The Windows Security Nightmare

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

Uh huh!

[imidazole2]

A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install that user's system loses all the previously applied security updates, and becomes a sitting duck for worms and other malware.

Thats why I'm such a FreeBSD/Mac advocate.

Re:Uh huh!

[zoloto]

"Microsoft has set aside a $5 million fund for paying off informants on malware authors


Maybe microsoft should pay the money to themselves and redesign their software

You know, if the next version of Windows(TM) pulls what Apple did with their OS X, built a bsd underbelly to it and didn't allow backwards compatibility outside of a sandbox of sorts I wouldn't cry. Then it would be possible to secure the system and hopefully they'd get rid of their god forsaken registry / file and drive permissions / insecure nature for the most part.

It won't be infallible, but simply less insecure for the current vulns out there.

Then again, MSFT might implement this shiz so badly and incorrectly that we'd be stuck with a bunch of new prolems of which we haven't a clue to fix.

just my 2cents

offended

[andy666]

From article:

"so simple, even my grandmother could implement it."

As a 48 yo grandmother, I am offended that technical incompetance is equated with being a grandparent. I don't think anyone would have said "so simple even my grandfather could implement."

I am incidentally, a C programmer of 20+ years.

Re:offended

[Turambar]

A troll is a post carefully crafted to attract predictable responses and/or flames. The moderator probably read the post, saw the poster was "andy666" and thought some guy was trolling. It was a mistake.

After looking at andy666's posting history, the moderator should have known that andy666 really is a French grandmother named Andrea Tilley, who apparently has a grandchild old enough to post the parent article, and isn't happy that her grandchild considers her technically inadequate for this job. Wow - French and thin-skinned; but I repeat myself.

It's SlashDot - what do you expect?

Use the Firewall

People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

Re:Use the Firewall

[jdreed1024]

People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

Re:Use the Firewall

[Sean80]

I still don't get it sometimes when people say this. I would only feel comfortable making this sort of statement based on some evidence. Not a troll or anything, but has anybody ever seen any evidence which indicates what majority of the PC-using community understand what a "firewall" means, and, if they do, how to turn it on when they receive their brand-spanking new PC from Dell?

If that number turned out to be unusually low, perhaps the key is to really shove this sort of education down people's throats. How? I don't know. A series of ads on TV? Not likely. Get it into the headlines? Not likely. So I'm just not sure how this could be done.

One thing's for sure, my mom wouldn't know what a firewall is, nor how to turn it on, and I shudder at the thought of trying to explain it. Honestly.

Re:Use the Firewall

[dylan_-]

Since a few people have mentioned this: He was using Windows 2000. It doesn't have a firewall.

Re:Use the Firewall

[Marc+Desrochers]

How about Windows not enabling the network inteface before it has all of the network settings loaded for it.

...and I don't believe obtaining a DHCP lease would be a problem through this.

Asking users to plug/unplug their network cable is just plain silly.

Re:Use the Firewall

[somethinghollow]

Okay. I'll climb under my desk, unplug my nic, climb out, power on the machine, wait until everything is loaded, climb back under my desk, plug it back in, then climb out and be productive.

That is a great solution. Maybe Microsoft should make a KB article and send it to all the upperlevel business types in corperate America. I can see all the suits in their lavish office hundreds of feed above the city streets doing the Microsoft Shuffle. Now all they need is a catchy pop song to go with it and they'll be on Casey Kasem's Top 40.

I'd rather just use my Mac.

Re:Use the Firewall

[One+Louder]

Unfortunately, that assumes that one is familiar enough with Windows to know that's the order in which things load, that unplugging the network cable won't make the machine somehow think it's not *going* to be on a network.

It's a rational expectation that a brand new machine, or one restored to factory configuration, should have no fatal problems - we certainly expect that the wheels don't fall off our cars just after we drive off the new car lot. We shouldn't have to *know* that we have to tighten the lugnuts or get new tires because the ones I juts bought are about to explode, and I shouldn't have to immediately change the locks because everyone and their grandmother can pick the one I just bought with a toothpick.

Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?

Re:Use the Firewall

[radish]

No, my suggestion was not a "solution" to the general problem. It was an idea for the supposedly technical person trying to fix a b0rked windows box which they couldn't get to stay up long enough to patch. For that person, I would have thought that unplugging a cable would be both obvious and straightforward. Should regular users be disconnecting their boxes every time they reboot? Of course not.

