Open Letter to a Digital World

jg21 writes "Exasperated after spending 5 hours removing spyware and trojans from his wife's Windows PC, sysadmin Chris Spencer has written an impassioned Open Letter to a Digital World. In the letter he reviews the 'elephants in the closet' - i.e. unfixed bugs and glaring security vulnerabilities - that Microsoft in his view hopes ordinary users will ignore, including some discussed in previous Slashdot stories."

I don't get it.

[spacefight]

He has a CS degree, runs Linux himself and still let his wife surfing the web with IE? What went wrong? We all now that alternatives exist.

Re:I don't get it.

[Bagsy]

Not only that, I bet his wife belongs to the administrator group aswell. There are far too many people who have the wrong user rights.

Re:I don't get it.

He has a CS degree, runs Linux himself and still let his wife surfing the web with IE?

Yeah, it's almost as if she has a mind of her own.

Re:I don't get it.

[Soko]

He has a CS degree, runs Linux himself and still let(sic) his wife surfing the web with IE? What went wrong? We all now that alternatives exist.

Let his wife? Let?!?!?! You sir, are obviously not married.

Besides, we still have to deal with IE only websites, which perhaps his wife has to use in her career? You've made a faulty assumption, friend.

The only fault I can find with the author is that he didn't realise what his wife was dealing with in the first place. She should be using Firefox for browsing, unless she needs an ActiveX control for a particular site for some reason.

We know Windows has these problems, so we should take whatever steps we can to mitigate the risks when we need to use that OS.

Soko

Re:I don't get it.

[mentin]

I regret I don't have moderator points for parent.

He claims to be a "system administrator and have a degree in computer science", and he lets his wife run as admin.

More than that, with all that experience he is naive enough to believe that he can clean machine using the very same machine - have he ever heard of rootkits and stealth program? Maybe he is just an idiot?

Re:I don't get it.

[fishbot]

More than that, with all that experience he is naive enough to believe that he can clean machine using the very same machine - have he ever heard of rootkits and stealth program? Maybe he is just an idiot?

Doesn't that kind of prove his point? Joe Public wants to use the computer. The computer won't let him. Just run it as admin! That's the default, so it must be OK, right?

Now he's infested with spyware, trojans, viruses and the like. So, he installs SpyBot, AVG, ZoneAlarm, whatever. Nobody told him that wouldn't work because the processes are on the same box. Of course he has to go out and buy another machine for the sole purpose of disinfecting the first! (OK, he doesn't, but Joe Public won't understand the difference between 'installed on another hard drive' and 'another computer')

It just goes further to prove that to clean your PC of all these attacks the first thing to do is remove Windows and all its failings. Or buy a Mac.

Re:I don't get it.

Yeah, it's almost as if she has a mind of her own.

Which is exactly the point. In my experience, people will use whatever they have been innicially directed to use (Windows and Internet Explorer) and stick to it. Geeks don't understand how normal people see computers. Non-geeks don't understand the complexity of software. They don't understand there is anything more to a program than 'whats on the screen' and 'the icons' and so on. Geeks furthermore develop an unrealistic idea of what the average person understands of computers because their friends and family will be more computer-literate than the average person. But most importantly, computing is a tool for the non-geek rather than a social passion. They are unconcerned with the fight against the-great-satan-Microsoft which sites like Slashdot are always obsessing over. They don't think Linux is cool. This means they're not having their perceptions of Linux's & Firefox's shortcomings warped in favour like geeks always do; a true believer in Linux will insist it's as easy to use as Windows, or a true believer in Firefox won't acknowledge how slow XUL makes the GUI. The average person sees an OS they can't use and can't run their software, and a browser that takes longer to react to mouse-clicks and to launch. This matters.
How many people have I converted to Firefox? None. And I expect that won't change. Internet Explorer is prettier and has a more responsive and user-friendly U.I. That is all people understand of a browser, and as those two things are deficient in Firefox (as is the moronic name which puts people off), most people would choose IE over FF when given the choice, even when told about the security issues (which they ignore as they simply don't understand -- like how millions of Africans contract AIDS despite being told about the dangers, simply because they don't fully understand disease -- the lack of comprehension creates a suspension of reality).

