Slashdot Mirror
Open Letter to a Digital World
jg21 writes "Exasperated after spending 5 hours removing spyware and trojans from his wife's Windows PC, sysadmin Chris Spencer has written an impassioned Open Letter to a Digital World. In the letter he reviews the 'elephants in the closet' - i.e. unfixed bugs and glaring security vulnerabilities - that Microsoft in his view hopes ordinary users will ignore, including some discussed in previous Slashdot stories."
He has a CS degree, runs Linux himself and still let his wife surfing the web with IE? What went wrong? We all now that alternatives exist.
Well, this is a nice letter and all, but I have a feeling the only people with the patience to read through the whole thing are already convinced of its content...
All this time, with all the antitrust lawsuits, and it turns out all Microsoft needed was a stern talking to. Man, wish I could think outside the box like that...
I've found a quicker way to get rid of those files, identify the executables through task manager and the "run" keys in the registry, then change filepermissions to block the system and user accounts on those files and/or directories, kill processes, remove registry entries, reboot, delete files. No more respawning webrebates etc..
And if you haven't set the filesystem to NTFS, you need to be slapped silly.
home
I was going to seriously reply, but this is a troll. He refers to Linux as if it were a type of computer, not a peice of software. Pure nonsense.
Sleep is futile.
Not by letting her run IE, but by letting her run IE on a Windows box as full admin.
"... despite the anti-virus, regular Windows updates, having the good sense not to open attachments, using a firewall, and avoiding any type of seedy activities online..."
Let's see, it's 2004, XP is two years old, 2K is four years old, and your wife got spyware for one of two reasons:
* You let her run too old a version of Windows (98/ME) with no built in security, (Melissa got past anti-virus software remember) or
* You let her run 2K or XP with full admin or "power user" access.
You two only have yourselves to blame for choosing to run a machine insecurely. Yes, you. You could've stopped all of this before the fact if you ran a modern version of Windows as limited users, if you used a mail program Designed for XP and kept that up to date as well as the OS, if you treated the 'net like any other public place instead of trusting everyone by default.
You chose Windows, and you chose to run it insecurely. If you think running Linux is the cure, go right ahead. But if you run it as root, you don't deserve any sympathy from me. And if you run XP as a full admin, you deserve even less sympathy.
Take charge of your own computer security already, however you do it. Don't whine at Microsoft because you let it happen.
And damn my slashdot karma to Hell anyway. I'm sick of this whining: "Microsoft (this), Microsoft (that), Microsoft (whatever)." Lazy bastards. How come MY MOTHER doesn't get spyware or viruses or whatever when she's running only XP Service Pack 1? Without any AV software? Explain that.
Use Evolution instead of Outlook? Bewa
Dear Mac user,
this is an automatic message from your ISP.
Due to the last batch of Viruses/Worms/Trojans affecting the Microsoft users that you so despise,
the network is congested, and you cannot reach Itunes stores and cannot download the Steve Jobs Picture of the day.
We apologize for the inconvenience.
Zed: Nothing is ever easy
I actually have exactly the opposite scenario. At my work, we have a fileserver running MS Windows 2000 Advanced Server, with a 2.4 TiB RAID NTFS filesystem. At home I run Gentoo on my box, w/ UATA/133 IDE drives using ext3fs. It takes slightly less time to _delete_ a 4 GiB file on the fileserver at work, than it took me to _move_ about 5.5 GiB from one drive to another in my box at home. The MFT for the NTFS filesystem on the fileserver at work is very very badly fragmented, drastically killing performance. Now, this is our fault for not keeping it defragmented (well, not mine, as it was already like this when I transferred to this department ;), but I've never defragged my box at home either, so...
Join moola.com, play games to earn money.
Why didn't he setup a non-root account for his wife on the windows box? Why didn't he install THE browser, Firefox, on his wife computer? Why didn't he enable excessive auditing so he could track down which app installed what and when?
Oh, that's too hard? If that's too hard, you're not a sysadmin.
True, spyware can be almost viral these days, but there is one factor which enables it in the first place: the user. "Oh, this nice free tool from www.[the tool's name].com is so handy!", should ring a bell, a lot of bells, alarmbells to be exact. NO search bar comes for free, unless it's open source, to name an example.