Re:Use the Firewall

[bryanp]

Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?
Ask me again on election day.

Re:Use the Firewall

[liquidsin]

Third sentence of the article: "This was the case with a family member's computer running Windows XP Home." Further down, he also talks about putting XP SP 1a on the disc.

Re:Use the Firewall

[needacoolnickname]

Asking users to plug/unplug their network cable is just plain silly.

I'd have to disagree. I think making someone work for something might make them a bit more appreciative of what needs to be done to maintain it.

I told my father to take his computer to a local shop to have it fixed rather than drive up to me. Once he learned how much it costs to have things fixed that can easily be avoided he seemed much more interested in learning how to take care of things than thinking "this thing should just do as I want it to" (and he stopped downloading stupid ass screensavers.

A little work goes a long way.

Re:Use the Firewall

[Rick+the+Red]

Leave ethernet disconnected right up until the moment you're ready to hit Windows Update. You're already booted up with the firewall enabled. Connect cable, wait a few seconds for XP to notice it, hit update. Voila.

Uh, huh. And then, the next day, you have to crawl under the desk and disconnect the NIC until you've booted up for the day, then plug it back in. And the day after that. And the day after that. And the day after that.

You see, it takes 20 seconds to 2 minutes from the network activation to the firewall start every time you turn on the PC, not just when you're getting the latest update. And if you think you only need a firewall when you're running Windows Update, then you're missing the whole point of having a firewall.

Re:Use the Firewall

[minotaurcomputing]

"And if you're on a wireless LAN?"

Wave you hands in front of the antenae to block the signal.

Re:Use the Firewall

[sik0fewl]

How about you wait until the firewall is loaded before plugging in the network cable?

Yeah, that's an elegant solution:

"Windows has finished starting. It is now safe* to plug in your network cable."
*Warning: may not actually be safe.

Re:Use the Firewall

[pohl]

How about you wait until the firewall is loaded before plugging in the network cable?

+5 Funny. This reminds me of a situation at work. We sort of have two separate halves of the software development department: Java and the Microsofties. One day I wandered by the server room where the most brilliant of the Microsofties was installing some sort PDF-indexing engine on one of their Windows servers. They were being thwarted by some dialog box that kept comming up during the install. His solution to the problem at the moment that I happened by was...I swear to god...to jam a penny into the keyboard such that it kept the return key held down, so that the key-repeat would dismiss the dialog box over & over again, in hopes that it would happen rapidly enough to get through the install.

I swear, it's a totally different culture. Some of us insist on good software architecture. Others have an amazing capacity to assfucked by bad software architecture and keep going back for more. You can bother about yanking and reinsertintg your ethernet if you really want to. I'll work around the problem by being a more selective consumer, thank you.

Re:Use the Firewall

[bonkedproducer]

I have Win XP SP2 Beta running on my XP box. I do notice that the firewall is much better and easier to use (seems like a weak ZA clone,) except it does some weird things. The first time I used Windows Media Player in SP2 Beta, to view some movie trailers, I had the player maximized and after watching three or four, I minimized the player to check my e-mail.

When I minimized I saw my first experience with the new and improved firewall, it was a nice message in the center of the screen that had been obscured by the player stating "The Program: Windows Media Player is trying to access the Internet, should I: Block this program, Unblock this program, Block this program but ask again in the future" (I'm paraphrasing there) even though I hadn't told it to unblock the program, it was allowing it download content from the web.

I thought this was odd, and assumed maybe it only received stuff but wouldn't allow sending. Well, when I used Yahoo Messenger the first time, same thing popped-up, so I left the box on screen and did some IMing, and sent some files to friends - all without interacting with the firewall. So I must assume the the firewall by default lets anything go through until told otherwise. This is security? I've noticed this behavior with many programs, and telling it to block does work, but until told to block it leaves the holes open.

Re:Use the Firewall

[pyros]

Unlike in the Unix world, where you solve all these problems by simply not running as root. You might not be running as root, but how are all those various programs listening on ports below 1024 running, enk?*

Usually the process is launched by init as root, the port is bound, and then the process forks, calling setuid and setgid to loose root privileges. It's also not unheard of to chroot the fork too. So you're left with a program running in a sandbox without root privileges, bound to a privileged port.