To say that ordinary people "should just use Linux" to avoid spyware is naive of what people are prepared to do. It is possible that a freesoftware OS and a freesoftware browser could've become standardised, but there are severe sociological shortcomings in programmers that have prevented this and will continue to prevent this. Linux and Firefox just aren't good enough where it counts, and almost nobody involved in programming understands why. Socially adeptivity and perceptivity are qualities that when present in a person are going to very, very likely preclude that individual from bothering with something as numerically mundane as programming. There are reasons why not many football players do ballet, for similar reasons.

Re:I don't get it.

Yeah, it's almost as if she has a mind of her own.

Not only a foreign concept for many Slahsdotters when it comes to women apparently :) but also increasingly when it comes to posting/modding.

I've been lurking here a long time, and still wonder when exactly this fundamentalist turn happened. Suddenly everything is either black or white. Only One Way. And bias and fud (the thing we used to be against) is more important than facts. Bullshit (and I don't mean opinions but facts) are rated +5 informative just because it is pro-Linux and/or anti-MS, while facts correcting this are modded down.

I've been using both Linux and Windows for a long time, and both have strength and weaknesses. I can see a lot of reasons for choosing one or the other, that varies with situation, needs and what people want (yes, they can prioritize different than You without making them Wrong, or Joe Schmoes or whatever the popular derogative is for people daring to think and choose different than You...)

Sometimes I wonder if that sig someone had (no, not me :) saying "I see more xp ignorance in here than Linux ignorance in an AOL room" really is true, or if we just let it appear that way - so that facts don't mess up our world view, or something.

I guess for the young and righteous, this sounds like old people yapping about "the youth today" or "everything was better before". But I miss when it really was more News for nerds, and less religion for nerds.

Re:I don't get it.

[niiler]

It's one thing to have experience in secure computing; it's quite another to share that with someone else.

After securing my brother-in-law's household by setting up a specific administrator account for software installs, removing IE links where-ever I could find them and replacing them with Firefox, installing SP2, installing AdAware, installing a decent firewall and several other things, they are now constantly calling because such and such doesn't work properly.

The call is usually one of the following:
1) Such and such program that worked before you did the SP2 upgrade doesn't work anymore. Could you come over and figure out a way to fix it? I need to run it.
2) I can't use such and such website because it needs IE. (And no, the UserAgentSwitcher extension isn't working in this case). Please give me access to IE so I can circumvent all the security you've installed.
3) I really want to install known spyware/adware containing program, but I can't unless I get into the administrative account.
4) Why can't I just run as administrator? Aren't you a bit paranoid for putting all this security on our computer? Now I have to actually switch users in order to install stuff and the extra two or three clicks is really annoying.

Just for fun, I've given them an extra computer running KDE 3.3.0 on top of Linux with all the latest scanning, printing, image processing, instant messenging, browsing, cd-burning, dvd-watching software...but they won't use it because:
1) It looks different. They're deeply uncomfortable with that fact.
2) They try to download and install Windows programs, and of course, it doesn't work. This despite being given a compatibility list and where to get compiled binaries. (and an invitation for me to install things if they're really uncomfortable with nice GUI installer)
3) They want to buy software at Best Buy and install it on the computer and it won't run. Again, they tend to ignore the compatibility list.
4) Did I mention that it looks different than Windows?

The point is that you can educate users, but most simply don't want to be educated. They have gotten comfortable in their current paradigm (usually some mixture of the "freedom" of Windows 95/98 with the performance and "security" of windows XP) and don't want to change/learn anything different. Not only that, but remember that when it comes to family and friends, you can't set a policy like you can in a company. Telling the wife - NO - you cannot run that program that you love and have been using for ages because it is insecure is, in general a bad move.

In short, I've been where this guy has, and I'm totally sympathetic. Let's not take cheap shots and call the guy an idiot because he didn't go the next step and use a root kit.

Re:I don't get it.

[laka21]

hah! what was that for ? degrees dont teach anything ?? well my friend school is the basis for education. I dont understand why have to make such a generalized statement here.
btw it was his wife who was using IE not him and if you are married then you wouldnt simply put the blame on him.
The person has written a credible article and he deserves some applause and not some useless 1 liners.