First I thought, hmm could be a great article, but after a few paragraphs it was clear this article is not great, it's the frustration of a person who doesn't WANT to understand windows and blames the consequences of that to the OS. I mean, blaming IE and not having firefox installed should be enough to categorize this article as "ordinairy propaganda".
Never underestimate the relief of true separation of Religion and State.
I don't run anti-virus. I don't have a firewall. I don't run spyware-removals under normal circumstances. If I feel the computer is feeling odd I download and run F-Prot's free DOS version followed by running Adaware 6. On some single occasion I've run Norton Anti-virus just to be on the safe side
I'm not alone in using this computer, my not quite so computer-literate girlfriend does too. I often download shareware games and freeware programes, not to mention warez every now and then.
Despite all this - I have never (*knock on wood*) been virus-infected. I have never gotten any spyware.
So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault?
Telling all the stories you like about how your (or your mothers/wives/SO's) machine has never had a virus/spyware attack even though you never run anti-virus software nor a spyware detection suite isn't going to mnean a lot.
The simple fact is that many of the people on this board have to work with windows (from 95 to 2003) everyday and can tell you horror stories about machines that have been secured, reside behind a natting firewall, etc etc but still they get slapped down by the newest virus which has snuck in through a vulnerability which was patched three months ago.
The other area you seem to be missing is the inate ability of users to fuck things up, no matter how secure you make it. All it takes is one innocent click on a link and all of a sudden you have spyware coming out your nose.
I read a number of people who indicate one should run Windows XP in user mode, but have they actually tried it? Unless you wish to simple browse the Internet, you are pretty restricted and unlike Linux, a myriad of programs require "root access" and cannot be installed locally.
The first thing one should do before connecting Windows to the Internet is simply install a firewall, then run Windows Update, then install Firefox -- sites exclusively reserved to Internet Explorer users are becoming decreasingly common, it should not be a problem anymore.
You know, that's pretty funny if you ask me, because I can usually do it in about 30-60 minutes or less (give or take), and with no degrees and no professional training whatsoever.
Here's how you do it....
1. Run msconfig
2. Uncheck all startup entries that look suspicious
3. reboot
4. Update and run Lavasoft AdAware
5. Update and run Spybot Search and Destroy
6. If you have them, and you should, update and run your favorite antivirus scanner.
7. Make sure all the spyware leftovers and their folders, if any, are deleted.
8. Run msconfig again and reenable anything legitimate that you might have disabled
9. reboot
Now, why do you want to disable the suspicious shit with msconfig first? If you ever get really 'stubborn to remove' shit like Ebates Moe Money Maker and friends, they're practically impossible to remove just by spyware scanning alone. You have to stop them from loading in the first place before you can get rid of them.
Well, other than the fact that he's laughably inept at cleaning spyware, he's still got a very valid point about just how utterly shitty and insecure the Windows platform is. It's been woefully insecure for years, it's woefully insecure now, and it will be woefully insecure for the unforseeable future. That's not just my opinion, it's a well known fact that Windows has been full of holes since at least since Windows 95, and likely earlier.
So, here we have a company that doesn't give a shit about it's product, doesn't give a shit about it's customers, doesn't give a shit about the law, and still it abuses its monopoly after being convicted of such in court. And as much as I blame Micro$oft for all the ills of the computer world, I'm a lot more pissed off at the consuming public for being the lazy, complacent sheep that they are for tolerating this abuse upon society for as long as they have, and instead of sitting on their fat asses allicted with "Homer Simpson Syndrome", they ought to be complaining to their government enmass and threatening to vote out the whole of Congress itself if that's what it takes to get them to do something about Microsoft. Damn! It's almost like walking into a run down crime ridden neighborhood, and looking at the people in it acting as though it's all normal that the neighborhood is all run down, vagrants and junkies sprawled out on the streets, drug pushers on every block, and hearing the sounds of gunshots, security alarms, and police sirens all the time.
Total batshit insanity, man! Just total batshit! But I guess it's what the people want. They don't really want freedom or justice, they just want to sit on their ass, watch that braindead 'Survivor' or 'American Idol' bullshit and wait for the TV to reprogram them into wanting the latest 'excercise in a bottle' weight loss fad or the latest $50,000 SUV that gets 3 mpg, has a DVD, and increases your penis size a whole 5 inches! What an utter travestry!
