Slashdot Mirror
Windows Is 'Insecure By Design,' Says Washington Post
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
Except the Mac and Linux users in charge of those systems... ;)
There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".
That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.
On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!
"People will pay big bucks for the luxury of ignorance."
The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much imrpoved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are update will the ability to use real user security settings become practical.
.
If nothing happens then you have a reasonably secure linux box.
In my case, because Virginia Tech's CS department requires us to have XP Pro. The people who don't trust MS use Windows because they have to.
the author makes nice (partial if you may)rebuttal of this myth, and also points to something to back it up like the number of open ports that create potential possibilities for holes,and that are for services that are default enabled, yet shouldn't be used in hostile environment(and how ms does nothing about it, and how xp was supposed to be more secure in matters like this). and frankly i haven't heard of non-hostile environment involving more than 10 people in a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.
-
world was created 5 seconds before this post as it is.
I wonder how much money RedHat slipped the Washington post for that one...? *g*
Agreed. I'm not trolling, but one could argue that noone cares enough about macs or linux to target them with viruses. :P
Like a Linux PC owner sleeps anyway....
"Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes"
emerge -u world
how _hard_ is that?
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.
...
Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.
The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.
The coolest voice ever.
It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.
what about web server worms? apache is much more used than iis, but this didn't help iis...
Obligatory Response:
The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.
There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).
This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly ever user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!
A blog like any other.
Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquantainces, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.
And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't.
http://rocknerd.co.uk
Funny, you say that. That excuse is getting to its old age.
.pif and .vbs (Here you stop user interaction for virus to be downloaded)
But it makes a great difference (on Windows) right in a moment after you:
step1) Disable Internet Connection to Explorer and Outlook (almost no one virus can connect to internet to download it's other part or upgrade, because they mostly use ActiveX download object)
step2) Start using Mozilla or Opera or even better Thunderbird and Firebird (in this step you disable IFrame and OCX viruses)
step3) Teach users not to open
Problem with Windows is not 95%, but IE and Outlook are made as centerpart of the system, thus allowed to any action no matter how stupid it is.
Based on that: YES, Windows is insecure in its roots.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
"all this evidence for the need for operating system diversity in the corporate realm"...?
That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.
Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.
Give me a break. Linux (and Mac) don't have a huge share of desktops, but more and more companies (the kind of companies you want to hack and steal credit card numbers from) are running Linux-based servers. The source code for Linux is on millions of computers, naked to the world.
I learned about preventing buffer-overruns when I was in high school. This "most computers are running Windows" excuse for viruses is a cop-out, plain and simple.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
I find it much easier to secure a Linux/*BSD box than a Windows one. Even though I use Win 2000 daily as a programmer. I'm pretty sure I'm not alone in that predicament.
Just keep in mind that a large part of the internet infrastructure does not run Windows, but they (the servers) still seems to do okay, apart from the odd sendmail/bind/openssh bug ;-)
The size of the windows audience has something to with the sheer number of viruses & worms, but that doesn't mean that mean that BSD/Mac OS/Linux are automatically just as insecure as Windows. Microsoft hasn't exactly gone out of it's way to ensure that users are safe and secure (not to the extent that OpenBSD has anyway)
Furthermore, *NIX has a massive presence in the server closets of the world. A worm that/virus that exploited these systems could be very lucrative for a malicious individual.
- Stealing corporate data (so we could find out who exactly SCO buys the stuff McBride is smoking from)
- DDoS attacks with OC-3 (rather than DSL/Dialup/Cable)
- Spam directly from the mail servers
There are certainly good reasons to write *NIX worms/viruses, but I think a combination of cluefull administration, a well designed OS, and to (a smaller extent) obscurity work together to make them a particularly hard target (when compared with Windows)
The only way to get everyone patched (moreso than the auto-download and ready to install of Windows) is to force everyone to patch. However, there would be several dupes on slashdot about how our rights are being taken away and how Microsoft can look into our computer. A step further, if people started using Linux, you might see the same thing with Linux...
