Slashdot Mirror


The Windows Security Nightmare

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom-made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet-safe. I know I'll be doing this in the future."

16 of 969 comments

  1. New "casino" concept is needed by Anonymous Coward · · Score: 5, Interesting

    Microsoft should send an XP SP2 CD-ROM to everyone who has registered Windows XP. After the user installs it and visits a web site, they are entered into a Microsoft award contest. 100 random users who install XP SP2 receive a $50,000 award each. I guess everyone would upgrade if they could receive an award.

    Small price for Microsoft, great effect on security.

  2. Update CDs for family by thewldisntenuff · · Score: 5, Interesting

    I think the biggest problem in making an update CD or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.

    Case in point-
    I return home for the semester break, and my sister's PC is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yadda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-

    That's the problem...Unless I boot Linux and pull the internet from the back of the machine, her PC will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...

    As far as issues with Windows Update...Best bet is to download from someone else's high-speed PC. I had a similar incident with Sobig and a reinstallation of XP.

  3. i use windows by takitus · · Score: 4, Interesting

    and have a hardware firewall, run ie and outlook express and have never had a problem. it can almost always be chalked up to not knowing how to operate things properly. i have made similar cds that are all automated. i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that. best buy was charging $80 for the same thing that my cd did =). either way... windows is only as safe as you make it. the only thing required to keep viruses from getting in a windows box is running the patches, and even that isn't that necessary if you have a firewall. all of the rest of the viruses are contracted through user error. poo!

  4. Re:Use the Firewall by jdreed1024 · · Score: 5, Interesting

    People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

    Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

    --
    There is no sig, there is only Zuul.

  5. Re:Burn a cd? by dicepackage · · Score: 5, Interesting

    I have found that a cheap USB key drive is a great way to keep all of the necessary patches in one place that can be re-written fast.
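Whether the patches ride on a USB key, as in this post, or on the CD from the article in the summary, they are installed on a machine that cannot yet check anything for itself, so the hashes should be recorded on the trusted machine that downloaded them and verified on the target before any file is executed. The shell script below is an added example, not code from this thread or from Microsoft: the functions `make_manifest`, `verify_bundle` and `build_sample_bundle`, the manifest file name, and the placeholder `.exe` names under `patches/` are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): integrity manifest for an offline patch
# bundle. Record hashes on the trusted machine that downloaded the patches and
# verify on the freshly installed target before anything is executed.
# All function names and file names here are constructed for illustration.

MANIFEST=MANIFEST.sha256

# make_manifest <bundle-dir>
# Hash every file in the bundle except the manifest itself; sorted so that
# two manifests of the same bundle compare equal.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name "$MANIFEST" -exec sha256sum {} + | sort -k 2 ) \
        > "$dir/$MANIFEST"
}

# verify_bundle <bundle-dir>
# Returns 0 only if every listed file matches its hash AND no unlisted file
# has been added; sha256sum -c alone does not notice extra files, so count them.
verify_bundle() {
    dir="$1"
    if [ ! -f "$dir/$MANIFEST" ]; then
        echo "verify_bundle: no manifest in $dir" >&2
        return 1
    fi
    listed=$(wc -l < "$dir/$MANIFEST")
    present=$(cd "$dir" && find . -type f ! -name "$MANIFEST" | wc -l)
    if [ "$listed" -ne "$present" ]; then
        echo "verify_bundle: $present files present, $listed listed" >&2
        return 1
    fi
    ( cd "$dir" && sha256sum -c --quiet --strict "$MANIFEST" ) >/dev/null 2>&1 || {
        echo "verify_bundle: hash mismatch in $dir" >&2
        return 1
    }
    return 0
}

# build_sample_bundle <dir>
# Constructed stand-in for a real bundle; the .exe names are placeholders,
# not real Microsoft update file names.
build_sample_bundle() {
    mkdir -p "$1/patches"
    printf 'stand-in for a service pack installer\n' > "$1/patches/SP-placeholder.exe"
    printf 'stand-in for a hotfix\n' > "$1/patches/KB-placeholder.exe"
}

# Usage on the trusted machine:   make_manifest /media/usbkey
# Usage on the target, first:     verify_bundle /media/usbkey && start installing
```

The manifest travels on the same key as the patches, so it only proves that the bundle is what the trusted machine wrote, not who published the patches; it complements, rather than replaces, whatever signature check the installers themselves carry.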

  6. Re:Use the Firewall by Sean80 · · Score: 5, Interesting

    I still don't get it sometimes when people say this. I would only feel comfortable making this sort of statement based on some evidence. Not a troll or anything, but has anybody ever seen any evidence which indicates what proportion of the PC-using community understands what a "firewall" means, and, if they do, how to turn it on when they receive their brand-spanking-new PC from Dell?

    If that number turned out to be unusually low, perhaps the key is to really shove this sort of education down people's throats. How? I don't know. A series of ads on TV? Not likely. Get it into the headlines? Not likely. So I'm just not sure how this could be done.

    One thing's for sure, my mom wouldn't know what a firewall is, nor how to turn it on, and I shudder at the thought of trying to explain it. Honestly.

  7. Sucks, but he's right by erikharrison · · Score: 5, Interesting

    I've been working tech support for an ISP for years, and this guy's fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.

    The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.

    I have watched users get the Sasser virus, run System Restore, have System Restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run Windows Update, only to become reinfected with Sasser. Maintenance of Windows is hard, OS reinstall is easy. OEMs aren't adding value to the OS by providing solid maintenance tools, they're providing restore disks, because writing such a maintenance tool is INCREDIBLY difficult.

    I understand MS's need to stay committed to this design, at least through Longhorn and its revs. But as long as you are, MS, please give us a non-network-dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine-grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.

  8. Not a very convincing article by Quarters · · Score: 4, Interesting

    The author installed a bunch of 30 day trial software that borked his system. He then chose a registry cleaner without doing much research on them and ended up using a pretty poor one. Then he complains because his machine got fuggered when he had to reinstall the OS.

    Cry me a river. A tool like Norton SystemWorks that has both an installation watcher and a great Windows configuration diagnostic/repair tool would've solved his problems. Grabbing the first tool listed on Download.com when you type in "Registry Cleaner" is not the intelligent way to go about system maintenance.

  9. "They don't recognize them as usability problems" by dpbsmith · · Score: 5, Interesting

    Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."

    Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.

    It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the Nuclear Regulatory Commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is, common to all nuclear power plants--the licensee need not do anything about it.

    In the PC world, any problem that persists for more than a few years is no longer perceived as a problem. It becomes "generic."

    The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.

    Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.

    One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.

    Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.

    And before sixteen people reply explaining that .NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.

    Microsoft didn't solve the problem. They just sort of declared that it had been solved. InstallShield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's considered a plus if installing one application breaks other applications, if they happen to be competing applications).

    I could go on and on. (Indeed, I already have). In the world of PCs (and I include both Windows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me"); IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch...and formerly tame, humble consumer devices like television sets, cars, and cameras are getting computers built into them and are declining in usability too.

  10. Re:Use the Firewall by pohl · · Score: 4, Interesting

    How about you wait until the firewall is loaded before plugging in the network cable?

    +5 Funny. This reminds me of a situation at work. We sort of have two separate halves of the software development department: Java and the Microsofties. One day I wandered by the server room where the most brilliant of the Microsofties was installing some sort of PDF-indexing engine on one of their Windows servers. They were being thwarted by some dialog box that kept coming up during the install. His solution to the problem at the moment that I happened by was...I swear to god...to jam a penny into the keyboard such that it kept the return key held down, so that the key-repeat would dismiss the dialog box over & over again, in hopes that it would happen rapidly enough to get through the install.

    I swear, it's a totally different culture. Some of us insist on good software architecture. Others have an amazing capacity to be assfucked by bad software architecture and keep going back for more. You can bother about yanking and reinserting your ethernet if you really want to. I'll work around the problem by being a more selective consumer, thank you.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  11. Re:Use the Firewall by bonkedproducer · · Score: 4, Interesting

    I have Win XP SP2 Beta running on my XP box. I do notice that the firewall is much better and easier to use (seems like a weak ZA clone), except it does some weird things. The first time I used Windows Media Player in SP2 Beta, to view some movie trailers, I had the player maximized and after watching three or four, I minimized the player to check my e-mail.

    When I minimized, I saw my first experience with the new and improved firewall: a nice message in the center of the screen that had been obscured by the player, stating "The Program: Windows Media Player is trying to access the Internet, should I: Block this program, Unblock this program, Block this program but ask again in the future" (I'm paraphrasing there). Even though I hadn't told it to unblock the program, it was allowing it to download content from the web.

    I thought this was odd, and assumed maybe it only received stuff but wouldn't allow sending. Well, when I used Yahoo Messenger the first time, the same thing popped up, so I left the box on screen and did some IMing, and sent some files to friends - all without interacting with the firewall. So I must assume the firewall by default lets anything go through until told otherwise. This is security? I've noticed this behavior with many programs, and telling it to block does work, but until told to block it leaves the holes open.

    --
    Clothes make the man. Naked people have little or no influence in society - M. Twain

  12. Re:Whether you are offended by captainClassLoader · · Score: 4, Interesting

    2names comments:

    "Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

    I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore."
    Then again, you might be surprised. I once did a benefit ambient gig at a retirement home, and then wound up giving a seminar on my set-up after the gig, as a pile of people crowded around my gear to ask me how I got all those sounds. My impression was that this retirement home was a pretty boring place, and a guy showing up with a bunch of synths to crank out strange quiet downtempo stuff sorta made their day...

    --
    "The plural of anecdote is not data" -- Bruce Schneier

  13. oki, here is a nice solution or two : by da5idnetlimit.com · · Score: 4, Interesting

    As we all know, computers aren't meant to be in the hands of users, but strictly confined to (some) admins.

    There is a solution that any knowledgeable admin can use : whenever a new service pack is out, you create an updated Windows installation CD (or DVD) that includes the latest service pack => When reinstalling, you do that from SP4k or whatever, and it gives you a nice, almost secure config to start updating from...

    Also, a standard practice in my home is the use of Ghost just after the installation of all the basic software and updates...=> ditto.

    Now, a solution I have personally used on a friend's computer after the usual "crashed before it even updated" episode : I booted her computer using Knoppix, downloaded the latest service pack and quite a bit of separate updates on a separate partition and then made an install without the net on...Ironic, using Linux to get a Windows install running...

    Also (but that is only true on my own home network) I use a dedicated firewall (yeah, Linux) on my network, and I only keep open the ports I need...So, if I need to make a "virgin" Windows install, the firewall protects me from the nasty worms/exploits/whatsoever...

    Repeat after me : No Lusers in my Computer room ! 8)
    (Happily supporting my dad since Windows 3.11, I made my preceding comments a rule... backup often, streamline your updates, use a dedicated firewall...and NEVER let your dad (or any Luser) have a root/administrator account...btw, he's still using 98...)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
    1. Re:oki, here is a nice solution or two : by Pxtl · · Score: 4, Interesting

      1) working from behind a standard router is good, as you say. Any basic NAT will block most attacks.

      2) you outline a problem - using anything but windows update for updating a machine is the domain of super-l33t windows geeks. Not normal people. I know my way around a windows box very very well, but trying to update anything on a win box without the updater I find nearly impossible. Yes, there are admin downloads, but I find them outright scary to slog through.

      IMHO, they need something simpler - 2 things.
      a) a way to generate an updater CD to re-apply all Windows Update patches currently installed on your PC (for when you wipe) and b) up-to-date updater CD ISOs available to download for each currently supported MS OS for when you need to set up a friend's computer. I recently set up a friend's '98 box and it was a headache - a nice "download this disk and burn it for patching" that I could launch from XP would be ideal. If they're concerned about bandwidth, throw some of their mass of coders to make an MS torrent-a-like for said ISOs.
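The parent post's dedicated Linux firewall that keeps open only the ports it needs, and the reply's point that any basic NAT router blocks most attacks, both amount to one policy: drop unsolicited inbound traffic by default, accept replies to connections the inside started, and open named ports explicitly. The shell script below is an added example, not code from either poster: it generates an `iptables-restore` ruleset for a Linux box in that role. The interface name `eth0`, the port numbers, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny inbound ruleset
# for a dedicated Linux firewall, opening only explicitly listed TCP ports.
# Interface and port values are constructed for illustration.

# gen_rules <external-iface> <tcp-port>...
# Prints an iptables-restore file on stdout; returns 1 on a bad port.
gen_rules() {
    iface="$1"; shift
    # Validate every port before printing anything, so a typo never yields
    # a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range '$port'" >&2; return 1
        fi
    done
    printf '%s\n' '*filter'
    # Policies: nothing comes in or is forwarded unless a rule says so.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host initiated (the part a
    # NAT router gives you for free).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that claim to belong to a connection the kernel never saw.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Explicit allowlist: one rule per port, new connections, external side only.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy is about to drop, so worm
    # scans show up in syslog instead of disappearing silently.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# count_open <ruleset-text>: number of allowlisted ports in a generated ruleset
count_open() {
    printf '%s\n' "$1" | grep -c -e '--dport'
}

# apply_rules <external-iface> <tcp-port>...: load the ruleset (needs root)
apply_rules() {
    gen_rules "$@" | iptables-restore
}

# Usage: gen_rules eth0 22 > /etc/iptables.rules && apply_rules eth0 22
```

With no ports listed the box accepts nothing unsolicited at all, which is the state you want while a fresh Windows install behind it is still downloading its patches; ports get added only once there is a service that has to be reachable from outside.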

  14. First thing I do with a new Windows install is... by 5n3ak3rp1mp · · Score: 4, Interesting

    1) run any security updates
    2) strongly suggest not using Outlook
    3) Completely lock down the "Internet" security zone in IE and force users to add sites that don't function properly (due to scripting turned off) to "Trusted Sites" (which has scripting on)
    4) Strongly suggest that users use Firefox instead of IE wherever possible
    5) Install antivirus software
    6) Install Spybot Search & Destroy and AdAware

    This keeps most spyware, virii and worms out.

    As a curious side-note, the first thing I do with a new OS X install is...
    1) Apply security patches
    2) There is no Step 2 ;)

  15. Re:Uh huh! by zoloto · · Score: 4, Interesting

    "Microsoft has set aside a $5 million fund for paying off informants on malware authors"

    Maybe Microsoft should pay the money to themselves and redesign their software

    You know, if the next version of Windows(TM) pulls what Apple did with their OS X, built a BSD underbelly to it and didn't allow backwards compatibility outside of a sandbox of sorts, I wouldn't cry. Then it would be possible to secure the system and hopefully they'd get rid of their godforsaken registry / file and drive permissions / insecure nature for the most part.

    It won't be infallible, but simply less insecure for the current vulns out there.

    Then again, MSFT might implement this shiz so badly and incorrectly that we'd be stuck with a bunch of new problems of which we haven't a clue to fix.

    just my 2 cents