Well, that's my rant. Probably won't do anything to change the world no more than that 'Open Letter to a Digital World' will, but who knows? It only takes a few angry and motivated people to get the ball rolling.
she tried to help Mariam Abacha, the widow of the now deceased General Sanni Abacha, move $80 million from Nigeria to the U.S. (God willing).
Sorry, but all my relatives who I have switched over to Firefox or Mozilla do not have ANY spyware. Nada. Nothing. I showed them a list of spyware apps, in other words what not to install and they have healthy and happy PCs.
Claiming switching to linux is the only solution is a huge admission of ignorance of how the spyware problem stems almost exclusively from one piece of software, namely Internet Explorer.
Windows, even as admin, can be safe for the technophobe. I've seen it and I continue to see it. The problem is IE. I don't care how savvy you are, if you're using IE to access the WAN (perhaps SP2 is an exception) you will get spyware and other nasties.
So many "linux advocates" are so ready to throw out the baby with the bathwater, its absurd and makes the zealots, well, look like the zealots they truly are. Not to mention, if Linux hits critical mass on the desktop (yeah Im not holding my breath either, OSX has a much beter chance of toppling Windows) then spyware developers will target it also. Grandma will still get emails like "Funnyshit.rpm" and the browser will ask if you want to install "super-search.xpi." These apps will hide themselves anywhere they can, just like they do in windows.
Better browsers and more informed users is the solution, not advocating one's pet OS.
Deleting 4GiB on NTFS *should* be in the range of 1 second, and is on most of the hosts at work (all formatted w/ NTFS). But on the badly fragmented filesystems, it's closer to a quarter of an hour (guesstimate, we did actually time it once, but I forget exactly what it was).
Oh, and moving from one filesystem to another is gonna be a whole ton more ops than deleting a file. It was a single file; a 4 GiB DVD ISO image. Delete op only needs to update the MFT freeing the space that had been used by the file.
Join moola.com, play games to earn money.
Let's see...
Let translate these answers to your wife...
She'll make it abundantly clear to you that you'll never ever will have sex with her again.
But my guess is that you don't care because you are single anyway.
Now Mozilla and Firefox will warn you and make you wait two seconds before you try to install something unsigned. IE won't even do that unless you instruct it to in the Advanced Settings and sometimes it will do it anyway, but that's what you get for the broken piece of shit they call ActiveX.
Granted, Linux is much more secure than Windows, but when you give Linux to a horribly inept AOL kind of luser, then it won't take long for him/her to get r00t3d, too if the distro leaves services running by default, like for example HedRat. At least with HedRat, you can shut down those services if you know how to do it. Meanwhile in XP, you can't shut down the RPC service without Windows going total batshit. XP won't even let you do it at all! You NEED a firewall just to sweep it under the rug. Now, if that's not a severe and utterly braindamaged flaw in OS design, then would someone tell me WTF is?!? (Aside from IE built into Windows)
...break.
/. article about MS buying up a spyware removal company.... but heres the deal. MS sees things from a commercial basic limited view money making perspective and as such they understand the value of spyware and such... so of course they support it. They will never really work to remove it, but rather use it.
There are several people whom I have cleaned their system from running IE on the internet. If its bad enough, where I have to do a fresh install, I set it up with a Linux partition, but in any case I install firefox as a default browser, etc...
90% of the time they go back to polluting their system.
Its frustrating, considering I'm doing the cleaning as a friend. But as soon as I find out they are contridicting my efforts, I tell them it up to them to clean it from now on.
Recent
Now my family uses Linux to surf the web and download MP3s. My wife copies selected files (over our LAN) over to Windows. My daughter continues to use Macromedia Dreamweaver and FlahsMX on Windows.
No more spyware, no more time wasted keeping virus definitions up to date. Ahhhhh! peace.
Slashdot entertains. Windows pays the mortgage.
*sigh* let me guess: using Debian or Gentoo without knowing how to turn HD optimizations on? I do not have the same problem.
Call me crazy but I am having a hard time finding any truth in the "facts" as reported by Microsoft.