This is my digital signature. 10011011001
I agree. The Washington Post is a very well known newspaper that many people get. Even my father(who subscribes to WP) read the article this morning and showed it to me because he thought I might find it interesting. He isnt the type to read stuff like slashdot. Just a note..I saw it at news.google.com this morning.
The Television Wiki
The recent DCE/RPC vunerability exploited MS's DCOM implementation residing on the end point mapper port using raw DCE/RPC over TCP.
This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.
A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.
If MS has followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may thing, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.
int func(int a);
func((b += 3, b));
Regarding IE and Active X.
Its nothing but a virus delivery system.
That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.
Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?
Visualize the world of wine
Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....
This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...
It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
Comment removed based on user account deletion
While it is true that a lot of these things rely on social engineering, the other part is why does the OS allow the user to do these things in the first place? If you don't want users to do something destructive, why offer them the choice?
One of the first rules of design seems to be lost on MS designers. If you don't want users to do something then don't offer it as an option. You can pop up dialog after dialog warning users like this:
Do not click 'yes'. If you click 'yes' will crash the machine. Only click 'no'.
[Yes] [No]
How stupid is it for a user to click "yes"? How stupid was it for the programmer to put the "yes" button there?
Yet in MS program after MS program they tell you something is dangerous and allow you to do it anyway. I guarentee as long as applications allow this some malicious hacker will use a little word play or social engineering to allow them to do something destructive.
I really want to throttle the person at MS who tried to get people to believe computers are as easy to operate as toaster ovens. Computers are complex machines. Hiding the fact from the user is not only dubious but dangerous.
Apache is more deliberately used than IIS. IIS, however, has a very widespread install base amongst clueless users who don't even realise that they're running it, thanks to Microsoft's boneheaded install procedures.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Even some Linux default installs have security holes. It's all in how it's done, not what it's done with. Are we supposed to throw out everything written in C now, too?
You are not the customer.
I think my favorite part in the article is when the author suggests that MS should use their massive cash pile to mail out a CD of updates to every single customer that wants one. Considering how many CDs AOL sends out (and yes, I know they are bleeding money), wouldn't it make sense to partner with AOL, who is already producing discs, and make them multi-session, so that MS could use the already pervasive CD distribution systems in place to get updates out?
I can't believe no one thought to suggest this before. And if MS was REALLY SERIOUS about making security their #1 priority, it would be a pittance to part with and give their customers a much-needed sense that MS actually does care about their customers.
The question is, do they really care more about the customer or the bottom line?
oh yes. they could call it MSUX.
This is really an awful way to think about a consumer base that doesn't understand some basic tenants of computing. I've known plenty of Windows users that think 3.5" floppies are hard disks because the casing is, well, hard. To expect them to catalog file extensions in their heads as well is ridiculous. Obviously you are a more savvy user as you have Linux based machines and a firewall set up.
Not everyone has the time/expertise/desire to learn that much about computing, and that's OK. If everyone were a geek, you'd have no one to bitch about, would you?
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religously, start targeting Mac and Linux as much and see who is insecure
Actually, virus writers write virii targetting windows machines because windows machines are easy targets, not because there are so many licenses sold.
According to Netcraft's site survey only a quarter of active sites run Windows leaving the bulk of the public internet running on *nix.
I suspect much of the 95% of PCs you speak of are safely walled up in institutions, schools and corporations private networks, which are generally out of scope for a worm like blaster to target.
Now koniosis, what you should impress you is that *nix's run the majority of public sites on the internet, (those sites most easily attacked, i might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.
Finally, only a Microsoft employee could think that its justified that the amount of embarrasing code compromises grow proportionally to desktop marketshare.