* - bold added to separate GP quote from parent quote, not for emphasis on any particular content in the quote.

Re:Use the Firewall

[mav[LAG]]

Girls are like Internet domain names, the ones I like are already taken.

You can still get one from a foreign country :)

Re:Use the Firewall

[Nintendork]

"Sorry, but I just don't have time to figure out the settings needed to fix this when Zone Alarm is the real fix."

Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT. You have no idea how many times I've been troubleshooting broken internet apps only to find out that Zone Alarm/Black Ice is installed. One of my first questions now is to find out if those things are installed. The sole purpose of those software packages is to annoy you every time it blocks a connection and try and convince you to pay money for the enhanced version of the nagware.

You declare that the SP2 firewall broke your ability to print, but you do not know why. You just take a reactive stance and jump back to what works now instead of finding the underlying problem and solving it. I'm sorry, but I just don't believe that the firewall broke your ability to print unless there was an underlying reason. Outbound connections are not blocked by the firewall. The same statement goes for seeing others on the network. Maybe you were just impatient and didn't wait for browsing to stabalize which takes up to something like 15 minutes in a single broadcast domain. If you're really that anxious to connect to another computer and can't wait for the browse list, do a start | run | \\COMPUTERNAME.

If you want the computer to be seen on the network, create an exception list in the firewall configuration! It already has a preset for file and print sharing one tab over from where you enabled the firewall for crying out loud!

God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it. It's not Microsoft's fault that you don't RTFM or open your eyes to see that there's other configuration options when you use a feature. Blaming Microsoft may be fun, but it's not always the answer.

-Lucas

Re:Use the Firewall

[silicon+not+in+the+v]

Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT.

...later...

God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it.

Uh, yeah...me too. :)

Re:Use the Firewall

[nzkbuk]

or just use the -y option

Burn a cd?

[JustKidding]

custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

Better make that a rewritable...

Re:Burn a cd?

[dicepackage]

I have found that a cheap USB key drive is a great way to keep all of the necessary patches in one place that can be re-written fast.

that's easy...

the CD held knoppix

my windows security nightmare..

my windows security nightmare involves bill gates breaking all my boxen with a life size stainless steel Clippy.

New "casino" concept is needed

Microsoft should send XP SP2 CD-ROM to everyone that has registered Windows XP. After user installs and visits some web site, they enter into Microsoft award contest. 100 random users that install XP SP2 receive 50.000$ award each. I guess everyone would upgrade if they could receive an award.

Small price for Microsoft, great effect on security.

Big problem

[jdreed1024]

A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched.

This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings.

It's the bigger problem of running services by default. The average user doesn't need half of the services that run. Linux figured that out years ago - most services are off these days, and those that are on are fairly secure (ie: sshd). Even if some of these services are required for system operation (like some folks have claimed), there's no reason for them to be listening on addresses other than 127.0.0.1.

Re:Big problem

[jdreed1024]

Am I the only one thinking:

1) Switch on computer
2) Login
3) Wait until everything is loaded and the disk stops chunking
4) Plug in network

Is that really hard?

Try telling that to an end user. They don't want to be bothered with that. And also, people forget to do things sometimes. And the one time you forget, you'll get infected.

Yes, yes, we all know the most secure computer is the one that doesn't have a network connection. But really, providing firewall software, and loading it last in the startup sequence, instead of immediately following network device startup is sloppy and wrong.

You Mean digital?

[Mordaximus]

the Microsoft employees behind the design of Windows Registry

Ah yes, brought to you by the letter V, as in VMS. IIRC it was a few digital VMS engineers that left and help build many of the more functional components of WinNT. And apart from the ACL, i believe the registry (at least for pathworks) was another digital innovation...

Never forget there is very little you can credit Microsoft with...

all he had to do

[xplosiv]

was have them type 'shutdown -a' at the command prompt and the rebooting would have stopped. I have helped people remove this worm many times using Remote Assistance, over dialup without any issues. The firewall software is going to cause more problems in the long run as it will block some of their games, or even him remotely accessing the machines in emergencies.

Ignoring the root cause and fighting the symptom

[kbahey]

I cannot help but see the analogy here.

Microsoft takes the approach of fighting the symptom (malware, ...etc.), and not the root cause (flawed security design, ...etc.).

