Slashdot Mirror
The Windows Security Nightmare
latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install that user's system loses all the previously applied security updates, and becomes a sitting duck for worms and other malware.
Thats why I'm such a FreeBSD/Mac advocate.
-Imidazole2
From article:
"so simple, even my grandmother could implement it."
As a 48 yo grandmother, I am offended that technical incompetance is equated with being a grandparent. I don't think anyone would have said "so simple even my grandfather could implement."
I am incidentally, a C programmer of 20+ years.
People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.
Better make that a rewritable...
the CD held knoppix
my windows security nightmare involves bill gates breaking all my boxen with a life size stainless steel Clippy.
This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP
I took the extreme opposite approach: I don't help family or friends with their Windows problems if they've asked me for advice and gone against it. (as written about in my journal last March.)
Trolling is a art,
Microsoft should send XP SP2 CD-ROM to everyone that has registered Windows XP. After user installs and visits some web site, they enter into Microsoft award contest. 100 random users that install XP SP2 receive 50.000$ award each. I guess everyone would upgrade if they could receive an award.
Small price for Microsoft, great effect on security.
This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings.
It's the bigger problem of running services by default. The average user doesn't need half of the services that run. Linux figured that out years ago - most services are off these days, and those that are on are fairly secure (ie: sshd). Even if some of these services are required for system operation (like some folks have claimed), there's no reason for them to be listening on addresses other than 127.0.0.1.
There is no sig, there is only Zuul.
Ah yes, brought to you by the letter V, as in VMS. IIRC it was a few digital VMS engineers that left and help build many of the more functional components of WinNT. And apart from the ACL, i believe the registry (at least for pathworks) was another digital innovation...
Never forget there is very little you can credit Microsoft with...
was have them type 'shutdown -a' at the command prompt and the rebooting would have stopped. I have helped people remove this worm many times using Remote Assistance, over dialup without any issues. The firewall software is going to cause more problems in the long run as it will block some of their games, or even him remotely accessing the machines in emergencies.
I cannot help but see the analogy here.
...etc.), and not the root cause (flawed security design, ...etc.).
Microsoft takes the approach of fighting the symptom (malware,
This is the same way many governments approach things like terrorism. They address it like a security problem only, that Intelligence Agencies and the Military/police handle. Why these ideologies developed, and what are the social, economic, and political reasons that lead to it is never even attempted.
And it is not only America, this has happened before in Ireland, Spain, Egypt and elsewhere.
Unless the root cause is studied, a correct diagnosis is made, and then remedial actions are taken, no amount of policing will fix the problem for good.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
This isn't anything new -- I've sent plenty of patch CD's with customized .bat/.cmd files along with stupid-easy instructions thanks to an autorun.inf that takes care of everything from hotfixes to updating DirectX and IE, even restarting the box when it's done..all without bothering the user with confusing dialog boxes. It helps quite a bit when your family has dial-up and can't even get to Windows Update before Sasser or equivalent hoses their machine.
But, then again, I've sent many times more Linux distro CD's to my friends.
You can get the same from MS, free.
RTFA. (Wow, what a concept!) He covers that.
"(AP) Dateline August 12, 2008. National and international commerce was brought to a halt as the "SugarCookie" worm infected and seized up the installed base of Windows 2006 computers. An FBI task force was able to determine that the worm was written by someone's grandmother who thought she was entering a cookie recipe into her computer. She was quoted as saying 'I did not know that Windows was so insecure that you could bring down networks with accidentally-written worm programs'"
Don't blame Durga. I voted for Centauri.
So your solution is to spend $80 on hardware to workaround a defect in $100+ software? Does he have to carry this device around with his laptop everywhere? This is a joke, right?
If you're going to go after Windows employees, don't bother with the registry and update guys. Nail the guys who made ActiveX and Outlook.
There ya go, I'm an informant now. When can I expect my check? =)
Weaselmancer
Weaselmancer
rediculous.
