Slashdot Mirror
Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
"Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes"
emerge -u world
how _hard_ is that?
It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.
I'd really like to see this actually. Linux hasn't really been tested at all in the mass market. We might see some interesting results.
Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquantainces, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.
I currently run Windows XP (unpatched, no virus-killer) and GNU/Linux machines behind a GNU/Linux firewall/router. I have never been *infected* with anything. If you're stupid enough to set Windows Explorer to "hide the extension of known file types", and to not know that a .scr file is just as executable as an .exe, and to not run a decent firewall then frankly, you deserve to be infected by the latest and greatest virus.
--
Craig
And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't.
http://rocknerd.co.uk
"all this evidence for the need for operating system diversity in the corporate realm"...?
That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.
Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.
I find it much easier to secure a Linux/*BSD box than a Windows one. Even though I use Win 2000 daily as a programmer. I'm pretty sure I'm not alone in that predicament.
Just keep in mind that a large part of the internet infrastructure does not run Windows, but they (the servers) still seems to do okay, apart from the odd sendmail/bind/openssh bug ;-)
I agree. The Washington Post is a very well known newspaper that many people get. Even my father(who subscribes to WP) read the article this morning and showed it to me because he thought I might find it interesting. He isnt the type to read stuff like slashdot. Just a note..I saw it at news.google.com this morning.
The Television Wiki
Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....
This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...
It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.
but XP home is not designed to be on a network. according to the the horse's mouth, "Windows XP Professional is best for people who connect to large networks, such as a school or office network. also from the horse's mouth, "Windows XP Professional is required to access a domain-based network.. so they are turning on services that won't even work. great job boys.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
I strongly advocate mixed platform networks. I consider Linux and/or BSD as the best for most backbone/critical services/systems, but MS Windows to backup the backbone/critical. ...) and platform from Ma-Bell to the user is that the complexity of configuration, security, operation, ... help-desk, network/server admin ... everything would be an expensive pain to support, but (unless power-failure/outage) web/email/ftp/VoIP/VTC/ ... services from Ma-Bell to the user could be maintained during cyber-conflict activities. Someone in the office would always be able to access email, websites, .... .... Just a few critical (maybe one) networks and offices would require this mixed-platform configuration in business and government. .....DB2, My-SQL, MS-SQL, ... other considerations.
In an office environment for the users in the past I could only advocate Apple and MS software OS+Apps. Late last year I added Linux+GNU desktop/workstation OS+Apps for a mixed platform office environment. Businesses and government should consider letting experienced users [AKA: Geeks/Gurus] select their own OS+Appps desktop.
The reason no one ever supports the mixed network devices/switches/... (3Com, Cisco, Lucent,
For critical/emergency business/government systems and offices the complexity should be able to provide critical services for utilities, command-post, emergency agencies,
Strict adherence to protocols, standards, and configuration would allow business and government to communicate and use www/internet/intranet services.
Letting a one version OS attack (frequently MS) cripple your business, critical infrastructure systems, and/or part of a major government agency like NASA or DoD is PPP.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I think my favorite part in the article is when the author suggests that MS should use their massive cash pile to mail out a CD of updates to every single customer that wants one. Considering how many CDs AOL sends out (and yes, I know they are bleeding money), wouldn't it make sense to partner with AOL, who is already producing discs, and make them multi-session, so that MS could use the already pervasive CD distribution systems in place to get updates out?
I can't believe no one thought to suggest this before. And if MS was REALLY SERIOUS about making security their #1 priority, it would be a pittance to part with and give their customers a much-needed sense that MS actually does care about their customers.
The question is, do they really care more about the customer or the bottom line?
A lot of the recent problems could have been prevented if people had installed the available patches. However, the EULA's that one has to agree to while installing the patches are downright frightening, and Microsoft keeps making them worse.
I wonder how many people skip the patches because the EULA's are so obnoxious?
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
- David A. Wheeler (see my Secure Programming HOWTO)
Yes, but you have to admin that the MSBlaster/LuvSan worm would not have been possible if RPC hadn't been disabled in an OS that doesn't require it, i.e. XP Home, or Internet Connection Firewall was on by default rather than requiring user intervention, when half the users out there don't know what a firewall is, let alone how to turn one on.