Re:I don't get it.

[fymidos]

>he is naive enough to believe that he can clean
>machine using the very same machine

well, he apparently managed to "clean machine using the very same machine" so that would make him a bit less "naive" and a bit more "capable".

>he lets his wife run as admin

some people buy their own computers,and they believe that they can do anything they want with them. Many people don't ask permission from their family members before they open their brand new computer - which by they way happens to automagically log you in as admin.

Re:I don't get it.

[mentin]

well, he apparently managed to "clean machine using the very same machine" so that would make him a bit less "naive" and a bit more "capable".

You don't get it. A good rootkit will only let you see what the rootkit wants you to see (when using the very same machine where rootkit runs). However capable he is, he (if the rootkit was installed) has no way to know whether the trojan was installed, far less being able to clean it.

You looks in the registry, but the rootkit intercept registry API. You looks at disk, but the rootkit intercept disk API. And so on. All he can claim is that he eliminated sindromes visible to him.

For me, his claims that he cleaned the machine worth nothing, they only say that this guy does not deserve his sysadmin's salary.

Re:I don't get it.

[WebCrapper]

Saddly, the whole "it looks different than Windows" is a major issue with my wife. I run FreeBSD, RedHat and recently setup Debian for a friend. During the initial setup of Debian, my wife came into the room and exclaimed "what the hell is that?!" Linux, more specifically, Debian "thats ugly, I'd never use that!"

Its sad to say that using something based on how it looks has become a major issue with people. Its better, more secure, but its damn ugly compared to what I've been using since 1995! I really don't get it.

Now, the other thing is that I'm starting a new company and one of our main issues is "no windows" - the only thing we're interested in windows for is software testing and technical support (for when we need to compare things we can't see with virtual apps).

One of the factors we have to deal with is training, but we don't have any major qualms with it. We figure 1 day should be enough for our reps to become familier with it at first. After that, we deal with class on a normal basis and teach certain things as we go.

preaching to the choir

[venicebeach]

Well, this is a nice letter and all, but I have a feeling the only people with the patience to read through the whole thing are already convinced of its content...

Re:preaching to the choir

[ninthwave]

No we usually get called in to fix the PHB's machine and we explain the situation we somehow find that our proxy servers are more restrictive and we can't download drivers and support files, yet the PHB a month later will call in with more problems, and his connection has the rights to make it through the firewall.

And we explain the issue again and we can only view the company intranet now. And still the PHB can view manhole or suicidegirls or hamsters in love .com or whatever his fetish of the week is.

The suggestion always means the tech's and regular staff need locked down but it never applies to the idiots that actually cause the most problems.

Not that I am bitter or anything.

Re:preaching to the choir

[FireFury03]

a contact manager that can sync with both an Ericsson and Motorola phone

I use Evolution and Multisync to sync my Sony Ericsson P900 over bluetooth.

EAC and LAME

Grip and Lame.

Now, the point of this post is this... each time I have looked at Linux to date I find it is not quite ready

I've not used a Windows machine (for anything serious) in over 2 years (and before then I wasn't using Windows very much). I've yet to find anything (that I want to do) that I can't do on Linux but I could do on Windows - infact most stuff would be a lot harder on Windows. Over the past year I've asked various friends why they use Windows at home and I haven't had any answer other than "because Linux doesn't run $latest_game" which totally reenforces my belief that Windows is a toy operating system.

When I'm lazy I stick to Windows, because it does work.

I don't understand how people can complain that Windows is easier - every time someone has a problem in Windows and asks me for help I'm left wondering how I fix it whereas in Linux the tools you need are just there. I.e. if I've got a networking problem, after checking the obvious I break out tcpdump and see what traffic is actually going where, that's something I can't do in Windows so I'm left without any clue what the problem is or how to fix it. And before you tell me to just download Ethereal or something, that isn't very easy when your network's broken now is it?

There are only 2 areas where Linux falls down IMHO:
1. Support for hardware is sometimes flakey or not there - usually this just means doing a little bit of googling before buying the hardware to check it works ok.
2. You can't just pick up $random_software from PC World and install it (in many cases there is a free alternative for Linux, so again often a little bit of research will help) - this is mostly a problem with games since there are no alternatives.