How do you know? If its not running a virus scanner how would you tell if it had a virus or not?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I think the biggest problem in making an update cd or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.
Case in point-
I return home for the semester break, and my sister's pc is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yaddda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-
That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...
As far as issues with Windows Update...Best bet is to download from someone else's high-speed pc. I had a similar incident with SoBIG and a reinstallation of XP.
My MythTV HowTo
and have a hardware firewall, run ie and outlook express and have never had a problem. it can almost always be chalked up to not knowing how to operate things properly. i have made similar cds that are all automated. i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that. best buy was chargin $80 for the same thing that my cd did =). either way... windows is only as safe as you make it. the only thing required to keep viruses from getting in a windows box is running the patches, and even that isnt that necessary if you have a firewall. all of the rest of the viruses are contracted through user error. poo!
If it has no virus scanner, how do you know that it's never been infected?
How about creating a CD to make the internet safe from Windows XP
Maybe something that strips out the entire TCP/IP stack - a castration of sorts for the good of all mankind
My name is Bill and I pronounce Windows -- WeenDOHS
Microsoft's Windows Security Update CD is great in theory, but almost worthless in practice. The lead time for delivery is so long, by the time you get the CD, another batch of viruses/worms are out exploiting newly discovered vulnerabilities.
sPh
But, if you don't believe me try this little test:
Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.
I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore.
$.02
"I'm just here to regulate funkiness."
...why stupid people shouldnt use computers.
Just because its made by microsoft, that doesn't mean an idiot should administer it. It certainly doesn't mean its going to be secure and stable out of the box.
The huge divide between Unix/Linux and Windows is that Unix/Linux forces you to know what you're doing when you install something on your computer. Windows assumes the opposite.
However, if you do know what you're doing with Windows, problems of this nature are not really problematic. Fixing Windows without reinstalling is easy for competent administrators. Jeez, I can get around in Windows without a mouse and without explorer.exe.
Here's a hint guys: if something breaks on Windows -- don't install a program to fix your computer. It will break it further. Don't install registry cleaners -- they suck. Slick your system, ghost your system, take registry snapshots now and then. Don't install third party software on production machines without testing on crap boxes first. Do know your system in and out.
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
The author's slanted raving is over the top. I could just as easily read about some Linux newbie's nightmare experience trying to get all of his hardware to work or how they had to rebuild the kernel after applying some new module to their system.
My main gripe with how things are is that all new PC's should be delivered fully patched as of their configuration date. And since Microsoft has switched to their license subscription model they should ship out CD's to all licensed customers with all rollup security packs available. Just like a TechNet subscription operates for previewing beta products. I don't mean a user calls into Microsoft to request a CD. It's their place to send them out. Just like an auto company would mail out recall notices.
Wow. Think of what you're saying. You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?
There is no sig, there is only Zuul.
I skimmed through the article, which didn't have many technical details. Here's what we do at work:
:-)
You can integrate the service pack into the setup (which will be especially useful when SP2 arrives) so that it's installed at the same time. This works with Windows 2000 and up.
You can then use Sysprep (brief introduction) to automatically deploy the latest patches the first time the machine boots.
Here's a nice article on how to burn the result to a bootable CD.
It's a bit of work, and requires constant maintenance but it saves a lot of headaches in the long run.
An easier method, if you have a lot of machines with identical specs. Build a template machine with the OS installed, adding all the service packs, patches, etc. Use software like Ghost to make an image for deploying to multiple machines.
Who says the stuff you learn on an MCSE isn't useful?
+5 insightful?
The total cost of his solution was the cost of the CD--your solution costs $80, and it isn't even complete.
He mentioned installing a firewall (such as ZoneAlarm) which is free and would do as effective a job as your $80 solution.
Also, one of the other large problems today is spyware (or hijackware as it should really be called), and that comes over the browser on port 80. Your $80 firewall is not going to stop that. However, the author of that article offered several free (and wise) solutions to combat this problem.