Damned karma whore!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I'm probably on thin ice saying this here, but oh well.
I run three OSs at home: OS X, Fedora Core 3, and Xp Pro. At work, I admin XP Pro and Red Hat.
My company has about 150 PCs running some form of Windows. In the last year, we've had one infection. One.
At home, I've never had any. Ever.
While I totally support GNU/Linux (including monetary donations and buying distros like SuSE at retail price), I also pay for and use XP Pro for various reasons. I agree that Windows is deficient in many ways, and I agree that Microsoft could do things differently and be better for it in the long run.
However, I find it very difficult to understand how so many people's computers get infected. Windows or not. I do nothing special at home...the only thing I've done is use a broadband router from Netgear (because I have more than one computer), make sure I keep my XP Pro machine updated, install anti-virus and keep it updated (automatic) and use Firefox.
This guy is a sys-admin, and his wife's computer gets infected? How? If it is "his wife's" computer, that implies he has multiple computers at home. This implies some sort of router...even a $20 router uses NAT and has basic firewalling built in.
Either this guy is a poor sys-admin, or his wife did something with the computer to get it infected. So, Windows and Microsoft flaws aside, what we're really talking about here is a user education issue. I, as a user, at home, am educated about security issues on my PC. The people at work are educated. I don't have problems at home, and neither do we have problems at work.
So, while his open letter is all well and good, maybe in his case he should focus on better education at home and spend the $50 required to get a decent NAT router with firewalling, instead of bleating about Windows.
Don't know how things work in your home but in my home, I have a computer (Mandrake) and my wife has a computer (XP home). I don't 'let' her do anything with her pc, she does what she damn well wants thank you very much and god help me if I start screwing with her setup and make something burp... and yes, I do have to clean up the mess when things go bad.
the good news is that her system is well patched, runs zone alarm, avg, mozilla, and I just switched her from aim to gaim. Step by step the migration to FLOSS goes forward.
Keep in mind that 'her' computer is for more than home and has to work at her place of employ (Windows and apple shop) so some of the 'hands off' has to do with not screwing up use of the system at work.
Anyway - bottom line, at home you are NOT a sys admin, you're a spouse with special skills.
dogu
And the other 20% are unplugged.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
It will take a distro out of the basket or it will get the hose again....
I don't want knowledge. I want certainty. - Law, David Bowie
That because we don't want to play the "blame-game" like politicians and big corporations do. We want to play the "who can do something about it game" and MS is definitely the one entity that has the means to do something about this problems.
Linux is not Windows
Instead of writing "open letters," (also known as "pompous soliloquies") maybe he could try interacting with his wife once in a while to find out what the fuck she's up to. If she's really so clueless, he should configure the computer as a kiosk suited to whatever her normal tasks are. And pad the sharp corners of the monitor and case.
I have to wonder, are the OS and apps really at fault here? I know people who've run Windows OSes for a decade without once getting spyware, virii, trojans etc. on their machines. Therefore there must be some other element at work here. If you outfitted the reetee in question's computer with, say, Mandrake, and with no more information or interaction than you provided before, do you really think that she wouldn't be able to fuck it up in short order? I'll tell you what, I'm a bit skeptical of that.
In any case, blaming the world for your wife's stupidity is not going to fix it.
You don't run and you are not behind a firewall, you don't us AV and you don't use any spyware software. You download shareware/freeware/warez.
You have NEVER gotten spyware or a virus.
I cry bullshit.
You MIGHT be able to get away with that kind of system administration with WinXP SP2. If you hang an unprotected windows box onto an external (read, outside the firewalls) 100 meg network, you will be scanned within 30 seconds to a minute and compromised within an hour. Possibly longer, if you have really tweaked the machine. That would go against your premise though, if you spent any time securing your machine, then you probably needed a firewall.
There are trojaned machines constantly scanning for machines, like yours, in the wild. Microsoft patches have been too late to stop an infection more times than I can count.
I am a sysadmin and security engineer. I could secure a box, without third party apps, so that I could surf the web, download software (AND INSTALL IT) etc. It takes time and effort that I am not willing to spend. It also assumes that there is nothing on that workstation that I don't mind sharing with the world, since I am not perfect and any machine can be hacked/cracked if you put it on the Internet.