Also, Linux users are on the most part more tech savvy than windows users, which I think plays a big part (I bet you 9 out of 10 linux users know not to open every attachment they receive).
I am NaN
We are switching over to the Linux based system on our "sponsored" tables, however for our pay-per-use system, we have no choice. None of the bill collecters work on the Linux version as of yet. Until then, one some of our terminals, we have no choice.
Security is a problem, because for starters the kiosk program we have will not run on NTFS, only Fat 32 so we have to swap out harddrives with at least 1 terminal out of 10 a week and reghost it because dispite blocking software, people DL things they shouldn't be.
At work, I have a Powerbook and my boss now has a dual boot system with Windows XP pro and RH 9. He's trying to get used to Linux and Openoffice so that we can have all future employees either use Macs (for those needing photoshop/DW) and everyone can do billing and accounting from Linux terminals.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Because this text is clearly nonsense. None of the protocols you mention have inherent security flaws Maybe you should have noticed ftp instead, which does have some quirks.
:)
RPC has been targeted due to a defunct implementation on MS side, and the fact that it was open to the internet by default. This has nothing to do with security of the protocols an sich.
To make your point completely moot: when MS does develop it's own protocols (SMB, PPTP etc) they are inferior to the standardised protocols concerning security.
One can safely say that the MS record on implementing secure protocols up till now is not that great.
Only the XBox seems to be quite secure. Of all things, a game console is the current MS flagship
Warper
I run probably the only Linux machine on a residential LAN with a shared internet gateway. Since last week sometime, the virus has so infested the XP/2000 machines on the LAN that all my upstream requests are dreadfully slow. DNS queries and HTTP GET requests, etc. Downstream transfer speeds are just fine. This is the curse of the Slammer virus - 10 to 15 port scans per second per machine on a largely M$ LAN leads to practically no internet access. The sorts of users who refuse to update their machines even weeks after a virus advisory is issued are the bane of their LAN neighbors. How can you just not care that your machine is randomly shutting down with 60-second warnings?!?!
So, Linux helps, but only in as much as I myself cannot become infected.
Hopefully this will post...
The question is, do they really care more about the customer or the bottom line?
The bottom line, obviously.
I rememeber reading an article in Dr. Dobbs about a great piece of file indexing code that Microsoft wrote.. it was a great system, bounded resource use, bounded worst-case performance, a nice piece of CS. By the end of the article I learned that it was written TEN YEARS ago and Microsoft sat on it because they didn't need it from a marketing point of view.
That made me think about how Microsoft operates. They just give out enough to keep customers from leaving. Not one ounce more. That's why Windows is a crappy OS (captive audience, everybody has it on their PC) but the desktop programs are a little higher quality (there is some competition, however tiny).
Another example: C# is a completely open language, not because MS is generous, but because it's a selling point over Java.
MS is calculating and ruthless. You'll get security from Microsoft when it starts to be a problem for the bottom line. Not a day sooner.
And judging by my friends and co-workers nonplussed reactions to these worms/viruses, that day is a long day off...
Sure Windows has bugs that lend themselves to security problems. But nowheere in the article does he prove that Windows is more insecure than Linux or MacOS. All he can claim is that the default settings on Windows aren't the best choices for security, and that Red Hat and MacOS do a better job. I'd call relying on default settings user error, not a problem with the Windows code itself. You might as well say Solaris is insecure by design since (with Solaris 8 anyway), the default install runs sendmail, allowing spam relaying and leaves the telnet and ftp ports open, which can result in stolen passwords.
Vote for Pedro
You're assuming that Windows was designed, and didn't just evolve from a quick and dirty rip-off of CP/M by adding more and more Unix-like features. I have a favorite saying: "Anything that's backwards compatible with a kluge is, by definition, a kluge." Remember, supporting multiple users was an afterthought for Windows!