I know I'm not supposed to feed trolls, but common, at +5 I just had to respond.
If you're really pushing this $80 solution over a perfectly reasonable free solution, then you either work for D-Link or you shouldn't be taken seriously.
Also keep in mind that the article's author used a dial-up connection. Conventional hardware firewalls deal with ethernet...
I've been working tech support for an ISP for years, and this guys fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.
The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.
I have watched users get the Sasser virus, run system restore, have system restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run windows update, only to become reinfected with the sasser. Maintainence of Windows is hard, OS reinstall is easy. OEM aren't value adding to the OS by providing solid maintanence tools, their providing restore disks, because writing such a maintanence tool is INCREDIBLY difficult.
I understand MS's need to stay commited to this design, at least through Longhorn and it's revs. But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.
The free version of QNX comes with no inbound services enabled. Most of the standard UNIX-type services are available, but they're not installed by default. It's a pure client. In fact, it's very close to what the iOpener ran. Both dial-up and LAN connections are supported.
Mozilla 1.1 runs, but without Flash. There's a word processor, ABIword. The whole GNU toolchain is available. Unfortunately, OpenOffice hasn't been ported.
It's refreshing to run a system without all the Microsoft crap, or the Linux emulations of it.
Here's a possible solution I was discussing not twenty minutes ago.
1) add private network ip address (10.0.1.1) to existing public server
2) do no NAT or other routing on this ip
3) have squid running on 10.0.1.1 to accept connections from a handful fo addresses in 10.0.1.x or do proxy authentication
4) when installing/updating/troubleshooting windows boxes assign them a 10.0.1.x address and set windowsupdate to use the proxy
Windows update runs, the machine is on its own tiny network isolated from all legit traffic and can't compromise your network plus it it can't be infected from outside as it's safe behind the proxy. When you feel it's safe (you've got all patches, firewall, etc configured) restart with DHCP and get an address on your "real" network.
Or you could roll your own installation cd with the correct service packs and security updated included, but why fix a software problem with software...?
-dameron
I could not help but find myself in quite a humorous state as I read that article. As a Support Analyst for a Fortune 50 company, I see many of the errors that the user was describing in the beginning of the article. Unforunately for him, he reinstalled the OS. All he needed to do was recreate his Windows profile.
The right click locking explorer and the functionality loss of Mozilla were most definely not caused by the Reg, but more likely caused by a corrupted NTUSER.Dat file in the profile folder of his machine.
Furthermore, if you are currently reading this article on your home PC and not sitting behind a firewall of some sort, please send an email to banme@slashdot.org with the attention line reading I am no longer worthy.....just kidding just kidding.
http://jayceecorder.blogspot.com
Son, I think it was a virus that took your name out of the will.
----- .dlls using the registry, Back Orifice, Sub7, and NetBus come to mind.
If the registry or the filesystem gets bloated because of malfunctioning application uninstallers, how is that MS' fault?
-----
The registry was a bad idea from the start. The registry may have been designed and implemented for storage of specific useful information which would contribute to interoperability between applications but it doesn't take a brain surgeon to look ahead and see that every screen saver, toolbar, and "neat app" author would start filling the registry full of excess junk keys that mean nothing to the rest of the system. Additionally there are more than a few ways to hijack
That is why I blame MS for the registry. It would be a good idea if the user was consulted for every new key added. That can't be done because the user can't be bothered. Unfettered, unrestricted application access to a housekeeping system with as much clout as the registry should plain not be possible. Since it's impossible to secure the registry the registry never should have been implemented.
KDE and Gnome are following the same path to h-e-double-toothpicks.
+++ATHZ 99:5:80
Cry me a river. A tool like Norton System Works that has both an installation watcher and a great Windows configuration diagnostic/repair tool would've solved his problems. Grabbing the first tool listed on Download.com when you type in "Registry Cleaner" is not the inteligent way to go about system maintenance.
I was going to post something less colourfully phrased if no one else had.