Where you are wrong, and the Washington Post is correct is that Windows doesn't have to be intentionally flawed to be 'flawed by design'. Something can be flawed by design as far as security goes just in neglecting to design a proper security model to begin with. Windows is flawed because it wasn't designed to be secure from the beginning, and newer versions, even those written after Microsoft started to become more aware of the need for security, have been hamstrung by their need to retain backwards compatibility with older versions and for software written for older versions which in many cases just won't install and/or run correctly on a properly locked down installation of Windows. Whether Microsoft intentionally designed in security flaws isn't what matters, what matters is Windows, as it is currently designed and implemented has some inherent design flaws which make it less secure than it needs to be. Among them are the fact that so much Windows software relies on being able to write to system directories (to add DLLs, etc) to be installed, which leads most people to allow too many users to be able to access too many files. Another is the fact that Microsoft built in scripting which allows too much access to low-level functionality (in other words, it doesn't run everything in a restricted sandbox) into just about everything, including the email clients and office software most Windows users depend on. Another is the fact that executability is based on file extension and not by permissions, if it wasn't, then people wouldn't be able to accidently execute malicious downloads so easily. This problem is compounded by the fact that by default most Windows facilities and software likes to hide the file extension.
The Washington Post article is not a troll or flamebait, it is a very necessary wake up call to the average Joe Windows users. If more of them had patched their systems and used mail clients other than Outlook or Outlook Express as you have, then these viruses/worms wouldn't be such a big problem. Without the mainstream press letting these people know, they will not get the message.
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
- David A. Wheeler (see my Secure Programming HOWTO)
Fact: File extensions are still hidden by default.
these virii were created by people - people create virii for windows because that's what people use, not because it's more insecure than other OS's. When linux gets more popular people will start making virii for it.
Why are attachments allowed to do *anything* on the computer?
Uhh, because some of us know our way around well enough to get programs from people that we want to run. Saving to HD and then running doesn't change a thing. To say you shouldn't be attaching executables is silly. People should be safe: know who sent them the mail, know what it is they are running, and run an up to date virus scanner, as well as keep their system patched.
If you are talking about automatic running of attachments, that is a different story, but I want my computer to do what I tell it to do.
Users running NT based versions of Windows are effectively forced, or annoyed, into running as admin. This happens for a number of reasons:
* Old software runs as admin only. Stuff that came out during the DOS/Windows days, much of it pretty recent, simply won't run as anything but admin. This is a nasty legacy thing, and is a vestige of the horrendous design of Win95/98/ME.
* Too much new software runs as admin. For example, if you want to run Microsoft's own Age of Empires, it only installs as admin, and only runs as admin. This is a new application made by the mothership, and clearly, fits into the home scenario as the article. I'd guess that at least 20% of the apps on my Win2k box require admin rights.
* Too many housekeeping functions require admin.
* It is a relative hassle to run a program with admin rights when not admin. The most common way is to -right click on the program's icon, and then select Run As, and then enter the admin password. Ugh.
* Even for the disciplined, quick user switching allows admin to stay logged in, most likely still running OE or some other security nightmare.
The upshot is that if a user even understands the concept of not running as admin, they are forced to, or get lazy and do so.
I've set up several users on Win2k, and taught them about security, and why they really, really don't want to run as admin. Months later, they all are.
This will be a problem if Linux ever becomes widely adopted by home users, and why Lindows runs as root by default.
Didn't Apple get this figured out? Why haven't everyone else copy them as usual?
Jonathan
Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh,httpd, afp, etc) running. 1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)"
--- Kicking the Cheat since late 2002
Uh, hate to tell you, but unless you're sueing somebody you're not participating in society in normal ways.
Stop the Slashdot effect! Don't read the articles!
I wonder how many people read the EULA's? I bet the numbers are related (and small).
