Open Letter to a Digital World

jg21 writes "Exasperated after spending 5 hours removing spyware and trojans from his wife's Windows PC, sysadmin Chris Spencer has written an impassioned Open Letter to a Digital World. In the letter he reviews the 'elephants in the closet' - i.e. unfixed bugs and glaring security vulnerabilities - that Microsoft in his view hopes ordinary users will ignore, including some discussed in previous Slashdot stories."

I don't get it.

[spacefight]

He has a CS degree, runs Linux himself and still let his wife surfing the web with IE? What went wrong? We all now that alternatives exist.

Re:I don't get it.

[Bagsy]

Not only that, I bet his wife belongs to the administrator group aswell. There are far too many people who have the wrong user rights.

Re:I don't get it.

He has a CS degree, runs Linux himself and still let his wife surfing the web with IE?

Yeah, it's almost as if she has a mind of her own.

Re:I don't get it.

[Soko]

He has a CS degree, runs Linux himself and still let(sic) his wife surfing the web with IE? What went wrong? We all now that alternatives exist.

Let his wife? Let?!?!?! You sir, are obviously not married.

Besides, we still have to deal with IE only websites, which perhaps his wife has to use in her career? You've made a faulty assumption, friend.

The only fault I can find with the author is that he didn't realise what his wife was dealing with in the first place. She should be using Firefox for browsing, unless she needs an ActiveX control for a particular site for some reason.

We know Windows has these problems, so we should take whatever steps we can to mitigate the risks when we need to use that OS.

Soko

Re:I don't get it.

[Master+of+Transhuman]

"You sir, are obviously not married."

Not married?

This is /. - he can't even get a date!

Date? He hasn't even been apprised of the fact that there are two sexes!

Oh, wait, yes he has - vi and emacs...

Re:I don't get it.

[fishbot]

More than that, with all that experience he is naive enough to believe that he can clean machine using the very same machine - have he ever heard of rootkits and stealth program? Maybe he is just an idiot?

Doesn't that kind of prove his point? Joe Public wants to use the computer. The computer won't let him. Just run it as admin! That's the default, so it must be OK, right?

Now he's infested with spyware, trojans, viruses and the like. So, he installs SpyBot, AVG, ZoneAlarm, whatever. Nobody told him that wouldn't work because the processes are on the same box. Of course he has to go out and buy another machine for the sole purpose of disinfecting the first! (OK, he doesn't, but Joe Public won't understand the difference between 'installed on another hard drive' and 'another computer')

It just goes further to prove that to clean your PC of all these attacks the first thing to do is remove Windows and all its failings. Or buy a Mac.

Re:I don't get it.

[Soko]

My wife has a mind of her own.

As does mine, thankfully.

Let me tell you this: if she runs IE, it's not my fault. It's her computer. If I don't realize what she's doing, it's my fault for not invading her privacy and that's where that ends.

Hunh? I discuss these things with my bride. Such a trivial thing should not ba a matter of privacy. My wife knows why Firefox is a better browser, why I removed WebShots and why the computer is mostly booted into Linux. She realises I'm the sysadmin, an expert in my field, and is willing to trust my judgement, seeing as we're married and all.

I respectfully submit that if you can't relate such a simple thing to your life partner, there's something of a communications issue there.

Thank $DEITY I have no such problems.

Soko

Re:I don't get it.

Yeah, it's almost as if she has a mind of her own.

Not only a foreign concept for many Slahsdotters when it comes to women apparently :) but also increasingly when it comes to posting/modding.

I've been lurking here a long time, and still wonder when exactly this fundamentalist turn happened. Suddenly everything is either black or white. Only One Way. And bias and fud (the thing we used to be against) is more important than facts. Bullshit (and I don't mean opinions but facts) are rated +5 informative just because it is pro-Linux and/or anti-MS, while facts correcting this are modded down.

I've been using both Linux and Windows for a long time, and both have strength and weaknesses. I can see a lot of reasons for choosing one or the other, that varies with situation, needs and what people want (yes, they can prioritize different than You without making them Wrong, or Joe Schmoes or whatever the popular derogative is for people daring to think and choose different than You...)