This is the same way many governments approach things like terrorism. They address it like a security problem only, that Intelligence Agencies and the Military/police handle. Why these ideologies developed, and what are the social, economic, and political reasons that lead to it is never even attempted.

And it is not only America, this has happened before in Ireland, Spain, Egypt and elsewhere.

Unless the root cause is studied, a correct diagnosis is made, and then remedial actions are taken, no amount of policing will fix the problem for good.

A grandmother can do it

[AtariAmarok]

""so simple, even my grandmother could implement it."

"(AP) Dateline August 12, 2008. National and international commerce was brought to a halt as the "SugarCookie" worm infected and seized up the installed base of Windows 2006 computers. An FBI task force was able to determine that the worm was written by someone's grandmother who thought she was entering a cookie recipe into her computer. She was quoted as saying 'I did not know that Windows was so insecure that you could bring down networks with accidentally-written worm programs'"

Re:A grandmother can do it

[EvilTwinSkippy]

Grandma's gotta stop getting her recipes from the Anarchist's Cookbook.

Re:Not so fast, sir

[ivan256]

So your solution is to spend $80 on hardware to workaround a defect in $100+ software? Does he have to carry this device around with his laptop everywhere? This is a joke, right?

Re:its not that bad

[Kenja]

"It has no virus scanner, and they have never contracted a virus."

How do you know? If its not running a virus scanner how would you tell if it had a virus or not?

Update CDs for family

[thewldisntenuff]

I think the biggest problem in making an update cd or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.

Case in point-
I return home for the semester break, and my sister's pc is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yaddda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-

That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...

As far as issues with Windows Update...Best bet is to download from someone else's high-speed pc. I had a similar incident with SoBIG and a reinstallation of XP.

i use windows

[takitus]

and have a hardware firewall, run ie and outlook express and have never had a problem. it can almost always be chalked up to not knowing how to operate things properly. i have made similar cds that are all automated. i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that. best buy was chargin $80 for the same thing that my cd did =). either way... windows is only as safe as you make it. the only thing required to keep viruses from getting in a windows box is running the patches, and even that isnt that necessary if you have a firewall. all of the rest of the viruses are contracted through user error. poo!

Re:i use windows

[ForemastJack]

Quoth the parent:

i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that.

I read that and nearly spit coffee on my keyboard. OK, let's assume that the parent poster is being 100% honest, that he made "a few grand" selling home-burned CDs outside Best Buy at $20 a pop. That's, conservatively, 100 CDs!

In other words, at least one hundred people were perfectly willing to shell out money -- cash, presumably -- to some random guy in front of a store, then take this guy's CD home and blindly install whatever the hell he'd given them!

Folks, talk all the shit about Microsoft that you want, but there's your security problem! If this guy is on the level, we've just had a prime lesson in the reason why Blaster, et al spread like typhoid.

You know, don't you feel sorry for Microsoft, sometimes -- just a little bit? I mean, imagine you're a Microsoft engineer. You're hard-working. You really do try, given the massive user base you have to support and the cruft of legacy code you're stuck with. Reasonably fast patching for security holes, updates -- hell, they'll send you a damn CD of updates for free!

And then you read something like this. And request an immediate transfer to the Office development group...working with Clippy would seem like a joy.

And for all the linux advocates out there -- especially the zealots, the Stallman's Witnesses -- this is a cautionary tale. If and when linux starts to hit the desktops, you're going have this same problem. If 100 users are willing to take some guy's CDs and install them, no questions asked, they're not going to flinch when he says, "Oh, and it will prompt you for your administrator password. You'll need to enter that in order to make sure the system is scrubbed." Play out your own nightmare scenario, there. Linux is inherently more secure? Really?

Social engineering-based cracking can't be stopped. Not by Windows, not by Linux.

A Different Perspective . . .

[pariahdecss]

How about creating a CD to make the internet safe from Windows XP
Maybe something that strips out the entire TCP/IP stack - a castration of sorts for the good of all mankind

My name is Bill and I pronounce Windows -- WeenDOHS

Whether you are offended

[2names]

or not is immaterial. The simple fact is that as one ages, one loses touch with new technology and advancements for many reasons, most of which have nothing to do with a person's abilities or intelligence. Mostly, people just stop caring about the latest gizmo and care more about things that are really important like family.