Little Brother, watching the watchers
Okay, maybe I should have turned on the firewall before connecting to the Intenet. I didn't realize the virii were scanning so relentlessly and quickly. I also thought that the idea of turning on a software firewall on a brand-new install seems a little dumb. All the firewall does is prevent incoming connections to insecure ports. If Microsoft knew when they shipped the OS that the ports would likely be found insecure, why wouldn't they just turn them off by default? I mean it is one thing to buy Norton Firewall on the presumption that they are fixing Microsoft's broken security model but why would I use a "security fix" that comes on the same CD as the program that introduced the security hole in the first place! It seems totally illogical to me.
I now have a new signature on my emails:
*In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*
I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.
Also fact: System relies on file extensions to differentiate between executable and non-executable files, which in my mind is a bit worse.
Anyway, as for your requirement for "INTENT." Back when the CodeRed came out, work gave me the responsibility of locking down our IIS servers. Back then I didn't have any experience with IIS so I did the smartest thing I could come up with - started reading and convinced work to send me to a one day SANS seminar. Well, the instructor told a story from an MS employee of how MS figured it was cheaper enable crap like Internet Printing and the like by default than it was to eat the cost of projected support calls they would get from people who wanted the feature but couldn't figure out how to enable it.
IOW, enabling everything in IIS was done because it saved MS a few bucks. That is a design decision. It was intentional and most importantly it was insecure.
You still want to mince words on this?
I don't want knowledge. I want certainty. - Law, David Bowie
True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.
There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.
But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.
The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.
Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)
This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!
Quote from a poster on that story:
Mmm-hmm, and there goes security.
(Story link: Gnumeric Now Supports All Excel Worksheet Functions )
The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.
Professional Wild-Eyed Visionary
With write priviledges only to their own sandbox, then, none of this would be happening. Instead, you've got IE and Outlook running as a user's account, so, despite the prevalance of a workable user based access control list based security system in Windows, Microsoft does not use it where it really counts. Dumb dumb dumb.
This is my sig.
Today I sat down at my computer when I got a MSN message from a friend. That friend is complete noob with computers and now he had a problem.
.... After awhile, me trying to explain him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...
.... I, after awhile, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....
.... I try to explain him how to use windowsupdate but is almost giving up since he just dont get he just gotta press scan for updates and then install updates. Well in the end he gives up and says he dont care ....
This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.
Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?
Friend: Patched ? ?
Me: Yeah. You know downloaded updates for windows.
Friend: No..
Me: Oh well. Here is a link to a virus scanner try and run that first.
Me: Good now to update your system.
Me: So, Now I suggest you update your system with patches from windows update.
Friend: Why? What should I waste time download all that? What good does it do me ?
Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.
Friend: But how do I do it ?
And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.
it's dorm move-in weekend at the university where i work. after looking at a sample of the machines brought to school by students given the privilege of early move-in (ra's, mainly), we found that less than 5% of our students were patched for both blaster/lovesan and welchia/naichi. as such, it was decided that shutting off the entire residence hall network would be easier than shutting off ~95% of the ports once they got infected (typically takes 3-5 seconds in this environment). so our student workers and a few full-timers like me get to make our way to every single student machine (~8,000 students in the dorms) and analyze, clean, patch, and install a current virus scanner.
overtime is great.
Your reply is the best so far; however, just take a step back and listen to my point.
Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?
People get in vehicles drunk and run into families of four, killing them all. Do you think that this unintentional side effect was, 'by design' when the engineers created the vehicle? Was it 'by design' when man created beer or wine?
I think I'm being treated VERY unfairly by most responses here.
I give you one more example.
When the hammer was designed, do you think the designer intended it to be used to kill people? Or how about the baseball bat?
This is being over-analyzed by so many techies, that I think the clear facts are being missed. That which is, the article is misleading and doesn't contain a fair wording of facts. Put yourself in the shoes of others. Take a breath and look at my point.
I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.
Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".
And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.
Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.
Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.
mark my words.
I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.
Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.
And this has been the same on the 2 different machines that I've run XP on.
But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.
Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.
And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.
So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.
I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.