"Freedom means freedom for everybody" -- Dick Cheney
If every software maker followed these Microsoft specifications Windows would be a much better operating system. A good example of a broken app is Palm Desktop. First of all, it only works with one user. Second, to install it, you have to give the limited user admin rights, install it, and bring them back down to limited rights. It's the same for Documents To Go. Talk about a PITA - and notice that neither of the apps boxes have the Windows logo on them.
On the subject of liability, I wonder why Microsoft is never held liabel for the billions of dollars that these incidents cost the world's economies. A little forethought this would never have happened.
Imagine if Ford were to sell a car with a fundamental problem. One that potentially cost lives. They did and they had to recall it.
Now these virus epidemics probably bring down some rather critical computers and potentially cost lives. (Yeah, yeah, mission critical machines should be kept uber patched...)
Microsoft really comes across as untouchable.
Free Gamer - Free games list and commentary
I manage several win2k workstations (and several win xp laptops) in our company. Fortunatelly, we have avoided any work/viruses due to our firewalls, virus scanners and such but I accredit most of our success from the education of our employees.
I think, IMHO, that most of issues with the worms/virii/etc stem from the ignorance of the common windows users out there. Everyone and their grandma that wants to get on the internet do not look for alternatives out there, they go to circuit city/best buy and get the latest dell/gateway/whatever model and plug it in.
Within our company, we also have a couple rack loads of linux and free bsd servers that must be kept up with as far as patching goes. Most linux admin that I've met keep up with these things, my mother doesn't know the slightest thing about windows update. Granted, Windows isn't innately secure but it takes some knowledge to setup a generally secure linux setup.
Eh, maybe its all shite, but that's my 2 cents.
I now have a new signature on my emails:
*In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*
I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.
Also fact: System relies on file extensions to differentiate between executable and non-executable files, which in my mind is a bit worse.
Anyway, as for your requirement for "INTENT." Back when the CodeRed came out, work gave me the responsibility of locking down our IIS servers. Back then I didn't have any experience with IIS so I did the smartest thing I could come up with - started reading and convinced work to send me to a one day SANS seminar. Well, the instructor told a story from an MS employee of how MS figured it was cheaper enable crap like Internet Printing and the like by default than it was to eat the cost of projected support calls they would get from people who wanted the feature but couldn't figure out how to enable it.
IOW, enabling everything in IIS was done because it saved MS a few bucks. That is a design decision. It was intentional and most importantly it was insecure.
You still want to mince words on this?
I don't want knowledge. I want certainty. - Law, David Bowie
With write priviledges only to their own sandbox, then, none of this would be happening. Instead, you've got IE and Outlook running as a user's account, so, despite the prevalance of a workable user based access control list based security system in Windows, Microsoft does not use it where it really counts. Dumb dumb dumb.
This is my sig.
it's quite simple.
to all future emails,
add the tag line
"All of my email messages are pgp signed.
if you receive an unsigned message
with my address, IT DID NOT COME FROM ME"
That's why I tell my family: If you want help with your computer, buy a Mac. I don't support PCs.
Just about everyone in my family has a Mac.
It's a win-win for me, since the amount of support you have to do for a Mac user is virtually nil -- they just work. :-)
your response is a bit unfair--at least from an sys admin stand-point. home users? oh well. until microsoft figures out a way to allow patching without requiring a reboot, admins are stuck scheduling horrible times to install patches--weekends, after 5:00 pm. This sucks. It's really inconvenient to keep up to date. Yes, i realize this is no excuse, gotta do it.
Any windows admin who tells you they have uptimes greater than a week are not patching. What's your IP? What's your email address? Visit my website http://ActiveeXploits.com.
What me worry about linux servers? ssh, apt-get, up2date, during the day, go home at 5:00 pm and enjoy the weekend.
The article should have touched on how inconvenient windows' security model is too.
If you were an unscrupulous weasel, then no, putting that at your bottom of the emails would not make it true. But if you *always* sent your mail pgp, then any mail *not* pgp would not be from you. That is what the poster intended to say IMO.
However, you have a valid point, that, say in some sort of legal setting, you would not be able to prove that the mail wasn't from you.
----
In Soviet Russia, the overlords welcome you!
