The Windows Security Nightmare
latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings.
It's the bigger problem of running services by default. The average user doesn't need half of the services that run. Linux figured that out years ago - most services are off these days, and those that are on are fairly secure (ie: sshd). Even if some of these services are required for system operation (like some folks have claimed), there's no reason for them to be listening on addresses other than 127.0.0.1.
There is no sig, there is only Zuul.
I cannot help but see the analogy here.
...etc.), and not the root cause (flawed security design, ...etc.).
Microsoft takes the approach of fighting the symptom (malware,
This is the same way many governments approach things like terrorism. They address it like a security problem only, that Intelligence Agencies and the Military/police handle. Why these ideologies developed, and what are the social, economic, and political reasons that lead to it is never even attempted.
And it is not only America, this has happened before in Ireland, Spain, Egypt and elsewhere.
Unless the root cause is studied, a correct diagnosis is made, and then remedial actions are taken, no amount of policing will fix the problem for good.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
This isn't anything new -- I've sent plenty of patch CD's with customized .bat/.cmd files along with stupid-easy instructions thanks to an autorun.inf that takes care of everything from hotfixes to updating DirectX and IE, even restarting the box when it's done..all without bothering the user with confusing dialog boxes. It helps quite a bit when your family has dial-up and can't even get to Windows Update before Sasser or equivalent hoses their machine.
But, then again, I've sent many times more Linux distro CD's to my friends.
So your solution is to spend $80 on hardware to workaround a defect in $100+ software? Does he have to carry this device around with his laptop everywhere? This is a joke, right?
If you're going to go after Windows employees, don't bother with the registry and update guys. Nail the guys who made ActiveX and Outlook.
There ya go, I'm an informant now. When can I expect my check? =)
Weaselmancer
Weaselmancer
rediculous.
How do you know? If its not running a virus scanner how would you tell if it had a virus or not?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
If it has no virus scanner, how do you know that it's never been infected?
Microsoft's Windows Security Update CD is great in theory, but almost worthless in practice. The lead time for delivery is so long, by the time you get the CD, another batch of viruses/worms are out exploiting newly discovered vulnerabilities.
How about you wait until the firewall is loaded before plugging in the network cable?
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
sPh
But, if you don't believe me try this little test:
Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.
I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore.
$.02
"I'm just here to regulate funkiness."
The author's slanted raving is over the top. I could just as easily read about some Linux newbie's nightmare experience trying to get all of his hardware to work or how they had to rebuild the kernel after applying some new module to their system.
My main gripe with how things are is that all new PC's should be delivered fully patched as of their configuration date. And since Microsoft has switched to their license subscription model they should ship out CD's to all licensed customers with all rollup security packs available. Just like a TechNet subscription operates for previewing beta products. I don't mean a user calls into Microsoft to request a CD. It's their place to send them out. Just like an auto company would mail out recall notices.
Since a few people have mentioned this: He was using Windows 2000. It doesn't have a firewall.
Igor Presnyakov stole my hat
Wow. Think of what you're saying. You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?
There is no sig, there is only Zuul.
+5 insightful?
The total cost of his solution was the cost of the CD--your solution costs $80, and it isn't even complete.
He mentioned installing a firewall (such as ZoneAlarm) which is free and would do as effective a job as your $80 solution.
Also, one of the other large problems today is spyware (or hijackware as it should really be called), and that comes over the browser on port 80. Your $80 firewall is not going to stop that. However, the author of that article offered several free (and wise) solutions to combat this problem.
I know I'm not supposed to feed trolls, but common, at +5 I just had to respond.
If you're really pushing this $80 solution over a perfectly reasonable free solution, then you either work for D-Link or you shouldn't be taken seriously.
did you RTFA? author mentions this CD but also states that this is horrible out of date, takes 2-4 weeks to arive and will not ship to his country
That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...
Why would booting to Linux be any more secure, for that user?
She appears to be the problem, not the OS.
...and I don't believe obtaining a DHCP lease would be a problem through this.
Asking users to plug/unplug their network cable is just plain silly.
It's a rational expectation that a brand new machine, or one restored to factory configuration, should have no fatal problems - we certainly expect that the wheels don't fall off our cars just after we drive off the new car lot. We shouldn't have to *know* that we have to tighten the lugnuts or get new tires because the ones I juts bought are about to explode, and I shouldn't have to immediately change the locks because everyone and their grandmother can pick the one I just bought with a toothpick.
Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?
No, my suggestion was not a "solution" to the general problem. It was an idea for the supposedly technical person trying to fix a b0rked windows box which they couldn't get to stay up long enough to patch. For that person, I would have thought that unplugging a cable would be both obvious and straightforward. Should regular users be disconnecting their boxes every time they reboot? Of course not.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
I could not help but find myself in quite a humorous state as I read that article. As a Support Analyst for a Fortune 50 company, I see many of the errors that the user was describing in the beginning of the article. Unforunately for him, he reinstalled the OS. All he needed to do was recreate his Windows profile.