I guess your mileage may vary.
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
In a response to a recent story, someone mentioned that UNIX standards were generally based upon specifications which had been made publically available for comment.
This is something that many take for granted, but it is quite important. RFCs are discussed publicly, and people review protocols independently of specific implementations. This means that the protocols themselves are refined, and implementors only have to worry about correctly coding to a given specification.
Under Windows, the specification is often "whatever works with this code is fine". This invites much less review of the protocols, and since the protocols are ill-defined, it's difficult to determine whether the protocol has been implemented correctly.
Somebody get that guy an ambulance!
Right on. My experience was the same. I was immunized from BLASTER on July 17th according to the log from MS Update. It's very hip and au courant to ignore MS Updates, because they're a pain, and their Service Packs don't have a great reputation. But updating early and often has kept me out of trouble.
When I started getting Sobig emails on Tuesday, I even took the time to call two of my friends (who subscribe to some of the same lists I do) to warn them not to trust emails with attachments. I had to explain the whole concept to them, but they got it. I got 40 the first day, 20 the second and only a handful since. And I had no desire to open any of them.
The biggest threat that Windows poses is that from users who are totally clueless... they turn on their machine thinking it's some kind of "email machine" and nothing else. Not a clue there are threats or risks out there. And no indication from Windows, or Outlook, or IE that anything they do could be unsafe. Windows update works, at least this time it did. They're not going to get more saavy, so there's no harm in telling people to use windows update.
Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
3. Update early and often
The article is right, Windows is dangerous. MS isn't going to tell the consumer, because that would threaten their (considerable) cash flow.
I'll shut up now.
Everything I've ever learned the hard way was based on a statistically invalid sample.
Agreed that developers aren't IT support (well, unless they're developing apps for IT). But they ought to know how to keep their desktops running.
Heck, I used to develop in a shop where any developer above "junior programmer" was expected to know how to reinstall the OS (Solaris, Ultrix or AIX), configure it for Oracle, install Oracle, install our software (a GIS system), and generally manage their own workstations. Ditto for the sales support guys'n'gals and the trainers (although the latter might need some phone support).
Would you have automotive engineers or even car salesmen that don't know how to drive, check the oil and put gas in the car?
-- Alastair
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project failed.
I just took my son to college this weekend and set his pc up for him. (Ah yes, dad knows FAR more about computers that jr...)
We dropped his stuff off in his dorm and discovering there was only one ethernet jack in his room we left for Best Buy to grab a cheapy hub so he could plug his LINUX box, his PS/2 and his roommate all into the single lan jack.
Well, we blew off the hub because his roommate called his cell phone and said he was "bringing a *thing* from home to hook both of *them* up at once"..
So, assuming he was talking about a hub we blew that off. Well, we got back and discover the roomy had plugged a cordless phone into the lan jack. I pulled the cord and announced that they were lucky system security didn't come up and billy club someone for crashing planet earth into the mooon by plugging the phone into the lan jack. The roomy was sitting there looking like he had crapped his pants.
I plugged my son's pc into the lan and fired it up to make sure it was configured properly with the college system and it was fine.
My son is using Mandrake 9.1 w/KDE 3.1.3tex.
Now, when you fire up Linux *MOST* people are going to say something, it's different you know and if a NORMAL person has a few brain cells functioning, they will notice something is different and not only ask questions but come over to watch..
Nope. Roomy sat there waiting for his chair to blast off, he could have been watching me pilot the starship Enterprise as far as he knew.
I very quickly drew the conclusion that this kid was not only dead in the head, his computer skills are less than ZERO.. I asked him what he has, he told me he has a laptop with Windows 98. Whee! How fun can that be??!!
There were hundreds of kids lugging brand new Compaq and Dell boxes in and they *ALL* had big fat, "WINDOWS XP installed" stickers on them.
You can bet your ass that those kids will be ate up with that shit, probably already, if not for sure by the coming weekend.
