Slashdot Mirror
Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".
That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religously, start targeting Mac and Linux as much and see who is insecure!
I spent ages trying to think of sig, but never did
The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much imrpoved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are update will the ability to use real user security settings become practical.
Perhaps now we should try to get other "mainstream" media entities to cover stories with this sort of angle... such as:
* The New York Times
* CNN
* USA Today
* The Wall Street Journal? (Yeah, it's a long shot, but...)
Does anyone here have contacts with any of these companies?
Honey, I shrunk the Cygwin
What baffles me is that even with all this evidence for the need for operating system diversity in the corporate realm both corporate America and the US government are eliminating anything non-Microsoft. Lemmings.
What is it going to take? Ships sinking? Trains being derailed? Satellites dropping out of orbit?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Not only is what this guy who wrote the article saying a ridiculous choice of words, I consider it to be libel. He is saying that the architects of Windows, with his comment 'by design', planned on having security flaws. If I were MS, I'd sue this guy by making such a claim. No one sat around a conference table in a code review and said.... you know what.. this isn't insecure.. we need to change that.
Sheesh.. more of the same. People writing articles that I would equate to "TROLL" and "FLAMEBAIT"
I didn't have ANY trouble with SoBig.. or Blaster.. why, because I patched my system and secured it.. I also have taken steps to protect myself from crap mail programs that allow SoBig.
rant over...
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.
The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.
The coolest voice ever.
The way I see this is that Windows is for good or bad popular. As such people will poke around it more and find more holes. Its not like Mac + Linux are totally secure. Now as there are more people, more holes will be found.
Now from these Microsoft issues more patches etc. It should be pointed out that the holes that allowed the recent worms are fixed by a patch released over a month ago. Its just that people/admins haven't applied them meaning systems are still exploitable.
Also Windows isn't designed to be totally secure from the ground up it designed to work on a wide range of hardware and appeal to all levels of people.
Just my $.02
Rus
Cheap UK and US VPS
indeed...
:/
I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family...
That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me everytime I connect to the Internet... what can it be?..."
And people wonder why techies are grumpy...
~
~
:wq
I'm really not trying to be a troll here, but if a CS department requires a specific type of operating system (and probably the software that runs on said OS) in order to teach, then it's probably not worth the money to attend. Sure, learning to program with Microsoft's code du jour might help in the short term, but nothing beats teaching fundamental computer science principles in the long term.
What happens when the next big thing comes along and all the CS grads are stuck with C# as their sole reference point?
The only reason these worms can spread is because of the lack of basic computer intelegence of the average user. i have had windows and used the internet religiously for years and have never gotten a worm on my box.
So basically what i'm saying here is that its not always the operating systems fault, even though i think windows is insecure it gets to much shit for it.
There are 10 kinds of people: those that understand binary code and those that dont
Obligatory Response:
The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.
There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).
This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly ever user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!
A blog like any other.
Linux and MacOS users are, let's face it, in the minority compared to Windows users. Granted Windows most likely does have moe security flaws than these other OSes, but the main concern here is that virus writers will target the OS that will cause the most damage (or that they have the most experience with) and that will almost always be Windows.
Even if all the known exploits in Windows were patched, all it would take it one more for another virus to do something like Blaster or Slammer. On the flipside though, something like that could just as easily happen to Linux if an exploit were found, it's just that no one bothers to write viruses that take advantage of it.
If someone emails you an exe, and you run it, and it does something to your computer, that isn't exactly Microsoft's fault.
.pif and so its kinda confusing to some people, but I don't think you can group SoBig in with other security holes that Microsoft has.
I guess sobig is a
Not only for that reason.
I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.
So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"
Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.
Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?
The crap Windows security model has certainly affected me, a non-Windows user.
STOP . AMERICA . NOW
It's be already said, but I'll say it again: Apache is the most used web server on the internet, yet most web server worms are for IIS. Following your logic, Apache should be exploited every couple of weeks.
Also, don't forget the Mac and Linux users who unfortunately happened to be in the address book of some poor Windows user. I'm about to go nuts from the 50-100 autoreplies from corporate virus scanners, and I know I have it easy.
...
If you read the article, the author explains why
it's not just the sheer number of windows
users that's the problem. As an example, there's
the number of ports open on Windows XP (5),
vs. OS X (0) by default. You really do have
to take into account the design of the operating system. Windows is just too easy to hack compared
to the other OS choices.
Johnny
And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't!
http://rocknerd.co.uk
The design flaw that the author is pointing out is that administrator-only functions like RPC and the administrator's message boxes are turned on in a default installation, when the world would be better off with such features in the OS but defaulting to an off position and only running the associated software if the user indicates they want the feature on.
