Slashdot Mirror
Gates on Winsecurity
xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication',
:-)
I don't know about that.......seeing as how I use OS X, I have yet to experience downtime or hassles due to viruses or worms. Of course there are problems with an increased number of emails from Windows machines containing worms and such, but they are simply filtered out via the spam filter. So this statement from Gates only really applies unless you are using something other than OS X, Linux, IRIX, Solaris, BSD, etc....
Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
Windows is Microsoft's cash cow and from an investor perspective, there may be push from the shareholders.I have sold off most of my Microsoft stock on principle after watching their abuse of the PC market for the last few years, but I still own some and this is not encouraging.
Visit Jonesblog and say hello.
Excuse me, but Intel's ripped off 64-bit system has no sort of NX bit on it. That is the primary difference between AMD and Intel's 64 bit x86 implementation.
What I'm curious about is if this statement from Gates is a forward statement. Does this mean that Intel will adopt the NX bit within the next year or so? Hopefully this will be the case.
I can imagine with this in place, I imagine a lot more of the script kiddies will be doing "Nuke" style attacks rather than full-on hacks. In this case, say if Apache were to have a buffer overrun exploit, the most that would happen is the service would be shut down. Still a pain in the ass for anyone trying to run a web server, but better than running a service that potentially grants access to your machine.
That and worms will hopefully not be so rampant anymore, provided that people stop opening exe email attachments. Don't we wish.
Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
Well, what exactly is the one "must-have" feature in Longhorn that makes it necessary today? Nothing really. A database-driven file system is not necessary. Internet Explorer 7 is not necessary (at least if you have Firefox it isn't). More DRM? Not necessary. What's necessary today are security fixes. And as long as Microsoft keeps patching WinXP, Longhorn is not needed anytime soon.
What is necessary now is SP2. And the sooner they release that, the better.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
telling me what I can and cannot run.
--------
Create a WAP server
Tell gates not to forget about lowering prices. This will help slow the move from Windows to Linux as well.
Price and security both need to be priorities for Microsoft. Both price and security are BIG TIME negative aspects of owning Windows.
Windows Longhorn: We'll release it "When It's Done".
char sig[120] = "\0"
Why does a protected stack need hardware modification ? IANACE, but doesn't OpenBSD do this on standard hardware? As much as I don't like substanceless MS criticism, and as much as I want the status quo's platform to be secure; I really think that actions speak louder than words, and while SP2 is a big step in the right direction, how about: 1. Ditching ActiveX, does anyone actually use this for anything other than malware anymore? 2. Disabling the (Outlook) preview pane by default 3. Higher SSL Verbosity with IE 4. IE URL-bar and statusbar should go into an "extra careful verbose mode" when it encounters hexadecimal encoding ( % ). IMO, these are all obvious things that should have been changed LONG ago, why are they still defaults?
What wasn't said
"....and if anyone makes a workaround for the NX feature to install Linux we will be able to use the DMCA to thwart them."
With Longhorn only coming out in 2006, hopefully Linux will make a huge push over the next couple of years to cement itself as a serious 'business desktop' platform.
Because the fact remains that many businesses will be reluctant to upgrade their existing systems to Longhorn if there isn't some huge productivity increases. Hence Linux can be promoted as the solution for business's existing systems. Dump Windows. Install Linux.
In order for this to happen there needs to be a lot more education to the pointy-haired people of this world. These are the ones that control the purse strings and most of them don't know what Linux is or what benefits it provides over Windows.
Someone/some company needs to take the initiative and educate the non-Slashdot readers about the security issues that Windows currently has and the benefits that Linux provides.
Funtage Factor: Purple
I seem to remember this site used to focus on Linux, with only the occasional Microsoft-bashing article. Nowadays, it's completely the opposite.
I thought this was a site that dealt with computing and technology, what exactly is wrong with this article ?.
I read Gates's comments a few days ago and noted that at no point does he even come close to admitting that every virus, worm, or other exploit that hits Windows is able to do so because Windows own code has made it possible. "Windows security" should be used as a perfect example for a dictionary definition of an oxymoron.
Seriously, with approximately sixty billion dollars in the bank, exactly what prevents M$ from producing a secure OS ?
I really want to disagree with this, but I just can't.
If Microsoft took up another strategy than pure marketing; they could offer alot better of a product, at the same return.
Microsoft basically offers three things:
1.) A decent operating system. Ill get modded down for saying this, but it's an OK system. It isn't wicked l33t for people like us, but it's a decent system for the status quo.
2.) A excellent office suite (sans Outlook). Anyone want to argue that MS office hasn't been top of its class ever since it started dueling with wordperfect?
3.) Free (beer) apps with Windows. Two of which are HORRIBLY ABYSMAL. Most of the "windows security flaws" come from these two apps; and these alone are the cause of 99% of spyware, adware, phishing, and viruses.
MS needs to drop IE and Outlook. Just get rid of them. Let people download Firefox and Thunderbird or whatever.
MS would lose absolutely nothing by dropping IE and Outlook, gain alot of extra time for their coding and R&D teams, and gain a ton of security, by not having these two awfully designed programs ship with an OS that they claim to be trying to improve the security of.
And I suppose that all the people who buy Macs because they're a better solution for their needs are just victims of the reality distortion field, and should be first against the wall in the New Purge. All those scientists who are transitioning to OSX as their research environment are just ignorant.