The author of the article is either inept or trolling. Unless you are doing something dumb like downloading tons of shareware apps, installing them briefly, then uninstalling them, the registry should be fine.
Of course, he *does* seem to be the kind of person that does exactly that, based on his "I downloaded a random 'registry cleaner' program and trusted it with my computer's stability, and now my PC doesn't work!" thing.
The hotfix issue is a legitimate complaint, but anyone who is running Windows 2000 (an enterprise operating system) at home should be comfortable with making slipstreamed install CDs - especially if the user is someone with dialup access who regularly formats and reinstalls their system.
I'm sure MS would be happy to provide physical CDs with the updates on them if more than a tiny fraction of users were willing to pay a small fee for the convenience. It's not like Linux users get magic free CDs mailed to them from the groups that package the distributions.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."
.NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.
...and formerly tame, humble consumer devices like televisions sets, cars, and cameras are getting computers built into them and are declining in usability too.
Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.
It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the nuclear regulatory commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is common to all nuclear power plants--the licensee need not do anything about it.
In the PC world, any problem that persists for more than a few years is not longer perceived as a problem. It becomes "generic."
The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.
Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.
One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.
Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.
And before sixteen people reply explaining that
Microsoft didn't solve the problem. They just sort of declared that it had been solved. Installshield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's consider a plus if installing one application breaks other applications, if they happen to be competing applications).
I could go on and on. (Indeed, I already have). In the world of PC's (and I include both WIndows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me,") IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch...
"How to Do Nothing," kids activities, back in print!
Well, while i agree with most of the point made, there are simple steps to prevent worms.
At my parent's home, there is a Linux box doing NAT, so, in the box, the windows box on the local network are protected from any worms. They end up having enough time to download all the necessary patches from Windows Update.
Recently, I reinstalled my windows XP. But before reformatting, the first thing i did was to burn a firewall like zone alarm. I then install my box without being connected the internet, and proceed to install the firewall. It is only then that i download the patches.
Else, it would be just plain nightmare.
AutoPatcherXP is an excellent collection of patches and updates that I've included on CD (along with some other tools) for our user's home computers. It contains about 300Megs of updates/patches/apps and is relatively up to date with all of the critical patches. :(
After running AutoPatcher, only a few critical updates are needed off of windowsupdate's site. Unfortunately, MS04-011 is one of the critical patches NOT included with AutoPatcher.
Wait a minute. I got it. You could play with your magic nose goblins.
You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?
/. crowd will never want filtered internet for themselves. But for your family? Wouldn't you want your mom on an AOL idiot proofed connection? If anything goes wrong, you could just tell her to call AOL and play dumb.
Our office lan has a hardware firewall and a network installed virsus scanner. I think every network should be secured.
As a home user, do you trust Cable One, AOL, or a generic small time ISP to keep you safe? Are they responible for filtering all network traffic before it hits you? I'm going to say they should have hardware firewalls of there own.
The
Custom Update CDs are by far the easiest way to fix most of your family members problems without actually having to be there (or netmeeting ect...)
/release" (die network!)
My custom CD auto runs upon insertion, and with the help of a little autoit script, it does this
- Pops up a windows telling them to politely leave the PC the hell alone (and updates the status along the way)
- Locks all user keyboard and mouse input (don't want them screwing anything else up)
- Executes "ipconfig
- Runs the latest McAfee Stinger (silently)
- Runs the latest McAfee Command Line scanner from the extracted SuperDat files
- Checks Whether its 2000 or XP and makes sure that the latest SP is installed, if not, it installs it (and then reboots)
- Installs all the latest Critical Updates for that OS
- Updates their McAfee or Norton Anti-Virus with the lastest dats on the CD (unless older)
- Runs Spybot (copies config file over first, which autostarts/autofixes everything upon running)
- Verifies that several of the services are set to the correct status (stopped/disabled or started/automatic)
- Installs a registry file to help speed up the menus, ect...