Those kids, by dragging all those XP boxes in were building a big petri dish for the script kiddies to play...
I can say this. I'm damn glad my kid is using Linux, I don't have to worry about him getting caught up in all these childish virus/worm/trojan games. This shit has gone way, way too far.
I'm not going to pump all my money into repairing his PC (600+ miles from home) every few days, dumping money down the toilet on anti-virus crapware that does not work, and paying $200 for an OS that just brings you constant headaches.
I told my son that if he wants to stay in that school then the Linux stays on his PC and M$ is forbidden on his machine. If he changes it or let's someone change it, that's it. He goes to local community college with the local idiot beerheads..
Some of us developers working for smaller businesses need to handle EVERYTHING.
"Hey, Dave, make our fundamentally different, colocated e-commerce sites securely share all their data amongst each other and seemlessly integrate it with this new proprietary MRP solution. Upgrade our computers when we're not using them. Find a legal way to install this one copy of Office onto all these computers. Make our computers faster and better. Don't touch my computer. Upgrade our Norton Antivirus server and all our clients. None of us want login passwords, but we do want security. This one mid-90's era server ought to be enough for all our needs. We want video conferencing on all our sites. We don't want to buy anything."
I do almost as much IT support as I do development.
Mac and Linux not targeted? Taking the view of a malicious hacker, why would you bother coding a virus that only affected a minority of computer users? If Linux ever really makes it mainstream, you may find it's just as susceptible.
Well, checking the oil I'd put more akin to checking free resources. Same for most of the other fluids in the car, short of fuel. fuel's akin to turning the thing on in the first place. Do these people need to know how to operate the turn signals, trunk release, windshield wipers, domelight, etc? I'd rate them as your basic intelligent car owner.
As for changing fluids out, the computer equivalent would be to a backyard mechanic, who handles oil and antifreeze coolant. Maybe checks the tranny fluid and takes it somehwere if it doesn't look right. Changes out burned out lights, etc. Stuff that is mostly covered in the owner's manual, or at least has stuff like fluid quantities. In computers, I'd equate that with being able to hook up external devices and get them to work, being able to remove stuff from C:\WINDOWS\START MENU\PROGRAMS\STARTUP, configure basic network settings from instructions for something like DSL or Cable. Calls for support or a technician when something out of this range goes wrong.
A+ certified techicians would equivalently handle basics, like replacing alternators, starters, draining transmission fluid, replacing water pumps, checking differential gear oil, lubing the suspension or steering parts, replacing obviously bad water hoses, and the like. Stuff that stands out. By comparison to computers the person would be able to replace hard disk drives and CD-ROMs, install video cards, install the OS from scratch for the default configuration, configure sound support, and the like. Maybe even dig into the registry a smidgeon.
And above that you'd have your power-technicians, who would be up there with not being afraid to remove stuff like engines, axles, transmissions, steering columns, dash boards, interior parts, etc. These people would be able to play with advanced networking, deal with driver and IRQ conflicts, handle tweaking of the OS, dig into the registry a bit, etc.
Beyond that, you find different people who can rebuild engines or transmissions in their sleep, modify sheet metal artistically, handle advanced upgrading of suspension, and the like. They would in computer equivalents be specialized, but very talented. They probably wouldn't even do much of the lower-level work unless they had to, because they would be more valuable higher.
Well, that was quite long enough of a ramble...
Do not look into laser with remaining eye.
Is it possible that Windows was never designed with security from the start because it was not designed for a network from the start? MS entered the networking and Internet game pretty late and with it came all the worms, trojans and other stuff. Of course, this assumes that the constituents of present-day Windows have a lot in common with the pre-TCP/IP Windows of old. Still, I think it could be one way of looking at the fundamentally insecure design of Windows.
I thought it was amusing when I surfed over to the Post to read the article there was an ad for "Windows 2003 Server" on the page. I had to take a screen shot. If you want it it's here --> http://johnford.net/images/windows_ad01.jpg
...Or, "The Tecn Commandments of Windows Security."