Sometimes I wonder if that sig someone had (no, not me :) saying "I see more xp ignorance in here than Linux ignorance in an AOL room" really is true, or if we just let it appear that way - so that facts don't mess up our world view, or something.

I guess for the young and righteous, this sounds like old people yapping about "the youth today" or "everything was better before". But I miss when it really was more News for nerds, and less religion for nerds.

Re:I don't get it.

[niiler]

It's one thing to have experience in secure computing; it's quite another to share that with someone else.

After securing my brother-in-law's household by setting up a specific administrator account for software installs, removing IE links where-ever I could find them and replacing them with Firefox, installing SP2, installing AdAware, installing a decent firewall and several other things, they are now constantly calling because such and such doesn't work properly.

The call is usually one of the following:
1) Such and such program that worked before you did the SP2 upgrade doesn't work anymore. Could you come over and figure out a way to fix it? I need to run it.
2) I can't use such and such website because it needs IE. (And no, the UserAgentSwitcher extension isn't working in this case). Please give me access to IE so I can circumvent all the security you've installed.
3) I really want to install known spyware/adware containing program, but I can't unless I get into the administrative account.
4) Why can't I just run as administrator? Aren't you a bit paranoid for putting all this security on our computer? Now I have to actually switch users in order to install stuff and the extra two or three clicks is really annoying.

Just for fun, I've given them an extra computer running KDE 3.3.0 on top of Linux with all the latest scanning, printing, image processing, instant messenging, browsing, cd-burning, dvd-watching software...but they won't use it because:
1) It looks different. They're deeply uncomfortable with that fact.
2) They try to download and install Windows programs, and of course, it doesn't work. This despite being given a compatibility list and where to get compiled binaries. (and an invitation for me to install things if they're really uncomfortable with nice GUI installer)
3) They want to buy software at Best Buy and install it on the computer and it won't run. Again, they tend to ignore the compatibility list.
4) Did I mention that it looks different than Windows?

The point is that you can educate users, but most simply don't want to be educated. They have gotten comfortable in their current paradigm (usually some mixture of the "freedom" of Windows 95/98 with the performance and "security" of windows XP) and don't want to change/learn anything different. Not only that, but remember that when it comes to family and friends, you can't set a policy like you can in a company. Telling the wife - NO - you cannot run that program that you love and have been using for ages because it is insecure is, in general a bad move.

In short, I've been where this guy has, and I'm totally sympathetic. Let's not take cheap shots and call the guy an idiot because he didn't go the next step and use a root kit.

Re:I don't get it.

[m50d]

I think it happened as more of us moved to linux and realised that EVERYWHERE on the web, it is completely against linux users. So we withdrew into our own fundamentalist community, shunning the outside, like those guys who recently emerged from the jungle and discovered the Korean war was over.

Re:I don't get it.

[ninewands]

I agree with the parent poster.

My wife Was using Win98 and IE6.1 SP whatever up until six months ago. Her IE installation got so corrupted with spyware that it wouldn't even launch, so I installed Firefox and Thunderbird with my favorite extensions (AdBlock, TTLO, User Agent Switcher, etc.) and it took her all of 3 days to fall in love with it.

I then picked up a cut-price generic Athlon box, that was some 12 times as fast as her old machine at Fry's for about $200.00, installed Fedora Core 2 on it and gave it to her. To make her feel like she had a safety belt, I also got her "Linux for Non-Geeks" which she has barely opened. Her first question when the box booted up after the install was "where's Firefox?"

She now snipes at Windows almost as much as the most zealous penguinista at your local Junior High. She will occasionally run into content on the 'net that won't load, but when she asks me about it, it's usually something designed to exploit Windows' poor security model (like ActiveX controls and browser hijacks).

She's happy with her newer, faster machine and is learning to love the penguin, but I would NEVER have done it if she wasn't: 1) willing to learn, and 2) pre-conditioned by a few months' favorable experience with Firefox and Thunderbird.

Re:I don't get it.

