Microsoft's Security Report Card
Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."
Is any software really at the point where we can install it and forget about it?
Security is a job for all of us, not just Microsoft.
As long as hackers out there have the tuits to break into systems, security is everyone's business.
I have been pwned because my
Going from an F- to an F+ isn't something to get excited about.
Now that I'm an MCP (sucks, huh?) I'll be trying to get as many people away from the Microsoft platform to something more secure at every opportunity I can get :)
:)
I'm calling myself a trojan horse
I would like to see some comparisons of Red Hat version 7.2 (since '01) to XP (in terms of security patches, not bug fixes).
Heck Red Hat doesn't even support it anymore! 9.0 is coming up too!
Funny, it seems to imply in the news.com article that fewer advisories are better than more... hell, I think my ol' comp running win98 went for many months last year without a single advisory notice when I clicked into the Windows update site. Pfft. So therefore win98 is safer than Server 2003... :P
0- Eamonman Proud member of DNRC
I thought an Incomplete actually counted as an F.
I think the appropriate grade for this would be an IP (in progress).
Does anybody remember the article where old Microsoft basically said it was the end consumer's responsibility to keep things secure and not the developers'? I'll have to find the article, but it's only a couple months old or so. I think the "report card" should be re-evaluated knowing that Microsoft really doesn't care about security like they claim to.
That MS is actually improving security is good for all of us.
It's about time, and they still have a long way to go, but increasing security gives less room for E-mail viruses, worms and other network-hogging exploits.
Hmm... Any chance of a class-action suit from people who do NOT use Microsoft, addressing the way their lack of security has wrecked important services for non-MS users?
After all, those of us who don't use MS have never accepted their EULAs, but they've still wreaked havoc for our systems.
Could at least lead to an even further increased MS focus on security, which would help everyone...
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.
I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.
If a bunch of hobbyists were able to colonize the moon, would we hold back any criticism of NASA?
Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.
And I'll show Microsoft a bigger market!
Until then, I'll stick with BSD, Solaris and Linux.
Just trying to figure out what needs to be updated is a pain in itself, unless you figure out that you need the MBSE. Then you need to wade through the security bulletins, which sometimes contain the patch (in varying locations of the document and with no fewer than two pages to go through to get to the patch) and sometimes tell you to go to Windows Update. Not an option when you're trying to cut a disc for a client, or are dealing with an environment that doesn't allow Windows Update for security reasons.
Grabbing MBSE and every available patch from the website and applying said patches to a fresh Windows XP installation took about two and a half hours, and was incomplete (MBSE reported four patches that weren't applied). Windows Update isn't appropriate for a fresh install because of things like Blaster that will automatically infect the system upon connection to the Internet.
Then, there's all the defaults they've got to have their system phone home, such as sa.windows.com for searches, IE automated updates, WMP automated updates (including DRM), ntp.windows.com, Automated Windows Update. Locking down a Windows XP system is an exercise in frustration.
Trustworthy computing? Methinks not. Linux/BSD/OSX may have their myriad security and design flaws (except OpenBSD, which has yet to have a remote root compromise), but Windows XP holds a special place in my heart. Microsoft has admitted they've got an issue with security, which is a good thing, but now they should really address it -- they should be doing everything possible for the user to take control of his/her system, instead of heading the other way.
It's about as big an oxymoron as Microsoft Works.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
They have 10-30 BILLION USD in cash/cash-like assets. Why don't they spend some of that to make their products more secure?
I am not quite sure if this is off-topic, but I'm going to take a gamble here :)
:) but I'm really bothered that this "report card" doesn't include anything from the myriad of unpatched Internet Explorer holes and the way Microsoft relicenses PATCHES... I mean, really, EULAs for PATCHES? What if I DON'T agree???
:)
:)
"There is an order of magnitude--more people using Automatic Update and downloading patches," Microsoft's Kean said.
This would be the system that gave the world the "DRM or be unpatched" situation, right? how trustworthy.... changing functionality along with a "security" patch
I know that bashing Microsoft is a favorite pastime here
really HOW is this "trustworthy" ??
I am REALLY impressed by the stupidity of these "reviewers" and how easily people forget these sorts of things... kudos to Microsoft PR... AGAIN
I REALLY needed to get this off my chest
Fighting for peace is like fucking for virginity
Microsoft Security. What's it all about?
Well that's an easy answer. It's all about educating 'users'.
1. Don't open emails unless you are certain it is from a trusted source.
2. Keep your system patched
3. Ensure you have Anti Virus software installed, and up-to-date.
4. Use the firewall built into XP, or install one of the many free (for personal use) 3rd party firewalls, or even better look for an ISP that firewalls sensitive ports for you.
This is all basic stuff, but many home users don't really give a stuff if their machine is taking part in a DDoS attack, as long as they can still get to their email, view web pages, send instant messages and download pr0n (actually - forget the last one, that's us geeks)
Why work on the Model-T, when you can build the next generation automobile. They have to be competitive to stay in the market place. If they kept patching Windows 3.1, where would we be?
This happens because of competition. If people were looking for more secure systems, then M$ would invest in it.
Regards,
Security a work in progress for Microsoft
Last modified: January 15, 2004, 1:16 pm PST
by Robert Lemos
Staff writer, CNET News.com
Two years after Chairman Bill Gates called on Microsoft to redouble its efforts to secure its software, the company is beginning to ma
perts who penned a report warning that Microsoft's dominance in the IT market carries a risk of catastrophic failure.
The risks to the IT infrastructure have even Microsoft's competitors hoping that the company gets it right.
"On the macro level, you want every vendor to do a better job of security," said Mary Ann Davidson, the chief security officer at database maker Oracle.
Davidson sees Microsoft's focus on security, paired with the fact that the company admits to losing sales because of security issues, as proof that customers can demand better products. "You have the moral liability to your customers--they bet their business on your software," she said. "They expect it not to break, and they should get that."
For its part, Microsoft is repeating a mantra of a year ago: Patience--security is a journey.
"You can't turn around the infrastructure in 24 months," said Scott Charney, a Microsoft security strategist who has repeatedly likened the initiative to NASA's 10-year march to the moon.
"You need better education, you need better tools, better technology," he said. "Are we committed to providing those things? Yes. Are we making progress? Yes. But are we anywhere near done? No."
Analyst O'Grady said he'd give Microsoft "improved marks." "But are they where they need to be? No, they are not. The numbers indicate that they are at least taking it seriously."
CNET News.com's Mike Ricciuti contributed to this report.
Oh - I thought you said "at that point where we can throw it away and forget about it."
What a well worded articulation - almost Greenspan-ish, in the sense that it looks like he is saying something, but you can never hold him to "whatever he is saying." And I think this quote summarises the whole article well.
It is the 80:20 rule, or in Microsoft's case the 40:60 rule. In the first year you move 40% of the distance towards the Security Goal-Post. So, "Customers are better off today than they were a year ago." In the next year you move another 40% towards the goal. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...
Now if the Security Goal-Post moves and you find yourself heading in the wrong direction, as it always does in real life, you can frame your message as follows. You are now 60% away from the old place. So, "Customers are better off today than they were a year ago." In the next year you move another 60% away from the old place. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...
So,
And how can you be wrong when you say it the way it is said. What a well worded articulation.
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
- Tell the Air Force to secure a building, and they'll lock the doors and windows.
- tell the Army to secure the same building, and they'll post and roam guards.
- Tell the Marines to secure it, and they'll run in shooting and kill all the AF and USA guys.
Where does MS fall on that scale?
Put identity in the browser.
People complain that MS hasn't lived up to their promises, but was anyone really expecting all products to automagically become secure? The initiative has to be consistent from the design table to customer installation, meaning the product base has to be renewed from the bottom up before there's a chance of delivering "Trustworthy Computing". Patching current products can only get you so far.
What do you mean incomplete on the report card? I thought it was incomplete everywhere.
SEMESTER 2, 2003
COURSE                  CREDITS  SCORE  GRADE
PRODUCTIVITY 101        3 HRS     80%   C
ECONOMICS 307           3 HRS    100%   A
CREATIVITY 92           3 HRS     67%   D
GOV'T STUDIES 203       3 HRS    100%   A
COSC 507 ADVANCED       3 HRS     78%   C
MONO 302                3 HRS    100%   A
BORE 405                3 HRS    100%   A
THFT 305                3 HRS    100%   A
LIES 205                3 HRS    100%   A
SCUR 101                3 HRS     20%   F
MONO 400                3 HRS    100%   A
CONV 101                3 HRS     10%   F
HID 205                 3 HRS     70%   C
OVERALL AVG.                      78%   C
This explains why mediocre rules the market.
I'm sorry, but after such large-scale security issues like Blaster and Klez, I don't think it's appropriate to give them any sort of improved marks. Sure, the patch might have been out.. But security is also about education.
[sig]www.masterslate.org[/sig]
Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.
Microsoft BS7799 certified?
It says here, Mr Gates, that you released 32 security advisories and 21 vulnerability fixes for Windoze 2000 Server in the first six months, yet for Windoze 2003 Server you released 14 flaw fixes and 6 critical issues...
Would this be because W2K3 server is based on Windoze XP code and that the majority of bugs had been ironed out already in the months between the releases?
hmmmm....
I've never shoed a horse, but I once told a donkey to piss off!
1. Don't open emails unless you are certain it is from a trusted source.
That's the big problem here. When your email client, by default, displays HTML and executes macros and scripts, you're extra vulnerable. Even if it's from your pal Bob that you've known for 40 years, his computer may have been owned by a worm and just emailed all his friends seeking to propagate. You say 'hey it's from Bob, I trust him' and open it. Boom, you're owned too, and may never know it.
Bad design is bad design, there's no two ways about it.
Outlook 2003 does none of those things by default. MS has learned.
that they've discovered their security problem is much bigger than they thought it was.
Sure they've progressed in terms of there being more known security holes fixed now than there were 1-2 years back, but there are also far more security holes that have been identified, and at (seemingly) a much faster rate than 1-2 years ago.
In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.
If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.
Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.
Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.
O'Grady, agrees that he would give Microsoft 'improved marks,'
Have to agree there. Two years ago, it would have been a solid F (us) or 6 (de). Today it's an E (us) or 5 (de).
Assorted stuff I do sometimes: Lemuria.org
There were so many incomplete sentences in the C/Net article that I was shocked. This a 'News' outlet?
Shaddup
Below expectation. Needs to try harder
It's an oxymoron.
Seriously though, it's good to see that Windows 98 support has been extended. I shudder to think how many compromised Windows 98 systems there are out there now, let alone imagine how many there would be in 6-12 months time once vulnerabilities that hadn't been patched before support was dropped began to be exploited in earnest.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Complaints from someone who hasn't mastered the paragraph?
instead of MAJOR CRAP!
At least at the institution of higher learning I attend, an Incomplete is not immediately counted into either total credits or GPA. The student must complete the course by either 1) finishing up the necessary work, or 2) retaking the course at the soonest possible semester (excluding summer semesters). The choice of the two is up to the professor. The Incomplete is replaced by the grade earned by 1) or 2).
You forgot some things for good security.
1. Don't run most programs.
2. Watch out for chat files sent to you.
3. Don't fall for email spams.
4. Don't send out bank account info to web sites received by email.
5. Don't go to Nigeria.
6. Cut the network connection.
7. Reboot and reboot often.
8. Save and save often.
9. Don't let teens administer the family computer.
WhatMeWorry!
Seems like there are three possible sentences that could have been used:
1. Customers are better off today than they were a year ago
2. Customers are no better off today than they were a year ago
3. Customers were better off a year ago
If things have improved (as the article explains), then #1 seems appropriate. Even Freud said, sometimes a banana is just a banana.
"Getting there, must try harder and must stop looking up girls skirts." Of course I don't think Microsoft does that and I finally kicked the habit last week :)
rus
Kevin Kean, a group manager at Microsoft's Security Response Center
Did Commander Keen grow up to be a Microsoftie? That would explain a few things...
Although Microsoft is known for its security problems, the individual Microsoft programmer is a good one. Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.
Where does MS fall on that scale?
They'll move the building to an entirely different location, that they will call by a "hi-tech" acronym, and change the design without letting anyone see the blueprints. The new delivery bay will be the wrong size for current trucks. They will set about making all vehicle plants change to the new size trucks and will tell everyone the new trucks are better as they can't interact with old "insecure" buildings.
People will continue to break into the building by using the huge number of gaps left in the walls where Microsoft assumed no one would look. Microsoft will claim these gaps were left for ventilation and that it is exactly the sort of thing the market wants built in by default.
Once people work out what the new building's delivery bay looks like Microsoft will alter its width by 10cm and force everyone to buy vehicle upgrades (scratch resistant paint, wing mirrors closer to the vehicle body, etc).
Eventually they'll be forced to move the building again...
For an indication of just how seriously Microsoft is taking security, rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chunk of javascript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users into disclosing sensitive info). Microsoft also suggests viewing email as text-only... effectively reading all the html source, and changing to the high security profile (turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.
All because they couldn't fix this simple problem quickly.
Yeah, that's taking security seriously!
PJRC: Electronic Projects, 8051 Microcontroller Tools
because really, who cares?
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Umm, how about switching to a more secure OS so you don't have to put up with all that BS.
.net crap >:[
In the past 3 years I have only used Linux at home. Never had to worry about viruses, nor spam (yeah, that's right, I averaged 2-3 pieces a year), nor spyware (spam maker), nor adware (spam maker), nor web browsing issues (IE security flaws). Now I spend more time cleaning up all this crap than anything because I have to have a winblows box at home so I can do
Granted I kept the system patched, and used the built-in firewall (switched no to yes, how hard is that? Thanks to SuSE for the easy prebuilt firewall). But at least I never had to reinstall my entire OS because a Windows update failed (which just happened to my brother yesterday, and I have seen it several other times, too!)
So, no, it is not just about educating users, it is about making a more secure system! Windows is crap; when will the world realize this? (I'm not saying Linux is the best, just better... every OS has its problems, but Windows just has the most... by far)
I wonder if their original plan was to extend Win98 support anyway, for "positive PR".
Seems that MS is trying to undertake PR in a very SCO-like fashion lately.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I am reading a lot of MS-bashing here. But let's take a look at some facts here:
/. crowds--me included--can be an arrogant and blinded bunch. Sure, we can sit around bashing MS and fool ourselves on how insecure Windows is, but that doesn't accomplish anything. MS is catching up /fast/; that's fact. If we remain complacent, we can fall behind sooner than you think.
Consider a pretty standard setup--the OS, plus ftpd and httpd--here's the count of errata advisories between M$ Win2k Server and RedHat 9:
Microsoft: 1, for the botched FrontPage Extension patch released in November.
RedHat: 4, for the following:
1. Dec 2nd: Updated 2.4 kernel fixes privilege escalation security vulnerability RHSA-2003:392-05
2. Dec 16th: Updated lftp packages fix security vulnerability RHSA-2003:403-07
3. Dec 17th: Updated httpd packages fix Apache security vulnerabilities RHSA-2003:320-09
4. Dec 24th: Updated 2.4 kernel fixes various bugs RHBA-2003:394-08
Not to mention I will need to think about what to do when RH9 becomes EOL in April.
Interesting.
I am by no means pro-MS here. If I had my way it'd be all qmail and publicfile. In fact, I don't have the balls to put my company's Exchange server directly on the 'net; I put it behind a RedHat box running perdition, and have qmail as the MX, behind an IOS IDS/FW.
Trust needs to be earned, and MS is slowly earning mine in the security front. I don't trust MS software enough to stick them directly on the Internet yet, but they did earn my trust to let Windows Update automatically sort things out: Not a glitch in the last 18 months.
The fact of the matter is, with a little clue as an admin, Windows can be made pretty secure. Being clueless, Linux can be made into a big wad of swiss cheese.
We Linux and
Now that you have the facts... Go ahead, mod me down.
Security at MS is a marketing thing, not a cultural thing. They're putting a lot of effort into patching Windows (because they want the world's data centres to start running it and .NET so that their future is a bit safer), but they're putting very little effort into other products - for instance IE's most recent phishing bug, which prevents it displaying anything after a "%01" in the address bar (a gift for spammers after your credit card details everywhere), was picked up well over a month ago and yet no patch exists. And don't get me started on its awful SSL implementation. IE is a good example of a relatively small product that needs re-writing from the ground up and has done ever since it was first cobbled together several versions ago. MS hasn't done anything to it, and won't, because it loses money for them anyway. They might sort out Windows with Longhaul or whatever it's called, but my guess is that they won't. With a bit of luck it will be too late for them by then anyway and Penguins will rule the world.
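The IE address-bar bug described in the earlier post (manually type URLs, run a javascript snippet to see where you really are) and the "%01" phishing bug mentioned in the post above are the same URL trick: a trusted-looking name placed in the userinfo part before "@", with an encoded control character so the real host after it never shows. As an added example (not code from the thread, Microsoft or CNET), here is a small checker a defender could run over the links in an e-mail to report the host the browser would actually contact and why a link looks suspicious. Function names and the sample domains are constructed for this example.

```javascript
// Added example: defensive URL checker for the userinfo/%01 address-bar
// spoofing trick discussed in the thread. Not from the original posts.

function analyzeLink(raw) {
  // scheme "://" authority [path ? query # fragment]
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([\s\S]*)$/i.exec(String(raw).trim());
  if (!m) {
    return { ok: false, reason: "not an absolute URL" };
  }
  const scheme = m[1].toLowerCase();
  const authority = m[2];

  // Per RFC 3986 the userinfo ends at the *last* "@" in the authority;
  // everything after it is the host the browser really connects to.
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hostport = at >= 0 ? authority.slice(at + 1) : authority;
  const host = hostport.replace(/:\d*$/, "").toLowerCase();

  const indicators = [];
  if (userinfo !== null) {
    indicators.push("userinfo before @");
    // A percent-encoded control character (%00-%1F) in the userinfo is the
    // hallmark of the address-bar truncation trick.
    if (/%[01][0-9a-f]/i.test(userinfo)) {
      indicators.push("encoded control character in userinfo");
    }
    // Userinfo shaped like a hostname is there to be read as the site name.
    if (/^[a-z0-9.-]+\.[a-z]{2,}/i.test(userinfo)) {
      indicators.push("userinfo looks like a hostname");
    }
  }

  return {
    ok: true,
    scheme,
    host,                 // the host that will actually be contacted
    userinfo,
    // What an affected address bar would have shown: the userinfo up to
    // the first encoded control character (or the host, if no userinfo).
    shownBeforeCutoff: userinfo === null ? host : userinfo.split(/%[01][0-9a-f]/i)[0],
    indicators,
    suspicious: indicators.length > 0,
  };
}

// Scan a block of text (e.g. an e-mail body viewed as plain text) for
// absolute URLs and return the analysis of each one that looks suspicious.
function suspiciousLinks(text) {
  const found = text.match(/\b[a-z][a-z0-9+.-]*:\/\/[^\s<>"']+/gi) || [];
  return found.map(analyzeLink).filter((r) => r.ok && r.suspicious);
}

// Constructed sample mail: one plain link and one using the userinfo trick.
const SAMPLE_MAIL = [
  "Please verify your account at https://www.example.com/account",
  "or use this link: http://www.example.com%01@attacker.example/login",
].join("\n");

for (const hit of suspiciousLinks(SAMPLE_MAIL)) {
  console.log(`real host: ${hit.host}; shown as: ${hit.shownBeforeCutoff}; ` +
              `indicators: ${hit.indicators.join(", ")}`);
}
```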
Total troll.
It's official. Most of you are morons.
An incomplete after a while becomes an F at most colleges....and since it's been going on for more than two years.
You can find more information about the "Trustworthy Computing" initiative on this site. Quite cool that it still exists, actually. :-)
Learn to format your /. posts and they'll learn to appease ultra-grammar-freaks like yourself.
"We invented personal computing." - Bill Gates
Okay troll, I'll bite.
First of all, Mac isn't the solution. OS X is quite expensive and doesn't run on the relatively inexpensive PC hardware.
Microsoft doesn't make money on the fixes. Remember, Windows Update is free. You get the fixes for free.
Windows is simple and easy to use, but also runs on the inexpensive PC hardware.
Umm, how about switching to a more secure OS so you don't have to put up with all that BS.
.net crap
Your choice of OS doesn't make your system secure. What makes a system secure is a user that has a clue.
In the past 3 years I have only used Linux at home. Never had to worry about viruses, nor spam (yeah, that's right, I averaged 2-3 pieces a year), nor spyware (spam maker), nor adware (spam maker), nor web browsing issues (IE security flaws). Now I spend more time cleaning up all this crap than anything because I have to have a winblows box at home so I can do
Like you, I've not had a virus in countless years. I don't get spam, my system has no spyware, or adware or web browsing issues (Firebird rules!), and I run a Windows box (prerequisite of being a Windows sysadmin). Had I been an uneducated user, I'm sure I would have fallen foul of most (if not all) of the issues you have listed.
But at least I never had to reinstall my entire OS because a Windows update failed (which just happened to my brother yesterday, and I have seen it several other times, too!)
There are approximately 3000 Windows PCs on the university network that I admin, and I don't see the Windows Update issues that you see. Occasionally a patch will fail, but if you know what you're doing it is quite simple to fix without having to resort to a complete re-install. Reinstalls are for failed disks and compromised machines.
So, no, it is not just about educating users, it is about making a more secure system!
But who makes the system secure? Why _educated_ users do. - If a user is clueless, the odds are that they will be compromised, regardless of what OS they choose.
Windows is crap; when will the world realize this?
I'm beginning to think you are a troll.
let's go further, with a geeks help. others feel free to add on.
1. Don't use Outlook or Outlook Express, I don't care what your reasons are. Don't do it.
2. Use Mozilla 99.9% of the time. Fall back to IE only for sites that absolutely need it. In Mozilla disallow window/image/statusbar manipulation by the browser, as well as suppressing popups.
3. Run Spybot Search & Destroy, inoculate your machine. Run a Spybot hosts file.
4. Run AV, something other than Norton; they are the number one target now, as far as anti-anti-virus software is concerned.
5. Home users with a single computer should disable workstation and server service. Many other services are excellent candidates as well.
6. Ditch MSN Messenger (and popups) and go with GAIM if you have simple messaging needs.
7. Check your startup programs once every few weeks...i.e. start>>>run>>>msconfig
8. A repeat of parent's #4, but I think the XP firewall is tripe; make it a "must do" and get a Linksys-type firewall device, stopping the constant hammering a little upstream.
Most average users don't know about these options, it's up to us geeks, to show them.
many home users don't really give a stuff if their machine is taking part in a DDoS attack
That's rather unfair - the vast majority of home users don't know what a DDoS attack is, and wouldn't know how to tell that their machine is involved in one.
It's official. Most of you are morons.
Delaying OSS development via lawsuits and :-) other means (babes@personal.osdn) is likely to increase the national security
Yours In Jesus,
Bribe Doors
Yeah, it's sad but you'll get over it...
I was able to implement DHCP-updated DNS entries with BIND 8, several years back. It wasn't as EASY as it is with BIND9 (and possibly DJB. I don't use it) but the capability was definitely there.
The first rule of MCP club is you do not talk about MCP club.
Now go set up franchises all over the country.
>Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.
Apple has some good programmers
Apple management has a GUI focus
Still Apple doesn't make conceptual security flaws like requiring root privilege for any user to perform even the most basic tasks.
--
Every program has two purposes -- one for which it was written and another for which it wasn't.
Thanks. As I said, "I'll try..."
Put identity in the browser.
4. Use the firewall built into XP, or install one of the many free (for personal use) 3rd party firewalls, or even better look for an ISP that firewalls sensitive ports for you.
Or, Microsoft could just turn off the services by default.
But let's get realistic, Microsoft doesn't really have an interest in security, in fact I'd argue they prefer to keep their OS from being "too secure" on purpose.
Social scientists are inspired by theories; scientists are humbled by facts.
cp is rock solid for me -- it just doesn't do much more than copy... As we add features and systems become more powerful, problems will come up regardless of the vendor.
The question isn't one of whether or not there are problems, the question is how they are dealt with, and *that* is where the focus should be for a report card like this.
dmiessler.com -- grep understanding knowledge
I completely agree. Why is it that people just inherently hate Microsoft so much? (aside from the zealots) It's a decent OS, I wouldn't say it was the best by far, but it helped bring personal computers into everyone's home. Although one can argue how much good that did us. I guess without it I wouldn't be in the position I am today... but I digress.
95% of the people I support, all of whom use Windows (mention Linux and they think you are talking about a prescription drug for cholesterol), don't even know that Windows Update exists. I ask if they have anti-virus installed. Yes, they answer, meaning they have an extremely out of date version of McAfee waiting to be initialized, never actually installed or updated. If they go to a website that has some fun new screen saver program or little cartoon for their systray, they think it's fun and download it. They don't know that could hurt their system. If a dialog box pops up, they click yes, no matter what it says. They don't know better.
The operating system can only do so much. Sure MS releases their software with security holes; at least they offer patches. It's the responsibility of the user to take care of their system. If you don't patch and take care of your OS, you'll be taken advantage of.
"Wisdom is not a product of schooling but of the life-long attempt to acquire it." -Albert Einstein
You don't see critical updates for OpenOffice, do you?
looks that way.
we haven't bought any virotic BugWear(tm) in years, but some of our customers are still hostages of the felonious kingdumb, & spend A LOT (time/money) trying to keep the infactdead softwar gangsters' bogus spyware kode working. seems like a fool's errand that never ends?
we give them a F for still FUDged.
I second that. Many people tout Linux's security, but many of the distros allow you to choose to not have a root password during install and they have ssh on by default.
Your security is only as good as your latest patches. People believe that linux security is better, but you have a much higher user knowledge level on your average linux box than your average windows box.
slashdot, news for crazed liberal socialist zealots
Microsoft Security. What's it all about? Is it good, or is it whack?
I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.
Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).
The way I see it, the argument that programs "need not be fast" is saying that most things we do with our computers (web browsing, listening to music, writing email and word processing) aren't terribly processor intensive. The bottlenecks are usually storage speed and user response. Even the newest and greatest DDR3000 memory can't send data anywhere nearly as fast as a 500mhz PIII can execute it. Same thing with hard drives and network. It's also true that most user interaction is the slowest part of most operations. If you're typing in MS Word (or OpenOffice.org ;), your processor is sitting there going "OK, type another letter!" about 2 billion times a second.
That said, our requirements (I assume you're with me, cause you're compiling stuff...) are a little different than the average user. I manage to hit 100% CPU utilization pretty regularly due to compiling, POV-Ray, starting Mozilla, etc.
Just the fact that it doesn't have to be fast doesn't mean it can't be, but I figure the less time the developers spend making Windows 0.0000001 second faster at popping up the start menu the more time they spend fixing bugs and security holes.
Karma: Contrapositive
RedHat taking action to fix bugs in short order, while Microsoft drags their feet and doesn't even fix some holes deemed "low-risk." I'll take the OS from the company which has shown the commitment to supporting their customers over the one from the company that *says* they will.
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
What the hell? Not far to go?!?!?!?!?!?! Who the fuck is paying the morons at C|Net to lie about this shit? MS got hit with more worms last year alone than it ever has. So, how is it now more secure???? C|Net is a bunch of MS whores!
All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.
Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.
If the same manpower and effort was dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share) I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.
We're not going to hold a software company responsible for selling a product that risks the data on your system by leaving itself vulnerable to normal user actions? What next, advisories that you shouldn't drive north because cold weather might make the wheels fall off your car at speeds in excess of 40 mph?
If I surf to a site, or open a random attachment in a viewer, and my system dies as a result, that software is defective by design. Any company that tells me I can't do either of these things with their products is admitting that they are knowingly selling defective software.
Really, though, it's the users who shell out significant coin buying products that are known to be defective that need to change. If users won't hold a vendor accountable for their miserably defective garbage by not buying it, I guess the user community deserves all the pain that bad decisions cause. At least they could be rephrasing their complaints as "I bought a piece of crap and it exploded when I used it. I made a stupid decision." rather than "I surfed this site and my PC blew up. Bad site! Bad, bad site!"
Also, last fall a few more former security companies knuckled under and now no longer engage in disclosure. Without some semblance of public disclosure, there is no way for sysadmins to verify that their systems are/aren't vulnerable or to verify if the patch worked or not. Talk about putting one's head in the sand.
The problems from that company are as severe as before, perhaps worse. For those still stuck with that company's products, 2004 will be a hard year, especially if its customers run afoul of privacy and other regulations as a result of the product.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I too use a windows desktop at home, and I too have rarely become infected - and the two times it happened it was entirely my fault (once before I started worrying about keeping my machine on dialup patched, the other when I stupidly rebooted on a machine still plugged into the network fresh from a new install - took code red all of ten seconds to find me all over again).
Anyway, I use Mozilla too, and I use proxomitron, and I use an IPCop firewall - and my system has STILL been intruded upon (right before the most recent SSL flaw was made public) even with "Zone alarm" running on the windows box that was attacked. In fact, the first thing the intruder did was disable ZA and all my system logging.
XP with the XP firewall is still XP. No OS is absolutely secure, but there's simply no way I would connect a personal windows workstation directly to the internet any more. Out of necessity I'll allow my laptop to swim in that ocean, but I make sure there's NO personal info on that and I purposefully keep the HD small and the partition empty as possible so as to make for quick image reinstalls.
User education would go a loooooong way to fixing this problem. But I argue that the Windows PC system itself is flawed in regard to home computing: rather than put up "safety barriers" that can be easily overcome with a modest amount of education, the system is instead set up in "hack me" mode right out of the box. Do I need RPC services to be able to check email and surf the internet? SHOULD I need these services just to be able to do those simple things? No - then why is it enabled by default?
The list goes on from there, of course, but I do think you get the point. Giving administrative privileges to every executable on the desktop of an admin who knows nothing at all about computers is an exercise in insanity. XP comes configured to make user accounts easy to create and use - but do they even bother to educate the user on WHY these should be used? Of course not - MS is not going to tell the user their machine is vulnerable out of the box! That would be like Ford including instructions in the owner's manual on "what to do when the steering wheel stops working" or "what to do when the brakes fail."
I think that would be an "F".
You'd think if they were truly serious M$ would root out and correct these as the #1 security priority....
But what do I know, I'm just a coward...
Well OK, I guess it's probably Red Hat. But I haven't been "scrambling" at all, and I don't think the difference really comes down to me using Debian instead (in the long run).
You can't compare total number of security advisories between Red Hat and Microsoft and get any kind of reasonable data. Microsoft sells an operating system and a few applications, several of which are integrated into said operating system. Red Hat sells an operating system and hundreds of applications. All but the most basic, core tools are installed because you decided they should be. Most of the Debian Security Advisories that hit BUGTRAQ don't apply to any of my machines. With Microsoft, nearly all of the advisories that hit BUGTRAQ apply to my machines (with the exception of IIS and SQL Server, but gee! if I want to use SUS, I'll need IIS too, because we MUST use a full Web browser/server for software updates! Oh, and that's OUR Web browser and server, thanks.)
Don't use Media Player, Outlook Express, or Internet Explorer? Sorry, but we've decided that it's really important that your machines have all of those, including your servers. I don't have to install Mozilla and MPlayer on my Linux servers. I just install what I need. MS has added support for partial "uninstallation" of some software, but it seems to get put back after certain updates, and you can't get rid of IE.
I don't need the pretty point-and-drool GUIs on my servers, and Linux gives me that choice. I choose to install less software and be more secure. Microsoft doesn't offer choice, and doesn't want choices to be offered. That's the difference, and I don't think it's going to change any time soon. All of the security initiatives in the world won't change their corporate culture.
WMBC freeform/independent online radio.
Of course Ballmer's upset, even late comers like HP are raking in sums like $2.5bn on Linux. That's not even counting the extra productivity from having a more secure design.
Even the regular employees know the gig is up and more than half have cashed in their options, even Uncle Fester himself cashed in. I'm sure the fact that the options come out of your U.S. taxes (in the form of a write off) has something to do with the accounting as well.
Parmalat, Enron, Worldcom, Microsoft.
Look to the past to see the future: when radio first began it was completely unregulated because no one knew exactly how it even worked. Even after radio receivers had become affordable enough to enter "middle class" homes radio was still largely unregulated - until it came to the point you had neighboring transmitter stations engaging in kilowatt battles for the same frequency space because "that's where people were listening." The bands became increasingly crowded because ANYONE could rig up a transmitter and have at it.
What you and I have come to expect from the PC has been shaped by our participation in the "invention" of it. But a vast majority of users - even users who witnessed that invention process - have no ethical relationship to that community. They no more expect to have to defend their personal computers from attack in their own homes than they expect to have to defend themselves from personal attack in that same space. Even when it comes to "attack" from communications mediums like TV and radio and telephones.
THAT'S why the modern PC is still not what it needs to be. not for grandma who just wants to check her email and surf the net. If grandma wants to play games there's nothing at all wrong with being able to download free games from a website - but there absolutely SHOULD be mechanisms in place to prevent grandma's computer from requiring a repairman's attention simply because the game didn't "like" her computer. Yes, it would take a lot of clock cycles to have this kind of protection. And yes, it would impact performance. But clock cycles are ever increasingly cheap, and there's nothing to prevent grandma from learning HOW that box works and then delving deeper.
The solution IS technological. the internet is not "broken" but it still needs a way to be "fixed" at least as perceived by the majority of inexperienced home users. And it better come quick, because the lawyers and lobbyists are lining up their constituents.
You should not have to know how to build a radio just to be able to listen to music. And you should not have to know how to "install a program" and "configure user identities" just to be able to surf public spaces, correspond via email and chat, play games and watch movies and listen to music without being accosted or verbally abused in your own home.
If we don't fix it, the politicians will... or they'll bleed us to death trying.
Many of the problems have been embedded in their corporate culture from Day 1. It's gonna take a long time to train *everybody* to think first about how some new whizzy feature might work against the security of the system as a whole, especially in a place where (apparently) whizzy features are the medium of exchange, and the more you can coin the richer you are.
Your choice of OS doesn't make your system secure. What makes a system secure is a user that has a clue.
Not ALL security risks are PIBKAC (Problem Is Between Keyboard And Chair).. I'd say stamping out the remaining ones is what secure software is all about..
Like you, I've not had a Virus in countless years. I don't get spam, My system has no spyware, or adware or web browsing issues (Firebird rules!)
So you attribute your system security in part to software? How queer.. You should be able to use Microsoft Internet Explorer in a "clueful" manner and it would never have any security issues, right?
The OP is right in one thing; he doesn't have to worry about a lot of things. Personally, I'm worried about things like COM listening to every damn IP on the planet instead of localhost or 192.168.0.0/24. That means I have to run a firewall.. I worry about spyware; used to be you could stick to the trusted download sites like tucows and download stuff you knew didn't contain crap (in the day, viruses). Now I'm not so sure any more, after I got my system infected from a "trusted" download.. (And yeah, occasionally you use a computer with, shock, horror, new software..)
I worry about my mom's computer even more. I needn't fret as much if she were on a more secure and/or less targeted system.
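The complaint above about a service "listening to every damn IP on the planet instead of localhost or 192.168.0.0/24", and the earlier post about installing less software to expose less, both come down to one check: which listeners are bound to all interfaces rather than to loopback or the LAN. The script below is an added example and is not code from this thread; it parses constructed `netstat -an`-style lines (the sample output, ports and networks are made up) and flags every listener whose bind address is the wildcard or lies outside an allow-list of networks, which is what a defender wants to know before deciding whether a host firewall is the only thing standing in front of a service.

```python
"""Audit listening sockets for bindings outside an allowed set of networks.

Added example, not from the thread. The netstat text and the allow-list
below are constructed for the demonstration.
"""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample resembling `netstat -an` output (Windows-style columns).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
TCP    192.168.0.10:22        0.0.0.0:0              LISTENING
TCP    [::]:445               [::]:0                 LISTENING
UDP    0.0.0.0:137            *:*
"""

# Networks a listener may bind to without being reported (constructed policy).
ALLOWED_NETS = ["127.0.0.0/8", "::1/128", "192.168.0.0/24"]


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# proto, local endpoint, foreign endpoint, optional state column
_LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+\S+(?:\s+(\S+))?\s*$", re.I)


def _split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return every local endpoint that is accepting connections/datagrams."""
    found = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        proto, local, state = m.group(1).upper(), m.group(2), m.group(3)
        # TCP sockets only count when in the listening state; UDP has no state.
        if proto == "TCP" and (state or "").upper() not in ("LISTENING", "LISTEN"):
            continue
        host, port = _split_endpoint(local)
        found.append(Listener(proto, host, port))
    return found


def audit(listeners: List[Listener], allowed: List[str]) -> List[Listener]:
    """Return listeners bound to the wildcard address or outside `allowed`."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    flagged = []
    for lsn in listeners:
        ip = ipaddress.ip_address(lsn.addr)
        # 0.0.0.0 / :: means every interface, including the public one.
        # Version mismatch (v6 address vs v4 network) simply tests False.
        if ip.is_unspecified or not any(ip in net for net in nets):
            flagged.append(lsn)
    return flagged


if __name__ == "__main__":
    for lsn in audit(parse_listeners(SAMPLE_NETSTAT), ALLOWED_NETS):
        print(f"{lsn.proto} port {lsn.port} bound to {lsn.addr}: reachable beyond localhost/LAN")
```

On a real box you would feed it the output of `netstat -an` (or `ss -lnt` on Linux, whose column layout differs and would need its own regex); the point is that anything it prints is a service you are relying on a firewall, and nothing else, to protect.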
Try educating your mom. Or even better, mine. There's a limit to what miracles you can perform, trust me.
SCO employee? Check out the bounty
They liken securing their code to NASA's 10 years to get to the moon...
So that must mean it will take Open Sorcerors 20 to 30 years to make secure code because the Open Sorceror model is "ALL WRONG"...
Can I make you some sandwiches?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
As someone else already pointed out, lftp is a client. That aside, I almost never run FTP on any of my servers. SCP clients are freely available for any operating system I can imagine someone using as a desktop. Perhaps there is a need for you to run anonymous FTP, but in that case you can select a secure product like publicfile.
Also, you can't have a Microsoft server with just an HTTP and FTP server. You must have a full GUI and fully featured Web browser with a _terrible_ security history in order to get security updates. You simply can't strip out features you don't need to the degree you can in Linux.
Why is it an important feature for _servers_ to be able to be set up with "a minimum amount of clue"? Aren't there hundreds of unemployed IT folks out there? Your company should at least be able to bring in a consultant to do the initial setup and show someone how to maintain it. You don't have Bob from accounting install the real-world security system. Why are computers supposed to be different?
Yes, Microsoft is getting better. But the diagnostic tools for figuring out why something is going wrong suck (though third parties help out here as much as they can). They still have EULAs for security updates, and their service packs don't offer an option to install all the security updates without the new "features". They still want to be the ones in control of the computer, and that's not what I want. Pivx have proven via their QwikFix tool that the default settings could certainly be locked down tighter while having no effect on most people (Windows admins: check this tool out. It would have stopped Blaster even on unpatched machines.)
As for RH9 making an early trip to the gulag, I've heard that Progeny will be offering support for some Red Hat versions. This also illustrates that commercial Linux distributions are vulnerable to the some of the same hazards as commercial proprietary software. The difference is that if you were REALLY inclined, you could create your own updates for Red Hat 9, which is why companies like Progeny can do it too. Or with something like Debian's apt-get source -b [package], you could keep even an unsupported version of the OS going. And yes, for the people who still need it, the 2.0 kernel is still having new releases. As it is in many other areas, the difference is the availability of choices.
I'd like to see 90% of end-users using Linux and then see how secure it actually is... Note that these 90% will do _every_ possible stupid thing which will compromise security. Similarly, all the script kiddies, virus writers etc. would know that there is this huge bunch of potentially stupid guys (who do not know anything about security) using Linux. Now that would be a good security test (remember that many of these guys would also be admins by themselves...) for Linux (actually it would simply prove that Linux could not be used by these guys...).
(Total number of infected machines) divided by (Total number of windows machines) = 0.0000000004
A pretty damn good record
I have to ask:
If you think being an MCP sucks (I'm not one, nor do I plan on being one, so I wouldn't know), why did you even bother taking the exam? Was it for employment possibilities? Job requirement? If that's the case - and I'm assuming that you would prefer to do other (perhaps Linux) systems work - why not market that instead? If you're strong in other systems, you're definitely employable.
being .compared to georgewellian fuddite corepirate nazi softwar gangster felons/execrable.
So you attribute your system security in part to software? How queer.. You should be able to use Microsoft Internet Explorer in a "clueful" manner and it would never have any security issues, right?
Well, yes, I guess I do use Internet Explorer in a clueful manner, because I don't actually use it. Mozilla Firebird is my browser of choice.
Come on, this was a bad year, though everybody seems to pretend that nothing happened.
In the span of six months, GNU was hacked twice, and GNOME, Gentoo, and Debian were all breached. And according to Linux's dirty little secret, LinuxSecurity.com, dozens of new holes in OSS software are discovered every week.
Where is the Slashdot article on that?
"Sufferin' succotash."
Your choice of OS doesn't make your system secure. What makes a system secure is a user that has a clue.
To a large extent, yes. But some systems are easier to secure than others.
bignutz@linux [~/work/bin] $ locate .vim|grep syntax|wc -l
345
bignutz@linux [~/work/bin] $
exploits is the key. OSS encourages people to point out their bugs and flaws. Because they care about the product they release to the world. M$ discourages people to mention their shortcomings. The site that listed all the unfixed IE bugs was taken down due to a request from M$. DMCA prevents people from mentioning anything they learn from decompiling programs. (You don't think that stopped them, do you?)
So, it makes sense that M$ has had below average exploits published last year.
you look at the programs that NO ENTERPRISE WANTS TO ADOPT early. windoze 2k didn't gain wide acceptance until 2002 and 2003 server and its cohorts probably won't grab the same market share that 2k has overall, because of its massive security and compatibility issues.
"You never want a serious crisis to go to waste." - Rahm Emanuel
You thought ALL bugs in opensource software would be eliminated? Sorry to sound flip but like are you new to the world of computers and software or something? The point isn't that both Linux and Microsoft software have security problems, that will ALWAYS be the case. The point is with Linux and OSS software security problems are fixed quicker and can't be covered up and ignored like in the commercial world. Shit they have the freaking code to OSS and even according to you the amount of critical bugs was the same as MS's? Is there any more damning evidence against closed source software? I mean if all of the holes are in the open and isn't in a 100 to 1 ratio against OSS doesn't that say a shitload about the quality of OSS software?
Most linux admins I know were not scrambling just as much as MS ones. In fact talk to anybody in the industry and that is just par for the course. Linux admins as a whole enjoy better uptime and less security problems. If you feel differently be assured that you are in fact in the minority.
So No, OSS security Didn't "suck" in 2003 as you Trollishly put it. It sounds like the security practices and linux experience level at your company sure does though.
If you wanna get rich, you know that payback is a bitch
I think a lot of the crap problems that happen on a windows box stem from the fact that just about everyone using xp/2000 at home is running admin privileges.
This is obviously not a good idea, but it's necessary. Games particularly are bad about this, half of them won't run without admin rights. I don't know who to blame for this, microsoft should make it easy to operate as a regular user, not an admin. But software should be written to work with regular users, not just admins.
Yeah, outlook is still shiat. but hey, people want a pink background on their email, there's no way around it. maybe we should send PDFs back and forth. The days of plain text email are long gone, face it.
Imz.
That's not a bug, that's our business plan!
Tell Microsoft to secure a building, and they'll station a PR flack to stand there doing his Information Minister routine.
"This building is the most secure building in the world. The open doors and lack of alarms are a feature, not a problem. Nobody can break into this building. Stop looking at that guy in the stripey jumper with the swag bag! Nothing can break into this building!"
What makes a system secure is a user that has a clue.
That's true! But in order for users to be clued, the OS needs to start informing them. They need to know what's going on in their system. But universally vague error messages; system controls and files scattered all over the OS haphazardly rather than grouped in one location; failure to accurately identify and log net connections, both user-initiated and remote; and other stuff I forgot about -- all contribute to an environment of HIDING INFORMATION from users. This is not security. Has Microsoft improved their attitude? No, I think it's still their mantra.
I am glad that you administrate 3000 Windows PC's at a University, because so have I, although mine were closer to 250 unique PCs for DNA sequencing, hooked up to a lot of odd equipment (of which I was the only admin, but hey it was my first job out of college, and I am admittedly still green with only 3 years experience). My network comprised Solaris, Linux, and Windows. So unlike you, I have a more insightful understanding as to the comparison between OSes. Unfortunately, I am not a Mac user, so I can't include that as a comparison, too. I never had a production system fail due to windows update, but that is why I have a test box, which did fail once due to a piece of software for a microarray machine. But, I fixed it before deploying it (obviously)... but how many home users have a "test box" at home? Come on, now. As a comparison, NONE of the Solaris or Linux updates have EVER failed... and we have just as bizarre equipment and software installed on them as well. Since all of my machines were unique, I could not just reimage them once a month like I am sure you do, and neither do home users.
Here is the run down in my experience:
UNIX: faster to install
Windows: faster to setup
UNIX: less time in post-install maintenance
The main things that kill windows are:
1. its popularity
2. its file structure security permissions
3. multiple files dependent on system files (but I won't get into that here, since that is a another long thread within itself, one which affects several platforms, also)
1. Its popularity make it a greater target for people to do evil things such as insert spyware, et al. I mean like you, I don't have any spyware on my systems, but I am an advanced user that has the appropriate firewall to catch anything I miss, plus I run anti-spyware software and obviously anti-virus. But, see that's just it... with the other OSes I don't have to spend time and company money constantly checking log files of these programs to make sure nothing slipped in. These programs don't have to constantly run in the background eating up resources and the coffers every year for renewals.
What you and many others are saying is not about basic education, it is about *advanced* education. It is not telling someone to take their car in for an oil change every 3000 miles, it is about telling them that they have to change the oil themselves. I am sorry, but if I had to perform all the maintenance on my car myself, there is no way my car would run properly. This, in turn, harms others on the road by jeopardizing their safety, just as a compromised computer jeopardizes my livelihood (by being used as jump points for hackers, and spam, etc.) I am sorry, but the majority of people don't have time to learn every aspect of their computer or vehicle, and shouldn't be expected to, either.
I don't have to be constantly watching over all the *NIX systems every time a weird piece of email comes in either. Why? because it can't harm the system as a whole, just the user's information. Which brings me to point 2:
2. Sure there are trojans and such for *NIX systems too, however due to its secure OS, the most harm that comes of it (from a user POV) is that the user's home directory gets snuffed. And that's what backups are for. You can restore their data. Any malware that the user catches is confined to their home directory, and cannot gain access to the main system files (unpatched systems, for the most part, are excluded - as exploits to this theory exist on every platform). Therefore making viruses, and other malware more contained, and less of a threat to the system as a whole. Windows, however, inherently lets greater access to the system's file structure (which somewhat ties into point 3). If windows had a more secured file structure that contained all malware to the user's directory, then it would make life A LOT easier. But let me ask you this, if a user comes to you and says "I need this software installed to finish my Ph.D., make it so." do you not spend th
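The post's point 2 rests on file permissions: whatever a user runs can only damage what that user may write to, so the system files stay intact as long as nothing outside the home directory is writable by ordinary users and no unexpected setuid binaries exist. The audit below is an added example, not code from the thread or from any of the systems it discusses; it builds a small constructed directory tree in a temp dir with deliberately mixed permissions (all paths and modes are made up) and reports the two things that break that containment on a POSIX system: files writable by everyone, and setuid/setgid executables. It is POSIX-only, since Windows ACLs are not expressed in these mode bits.

```python
"""Find files that let an unprivileged user's malware escape its home directory.

Added example, not from the thread. The sample tree is constructed in a
temporary directory; run it on a real root (e.g. find_risky("/etc")) to
audit an actual system.  POSIX permission bits only.
"""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple


def find_risky(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, reason) for entries that
    undermine containment: world-writable files/dirs (except sticky dirs
    such as /tmp) and setuid/setgid files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on symlinks are not meaningful
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            if not stat.S_ISDIR(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed mini filesystem with one good and one bad example
    of each case; returns the temp root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    dirs = ["bin", "etc", "home/grandma", "tmp"]
    files = {
        "bin/login": 0o4755,            # setuid binary: legitimate on a real box, but must be known
        "etc/passwd": 0o644,            # readable by all, writable by owner only: fine
        "etc/hosts": 0o666,             # world-writable system file: any user's malware can edit it
        "home/grandma/game.exe": 0o755,  # user-owned executable: damage limited to her files
    }
    for d in dirs:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), 0o755)  # explicit so umask cannot change the result
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # sticky world-writable dir is the accepted exception
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, mode)
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, why in find_risky(sample):
            print(f"{rel}: {why}")
    finally:
        cleanup(sample)
```

Only `etc/hosts` (world-writable) and `bin/login` (setuid) are reported; `tmp` is skipped because the sticky bit stops users from touching each other's files there, and `home/grandma/game.exe` is exactly the case the post describes: a user-owned program whose worst outcome is the user's own directory "getting snuffed".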
dude, windows has EASY security updates.
I use Gentoo Linux.. and had my box rooted right out in front of me.
and more often the linux security updates cause the computer not to boot!
(I updated some stuff on Suse with their updater... and blam, my boss was pissed at me, cause he told me NOT to update the boxes, and I was being paranoid about outsiders... but the suse update (kernel update) caused the computer not to boot even!
anyway, my gentoo was rooted, and I've had viruses on my windows... er.. dos on my 286 from a floppy... and from letting other people use my windows with infected floppies...
IMNSHO Linux is more difficult/mystic to keep secure... however it is getting better, and it's free... and I don't have to keep track of stupid serial numbers or pay for it.
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
Why don't we just forget about making windows secure? Indulge me in my imagination -
IMHO, Windows made pretty bad choices as much as it earnestly strives to be a Network OS. I think the networking layer doesn't come up till pretty late in the bootup for one...
But anyway, if that's the case, since processors are getting more powerful, linux is our emblem for stability and security, and emulators are becoming so available, couldn't we just have a linux without GNOME nor KDE, but just run a fullscreen emulator on top of that and serve windows (or any OS) to the current logged in user?
In this way, we can run "baby" SCALED DOWN (yes, not bloated...) single-user OSs for users - and users get to customise their computing experience beyond choosing their favourite WM or desktop manager.
Yes, linux will become pretty invisible/invincible - but for most non un*x users out there, i think they don't really care what's running below.
Ah well, but that's just my imagination. but i think it'd be cool for institutions to have such distros installed, then there wouldn't need to be "unix" labs different from "windows" labs. But I guess we need to wait for machines to be miraculously twice as powerful as software needs them to be for this to be less of an imagination.