This is not a design flaw that Apple and the various Linux distributors are immune from, just that they seem to violate this rule with less frequency. Let's face it, if Windows shipped with RPC turned off by default, Blaster would have a much smaller impact than it has now.
As for SoBig, there's really nothing preventing a SoBig for Mac or Linux. Afterall, all you need to do is trick the user into executing a program that isn't what they think it is, and then read their address book file. The only complicating factor is that there's an overwhelming market share for the Windows Address Book being used, that it's the only place most virus writers bother to check for addresses to use. In order to make such a virus with the same impact on another operating system, they'd have to check the address book location of about a dozen programs... bloatware for virus writers.
And in cases like these (stupiduseritis?), it doesn't matter which operating system you choose to use, you almost certainly won't have configured the machine properly from a security standpoint.
--
Craig
Perhaps that is why so many exploits are found, because people are targeting it religously, start targeting Mac and Linux as much and see who is insecure!
All of the arguments I've heard against this viewpoint -- which is to say, arguments based on "Windows is fundamentally insecure anyway, it would be much more heavily exploited even if it weren't the dominant desktop OS" -- are entirely theoretical. Well and fine, but as such their soundness is limited. The discovery of exploits is such a chaotic, surprising affair that one cannot hope to accurately predict how it would go for other operating systems without realistic tests of the systems in question. By this, I mean that unless you actually obtain a scenario where Linux or MacOS are indeed dominant, and are given the same exposure as Windows had (we can assume future tense here), running all the risks of being squinted over by troublemakers of all skill levels, and then conduct a "test run," as it were, over a very extended period of time... unless you have that, you are not going to be able to make any claims.
Even a thorough, scientific, hundreds-of-pages review of Windows security structure is no substitute for such a scenario. In computer security of this large a scale, theory is no substitute for experiment.
The coolest voice ever.
If someone succeeded, MS would turn their entire corporate attention towards completely destroying them. They would (mis)use copyright, DMCA, criminal law and anything else they could get their greasy fingers into.
One thing that has saved Linux (so far) is that they can't figure out who to aim at. All they can do is bribe lawmakers and promote FUD. They know that if they take out Redhat, someone else would have the code within seconds anyway.
I'll see your Constitution and raise you a Queen.
The article takes a cheap shoot implying that Windows users always run as Administrator, the Windows equal to the all-mighty root, while Mac and Linux users usually get this right and reserve their root use for important stuff, but spend most of their time on a limited user account.
Microsoft had this bad in the entire Windows 9x kernel OSes because there never was any concept of a restricted user... everybody was an Admin on those boxes. Insecurity at its worst, but it was always thought of as a single-user OS, if you wanted a secure user environment you were supposed to pay for the Windows NT-based OS of the time.
Windows XP, afterall, is a Windows NT-based operating system so half of the problem is now solved. Microsoft's consumer product finally has a restricted mode. The problem is, there's still a user problem... most people use an administrator account as their primary, sometimes only, Windows logon. So, even though the software has caught up, the users haven't.
Comment removed based on user account deletion
I didn't have ANY trouble with SoBig.. or Blaster.. why, because I didn't patch my system. Oh a few things like clobbering Windows Scripting Host and setting things so I see the file extensions, but hardly enough to call it "secured". It's insecure. I know it's insecure.
No one sat around a conference table in a code review and said.... you know what.. this isn't insecure.. we need to change that.
But did anyone ever say "this isn't secure.. we need to change that."?
In the design balance between fundamental security and "user experience", has any weight ever been given to security in the design phases? Surely Microsoft does something they call "design" for this stuff.
While it is true that a lot of these things rely on social engineering, the other part is why does the OS allow the user to do these things in the first place? If you don't want users to do something destructive, why offer them the choice?
One of the first rules of design seems to be lost on MS designers. If you don't want users to do something then don't offer it as an option. You can pop up dialog after dialog warning users like this:
Do not click 'yes'. If you click 'yes' will crash the machine. Only click 'no'.
[Yes] [No]
How stupid is it for a user to click "yes"? How stupid was it for the programmer to put the "yes" button there?
Yet in MS program after MS program they tell you something is dangerous and allow you to do it anyway. I guarentee as long as applications allow this some malicious hacker will use a little word play or social engineering to allow them to do something destructive.
I really want to throttle the person at MS who tried to get people to believe computers are as easy to operate as toaster ovens. Computers are complex machines. Hiding the fact from the user is not only dubious but dangerous.
