Slashdot Mirror


The Windows Security Nightmare

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

26 of 969 comments

  1. Uh huh! by imidazole2 · · Score: 5, Funny

    A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install that user's system loses all the previously applied security updates, and becomes a sitting duck for worms and other malware.

    That's why I'm such a FreeBSD/Mac advocate.

    --

    -Imidazole2
  2. offended by andy666 · · Score: 5, Troll

    From article:

    "so simple, even my grandmother could implement it."

    As a 48 yo grandmother, I am offended that technical incompetence is equated with being a grandparent. I don't think anyone would have said "so simple even my grandfather could implement."

    I am, incidentally, a C programmer of 20+ years.

    1. Re:offended by Turambar · · Score: 5, Informative

      A troll is a post carefully crafted to attract predictable responses and/or flames. The moderator probably read the post, saw the poster was "andy666" and thought some guy was trolling. It was a mistake.

      After looking at andy666's posting history, the moderator should have known that andy666 really is a French grandmother named Andrea Tilley, who apparently has a grandchild old enough to post the parent article, and isn't happy that her grandchild considers her technically inadequate for this job. Wow - French and thin-skinned; but I repeat myself.

      It's Slashdot - what do you expect?

      --

      Turambar
      ------------------------------
      Common sense is not so common.
      --Voltaire
  3. Burn a cd? by JustKidding · · Score: 5, Funny
    custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

    Better make that a rewritable...

    1. Re:Burn a cd? by dicepackage · · Score: 5, Interesting

      I have found that a cheap USB key drive is a great way to keep all of the necessary patches in one place that can be re-written fast.

  4. that's easy... by Anonymous Coward · · Score: 5, Funny

    the CD held knoppix

  5. my windows security nightmare.. by Anonymous Coward · · Score: 5, Funny

    my windows security nightmare involves bill gates breaking all my boxen with a life size stainless steel Clippy.

  6. New "casino" concept is needed by Anonymous Coward · · Score: 5, Interesting

    Microsoft should send XP SP2 CD-ROM to everyone that has registered Windows XP. After user installs and visits some web site, they enter into Microsoft award contest. 100 random users that install XP SP2 receive 50.000$ award each. I guess everyone would upgrade if they could receive an award.

    Small price for Microsoft, great effect on security.

  7. A grandmother can do it by AtariAmarok · · Score: 5, Funny
    "so simple, even my grandmother could implement it."

    "(AP) Dateline August 12, 2008. National and international commerce was brought to a halt as the "SugarCookie" worm infected and seized up the installed base of Windows 2006 computers. An FBI task force was able to determine that the worm was written by someone's grandmother who thought she was entering a cookie recipe into her computer. She was quoted as saying 'I did not know that Windows was so insecure that you could bring down networks with accidentally-written worm programs'"

    --
    Don't blame Durga. I voted for Centauri.
  8. Update CDs for family by thewldisntenuff · · Score: 5, Interesting

    I think the biggest problem in making an update cd or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.

    Case in point-
    I return home for the semester break, and my sister's pc is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yadda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-

    That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...

    As far as issues with Windows Update...Best bet is to download from someone else's high-speed pc. I had a similar incident with SoBIG and a reinstallation of XP.

  9. Re:Use the Firewall by jdreed1024 · · Score: 5, Interesting
    People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

    Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

    --
    There is no sig, there is only Zuul.
  10. A Different Perspective . . . by pariahdecss · · Score: 5, Funny

    How about creating a CD to make the internet safe from Windows XP
    Maybe something that strips out the entire TCP/IP stack - a castration of sorts for the good of all mankind

    My name is Bill and I pronounce Windows -- WeenDOHS

  11. Re:Use the Firewall by Sean80 · · Score: 5, Interesting
    I still don't get it sometimes when people say this. I would only feel comfortable making this sort of statement based on some evidence. Not a troll or anything, but has anybody ever seen any evidence which indicates what majority of the PC-using community understand what a "firewall" means, and, if they do, how to turn it on when they receive their brand-spanking new PC from Dell?

    If that number turned out to be unusually low, perhaps the key is to really shove this sort of education down people's throats. How? I don't know. A series of ads on TV? Not likely. Get it into the headlines? Not likely. So I'm just not sure how this could be done.

    One thing's for sure, my mom wouldn't know what a firewall is, nor how to turn it on, and I shudder at the thought of trying to explain it. Honestly.

  12. RTFA by interiot · · Score: 5, Informative
    RTFA, please.
    • Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability, the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem, if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn't want that. So, the Microsoft Update CD is there just for moral support.
  13. Re:Use the Firewall by Marc+Desrochers · · Score: 5, Insightful
    How about Windows not enabling the network interface before it has all of the network settings loaded for it.

    ...and I don't believe obtaining a DHCP lease would be a problem through this.

    Asking users to plug/unplug their network cable is just plain silly.

  14. Sucks, but he's right by erikharrison · · Score: 5, Interesting

    I've been working tech support for an ISP for years, and this guy's fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.

    The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.

    I have watched users get the Sasser virus, run System Restore, have System Restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run Windows Update, only to become reinfected with Sasser. Maintenance of Windows is hard, OS reinstall is easy. OEMs aren't adding value to the OS by providing solid maintenance tools, they're providing restore disks, because writing such a maintenance tool is INCREDIBLY difficult.

    I understand MS's need to stay committed to this design, at least through Longhorn and its revs. But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.

  15. Re:Use the Firewall by somethinghollow · · Score: 5, Funny

    Okay. I'll climb under my desk, unplug my nic, climb out, power on the machine, wait until everything is loaded, climb back under my desk, plug it back in, then climb out and be productive.