I personally think there is a lot of value in this. It's already put it back on my desk as a fun thing to do this afternoon (give Gentoo another try!).

I might point out that for your first outings into Linux land you probably want to pick a more friendly distribution. (I can't really comment here, having never used Gentoo, but I understand that it's probably not as friendly as Fedora or Mandrake).

Re:preaching to the choir

[tepples]

There are only 2 areas where Linux falls down IMHO [drivers and games]

I don't need to worry about games because I have a cube specially designed for them, but a lot of people like me can't afford to replace their hardware with Linux-certified hardware.

usually this just means doing a little bit of googling before buying the hardware to check it works ok.

Doesn't help if your ISP's custom dialer (netzero, aol, netscape, etc) is incompatible with Linux, because you can't even get so far as the Google home page.

I notice he could have fixed this.

.e. unfixed bugs and glaring security vulnerabilities - that Microsoft in his view hopes ordinary users will ignore,

The bugs he describes have already been fixed in Windows.

In other words, he's STILL using an unpatched system, and complains of unfixed bugs? Come off it. MS bashing might be a worthy cause, but this is like blaming Clinton for the war in Iraq.

You did a disservice to your wife

[gfecyk]

Not by letting her run IE, but by letting her run IE on a Windows box as full admin.

"... despite the anti-virus, regular Windows updates, having the good sense not to open attachments, using a firewall, and avoiding any type of seedy activities online..."

Let's see, it's 2004, XP is two years old, 2K is four years old, and your wife got spyware for one of two reasons:

* You let her run too old a version of Windows (98/ME) with no built in security, (Melissa got past anti-virus software remember) or
* You let her run 2K or XP with full admin or "power user" access.

You two only have yourselves to blame for choosing to run a machine insecurely. Yes, you. You could've stopped all of this before the fact if you ran a modern version of Windows as limited users, if you used a mail program Designed for XP and kept that up to date as well as the OS, if you treated the 'net like any other public place instead of trusting everyone by default.

You chose Windows, and you chose to run it insecurely. If you think running Linux is the cure, go right ahead. But if you run it as root, you don't deserve any sympathy from me. And if you run XP as a full admin, you deserve even less sympathy.

Take charge of your own computer security already, however you do it. Don't whine at Microsoft because you let it happen.

And damn my slashdot karma to Hell anyway. I'm sick of this whining: "Microsoft (this), Microsoft (that), Microsoft (whatever)." Lazy bastards. How come MY MOTHER doesn't get spyware or viruses or whatever when she's running only XP Service Pack 1? Without any AV software? Explain that.

Re:You did a disservice to your wife

[mattyrobinson69]

What about applications that for some reason need to be root, like the sims

Re:You did a disservice to your wife

[DocSavage64109]

Most consuner PC's are sold with Windows XP Home Edition preinstalled. There is no such thing as a non-"power user" login in XP Home Edition. It just seems silly for you to blame the author for a lack of security in an operating system when Microsoft itself purposely removed the security from said operating system.

Re:Oh, hey, Wow!

[levell]

He's not hoping to affect MS with stern words, he's hoping people start to switch away, which can happen when enough of the geek population think it's right (as Firefox is starting to show).

Once people in numbers start to switch away, it is possible Microsoft will react with better products (again, as an example they have restarted IE development because of Firefox), everyone wins then (even the people who haven't switched).

So he calls himself a sysadmin?

[Otis_INF]

Why didn't he setup a non-root account for his wife on the windows box? Why didn't he install THE browser, Firefox, on his wife computer? Why didn't he enable excessive auditing so he could track down which app installed what and when?

Oh, that's too hard? If that's too hard, you're not a sysadmin.

True, spyware can be almost viral these days, but there is one factor which enables it in the first place: the user. "Oh, this nice free tool from www.[the tool's name].com is so handy!", should ring a bell, a lot of bells, alarmbells to be exact. NO search bar comes for free, unless it's open source, to name an example.

