IE Holes Not Microsoft's Fault, Says Bill
thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?
"Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans."
So, apparently Ballmer isn't the only one there who Doesn't Get It.
John
Yes, viri, trojans and spyware tend to be third party. The problem is, IE lets you download these and execute, sometimes by just viewing a page.
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
So what you are basically saying is this is not an interview, it's an advert. See sig below
In the end, It's all bovine dung you know
So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.
Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.
It's just a matter of scale.
;)
A pristine WinXP box will be compromised in 20 minutes (on average).
I'm still waiting for my unfirewalled 'nix box to be rooted
Anyone remember OS-9's CRCs?
How about putting a MAC on executables?
Of course, the question of who the clueless user trusts still remains.
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?
Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
Let us all remember the line above then. Nothing is going to change?
I think it will
The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
I need lessons with Bill so I improve my English, I guess it's easy to learn it, if you stretch the meaning of the words as much as Bill.
Watching a website outside microsoft.com=downloading third party software.
Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)
John
Microsoft knew how people used they should have planned a better, more secure system. Microsoft's blasé approach to system, for years (since when I was in high school, I just got my CS degree!) is directly responsible for the shit we are in today.
Yes, things are getting better, but they are not nearly where they need to be.
Microsoft needed to build a system that would protect the user from hurting themselves with the help of the criminals who write this Spyware crap (the fact that something may not be illegal does not make it not a crime (and vice versa)).
You know it honestly shocks me how bad the Spyware problem is now. Spam never shocked me this way, probably because I grew up with it. But the idea that, probably 90% of the people out there running windows have malicious software running on, and fucking up their machines is just amazing. And no one seems to care!!. The only people I know who don't have infected machines are hard-core computer nerds.
Hell, I remember a year or two ago the CEO of red hat said that if people wanted a desktop machine, they should just use windows, and this was when Spyware was just starting to pick up! What a horrible suggestion!.
Sorry to rant, but the whole situation irritates the hell out of me. I think the newer versions of windows are pretty nice, as long as you never run an EXE from an untrustworthy source... and make sure your system is patched up.
And I did, in fact, get infected by Spyware once, I didn't run a program at all, I simply visited a page and crap installed on my system. I had to clear it out by looking at newly created files on my system, if the Spyware makers had thought to change the file-creation date I'd probably have been hosed.
The situation bites ass.
sinfulshirts.com t-shirts that make baby ash croft cry.
autopr0n is like, down and stuff.
I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised.
Have you done the same experiment with win2k pro with either SP1 or SP2? It's only fair since boxes are shipping with both service packs. I don't disagree with you, I've noted that buying a PC equipped with winxp home edition to this day still will get infected right out of the box. I've not observed this under SP2.
Why is {[virus protection something]You have to offer a service} Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box?
I have to agree with Bill on this one. Even if you are not paying a fee for your virus protection, it is a service that someone provides. This is different from an automobile with airbags because you typically don't have to update/replace your airbags. You do have to pay to get your car serviced and you do have to update your virus definitions. Now given that windows will auto update, you could argue that this is something that microsoft should provide out of the box. Frankly I'm glad they don't as competition is good motive for the virus software companies to improve their product, and there are a number of free solutions that are really good. Avast and AVG come to mind.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Anytime, anywhere, anyplace and you too can be a victim of the digital environment you call yours. Why is it that neither the government nor the corporation can deliver a secure computing environment through corporate decision or legislation?
Could the state of computing security be just the way they want it? Is there a larger work at play here, the ability to get into what you want when you want whould you be the key master?
How can a non-US Government or Corporation even consider windows? What is it I am not getting?
Nothing has changed aside from security getting worse. At least we have F I R E F O X , and I am not having to rebuild my laptop every 2 months due to unauthorized software.
How can it be this bad? What is it we are blinded by?
*sigh* I'm talking about viruses and malware, not remote exploits - don't worry though, I'm used to people mixing the two up.
There's also the (always ignored) point that most script kiddies "grow up" (you know what I mean) targeting Windows, and so once they've found an IIS exploit they have lots of ready-made 'ware and experience with which to root the box. On the other hand, the vast majority of apache installs are on Linux, for which they generally have neither.
With literally tens of millions of machines to choose from and generally nothing tangible to gain, why bother going for anything but the easiest of targets? That's ignoring the other fact that the vast majority of people targeting machines are just using exploits developed by one of a handful of actual crackers, too. Besides which, by far and away the most commonly compromised type of box is the desktop, and the vast majority of those run Windows. It's very much rarer for a server to be compromised, mostly because most of them are maintained by people who know what they're doing, unlike the vast majority of desktops...
It's official. Most of you are morons.
Ahem......assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine) There, all better now.
To the grandparent: Thank you for pointing that project out. It truly shows that having the source code to software open and available can lead to all sorts of interesting - and very useful - things.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
They tried everything to stop people from doing safety studies and stopping laws making safety devices mandatory. It did not fit their marketing image to have to put safety features in.
Sounds very similar eh? Gates blames insecurity on bad users. The car industry blamed it on bad drivers (this fits marketing as no one thinks of themselves as a bad driver).
Until enough studies came out showing how dangerous cars were (things like the steering column being a spear aimed at your chest) and the public started to get aware and government was starting to take action ONLY then and very slowly did the car industry do something. That still won't do anything until laws enforce the use of seatbelts and even then you will have idiots claiming using seatbelts is unsafe. Same as I have met a person (not heard about, actually talked to myself) who didn't use anti-virus software because it was reading their files.
So don't hold your breath waiting for MS to move on its own. SP2 was already a huge achievement. Anything more will only come after a long long struggle.
Or a very short one if you install the flippered OS. Or the horned one if you're into necrophilia. Then again, that is like driving a volvo. Not cool. Sure your kids might survive an accident but who cares about that eh?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Not to sound like a Windows advocate, but:
I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?
How long will a default installation of Redhat Linux+apache from three years ago last if you fired it up and left it online without updates? Wait, at the end of your message you sound like a die-hard Mac user, why would you waste 2 hours setting up a Windows box just to have it get exploited? There are many articles published online with this data already compiled on a global scale. I suspect a troll post.
Under your logic, those features would only work if I paid a monthly premium.
OSX has free, built-in anti-virus and anti-adware software? Last I heard, they had tried to charge for service packs. Are there still fixes/patches being published for OS 8 and for free?
You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.
I've been working and "creating" things happily with Windows and Linux for many years. Sure, I keep the Windows box protected with AV and a FW, I do weekly backups, and have access to a vast array of creation tools. I don't see where the snags are here.
Moderators: Read posts twice before wasting your points modding up trolls.
Good point. There are the stats from my online game. So it's not a Linux or Windows site, it's not a geeks-only site, there's plenty of aol or hotmail users in the game:
Top 10 of 94 Total User Agents
# Hits User Agent
1 1122501 44.95% Mozilla/5.0
2 1057756 42.36% MSIE 6.0
3 186661 7.47% Opera/7.5
4 40541 1.62% MSIE 5.0
5 31246 1.25% Opera/7.2
6 12661 0.51% MSIE 5.5
7 7791 0.31% Feedreader
8 7377 0.30% Opera 7.5
9 4929 0.20% Ocelli/1.1
10 4456 0.18% iCab 2.9
Doesn't look like 90% IE to me. Then again, I don't work in microsoft PR, I'm sure there's a way to creatively interpret the stats.
Assorted stuff I do sometimes: Lemuria.org
To my mind, there's a clear distinction.
Anti-virus protection & firewalling are what the OS should be doing in order to keep itself working -- like journalling helps keep filesystems consistent and working.
The apps people object to being bundled are additional abilities, above and beyond what the OS needs to stay alive.
I don't want to have to hold my machine's hand just to keep it alive. I don't want to have to install and learn additional software to keep what I already have working.
I understand the need for software updates -- that's the nature of the software beast. What I object to is the stack of 3rd party subscription software Windows makes me require just to stop it falling over.
(warning: the following comment may be regarded as OS X zealotry. It's not -- it's just a comparison between my two most-used systems - Windows and OS X).
I can take a new Mac out of the box, hook it up to the net, and just let Software Update do its thing however often it needs. I don't have to construct a safe environment -- it already seeks to give me that. Of course there's going to be vulns discovered. So I appreciate the work that OSS contributors and Apple put into securing network services across all supported platforms.
What's the frequency, Kenneth?
Software CAN kill you though.
There have been cases where 911 systems went down due to software glitches(Windows IIRC), that can certainly put a hurt on your life expectancy(in the case I'm thinking of, the phones stayed on, but the computer systems died, so they had to dispatch the 'ol fashioned way).
Or Medical databases, mix up what drugs someone is taking when prescribing new ones and that software glitch can certainly be hazardous to your health, if not kill you. Small risk, since there's a double check(Doctor and Pharmacist), but there.
Or the computers in your car, big error in one of those chips and BAD things can happen. Or airtraffic control. SCADA(old crappy UNIX, being replaced by new crappy Windows) systems. Fly by wire. Etc. Etc.
Software can definitely kill you, it permeates so much of our lives a glitch in the right place can actually kill you. Don't lose sleep over it, a real gremlin has to be in the works for this to happen and for no actual person to be there to compensate for it.
Now, your desktop software decision isn't likely to do so.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
I was amused by that, too. I was tempted to call bull, but technically they are interested in interoperability.
It's just that they seem to believe that everyone else should have to pay them for the privilege of being interoperable.
It's great from a business point of view, but not much use from a F/OSS point of view, unless projects manage to pick up a sponsor who would be willing to shell out to license the technology and manage to do it in such a way as is compatible with whatever license they're using.
Tiggs
"120 chars should be enough for everyone..."
Maybe the reason is different?
If you would steal a car, would it be Toyota or BMW? I mean, if I was a haxor trying to steal someones CC, it would be $3000 dual G5 owner rather than $500 Taiwan OEM owner.
Or... Something real interesting showed up when I check my Internet Plugins folder (Yes, mac IE even uses Netscape plugin arch)
cable25-100:/Library/Internet Plug-Ins ilgaz$ ls -l
total 72
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
-rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
-rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
-rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
-rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt
Look which company's plugin is installed in an awful insecure way?
Microsoft!
While at it, if you don't have "spyware" concerns, as an admin user, go to www.pcpitstop.com (in fact, they aren't spying) and run their tests...
See the amazing things ActiveX can do! That's the root of the problem.
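An added example, not part of the comment above or of the thread: a small shell filter that reads `ls -l` output and reports the entries every user can write to, which is the condition the listing above shows for two plugin directories. The function names are hypothetical, the sample input is the listing copied from the comment, and the filter assumes that nine-column `ls -l` layout.

```sh
#!/bin/sh
# Added example: flag world-writable entries in `ls -l` output.

# Sample input: the plugin-folder listing as posted in the comment above.
sample_listing() {
cat <<'EOF'
total 72
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
-rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
-rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
-rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
-rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt
EOF
}

# Reads `ls -l` output on stdin and prints "<mode> <owner> <name>" for each
# entry whose write bit for "other" is set.
world_writable() {
  awk '
    # Skip "total N" and any line that does not start with a mode string.
    length($1) < 10 || index("-dlbcps", substr($1, 1, 1)) == 0 { next }
    # Symlinks always list as lrwxrwxrwx; their own bits carry no meaning.
    substr($1, 1, 1) == "l" { next }
    # Character 9 of the mode string is the write bit for "other".
    substr($1, 9, 1) == "w" {
      # Assumed layout: the name starts at field 9 and may contain spaces.
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i
      print $1, $3, name
    }'
}

# Run the filter over the sample listing.
sample_listing | world_writable
```

On a live system, pipe `ls -l` of the directory into `world_writable`; a plugin directory that any account can write to lets any local process replace code the browser loads.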
Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.
I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux based solution put anything from MS to shame it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.
Am I dreaming or can the open source community take the lead here?
Tony Blair didn't lie over Iraq, but whether he was completely open and frank is another matter. There were caveats about the evidence for WMDs in Iraq that we were not told. Now, is that lying? Probably not, but it's dishonest.
There's also the thing of playing on people's assumptions - you make a declaration, which people interpret in a certain way based on normal rules, history etc. When it isn't delivered, you can then fall back on exact wording.
Ahem... ...assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine) There, all better now.
C:\>attrib +r D:\*.exe
C:\>attrib +r D:\*.dll
What makes you think that setting a file read-only prevents a virus from modifying the file?
Read-only is only advisory; you can still write to the file, IIRC.
Coming soon - pyrogyra
Utter crap.
If you know your customers are going to behave "unreasonably" ie, you know, actually *use* the computer, browse web pages, click stuff, then the OS should protect them guide them etc. So why is it that Windows installs a huge sign saying "COME FUCK WITH ME I'M OWNED BY SOME TWAT WHO CHOSE TO USE WINDOWS"?
The fact that OSX can and does do so much better proves that it's Windows fault. Or are you trying to say that Windows users are a self selecting bunch of morons? For those that *choose* Windows I'd agree, but most people don't get to choose: they either don't realise there's a choice or they have Windows forced on them.
Bad analogies are like waxing a monkey with a rainbow.
Pardon my ignorance, but what exactly happens to a non-firewalled Windows machine attached to, say, a cable modem? Do attackers find your ip address by random guessing and then exploit services that are left running by default? That must be the case, but I've never read an explanation. (For that matter, I've never learned much about Windows networking at all, being more interested in Linux). I know on my Linux box, I remove or deactivate everything that can be accessed remotely and I've never had a problem.
I suggest that M$ removes all IExplorer, WMplayers, CD burning etc. software from Windows, and sell them for $10. The price is reasonable because you don't need to pay extra developers for these stupid programs. Then we will have free competition market, and choice. Maybe then M$ Windows would be on any PC.
well, it is mentioned here [microsoft.com], but yes, it should certainly be more prominent than that. that's the first example I could find after probably 10-15 minutes of looking.
Yeah, it's possibly mentioned on the web, but why not in their OS? Why not hide the admin account after a Windows install? Why not have a red bar at the top of the Windows screen saying "Warning: You are logged in as an administrator. Click here for the implications this cause"?
No one should need to be logged in like that except in very rare cases, like when upgrading system drivers. The annoying part is that Windows is nowadays a multi-user OS with personal user profiles and healthy amounts of file system and OS restrictions one can set. They just make use of them incredibly poorly for the average user, which needs some restrictions most of all because of their inexperience.
Beware: In C++, your friends can see your privates!
*sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.
There are two problems:
1) Security of the default install. Microsoft isn't too bad in this department, but OS software tends to be better.
2) Technical capability of the users. OS wins, hands down, in this department. If OS ever replaced MS for the masses, I'm sure we'd have many viruses running around. Window VB viruses don't even need a security hole -- there are enough ignorant people out there who will happily run as root and click on executable attachments. Speaking of security holes, there are many more users that will happily run a box unpatched.
#2 is a valid excuse, and I don't fault Microsoft for mentioning it.
As for #1, does the average user want a secure OS? MacOS X, another OS-for-the-masses, appears to be able to implement some security features (auto-updates, root password prompt) without confusing non-technical users, which indicates room for growth, but to be honest, the same marketing decision behind many other poor-security decisions is active in Windows.
Kell, get a clue and stop using HTTP logs for your FUD. You simply can't get an accurate picture of browser market share by looking at HTTP logs. Can't be done. Not in the technology. HTTP isn't designed that way.
1. USB memory is FAT. Everybody has full access on all files.
2. attrib -r is trivial to accomplish inside a virus
For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.
(I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)
"Lawyers are for sucks."
- Doug McKenzie
That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.
Karma: -2147483648 (Mostly affected by integer overflow)
1. His point on hardware read-only is still valid
2. Cite? I haven't seen one yet.
After all, our customers had a choice.
Just to get the question of bias out of the way, I'm typing on an Apple laptop.
Twice this week I've had to help customers either remove or completely rebuild/restore Windows because of spy/malware. In the first case the machine was 'enhanced' with a 'search-bar' that replaced key parts (read dll's) of IE, removal of this 'enhancement' would render the machine unusable, while this software was installed previous to installing SP2 and the most recent batch of Microsoft issued security patches it nonetheless went undetected by the OS and was only found when NAV was run.
Now I understand that Microsoft has argued that what you add to IE is your own fault and to some point I agree, but only in the case where you realize you're installing software; If you install fast freddy's pronfinder tool bar you most likely want others to watch you. But Microsoft should concede that the browser, which they've stated is truly part of the OS should be treated with more care than if it were just an application (as it should be).
Given that security usually comes at the cost of some ease of use; Microsoft has chosen to make its OS easy and at the same time they choose to ignore the customers' demands for more secure default for firstrun. It would not be hard to lock the machine down until it's had a chance to check for patches/updates/service packs (call them what you will).
Recently I've read about motherboard manufacturers building appliance style firewalls into their onboard ethernet, sounds like a cool option but they're doing it because their primary audience *NEEDS* it, and truly this might be best for all of us, so long as the filters can be configured to curb outbound traffic as well.
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
I recently installed Windows 2000 on my sister's computer. For some reason I forgot to disconnect the network cable and before I had even started to install a firewall, it was compromised.
In all seriousness, the time of first boot to compromisation was under three minutes.
I daresay it was my own fault for forgetting about the network cable, but even so...
After that, I experimented with a Unix computer connected directly to the internet instead of being behind a router, as is my normal practise. Like you said, I waited a month for it to get rooted. Never happened. Eventually I put it back behind the router.
Yes, Angula. I've seen Demudi run off CD Live with zero configuration. It worked well on a 1GHz class computer. Show me a CD from M$ that does half as much.
Knoppix does some of the same.
Mepis also does much of the same but comes with non free goodies like Flash, Real Audio and a version of Xine that plays WMF.
I also think that players like Xine, Noatum etc. have been able to play non free formats for a long time. While it sucks that companies continue to make devices that use such nasty formats, it sucks even worse to not be able to use all those toys. Free software is more than up to the challenge. Sooner or later, those companies are going to turn to free formats as it's cheaper and better.
Friends don't help friends install M$ junk.
Did nobody else notice the complete lack of information in that interview? It seemed to me that Gates had two major responses:
1) We're looking into that and we're going to do it better than everyone else.
2) We suck at that so we're pretending to look into it, but don't expect any actual products.
There was no real information there. Reading that interview was a complete waste of my time and bandwidth. What a complete piece of shite. Whatever happened to hard-hitting journalists that won't let CEOs and others like them just dodge every question?
Then again, what should I have expected? Fantastic answers to interesting questions? Gates can't really say anything because there's nothing to talk about.
Interviewer: Blah, blah, blah?
Gates: Blah, blah, longhorn. Ooh look, shiny thing.
Hmpf!
*grumble, grumble, grumble*
--James
Developers, developers, developers.
You know, the guys who come up with third party software. Last week, your allies. This week, your scapegoats.
Weaselmancer
ridiculous.
> Gates: It's not a thing you build in.
This is because Microsoft allows spyware to be installed as part of its critical updates!
Last month I watched as a friend:
During the last update and spyware scan cycle, AdAware discovered a spyware issue in the registry!
FYI: The spyware entry came into my friend's system as a result of one of these Microsoft critical updates:
AdAware discovered:
For more info on ALEXA spyware see:
This is not the 1st time that I have seen somebody install a Microsoft critical update and receive spyware. No wonder Gates is not interested in building anti-spyware into his products!
chongo (was here)
$ whois 63.161.169.137
Sprint SPRN-BLKS (NET-63-160-0-0-1) 63.160.0.0 - 63.175.255.255
FEMA SPRINTLINK (NET-63-161-169-0-1) 63.161.169.0 - 63.161.169.255
whitehouse.gov is on FEMA's network? Interesting. Though it kind of makes sense if you think about it.
Accept Eris as your Fnord and personally sate her
"Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes."
No, but it DOES equal more attempts to attack. Troll IRC for a while. People are constantly trying to find new ways to break into Apache.
On Windows, you have rw permissions on everything
Not in my experience, I've always found switching between windows and linux frustrating because Administrator *doesn't* have 100% access to everything. Have you never clicked "End Process" in task manager and had it tell you you don't have permission even when you're logged in as Administrator? Also, try changing the security settings of a file so that only one specific user has permission to do anything to it and then try bypassing those permissions as Administrator.
As it happens, there are ways around all this (you can use kill.exe for the first and change the permissions for the second) but if Administrator actually were a direct equivalent to root, you could just do rm -rf / and kill the lot. You could cat /dev/zero > /proc/kmem and totally b0rk your entire system. Not that you'd want to, but at least if you *do* want to, you *can*.
At the end of the day, Administrator is dangerous enough that you *really* don't want to run random stuff as Administrator, but not powerful enough to do all the stuff I want to do without having to battle through another half-dozen bloody stupid click-click-click interfaces. Gimme root and properly administrated normal users with a workable CLI any day!
</rant> I guess
Cheers & God bless
Sam "SammyTheSnake" Penny
The idea of mounting a filesystem read-only isn't all that far fetched. In a product environment mounting the OS and application file systems as read-only prevents modification. On several production environments for clients I've dealt with, I've seen where the only r/w filesystems were the /var directory, home directories and a couple data directories. A configuration like this may not work for all environments (software development, maybe a home system where frequent software installs occur, etc...), but it has reasonable uses.
So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldn't get a choice, and that we should add another $50 to the cost?
It would sure be a nice option. Options, we want options.
Take a look everywhere else: you can buy a computer built to order, you can buy a sandwich built to order, you can buy a car built to order, you can buy clothes, shoes, or a backpack built to order.
These are real-life items assembled by humans. Information technology has allowed companies to find new ways to make us, the customer, happy.
Why not software too? Why can't I have Dell build a computer and give me a choice of McAfee, Norton, or Microsoft virus scan? Seems like a small technical challenge compared to custom building an entire computer.
Really, slashdotters, just because you're used to a crummy situation, doesn't mean that it's the way it should be.
Actually, this is being dealt with by the NSA. Look for the selinux patches. A homepage for this is at: http://www.nsa.gov/selinux/index.cfm
If you are interested in this sort of thing, you'll find the selinux stuff fascinating.
I believe the patches should be going into the kernel very soon - like in the next weeks or so.
But I may be wrong - I haven't checked on the status for several months.
"Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software."
Ah, that's it. Viruses, worms, spyware, adware, and other nefarious programs, being 3rd-party applications, aren't an issue caused by the OS manufacturer.
It's kind of like a house builder bearing no responsibility for burglary, because it is a 3rd party. Never mind that there might be design or implementation defects in the doors. And don't forget that any potential responsibility is waived anyway when you sign the house EULA.
Um, I know that this is supposed to be a humorous commentary on the obscene vulnerability of IE (dubbed Internet Exploit me), but the actual truth is even worse. The notion that IE is safe until you use it to browse web sites isn't strictly true. IE becomes unsafe the moment you boot into Windows while connected to the Internet. I've become quite adept at disentangling spyware and malware from a good number of the thousands of desktops my company uses, and I can assure you that IE doesn't even have to be fired up for malicious programs installed in it to run. In fact, if not properly "patched" and firewalled, IE doesn't even have to be running for spyware and malicious logic to get installed in it.
A truer statement would be that a Windows computer is completely safe until you plug the power cord into the wall socket.
I agree that the read-only isn't appropriate for every environment, but it can be effective. System security is still the best practice for any system (read-only or read-write). Even on the r/o system, you still want to secure information (if your password resides in /etc/passwd or /etc/shadow, you'll still want to lock it down, even if r/o) to protect it.
The systems in question are critical systems so the additional lock down is justified. The customers really didn't want anyone changing configurations without a bit of effort.
As for future systems, a multi-layer approach to security will likely be used but may differ from system to system based on user requirements. In some systems, the r/o approach may still fit in their scheme. The securing method will all depend on security requirements.
Just the names that MS gives to applications give them a very very big advantage over Linux Open Source applications.
"Welcome to President Bush, Mrs. Bush, and my fellow astronauts."
"The future will be better tomorrow."
"We have a firm commitment to NATO. We are part of NATO. We have a firm commitment to Europe. We are part of Europe."
check out the best blog ever:
http://oehlberg.com