Windows Is 'Insecure By Design,' Says Washington Post

Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"

Re:Why was this posted?

[Audity]

It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.

Actually mac and linux users were affected

[jdigriz]

Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquantainces, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.

Re:Corporate Blinders

[vacaboca]

"all this evidence for the need for operating system diversity in the corporate realm"...?

That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.

Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.

Re:Insecure by Design

[BRTB]

Also fact: System relies on file extensions to differentiate between executable and non-executable files, which in my mind is a bit worse.

Re:MOD PARENT UP, more..

[Flower]

MS chose to enable features as default that did not need to be on most installs. That is an insecure design. To be fair, earlier versions of RH did the same stupid thing and got burned by it. Macs also used to suffer from worms though I don't know why things got better - sorry used to keep up with Macs but not anymore.

Anyway, as for your requirement for "INTENT." Back when the CodeRed came out, work gave me the responsibility of locking down our IIS servers. Back then I didn't have any experience with IIS so I did the smartest thing I could come up with - started reading and convinced work to send me to a one day SANS seminar. Well, the instructor told a story from an MS employee of how MS figured it was cheaper enable crap like Internet Printing and the like by default than it was to eat the cost of projected support calls they would get from people who wanted the feature but couldn't figure out how to enable it.

IOW, enabling everything in IIS was done because it saved MS a few bucks. That is a design decision. It was intentional and most importantly it was insecure.

You still want to mince words on this?

Conspiracy theory

[bokmann]

I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.

Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".

And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.

Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.

Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.

mark my words.

Re:Ummm...

[1lus10n]

please please please PLEASE do not reference wired if you wish to garner any kind of respect.

and just for reference (as a person who works hell desk (tech support) for linux servers) i have not yet met a single person affected or infected by slapper. unix and unix derivatives are vastly more secure because of the way they were designed. not to mention most distro's dont leave 45 uneccasary things running by default, hence the admin of a unix box has to do less to be decently secured.

i will admit this virus wasnt particularly microsofts fault. but we have been doing this same routine for 8 -10 years now with them. sooner or latter they are going to have to own up to it, and yes microsofts systems are inherintly insecure. and no i dont run anything M$ on anything i own or admin.

i am also very aware that i am having a bad spelling day.

Windows does not have to be insecure.

[facelessnumber]

...Or, "The Tecn Commandments of Windows Security."

I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:

1 - No scripting host. If you don't need it, kill it.

2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...

3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...

4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.

5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...

6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.

7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.

8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!

9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.

10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.

That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.

Re:Ummm...

[jonadab]

Exchange rates don't mirror cost of living, necessarily. The Aussie
buck isn't worth as much as the US buck on the international market,
but that isn't because the Aussie buck won't buy as much, locally,
as the US buck will buy in the US.

An example: the exchange rate between where I live (Galion Ohio)
and lower Manhattan is 1:1 -- one dollar from here is worth exactly
one dollar from there. Yet, an entire family here can live on less
money per month than the rent of a two-room apartment there.

The exchange rates do have an impact on the cost of living, as they
have an impact on the cost of some items, but not everything is
priced proportionally.

Here, $10/hour is a decent wage for a single person in a blue-collar
or entry-level position. I take home about that amount after taxes,
working as an entry-level computer troubleshooter (basically, a
one-man part-time IT department at a place too small to have a
full-time IT department), but a professional programmer would
certainly make more than that (except, I doubt if we have any in
the area). Fourty minutes' drive south of here there's a big
white-collar area (Worthington/Westerville, suburbs of Columbus --
conference complexes, marketing firms, shopping malls, and
three-quarter-million-dollar houses[1] as far as the eye can see)
where someone in a position equivalent to mine would make triple
my wage and struggle to get along. Rent is much higher there;
food costs more; everything costs more. A lot of people live up
this way and commute to work down there.

[1] Nobody would build a house that expensive in Galion, because
it wouldn't have resale value. We have a sparse handful of
houses in town worth two hundred thousand or a little more.
Part of it is that the land here is much cheaper.