Windows security, (don't laugh) on NT 5 and up is not too shabby (when properly done... not to say that it is "secure", no systems plugged into electricity and a network are). The problem is not the security model, it's the default level of security applied out of the box. The default level is so lax, it is WISHING it were swiss cheese!
There are so many open orifices by default, it's, honestly, frightening to release a Windows system to the wild of being connected to the Internet without extensive preventative measures. Of course, keeping safe in a Windows environment is very possible but almost exclusively for technically savvy people, the rest of the Windows users (almost all of them) are running Windows with it's default pants down, bent over, with a giant neon "Rape Me" sign on them.
Sigh. Perhaps someday MS will enable some more of their security features BY DEFAULT on Windows (well, lets say, all of them, and then let users drop their computer's drawers if they choose to). Until then, look at it this way... MS's (deliberate?) default swiss cheese security keeps many a person employed plugging the holes.
If it were secure by default and kept itself in great working order automatically, what use would anyone have paying techies to do that? In a strange way, I owe my continued employment to MS's poor default practices.
-Joe
If we're all god's children, what's so special about Jesus? - Jimmy Carr
As sick as defending Microsoft makes me feel, I'm going to have to point out that your analogy isn't fair. A more apt analogy would be Ford making a car with a radio so defective that the car would explode if it received a signal of a certain frequency. Ford learns of this and initiates a recall. People ignore the recall, and then someone hijacks an antenna two weeks after the recall has been initiated and broadcasts said signal of said frequency. Cars explode.
Did Ford send the signal out? No, so they are not directly liable. Did they attempt to correct this problem before it was taken advantage of? Yes. Should such a disastrously massive problem have been allowed to make it into the final design? Microsoft do share some liability for the damage done, but not all of it. It was, after all, their incompetence that created the problem in the first place. Is it all their fault? No, sorry.
The other angle to look at is the cost of installing the patch. Since Windows requires you to reboot after changing all but the most trivial aspects of your system, this makes installing the patch extremely inconvenient for many server administrators. Administrators have no such excuse with a Linux system, which really only requires a reboot after changing the kernel. On Windows boxes, however, such required restarts can end up costing a lot of money, especially if the patch breaks a service that the server is running. So, one thing Microsoft could do would be to reduce the amount of required restarts. Good luck, since the GUI is the operating system, unlike a *nix box, where it's just another process that can be terminated without bringing down the system.
As I said, I now feel sick for sticking up for the pricks in Redmond.
I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.
Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".
And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.
Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.
Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.
mark my words.
I think I'd tend to be a bit heartless. I'd inquire into why they are using windows. If it's necessary, then I'd help them. If it was unecessary, then I'd *strongly* encourage them to use Linux, and ask them why I should waste my time just so they can save time learning something new.
:)
Luckily I haven't had anyone ask me - I guess I don't advertise my computer skills enough
please please please PLEASE do not reference wired if you wish to garner any kind of respect.
and just for reference (as a person who works hell desk (tech support) for linux servers) i have not yet met a single person affected or infected by slapper. unix and unix derivatives are vastly more secure because of the way they were designed. not to mention most distro's dont leave 45 uneccasary things running by default, hence the admin of a unix box has to do less to be decently secured.
i will admit this virus wasnt particularly microsofts fault. but we have been doing this same routine for 8 -10 years now with them. sooner or latter they are going to have to own up to it, and yes microsofts systems are inherintly insecure. and no i dont run anything M$ on anything i own or admin.
i am also very aware that i am having a bad spelling day.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
I just took my son to college this weekend and set his pc up for him. (Ah yes, dad knows FAR more about computers that jr...)
We dropped his stuff off in his dorm and discovering there was only one ethernet jack in his room we left for Best Buy to grab a cheapy hub so he could plug his LINUX box, his PS/2 and his roommate all into the single lan jack.
Well, we blew off the hub because his roommate called his cell phone and said he was "bringing a *thing* from home to hook both of *them* up at once"..
So, assuming he was talking about a hub we blew that off. Well, we got back and discover the roomy had plugged a cordless phone into the lan jack. I pulled the cord and announced that they were lucky system security didn't come up and billy club someone for crashing planet earth into the mooon by plugging the phone into the lan jack. The roomy was sitting there looking like he had crapped his pants.