First I thought, hmm could be a great article, but after a few paragraphs it was clear this article is not great, it's the frustration of a person who doesn't WANT to understand windows and blames the consequences of that to the OS. I mean, blaming IE and not having firefox installed should be enough to categorize this article as "ordinairy propaganda".

I get so tired by this kind of stuff

[Caine]

I run Windows. I didn't use to. Between 1993 and 2001 I ran Linux almost exclusively. When Windows 2000 was established I switched on the simple basis of that it was better.

I don't run anti-virus. I don't have a firewall. I don't run spyware-removals under normal circumstances. If I feel the computer is feeling odd I download and run F-Prot's free DOS version followed by running Adaware 6. On some single occasion I've run Norton Anti-virus just to be on the safe side

I'm not alone in using this computer, my not quite so computer-literate girlfriend does too. I often download shareware games and freeware programes, not to mention warez every now and then.

Despite all this - I have never (*knock on wood*) been virus-infected. I have never gotten any spyware.

So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault?

Re:I get so tired by this kind of stuff

So tell me, how do you know there is nothing wrong?

Re:I get so tired by this kind of stuff

[mindstrm]

It's not over the top at all. Spyware is a HUGE problem.

People who "never" get infected, (I'm like you in this regard), are a very small minority, and it's partly luck.

I administer a network of 300+ workstations. We have reasonably locked down computers, as up to date as humanly possible, and spyware is still a constant problems. Extreme vigilance with regards to updates and extreme restrictions on what users can do reduces this to only a few machines now and then, but the problem IS large, and is a constant threat. Believe me, if we could ignore it we would.

To all the astro-turfers &| geniune windows pe

[cranos]

Telling all the stories you like about how your (or your mothers/wives/SO's) machine has never had a virus/spyware attack even though you never run anti-virus software nor a spyware detection suite isn't going to mnean a lot.

The simple fact is that many of the people on this board have to work with windows (from 95 to 2003) everyday and can tell you horror stories about machines that have been secured, reside behind a natting firewall, etc etc but still they get slapped down by the newest virus which has snuck in through a vulnerability which was patched three months ago.

The other area you seem to be missing is the inate ability of users to fuck things up, no matter how secure you make it. All it takes is one innocent click on a link and all of a sudden you have spyware coming out your nose.

Windows user status sucks ...

I read a number of people who indicate one should run Windows XP in user mode, but have they actually tried it? Unless you wish to simple browse the Internet, you are pretty restricted and unlike Linux, a myriad of programs require "root access" and cannot be installed locally.

The first thing one should do before connecting Windows to the Internet is simply install a firewall, then run Windows Update, then install Firefox -- sites exclusively reserved to Internet Explorer users are becoming decreasingly common, it should not be a problem anymore.

Chris is wrong.

[gad_zuki!]

Sorry, but all my relatives who I have switched over to Firefox or Mozilla do not have ANY spyware. Nada. Nothing. I showed them a list of spyware apps, in other words what not to install and they have healthy and happy PCs.

Claiming switching to linux is the only solution is a huge admission of ignorance of how the spyware problem stems almost exclusively from one piece of software, namely Internet Explorer.

Windows, even as admin, can be safe for the technophobe. I've seen it and I continue to see it. The problem is IE. I don't care how savvy you are, if you're using IE to access the WAN (perhaps SP2 is an exception) you will get spyware and other nasties.

So many "linux advocates" are so ready to throw out the baby with the bathwater, its absurd and makes the zealots, well, look like the zealots they truly are. Not to mention, if Linux hits critical mass on the desktop (yeah Im not holding my breath either, OSX has a much beter chance of toppling Windows) then spyware developers will target it also. Grandma will still get emails like "Funnyshit.rpm" and the browser will ask if you want to install "super-search.xpi." These apps will hide themselves anywhere they can, just like they do in windows.

Better browsers and more informed users is the solution, not advocating one's pet OS.

Re:To all the astro-turfers &| geniune windows

Yep.

In linux cleaning out spyware is very simple.

tar zcsp /home/luser/ - > /home/locked/luser.tar.gz
rm -rf /home/luser/*
echo "We need to talk" > /home/luser/README
mkdir /home/luser/Desktop/
cp /home/luser/README /home/luser/Desktop/README.txt

The whole ordeal taken care of, thankyou very much.