I use winxp sp2, firefox, proxomitron, adaware, symantec AV, spybot, sygate firewall and a couple of homerolled apps. Between my wife and my kids, we still get adware/spyware, we have not had a virus in years. A large percentage of the shareware out there has some kind of spyware. Many websites get you when you register. Etc etc etc
"So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault? "
Sorry, your post just doesn't ring true for a workstation that is actually used for daily, office automation type work and play. Microsoft doesn't even try to claim that you don't need a firewall or other protection. They don't hang windows boxes on the net unprotected.
"No Linux viruses in 2005"
Hey, when you return from 2005, can you tell me who wins the SuperBowl? I'd like to make some bets.
KDE and Gnome are the two GUI's we're looking at. While I am like you in preferring WindowMaker, its easier to teach Gnome/KDE to others. Who knows, during our training day, we may let each user decide on which one they will use, but thats a support headache as well.
I prefer the "u" in honour as it seems to be missing these days.
She understands me when I explain Limited User vs Administrator. I explain that it's like using safety guards on a power tool. She knows to switch users to the "Owner" account to use Windows Update and Office Update, and not to use anything else when using those update tools.
I only had to show my Mom once - some people I show more than once but that's OK - it's preventing problems before the fact.
Here's my Mom's config for the curious:
AMD K6-2 500, 256 MB RAM
Integrated LAN, DSL Internet
XP Home Edition, Service Pack 1 (She's waiting for me to visit to install SP2)
MS Office 2003 Student & Teacher Edition
Outlook 2003 for email
"Owner" Administrator account - password protected
"Mom" Limited User
"Kids" Limited User for the grand kids
I turned on the built-in firewall before connecting the LAN cable the first time. I explained to her why it needs to stay on, and she doesn't turn it off.
She's had this box for a year in this config and I set it up ONCE.
Is this a good enough example of XP security through proper management?
Use Evolution instead of Outlook? Bewa
There is. Firstly, Unix has been in use in university environments for nigh on a quarter-century now. Cracking systems has been a hobby for college comp-sci majors for as long as computer systems have been available to crack, and the operating-system-design classes in that major are often based around dissecting the actual source code of the very systems they're trying to crack which means they've far more detailed knowledge of Unix systems than of Windows. And yet, despite that, Unix remains relatively secure in that environment. Why should we assume this would change?
Secondly, track record. Apache on Linux is probably the most popular platform for Web servers based on NetCraft and other surveys. Apache on Unix of some sort definitely is not only more popular than any other option, it's more popular than all other options combined. Unix is the dominant OS there (and the traits that make Linux secure are simply the normal traits of any other Unix variant). Yet while we see regular compromises of Web servers, compromises of Apache on Unix are relatively rare. If it's not compromised often in an environment where it is the dominant platform, why would it be compromised often in another environment if it were the dominant platform?
I too hate the lack of security and the number of exploits that the typical Windows machine is exposed to. I feel that Microsoft has a responsibility to do something more than they are doing to fix the problem and sadly, I don't see them doing enough in the near future at least.
But I disagree that this is what it should take for people to migrate from Windows to Linux. People should make their choice for the right reasons and only one of those reasons is security. They also have to weigh things like user-friendlyness, support, cost, effort required to learn, availability of the applications that they require and probably a dozen other user variables.
Open Source in general and Linux in particular, has been making great progress in virtually every aspect that I can imagine. In many ways it is ready for "prime time." Yet to claim everyone should move to it, I can't quite accept that yet. In my business, you can't find particular applications (relating to "industrial formulation calculators" for instance) that are necessary for the operation of the business in open source (I've researched this).
While I am able to work my way around a Linux Desktop with KDE and be fairly comfortable with it, members of my family don't seem quite as capable and frankly, I don't want to spend the time teaching them.
Still, I spend close to fifty percent of my workday dealing with spyware (and another 1 or 2 percent dealing with viruses, worms, and trojans) and I hate it. I haven't found a single product out there that does an acceptable job of preventing it or cleaning it although on my home Windows machine the McAffee suite + AdAware + Yahoo Anti-Spy seems to mount a pretty good defense. The McAfee is always on and auto-updated, I run automated anti-virus scans every night. I run AdAware every couple of days, and right now, since it is new, I am running Yahoo Anti-spy every day. My ISP also filters my email with an anti-virus program and I practice all the common preventitive measures and am quite liberal at assigning "spam" tags on incoming emails.