Apache is more deliberately used than IIS. IIS, however, has a very widespread install base amongst clueless users who don't even realise that they're running it, thanks to Microsoft's boneheaded install procedures.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Even some Linux default installs have security holes. It's all in how it's done, not what it's done with. Are we supposed to throw out everything written in C now, too?
You are not the customer.
This is really an awful way to think about a consumer base that doesn't understand some basic tenants of computing. I've known plenty of Windows users that think 3.5" floppies are hard disks because the casing is, well, hard. To expect them to catalog file extensions in their heads as well is ridiculous. Obviously you are a more savvy user as you have Linux based machines and a firewall set up.
Not everyone has the time/expertise/desire to learn that much about computing, and that's OK. If everyone were a geek, you'd have no one to bitch about, would you?
But did anyone ever say "this isn't secure.. we need to change that."?
I don't know, nor do you, or the Washington Post. That's my point. This guy is making this statement without any facts, just assumptions.
In the design balance between fundamental security and "user experience", has any weight ever been given to security in the design phases? Surely Microsoft does something they call "design" for this stuff.
I don't know about MS. Can you say that they don't? I for one know that my non-software company which has an IT department that watches the actions of MS a lot, has an information risk management team that looks for security holes in all in-house and purchased software before implementation. Would you care to assume that MS gives weight, or doesn't give weight to security during the design phase? Or would you care to not assume, since all the facts are not available?
Actually that's incorrect. the reason most email/address book viruses spread so fast and cause so much havoc is because of Outlook and Outlook express -- which are ENTRENCHED in the business sector. I told my boss the other day that there's an email client that doesn't have these problems (Mozilla Mail) and his first question was how much does it cost to license. Managers think nothing is free, and if it is it's too good to be true -- and that, just isn't true.
If companies made it a rule to stop using outlook/outlook express, and properly instruct people to never open email attachments from people they don't know, and file extensions that aren't safe (pif, scr, exe) then that alone would stop most viruses in their tracks. But alas, 90% of the office workforce is comprised of mindless drones who barely know how to use outlook in the first place.
- tristan
...then how do expect people to mail you legally then? Because after all, just typing your email addy into a "send to" field would be a violation as well. So now if someone wants to email you, they have to get a release beforehand via a different method? Of course, since they've already contacted you, why not deliver whatever message they orginally wanted then? Which would then defeat the purpose of you having email.
You know, being funny aside, you just demonstrated one excellent point: Users should have enough rights to have work done, but not so much to easily screw up the system. Don't use root privilege in vain!
Mozilla Mail in fact is subject to a Sobig-style attack, all that's missing is a virus that reads Mozilla's address book and goes. If your business installed Mozilla Mail, it'd still meet the mindless drones who will still open up the pif, scr, and exe attachments.
1. Most people I know haven't been affected by most of the recent Windows virii. Why? Eudora/others instead of Lookout or Lookout Distress. I've also trained 'em well enough that they understand that clicking Windows Update at least on a bi-weekly basis is a good thing(tm).
;)
;)
;))
2. I wasn't affected, simply because KMail is the least-vile e-mail client I've encountered since old school Eudora. Naturally, KMail runs on Linux.
3. If everyone used Linux, virii would abound for it. The major difference, however, is that if Joe User opened strange attachment #43, he'd be able to hose his home directory and nothing more. Non-root for normal use isn't a hard concept; any good distribution has blinky neon lights that point out the fact that you shouldn't run as root unless you need to. And for the truly stupid computer user, you can educate them by saying, "You can make your username whatever you want, instead of something boring and mundane like 'root'."
On the whole, I'd say Linux is, by default, more secure than Windows. After all, you can get rid of damned near anything you want to in a Linux install. Windows, you're stuck with crap you'll never use unless you sacrifice a goat and invoke the name of Cthulu to uninstall it. Furthermore, in my experience, Linux-based patches are rolled out far more quickly than Windows-based patches. Not to mention the fact that Windows-based patches sometimes, ahem, cause other things to break. (Oh well, the fact that IE is now broken for me got me to install Firebird.
All that aside, Windows *can* be secured. Personally, I'd rather secure a Linux system - it's easier for me. But your own mileage may vary.
emerge -u world how _hard_ is that?"
First off, I'm a Mac user but fairly experienced using Unix/Linux....
The Mac is better than most opertaing systems at easing the drugery of staying on top of patches and bug fixes...
*clicks software update*
Do you really expect newbie users of Linux to understand "emerge -u world" by chance? If so, there is MUCH work to be done to Linux's software update model. Sure the emerge command may seem trivial to most advanced Linux users, but what can be done to expand this simplicity towards the consumer market?
I like big butts and I cannot lie.
these virii were created by people - people create virii for windows because that's what people use, not because it's more insecure than other OS's. When linux gets more popular people will start making virii for it.