But, if you don't believe me try this little test:

Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore.

$.02

Re:Whether you are offended

[captainClassLoader]

2names comments:

"Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore."

Then again, you might be surprised. I once did a benefit ambient gig at a retirement home, and then wound up giving a seminar on my set-up after the gig, as a pile of people crowded around my gear to ask me how I got all those sounds. My impression was that this retirement home was a pretty boring place, and a guy showing up with a bunch of synths to crank out strange quiet downtempo stuff sorta made their day...

Re:Whether you are offended

[bloxnet]

Ridiculous.

My grandparents are in their 80s...and you are probably right, but the generation(s) in their 50s-60s are more likely to have been exposed to technology and it's increasing role in our day to day lives to completely invalidate your theory.

Even more so, each year that passes you will have more grandparents who are moderately tech saavy...it's not in anyway a question of age, but experience. There are still quite a few people in their 20s, 30s, etc who would also not be able to pass your IPOD+ITunes test, because (brace yourself for the shock), they don't drool over tech items like the majority of slashdot readers do.

It's just depressing to see that the rampant ageism that is applied to older people is still going strong in the tech industry...and does not seem to show signs of stopping.

The original poster was offended because she was both a grandparent and a woman into technology, and admittedly, she is a rarity even now....but the real point is that the more time passes, it's more and more possible that this will not be an exception to the standard. And in the spirit of fairness, she was kind of silly to be up in arms about it anyhow...although her point *was* and *is* valid.

Re:Whether you are offended

[jamesmrankinjr]

Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

On the other hand, if you tell them that they can use it to download pictures of their grandkids, they'll probably have it up and running faster than a 19 year old nerd could :).

Peace be with you,
-jimbo

this is just a good example of...

[mgoodman]

...why stupid people shouldnt use computers.

Just because its made by microsoft, that doesn't mean an idiot should administer it. It certainly doesn't mean its going to be secure and stable out of the box.

The huge divide between Unix/Linux and Windows is that Unix/Linux forces you to know what you're doing when you install something on your computer. Windows assumes the opposite.

However, if you do know what you're doing with Windows, problems of this nature are not really problematic. Fixing Windows without reinstalling is easy for competent administrators. Jeez, I can get around in Windows without a mouse and without explorer.exe.

Here's a hint guys: if something breaks on Windows -- don't install a program to fix your computer. It will break it further. Don't install registry cleaners -- they suck. Slick your system, ghost your system, take registry snapshots now and then. Don't install third party software on production machines without testing on crap boxes first. Do know your system in and out.

Re:Not so fast, sir

[jdreed1024]

A D-Link port-80-only firewall can be had at any number of electronics stores (heck, probably at Walgreen's too) for $79. It isn't a total solution, but it will protect a personal machine long enough to get the Windows Updates installed.

Wow. Think of what you're saying. You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?

RTFA

[interiot]

RTFA, please.

• Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability, the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem, if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn't want that. So, the Microsoft Update CD is there just for moral support.

Sucks, but he's right

[erikharrison]

I've been working tech support for an ISP for years, and this guys fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.

The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.

I have watched users get the Sasser virus, run system restore, have system restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run windows update, only to become reinfected with the sasser. Maintainence of Windows is hard, OS reinstall is easy. OEM aren't value adding to the OS by providing solid maintanence tools, their providing restore disks, because writing such a maintanence tool is INCREDIBLY difficult.

I understand MS's need to stay commited to this design, at least through Longhorn and it's revs. But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.

Run QNX on the desktop

[Animats]

One safe option is to run the free version of QNX on the desktop.

The free version of QNX comes with no inbound services enabled. Most of the standard UNIX-type services are available, but they're not installed by default. It's a pure client. In fact, it's very close to what the iOpener ran. Both dial-up and LAN connections are supported.

Mozilla 1.1 runs, but without Flash. There's a word processor, ABIword. The whole GNU toolchain is available. Unfortunately, OpenOffice hasn't been ported.

It's refreshing to run a system without all the Microsoft crap, or the Linux emulations of it.

I am asking for it but here goes....

[jwcorder]

I could not help but find myself in quite a humorous state as I read that article. As a Support Analyst for a Fortune 50 company, I see many of the errors that the user was describing in the beginning of the article. Unforunately for him, he reinstalled the OS. All he needed to do was recreate his Windows profile.