There is a advantage to having primitive and coarse permissions setup and have a history of applications that are designed since before Win95 to operate properly in a locked down enviroment.

It's all part of the legacy of Unix being a multiuser enviroment for high-end machines for critical data infrastucture and NT designed for a simple file server that was combined with a single user operating system (Win9x) to make WinXP. (and be backward compatable with Win9x)

Linux and Windows are not equal. Hackers are a problem with Linux, but malware isn't. Different OSes, different issues. Linux is difficult for many people to install, Windows is difficult for many people to operate in a safe and secure manner.

Which do you suppose is a worse trait?

No Linux viruses in 2005. Not one.

How many has Windows have? Maybe a thousand? 2 thousand variants?

Re:Won't Linux become infested as well?

[mjh49746]

It's not really Linux as much as it is the web browser.

Now Mozilla and Firefox will warn you and make you wait two seconds before you try to install something unsigned. IE won't even do that unless you instruct it to in the Advanced Settings and sometimes it will do it anyway, but that's what you get for the broken piece of shit they call ActiveX.

Granted, Linux is much more secure than Windows, but when you give Linux to a horribly inept AOL kind of luser, then it won't take long for him/her to get r00t3d, too if the distro leaves services running by default, like for example HedRat. At least with HedRat, you can shut down those services if you know how to do it. Meanwhile in XP, you can't shut down the RPC service without Windows going total batshit. XP won't even let you do it at all! You NEED a firewall just to sweep it under the rug. Now, if that's not a severe and utterly braindamaged flaw in OS design, then would someone tell me WTF is?!? (Aside from IE built into Windows)

Re:5 hours?!? (sigh)

[Daniel+Ellard]

2. Uncheck all startup entries that look suspicious.

And which ones are those? Seriously.

Given that the programs can register themselves by whatever name they like, this is non-trivial. Given that the names of many of the valid entries look pretty odd already, by just unchecking things you can quickly find yourself with an unusable system.

Thin ice

[boodaman]

I'm probably on thin ice saying this here, but oh well.

I run three OSs at home: OS X, Fedora Core 3, and Xp Pro. At work, I admin XP Pro and Red Hat.

My company has about 150 PCs running some form of Windows. In the last year, we've had one infection. One.

At home, I've never had any. Ever.

While I totally support GNU/Linux (including monetary donations and buying distros like SuSE at retail price), I also pay for and use XP Pro for various reasons. I agree that Windows is deficient in many ways, and I agree that Microsoft could do things differently and be better for it in the long run.

However, I find it very difficult to understand how so many people's computers get infected. Windows or not. I do nothing special at home...the only thing I've done is use a broadband router from Netgear (because I have more than one computer), make sure I keep my XP Pro machine updated, install anti-virus and keep it updated (automatic) and use Firefox.

This guy is a sys-admin, and his wife's computer gets infected? How? If it is "his wife's" computer, that implies he has multiple computers at home. This implies some sort of router...even a $20 router uses NAT and has basic firewalling built in.

Either this guy is a poor sys-admin, or his wife did something with the computer to get it infected. So, Windows and Microsoft flaws aside, what we're really talking about here is a user education issue. I, as a user, at home, am educated about security issues on my PC. The people at work are educated. I don't have problems at home, and neither do we have problems at work.

So, while his open letter is all well and good, maybe in his case he should focus on better education at home and spend the $50 required to get a decent NAT router with firewalling, instead of bleating about Windows.

'Let' his wife...???

[dogugotw]

Don't know how things work in your home but in my home, I have a computer (Mandrake) and my wife has a computer (XP home). I don't 'let' her do anything with her pc, she does what she damn well wants thank you very much and god help me if I start screwing with her setup and make something burp... and yes, I do have to clean up the mess when things go bad.

the good news is that her system is well patched, runs zone alarm, avg, mozilla, and I just switched her from aim to gaim. Step by step the migration to FLOSS goes forward.

Keep in mind that 'her' computer is for more than home and has to work at her place of employ (Windows and apple shop) so some of the 'hands off' has to do with not screwing up use of the system at work.