The claim of the author is bogus.
The author claims that windows is insecure by "Design" but he fails to talk at all about the actual design of the system. Design goes to the core of system design and I know security was definatly designed into NT from the start unlike Windos9x.
I dont consider buffer overflows to be particularly a design issue but generaly a coding faults. Every OS has had buffer overflows exploits and design can not prevent them unless automatic protection agains them is designed in which most OS's dont implement.
The author should do a bit of research and not write fluffy articles that have no merit!!
Users running NT based versions of Windows are effectively forced, or annoyed, into running as admin. This happens for a number of reasons:
* Old software runs as admin only. Stuff that came out during the DOS/Windows days, much of it pretty recent, simply won't run as anything but admin. This is a nasty legacy thing, and is a vestige of the horrendous design of Win95/98/ME.
* Too much new software runs as admin. For example, if you want to run Microsoft's own Age of Empires, it only installs as admin, and only runs as admin. This is a new application made by the mothership, and clearly, fits into the home scenario as the article. I'd guess that at least 20% of the apps on my Win2k box require admin rights.
* Too many housekeeping functions require admin.
* It is a relative hassle to run a program with admin rights when not admin. The most common way is to -right click on the program's icon, and then select Run As, and then enter the admin password. Ugh.
* Even for the disciplined, quick user switching allows admin to stay logged in, most likely still running OE or some other security nightmare.
The upshot is that if a user even understands the concept of not running as admin, they are forced to, or get lazy and do so.
I've set up several users on Win2k, and taught them about security, and why they really, really don't want to run as admin. Months later, they all are.
This will be a problem if Linux ever becomes widely adopted by home users, and why Lindows runs as root by default.
Didn't Apple get this figured out? Why haven't everyone else copy them as usual?
Jonathan
If you digitally signed all of your electronic communication then you could effectively get rid of this worry. People who trusted your key would know immediately that this was a spoof.
kojent
Yeah, I'm amazed that people are still using Outlook anywhere with the reputation it's gotten.
Apparently this guy didn't hear about the FSF ftp site being hacked and owned for 3 months, causing them to lose trust in valuable data. No operating system is secure. Pointing out that users are stupid and don't know how to run their systems securely (which is all this article really says), is useful sometimes, but MS harly has a monopoly on stupid users.
PGP sign all your email, that way you will be able to prove that an infecting email did not originate from you. Also the very fact that it is a windows worm and you run Linux should indemnify you.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I wonder how many people read the EULA's? I bet the numbers are related (and small).
Little Brother, watching the watchers
Okay, maybe I should have turned on the firewall before connecting to the Intenet. I didn't realize the virii were scanning so relentlessly and quickly. I also thought that the idea of turning on a software firewall on a brand-new install seems a little dumb. All the firewall does is prevent incoming connections to insecure ports. If Microsoft knew when they shipped the OS that the ports would likely be found insecure, why wouldn't they just turn them off by default? I mean it is one thing to buy Norton Firewall on the presumption that they are fixing Microsoft's broken security model but why would I use a "security fix" that comes on the same CD as the program that introduced the security hole in the first place! It seems totally illogical to me.
To you and nikal, PGP does not prove X did not come from you, it only proves that X did come from you. Even if you are using PGP it is quite easy to send an unsigned message.
Only somebody else's signiture, establishing that it came from them, could begin to establish that it did not come from you, and you would still need to establish that you aren't that somebody else, since having multiple signitures is trivial. (It would probably be reasonably satisfactory under most normal circumstances, though.)
Oh, ha, yes, funny.
Now connect your Windows PC to the internet and wait for someone in Khatmandu to type "format c:".
The real issue however is that Windows * is still using a lot of code from DOS and Win3.1 for all sorts of shit. Those were the days, remember, when personal computers were just that, personal.
*nix has a pedigree in networked computers. So whilst mistakes are made in code of each system, always, one paradigm is always going to be more secure than the other. Until MS really, really and truely re-writes its OS. Shame the article misses this point by such a wide mile.
-- Free software on every PC on every desk
They cease to be liable the moment you click "I Agree"
~
~
:wq
True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.
There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.
But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.
The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.
Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)
This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!
Quote from a poster on that story:
Mmm-hmm, and there goes security.
(Story link: Gnumeric Now Supports All Excel Worksheet Functions )
The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.
Professional Wild-Eyed Visionary
But if Ford recalls the car and makes a reasonable attempt to get you to have your car fixed and you still don't fix it then who's fault is it?
If you are going to use the analogy at least follow through with it.