The right click locking explorer and the functionality loss of Mozilla were most definely not caused by the Reg, but more likely caused by a corrupted NTUSER.Dat file in the profile folder of his machine.

Furthermore, if you are currently reading this article on your home PC and not sitting behind a firewall of some sort, please send an email to banme@slashdot.org with the attention line reading I am no longer worthy.....just kidding just kidding.

your dad says...

[blastedtokyo]

Son, I think it was a virus that took your name out of the will.

Not a very convincing article

[Quarters]

The author installed a bunch of 30 day trial software that borked his system. He then chose a registry cleaner without doing much research on them and ended up using a pretty poor one. Then he complains because his machine got fuggered when he had to reinstall the OS.

Cry me a river. A tool like Norton System Works that has both an installation watcher and a great Windows configuration diagnostic/repair tool would've solved his problems. Grabbing the first tool listed on Download.com when you type in "Registry Cleaner" is not the inteligent way to go about system maintenance.

Re:This article is a disgrace to slashdot

[blincoln]

I was going to post something less colourfully phrased if no one else had.

The author of the article is either inept or trolling. Unless you are doing something dumb like downloading tons of shareware apps, installing them briefly, then uninstalling them, the registry should be fine.

Of course, he *does* seem to be the kind of person that does exactly that, based on his "I downloaded a random 'registry cleaner' program and trusted it with my computer's stability, and now my PC doesn't work!" thing.

The hotfix issue is a legitimate complaint, but anyone who is running Windows 2000 (an enterprise operating system) at home should be comfortable with making slipstreamed install CDs - especially if the user is someone with dialup access who regularly formats and reinstalls their system.

I'm sure MS would be happy to provide physical CDs with the updates on them if more than a tiny fraction of users were willing to pay a small fee for the convenience. It's not like Linux users get magic free CDs mailed to them from the groups that package the distributions.

"They don't recognize them as usability problems"

[dpbsmith]

Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."

Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.

It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the nuclear regulatory commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is common to all nuclear power plants--the licensee need not do anything about it.

In the PC world, any problem that persists for more than a few years is not longer perceived as a problem. It becomes "generic."

The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.

Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.

One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.

Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.

And before sixteen people reply explaining that .NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.

Microsoft didn't solve the problem. They just sort of declared that it had been solved. Installshield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's consider a plus if installing one application breaks other applications, if they happen to be competing applications).

I could go on and on. (Indeed, I already have). In the world of PC's (and I include both WIndows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me,") IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch... ...and formerly tame, humble consumer devices like televisions sets, cars, and cameras are getting computers built into them and are declining in usability too.

Problems is Computers = Windows for most people

[Ridgelift]

The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter.

And yet, people still want Windows. I work in a high-tech call center, and people still look at me with blank stares when I tell them I don't use Windows at all at home.

Q "What do you run for anti-virus?"
A "Nothing. Linux isn't as succeptible to viruses"

Q "What about spyware?"
A "Same thing. I don't run anti-spyware either because I don't get it. Oh, and I can update my computer without rebooting too"

I've even had a laptop running nothing but Slackware, and technical people _not_ believing that Windows wasn't somehow still on the machine! People just don't see computers with anything other than Windows. If computers = Windows, then how can people get sick of Windows and not be sick of computers? The fact is, Microsoft has done a brilliant job of equating computers with Windows, to the point where even most technical people don't see any other option.

I think my job as an Open Source advocate is to just let people see Linux run on a computer, and let them follow the inevitable logical conclusion themselves.

oki, here is a nice solution or two :

[da5idnetlimit.com]

As we all know, computers, aren't meant to be in the hands of users, but strictly confined to (some) admins.

There is a solution that any knowledgable admin can use : whenever a new service pack is out, you create an updated Windows installation cd (or dvd) that include the latest service pack => When reinstalling, you do that from SP4k or whatever, and it gives you an nice, almost secure config to start updating from...

Also, a standard practice in my home is the use of Ghost just after the installation of all the basics softwares and updates...=> ditto.

Now, a solution I have personnaly used on a friend computer after the usual "crashed before it even updated" episode : I booted her compuer using knoppix, downloaded the latest service pack and quite a bit of separate updates on a separate partition and then made an install without the net on...Ironic, using Linux to get a windows install running...