You, sir, are an asshat.
A properly designed system is not harmful to other properly designed systems. Windows is not properly designed. OSX (and BSD and arguably Linux) are properly designed.
Why yes, I AM a rocket scientist!
I KNOW how to spend all day trying to configure various things and optimize them for security and use. However, sometimes, I don't feel like reading through piles of security docs just to make sure I can feel safe plugging my computer into a cable line. It's nice to have things just work, and work securely, right out of the box. Apple, however, has provided an operating system whereby I can spend endless hours tinkering with settings, in both a CLI and GUI environment; but by no means do I have to do this in order to get my computer working securely. The best thing you can do for a clueless user who just wants to check e-mail is get them an eMac or iMac. No fancy cables to plug in, no massive suite of security software to install -- just turn on OS X's firewall (built on that rock solid BSD standard ipfw), set up mail.app for their e-mail and get Safari or Mozilla Firebird to start blocking popups. Instantly, they're secured against anything except a direct, targeted attack against their computer. Worms, trojans, spyware... not a problem.
IAALS.
a) Hardware will become nearly free and
b) If Microsoft security becomes hardware-based, it may even work!
Now, seriously, I'm your average M$-basher and could take this opportunity to make some mocking remarks.
But, you know what?
I find it sad when some software monopoly says things like "our systems are not engineered for security" and "our security will improve because we will resort to hardware" -- while still keeping a 95% desktop share.
*sigh*
I disagree, and, as opposed to modding you down, I will reply. I'm an intelligent, well-versed, apple user. I've been working with x86-based machines seriously since I was in 7th grade. I'm now about to graduate high school. Last year, I ""switched", as it were. I went out and found myself an old tibook. It's a good, solid, stable machine. I run linux and many versions of windows via work or at school. However, I like to come home to my Mac. Why? It just works. I putz around with pcs all the time, I am paid to do simple repairs and upgrades. Pcs are a hassle, and I spend a lot of my time working on them. I don't have to fool with my mac. It does exactly what I want, it's rock-steady, it's unix (I know this!), and most of all; It's pretty! Not all mac users are net-incompetent. Very few that I've met, in fact, are. That is a false assumption.
Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants".
Ah, but they are also used by the most advanced computer users out there. Those that use them for a variety of fields in science from quantum chemistry to astrophysics, medicine and computer science. Pretty impressive that.
This is a dangerous mindset to encourage. Their computers are set up to do everything for you, to treat the user with a kind of benevolent contempt.
What is a dangerous mindset? Allowing people to be connected? Allowing them access to information? What are you going to say next......That people should not be able to vote for whom they want?
As to doing things for you, yeah, when I want to plug in a hard drive, it is automatically mounted and I don't have to type in the CLI two or three lines of commands to get it mounted and shared. There are many other examples of this and why you perceive this as benevolent contempt completely escapes me.
Some recent pricing of upgrades illustrates the kind of attitude Apple has to its customers.
This leap of logic is confusing. And what recent pricing are you referring to? Can they not expect to make a profit on their investment? Be thankful Microsoft has some minor competition, or else you might be paying more than you might think.
Visit Jonesblog and say hello.
About freaking time. IBM's mainframe and midrange server architectures have been doing this for years. In OS/400, for example, the only things the processor will execute are program objects. Memory blocks marked as data cannot be executed, even in the event of a buffer overflow. The OS and hardware work together to ensure this.
MS will continue to talk about Longhorn to ensure nobody else can grab mindshare. I swear Longhorn stories are on sites like Slashdot and .com.com.com everyday and yet there is no end of talking about a product that won't be out for years.
Security is nice and all, but Longhorn is starting to remind me of heaven - a long way off with no concensus on what it is really like. A lot of faith that things will get better someday is almost required, just as faith is required for the religious minded.
Slashdot posts every single letter, lecture, and little throwaway statement Bill Gates in order to give the "M$"-bashers something to froth over.
Absolutely nothing new will be offered in the discussions for this article.
Meanwhile, Gentoo, Debian, GNU (twice!), and Gnome have all been hacked in the span of the last six months, and LinuxSecurity reports dozens of vulnerabilities for each distro every week alone.
It will always boil down to this--security as a criticism against Windows will always be something that's only valid to other Slashdotters. Most of the rest of the world doesn't see it that way, and the rational of us see it as an admin and user ignorance problem. When Slashdot posts articles with titles like "Another New Microsoft Hole" and it turns out to be a user-ran executable attachment worm (yes, this was a real article), or "Microsoft Violates Human Rights In China" simply because Windows is used by the government there (never mind that China has its own custom Linux distribution, but I doubt we'll ever see "OSS Violates Human Rights In China"), I can only shake my head and just wait for the next cool technology article.
Becuase that's why I first started coming to Slashdot--the cool tech news. Not "let's fill our daily quota of one 'bash M$' article per day." I used to go to K5 as an alternative because of the interesting tech articles that didn't get posted here, but at some point K5 became a liberal anti-Bush administration site. This place has become an anti-RIAA, anti-M$ site. I miss when there was no agenda other than being a cool site for nerds to get news on the latest Stallman lecture, Linux kernel technology, or programmer interview.
You troll .. and to the mods your no better.
I think most people will agree most security problems boil down to one simple thing, the stupidity of the user
Your missing the whole point. The users aren't stupid - they don't care. Computers are not an integral part of their life as they are probably are for you. Hence implying they are stupid because they can't spot a virus is just plain rude.