Today I sat down at my computer when I got a MSN message from a friend. That friend is complete noob with computers and now he had a problem.
.... After awhile, me trying to explain him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...
.... I, after awhile, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....
.... I try to explain him how to use windowsupdate but is almost giving up since he just dont get he just gotta press scan for updates and then install updates. Well in the end he gives up and says he dont care ....
This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.
Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?
Friend: Patched ? ?
Me: Yeah. You know downloaded updates for windows.
Friend: No..
Me: Oh well. Here is a link to a virus scanner try and run that first.
Me: Good now to update your system.
Me: So, Now I suggest you update your system with patches from windows update.
Friend: Why? What should I waste time download all that? What good does it do me ?
Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.
Friend: But how do I do it ?
And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.
It dosen't have to be legal liability to cause trouble. A pissed off client, boss or girlfriend can be plenty of liability to have to deal with. If they have trouble understanding the actual causes, then good luck reasoning with them.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
Outlook Express 6 SP1 now comes with a setting to "read all messages in plain text" Which is how I have my system configured and which gets rid of approximately 100% of email viruses. But unless you happen to be fiddling around with the configuration of OE, you'd never know this setting exists. If anything, Microsoft should be prominently advertising this "new, free" feature (which is of course ain't new, it's elm-level functionality) as a way to protect your system, but they won't.
Sure, but most people like their email with pretty colors. Then, fine, they should do what Poco Mail does, automatically "sanitize" email by stripping potentially harmful HTML coding and external image downloading (i.e. webbugs) while allowing basic HTML formatting to be read. This is not rocket science, but MS seems to be irresponsibly holding back on such basic safety improvements.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
From the article:
I use mutt to read most of my mail (years ago, I used pine.) Opening strange attachments isn't an issue for me, and shouldn't be for anyone else. If there is executable code in an attachment .. my client will show me executable code, it sure as hell won't run it. That's common sense.
First off, let me say that I KNOW that Linux and BSD are a lot more stable than Windows...but in the real world...where family and associates need to be spoon fed, Windows is what is in use. I have had absolutely no problems with any of the recent outbreaks. BECAUSE, I ensure that the computers under my care are current with updates (afer I evaluate them) and that firewalls are properly configured.....and yes, I even talk to the users and ensure that they know that the is some new bad thing out there. Nothing personal, but do not whine about Windows if the real problem is that you expect your users to take care of everything themselves. I don't expect them to, and I am happy to help them without making them feel stupid. That is why I am still employed and happy at my job.
They cease to be liable the moment you click "I Agree"
That depends on the various sales of goods statutes of the several jurisdictions in which M$ products are sold. It is not uncommon for such exemption clauses to be explicitly limited or even completely abrogated by legislation.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
Why does that lag exist at all? I realise Microsoft has built its fortune by masquerading software as a tangible good, but we're talking like one CD to each vendor. They're just copying an install onto hard drives and pushing them out the door, so why aren't they kept up-to-date? Couple the in-factory lag with that on already-boxed inventory and the OS that first boots up can be ages-old - and it's probably already attached to a hostile wire.
Your reply is the best so far; however, just take a step back and listen to my point.
Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?
People get in vehicles drunk and run into families of four, killing them all. Do you think that this unintentional side effect was, 'by design' when the engineers created the vehicle? Was it 'by design' when man created beer or wine?
I think I'm being treated VERY unfairly by most responses here.
I give you one more example.
When the hammer was designed, do you think the designer intended it to be used to kill people? Or how about the baseball bat?
This is being over-analyzed by so many techies, that I think the clear facts are being missed. That which is, the article is misleading and doesn't contain a fair wording of facts. Put yourself in the shoes of others. Take a breath and look at my point.
Right because unpatched Linux systems have no flaws. LOL.
Yes, it's been a long week, hearing people complaining about this, and I have seen precisely zero evidence of the worm. I'm sure if you were able to sneak in over the weekend and reformat their drives and replace everything with Linux and Open Office, etc., they'd suddenly magically feel compelled to keep their systems religiously up to date, and would have NO problems whatsoever.
Can't turn on the automatic updates on Windows, that would, like, fix things, and stuff, and we wouldn't have Unka Billy to kick around.
If Windows is attacked because it's popular, then why isn't Apache spreading more worms than IIS since it has 60% of the webserver market?
You want QA on your kernels done by a QA team, you go to a distro vendor. The kernel was released by Linus, not by any vendors. That's the rough equivalent of doing a beta release.
Search for IIS on SecurityFocus's vulnerability database if you want a list of IIS holes. There are many.
May we never see th
I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.
Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.
And this has been the same on the 2 different machines that I've run XP on.
But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.
Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.
And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.