Anyway - bottom line, at home you are NOT a sys admin, you're a spouse with special skills.

dogu

80% Infected

[HangingChad]

80% of Windows users suffer from spyware

And the other 20% are unplugged.

Re:Never once

[Taladar]

That because we don't want to play the "blame-game" like politicians and big corporations do. We want to play the "who can do something about it game" and MS is definitely the one entity that has the means to do something about this problems.

Wrong strategy

Instead of writing "open letters," (also known as "pompous soliloquies") maybe he could try interacting with his wife once in a while to find out what the fuck she's up to. If she's really so clueless, he should configure the computer as a kiosk suited to whatever her normal tasks are. And pad the sharp corners of the monitor and case.

I have to wonder, are the OS and apps really at fault here? I know people who've run Windows OSes for a decade without once getting spyware, virii, trojans etc. on their machines. Therefore there must be some other element at work here. If you outfitted the reetee in question's computer with, say, Mandrake, and with no more information or interaction than you provided before, do you really think that she wouldn't be able to fuck it up in short order? I'll tell you what, I'm a bit skeptical of that.

In any case, blaming the world for your wife's stupidity is not going to fix it.

whatever

[texassage]

You don't run and you are not behind a firewall, you don't us AV and you don't use any spyware software. You download shareware/freeware/warez.

You have NEVER gotten spyware or a virus.

I cry bullshit.

You MIGHT be able to get away with that kind of system administration with WinXP SP2. If you hang an unprotected windows box onto an external (read, outside the firewalls) 100 meg network, you will be scanned within 30 seconds to a minute and compromised within an hour. Possibly longer, if you have really tweaked the machine. That would go against your premise though, if you spent any time securing your machine, then you probably needed a firewall.

There are trojaned machines constantly scanning for machines, like yours, in the wild. Microsoft patches have been too late to stop an infection more times than I can count.

I am a sysadmin and security engineer. I could secure a box, without third party apps, so that I could surf the web, download software (AND INSTALL IT) etc. It takes time and effort that I am not willing to spend. It also assumes that there is nothing on that workstation that I don't mind sharing with the world, since I am not perfect and any machine can be hacked/cracked if you put it on the Internet.

I use winxp sp2, firefox, proxomitron, adaware, symantec AV, spybot, sygate firewall and a couple of homerolled apps. Between my wife and my kids, we still get adware/spyware, we have not had a virus in years. A large percentage of the shareware out there has some kind of spyware. Many websites get you when you register. Etc etc etc

"So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault? "

Sorry, your post just doesn't ring true for a workstation that is actually used for daily, office automation type work and play. Microsoft doesn't even try to claim that you don't need a firewall or other protection. They don't hang windows boxes on the net unprotected.

Re:Don't get me wrong I like Linux (and dislike M$

[Todd+Knarr]

There is. Firstly, Unix has been in use in university environments for nigh on a quarter-century now. Cracking systems has been a hobby for college comp-sci majors for as long as computer systems have been available to crack, and the operating-system-design classes in that major are often based around dissecting the actual source code of the very systems they're trying to crack which means they've far more detailed knowledge of Unix systems than of Windows. And yet, despite that, Unix remains relatively secure in that environment. Why should we assume this would change?

Secondly, track record. Apache on Linux is probably the most popular platform for Web servers based on NetCraft and other surveys. Apache on Unix of some sort definitely is not only more popular than any other option, it's more popular than all other options combined. Unix is the dominant OS there (and the traits that make Linux secure are simply the normal traits of any other Unix variant). Yet while we see regular compromises of Web servers, compromises of Apache on Unix are relatively rare. If it's not compromised often in an environment where it is the dominant platform, why would it be compromised often in another environment if it were the dominant platform?

Respectfully, I disagree

[gone.fishing]

I too hate the lack of security and the number of exploits that the typical Windows machine is exposed to. I feel that Microsoft has a responsibility to do something more than they are doing to fix the problem and sadly, I don't see them doing enough in the near future at least.

But I disagree that this is what it should take for people to migrate from Windows to Linux. People should make their choice for the right reasons and only one of those reasons is security. They also have to weigh things like user-friendlyness, support, cost, effort required to learn, availability of the applications that they require and probably a dozen other user variables.