    That is a great solution. Maybe Microsoft should make a KB article and send it to all the upper-level business types in corporate America. I can see all the suits in their lavish office hundreds of feet above the city streets doing the Microsoft Shuffle. Now all they need is a catchy pop song to go with it and they'll be on Casey Kasem's Top 40.

    I'd rather just use my Mac.

  16. Re:Use the Firewall by One+Louder · · Score: 5, Insightful
    Unfortunately, that assumes that one is familiar enough with Windows to know that's the order in which things load, that unplugging the network cable won't make the machine somehow think it's not *going* to be on a network.

    It's a rational expectation that a brand new machine, or one restored to factory configuration, should have no fatal problems - we certainly expect that the wheels don't fall off our cars just after we drive off the new car lot. We shouldn't have to *know* that we have to tighten the lugnuts or get new tires because the ones I just bought are about to explode, and I shouldn't have to immediately change the locks because everyone and their grandmother can pick the one I just bought with a toothpick.

    Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?

  17. Re:Use the Firewall by bryanp · · Score: 5, Funny

    Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?
    Ask me again on election day.

    --
    "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
  18. Re:Use the Firewall by needacoolnickname · · Score: 5, Insightful

    Asking users to plug/unplug their network cable is just plain silly.

    I'd have to disagree. I think making someone work for something might make them a bit more appreciative of what needs to be done to maintain it.

    I told my father to take his computer to a local shop to have it fixed rather than drive up to me. Once he learned how much it costs to have things fixed that can easily be avoided he seemed much more interested in learning how to take care of things than thinking "this thing should just do as I want it to" (and he stopped downloading stupid ass screensavers).

    A little work goes a long way.

  19. Re:Use the Firewall by Rick+the+Red · · Score: 5, Insightful
    Leave ethernet disconnected right up until the moment you're ready to hit Windows Update. You're already booted up with the firewall enabled. Connect cable, wait a few seconds for XP to notice it, hit update. Voila.
    Uh, huh. And then, the next day, you have to crawl under the desk and disconnect the NIC until you've booted up for the day, then plug it back in. And the day after that. And the day after that. And the day after that.

    You see, it takes 20 seconds to 2 minutes from the network activation to the firewall start every time you turn on the PC, not just when you're getting the latest update. And if you think you only need a firewall when you're running Windows Update, then you're missing the whole point of having a firewall.

    --
    If all this should have a reason, we would be the last to know.
  20. "They don't recognize them as usability problems" by dpbsmith · · Score: 5, Interesting

    Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."

    Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.

    It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the nuclear regulatory commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is common to all nuclear power plants--the licensee need not do anything about it.

    In the PC world, any problem that persists for more than a few years is no longer perceived as a problem. It becomes "generic."

    The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.

    Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.

    One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.

    Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.

    And before sixteen people reply explaining that .NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.

    Microsoft didn't solve the problem. They just sort of declared that it had been solved. Installshield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's considered a plus if installing one application breaks other applications, if they happen to be competing applications).

    I could go on and on. (Indeed, I already have). In the world of PCs (and I include both Windows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me"); IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch... and formerly tame, humble consumer devices like television sets, cars, and cameras are getting computers built into them and are declining in usability too.

  21. Re:Use the Firewall by minotaurcomputing · · Score: 5, Funny

    "And if you're on a wireless LAN?"

    Wave your hands in front of the antennae to block the signal.

  22. Re:Use the Firewall by sik0fewl · · Score: 5, Funny

    How about you wait until the firewall is loaded before plugging in the network cable?

    Yeah, that's an elegant solution:

    "Windows has finished starting. It is now safe* to plug in your network cable."
    *Warning: may not actually be safe.
    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  23. Re:i use windows by ForemastJack · · Score: 5, Insightful

    Quoth the parent:

    i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that.

    I read that and nearly spit coffee on my keyboard. OK, let's assume that the parent poster is being 100% honest, that he made "a few grand" selling home-burned CDs outside Best Buy at $20 a pop. That's, conservatively, 100 CDs!

    In other words, at least one hundred people were perfectly willing to shell out money -- cash, presumably -- to some random guy in front of a store, then take this guy's CD home and blindly install whatever the hell he'd given them!

    Folks, talk all the shit about Microsoft that you want, but there's your security problem! If this guy is on the level, we've just had a prime lesson in the reason why Blaster, et al. spread like typhoid.

    You know, don't you feel sorry for Microsoft, sometimes -- just a little bit? I mean, imagine you're a Microsoft engineer. You're hard-working. You really do try, given the massive user base you have to support and the cruft of legacy code you're stuck with. Reasonably fast patching for security holes, updates -- hell, they'll send you a damn CD of updates for free!

    And then you read something like this. And request an immediate transfer to the Office development group...working with Clippy would seem like a joy.

    And for all the linux advocates out there -- especially the zealots, the Stallman's Witnesses -- this is a cautionary tale. If and when linux starts to hit the desktops, you're going to have this same problem. If 100 users are willing to take some guy's CDs and install them, no questions asked, they're not going to flinch when he says, "Oh, and it will prompt you for your administrator password. You'll need to enter that in order to make sure the system is scrubbed." Play out your own nightmare scenario, there. Linux is inherently more secure? Really?

    Social engineering-based cracking can't be stopped. Not by Windows, not by Linux.

  24. Downloading all "Windows Updates" is possible by comcn · · Score: 5, Informative

    I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.

    The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb;en-us;323166

    Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the Windows Update Catalog and download to disk all current patches for a particular OS automatically.

    When I found that I was very pleased.

    I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.