Also (but that is only true on my own home network) I use a dedicated firewall (yeah, Linux) on my network, and I only keep open the ports I need...So, if I need to make a "virgin" Windows install, the firewall protects me from the nasty worms/exploits/whatsoever...

Repeat after me : No Lusers in my Computer room ! 8)
(Happily supporting my dad since Windows 3.11, I made my preceding comments a rule... backup often, streamline your updates, use a dedicated firewall...and NEVER let your dad (or any Luser) with a root/administrator account...btw, he's still using 98...

Re:oki, here is a nice solution or two :

[Pxtl]

1) working from behind a standard router is good, as you say. Any basic NAT will block most attacks.

2) you outline a problem - using anything but windows update for updating a machine is the domain of super-l33t windows geeks. Not normal people. I know my way around a windows box very very well, but trying to update anything on a win box without the updater I find nearly impossible. Yes, there are admin downloads, but I find them outright scary to slog through.

IMHO, they need something simpler - 2 things.
a) a way to generate an updater CD to re-apply all windows update patches currently installed on your PC (for when you wipe) and b) up-to-date updater CD ISO's available to download for each currently supported MS OS for when you need to set up a friends computer. I recently set up a friends '98 box and it was a headache - a nice "download this disk and burn it for patching" that I could launch from XP would be ideal. If they're concerned about bandwidth, throw some of their mass of coders to make an MS torrent-a-like for said ISOs.

First thing I do with a new Windows install is...

[5n3ak3rp1mp]

1) run any security updates
2) strongly suggest not using Outlook
3) Completely lock down the "Internet" security zone in IE and force users to add sites that don't function properly (due to scripting turned off) to "Trusted Sites" (which has scripting on)
4) Strongly suggest that users use Firefox instead of IE wherever possible
5) Install antivirus software
6) Install Spybot Search & Destroy and AdAware

This keeps most spyware, virii and worms out.

As a curious side-note, the first thing I do with a new OS X install is...
1) Apply security patches
2) There is no Step 2 ;)

the kid is educating his dad

[zogger]

he's paying him back. He's showing him that it's much better to not get your computer hosed in the first place, so he IS paying his dad back for his education, in exact kind. Adults can be wrong, but there's no easy way to point this out to them, in a father/son situation. And it worked according to the post, when his father realised what a PITA it is, what it really costs,both in cash in what might be done to his machine or credit card or other personal info, or how he could be used by a malicious zombie-running blackhat, etc, and how easily preventable it was,so he learned something useful and practical.

I think a lot of people honestly do not know that the primary reason they might get hacked is not to get their personal information, but to use their machine to distribute hacked warez and spam email and kiddie porn. So, it's much better to do what it takes to help people understand the ramifications of their actions-or non actions, and to perhaps take a more critical look at the software they are running. To me, it's like a traffic ticket (paying to have your machine cleaned and fixed), you are SUPPOSED to learn something (stop being a no-nothing lamer) about your behavior driving your car (computer) on the public road (internet).

Once people are REALLY aware of it, then they have a chance to correct the problem. If you can't get their attention in the first place, they won't ever learn. Sometimes it takes a fine to do that.

I FULLY support ISPs or private network admins yanking access to the network from infected machines. They don't do it enough, IMO, and if it happens to me because my machine gets hosed and zombied and I don't deal with it in a timely manner, then too bad for me, too. I'd rather be told about it if I don't know myself, and losing your net access is both protecting the innocents, and getting your attention for a problem. And if THAT then kept being pushed back up the food chain to the vendors, where they had to code better, release less often, and be forced to offer products good enough they could be warrantied, then I'm all for that, too.

It shouldn't take 20 years to come up with a more secure out of the box operating system that is network capable, is the real bottom line, no matter which one you are talking about.

You'd see it get chaotic in meatspace if any manufacturer were allowed to sell "caveat emptor" products with no government required warranty, of course they would skip doing quality work then, because there would be very little risk to them. It's time software played by the rules every other manufactuer has to play by, especially if they demand IP ownership and patents and huge profits. They want it treated like a normal product, swell, but let the law treat THEM like any other product as well.

Downlaoding all "Windows Updates" is possible

[comcn]

I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.

The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb; en-us;323166

Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.

When I found that I was very pleased.

I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.