I plugged my son's pc into the lan and fired it up to make sure it was configured properly with the college system and it was fine.
My son is using Mandrake 9.1 w/KDE 3.1.3tex.
Now, when you fire up Linux *MOST* people are going to say something, it's different you know and if a NORMAL person has a few brain cells functioning, they will notice something is different and not only ask questions but come over to watch..
Nope. Roomy sat there waiting for his chair to blast off, he could have been watching me pilot the starship Enterprise as far as he knew.
I very quickly drew the conclusion that this kid was not only dead in the head, his computer skills are less than ZERO.. I asked him what he has, he told me he has a laptop with Windows 98. Whee! How fun can that be??!!
There were hundreds of kids lugging brand new Compaq and Dell boxes in and they *ALL* had big fat, "WINDOWS XP installed" stickers on them.
You can bet your ass that those kids will be ate up with that shit, probably already, if not for sure by the coming weekend.
Those kids, by dragging all those XP boxes in were building a big petri dish for the script kiddies to play...
I can say this. I'm damn glad my kid is using Linux, I don't have to worry about him getting caught up in all these childish virus/worm/trojan games. This shit has gone way, way too far.
I'm not going to pump all my money into repairing his PC (600+ miles from home) every few days, dumping money down the toilet on anti-virus crapware that does not work, and paying $200 for an OS that just brings you constant headaches.
I told my son that if he wants to stay in that school then the Linux stays on his PC and M$ is forbidden on his machine. If he changes it or let's someone change it, that's it. He goes to local community college with the local idiot beerheads..
I find the article's amusing suggestion that MS could send update CDs to everyone on the planet scary. Its bad enough that I get my monthly AOL CD. I don't want a quarterly MS CD either.
Did anyone else notice this, or was it just me?
No Not Again! Its whats for dinner.
why not offer them a choice?
I'll help you move to linux for free, or I'll charge you $50 to fix your system this time.
tell them the charge will double each time they need help, for either system.
Humpty Dumpty was pushed.
please please please PLEASE do not reference wired if you wish to garner any kind of respect.
ok
And I wouldn't surprised if Longhorn had built-in virus protection. Not only would it make the OS less susceptible to viruses/worms/etc, but it would also be a nice revenue stream for Microsoft (like they'd give away the definitions for free, maybe bundle them with windows patches) And just for the record, the last virus I actually got was the Italien A virus (an old dos virus).
...Or, "The Tecn Commandments of Windows Security."
I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:
1 - No scripting host. If you don't need it, kill it.
2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...
3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...
4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.
5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...
6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.
7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.
8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!
9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.
10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.
That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.
This is _sort of_ true
If you recall the days of 68K macintosh, and Windows 3.11, there were quite a few macintosh virii.
Market share has gone down, while the emotions towards the OS have changed.
A much much larger percentage of Windows users _hate_ Windows, while more mac users love macs, that's why they chipped out for them.
Error 407 - No creative sig found
While Microsoft certainly has its problems, this attitude is pretty much, in my opinion, bullshit. If the statistics were reversed and Apple or Linux had 95% of the market you'd see just as much trashing on those systems as you see now on Windows. Script kiddies are going to attack what ever gets them the most attention. And attacking something that only has 3% of the market does not get them that attention.
Its the same philosophy of why more Corvettes get stolen than Yugos. Nobody wants a Yugo.
Yes, Windows has internal problems. All OSes do. Its a fact of life.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
And I think that goes for "conspiracy" too.
Though I do expect that MS will happily exploit their laxness in building their systems if they can do it in such a way as to make their monopoly permanent and legally required.
I worked for a company (for 3 days..I left out of principle) who the owner refused to accept the word "can't"..he wanted Windows to run on a Mac (he didnt understand the the concept of processors or architecture), when I told him he can't...he demanded to get it done..so..I write him a price quote...It was basically a quote to program a virtual machine that ran on the PPC chip. After giving him the proposal (man-hours, etc)..he said he can buy comparative VM software for around $500. (He does his homework, but not enough).he wanted to know why it would cost so much and take a year to program...
