The Windows Security Nightmare
latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings.
It's the bigger problem of running services by default. The average user doesn't need half of the services that run. Linux figured that out years ago - most services are off these days, and those that are on are fairly secure (ie: sshd). Even if some of these services are required for system operation (like some folks have claimed), there's no reason for them to be listening on addresses other than 127.0.0.1.
There is no sig, there is only Zuul.
I cannot help but see the analogy here.
...etc.), and not the root cause (flawed security design, ...etc.).
Microsoft takes the approach of fighting the symptom (malware,
This is the same way many governments approach things like terrorism. They address it like a security problem only, that Intelligence Agencies and the Military/police handle. Why these ideologies developed, and what are the social, economic, and political reasons that lead to it is never even attempted.
And it is not only America, this has happened before in Ireland, Spain, Egypt and elsewhere.
Unless the root cause is studied, a correct diagnosis is made, and then remedial actions are taken, no amount of policing will fix the problem for good.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
So your solution is to spend $80 on hardware to workaround a defect in $100+ software? Does he have to carry this device around with his laptop everywhere? This is a joke, right?
How do you know? If its not running a virus scanner how would you tell if it had a virus or not?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
But, if you don't believe me try this little test:
Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.
I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore.
$.02
"I'm just here to regulate funkiness."
Since a few people have mentioned this: He was using Windows 2000. It doesn't have a firewall.
Igor Presnyakov stole my hat
Wow. Think of what you're saying. You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?
There is no sig, there is only Zuul.
...and I don't believe obtaining a DHCP lease would be a problem through this.
Asking users to plug/unplug their network cable is just plain silly.
It's a rational expectation that a brand new machine, or one restored to factory configuration, should have no fatal problems - we certainly expect that the wheels don't fall off our cars just after we drive off the new car lot. We shouldn't have to *know* that we have to tighten the lugnuts or get new tires because the ones I juts bought are about to explode, and I shouldn't have to immediately change the locks because everyone and their grandmother can pick the one I just bought with a toothpick.
Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?
No, my suggestion was not a "solution" to the general problem. It was an idea for the supposedly technical person trying to fix a b0rked windows box which they couldn't get to stay up long enough to patch. For that person, I would have thought that unplugging a cable would be both obvious and straightforward. Should regular users be disconnecting their boxes every time they reboot? Of course not.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
I could not help but find myself in quite a humorous state as I read that article. As a Support Analyst for a Fortune 50 company, I see many of the errors that the user was describing in the beginning of the article. Unforunately for him, he reinstalled the OS. All he needed to do was recreate his Windows profile.
The right click locking explorer and the functionality loss of Mozilla were most definely not caused by the Reg, but more likely caused by a corrupted NTUSER.Dat file in the profile folder of his machine.
Furthermore, if you are currently reading this article on your home PC and not sitting behind a firewall of some sort, please send an email to banme@slashdot.org with the attention line reading I am no longer worthy.....just kidding just kidding.
http://jayceecorder.blogspot.com
Asking users to plug/unplug their network cable is just plain silly.
I'd have to disagree. I think making someone work for something might make them a bit more appreciative of what needs to be done to maintain it.
I told my father to take his computer to a local shop to have it fixed rather than drive up to me. Once he learned how much it costs to have things fixed that can easily be avoided he seemed much more interested in learning how to take care of things than thinking "this thing should just do as I want it to" (and he stopped downloading stupid ass screensavers.
A little work goes a long way.
You see, it takes 20 seconds to 2 minutes from the network activation to the firewall start every time you turn on the PC, not just when you're getting the latest update. And if you think you only need a firewall when you're running Windows Update, then you're missing the whole point of having a firewall.
If all this should have a reason, we would be the last to know.
I was going to post something less colourfully phrased if no one else had.
The author of the article is either inept or trolling. Unless you are doing something dumb like downloading tons of shareware apps, installing them briefly, then uninstalling them, the registry should be fine.
Of course, he *does* seem to be the kind of person that does exactly that, based on his "I downloaded a random 'registry cleaner' program and trusted it with my computer's stability, and now my PC doesn't work!" thing.
The hotfix issue is a legitimate complaint, but anyone who is running Windows 2000 (an enterprise operating system) at home should be comfortable with making slipstreamed install CDs - especially if the user is someone with dialup access who regularly formats and reinstalls their system.
I'm sure MS would be happy to provide physical CDs with the updates on them if more than a tiny fraction of users were willing to pay a small fee for the convenience. It's not like Linux users get magic free CDs mailed to them from the groups that package the distributions.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Quoth the parent:
I read that and nearly spit coffee on my keyboard. OK, let's assume that the parent poster is being 100% honest, that he made "a few grand" selling home-burned CDs outside Best Buy at $20 a pop. That's, conservatively, 100 CDs!
In other words, at least one hundred people were perfectly willing to shell out money -- cash, presumably -- to some random guy in front of a store, then take this guy's CD home and blindly install whatever the hell he'd given them!
Folks, talk all the shit about Microsoft that you want, but there's your security problem! If this guy is on the level, we've just had a prime lesson in the reason why Blaster, et al spread like typhoid.