I have to ask if you know exactly what happens and what to do if your car suddenly stops for no reason. Does it make you an idiot if you have to ask for help ? No because for most cars are a tool not a lifestyle - just like computers.
Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants".
Now that Apple is *nix based I find this kind of statement quite suprising. What a bunch of proudly ignorant people.
Apple computers yes do have the obscurity security benefit, however they also have intelligent default settings. Windows with XP SP2 will finally set the defaults to what they should have been from the start.
You are the ignorant one not the non-techie users.
Funtage Factor: Purple
Maybe their league of "talented" programmers is actually taking the time to do something right and improve security in Longhorn? I mean, it's a nasty task to acomplish putting security into Windows.
First, you have to fix all the holes in the OS. Then you have to protect the OS from the users. Then you have to make sure that the system is configured as secure out of the box rather than totally open.
We're used to seeing a major push of Windows every year or so. This might signal Microsoft taking the Linux issue a lot more seriously. The primary reason for using Linux (or something similar) on a server is long-term stability and security. Two things that Windows has been lacking for a long time.
I drink to make other people interesting!
But, here's an idea! What if the email program DIDN'T EXECUTE SCRIPTS WRITTEN IN BASIC!
Hey, Bill, here's some code that will kill worms dead:
How long will it take until Microsoft dips into the Outlook code and stops the running scripts in message attachments?
Maybe never. They'll just build rarely updated "after the fact" virus scanning in the next XP service pack! Yeah, that'll do it.
I won't need it. I use Thunderbird and Mozilla Mail.
Ever dream you could fly? Get up from the Flight Sim. I Fly
Sure, it was easier to write an assembler program adding it's own code to a software, while keeping the infected program executable, than scripting 15 lines of VB Script.
Oh, those poor and innocent individual users. What a wonderful way to make them think they are only victims, and never responsible of the spread of a virus, even if they don't make any effort to secure their system.
Of course, the idea that a malicious program shouldn't be able to do much damage, because it has very restrictive rights is a strong innovation.
Wonderful ! Microsoft OSs will (at last) have memory protection ! Let me remember, how old is Unix ? Nearly 40, isn't it ?
Could someone explain me how Microsoft can be seen innovative by so many people ? And how they can so proudly try to make us believe they always were (and will be) on the right way ?
-----
Interesting points, wonder why you got modded down?
I'd like to add to what you've said and point out that there is a difference between stupidity and ignorance. Stupidity is not being able to learn somethiing. Ignorance is not knowing something, but it doesn't exclude the capacity to learn. Most people, when it compes to the intracacies of the PC, are ignorant, rather than stupid. And they want to be.
For example, I don't want to know the specifics of which particular gasket a mechanic's going to tighten (or loosen) when he reapirs my car, I just want to get to work. I could, if I chose, get materials on automotive mechanics, find out this information, and be knowlegable, rather than ignorant, and even possibly do the repairs myself; but I have no need to know this stuff, so I remain ignorant.
IMHO, This has been one of the fundamental failings of understanding of the Open Source movement, as they try and move from the hobbyist to the mainstream. Doctors, lawyers, and other professionals have too much to worry about in their own fields to concern themselves with makefiles, mount points, and other intracacies of Linux. And, quite frankly, a large number of people simply don't care to learn this stuff, any more than I care to know exactly what happens when I turn the ley in my car to get to work. I just want the engine to start, and use my fundamental driving skills to get to work, or home or to the bar, or wherever.
Does this ignorance mean that I can't drive as well as someone who knows the full workings of an automobile? Certainly it does, however, there are indicators and saftey features in the car itself to protect me from my own ignorance.
This is part of what Microsoft has realized. They realize that people want to know nothing about how their machines work, they just want them to work. That's why their now working on protecting the ignorant user, rather bothering with attempting to educate them. For these users, it's better to put the govenor on the engine, the automated seat belt, and the airbags rather than trying to teach them to use a turn signal when they change lanes.
If Linux is going to embace the mainstream, they are going to have to embrace this ignorant user. Linux is going to need to be so simple that people aren't going to fear it anymore as a more complicated (albeit better performing, more stable and more secure) system than Windows. They're just going to put the cd in the computer, and drive away.
Linux/*BSD will have a better GUI than Windows, more application and driver support than Windows, and an infinitely better design and development process.
.NET Show" videos every month showcasing the new technologies. People can make apps using XAML and a few lines of .NET code. One video shows the dev writing 10-15 line app that lets him update his website blog. They're hardware-accelerating everything, stripping out Win32, and revamping all of Windows. Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath (oh, gee, it might be XServer instead which will, gasp, add transparency). Same old, same old.
Doubt it. Care to point to any signs that show this magical stride Linux is going to make?
OK, two out of four isn't bad. But Microsoft must be scared of something. Why is one of the wealthiest corporations in the world and its army of developers having so much trouble getting something out the door, and why is Bill going out of his way to appear to tow the line? Kind of spooky.
They're not having any "trouble." They're creating entirely new technologies for this new operating system. MSDN has been putting out "The
Uh, why would a company's leader talk about his competitors when he's talking about his own product?
Tell you what, Bill, we've got this stuff called "Linux" and "Mac OS X" out there, among others.
Yeah, let's compare their marketshare to that of Windows...though OS X is definitely making headway lately.