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
wow, 10USD per hour... life must be tough.
The average family wage in australia is $10.50 USD per hour. ($35,000AUD / 2000Hours * 60c)
Tell me, how do they cope?
>Tell me, how do they cope?
Dunno, but the difference is due to the very low GDP for Australia vs. the very high GDP for the USA. The accounts for the difference in wages between many different countries.
In the US itself, though, there are places where $10 US an hour is well below poverty and you would be expected to drift from shelter to shelter (Parts of California), and also places where $10 US an hour will make you rich (Alaska?).
The US is quite strange like that.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Off course the next windows will have virusprotection. MS just bought an anti-virus company. But.. are those people who don't patch update the datafiles? And will MS have the data available in time and correct?
And ofcourse, for years to come a lot of people will be perfectly happy with older version of windows..
So don't have your hopes up. Besides, now that everybody (ahum) is protected we don't have to fix IE and outlook anymore, do we?
Nobody expects the spanish inquisition!
In the past week, the Merc has been running articles quoting Microsoft authorities as saying, essentially, "Honest Injun we WANTED to require automatic updates, but we thought people would be paranoid of our intentions, so we made updates optional! Now look at the chaos!"
My prediction: There WILL be an attempt by Microsoft, probably successful, to make sure all future Windows versions automatically check for and download updates -- not only bug fixes, but also updates for furthering their own inimical combinations of big brother and forced marketing.
- Wendy
What the article talks about is merely "insecure by configuration", not "by design".
OK, MSFT could and should improve in creating a more secure default configuration, but I expected the article to be more interesting regards the "design" of windows:
Graphics in the kernel, no true multi-user system and filesystem permissions. That, IMO, is what makes Windows insecure by design. And those are issues that won't be so easy to fix without large rewrites and without breaking a lot of backwards compatability. The configuration in contrast can be fixed quite easily. It is on a deeper level where the real trouble is.
To see the magnitude of the problem, go to download.com and check the user opinions of the software listed there.
Lets say you go to see the user opinions of Mailwasher Pro or Disruptor OL.
These programs integrate with Outlook Express and are very easy to configure.
Now half the people who gave these programs negative reviews did so because they couldn't fsking understand what to do.
Who's fault is it then? When they can't understand easy programs like Mailwasher or Disruptor then how do you expect them to figure out stuff in Linux?
For these dumb heads, there is nothing you can do.
Its a known fact that the easier a firewall is to install and configure, the more insecure it is.
A good firewall should be one where you need to configure many of the options yourself.
Is somebody going to tell that to the users of Zone Alarm which pretty much needs no configuration?
Linux is more secure because a lot of stuff is configurable.
Bush is on fire and its not good for my lungs.
But I wouldn't consider myself a "technician", even in a metaphorical sense; I have an education in the humanities. I am miles and miles away from doing any serious computer-related work, such as programming.
The reason I can do these things is because the OS installation interface today is extremely simple (for the needs of the normal computer user), and the preconfigured way the OS and various programs work is still annoying enough (I'm talking about Windows here) that I feel I have no choice but tweaking a bit. And the hardware interface is also rather obvious; in most cases one really has to go out of one's way to connect anything wrongly inside the box, or mess up anything seriously if doing so. I am able to use the software and hardware resources I have to use, and I cannot afford having anyone else to help me with them. That's all. I enjoy doing this, to a certain degree.
I have a life. I really do. I've just chosen to ignore it.
As someone who works in security, "insecure by design" has a precise meaning to me, which I've not seen mentioned here yet. The developer's intentions have nothing to do with it. "Insecure by design" means every implementation of a given system will share a common set of security vulnerabilities. In other words, the design (think API or protocol) itself is flawed. No implementation is safe.
Example: The design of the http protocol does not provide any method of running arbitrary code from the client on the server. A perfectly implemented web server will contain no remote vulnerabilities of this type. Flaws in particular web servers like IIS are caused by mistakes in the implementation, not the http protocol itself. The protocol is secure by design with regard to this attack.