- Reboots
This has saved me more time than I can possible count. Before switching to this method, my life was hell (not to mention how high my gas bill was), now I just Fedex them a Updated CD anytime they call, and 99% of all problems are solved.
The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter.
And yet, people still want Windows. I work in a high-tech call center, and people still look at me with blank stares when I tell them I don't use Windows at all at home.
Q "What do you run for anti-virus?"
A "Nothing. Linux isn't as succeptible to viruses"
Q "What about spyware?"
A "Same thing. I don't run anti-spyware either because I don't get it. Oh, and I can update my computer without rebooting too"
I've even had a laptop running nothing but Slackware, and technical people _not_ believing that Windows wasn't somehow still on the machine! People just don't see computers with anything other than Windows. If computers = Windows, then how can people get sick of Windows and not be sick of computers? The fact is, Microsoft has done a brilliant job of equating computers with Windows, to the point where even most technical people don't see any other option.
I think my job as an Open Source advocate is to just let people see Linux run on a computer, and let them follow the inevitable logical conclusion themselves.
Ruby on Rails Screencast
This guy's an idiot. He installs crap and unreliable third party applications and drivers on his system and then blames Microsoft! The article was a rant about security, so why the comments about the registry? It seems that was a dig based on some other personal dislike. He admits he placed his trust in some third party tool to clean his registry! Seems rather foolish.
/etc, /lib, rc scripts, etc. Just as time consuming and frustrating to fix. Just as painful for incompetent and computer illiterate people. Just as many people running with root level priviledges. Just as many boxes cracked automatically before security updates can be downloaded.
... oops!).
If Linux were as popular as Windows, there would just as much poor quality crap coming out for it trashing
I ran Windows 2000 for 3.5 years with the only problems coming from Creative Labs DXR3 and SoundBlaster Live! drivers, and Mozilla's graphics resource eating issues. I won't buy anything from Creative Labs again, and Mozilla have fixed their bugs. I only had to re-install Windows after I accidentally trashed the first part of its partition playing around under Linux (Grub, Lilo, dd
As we all know, computers, aren't meant to be in the hands of users, but strictly confined to (some) admins.
There is a solution that any knowledgable admin can use : whenever a new service pack is out, you create an updated Windows installation cd (or dvd) that include the latest service pack => When reinstalling, you do that from SP4k or whatever, and it gives you an nice, almost secure config to start updating from...
Also, a standard practice in my home is the use of Ghost just after the installation of all the basics softwares and updates...=> ditto.
Now, a solution I have personnaly used on a friend computer after the usual "crashed before it even updated" episode : I booted her compuer using knoppix, downloaded the latest service pack and quite a bit of separate updates on a separate partition and then made an install without the net on...Ironic, using Linux to get a windows install running...
Also (but that is only true on my own home network) I use a dedicated firewall (yeah, Linux) on my network, and I only keep open the ports I need...So, if I need to make a "virgin" Windows install, the firewall protects me from the nasty worms/exploits/whatsoever...
Repeat after me : No Lusers in my Computer room ! 8)
(Happily supporting my dad since Windows 3.11, I made my preceding comments a rule... backup often, streamline your updates, use a dedicated firewall...and NEVER let your dad (or any Luser) with a root/administrator account...btw, he's still using 98...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
This is pretty typical of the FUD articles about Windows or Linux that /. has been publishing lately. Windows zealots send in articles written by MS puppet "research organizations" that belittle the OSS folks; then the Linux zealots respond in kind with this article.
It's really simple, people. Informed users will lock down their systems and know how to patch appropriately, regardless of their OS. Uninformed users will never lock down their systems or will get fooled into opening an exploit backdoor, regardless of their OS.
1) run any security updates
;)
2) strongly suggest not using Outlook
3) Completely lock down the "Internet" security zone in IE and force users to add sites that don't function properly (due to scripting turned off) to "Trusted Sites" (which has scripting on)
4) Strongly suggest that users use Firefox instead of IE wherever possible
5) Install antivirus software
6) Install Spybot Search & Destroy and AdAware
This keeps most spyware, virii and worms out.