You know, don't you feel sorry for Microsoft, sometimes -- just a little bit? I mean, imagine you're a Microsoft engineer. You're hard-working. You really do try, given the massive user base you have to support and the cruft of legacy code you're stuck with. Reasonably fast patching for security holes, updates -- hell, they'll send you a damn CD of updates for free!
And then you read something like this. And request an immediate transfer to the Office development group...working with Clippy would seem like a joy.
And for all the linux advocates out there -- especially the zealots, the Stallman's Witnesses -- this is a cautionary tale. If and when linux starts to hit the desktops, you're going have this same problem. If 100 users are willing to take some guy's CDs and install them, no questions asked, they're not going to flinch when he says, "Oh, and it will prompt you for your administrator password. You'll need to enter that in order to make sure the system is scrubbed." Play out your own nightmare scenario, there. Linux is inherently more secure? Really?
Social engineering-based cracking can't be stopped. Not by Windows, not by Linux.
The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter.
And yet, people still want Windows. I work in a high-tech call center, and people still look at me with blank stares when I tell them I don't use Windows at all at home.
Q "What do you run for anti-virus?"
A "Nothing. Linux isn't as succeptible to viruses"
Q "What about spyware?"
A "Same thing. I don't run anti-spyware either because I don't get it. Oh, and I can update my computer without rebooting too"
I've even had a laptop running nothing but Slackware, and technical people _not_ believing that Windows wasn't somehow still on the machine! People just don't see computers with anything other than Windows. If computers = Windows, then how can people get sick of Windows and not be sick of computers? The fact is, Microsoft has done a brilliant job of equating computers with Windows, to the point where even most technical people don't see any other option.
I think my job as an Open Source advocate is to just let people see Linux run on a computer, and let them follow the inevitable logical conclusion themselves.
Ruby on Rails Screencast
Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT. You have no idea how many times I've been troubleshooting broken internet apps only to find out that Zone Alarm/Black Ice is installed. One of my first questions now is to find out if those things are installed. The sole purpose of those software packages is to annoy you every time it blocks a connection and try and convince you to pay money for the enhanced version of the nagware.
You declare that the SP2 firewall broke your ability to print, but you do not know why. You just take a reactive stance and jump back to what works now instead of finding the underlying problem and solving it. I'm sorry, but I just don't believe that the firewall broke your ability to print unless there was an underlying reason. Outbound connections are not blocked by the firewall. The same statement goes for seeing others on the network. Maybe you were just impatient and didn't wait for browsing to stabalize which takes up to something like 15 minutes in a single broadcast domain. If you're really that anxious to connect to another computer and can't wait for the browse list, do a start | run | \\COMPUTERNAME.
If you want the computer to be seen on the network, create an exception list in the firewall configuration! It already has a preset for file and print sharing one tab over from where you enabled the firewall for crying out loud!
God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it. It's not Microsoft's fault that you don't RTFM or open your eyes to see that there's other configuration options when you use a feature. Blaming Microsoft may be fun, but it's not always the answer.
-Lucas
he's paying him back. He's showing him that it's much better to not get your computer hosed in the first place, so he IS paying his dad back for his education, in exact kind. Adults can be wrong, but there's no easy way to point this out to them, in a father/son situation. And it worked according to the post, when his father realised what a PITA it is, what it really costs,both in cash in what might be done to his machine or credit card or other personal info, or how he could be used by a malicious zombie-running blackhat, etc, and how easily preventable it was,so he learned something useful and practical.
I think a lot of people honestly do not know that the primary reason they might get hacked is not to get their personal information, but to use their machine to distribute hacked warez and spam email and kiddie porn. So, it's much better to do what it takes to help people understand the ramifications of their actions-or non actions, and to perhaps take a more critical look at the software they are running. To me, it's like a traffic ticket (paying to have your machine cleaned and fixed), you are SUPPOSED to learn something (stop being a no-nothing lamer) about your behavior driving your car (computer) on the public road (internet).
Once people are REALLY aware of it, then they have a chance to correct the problem. If you can't get their attention in the first place, they won't ever learn. Sometimes it takes a fine to do that.
I FULLY support ISPs or private network admins yanking access to the network from infected machines. They don't do it enough, IMO, and if it happens to me because my machine gets hosed and zombied and I don't deal with it in a timely manner, then too bad for me, too. I'd rather be told about it if I don't know myself, and losing your net access is both protecting the innocents, and getting your attention for a problem. And if THAT then kept being pushed back up the food chain to the vendors, where they had to code better, release less often, and be forced to offer products good enough they could be warrantied, then I'm all for that, too.
It shouldn't take 20 years to come up with a more secure out of the box operating system that is network capable, is the real bottom line, no matter which one you are talking about.
You'd see it get chaotic in meatspace if any manufacturer were allowed to sell "caveat emptor" products with no government required warranty, of course they would skip doing quality work then, because there would be very little risk to them. It's time software played by the rules every other manufactuer has to play by, especially if they demand IP ownership and patents and huge profits. They want it treated like a normal product, swell, but let the law treat THEM like any other product as well.
or just use the -y option