So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.
I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.
I guess your mileage may vary.
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
In a response to a recent story, someone mentioned that UNIX standards were generally based upon specifications which had been made publically available for comment.
This is something that many take for granted, but it is quite important. RFCs are discussed publicly, and people review protocols independently of specific implementations. This means that the protocols themselves are refined, and implementors only have to worry about correctly coding to a given specification.
Under Windows, the specification is often "whatever works with this code is fine". This invites much less review of the protocols, and since the protocols are ill-defined, it's difficult to determine whether the protocol has been implemented correctly.
Somebody get that guy an ambulance!
I love Microsoft bashing as much as the next Linux user, but this article doesn't make much sense. Linux machines are targetted very often in security issues. If you have an unsecured Linux machine on the internet, it will either succomb to a worm, or be hacked by script kiddies. Most admins don't even usually notice script kiddie hacks (think monitoring thousands of servers..). Yes, Windows is insecure by design. So is Linux. So is *gasp* OpenBSD. Software written by humans is insecure by design.
Right on. My experience was the same. I was immunized from BLASTER on July 17th according to the log from MS Update. It's very hip and au courant to ignore MS Updates, because they're a pain, and their Service Packs don't have a great reputation. But updating early and often has kept me out of trouble.
When I started getting Sobig emails on Tuesday, I even took the time to call two of my friends (who subscribe to some of the same lists I do) to warn them not to trust emails with attachments. I had to explain the whole concept to them, but they got it. I got 40 the first day, 20 the second and only a handful since. And I had no desire to open any of them.
The biggest threat that Windows poses is that from users who are totally clueless... they turn on their machine thinking it's some kind of "email machine" and nothing else. Not a clue there are threats or risks out there. And no indication from Windows, or Outlook, or IE that anything they do could be unsafe. Windows update works, at least this time it did. They're not going to get more saavy, so there's no harm in telling people to use windows update.
Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
3. Update early and often
The article is right, Windows is dangerous. MS isn't going to tell the consumer, because that would threaten their (considerable) cash flow.
I'll shut up now.
Everything I've ever learned the hard way was based on a statistically invalid sample.
Agreed that developers aren't IT support (well, unless they're developing apps for IT). But they ought to know how to keep their desktops running.
Heck, I used to develop in a shop where any developer above "junior programmer" was expected to know how to reinstall the OS (Solaris, Ultrix or AIX), configure it for Oracle, install Oracle, install our software (a GIS system), and generally manage their own workstations. Ditto for the sales support guys'n'gals and the trainers (although the latter might need some phone support).
Would you have automotive engineers or even car salesmen that don't know how to drive, check the oil and put gas in the car?
-- Alastair
MS is at fault, the root of it, to be sure.
It's kind of funny, but I didn't have any problems with either of those viruses in any of my three WinXP machines. Maybe it was the common sense (Sobig) or the fact all my machines were updated (MS Blaster)or the common sense that 300 e-mails with the same attachment from people I don't know might, just might be a virus. This is not to mention of course the firewall, pestpatrol, and Norton Antivirus. Now, you might say, "well hey, my linux box had none of that, wasn't patched, no firewall, nothin!" but think for a few seconds. These viruses were programed for windows, not linux/any other os. Of course your non-windows computer was not infected, because the virus/worm was not made for it. So before you get on your high horse, remmember it can happen if someone bothers to write it.
The best feature of non-Outlook email programs is the inability or difficulty that they have running activex, java, or javascript.
To this date I have yet receive a single email that has ever needed to use any script or programming language to deliver the message so why the heck is it still in and ON by default?
Ah well, all I can do is my part. I patch and have a linux based firewall protecting me. That firewall has had nearly 3000 hits on 135,137, or 139 in the past two days. A month ago it would have had no more than 12 in the same period.
Mac and Linux not targeted? Taking the view of a malicious hacker, why would you bother coding a virus that only affected a minority of computer users? If Linux ever really makes it mainstream, you may find it's just as susceptible.
Well, checking the oil I'd put more akin to checking free resources. Same for most of the other fluids in the car, short of fuel. fuel's akin to turning the thing on in the first place. Do these people need to know how to operate the turn signals, trunk release, windshield wipers, domelight, etc? I'd rate them as your basic intelligent car owner.
As for changing fluids out, the computer equivalent would be to a backyard mechanic, who handles oil and antifreeze coolant. Maybe checks the tranny fluid and takes it somehwere if it doesn't look right. Changes out burned out lights, etc. Stuff that is mostly covered in the owner's manual, or at least has stuff like fluid quantities. In computers, I'd equate that with being able to hook up external devices and get them to work, being able to remove stuff from C:\WINDOWS\START MENU\PROGRAMS\STARTUP, configure basic network settings from instructions for something like DSL or Cable. Calls for support or a technician when something out of this range goes wrong.