[the_rev_matt]

Hear hear! I've had similar experiences with friends and family in the past. During the .com days I got calls all the time "can you come undo the stupid shit I did to my computer?" One of the biggest selling points of linux, to me, is that for four years I've not had to fix a single computer for software related issues. None of my computers has had any problems I didn't create myself (like accidentally deleting the home tree). The calls started tapering off real fast when I started saying "I don't use Windows, so I'm not up to date on what to do to fix it."

The sad part was realizing how many people were friends solely because I could fix their computers. Once I stopped being their free 24/7 tech support line they disappeared.

preaching to the choir

[venicebeach]

Well, this is a nice letter and all, but I have a feeling the only people with the patience to read through the whole thing are already convinced of its content...

5 hours!?

[JamesTRexx]

I've found a quicker way to get rid of those files, identify the executables through task manager and the "run" keys in the registry, then change filepermissions to block the system and user accounts on those files and/or directories, kill processes, remove registry entries, reboot, delete files. No more respawning webrebates etc..
And if you haven't set the filesystem to NTFS, you need to be slapped silly.

Re:5 hours!?

[tomjen]

And if you haven't set the filesystem to NTFS, you need to be slapped silly. Or you run a dual boot system and need linux to read/write your win files

Re:Dear Sir,

[rongten]

Dear Mac user,
this is an automatic message from your ISP.

Due to the last batch of Viruses/Worms/Trojans affecting the Microsoft users that you so despise,
the network is congested, and you cannot reach Itunes stores and cannot download the Steve Jobs Picture of the day.

We apologize for the inconvenience.

So he calls himself a sysadmin?

[Otis_INF]

Why didn't he setup a non-root account for his wife on the windows box? Why didn't he install THE browser, Firefox, on his wife computer? Why didn't he enable excessive auditing so he could track down which app installed what and when?

Oh, that's too hard? If that's too hard, you're not a sysadmin.

True, spyware can be almost viral these days, but there is one factor which enables it in the first place: the user. "Oh, this nice free tool from www.[the tool's name].com is so handy!", should ring a bell, a lot of bells, alarmbells to be exact. NO search bar comes for free, unless it's open source, to name an example.

First I thought, hmm could be a great article, but after a few paragraphs it was clear this article is not great, it's the frustration of a person who doesn't WANT to understand windows and blames the consequences of that to the OS. I mean, blaming IE and not having firefox installed should be enough to categorize this article as "ordinairy propaganda".

I get so tired by this kind of stuff

[Caine]

I run Windows. I didn't use to. Between 1993 and 2001 I ran Linux almost exclusively. When Windows 2000 was established I switched on the simple basis of that it was better.

I don't run anti-virus. I don't have a firewall. I don't run spyware-removals under normal circumstances. If I feel the computer is feeling odd I download and run F-Prot's free DOS version followed by running Adaware 6. On some single occasion I've run Norton Anti-virus just to be on the safe side

I'm not alone in using this computer, my not quite so computer-literate girlfriend does too. I often download shareware games and freeware programes, not to mention warez every now and then.

Despite all this - I have never (*knock on wood*) been virus-infected. I have never gotten any spyware.

So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault?

To all the astro-turfers &| geniune windows pe

[cranos]

Telling all the stories you like about how your (or your mothers/wives/SO's) machine has never had a virus/spyware attack even though you never run anti-virus software nor a spyware detection suite isn't going to mnean a lot.

The simple fact is that many of the people on this board have to work with windows (from 95 to 2003) everyday and can tell you horror stories about machines that have been secured, reside behind a natting firewall, etc etc but still they get slapped down by the newest virus which has snuck in through a vulnerability which was patched three months ago.

The other area you seem to be missing is the inate ability of users to fuck things up, no matter how secure you make it. All it takes is one innocent click on a link and all of a sudden you have spyware coming out your nose.

5 hours?!? (sigh)

[mjh49746]

It takes him no less than FIVE hours to clean all the spyware from a Windows PC? And he has a degree in computer science, RHCE, and ten years of system administration expirence?