P.S. Maybe I'm the only one, but I'm getting tired of people addressing "Bill" whenever they talk about Microsoft. "Yeah, Bill, do this-and-this." "Yeah, it's sure what Billy Gates wants." So clever and witty...
Whats the result? Users don't even *crack* manuals open, they expect just to be a genius at anything they try. Then software companies realized "hey, nobodys reading these manuals" and they cut costs by stop including them altogether.
When they do include a manual they're terrible. I purchsed a Dell Axim x3i lately. It came with a 200 page manual that's WORTHLESS (and I have a CS degree). I wanted to know if I could sync the device over TCP (the answer is yes, but only if I connect to a windows machine first with the same SMB name as my linux machine grrrrr) -- the manual has no information of any kind on it. Just dry lists of "How to setup feature X", doesn't even mention the purpose or the reason for setting up X, or what it can do. Just the steps to do it with no information ...
Long story short, if I'm confused with a CS degree, who isn't? The companies that stell us this stuff encourage ignorance, theres not a place to learn!
Religion is a gateway psychosis. -- Dave Foley
Do not tempt the gods that way. You're just asking for something.
Is it fascism yet?
"Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. "
BILL: GET RID OF THE MICROSOFT HTML CONTROL.
Getting rid of ActiveX and splitting the MS HTML control into a separate modules so programs can display local HTML without worrying about it kicking off a local exploit or downloading untrusted material from the Internet... not just defining zones, but separating the display code, the internet code, and the active desktop code into separate modules that don't interact with each other except through an application that has to explicitly request dangerous things... that would do more for security than anything else Microsoft could do between now and the end of time.
But to do that would be to back out of the claim that it was essential to merge IE and the desktop back when they violated their agreement with the DoJ back in the '90s, and Microsoft cares way more about losing face than improving security.
... that "Winsecurity" is so far removed from actual "security" that it deserves its own word.
Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants"
Every extra hour that I am forced to spend learning how make make a computer do what it should have done in the first place adds $50 to the TCO of that machine. So if I have spend even one hour per week figuring out how to keep my machine safe from exploits, I've added $2500 to for the cost of that machine for that year.
I am not proudly ignorant, I only realize that my time is limited and that spending it patching gaping holes in a badly designed product is not top of my list of either fun or productive things to do. At best, you could call me resentfully ignorant because I resent that ignorance should be a problem.
I'm not even sure how you can blame Apple for much of the Internet's current dismal state of affairs. What percentage of viruses, trojans, spam, etc. are distributed via Apple machines?
But, as long as we are playing the blame game, I might as well burn a few karma points. Lets add some more culprits to the list:
1. All the IT vendors that touted software and internet services.
2. All the businesses and organizations that listened to IT vendor's hype and gave PCs to all their employees.
3. The original internet standards designer who gave us naive, overly-trusting standards that make it too easy for anonymous blackhats and spammers to send out untraceable virus packets and spam
4. CPU makers (and Gordon Moore) for giving us such a rapid pace of performance growth that no platform ever matures before it is replaced by another exploit-ridden next generation OS
I'm sure there are others.
Two wrongs don't make a right, but three lefts do.
On my W2K computer at work.
It took me quite a while to convince myself that it was not spam and safe to open. This, I think, shows that Microsoft has a long long way to go.
Life is like a web application. Sometime you need cookies just to get by.
On OSX/Linux/BSD/Solaris...
For the virus to be executed, it would have to be saved to disk and then have the execute bit set. For it to do this automatically, that would involve executing, which it doesn't yet have permission to do.
For a user to execute it, they'd have to save the attachment, switch to their file manager, change the permissions on the file, then run it. That's one more step that is require on Microsoft Windows, and following the data that's more than 2 clicks away is too far away rule, a lot of people won't bother if it takes that much effort.
Most operating systems have this feature built in. If Microsoft were competent enough to have it built into Windows, there would be no need to go chasing the CPU manufacturers.
Follow me
Well said, sir.
Microsoft is constantly lauded by the press and the business world alike for bringing computers to the masses. A chicken in every pot and a Windows license in every home. And while that is a commendable feat, helping to spur the absolutely exponential growth of the internet and computing in general in the last few years, no one stopped to ask if the masses were ready for all this computing at their fingertips. Computers are powerful devices, and are becoming ever moreso with increased use of broadband internet. The potential for a computer to do serious damage is great, when the right person (or perhaps the wrong person, depending on your perspective) is doing it. The problem right now is that the computer companies are doing exactly what every business in our capitalist society *should* be doing with a home appliance: trying to make money. That, above all else, drives their product creation and marketing. The problem with this line of thinking for computers, which are more than just appliances, is there is no responsibility or accountability for consumer ignorance. Yet.
Consider other home appliances: stoves, televisions, water heaters, automatic litter box cleaners. None of these things require a license to operate. Why? Because although they may be dangerous if used improperly, they don't really pose an immediate danger to other people; just the person operating the device. Since we as a nation believe that people should take responsibility for their own uses of these devices, only product warning labels, owner's manuals, and occasionally tech support are offered as education.
Now consider devices that truly do pose an immediate danger to other people: automobiles. Because we are all driving on roads with *other people* and are a potential danger to them, we as a nation decided that drivers needed to be licensed in order to drive, i.e., there is a mandatory level of education needed before people are allowed to use the device.