Still, all of this amounts to a lot of work. I do think Microsoft shares the blame with the malware authors in the same way that car manufacturers used to carry part of the blame for car thefts (since cars were so easy to steal). Microsoft it would seem to me has the same kind of responsibility that car makers had, to develop a safer product. I am willing to share part of this expense (developing products costs money and that cost is passed on to customers - it is what for-profit companies have to do). I also hope we get help from legislators and from ISP's, and even hardware companies who each in their own way can develop things that would make malware harder to propogate.
I'd also like to challenge computer makers to provide us with additional choices, like packaged Linux boxes, better secured Windows boxes, and software that actually works that comes bundled with machines so that so many people don't download "free" spyware-laden products to do something they expected their computer to do out of the box (Dell, Sonic - do you hear me?).
As far as I'm aware, none of the legacy Mac software requires root access - not anything I've run into, anyway.
My username does not make me Apathetic. It's irony, get it?
Since the OSX and "classic" systems are completely separate (i.e., OS 9 apps aren't even aware of the /Library directory), I would imagine that the number is just about zero. Win32, OTOH, was first put together in a world that expected no network, a single user, etc. It expects to have as much access to the system files as it wants. The difference is, Apple built a secure multiuser system and then bolted its old single user system in as an application that a user could run on it's own, while MS took a single user system and tried to "bolt on" a secure multiuser system...
I hate these types of "letters". All they do is make Microsoft look bad, but they don't make Linux look very good. Most people I talk to that are frustrated with Microsoft look at linux (on the desktop) and say - OK, it's free, but it isn't as "nice" as windows.
Those same users really like OS X - but they don't want to buy an expensive computer to run it.
The reason spyware is not a problem for linux yet is two-fold:
1. Marketshare - if you are writing spyware, wouldn't you want to "spy" on the largest user base?
2. Application installation ease - most spyware does not install itself. Most spyware i've run into came from users directly downloading and double-clicking files. Installing apps on Linux is not nearly that easy - and that's why my sisters, neices and nephews don't like Linux. They can't double-click and install.
Sure, eventually Linux will HAVE to be that easy to get the marketshare that Microsoft has. Don't rattle off the excuse about being prompted for a password in OS X - i've seen users blindly type in an admin password every time the installation box pops up.
When *nix becomes easy (and popular), spyware will become a problem on *nix.
-ted
How do people get +3 Insightful for completely missing the point?
First, I don't know about anyone else, but it is an incredible pain trying to run Windows (2000, at least, in my experience) as anything but Administrator.
Second: what is this "Maybe he is just an idiot" crap? He could easily have a wife who, like anybody else, would prefer to have their computer how they want it and for others to leave it alone. I know plenty of people who get irritated if anyone changes things on their personal computers--much less use them. As for rootkits, etc., are 80% of Windows users (the people who have this problem) really going to have access to those things, the skills to use them, or even the dimmest knowledge of their existence? Of course not.
Jumping down this guy's throat over the state of his wife's computer is completely missing the point. His point is that there are millions of people just like her, and his weighing of the pros and cons makes Windows an absurd choice for a desktop OS. Address that. Stop grasping for ways to tear him down instead of his argument.
It's not as if (for most people) changing ISP is difficult or traumatic.
Which Linux-compatible ISP is as inexpensive as NetZero or Netscape? The amount that a NetZero or Netscape subscriber saves over a year compared to a full-price ISP such as AOL is nearly enough to pay for a Windows tax. Besides, some people can't even get as far as starting the dialer because many winmodems have no driver.
After years of "you're in computers, I'm having a problem...." and having to explain that not every "computer person" knows everything about every computer program, operating system, peripheral, etc. I know ask "Is this on Windows?" If yes I say "Sorry, I don't do Windows, don't know anything about windows, and really do not want to." But what about if they said no? That's happened about 3 times, in each case a simple google found the solution, the user was savvy enough to fix it, done.
a polar bear is a rectangular bear after a coordinate change.