Contrast this with a protocol whose design is insecure. Nothing in the SMTP spec addresses the issue of spam. High-volume anonymous message injection is allowed by the protocol. Solutions to spam have to be implemented externally with things like blacklists and filters (which are considered external even when run during the SMTP transaction as they aren't part of the SMTP protocol itself). No SMTP server, no matter how perfectly implemented, can both completely follow the SMTP spec and reject all spam. Thus SMTP is insecure by design with regard to spam.
Nebulous terms like "windows" and "secure" mean next to nothing by themselves. What is "windows"? The NT kernel? The win32 API? The set of programs and services enabled by a default install? Secure against what types of attacks?
For reasonable definitions of the above, the statement "Windows is insecure by design" certainly makes sense. Take "windows" to mean the win32 API and "secure" to mean enforcement of access control. Remember the shatter attacks discovered last year? That's a flaw in the design of the win32 API. No implementation is safe. It fits the definition of "insecure by design" perfectly. And Microsoft has alluded to more such vulnerabilities lurking in the win32 API (remember when they said they couldn't reveal all the APIs for security reasons?).
Democracy is two wolves and a sheep voting on lunch.
Exchange rates don't mirror cost of living, necessarily. The Aussie
buck isn't worth as much as the US buck on the international market,
but that isn't because the Aussie buck won't buy as much, locally,
as the US buck will buy in the US.
An example: the exchange rate between where I live (Galion Ohio)
and lower Manhattan is 1:1 -- one dollar from here is worth exactly
one dollar from there. Yet, an entire family here can live on less
money per month than the rent of a two-room apartment there.
The exchange rates do have an impact on the cost of living, as they
have an impact on the cost of some items, but not everything is
priced proportionally.
Here, $10/hour is a decent wage for a single person in a blue-collar
or entry-level position. I take home about that amount after taxes,
working as an entry-level computer troubleshooter (basically, a
one-man part-time IT department at a place too small to have a
full-time IT department), but a professional programmer would
certainly make more than that (except, I doubt if we have any in
the area). Fourty minutes' drive south of here there's a big
white-collar area (Worthington/Westerville, suburbs of Columbus --
conference complexes, marketing firms, shopping malls, and
three-quarter-million-dollar houses[1] as far as the eye can see)
where someone in a position equivalent to mine would make triple
my wage and struggle to get along. Rent is much higher there;
food costs more; everything costs more. A lot of people live up
this way and commute to work down there.
[1] Nobody would build a house that expensive in Galion, because
it wouldn't have resale value. We have a sparse handful of
houses in town worth two hundred thousand or a little more.
Part of it is that the land here is much cheaper.
Cut that out, or I will ship you to Norilsk in a box.
"The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit."
Yet my workplace has had several problems directly caused by Windows updates. It's not frequent, but it's happened far more often than it should. It would be different if the problems were intentional and documented (see Red Hat example below), but they weren't. We had to roll back the patches and intentionally leave ourselves vulnerable until the next patch that fixed the prior patch was released.
I have had only one Red Hat security fix that caused (minor) problems with one of the Linux systems (the web server). An Apache upgrade was made in which the configuration format for one option (I can't remember which one) was changed, making the current configuration non-functional. However, this was planned by the Apache Group and was documented in the upgrade RPM. A simple tweak to the configuration file brought the service back, and life went on.
"And for those saying they don't trust Microsoft to fix their systems, I have one question: If you don't trust this company, why did you give it your money?"
This is a bone-headed question. They gave Microsoft their money because they had to. Most people still don't know anything but Microsoft. They blindly hand over their money year after year because, thanks Microsoft's abuse of its monopoly position, they don't have a choice.
Another thing people seem to forget is that when Microsoft first announced this functionality, the op-eds were full of warnings that email viruses were just around the corner. Microsoft's position at the time was that the benefits would outweigh any theorhetical risk.
As an ex Windows admin, the thiing that I found most difficult about Windows was not a lack of security by design. Downloading the patches and keeping the AV up to date will suffice normally. No, the problem of windows, to me, lies in that it is a fucking mess.
/bin, /usr/bin, /usr/local/bin etc, confusing for a newbie), but the fact that Windows has literally tens of dozens of directories that belong to the system, that are both undocumented and not self explanatory, as well as the registery, which is an inconsisten fucking mess if there ever was one are things that make windows a pain.