When personal computers were first introduced, they fell into the first category above. Each unit was separate. If you didn't read the manual and fried your hard disk, that was your problem. However, as we network more and more, and desktop environments such as Windows and Zero Install try to blur the line between working on your own machine and working as part of a network, computers are migrating into the second category. We're all driving on the proverbial internet highway. Now, if you are a clueless user who clicks every attachment in emails and forgets to install security patches, you are endangering the livelyhoods (if not the lives) of other people on the network. Even the responsible people can still be hammered: you can't tell me that mail servers running OS X are not slowed down by the deluge of emails from Windows boxes still running SoBig and MyDoom. No one is immune, and it translates to lost revenues for everybody.
So what do we do to fix it? Do we mandate that computer companies educate their customers? No. That would be like asking car companies to teach their customers how to drive. How about the ISPs? Nope. They're just the toll booth operators. TThe problem is standards: the world of personal computers sprang up absolutely overnight, from a standards compiance point of view. Automobiles have had over 90 years with the same basic premise (gas, brake, clutch, steering wheel, internal combustion engine), and they have been refined to be compatible with each other. Take one driver's education course, and you can drive any car built. They can all run on the same fuel. They all fit on the same roads (current SUV trend notwithstanding). All of them have at least some interchangable parts. Yet there are dozens of car companies, each with its own set of designers and engineers. Computers sprang up so fast, with a new technological revolution every week, that standards compiance hardly had time to ask, "what the hell just happened?" As it is, we have several major operating systems, none of which run the same software (they all req
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
No, not everything, of course. But some of what he says is right. Much of
the bits about isolation and resiliency are dead on the money: having the
firewall on by default is a start, but if I understand correctly what he's
saying (which is hard, because the wording is brief and nontechnical; it
was obviously not written for a technically-inclined audience), Microsoft
intends to actually *fix* Outlook. Not "patch" it to stop a particular
exploit, but actually fix the root problem.
He also says some stuff that's good to hear despite not really constituting
security -- e.g., popup blocking, and not loading remote content in email.
He also talks about taking measures at the system level to mitigate the risk
of buffer overruns, but I can't tell from what he says whether what they're
doing there will be helpful or a placebo. This is where the CPU NX stuff
comes in, and I'm a little over my head there; I understand the idea, but
I don't think I grok all of the implications.
This is actually a good article. Not perfect, but good. Go read it, those
of you who haven't yet. I don't think we're going to slashdot Microsoft.
Cut that out, or I will ship you to Norilsk in a box.
IMO the other main player in the make-a-fast-buck-off-the-stupid industry has to be Apple computers. Controversial, but let me explain. Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants". This is a dangerous mindset to encourage. Their computers are set up to do everything for you, to treat the user with a kind of benevolent contempt. Some recent pricing of upgrades illustrates the kind of attitude Apple has to its customers. While relatively unpopular, Apple computers can safely get away with this. But like "security through obscurity" it is not a policy that can scale safely.
AOL and Apple are a twin prong attack on our Internet experience. Perhaps it is time to introduce a licensing scheme beginning with the users of these two products. We license Car drivers, because a bad car driver is a danger to others as well as himself. Increasingly it is becoming clear that inexperienced users must fall in the same category.
Everyone is entitled to an opinion and I see the grains of truth you put forth. As Apple making for an easier/possibly better user experience by dumbing things down (Though OSX is as simple or complex as one needs it to be).
But on the other hand I happen to use MacOS both pre X and OSX itself. I'm also a systems engineer who specializes in administering Linux boxen. Exim/LDAP, various flavours of Apache, Bind, CVS etc yatta yatta. I also write a lot of Perl and PHP and dabble in C. You make it sound as if all Apple products are like tonka toys compared to other systems and the comment about people who know nothing tend to buy Apple is simply preposterous. I tend to beleive that this is why Win is so popular in the first place because of those who simply don't or can't be bothered to know anything.
I do use MS products all of the time as part of my profession but I've never chosen them for personal use and I don't say this because it's something to be proud of or anything. I just choose not to as I've always preferred the alternatives. They just make more sense to me and I personally find them more elegant. Though when I look back at my first comp (a commodore PET) I'd as sooner eat my own words but anyway... As a matter of personal experience I usually find users of other OS's than an MS OS to be more knowledgeable about the inner workings and limitations of their system of choice. As well it's pretty much agreed upon here that it's the users themselves that are helping spread virii and worms. By far and large it's the win users who are doing it so I don't see the relevancy of your attack on Mac users or even AOL'ers for that matter. It's not the internet connectivity that's the cause of the spread. Again it's the users. A person knows that they want to buy a computer. They go to the store and buy one. Naturally it has Windows pre-installed. A no brainer. But to actually go out and buy a system that is NOT the norm requires a bit more thinking especially if that system costs more than the norm which is usually the case.
What I'm trying to say here is that the OS doesn't make people lazy, ignorant or stupid regarding computing. They are already predisposed for whatever reasons. No matter what system you happen to use, all basic concepts are the same across the line. Choice of platform is irrelevant and a waste of time to focus on such small details and minutae. A Win machine can be just as secure as a 'nix or Mac machine (which is a bit of a misnomer really because pretty much all worms/virri are wriiten for Win anyway) as it's simply a user's habits that the malicious count on. Simple as that. Nothing more nothing less. It's just common sense which to me doesn't seem to be so common anymore. Although I truly beleive that the OS of choice has nothing to do with anything here, I will say this to stay within context of your comments; For now just keep in mind who the people actually are that are making it so easy to sully your 'net experience before pointing any fingers.
Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath
You know, there's a flipside to that coin: if it ain't broke (which it mostly isn't), don't fix it. Unlike Microsoft, "we" don't have to do buzzword-laden feature releases on a regular basis.
Free software isn't perfect by any means, but it's steadily improving. Besides, nobody really knows where we'll be at in 2006 - not even Microsoft can give you any guarantees on where they'll be then.
I'm reminded of that solid metal car that Kinsman (the Grey Lensman, in E.E. "Doc" Smith's series) got into... the one that went 7000 miles per hour, was absolutely completely lightlessly black dark inside, had no seat belts or other cushioning, and was driven by an alien of a species that can "see" through solid matter. The accelleration was insane and he ran into everything on the way. Supposedly a severe bruising is in order if the driver "takes it easy" for "non-terrestrials".
What I find interesting about Gates' ideas about security is that it perfect sense from his perspective. Nerf the hardware so the software can't do anything it shouldn't without authorization. That way, his development costs can go down because there isn't nearly as much that can go properly wrong when someone writes bad code. He doesn't have to spend as much on development, and his customers don't have to worry about his crappy development.
It's a bit like industrial waste. No worries. We're saving money. (The science goes to waste, instead of the environment.)
It's kinda funny. If Gates gets his way, he'll be able to offshore the majority of his software development to the cheapest bidder. He'll still need real computer scientists to design and research the future for Microsoft, but then he can hire bargain basement code monkeys to follow their design documents as closely as they can figure out. "If it compiles, it works."
Windows Media Player 9--the future. (Can I kill myself now?)
I'm as mimsy as the next borogove but your mome raths are completely outgrabe.
Oh, please, don't be so condescending. I'm a programmer, been one since 1978 (how old are you?) and I've been using Macs since they came out. Even have a Lisa. I'm the IT director at a company where we have about 30 servers, most of them Macs. The ones that aren't are running a variety of *nix, and one Windows Terminal Server. I've written TONS of code for DOS, for heaven's sake, and Windows since 3.1.
Trust me, I am not "proudly ignorant". I use Macs because they're better. Period. I am not genetically defective, either. Jeez.
Here's an interesting though. Is Linux more secure and stable BECAUSE it is more difficult to set up?
Linux makes few assumptions. You have to explicitly install and run things if you want them. There is no marketing pressure to force you to take features you do not want. Heck, you can even build your own kernel to include or exclude features. The "barrier to entry" under Linux is higher. So the majority of Linux installs were installed by somebody who actually knows something about a computer.
Conversly, Windows is easy to install. Furthermore, since it comes pre-installed on most computers, it is REAL easy to install. Windows is not so much of a choice for most users as it is the failure to make a choice. Many of the people "succesfully" running Windows are "twelve o' clock flashers". (You know, those people who's VCR constantly flashes "12:00" because they have no idea how to set it.) Combine this with cheap, always on broadband and you have a recipe for disaster.
You've heard of "Security through obscurity", well Windows suffers from "Insecurity through ubiquity"
Interesting how the article fails to place any blame with Microsoft - the company that provided the faulty platform for the spread of this malicious software.
Imagine if you bought a microwave oven that didn't have sufficient shielding to protect you from the "criminal" radiation within.
And this malicious software "evolves" too. Oh yes. Its not the platform itself that becomes more and more buggy. No. the malicious software "evolves".
Microsoft are also committed to major investments in customer education as well. Thats right. its your fault you got a virus. Stupid customer.
So Microsoft create this problem and now its "really funky and groovey" because it is trying to patch its own mess up. And who is going to pay for all of this, dear customer? You guessed it.
Much as I like their 3 steps to "protect your pc", they seem to miss out the obvious one:
Don't use faulty software.
I think you underestimate users. People will double click, unzip and spend however long it takes to run any attachment they get. Even if their e-mail program or ISP or whoever says something like "The attachment is a virus... do not open it." They will still open it.
Now, for most users, It's not the 2 clicks away is too far rule... it's called you need an administrator password to install anything rule. This is why people tell you to not log in as root. (and why the root account is disabled by default in OS X) Now when you double click that attachment and instead of opening a document, it prompts you with the password dialog box, alarm bells should start ringing.
Oh and most archival programs will save rwx flags. So while it's harder to get a virus, never underestimate how stupid people can be.
So on OS X, if I download a SWF file or a HTML file with embedded JScript, or visit a page with a Java applet in it, I won't be able to execute any of the scripting code embedded in those files unless I copy them to my hard disk and set an execute flag?
Saying that forcing users to enable an Execution Flag on files before you can run them, is a 'security feature' is ignorant. There are plenty of plain file formats that can contain executable code in them, and an 'execute flag' doesn't do anything to solve that problem. All it does is inconvenience users. Word Macro Viruses were plenty effective even though you couldn't double-click a Word file and run it just like an EXE file.
using namespace slashdot;
troll::post();
W-insecurity!!! Oh Snap!
I was talking about executable files (notice the word "executed" in my post). You're talking about interpreted scripting languages. If you don't want such things to be run, then either disable whatever "feature" causes them to be run, or choose to use software that simply doesn't run them.