As a curious side-note, the first thing I do with a new OS X install is...
1) Apply security patches
2) There is no Step 2
he's paying him back. He's showing him that it's much better to not get your computer hosed in the first place, so he IS paying his dad back for his education, in exact kind. Adults can be wrong, but there's no easy way to point this out to them, in a father/son situation. And it worked according to the post, when his father realised what a PITA it is, what it really costs,both in cash in what might be done to his machine or credit card or other personal info, or how he could be used by a malicious zombie-running blackhat, etc, and how easily preventable it was,so he learned something useful and practical.
I think a lot of people honestly do not know that the primary reason they might get hacked is not to get their personal information, but to use their machine to distribute hacked warez and spam email and kiddie porn. So, it's much better to do what it takes to help people understand the ramifications of their actions-or non actions, and to perhaps take a more critical look at the software they are running. To me, it's like a traffic ticket (paying to have your machine cleaned and fixed), you are SUPPOSED to learn something (stop being a no-nothing lamer) about your behavior driving your car (computer) on the public road (internet).
Once people are REALLY aware of it, then they have a chance to correct the problem. If you can't get their attention in the first place, they won't ever learn. Sometimes it takes a fine to do that.
I FULLY support ISPs or private network admins yanking access to the network from infected machines. They don't do it enough, IMO, and if it happens to me because my machine gets hosed and zombied and I don't deal with it in a timely manner, then too bad for me, too. I'd rather be told about it if I don't know myself, and losing your net access is both protecting the innocents, and getting your attention for a problem. And if THAT then kept being pushed back up the food chain to the vendors, where they had to code better, release less often, and be forced to offer products good enough they could be warrantied, then I'm all for that, too.
It shouldn't take 20 years to come up with a more secure out of the box operating system that is network capable, is the real bottom line, no matter which one you are talking about.
You'd see it get chaotic in meatspace if any manufacturer were allowed to sell "caveat emptor" products with no government required warranty, of course they would skip doing quality work then, because there would be very little risk to them. It's time software played by the rules every other manufactuer has to play by, especially if they demand IP ownership and patents and huge profits. They want it treated like a normal product, swell, but let the law treat THEM like any other product as well.
Insightful? My ass.
Do you people have this same level of expectations for other products you buy? If something, right out of the box, is shitty to the point where it's humorous, why is it so wrong to say so?
You may not thing what you're saying is a joke, but it sure is damned funny. I wonder what other hoops we could get you to jump through.
It's especially ironic that you recognize time and effort as part of the overall cost, but you still find your suggestion reasonable.
Okay, let's get one thing straight. The only reason Windows is so easily attackable (and why Mac OS X and Linux are not) is that Windows ships with 10 million services running and listening on well-known ports. It's not the registry (although that contributes to instability over time), it's not Windows Update (although that could be much better designed - resumability, and fewer reboots!). The reason Windows is so vulnerable is it has far too many open avenues of attack.
Try to hack a default OS X install, or many default Linux installs - sorry, *no* ports are open by default, so what can you attack? At best you minght be able to DDOS the box, or some upstream piece of network equipment, but you can't crash or hack the box itself.
On my OS X box all I have open is SSH and everything else configured to only listen to localhost. If you manage to crack that, I have a lot more to worry about.
I don't know what kind of crack I was on, but I suspect it was decaf.
Well, first off, there's nothing to stop you doing this now. You can just download all the patches individually and burn them to a CD. But what's the problem with this?
The short; this just means you'll be distributing virii by sneakernet. (Which is, admittedly, much slower than the Internet, but none the less...)
You know, back before we had this newfangled "interweeb", we still had virii and worms. They were passed around on corperate networks, from networks to other machines and networks by floppy disk, and also they were sometimes distributed on BBSs with sloppy sysadmins.