A+ certified techicians would equivalently handle basics, like replacing alternators, starters, draining transmission fluid, replacing water pumps, checking differential gear oil, lubing the suspension or steering parts, replacing obviously bad water hoses, and the like. Stuff that stands out. By comparison to computers the person would be able to replace hard disk drives and CD-ROMs, install video cards, install the OS from scratch for the default configuration, configure sound support, and the like. Maybe even dig into the registry a smidgeon.
And above that you'd have your power-technicians, who would be up there with not being afraid to remove stuff like engines, axles, transmissions, steering columns, dash boards, interior parts, etc. These people would be able to play with advanced networking, deal with driver and IRQ conflicts, handle tweaking of the OS, dig into the registry a bit, etc.
Beyond that, you find different people who can rebuild engines or transmissions in their sleep, modify sheet metal artistically, handle advanced upgrading of suspension, and the like. They would in computer equivalents be specialized, but very talented. They probably wouldn't even do much of the lower-level work unless they had to, because they would be more valuable higher.
Well, that was quite long enough of a ramble...
Do not look into laser with remaining eye.
Unfortunately, I live in the poorest town in the poorest county in the poorest state in the USA. We have a nearby University pumping out moderately skilled CS grads who either move away or compete in a small economy, where most employers see $10 an hour as a fair starting wage for programmers. But the scenery is great, and family is nearby.
Your suggestion has some merit, but it involves the Outlook users installing and learning to use some public key encryption implimentation like GPG.
For most, this process is completely out of the question. These are the same people who can't be bothered to apply patches or switch to a much less frequently compromised e-mail client.
These people aren't going to change their habits unless actually forced. It's either that or something needs to be implimented that will transparently protect them from themselves with 100% effectiveness (AV software is useful and all, but it has obviously failed in this regard).
Right now, the only viable defense is vigilance.
Is it possible that Windows was never designed with security from the start because it was not designed for a network from the start? MS entered the networking and Internet game pretty late and with it came all the worms, trojans and other stuff. Of course, this assumes that the constituents of present-day Windows have a lot in common with the pre-TCP/IP Windows of old. Still, I think it could be one way of looking at the fundamentally insecure design of Windows.
The one difference would be this;
Two months after that recall Ford issues a recall for steering wheels, that they can crack and make it hard to control the car. Three months later they issue a recall for their electric adjusted seats which when hit by a certain radio signal fold forward on the occupants of the car. Then only one month after that they issue another for the radio again, this time if playing any old CD the radio may emit a really loud tone until disconnected. Then five months after that they issue a recall for their A/C in which the improper placement in relation to the engine of a connecting hose that can cause it to start burning emitting a nasty smoke unless the A/C is turned off. Two months later a recall is done for door locks that when jarred (such as slapping the door or slamming it) may unlock it coupled with Fords new Easy Go(tm) keyless one button start feature.
It's not just one recall, it is a long history of problems one after another. Some from their own stupidity, some from the stupidity of others.
The only thing that could save Microsoft would be a total rewrite of windows to go back to the 3.1 daze of a GUI and an OS as you mention. Unix does it, Linux does it, and Apple now does it (yuck, defending Apple, *vomits and then ducks*).
I doubt we will see a rewrite any time soon however, for one thing it would be a shit load of work, take a long time, probably be as filled with bugs and holes as the current generation of Microsoft products for at least the first year or more, and probably break all current software, might as well save it for the 64bit processors.
Sorry for the lack of grammar *ducks again*, cheers!
-tog
Users want to use computers, not administer them.
You know, I told the police the same thing the other day. I said "Officer, I don't want to understand gun safety, I just want to shoot things!"
Maybe this latest round of viruses makes my point for me - using and understanding (or learning about) computers must go hand-in-hand.
nope. i call BS.
If Apple has a worm sent around by email(or whatever) you know what would happen... you would get it (after the user who sent it to you click the OK box before the worm auto sended to your mail list), it would ask you to open the porgram and if you want to execute the code, if you choose yes, then it would do whatever damage it could do... that is after you clicked OK and let it do it.
Just because MS is a bigger target, doesn't mean they don't shoot themselves in the foot. Running arbitrary code automaticly without a prompt, along with sending bulk email without getting permission are BUGS, not features.
Your son has a PS/2? And is still using it? Wow.
If you want to claim that you know a lot about computers, you should be very careful not to confuse simple things like a PS2 (PlayStation 2) and PS/2 (an old IBM box with MCA that never really took off).
