, and now it's clear that it is an OS bug, since it crashes other things, too. So my other major reason for keeping Windows around, a better print driver, is also bogus.
Well, as people start to realize this stuff, they're going to drop Windows on their own. And you're not going to make yourself poor, servicing them for free.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Well, but given a simple look in the mail headers, you can well prove that the infected mail did not come from you.
I recently got a load of Failure Notices to my University mail account that claimed the mail I had sent was infected with a virus (I think it was an earlier SoBig variant). Well, the notice included the header of the original email, which in turn included the Received: line I was looking for.
The guy's computer (in another dorm) was denied net access by the computer center after my mail to their abuse handler until he proved to the net admins in his dorm that his box was clean again.
In short: to anyone who asks you, you can effectively prove the mail did not come from you. Unless, of course, you're in via some dialup provider which happens to be the same the sender of the virus mail used; that makes it a bit harder.
Email viruses for a long time couldn't be prevented by the end user, if that user was using Outlook/Outlook Express.
If I get an attachment called 'summary.txt' then I tend to assume it's a text file, and will view it to see its contents. In OE it may actually have been 'summary.txt.pif', an executable virus. A system that allows that mistake to happen has inherent design flaws.
For the record, that's one reason I've never used Outlook Express. I use mail systems that tell me what I've received, and that will handle attachments in the manner I expect.
Calling people 'stoopids' may make you feel superior, but doesn't alter the insecurity of the design of many MS products.
A lot of users are ignorant. There are solutions to that problem that don't include introducing a whole new class of virus (email viruses), or leaving systems open to remote attack (e.g. MSBlast) by default.
~Cederic
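The 'summary.txt.pif' case from the comment above, as an added example that is not part of the original thread: a mail-filter style check that flags attachments whose final extension is one Windows will run while the name left after hiding that extension still looks like a document. The executable extensions are the ones named in this thread; the decoy-extension list, the function names and the sample message are assumptions constructed for the example.

```python
"""Flag e-mail attachments whose real extension is executable but whose
name looks like a document once the last extension is hidden."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions this thread names as "Windows will run it when clicked".
EXECUTABLE_EXTS = {".exe", ".vbs", ".bat", ".scr", ".pif"}
# Assumption of this example: inner extensions that make a name look harmless.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def classify_filename(name):
    """Return (verdict, shown_name).

    verdict is "ok", "executable" or "disguised-executable"; for the two
    executable verdicts shown_name is what a user sees when the final
    extension is hidden, otherwise it is the cleaned full name.
    """
    # Windows ignores trailing dots and spaces, so "a.exe." is still a.exe.
    cleaned = name.strip().rstrip(". ")
    stem, ext = os.path.splitext(cleaned)
    if ext.lower() not in EXECUTABLE_EXTS:
        return ("ok", cleaned)
    # Padding such as "report.doc      .scr" pushes the real extension
    # out of view; strip it before looking at the inner extension.
    shown = stem.rstrip()
    inner = os.path.splitext(shown)[1].lower()
    if inner in DECOY_EXTS:
        return ("disguised-executable", shown)
    return ("executable", shown)


def scan_message(raw):
    """Parse a raw RFC 822 message and classify every named MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None:  # body parts and containers have no filename
            continue
        verdict, shown = classify_filename(filename)
        findings.append((filename, verdict, shown))
    return findings


def build_sample():
    """Constructed sample message with three attachments (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Re: details"
    msg.set_content("See the attached file for details.")
    for name in ("summary.txt.pif", "notes.txt", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, shown in scan_message(build_sample()):
        print(f"{verdict:22} real={filename!r} shown={shown!r}")
```

A filter built on this would quarantine or rename the "disguised-executable" cases and display the real name for the rest.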
The Washington Post article implies that OS X or linux is by default 100% secure. Most of us here at slashdot know that to be untrue.
1 per month is a fairly small number, I agree. But for your average clueless user... "I just did that last month, now I have to do it again? I thought I bought an iMac so I didn't have to do this anymore..."
> Tell your friends: Don't preview email. Delete email you don't
> know or trust. Don't open attachments if they're not absolutely
> known and expected. Update early and often
No. Tell them go to www.pmail.com and get Pegasus Mail, and read
email with that. "Don't use Outlook. It's too dangerous."
Cut that out, or I will ship you to Norilsk in a box.
Here's what was installed on my XP machine at work:
.NET Framework version 1.1 .NET Framework Service Pack 2, English Version .NET Framework version 1.1
Successful Thursday, August 21, 2003 Security Update for Microsoft Data Access Components (823718)
Successful Thursday, August 21, 2003 August 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (822925)
Successful Wednesday, July 30, 2003 Windows Error Reporting: Recommended Update (Windows XP)
Successful Thursday, July 24, 2003 Q322011: Recommended Update
Successful Thursday, July 24, 2003 Recommended Update for Windows XP SP1 (817778)
Successful Thursday, July 24, 2003 DirectX 9.0b End-User Runtime
Successful Thursday, July 24, 2003 Security Update for Microsoft Windows (819696)
Successful Thursday, July 17, 2003 821557: Security Update (Windows XP)
Successful Thursday, July 17, 2003 Security Update for Windows XP (823980)
Successful Friday, July 11, 2003 817606: Security Update (Windows XP)
Successful Friday, July 11, 2003 823559: Security Update for Microsoft Windows
Successful Friday, June 27, 2003 Hp Printer Driver Version 4.20.4100.430
Successful Friday, June 27, 2003 Q282010: Recommended Update for Microsoft Jet 4.0 Service Pack 7 (SP7) - Windows XP
Successful Thursday, June 26, 2003 327979: Recommended Update
Successful Thursday, June 26, 2003 DirectX 9.0a End-User Runtime
Successful Tuesday, June 24, 2003 Microsoft
Successful Tuesday, June 24, 2003 814995: Recommended Update
Successful Tuesday, June 24, 2003 331953: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 329170: Security Update
Successful Tuesday, June 24, 2003 811630: Critical Update (Windows XP)
Successful Tuesday, June 24, 2003 Q329048: Security Update
Successful Tuesday, June 24, 2003 Q323255: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 Microsoft
Successful Tuesday, June 24, 2003 814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
Successful Tuesday, June 24, 2003 817787: Security Update Windows Media Player for XP
Successful Tuesday, June 24, 2003 810577: Security Update
Successful Tuesday, June 24, 2003 810833: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 810565: Critical Update
Successful Tuesday, June 24, 2003 328310: Security Update
Successful Tuesday, June 24, 2003 Q329115: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 Q329390: Security Update
Successful Tuesday, June 24, 2003 Q329834: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 814033: Critical Update
Successful Tuesday, June 24, 2003 Q329441: Critical Update
Successful Tuesday, June 24, 2003 Q815021 XP: Security Update
Successful Tuesday, June 24, 2003 816093: Security Update Microsoft Virtual Machine (Microsoft VM)
Successful Tuesday, June 24, 2003 Q817287: Critical Update (Catalog Database Corruption in Microsoft Windows XP)
Successful Tuesday, June 24, 2003 811493: Security Update (Windows XP)
Successful Tuesday, June 24, 2003 330994: April 2003, Security Update for Outlook Express 6 SP1
Successful Tuesday, June 24, 2003 818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
Canceled Monday, June 23, 2003 Microsoft
Failed Monday, June 23, 2003 DirectX 9.0a End-User Runtime
Successful Thursday, November 01, 2001 Windows XP Update Package, October 25, 2001
S
It's simple. No end user control. Ever try to read the news on a Yahoo page that has all options missing except about macromedia flash?
The only way to turn off the noise was remove the player. Until they fix the problem of no user control, it won't run on my systems.
A simple always functioning stop and play buttons are all that are needed but are lacking in many in your face blinking wiggling distracting ads. Even if ESC would work like animated GIF's stop, but even this is non-functional on FLASH. The stop button does nothing, right clicking to uncheck play does not work, only removal works 100% of the time. It's the same reason the blink tag was so hated.
Since I don't need to see all the trivial stuff to read the news, I just do without the player as it's the easiest way to kill the video noise.
The truth shall set you free!
Windows also allows you to deny execute permission to entire filesystems. It allows much more fine grained control than unix.
The latest version of Microsoft Outlook can be set up so it doesn't even allow me to save an 'unsafe attachment', much less run it. I have to hack around in the registry to re-enable it, or ask the sender to resend it in a zip file.