The right click locking explorer and the functionality loss of Mozilla were most definely not caused by the Reg, but more likely caused by a corrupted NTUSER.Dat file in the profile folder of his machine.
Furthermore, if you are currently reading this article on your home PC and not sitting behind a firewall of some sort, please send an email to banme@slashdot.org with the attention line reading I am no longer worthy.....just kidding just kidding.
http://jayceecorder.blogspot.com
Asking users to plug/unplug their network cable is just plain silly.
I'd have to disagree. I think making someone work for something might make them a bit more appreciative of what needs to be done to maintain it.
I told my father to take his computer to a local shop to have it fixed rather than drive up to me. Once he learned how much it costs to have things fixed that can easily be avoided he seemed much more interested in learning how to take care of things than thinking "this thing should just do as I want it to" (and he stopped downloading stupid ass screensavers.
A little work goes a long way.
I don't care how good XP SP2 is, I'm not letting it near my PC.
If all this should have a reason, we would be the last to know.
You see, it takes 20 seconds to 2 minutes from the network activation to the firewall start every time you turn on the PC, not just when you're getting the latest update. And if you think you only need a firewall when you're running Windows Update, then you're missing the whole point of having a firewall.
If all this should have a reason, we would be the last to know.
No offense intended, but you can't expect "normal"(dumbass) users to do what you do. Even though your solution may work well, they just won't do it.
I was going to post something less colourfully phrased if no one else had.
The author of the article is either inept or trolling. Unless you are doing something dumb like downloading tons of shareware apps, installing them briefly, then uninstalling them, the registry should be fine.
Of course, he *does* seem to be the kind of person that does exactly that, based on his "I downloaded a random 'registry cleaner' program and trusted it with my computer's stability, and now my PC doesn't work!" thing.
The hotfix issue is a legitimate complaint, but anyone who is running Windows 2000 (an enterprise operating system) at home should be comfortable with making slipstreamed install CDs - especially if the user is someone with dialup access who regularly formats and reinstalls their system.
I'm sure MS would be happy to provide physical CDs with the updates on them if more than a tiny fraction of users were willing to pay a small fee for the convenience. It's not like Linux users get magic free CDs mailed to them from the groups that package the distributions.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?
/. crowd will never want filtered internet for themselves. But for your family? Wouldn't you want your mom on an AOL idiot proofed connection? If anything goes wrong, you could just tell her to call AOL and play dumb.
Our office lan has a hardware firewall and a network installed virsus scanner. I think every network should be secured.
As a home user, do you trust Cable One, AOL, or a generic small time ISP to keep you safe? Are they responible for filtering all network traffic before it hits you? I'm going to say they should have hardware firewalls of there own.
The
Quoth the parent:
I read that and nearly spit coffee on my keyboard. OK, let's assume that the parent poster is being 100% honest, that he made "a few grand" selling home-burned CDs outside Best Buy at $20 a pop. That's, conservatively, 100 CDs!
In other words, at least one hundred people were perfectly willing to shell out money -- cash, presumably -- to some random guy in front of a store, then take this guy's CD home and blindly install whatever the hell he'd given them!
Folks, talk all the shit about Microsoft that you want, but there's your security problem! If this guy is on the level, we've just had a prime lesson in the reason why Blaster, et al spread like typhoid.
You know, don't you feel sorry for Microsoft, sometimes -- just a little bit? I mean, imagine you're a Microsoft engineer. You're hard-working. You really do try, given the massive user base you have to support and the cruft of legacy code you're stuck with. Reasonably fast patching for security holes, updates -- hell, they'll send you a damn CD of updates for free!
And then you read something like this. And request an immediate transfer to the Office development group...working with Clippy would seem like a joy.
And for all the linux advocates out there -- especially the zealots, the Stallman's Witnesses -- this is a cautionary tale. If and when linux starts to hit the desktops, you're going have this same problem. If 100 users are willing to take some guy's CDs and install them, no questions asked, they're not going to flinch when he says, "Oh, and it will prompt you for your administrator password. You'll need to enter that in order to make sure the system is scrubbed." Play out your own nightmare scenario, there. Linux is inherently more secure? Really?
Social engineering-based cracking can't be stopped. Not by Windows, not by Linux.
The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter.
And yet, people still want Windows. I work in a high-tech call center, and people still look at me with blank stares when I tell them I don't use Windows at all at home.
Q "What do you run for anti-virus?"
A "Nothing. Linux isn't as succeptible to viruses"
Q "What about spyware?"
A "Same thing. I don't run anti-spyware either because I don't get it. Oh, and I can update my computer without rebooting too"
I've even had a laptop running nothing but Slackware, and technical people _not_ believing that Windows wasn't somehow still on the machine! People just don't see computers with anything other than Windows. If computers = Windows, then how can people get sick of Windows and not be sick of computers? The fact is, Microsoft has done a brilliant job of equating computers with Windows, to the point where even most technical people don't see any other option.
I think my job as an Open Source advocate is to just let people see Linux run on a computer, and let them follow the inevitable logical conclusion themselves.