Coming late to this discussion but I still have to say this even if nobody reads it...
(emphasis mine).The quote from this article in a highly visible magazine is:
This is the one question. Why are there so many technical people that, knowing all the risks and odds, still don't dare patch the systems for fear that the cure will be worse than the dissease?
I know that the writer is mostly concerned with all the ignorant people at home, but when Microsoft itself tells people to not connect to the Internet because of security concerns, then logic fails. How should these people get their updates then?!
Enough ranting since chances of this being read are small anyway. No sense in wasting time.
Karma? What's that again?
I'm runnning windows update now, and hey whaddya know.. 17Mb... that's gonna take a while on my 56k dialup. Hmmm... Maybe I won't run it after all..
>> this virus wasnt particularly microsofts fault
If you're talking Sobig.F then yes, it is definitely Microsoft's fault.
In the early 1990s, people got laughed at (or gently educated) if they suggested 'I got that virus through email'. It just didn't happen.
Then MS turn up with their inherently insecure 'Automatically run stuff that's emailed to you' email client, actually build it into the OS (thus ensuring greater take-up than would otherwise have been achieved) and email viruses became commonplace.
The only way this virus wasn't Microsoft's fault is that they didn't write it themselves. The environment it runs in, that enabled it, is entirely and absolutely due to insecure design by MS.
~Cederic
> Linux is more secure because a lot of stuff is configurable.
/. article a while back about
There is truth here. Remember the
how it's hard to find a stock build of Apache in the wild because
all the distros add stuff or make changes? There've been several
security advisories relevant to Apache in the last year, but though
I have Apache running on several systems I was impacted by exactly
zero of them, apart from having to read the security advisory to
determine whether I needed to be concerned.
Configuring options rather than being happy with defaults is not a
magic tonic to solve every problem, but it is a contributing factor
to security.
Cut that out, or I will ship you to Norilsk in a box.
> yeah actually since we are on the topic it is woz's fault for
> making computers accessable
Herring. Dark pink. Outlook Express is *less* accessible to the
end user, *harder* to learn to use, than other email clients that
existed sooner (e.g., Pegasus Mail). Yet in the history of
computing Outlook is the *only* known, documented case of any email
application being the medium for transmission of a virus. There
is absolutely *zero* reason for a mailreader to behave the way it
does (automatically executing received content); other mailreaders
that are even easier to use don't do it that way, because there is
no *reason* to do it that way. Of all Microsoft programs ever,
no other is so much a plague and a nuissance as Outlook. Without
reservation I can say that the world would be a better place if
Outlook had never been developed.
Cut that out, or I will ship you to Norilsk in a box.
I'd like to know if this is really true.
When the NT kernel was being designed it had security in mind. There are varying levels of privelige, access control lists for the file system and system objects etc. Some of these features are only appearing in Linux now with 2.6
Sure there have been flaws in the implementation, services turned on, running with system level priveleges with ports exposed to the internet. So Windows the system is not secure out of the box. But is it insecure by design?
A lot of people run windows as an administrator because programs written in the 9x era were not designed with the security model in mind. Programs want to access system level files or registry settings. Windows XP brough the two product lines together but in order to maintain the backwards compatibility they had to sacrifice the security.
Also people hate hitting security barriers whenever they want to reconfigure something.
I would like to see some evidence that a box running NT can NEVER be secure due to its design, rather than just not being currently secure due to its implementation.
All the trolls about MSLinux seem to assume that NT is a terrible cludge that MS ought to abandon and just build a Windows GUI over Linux like Apple did over BSD.
Is NT really flawed in its design or is it just the layers of services, APIs and backwards compatibility fixes that make the current implementations of NT vulnerable.
If all Win32 apps were sandboxed the way win16 apps are and MS migrated to a new API would this solve a lot of the problems?
I would welcome links to articles about this.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
Not that I am a Windows fan but if Mac or Linux was the most popular OS wouldn't most viruses and worms target these systems? Window's might have it's security problems but I see new updates and security patches on my RedHat boxes all the time. Couldn't these explots be used for viruses if virus creators targeted Linux or Mac?
I never liked you
You obviously didn't RTFA.
You
people create virii for windows because that's what people use, not because it's more insecure than other OS's. When linux gets more popular people will start making virii for it.
Rob Pegoraro
The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?
Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."
As to why this was posted on Slashdot? For the bashers. It's good to wake up in the morning and feel righteous. But seriously, it's a good summary for those that keep arguing this point, that is if people would bother to RTFA. It also puts a little more credibility into it than the average slashdot troll.
"Last one in is a rotten goblin!" - Kepp