Open Source in general and Linux in particular, has been making great progress in virtually every aspect that I can imagine. In many ways it is ready for "prime time." Yet to claim everyone should move to it, I can't quite accept that yet. In my business, you can't find particular applications (relating to "industrial formulation calculators" for instance) that are necessary for the operation of the business in open source (I've researched this).

While I am able to work my way around a Linux Desktop with KDE and be fairly comfortable with it, members of my family don't seem quite as capable and frankly, I don't want to spend the time teaching them.

Still, I spend close to fifty percent of my workday dealing with spyware (and another 1 or 2 percent dealing with viruses, worms, and trojans) and I hate it. I haven't found a single product out there that does an acceptable job of preventing it or cleaning it although on my home Windows machine the McAffee suite + AdAware + Yahoo Anti-Spy seems to mount a pretty good defense. The McAfee is always on and auto-updated, I run automated anti-virus scans every night. I run AdAware every couple of days, and right now, since it is new, I am running Yahoo Anti-spy every day. My ISP also filters my email with an anti-virus program and I practice all the common preventitive measures and am quite liberal at assigning "spam" tags on incoming emails.

Still, all of this amounts to a lot of work. I do think Microsoft shares the blame with the malware authors in the same way that car manufacturers used to carry part of the blame for car thefts (since cars were so easy to steal). Microsoft it would seem to me has the same kind of responsibility that car makers had, to develop a safer product. I am willing to share part of this expense (developing products costs money and that cost is passed on to customers - it is what for-profit companies have to do). I also hope we get help from legislators and from ISP's, and even hardware companies who each in their own way can develop things that would make malware harder to propogate.

I'd also like to challenge computer makers to provide us with additional choices, like packaged Linux boxes, better secured Windows boxes, and software that actually works that comes bundled with machines so that so many people don't download "free" spyware-laden products to do something they expected their computer to do out of the box (Dell, Sonic - do you hear me?).

These suggestions won't fix the spyware problem.

[zerofoo]

I hate these types of "letters". All they do is make Microsoft look bad, but they don't make Linux look very good. Most people I talk to that are frustrated with Microsoft look at linux (on the desktop) and say - OK, it's free, but it isn't as "nice" as windows.

Those same users really like OS X - but they don't want to buy an expensive computer to run it.

The reason spyware is not a problem for linux yet is two-fold:

1. Marketshare - if you are writing spyware, wouldn't you want to "spy" on the largest user base?

2. Application installation ease - most spyware does not install itself. Most spyware i've run into came from users directly downloading and double-clicking files. Installing apps on Linux is not nearly that easy - and that's why my sisters, neices and nephews don't like Linux. They can't double-click and install.

Sure, eventually Linux will HAVE to be that easy to get the marketshare that Microsoft has. Don't rattle off the excuse about being prompted for a password in OS X - i've seen users blindly type in an admin password every time the installation box pops up.

When *nix becomes easy (and popular), spyware will become a problem on *nix.

-ted

Straw Man + Ad Hominem = +3 Insightful!

[stealth.c]

How do people get +3 Insightful for completely missing the point?

First, I don't know about anyone else, but it is an incredible pain trying to run Windows (2000, at least, in my experience) as anything but Administrator.

Second: what is this "Maybe he is just an idiot" crap? He could easily have a wife who, like anybody else, would prefer to have their computer how they want it and for others to leave it alone. I know plenty of people who get irritated if anyone changes things on their personal computers--much less use them. As for rootkits, etc., are 80% of Windows users (the people who have this problem) really going to have access to those things, the skills to use them, or even the dimmest knowledge of their existence? Of course not.

Jumping down this guy's throat over the state of his wife's computer is completely missing the point. His point is that there are millions of people just like her, and his weighing of the pros and cons makes Windows an absurd choice for a desktop OS. Address that. Stop grasping for ways to tear him down instead of his argument.

Re:5 hours?!? (sigh)

[Daniel+Ellard]

The original context was that five hours was longer than necessary. Now you're telling me that in order to do this, I need to monitor my config constantly, and then spend "years of trial and error" to "work it down to an artform" and then it will pay off by saving me a few hours?

Thanks, but no thanks.