Ruby on Rails Screencast
This guy's an idiot. He installs crap and unreliable third party applications and drivers on his system and then blames Microsoft! The article was a rant about security, so why the comments about the registry? It seems that was a dig based on some other personal dislike. He admits he placed his trust in some third party tool to clean his registry! Seems rather foolish.
/etc, /lib, rc scripts, etc. Just as time consuming and frustrating to fix. Just as painful for incompetent and computer illiterate people. Just as many people running with root level priviledges. Just as many boxes cracked automatically before security updates can be downloaded.
... oops!).
If Linux were as popular as Windows, there would just as much poor quality crap coming out for it trashing
I ran Windows 2000 for 3.5 years with the only problems coming from Creative Labs DXR3 and SoundBlaster Live! drivers, and Mozilla's graphics resource eating issues. I won't buy anything from Creative Labs again, and Mozilla have fixed their bugs. I only had to re-install Windows after I accidentally trashed the first part of its partition playing around under Linux (Grub, Lilo, dd
This is pretty typical of the FUD articles about Windows or Linux that /. has been publishing lately. Windows zealots send in articles written by MS puppet "research organizations" that belittle the OSS folks; then the Linux zealots respond in kind with this article.
It's really simple, people. Informed users will lock down their systems and know how to patch appropriately, regardless of their OS. Uninformed users will never lock down their systems or will get fooled into opening an exploit backdoor, regardless of their OS.
Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT. You have no idea how many times I've been troubleshooting broken internet apps only to find out that Zone Alarm/Black Ice is installed. One of my first questions now is to find out if those things are installed. The sole purpose of those software packages is to annoy you every time it blocks a connection and try and convince you to pay money for the enhanced version of the nagware.
You declare that the SP2 firewall broke your ability to print, but you do not know why. You just take a reactive stance and jump back to what works now instead of finding the underlying problem and solving it. I'm sorry, but I just don't believe that the firewall broke your ability to print unless there was an underlying reason. Outbound connections are not blocked by the firewall. The same statement goes for seeing others on the network. Maybe you were just impatient and didn't wait for browsing to stabalize which takes up to something like 15 minutes in a single broadcast domain. If you're really that anxious to connect to another computer and can't wait for the browse list, do a start | run | \\COMPUTERNAME.
If you want the computer to be seen on the network, create an exception list in the firewall configuration! It already has a preset for file and print sharing one tab over from where you enabled the firewall for crying out loud!
God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it. It's not Microsoft's fault that you don't RTFM or open your eyes to see that there's other configuration options when you use a feature. Blaming Microsoft may be fun, but it's not always the answer.
-Lucas
he's paying him back. He's showing him that it's much better to not get your computer hosed in the first place, so he IS paying his dad back for his education, in exact kind. Adults can be wrong, but there's no easy way to point this out to them, in a father/son situation. And it worked according to the post, when his father realised what a PITA it is, what it really costs,both in cash in what might be done to his machine or credit card or other personal info, or how he could be used by a malicious zombie-running blackhat, etc, and how easily preventable it was,so he learned something useful and practical.
I think a lot of people honestly do not know that the primary reason they might get hacked is not to get their personal information, but to use their machine to distribute hacked warez and spam email and kiddie porn. So, it's much better to do what it takes to help people understand the ramifications of their actions-or non actions, and to perhaps take a more critical look at the software they are running. To me, it's like a traffic ticket (paying to have your machine cleaned and fixed), you are SUPPOSED to learn something (stop being a no-nothing lamer) about your behavior driving your car (computer) on the public road (internet).
Once people are REALLY aware of it, then they have a chance to correct the problem. If you can't get their attention in the first place, they won't ever learn. Sometimes it takes a fine to do that.
I FULLY support ISPs or private network admins yanking access to the network from infected machines. They don't do it enough, IMO, and if it happens to me because my machine gets hosed and zombied and I don't deal with it in a timely manner, then too bad for me, too. I'd rather be told about it if I don't know myself, and losing your net access is both protecting the innocents, and getting your attention for a problem. And if THAT then kept being pushed back up the food chain to the vendors, where they had to code better, release less often, and be forced to offer products good enough they could be warrantied, then I'm all for that, too.
It shouldn't take 20 years to come up with a more secure out of the box operating system that is network capable, is the real bottom line, no matter which one you are talking about.
You'd see it get chaotic in meatspace if any manufacturer were allowed to sell "caveat emptor" products with no government required warranty, of course they would skip doing quality work then, because there would be very little risk to them. It's time software played by the rules every other manufactuer has to play by, especially if they demand IP ownership and patents and huge profits. They want it treated like a normal product, swell, but let the law treat THEM like any other product as well.
Insightful? My ass.
Do you people have this same level of expectations for other products you buy? If something, right out of the box, is shitty to the point where it's humorous, why is it so wrong to say so?
You may not thing what you're saying is a joke, but it sure is damned funny. I wonder what other hoops we could get you to jump through.
It's especially ironic that you recognize time and effort as part of the overall cost, but you still find your suggestion reasonable.
"And if you're on a wireless LAN?" Then you should be running a router that runs a firewall anyway.
or just use the -y option