I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:
1 - No scripting host. If you don't need it, kill it.
2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...
3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...
4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.
5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...
6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.
7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.
8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!
9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.
10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.
That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.
This is what grabs me: a new vunerability with MDAC announced on 8/20 is rated as 'Important'. Same buffer overflow problem as 026.. same potential for damage.. most/all corporate customers have MDAC running.. but it doesn't rate a 'Critical'. Are they waiting for exploit code to appear or are they waiting for the sh!tstorm to die down?
It's so nice to see Microsoft finally get something right.
--Rick "If it isn't broken, take it apart and find out why."
As someone who works in security, "insecure by design" has a precise meaning to me, which I've not seen mentioned here yet. The developer's intentions have nothing to do with it. "Insecure by design" means every implementation of a given system will share a common set of security vulnerabilities. In other words, the design (think API or protocol) itself is flawed. No implementation is safe.
Example: The design of the http protocol does not provide any method of running arbitrary code from the client on the server. A perfectly implemented web server will contain no remote vulnerabilities of this type. Flaws in particular web servers like IIS are caused by mistakes in the implementation, not the http protocol itself. The protocol is secure by design with regard to this attack.
Contrast this with a protocol whose design is insecure. Nothing in the SMTP spec addresses the issue of spam. High-volume anonymous message injection is allowed by the protocol. Solutions to spam have to be implemented externally with things like blacklists and filters (which are considered external even when run during the SMTP transaction as they aren't part of the SMTP protocol itself). No SMTP server, no matter how perfectly implemented, can both completely follow the SMTP spec and reject all spam. Thus SMTP is insecure by design with regard to spam.
Nebulous terms like "windows" and "secure" mean next to nothing by themselves. What is "windows"? The NT kernel? The win32 API? The set of programs and services enabled by a default install? Secure against what types of attacks?
For reasonable definitions of the above, the statement "Windows is insecure by design" certainly makes sense. Take "windows" to mean the win32 API and "secure" to mean enforcement of access control. Remember the shatter attacks discovered last year? That's a flaw in the design of the win32 API. No implementation is safe. It fits the definition of "insecure by design" perfectly. And Microsoft has alluded to more such vulnerabilities lurking in the win32 API (remember when they said they couldn't reveal all the APIs for security reasons?).
Democracy is two wolves and a sheep voting on lunch.
As an ex Windows admin, the thiing that I found most difficult about Windows was not a lack of security by design. Downloading the patches and keeping the AV up to date will suffice normally. No, the problem of windows, to me, lies in that it is a fucking mess.
/bin, /usr/bin, /usr/local/bin etc, confusing for a newbie), but the fact that Windows has literally tens of dozens of directories that belong to the system, that are both undocumented and not self explanatory, as well as the registery, which is an inconsisten fucking mess if there ever was one are things that make windows a pain.
This may sound ludicrous in view of the jungle that one faces when one moves through a *nix directory tree on the command line (e.g. why is there
On top of this there are so many design decisions that are superficially a good idea, but make things hell when one goes beneath the hood. An example is the desktop. From a visual point of view it might make sense to only store data in my documents and below that, which is also encouraged by the open/save dialogue, but the My Documents sits in a deep sub folder in the real directory tree. The actual dialogue boxes of so many system controls are anything but friendly. While the wizards make things simple in a linear way, they are a stop gap measure screwed on top of a system that is anything but consistent and visually well though out otherwise.
To me it seems that MS designs it's system in that the core OS team has first go at making the bitch work, and after they are done, the mess is passed on to the UI team which then has the pleasure of slapping crap like wizards and My Documents and tons of irritating marketing reminders (passport, messanger bla bla bla, hide those icons so you can't find them again) on top of the system so that MS can call it "User friendly".
Fucking bullshit.