./perlfile.pl until the execute bit is set. Running it using perl ./perlfile.pl is different, since the initial program being run is the perl executable, and it's not up to the shell to decide how to run the script.
Java VMs (at least the real Sun versions) have a security policy which prevents applets writing data to anything other than the domain from which they came. i.e. if it came from the internet, it cannot read/write to any arbitrary part of the local filesystem unless you change the security policy manually.
"Plain file formats" do not contain executable code. They might contain code that can be interpreted. A perl file downloaded from the Internet for example cannot be run by typing
I'd agree that any point-and-click GUI that lets users run interpreted code from files like that is missing something in the security department.
The execution bit being a security feature is a fact, not a sign of being ignorant.
Follow me
I have yet to experience downtime or hassles due to viruses or worms.
:)
I'm not going to get into an OS war but I also have not had any downtime due to a worm or virus on my Windows XP box. This is because I do not open e-mail attachments, run a hardware firewall, and keep my system up to date with the latest patches and virus definitions.
I also have a G4 running OSX and an older PC running SuSE. My favorite is the G4 not because I am a Apple zealot but because I like the interface. I didn't like Apple before OSX. I still don't like Apple hardware but I can get over that.
My point here is that the most important aspect of security is the user. Microsoft still has an uphill battle but I believe they are moving in the right direction. Right now I think the best thing Microsoft could do would be to buy some TV time and inform the average Windows user on how to improve security (besides switching to Linux)
I still remember the day I could open up anything...yes... anything in my text editor without the slightest fear of anything going amiss. The absolute worst that could possibly happen is I get a screenfull of gibberish as the character generator tried to translate the binary file to displayable characters.
Then some yokel got busy with embedded executables ( not Gates... I am talking about the guys behind the ANSI escape codes which enabled certain codes to be defined then execute to do certain things ) and the first "ANSI bombs" were crafted. Its been downhill from there.
If nothing else, return to a clean form of HTML. Standardize it. And give it no power to do ANYTHING but display.
And Gates, stay out of those damn plug-ins. You don't wanna take the heat for the security risks, because anyone can write a plug-in to do all sorts of nefarious things under the rug. Trying to make some sort of automated install easy for some businessman is only gonna be subverted to make worms and viruses autoinstall.
Asking people to install programs they know nothing about to me is akin to asking people to sign legal forms they know nothing about. If businesses are going to be afforded the protection of the law when it comes to people not knowing how it works, they are going to have to assume all liability for what it does when said uninformed people run it.
If we can't enforce this accountability onto software developers, then we are never gonna get rid of those underhanded people who release code that has ulterior motives. Those people who release sneakycode are really making it tough on the rest of us who want honest programs.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
I for one will be boycotting whichever of Intel or AMD try supporting this first.
When they both start supporting it, let me know. I have a nice ATX footprint PentiumPro motherboard to sell you.
---
Don't you just love how Windows' in-securities are spun as "evil forces"?
And don't you also love how Microsoft's solutions always point the responsibility finger elsewhere. They always try to paint themselves as the good guy, having to clean up after the mayhem someone else initiated. "Here's our progress on taking steps to combat the evil in the world."
One of these days, business is going to wake up to this shell game and start holding the software manufacturer to blame for the general design problems of their products. Then you'll start seeing a general shift to another platform, maybe starting in the back office, file and printer serving, firewalls, etc. The desktop will be last.
Wait a sec, perhaps that explains the new firewall corporate bought for our branch to replace our old Win2K one... Linux.
There is no need to use a SlashDot sig for SEO...
And AMD supports it first. They support it right now. Intel is dragging their feet on it. That's the reason I WILL be buying AMD and boycotting Intel (although there are others, this would be the main one).
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
I could be wrong ( it would require a lot of testing to be sure ), but it seems to me if we had gone with a Harvard type architecture, were data and code are separated at the chip level we wouldn't be discussing this at all.
Perhaps it would be prudent to re-visit the past, in order to move into the future.
Not too many current chips do things this way, though the 8051 series comes to mind.
---- Booth was a patriot ----
Are you sure? SOMETHING'S got your keyboard fucked up.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Couple of random thoughts:
1. NX bit is not an end all in preventing mal code from running. It does limit some exposure.
2. DRM is not guaranteed security as MS is trying to sell to the public. It does guarantee that fixing a hacked system will be sooooo much more difficult. A successful hack could rended someone's local data inaccessable. And we are sure to see version 1.0 type vunerabilities in bios, os and libraries for a while... eeek.
3. MS providing antivirus, firewall and so on will not work out as competition between vendors has fueled a ton of creativity and generated some pretty amazing products. Let's hope this feature is like the backup software included with Win3.11 and 95 rather than IE.
4. None of this really speaks to MS's most important and weakest security-wise product: MS Office.
-- $G
I got the e-mail. For me, it was spam. I never asked for it. I didn't sign up for any Microsoft newsletter, and certainly not in any way that was verified via a reasonable opt-out system. Thus, I found the passage about spam particularly ironic. Here was some long-winded spam that trumpeted how the next version of Windows would have spam-protection tools. Naturally, I fired off an abuse complaint. So far, I've received no response to that.
I can't get too worked up about the threat to Symantec et al. caused by MS closing their security loopholes.
Those loopholes should never have existed in the first place. I think the fundamental unfairness is that we had to be saddled for a couple of decades with a P.O.S. "operating environment" because both MS and its customers were too short-sighted to get it right the first time.