You know, that's pretty funny if you ask me, because I can usually do it in about 30-60 minutes or less (give or take), and with no degrees and no professional training whatsoever.

Here's how you do it....

1. Run msconfig

2. Uncheck all startup entries that look suspicious

3. reboot

4. Update and run Lavasoft AdAware

5. Update and run Spybot Search and Destroy

6. If you have them, and you should, update and run your favorite antivirus scanner.

7. Make sure all the spyware leftovers and their folders, if any, are deleted.

8. Run msconfig again and reenable anything legitimate that you might have disabled

9. reboot

Now, why do you want to disable the suspicious shit with msconfig first? If you ever get really 'stubborn to remove' shit like Ebates Moe Money Maker and friends, they're practically impossible to remove just by spyware scanning alone. You have to stop them from loading in the first place before you can get rid of them.

Well, other than the fact that he's laughably inept at cleaning spyware, he's still got a very valid point about just how utterly shitty and insecure the Windows platform is. It's been woefully insecure for years, it's woefully insecure now, and it will be woefully insecure for the unforseeable future. That's not just my opinion, it's a well known fact that Windows has been full of holes since at least since Windows 95, and likely earlier.

So, here we have a company that doesn't give a shit about it's product, doesn't give a shit about it's customers, doesn't give a shit about the law, and still it abuses its monopoly after being convicted of such in court. And as much as I blame Micro$oft for all the ills of the computer world, I'm a lot more pissed off at the consuming public for being the lazy, complacent sheep that they are for tolerating this abuse upon society for as long as they have, and instead of sitting on their fat asses allicted with "Homer Simpson Syndrome", they ought to be complaining to their government enmass and threatening to vote out the whole of Congress itself if that's what it takes to get them to do something about Microsoft. Damn! It's almost like walking into a run down crime ridden neighborhood, and looking at the people in it acting as though it's all normal that the neighborhood is all run down, vagrants and junkies sprawled out on the streets, drug pushers on every block, and hearing the sounds of gunshots, security alarms, and police sirens all the time.

Total batshit insanity, man! Just total batshit! But I guess it's what the people want. They don't really want freedom or justice, they just want to sit on their ass, watch that braindead 'Survivor' or 'American Idol' bullshit and wait for the TV to reprogram them into wanting the latest 'excercise in a bottle' weight loss fad or the latest $50,000 SUV that gets 3 mpg, has a DVD, and increases your penis size a whole 5 inches! What an utter travestry!

Well, that's my rant. Probably won't do anything to change the world no more than that 'Open Letter to a Digital World' will, but who knows? It only takes a few angry and motivated people to get the ball rolling.

Re:You did a disservice to your wife

[Apathetic1]

Let's face it, Windows XP (and to a lesser extent Windows 2000) is designed to be run as an Administrator. They tell you in the documentation not to run the computer as an Administrator but the first user who logs into an XP Home machine is an Administrator by default. Several popular CD burning applications will not run correctly without Administrator priveleges. Hell, Diablo II won't run if the user is not an Administrator.

I have a heterogeneous network of a half-dozen computers here, some Windows, some Mac, some BSD, some Linux. Don't get me wrong, after it's been properly secured I don't mind running Windows but explaining to my mom why she couldn't burn CDs, install software, etc. was causing more headaches than it was worth. Other operating systems (notably Mac OS X) deal with this sort of thing fairly intelligently, why can't Windows?

'Let' his wife...???

[dogugotw]

Don't know how things work in your home but in my home, I have a computer (Mandrake) and my wife has a computer (XP home). I don't 'let' her do anything with her pc, she does what she damn well wants thank you very much and god help me if I start screwing with her setup and make something burp... and yes, I do have to clean up the mess when things go bad.

the good news is that her system is well patched, runs zone alarm, avg, mozilla, and I just switched her from aim to gaim. Step by step the migration to FLOSS goes forward.

Keep in mind that 'her' computer is for more than home and has to work at her place of employ (Windows and apple shop) so some of the 'hands off' has to do with not screwing up use of the system at work.

Anyway - bottom line, at home you are NOT a sys admin, you're a spouse with special skills.

dogu