This may sound ludicrous in view of the jungle that one faces when one moves through a *nix directory tree on the command line (e.g. why is there
On top of this there are so many design decisions that are superficially a good idea, but make things hell when one goes beneath the hood. An example is the desktop. From a visual point of view it might make sense to only store data in my documents and below that, which is also encouraged by the open/save dialogue, but the My Documents sits in a deep sub folder in the real directory tree. The actual dialogue boxes of so many system controls are anything but friendly. While the wizards make things simple in a linear way, they are a stop gap measure screwed on top of a system that is anything but consistent and visually well though out otherwise.
To me it seems that MS designs it's system in that the core OS team has first go at making the bitch work, and after they are done, the mess is passed on to the UI team which then has the pleasure of slapping crap like wizards and My Documents and tons of irritating marketing reminders (passport, messanger bla bla bla, hide those icons so you can't find them again) on top of the system so that MS can call it "User friendly".
Fucking bullshit.
Worse than that ... at the time I worked for Microsoft, I spoke out about the feature becoming used for virus transmission. This statement was made directly to Balmer in a room of 400 developers ... and the room went silent.
Nothing was ever done about the issue.
One of the things that I fear the most is an actual terrorist attack using viruses to completely disrupt our financial system. It could be pretty simple and still be successful simply because the countries that have the money are the same countries that the terrorists are targeting! While countries like Iran would be "hit" they would not suffer nearly the damage that countries like the U.S. and Great Britan would. Because of this possibility, I think it is very important that the free countries of the world take immediate steps to harden themselves against computer based terrorisim, worms, viruses, and other security issues.
I think that there is poor security designed into Windows. Microsoft knows how to design adequate security, as proof of that look at the X-box. It is quite secure. This probably means that a future generation operating system is going to take the "lessons learned" from the X-box and apply them to that new O/S. This will be the PR story at least. The truth will be closer to MS obtaining a software monopoly on the Windows platform. They will control licenses for it and will require your source code for evaluation before you get the key that will allow installation.
Perhaps poor security is better than the alternative that M$ will dream up. They are driven by profit (every company is) and will take full advantage of any opportunity that they control (as they have already demonstrated).
After the past couple of weeks, it is obvious that there is a business opportunity out there for someone OTHER THAN MICROSOFT to offer a product for Windows that is a full featured security system for desktops (and servers).
I'm wondering what this kind of system would entail? How could you provide exceptional security to everything from a home PC to an enterprise level network? There are some obvious things like firewalls, anti-virus protection, automated patches, controls for security and permissions, and so on. But there are other things that could be done too. How about a key system for executing software? If the key does not exist then the software (exe, process, driver whatever) simply does not get permission to run. What about software that monitors network traffic and when certain limits are set human intervention is required of the PC is taken off line?
I am also wodering about the ethical issues associated with all of this. If Ford puts a car on the road that they know is insecure and an accident happens, they have liability. If I drive a car knowing that it is unsafe, I have liability. If the state allows a road to go unrepaired, they have liability. Isn't the same thing true for a software product? In today's world, in this litigious society, isn't M$ opening themselves up to a great deal of liability when their software is a swiss cheese of vunerabilities?
Great. I'll let you spend the 6 months it'll take to teach my mom what an "extension" is, what it means, why she should care, and then the differences with all of the nitty gritty details (why the same files have different extensions (htm, html, shtml, etc), why pictures have different extensions (jpg, jpeg, gif, tiff, tif) and so on.
Fact of the matter is extensions shouldn't matter -- they're just a legacy artifact of 8.3 filenames and commandline interfaces. Macs have worked just fine without them for years. Unix system use a hodgepodge of extensions, mainly to represent what content a file contains to a person on the commandline (the same effect is derrived by giving files icons in a GUI). On a unix system I could have a file named foo.jpg -- doesn't mean it's a jpg. In fact, it could contain a binary and could be executed if the right bits were set on the filename. Depending on a file extension to convey an accurate representation of it's contents is just asking for trouble.