Also, no matter how much good faith effort is exerted to close security holes at the design and implementation levels, there will *always* be a need/market for an external security effort. Something like CERT won't go away. I can still imagine a healthy "security ecology", as organizations attempt to crack MS software and blackmail^W attempt to convince the rest of the world that the fix is needed.
John.
You're being misleading! The fact is, I as a Windows user don't even need to save a virus to disk and run it in order to get infected. :P
So UNIX users are actually three steps removed from dangerous attachments, but seriously will KDE and GNOME eventually bring in traditionally Windows specific security issues inadvertantly by trying to mimic the Windows environment?
says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'
Marking pages as being executable or not has been a feature of many processor families for decades. It's generally a useful feature, but it is neither necessary nor sufficient for making opearting systems secure: after all, Linux, BSD, and Solaris manage to be much more secure than Windows running on the same processors.
once it's proven to work, then the bells and whistles get added.
...
Unfortunately, once you add the bells and whistles you can no longer say with any certainty that the code still "works." Anytime someone touches working code they risk breaking it. Only way to avoid that is testing, which is as much of an inexact science as programming is
He isn't saying he is going to deduct it on his taxes dumass. He is saying that he is willing to pay more for a machine that will allow him to spend more time making money and less time fixing it. If his productivity increases, he will make back the difference.
I think you underestimate users. People will double click, unzip and spend however long it takes to run any attachment they get. Even if their e-mail program or ISP or whoever says something like "The attachment is a virus... do not open it." They will still open it.
Tell someone there are 100 billion suns in the Galaxy, and he'll believe you. Tell him a bench has wet paint on it, and he has to touch it to make sure.
Mit der Dummheit kämpfen Götter selbst vergebens.
Well I run several *nix servers, my home and office machine are both Win XP. I ave *never* been infected by a virus. Never.
In the words of some of the security professionals out there(from the people at @stake and foundstone):
If you have never been hacked [sic] you are either too small a target to be worthwhile, or, you have been hit, but are not good enough to notice.
Amongst security professionals, you are rated good if when asked how many times have you been hacked in the last 5 years, and your answer is "once or twice". If it is "never" that is almost as bad as "lots".
Try to hack my 31337 firewall!
Second, there is a lot of variety in Linux installations even though they are all compatible in broad terms. Differences in what languages are available, permissions on what the user can run, where files are located, etc. And since the average Linux user isn't being spoonfed Microsoft "innovation", the average Linux user knows better than to open an unknown mail attachment and every Linux mail client will not do this by default.
Linux distros don't run unneeded services out of the box by default (been that way for years). Most exploits in Linux take advantage of minor vulnerabilities (such as the Ramen worm which used a hole in the lpd print daemon to deface insecure Apache installations). Even then, without administrator (root) power, the damage these worms/viruses can cause is very limited.
It isn't impossible to write a worm to affect Linux. Just difficult. And even when done, the vulnerability that made it possible is often patched within hours. Viruses are for all intents and purposes impossible to write for Linux without a root exploit available.
The inherent design differences of Linux vs. Windows even with Linux installations becoming more prevalent and thus more inviting to attack will still keep Linux, *BSD and Mac OS X relatively safe from large scale, billion dollar attacks that run rampant on MS based systems. And if there is an attack, the Linux community will fix it and help educate rather than beg the government to create standards and blame the whole thing on customers rather than admit to plain crappy software engineering.
The hoard of people arguing about virii and worms in this thread is just amazing. I'm suprised people aren't bickering about the hardware level NX. No Execute? Sounds like a BAD idea. ::sigh::
The whole DRM thing is getting to be ridiculous. I shouldn't have to present my papers to the DRM gestapo every time I want to do something on my computer.
The disappointing thing is that most people who buy a Dell/Gateway/Prefab computer in the next 3-5 years won't know a single thing about NX and DRM. Only the geeks will know better.
.deviatefromtheabsolute.
So? He also said ..
"640K ought to be enough for anybody."
- Bill Gates, 1981
I guess you missed the study that Slashdot posted which stated Linux was the most breached OS on the net.
.NET, so most everything will be sandboxed. What's going to happen when we see another article about a public Linux breach like we've had with Gentoo, Debian, Gnome, etc. and nothing happening on the Windows front because Microsoft has taken all these extra measures? I'm sure Slashdotters will find something to bitch about, but personally the technology fascinates me, and there are some damn smart people working over there at Microsoft.
I seriously doubt Windows is inherently more secure--the fact is, that operating is in use by some 90% of computer users, so it's not unreasonable to expect that things are going to get through once in a while. In that regard, Windows has the potential to become more secure than Linux simply because it's so much more field-tested.
You mention that Longhorn will ship with worm vulnerabilities, without realizing that Longhorn will be entirely
Technically, if it's embedded in an e-mail and runs itselfvia some scripting feature, and speards itself to other computers, it's a worm.
Unix/Linux users are one step ahead of Windows as far as standard viruses go, but they're a long way off as far as worms go. I'm not aware of any mail clients in KDE or Gnome that support scripting, and if one did appear, I don't see why people would switch away from the current range of excellent apps like Evolution and KMail/Kontact.
If one of those did start supporting scripting, I'm betting that enough people at the development end care, and the default would be to have scripting turned off.
Follow me