A "sharable" disk means that, instead of going through the effort of downloading those hundreads of megs of patches, I can just go copy a friend's disk. A copy of a "friend or an aquaintence"'s disk, however, is not a copy from a trusted source. Where did they get the disk from anyways? Who did they copy it from? It would strike me as very easy to craft a disc which would install a few intentionally malformed patches.
There are a couple of solutions to this problem. You could, for example, make your machine compare a the cryptographic hash of each patch against a known cryptographic hash. In order to get the known hash, however, you'd have to connect to that ol' public network again, with an unprotected machine. Since this functionality does not exist in current versions of Windows, you would also need some kind of initial patch from Microsoft to pull this off.
Another fix would be to cryptographically sign everything with a public key cryptosystem. This works great, so long as noone breaks your cryptosystem and/or finds the private key. Again, the functionality doesn't exist in today's implementations of Windows, so you still need another initial patch. (At least, as far as I know... I suppose XP might have signed updates; I've never tried to forge one.) This might be promising for future versions of windows. Microsoft has already bet your system security on a public key system with signed .NET objects, so this isn't so bad.
Both of these can easily be circumvented by a "sharable CD" that uses autorun to install nasty things before you install any patches at all. Of course, autorun is another feature of windows with questionable security.
In the end, the public network isn't really such a bad tool for delivering patches. Microsoft's implementation could be improved upon; upon installation of a "fresh" copy of XP, for example, the install could connect to the net and download all required patches prior to opening any ports on the system. (You don't need RPC to download patches, afterall). This is, more or less, the idea behind having the personal firewall enabled by default (only that's a little more kludgey).
I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.
; en-us;323166
The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb
Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.
When I found that I was very pleased.
I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.
FTC warranty info
From that page, scroll down some:
Implied Warranties
Implied warranties are created by state law, and all states have them. Almost every purchase you make is covered by an implied warranty.
The most common type of implied warranty--a "warranty of merchantability," means that the seller promises that the product will do what it is supposed to do. For example, a car will run and a toaster will toast.
Another type of implied warranty is the "warranty of fitness for a particular purpose." This applies when you buy a product on the seller''s advice that it is suitable for a particular use. For example, a person who suggests that you buy a certain sleeping bag for zero-degree weather warrants that the sleeping bag will be suitable for zero degrees.
If your purchase does not come with a written warranty, it is still covered by implied warranties unless the product is marked "as is," or the seller otherwise indicates in writing that no warranty is given. Several states, including Kansas, Maine, Maryland,
Massachusetts, Mississippi, Vermont, West Virginia, and the District of Columbia, do not permit "as is" sales.
If problems arise that are not covered by the written warranty, you should investigate the protection given by your implied warranty.
Implied warranty coverage can last as long as four years, although the length of the coverage varies from state to state. A lawyer or a state consumer protection office can provide more information about implied warranty coverage in your state.
---this is why they don't "sell" you software, they "license" it, and in the fine print it is most prominent that it has no fitness for purpose, or merchantability, etc.
That's the part that is a scam, IMO,it's leaglistic legislated snakeoil fraud, and needs to change. It's like GM offering cars "for license" instead of "for sale", and because they got 100 yards mileage on them driving them on and off transporters before they get to the dealers saying they are "used" and "Licensing" them to you for big money "as is". That would be stupid and a scam, and it's the same with software that they "license" but everyone on the planet can see they "sell".
And if you are saying "too bad, that's the contract they click agree on", then I agree, that's why I think it should be outlawed,the law NEEDS to be changed, maybe from a serious major class action suit, because it's a freeking sale, and it needs at a minimum implied warranties like every other product out there. I'm just the kinda guy gonna call a spade a spade, that software is sold. there's free software, then there's for-sale software, everyone knows the difference. They can legal mush mouth it all they want to, it's still sold, that's how most people treat it and think of it, so it needs a warranty, for merchantability and fitness of purpose and so on.