Slashdot Mirror


Windows Is 'Insecure By Design,' Says Washington Post

Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"

12 of 1,326 comments

  1. 'windows attacked because popular' by gl4ss · Score: 5, Informative

    The author makes a nice (partial, if you may) rebuttal of this myth, and also points to something to back it up, like the number of open ports that create potential possibilities for holes, and that are for services that are enabled by default yet shouldn't be used in a hostile environment (and how MS does nothing about it, and how XP was supposed to be more secure in matters like this). And frankly, I haven't heard of a non-hostile environment involving more than 10 people on a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.

    --
    world was created 5 seconds before this post as it is.
  2. Re:Choice by mjmalone · Score: 4, Informative
    If you read the computer requirements for computer science majors you will see that they also require you to be able to run Mandrake Linux.

    In the FAQ they respond to the question "Do I have to use Windows XP Professional on my computer?"
    Certain assignments or software in some classes may require the use of Windows which is available in the Computer Science undergraduate labs. If you do not run Windows on your computer, you will miss an educational opportunity to learn Windows administration, which is a marketable skill. The Department will not check that you are, in fact, using Windows XP Professional. However, if you choose to run Windows 95 or 98, you will almost certainly experience increased difficulty in the programming classes.
    The requirement is more of a guideline for people who don't know what to get. And the original poster is probably just a karma whore who doesn't know what he/she is talking about.
  3. Re:It's not Windows' fault by lkaos · Score: 4, Informative

    The recent DCE/RPC vulnerability exploited MS's DCOM implementation residing on the end point mapper port using raw DCE/RPC over TCP.

    This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.

    A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.

    If MS had followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may think, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.

    --
    int func(int a);
    func((b += 3, b));
  4. quoth Marc Andreessen by Crashmarik · Score: 4, Informative

    Regarding IE and Active X.

    It's nothing but a virus delivery system.

    That was about 8 years ago. Microsoft destroyed Netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.

    Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed?

  5. Re:95% a target perhaps? by deputydink · Score: 5, Informative

    Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure

    Actually, virus writers write virii targeting Windows machines because Windows machines are easy targets, not because there are so many licenses sold.

    According to Netcraft's site survey, only a quarter of active sites run Windows, leaving the bulk of the public internet running on *nix.

    I suspect much of the 95% of PCs you speak of are safely walled up in institutions', schools' and corporations' private networks, which are generally out of scope for a worm like Blaster to target.

    Now koniosis, what should impress you is that *nixes run the majority of public sites on the internet (those sites most easily attacked, I might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.

    Finally, only a Microsoft employee could think that it's justified that the amount of embarrassing code compromises grows proportionally to desktop marketshare.

  6. Re:Good point, muddled way of expressing it by PygmySurfer · Score: 5, Informative

    XP's firewall is off by default and takes at least five steps to turn on

    I seem to recall XP's firewall being turned on during the initial "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (or something like that).

    That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.

    Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.

    I certainly agree with the rest of your points though (and the majority of the article).

  7. OS X is completely locked up... by cfoster611 · Score: 4, Informative
    In comparison, Mac OS X ships with zero ports open to the Internet.

    Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user services (ssh, httpd, afp, etc.) running.
    Port Scan has started ...

    Port Scanning host: 127.0.0.1

    Open Port: 427
    Open Port: 631
    Open Port: 1033
    1033 is assigned to NetInfo
    427 is "server locator"
    631 is "IPP (Internet Printing Protocol)" ... according to the IANA.
    --
    --- Kicking the Cheat since late 2002
  8. Re:New sig file... by dspeyer · Score: 4, Informative
    They beat you to it (sorta), Sobig.F contains the line

    X-MailScanner: Found to be clean

    Not sure what it achieves, but it's there.
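An added example, not part of the original comment: a header like the `X-MailScanner` line quoted above is set by whoever sends the message, so a receiving gateway should discard any copy that arrives with the mail and stamp only its own verdict. The header list, the stand-in scanner, the host name and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Assumption: our own gateway stamps its verdict under this header name too.
VERDICT_HEADERS = ("X-MailScanner",)

# Constructed sample of an inbound message that arrives already claiming a clean scan.
SAMPLE_INBOUND = """\
From: sender@example.com
To: user@example.org
Subject: Re: Details
x-mailscanner: Found to be clean
Content-Type: text/plain

Please see the attached file for details.
"""

def stand_in_scan(msg):
    """Hypothetical placeholder for the real scanner call."""
    return "scanned by mx.example.org (stand-in verdict)"

def sanitize_inbound(raw, scan=stand_in_scan):
    """Drop verdict headers that arrived with the message, scan, then stamp ours.

    Returns (message, removed) where removed lists the (name, value) pairs
    the sender supplied; a non-empty list is worth logging as a signal.
    """
    msg = message_from_string(raw, policy=default)
    removed = []
    for name in VERDICT_HEADERS:
        # Header lookup is case-insensitive, so "x-mailscanner" matches as well.
        removed += [(name, str(v)) for v in msg.get_all(name, [])]
        del msg[name]  # removes every occurrence, no error if absent
    msg[VERDICT_HEADERS[0]] = scan(msg)
    return msg, removed

if __name__ == "__main__":
    cleaned, forged = sanitize_inbound(SAMPLE_INBOUND)
    print("sender-supplied verdicts:", forged)
    print("trusted verdict:", cleaned["X-MailScanner"])
```
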

  9. NSA Secure Linux going into the standard kernel by Animats · Score: 4, Informative
    On August 13, 2003, with little publicity, the NSA Secure Linux was merged into the mainline Linux kernel. It's in 2.6.0-test3 and later kernels. There's also useful documentation at the sysadmin level, and the beginnings of a multilevel secure X-windows system.

    It's not a magic bullet, but mandatory security just went mainstream.

    What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.

    The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project failed.

  10. Re:Perhaps I'm doing something wrong... by naelurec · Score: 4, Informative

    It's all a matter of perspective. It seems like Windows NT/2k/XP works pretty good for knowledgeable end users (which you seem to be one...). I have a W2K box that as a box works pretty good at what it does (though it does have some rather strange memory related problems... but not nasty enough to justify a re-install...). However, at least for me, after running Linux, Mac OS X and now FreeBSD as my primary desktop, I have a different perspective on how an operating system should work. I actually find the *nix desktops to be easier to work with. Not only are there a lot more cool features (i.e. Mozilla has lots of neat features over Internet Explorer, same with KDE vs Explorer, etc.) but the entire system seems laid out much more logically. When programs install on my FreeBSD box, I know exactly what files it has installed and where (not to mention it is really easy to remove ALL the related files compared to the add/remove feature in Windows). I can quickly find what applications are running, I have a lot more information available to me as far as what is going on "under the hood" and most importantly, I can access all critical features on a fast SSH connection instead of trying VNC or some other cumbersome GUI interface.

    So what's my point? Well, I suppose when my Windows-using buddies, relatives and customers call me with yet_another_windows_problem (sobig, blaster, other viruses, adware, whatever...) I tend to think "well, if they were running *nix, would they have this problem? (usually not)" and "if they were running *nix, I could simply SSH to their box and fix the problem in a few minutes instead of explaining how to set up VNC over the phone and trying to troubleshoot it remotely (with their side being a 28.8k dial-up connection) or hopping in my car and physically sitting in front of the computer and hacking away at it."

    What's my point? I dunno. I guess I have found the *nix systems to be generally better than the Microsoft offerings. Since using *nix, I have different expectations of how my computer should work and at this time, Microsoft does not meet these expectations. In fact, when I am using Windows boxes, I have found that I get frustrated with the machine because it doesn't work like I am used to.

  11. Re:Ummm... by andreMA · Score: 5, Informative
    Yes, so very many of them:
    • Sunday, October 06, 2002 10:08:43 US/Pacific: Installed "Security Update 2002-09-20" (1.0)
    • Sunday, October 06, 2002 10:09:19 US/Pacific: Installed "Internet Explorer 5.2 Security Update" (5.2.2)
    • Sunday, October 06, 2002 10:21:30 US/Pacific: Installed "Mac OS X Update" (10.2.1)
    • Friday, February 14, 2003 18:31:25 US/Eastern: Installed "Mac OS X Update" (10.2.4)
    • Friday, March 07, 2003 17:43:42 US/Eastern: Installed "Security Update 2003-03-03" (1.0)
    • Sunday, March 30, 2003 22:10:29 US/Eastern: Installed "Security Update 2003-03-24" (1.0)
    • Saturday, April 12, 2003 13:35:20 US/Eastern: Installed "Mac OS X Update" (10.2.5)
    • Tuesday, May 13, 2003 14:28:01 US/Eastern: Installed "Mac OS X Update" (10.2.6)
    • Tuesday, June 10, 2003 12:52:53 US/Eastern: Installed "Security Update 2003-06-09" (1.0)
    • Sunday, June 22, 2003 15:12:53 US/Eastern: Installed "Security Update 2003-06-09" (2.0)
    • Thursday, July 24, 2003 15:30:54 US/Eastern: Installed "Security Update 2003-07-14" (1.0)

    This includes security updates and point-revisions of the OS (which one might presume to have less-critical security updates rolled into them), and excludes application specific updates for the i-App suite, Safari, etc. that were not labelled as "Security" related (one might assert that they were in fact security related, but they included point-upgrades to the applications as well. Those totalled perhaps 8-10 updates over the span covered). Note that two (Stuffit! and IE) are for 3rd-party bundled apps with labelled "Security" updates.

    Yes, I'm aware that I haven't installed the latest one to patch the off-by-one bug that impacts the FTP server. I'm waiting until I need to reboot for some other reason.

    TOTAL UPDATES OVER THE PAST 10 MONTHS: 5. 7 if you count patches to 3rd party apps, one of which was IE. 10 if you're really liberal and include the point-revisions of the OS too.

    Please tell me where these "lot of security updates in the past 6 months" are... I'm not seeing them.

  12. MS Marketing department security bulletin ratings by lanalyst · Score: 4, Informative

    This is what grabs me: a new vulnerability with MDAC announced on 8/20 is rated as 'Important'. Same buffer overflow problem as 026.. same potential for damage.. most/all corporate customers have MDAC running.. but it doesn't rate a 'Critical'. Are they waiting for exploit code to appear or are they waiting for the sh!tstorm to die down?