Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
Like a good parent, I beat my OS until its skin is thick and it responds to barked commands.
Do Not Eat iPod Shuffle
If you build it, they will come.
Lorem ipsum dolor sit amet
This news isn't news. What's news is this news is in the news!
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm not that surprised, but Windows was the least secure. It should be noted that XP SP2 was installed and then the updates were applied "automatically" while none of the UNIX-ish systems had updates installed, just what came on the CDs. I know, competent admins can make any machine secure, but I wonder how MS can sleep at night knowing that their users are at such a high risk, even if they don't DO anything.
Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (it's 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.
If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
These results mirror what I typically see on my workstation. I run a couple of websites on my workstation including our laboratory website, and my blog. Logs are monitored constantly with a nice tool called mkconsole that displays the logs transparently on my desktop. Several times a week, there is an attack. Most however are either scripted or fairly primitive, although last week there was a sophisticated attack that bounced through a compromised Windows machine on campus. We tracked it back to an AOL user on the East coast and reported his IP address to the sysadmins. They sent an email back to me letting me know that they would follow it up. I've not heard anything else since, but in addition to using a more secure OS, one should also maintain a vigilance of your systems to help keep things under control and if you do use Windows, PLEASE keep it patched with recent security releases.
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Visit Jonesblog and say hello.
and count the seconds before it becomes a spam relay.
I don't think end users can be trusted to protect their computers. At a minimum, providers of Cable and DSL should make customers use modems with built-in NAT/firewall.
I got stuck in the self-checkout line at Walmart once, behind a lady who had this same problem.
"He who throws mud, loses ground." - proverb
Tell me I'm dreaming. Are these people really testing the old Mac OS X 10.2 (Jaguar)? And it withstood all attacks. Nice kitty.
TFA tells us that Windows XP SP2 is more secure than Windows XP SP1 (unbelievable!!) and that there are fewer attackers targeting Linux and MacOS than Windows (hmmm - I wonder why ?).
Very thought provoking and innovative information indeed.
And I quote:
Windows XP Service Pack 2
Attacks: 16
Results: Survived all attacks
Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place? It's simply more logical for those evil people to write software that attacks Windows... secure or not secure, it's going to be the primary target until it loses its market dominance.
I was on a warez site last week looking for some serial numbers um.. I misplaced. Anyway, the amount of crap that was installed onto my win98se firefox box was incredible. After uninstalling at least 4 pieces of spyware I had 860 odd errors in my registry.. lovely!
serenity now!
It was an interesting read. Although I don't know why they were using Jaguar for OS X. Panther has been out for a long time now. It's good to see that an older release can "hold its own" against the current OSes out there.
My out of the box gentoo is pretty secure, no ports are open and all my software is up to date.
Imagine a reality show based on this...
"Coming up, we'll have Windows eat a big bowl of fried portscans!!!"
*circus music*
"And after the break, Linux will jump off of the gigantic Mount Exploit!"
*dark piano music*
(Reality check): It would probably fall off the air for requiring someone to think, though...
It is pitch black. You are likely to be eaten by a grue.
" But in the end, none of the attacks were successful."
So... Let's see how many people don't read the article and begin ranking on windows. Startttttinnnng NOW
Unpatched Windows: Bad.
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
webpage
So any resolution of this issue has to be implemented on the OS side.
On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.
When things get complex, multiply by the complex conjugate.
someone or many will use it
Turn. Off. Unused. Services.
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under god's lcd monitor open.
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
This is not his first article. He is busy learning about Linux and OSS. You will see more articles coming from him as he dispels more FUD.
I prefer the "u" in honour as it seems to be missing these days.
Are you sure you can handle numbers that big.
Sendmail can be a bank vault or an open door.
It is up to you. The recent default mode seems closer to bank vault than open window.
The rate at which the various attacks were effective against their target systems.
From what I remember in Tron, this visually looks very cool. Digital warriors fighting on a neon grid, etc.
I'm pretty stumped, though. I tried to get my box pwned eight times, just to see the digital battle. I thought at the least Norton Antivirus would send a digital probe destroyer bot out to eradicate the trojans. But all that happened was my computer got really slow, and pop-ups kept showing up, advertising herbal virility pills for men.
Come to think of it, Hollywood movies never seem to match up with what my computer does. That's it, I'm going to stop believing them movies and start reading Wikipedia instead.
"SP 1 is not a current operating system," said Sundwall. "It doesn't surprise me that it only took 18 minutes to get infected."
Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
Registering accounts later than some other chrisb since 1997
OpenBSD. Enough said.
Next question?
rh9 not receiving any attacks is curious. It kinda insinuates rh9 is the most secure when any OS can be attacked. It is how the OS handles being attacked is how we judge its security capabilities. Maybe this distro has a smaller attack surface with less server processes running?
or maybe they forgot to plug in the network cable.
In the Slashdot moderating system, humourless based offenses are considered especially heinous.
Bet no attacks would bother a BeOS box! Seriously though, these tests are still pretty much bull. It's like leaving the keys in the ignition of an unlocked Lexus, in the bad part of town, then being shocked when someone takes it...
Face it, do something enough times, and it can cause problems.
You've just discovered who finds linux on the desktop more usable than windows. May I suggest anything but redhat.
According to the article, no one was all that surprised Win XP SP 1 went down in 18 minutes. After all, it is not up to date... it is essentially an old OS, right? So this is expected, right? Old OSs should be broken into, right? And then we have OS X 10.2, aka, Jaguar. No successful attacks. Older OS, check. Not up to date with all the latest security features that are in Panther, check. And not one successful attack. One company makes an OS that still stands after two and a half years... one company makes an OS that only stands after a major major major patch and constant updates that sometimes break software. Now, which company's OS would I choose to build a secure network? Sure, it's a flawed argument, but still I think worth noting.
First, comcast (with qwest be the 2nd to last) is one of the last companies that I would trust. 2nd, I do not use a NAT/firewall from the outside. I have several exposed boxes that do great jobs year after year. The last thing that I need is for a bunch of screw-ups to tell me how to run a secured system. As to all the insecured boxes out there, they can switch to Apple, Linux, or BSD. They do not have to be running windows.
I prefer the "u" in honour as it seems to be missing these days.
First of all, you should be behind a firewall that disallows incoming connections to almost everything. Even if you're not, FC3 has a kernel firewall enabled that blocks just about everything.
As for the packages, who cares if they're just sitting on your HD taking up space?
For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?
My other first post is car post.
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall software.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
"Honey pot" experiment shows unprotected Windows SP 1 at risk
Any version of Windows with any amount of service packs and/or updates is a scary thing to be online with. It's like having a grenade launcher in close-quarter combat. Boom.
With quotes like:
"Microsoft is racing to roll out its new Longhorn operating system in 2006.
But for the moment, it's sticking with Windows, for which it rolled out a new patch Tuesday."
I don't think so.
Can be avoided by plugging in a hardware firewall that does NAT between the cable/DSL modem and any computers. Operating system be damned.
I've seen Linksys BEFW's go for $10 on E-Bay.
Or go whole hog and get the Motorola SURFboard SBG900, combination DOCSIS 2.0 cable modem/wireless-G AP/firewall.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Without the nasty /. IT theme.
Microsoft might have something with Windows Longhorn, since the entire API outside of the kernel will be written in C# completely sandboxed in a CLR, much like Java.
Combined with a monolithic auto-update system, Microsoft has no intentions of repeating the problems of Windows 2000/XP when they release Longhorn, much like they had no intention of repeating the problems of stability they had with Windows 95/98/ME when they designed Windows 2000/XP. For as much as they do, they mostly won with stability in 2000/XP, and they could win again, despite their market share, by sacrificing RAM (480MB commit charge, 1GB recommended) and processing power by implementing the .NET framework for their entire API.
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
- - - - - Fear not the reaper, but my shiny white teeth.
From TFA: "Experts say spyware programs are also necessary for Windows users. Microsoft is offering a free beta version of its spyware program at www.microsoft.com/athome , and Webroot is offering its spyware program free to Colorado residents through April 15 at www.webroot.com Free spyware programs are available at www.download.com"
Of course Claria/Gator is also offering a free version of their spyware program, and it's not beta - it's an official, stable release, available to users from all over the world, and with no date limits!!
There are also other known spyware providers out there, all you have to do is to search the web for some pr0n and warez, and there you go.
Articles for geeks: T-shirts, Linux, books and more
Hi,
The sentences "[...]some of which I still continue My volunteer activities include[...]" could probably use a full-stop between them.
I wonder if the 43,000+ scans came from 43,000 Windows machines already infected with trojans...
My digital rights don't need management.
Why, why am I forced to recall that song. I realized there can be no caring god after hearing that song. Now, once again I am forced to recall that wretched piece of radio trash. Mercy.
If we don't make light of everything, we are just stumbling in the dark - Blank
Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
--That's the point of being root, you can do anything you want, even if it's stupid.
You didn't introduce any new insight, this idea has been known for years here on slashdot and it seems to be addressed in the article as well. The fact is, this statement doesn't help anything. Even if insecurity was only dependent on targeting windows would still not be an optimal platform just because of MS practices and ideology.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.
Nothing us geeks don't already know. Anyway, I can believe 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to its Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm surprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not surprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6, or SQL Server - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vulnerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vulnerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance...
NO ONE stops to think that there's just millions more Windows computers out there? Windows got the most attacks because there's MILLIONS more potential sources of attack. Those millions more units mean it's more worthwhile to hack Windows, because there's tons more systems at stake. So, a majority of hackers on the web are working on a base of computers whose OS absolutely dominates the marketplace.
I wonder why it tends to be "less secure" in the end... GET A CLUE! This test barely reflects anything other than Microsoft's market share, no matter how hard you want to tilt it in your own direction.
Not to mention the line "The good news is that none of the up-to-date, patched operating systems succumbed to a single attack." That. Includes. The up-to-date. Windows box. Too. Which suffered LOTS more attacks (again, more units, more at stake) and withstood them all- meaning it was technically MORE secure because it withstood harsher testing and came out unscathed.
computer scientists on a quest to design their own life in turn.
;)
Iteration X, I presume...
What, no sig flames yet on this thread?
... I suspect that the Denver Post may think that its server is coming under a massive attack at present from thousands of Slashbots...
I heard that your library burnt down and destroyed your only two books - and one was not even coloured in yet.
that there are still so many infected machines out there with sasser and blaster and other worms/viruses/etc and no one does anything about it!
ISPs should detect infected machines. Whenever these machines attempt to view a web page, show a page to download a removal tool as well as the latest patches. Allow the system to be repaired, and then reallow it on the network. Provide some override (and a number to call to access it) in case someone badly needs the internet and doesn't have time to fix the virus, but keep the machine marked and make sure to follow up on it. ISPs could call make this virus protection mechanism a competitive feature.
http://brandonbloom.name
Which worms are we talking about here?
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
Please rest assured that, by the time longhorn ships - as well as between today and that point - "open source" will offer plenty of competition.
Most companies, however, chose to pay a Linux vendor in order to receive security patches.
My golden rule:
apt-get update
apt-get upgrade
Once a week. For free.
"And then I visited Wikipedia
First, I didn't RTFA, but I wanted to relate our experience at a recent technology conference my employer hosted. The names of the guilty/innocent have been scrubbed to keep this post from being moderated into Flamebait.
Part of the conference was a series of hands-on labs that we were hosting using loaner equipment from major manufacturers. The network was provided by a major ISP through a national hotel (where this part of the conference was being held).
The labs were assembled by volunteers, and were pretty much infected beyond use with spyware and viruses within about 10 minutes of coming online. It was the worst thing I'd ever seen. We had 20+ people scrubbing the machines off-line for literally HOURS, only to have them reinfected once they came back online (now behind a firewall).
To compound the issue, we couldn't feasibly reimage the machines because the vendor donating them gave us at least 10 different models with 2-3 variations on each model.
In the end we threw in the towel, refunded people's money, and let the Mac lab (which remained unaffected) continue their presentations.
just my $.023233432322
Windows tough ain't enough!
Pop Culture Theme Quizzes posted onto my blog. Have fun.
Linux is not an operating system for people to just install and windows is free of no problems it is a mac system. Secure? Yes we will see.
I wouldn't say they get a "pass", but let's just be thankful that Microsoft finally got it right by turning the damn firewall on by default with SP2.
Excuse my ignorance about Macs, but does OSX 10.2 come with a firewall turned on by default?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
not sure about ntpd, but rhnsd does connect to the network and is turned on by default if i recall.
While this is true, the chances are that most services will not be started by default on such a system. I was quite impressed with the default FC3 install - (almost) no services running by default, and a packet filter in place anyway.
While it is better not to have the services installed at all, it makes relatively little difference since the attacker would need some form of local access in order to use them if they do not run by default.
So, let me get this straight...
You've turned an argument about operating system security into an argument for "intelligent design"?
I'm sorry, but you are living proof that if there was ever any design involved, it certainly wasn't intelligent...
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
If you notice, Jaguar (Mac OS X 10.2) was used in this test. This is an operating system that was phased out in late 2003.
There's something to be said about that VS a windows PC with SP1 installed.
I run two Windows boxes behind a BSD router. To avoid the pain of having to change my natd.conf file every time I want to try a new P2P app, I simply forward a large group of ports to each of my Windows boxes. Ports 5000-8999 go to one and 9009-12999 go to the other. No *Windows* services run on these ports, so I don't lose any sleep over it.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I'm not that surprised that someone would post about how unsurprised they were that Windows was least secure, yet in articles that show Windows more secure than Linux, everyone questions it. Apparently, the rule of thumb is, if it doesn't praise Linux and bash Windows in some way, it can't be true. And the inverse is "not surprising."
In any case regardless of the OS I think it's good practice to remove all unused code.
The point was to test the "Out of Box" experience. XP with SP2 is what users get out of the box now. The firewall is on by default and the automatic update is the default selection.
SP2 was such a large step forward in terms of user security that I'm sure they sleep quite well. This is yet more proof that these three OSs are now on even footing in terms of security.
Windows XP with Service Pack 1 was attacked 4,857 times and only infected once!
Windows XP with Service Pack 1 dynamically adapted to become immune to further attacks by the Blaster and Sasser worms in only 18 minutes!
Within one hour Windows XP with Service Pack 1 had apprised the situation and chosen to join the winning side!
Windows XP with Service Pack 1 single handedly fought 1600x as many viral foes as its nearest competitor! Yet it bravely continues to withstand the onslaught of its most cunning viral foe, the GPL!
The infidels are committing suicide by the hundreds on the gates of Windows XP... Be assured, Windows XP is safe, protected. Microsofties are heroes.
Liberals call everyone Nazis yet they are the closest thing to it.
this is why i have iptables running.
to a local group of script kiddies if they'd hack a box of mine. Hard cash for getting in, reading a file, and e-mailing it to me.
They didn't get in.
It's a case of security through obscurity, though. I'd watch them nmap it, go, "WTF?", try some ssh exploits, and give up.
The box was running GNU. No, I won't give you the IP.
Just tell me your IP address and I'll attack you with my ping command! mwah ha ha ha
Are there any programs one may run that will log and/or count the number of random port scans to your machine?
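One way to count scans from firewall logs, as an added example that is not part of the original thread: it tallies dropped packets per destination port and flags any source that probes several distinct ports within a short window. It assumes kernel lines written by the iptables LOG target with a `DROP ` log prefix; the sample log, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the iptables LOG format; "DROP " is an assumed --log-prefix.
_P = "gw kernel: DROP IN=eth0 OUT= SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt}"
_ROWS = [
    ("01:00:03", "203.0.113.50", 80), ("02:00:09", "203.0.113.50", 443),
    ("03:00:12", "203.0.113.50", 8080), ("03:12:01", "203.0.113.7", 135),
    ("03:12:02", "203.0.113.7", 139), ("03:12:03", "203.0.113.7", 445),
    ("03:12:05", "203.0.113.7", 1433), ("03:12:09", "203.0.113.7", 3389),
    ("03:40:10", "198.51.100.23", 22), ("03:40:11", "198.51.100.23", 22),
    ("03:40:13", "198.51.100.23", 22), ("04:00:30", "203.0.113.50", 21),
    ("04:06:00", "198.51.100.99", 135), ("04:06:02", "198.51.100.99", 445),
]
SAMPLE_LOG = "\n".join(
    [f"Mar 14 {t} " + _P.format(src=s, dpt=d) for t, s, d in _ROWS]
    + [
        # Lines the parser must skip: another daemon, and ICMP (no DPT field).
        "Mar 14 03:20:44 gw sshd[811]: Connection closed by 198.51.100.23",
        "Mar 14 04:05:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.99 "
        "DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?:\[[^\]]*\] )?DROP (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (timestamp, src, dport) for a dropped TCP/UDP packet, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    # Syslog timestamps carry no year; only differences between them are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, fields["SRC"], int(fields["DPT"])


def find_scanners(events, min_ports, window):
    """Map source -> most distinct ports probed inside any one time window."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_ports:
            scanners[src] = best
    return scanners


def report(log_text, min_ports=4, window=timedelta(minutes=5)):
    """Summarise dropped packets: total, hits per port, likely port scanners."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "total": len(events),
        "by_port": Counter(dpt for _, _, dpt in events),
        "scanners": find_scanners(events, min_ports, window),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    print("dropped packets:", summary["total"])
    print("top ports:", summary["by_port"].most_common(3))
    print("likely scanners:", summary["scanners"])
```

The source that touches four ports spread over three hours is not flagged, while the one that sweeps five ports in eight seconds is; repeated hits on a single port (the SSH attempts) count as probes but not as a scan.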
It's really a silly argument because if someone turned on the firewall in XP SP0 they would be just as safe as SP2. The only story here is that firewalls work (duh).
Check for open ports on your pc. https://www.grc.com/
Religious adherence to evolution? Are you trying to be Ironic?
Don't look now but.... http://devolab.cse.msu.edu/software/avida/
The evolutionaries are one step ahead of you!
"A simple NAT is not enough. A firewall is required."
Required for what? What if you don't have any services listening on open ports?
"The best full security suites are free: linux, openbsd, etc. Run them on an old PC for your firewall/NAT. They are configurable to your heart's content, unlike cheap, buggy dlink and linksys hardware."
The last time I checked, Linksys routers ran Linux.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
One glitch was already mentioned, "Experts say spyware programs are also necessary for Windows users". I guess yeah, if you are a Windows user you are entitled to spyware soft and every virus out there but I don't think your help is really needed with installing it. Then, "Windows SP 1" and "Windows SP 2"... XP is mentioned only at the very end. Yes, it is obvious what Windows they are talking about but still, Windows is not the name, Windows XP is. Then, patching and builds. SP is just a service pack, there are security updates, patches, builds... Just saying "Windows XP" does not define what is actually installed on the machine. No details on attacks (except Windows SP1). On spyware, "Cookies are used by online companies to track user preferences". I hate when Ad-aware tells me that cookies are spyware but I understand the idea that it would not make sense to make a separate category for it. But an article?! IMO, lots of bull with conclusion that everybody except the author knew a while ago.
It may sound crazy, but Windows 3.1x will stand up to the test very easily out of the box. Just run the Shields Up test on grc.com and you'll find that Windows 3.1x has NO ports open by default, not even port 139 which is open on all versions of Windows from 95 onward.
Story about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
Pardon the shoddy grammar, it is rather late. Post AC to not whore karma.
Microsoft's leadership position means that more viruses are written for Windows, said Silver, who estimates that 96 percent of all desktops and laptops worldwide used Windows at the end of 2004.
So Microsoft gets a pass on viruses because it is popular and has a lot of software written for it? And then those same people use the amount of software available for MS Windows as a reason why Windows is superior. You can't have it both ways: if you think Windows has an advantage because of a larger application base you have to include the malware applications like viruses and spyware as well.
You could wrongly argue that when Linux has a larger installed base it will have the same problems as MS Windows. But even if that were true, its new popularity would mean that more commercial applications like Photoshop would be written for it also. The blade turns both ways for better and for worse, yet MS Windows apologists try to claim the best of both worlds.
501 Not Implemented
Please note they say they did not patch the linuxs from default installs.
That's why I use DOS. Not a single attack, and it's so secure it hasn't needed a single security update for years!
HAhaha. That's funny.
Oh, you're probably serious. Too bad.
AC
The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't as I'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
It's touch alright. It's makin' me its bitch.
10.2 had plenty of security holes. Many of them are patched. But then again, MS patched the holes found in SP1 also.
If you ran an unpatched 10.2 today you'd be putting yourself at serious risk. It had plenty of holes, like the Apache holes.
Quote from the article: "SP 1 was attacked 4,857 times. It was infested within 18 minutes by the Blaster and Sasser worms. Within an hour it became a "bot," or a machine controlled by a remote computer, and began attacking other Windows computers.
Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
What a brilliant deduction, oh mighty evil overlord!
Two freaks, no foes. It takes absolutely nothing to make some people angry.
Hamster didn't know it was going to happen. That worm uncovered some great bugs in the early days.
Food run anyone?
The Macintosh system received three attacks. Two of the Linux systems received eight attacks each, though Red Hat's version of Linux received no attacks at all.
But in the end, none of the attacks were successful.
[...]
Windows Service Pack 1, or SP 1, however, was another story.
followed by...
Microsoft responded that the tests prove that any operating system is vulnerable when not patched.
Is this not the most blatant lie/doublespeak/misrepresentation-of-truth ever? Who in the world could stand behind a statement like that?
Direct away from face when opening.
At the risk of being redundant myself, I would like to reiterate my request to be able to mod articles.
Just about every linux that I think of runs iptables right away (assuming that you do not pick "welcome to crackers" mode during install). Has for years.
Over the last few years, I have been writing software for monitoring networks for federal and commercial (for the commercial side of the house, we were limited to OC-48). It was trivial to detect which boxes were owned, their IP, and what OSs they ran. The OSs were ~100 Windows. The windows machines % in the mix appeared to correspond roughly to what was in the wild (there was 33-43% XP during the time that I saw the stats).
BTW, the sum of all the non-windows owned systems was less than .5% and yet, it appeared that the non-windows systems totaled somewhere between 15-70% of all the machines (depended on which locations was being monitored. On a RBOC's dsl lines, the non-windows were about 10% with linux being #2. Throw in a data center and things changed radically with as little as 5% windows).
My Linux server at the museum where I work was found 5 mins after we turned our new dsl modem on and opened the ssh port. Now I just give them a fake ssh port to waste their time with :)
Taco?
If you are the first person to make the first self propagating code that affects more than 10 OS X installs, your name will go down in History. Do it for a Windows, and it's just another Me Too, no skill aol noobie coder.
Ok; I've been a Mac user since the Plus, so all this is pretty armchair quarterback for me. Disinterested, mostly. I use XP SP2 at work, and I've got a patched 2K box at home (with Zone Alarm and behind another firewall in the router).
Anyway: Microsoft's making great progress towards being as secure as everyone else. They really are. But what about the uncounted number of compromised boxes already out there? What about the army of bots that are working right now to clog the internet?
It's great Microsoft is finally making good, but why isn't the press talking about the massive number of victims of last year's crap security policies for Windows? And the damage they continually do to the rest of us? They mention that the SP1 box became a bot in short time, and report that many Windows boxes are still SP1, but never state the obvious conclusion.
Sorry; on-topic. Maybe a troll, I suppose, but I am curious.
Did Windows 3.1 even have listening services by default? I recall having to add a separate TCP/IP stack, and being able to choose from several different vendors (which would bundle their daemons along with the stack).. I recall Chameleon, some FTP.com stuff, Trumpet Winsock...
It's hard to remote sploit something that isn't even listening....
Here's a useful link for securing Windows Systems: Black Viper.com
Now, let's say I ran just 90 services at random at the start. 8 of them have holes, by the assumption above.
90 services in each case, but one is secure and the other isn't. Arguably, then, it is NOT the number of services that is the deciding factor. It is the care with which they are selected and the environment they are placed in.
That latter part is more important than many think. Let's say you ran an FTP server. That's a fairly risky system, as it needs access to many different directories at some point or other.
A sensible way to run it would be to compartmentalize it as much as possible. If you're using a hardened Linux kernel, that would involve defining a very restricted role and placing the server within it. Breaking into the server then wouldn't do much, because the kernel would prevent an attacker from breaking out of the role.
The second defence is to run suspect servers inside a bounds-checker, to catch buffer overflows and other common methods of attack. It's not 100% secure, but it would limit the chances of an attack being successful.
The final measure is to make all connections indirect by using transparent proxies. If the proxy silently dropped anything that didn't make sense, vulnerabilities involving the faulty handling of malformed packets would be harder to exploit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
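The transparent-proxy idea in the comment above (a proxy that "silently dropped anything that didn't make sense"), sketched for an FTP control channel as an added example that is not part of the original thread. The download-only allow-list, the 512-byte line cap and all function and class names are assumptions made for illustration.

```python
"""Control-channel filter for a transparent FTP proxy: forward only
well-formed commands, silently drop everything else."""
import re

MAX_LINE = 512  # assumed cap on one command line, CRLF included

# Assumed allow-list for a download-only site; verbs are from RFC 959/3659.
NO_ARG = {"SYST", "PWD", "CDUP", "PASV", "NOOP", "QUIT"}
PATH_ARG = {"CWD", "RETR", "SIZE"}
OPTIONAL_PATH = {"LIST", "NLST"}
FREE_ARG = {"USER", "PASS"}
TYPE_ARGS = {b"A", b"I"}

# Verb of 3-4 letters, then optionally one space and a printable-ASCII
# argument that does not itself start with a space.
LINE_RE = re.compile(rb"([A-Za-z]{3,4})(?: ([\x21-\x7e][\x20-\x7e]*))?")


def path_ok(arg: bytes) -> bool:
    """Reject traversal segments and arguments that look like options."""
    if arg.startswith(b"-"):
        return False
    return b".." not in arg.split(b"/")


def filter_command(line: bytes):
    """Return the canonical command to forward, or None to drop it.

    `line` is one command without its CRLF terminator.
    """
    if len(line) + 2 > MAX_LINE:
        return None
    m = LINE_RE.fullmatch(line)
    if m is None:                      # control bytes, bad verb, odd spacing
        return None
    verb, arg = m.group(1).upper().decode(), m.group(2)
    if verb in NO_ARG:
        ok = arg is None
    elif verb in PATH_ARG:
        ok = arg is not None and path_ok(arg)
    elif verb in OPTIONAL_PATH:
        ok = arg is None or path_ok(arg)
    elif verb in FREE_ARG:
        ok = arg is not None
    elif verb == "TYPE":
        ok = arg is not None and arg.upper() in TYPE_ARGS
    else:
        ok = False                     # verb is not on the allow-list
    if not ok:
        return None
    return verb.encode() + (b" " + arg if arg is not None else b"") + b"\r\n"


class CommandFilter:
    """Reassembles CRLF-terminated lines from TCP chunks and filters them."""

    def __init__(self):
        self.buf = b""
        self.dropped = 0
        self.closed = False

    def feed(self, chunk: bytes) -> list:
        """Return the commands to pass on to the real server for this chunk."""
        if self.closed:
            return []
        self.buf += chunk
        forward = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = filter_command(line)
            if cmd is None:
                self.dropped += 1
            else:
                forward.append(cmd)
        if len(self.buf) > MAX_LINE:   # endless line with no terminator
            self.buf, self.closed = b"", True
            self.dropped += 1
        return forward


# Constructed sample traffic, split across chunks the way TCP may deliver it.
SAMPLE_CHUNKS = [
    b"USER anonymous\r\nPA",
    b"SS guest@example.org\r\n",
    b"CWD ../../etc\r\n",                 # traversal segment
    b"retr pub/readme.txt\r\n",           # lower-case verb is canonicalised
    b"DELE pub/readme.txt\r\n",           # verb not on the allow-list
    b"RETR " + b"A" * 600 + b"\r\n",      # over-long line
    b"NOOP\x00\r\n",                      # embedded control byte
    b"QUIT\r\n",
]


def run_sample():
    """Feed the constructed traffic through one session."""
    f = CommandFilter()
    forwarded = [cmd for chunk in SAMPLE_CHUNKS for cmd in f.feed(chunk)]
    return forwarded, f.dropped


if __name__ == "__main__":
    print(run_sample())
```

Only the canonical lines returned by `feed()` would be written to the real server's socket; dropped lines get no reply, and a session that overruns the buffer without a terminator is marked closed.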
it is the common ones that are the normal openings, such as 80 on windows with IIS.
I prefer the "u" in honour as it seems to be missing these days.
"I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead."
SELinux.
Which one scares you the most, a penguin or bill gates?
That should answer your question
Didn't RTFA. They do not count portscans and pings as attacks.
The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.
This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.
Did attacks vary with time? Did attackers fingerprint the OS' and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?
How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)
For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?
Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.
In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.
If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.
There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"Free spyware programs are available at www.download.com"
:-)
While I agree that it might have been instructive to include, say, RedHat 7 in the lineup, security of original XP is still an important consideration. First, to hear MS at the time, XP-SP1 should have been more solid then and should be more solid now. But far more importantly, we see how vital it is to fully patch your XP system before connecting it to the internet. And where do I get those patches from? Oops...
The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."
Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
"There are hundreds of game theorists at the gates, sir, and they want to hold an election!"
I just used 'emerge -C security_holes', and it didn't find anything to remove. ;)
The only surefire protection against Microsoft infections is abstinence. - The Onion
I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know, I think it must be a lot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
I remember sigs. Oh, a simpler time!
Of course I never turn it on, but if anyone tried to break into it they would have the door slam into them.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
You are spreading lies. On FreeBSD 5.3 (and I'm sure the other 5.x releases but I've only verified this on 5.3) you can easily use sendmail which is listening on localhost port 25 to send mail to other internet users. This is on a default install with the default configs.
This is one of the things so obviously impossible to mistake if you've ever even attempted it, it leads me to conclude you are either a lying troll, or possibly the dumbest person using FreeBSD. Go back to linux.
>echo "message" | mail jmdority@hotmail.com
Just remember, whatever you do, stay away from that nasty dimensional science!
windows doesn't "automatically" install updates. It will automatically download them. IF you select the automatic updates in the setup. So to install them, you have to tell it to install them. It takes user interaction. This isn't OUT OF THE BOX. out of the box would be no user interaction, save for installing the os. i don't want to just jump on the "hate windows" bandwagon, (surprise, i am a gamer, i use windows) but this wasn't done uniformly btw: WOOT WOOT FOR OSX. but hey, it's unix. what did you expect?
lousy kind of psycho babble is this?
1) How you can compare computer software being compromised by some other software to animals being killed by another (primarily) for the purpose of feeding is beyond my understanding.
a) The question if the term "evolve" can be applied to software is (at least for the moment) philosophical; some may duplicate itself, maybe even rewrite trivial parts of its code to elude scanners looking for certain signatures, but anything else requires a programmer.
b) as (most) software does not even duplicate itself (common operating systems certainly don't), the 'lifespan' of a single instance is of no consequence to the survival of its kind; whereas a 'type of critter' mainly survives if the rate of birth is high enough (meaning entities survive long enough to reproduce).
2) [on to the ranting part]
a) If you think programs were 'intelligently designed', you have no idea of computer programming; most (good) software was created by someone to solve a problem (quick and dirty); why do you think we hear about exploits ALL the time?
Why do you think the average perl code looks like a bunch of random characters? Certainly there are exceptions (imo X11 protocol is one, maybe POSIX is another), but a design is only as good as the creator; and I consider the average human to be pretty dumb. Furthermore the combined IQ (whatever that means) of a group seems to be rather less than the sum of its parts (anti-synergy?! [I hereby declare that term my IP *g*]).
b) If you think programmers create programs to solve a problem of anybody else (unless paid for that purpose), you don't know anything about programmers at all. They are just as ignorant, selfish and egocentrical as any other human.
3) The last paragraph seems to imply that:
a) animals were designed (by some entity) for a purpose
b) you do not believe in the Darwin theory of evolution; I will grant you that science has replaced religion (at least somewhat), maybe even that science is a kind of religion (though I highly doubt you understand the meaning of this as I do), but (most of) the books of my 'religion' clearly state that they describe theories (meaning it could all be bullshit) mainly through the use of models (which means something we can imagine) to give an understanding about things we either don't know (or can not imagine). This stuff may be in some other religious books, but generally mixed with so much junk that you have to understand a concept before recognizing it. This seems like a very poor way to pass on knowledge; but that is just my opinion.
c) either humans may be able to create a digital form of life (which I don't think is likely, given that we can't define that word properly) or computer scientists are going to give up all those ones and zeroes to go outside and enjoy the world (which is even less likely)
To conclude:
1) you don't know jack about
a) computer programs
b) computer programmers
c) scientists
d) humans in general
e) science
f) critters, the jungle and life
You probably think you know about religion, but judging from your words and implications (especially those about animals being 'designed' to meet our (humans?) needs and the idea of humans playing 'god' and designing life themselves) I do assume you know less than you think.
I apologise for the harsh words, but I *really* find your statements offensive. This was beyond what I can tolerate without replying.
You != most people using Microsoft Operating Systems. Yes, it can be configured (i.e. patches, firewall, etc) so that it won't be compromised. The point is, how safe is the default install. Apparently OS X and various Linuxen have managed to keep clean without any updates. XP sucked in this way until SP2. How long do you think it will be until there are worms/viruses/etc that infect clean installs of SP2? We don't know yet. What we do know is that slightly older versions of Linux and OS X, unpatched, were uncompromised and until SP2 XP was not as lucky. Maybe MS has changed, maybe they haven't. From what I've seen over the years they're plugging holes rather than fixing their attitude towards security. Right now they're making a big hoopla about security as if it were something new. Hopefully something good will come of it.
Whether users will use their computers in a smart manner (NAT, firewalls, not downloading bad software, not clicking on the wrong things, not ordering viagra from an email) is a whole other matter.
WTF I don't care what Spy Sweeper or other companies tell you, browser cookies are NOT spyware, they're a freaking part of the HTTP standard. They don't ill affect your life damnit. At worst they just mean you'll see ads you might actually want to see. Stupid sites like this make for dumb people running around saying all the cookies are the reason their computer is running so slow. Ross Wehner (the author of the article) is a dick for spreading this fallacy.
1: Most windows users think it's some kind of toy or fancy game console. no joke. Security to them is locking the front door if you know what I mean.
Some of these people from time to time MIGHT see something on TV about viruses, but other than that, they have no idea about patches.
The flip side to that is the people that see the AOL TV ads. I feel really sorry for them, and for us that have to fix their computer afterwards.
2: Most of the "UNIX" community respects one another, and doesn't want to trash someone else's box "just for the fun of it".
That and it's a lot harder to "hack" it because there is a lot more of a diverse range of programs and versions of those programs.
The attack might only work for one version, but there is only a small percentage of computers out there that even run that version.
I hate to be the one to bring up the old argument, but Windows machines are attacked more often because there are more of them; it's the bigger, easier target.
One could make the case, in fact, that security holes are found in Windows more often because, as the bigger target, there are more people out looking for them - exploit a new vulnerability and you stand to compromise a lot more Windows machines than Mac OS X machines, or Linux machines, or whatever.
Using Mac OS X (or any other OS) because it's attacked less often is another form of security by obscurity, and it's no security at all. By your argument, everyone should run OS X, because it does not get attacked, but when they do, then they will be the new target. Any security holes in Mac OS X (and there are *always* security holes in any system) will be exploited much more aggressively than they are now.
You are only (reasonably) secure if you run a patched box, regardless of OS.
Secure by default. The users who are likely to be unable to keep up with patches are exactly the same users who don't know how to turn off services. So ffs don't have services running on a default install.
I am trolling
Although your post is funnier if not intentionally humorous, I urge you to seek sterilization immediately if you were serious.
Well, the first worm of all times comes to mind, the one Robert T. Morris released in 87/88(?). That one exploited holes in sendmail, fingerd and some other services I don't recall. There were a lot of these in the years after that. So yes, Unix sure had a problem with worms.
Can somebody tell me what happens if someday we switch to ipv6, would that get rid of NAT?
"OSX is more secure"
"That's only because they have no market share and no one bothers to write viruses for them"
"So their market share is going to overtake Windows soon!"
"No chance, I don't care how many iPods they sell they'll be lucky to hit 4% in your lifetime"
"So... OSX is more secure"
And mod grandparent down, it's nothing but FUD.
There is absolutely no risk connecting an unpatched XP box to the Internet provided you firewall it first. And, oh looky, there's a firewall shipped with XP! It's more than adequate to prevent being compromised while you go to Windows Update and download the patches.
I'm absolutely not surprised that up-to-date systems survive current attacks. I'd even expect that from the vendor/distributor.
The behavior of a not exactly up-to-date system would give much more insight in the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?
My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).
In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install since years (I wonder about /. readers that tell something different for Fedora). And I think you can safely do a default install on these systems and then pull your patches from the internet.
A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors SP1 experience.
I have absolutely no idea what you're typing, i would arrive at a school for teachers of the body between the ribs and the pioneer of flying. Together with his brother he made the first controlled flight of an animal.
My mother once asked me the same feeling you are a common target for murderers for the packages, who cares if they're just sitting on your hd taking up space?
What language do you want to keep things as lean as possible. I'm thanking my lucky starts that i am designing a new class for the studio machine.
You are the computer program, and i am a human being, which means i do what i typically see on my workstation. I am a human being, which means i do what i typically see on my workstation. I am a human being, which means i do what i typically see on my desktop. A bard was a great earthquake, ... And every island fled away, and the world is an attack. A sword is an attack. We tracked it back to an aol user on the spur of the body to the sysadmins. We tracked it back to me letting me know that they would follow it up. I really need help with a name for ass.
The truth is that if somebody really does want to keep things under control and if you were a real hacker, instead of just some wannabie hacker faggots who pay money to get into your system, it can happen. I guess that is a line of defense.
I think you could leave your brain at the end of the large intestine, terminating at the end of the alimentary canal is the process of getting rid of unwanted substances from it.
Octalpus is built like a plumb.
Perhaps i should turn the tables by asking you the truth, i'd have to kill you. And nobody wants that!
You are a stupid bloody moron with no right to exist as a maggot infested cat in the neck.
Most however are either scripted or fairly primitive, although last week there was a scottish inventor. He invented the carbon filament electric lamp and the internet. Blood is a chemical element which can enter into combination or take part in a private address space. Octalpus is built like a writing desk?
I am certainly not a way of life at all in any true sense. Under the clouds of war, it is humanity hanging on a case-by-case basis. At a minimum, providers of cable and dsl should make customers use modems with built-in nat/firewall.
Ok, running p2p software is a no-brainer.
Of course, it doesn't work with the "spirit of the ford motor car company and the internet. War doesn't prove who's right, just who's left. That "spirit" is long gone -- it only worked when the internet was an italian scientist. He discovered the ring of saturn, jupiter's 4 major satellites and the internet.
> Pardon the shoddy grammar, it is rather late. Post AC to not whore karma.
Yeah, cause I see this one getting modded up REAL REAL HIGH.
It's so funny to see something like Post is first bitches when it is nowhere near being first.
OK, to be on topic now. Notice how the article mentions that you need to pay to get Linux from a vendor. Now notice that what they say seems to say that the only way to get security updates is through a vendor.
Apparently the reporter and/or testers have never heard of Debian (ever notice the http://security.debian.org in your apt list?) or any other distro that has frequent updates.
I find it funny how they test Suse, RedHat (they must mean RedHat Enterprise), and Fedora - and then act like they just tested LINUX itself.
To be fair, if they want to test linux they need to go through Linux From Scratch and stop as soon as they get a bootable system - then test that. More than likely secure, as there is nothing besides the Kernel and a couple core utilities (maybe) to attack!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Maybe they think of attempts to ssh in as root and guess the password as attacks?
I suspect you are right. FTA:
The Windows Service Pack 2, or SP 2, system is the most up-to-date Windows operating system. It received 16 direct attacks.
The Macintosh system received three attacks. Two of the Linux systems received eight attacks each, though Red Hat's version of Linux received no attacks at all.
But in the end, none of the attacks were successful.
So on up to date systems, none of them were successfully hacked. XPSP1 got taken over in minutes though. Which just confirms what we already knew, that XPSP1 was an atrocious POS OS, and was released because of Microsoft's sloppy "release a beta-quality product way too early in order to gain market share quickly and then patch the inevitable mess later" attitude, but SP2 is definitely a move in the right direction, although years late, and a lot of damage has already been done. Has MS really changed, I wonder? Will they stay on this 'right track' where they 'care about security' or is it all necessary damage control + PR "for now", in their minds?
Hmm .. just thinking, the software update on my 10.3 Mac mini downloaded an update referred to as a 'security update' .. wonder if a known vulnerability was patched there-in.
Actually... you fell for Microsoft's Marketing propaganda, Longhorn to my knowledge won't have the complete API rewritten in C#, it just will have a thin C# layer on top of all relevant APIs... This makes things more secure but not secure from a buffer overflow standpoint. What happens is, that the injected data is delegated over a thin C# layer into the win32 API in various parts and hence buffer overflows and other nastiness are still possible. Face it we are still 10 years away from being able to run windows in a VM with a vm based language having covered every aspect of 20 year old legacy code which by then is dumped.
if you aren't upgraded, you deserved to be hacked
that's exactly what MS wants you to believe... when Joe Sixpack starts repeating this kind of "truth"... that's when they'll start charging you for necessary security updates
"There are going to be security holes in just about any operating system," said Silver
Sure. What matters is what can be done through those holes. This is where OSes differ greatly, and OS popularity has nothing to do with that.
"The honey pot test is a good indication that many small-business and home computers are still using older versions of Windows
No? Really? I mean, you really need a honey pot test to reach this conclusion?
I still have a bunch of inexperienced friends running w98. I spend a hell of a time to bring them things they have no clue about (firewall? What the f**k is this for?). People using XPSP1 behind a dialup access are not much safer.
The problem starts by assuming most people have clues on computing. Automated updates is just a little part of the answer, and it takes connectivity not everyone has.
Leaving users out of admin privileges except in the rare occasions they need it is probably the key element, and none of those XP friends knew that because windows came preinstalled with a really dumb config. And guess what, they all call me when it's too late.
sorry but we have a pair of video editing suites that CAN NOT have SP2 installed.
the hardware will not boot with SP2 installed.
Uh-oh - bannination ensues for actually knowing how to administer Windows correctly! ( I got 150 boxes in a solid MS shop. It all works fine. Custom apps, everything, all my trouble just disappeared after we got rid of 98 finally). Congrats to you for bothering to RTFM that comes with Windows.
Vote Quimby!
While that wasn't a serious post (or at least I hope not), I'll try and offer a true argument in this vein:
Hula. You know it. You love it. It's installed on your PC right now. Did you audit the code? No. Did you install it as someone other than root? No.
You have it sitting there, since it's not packaged yet, as a daemon, which is running as root, in /usr.
Totally safe!
(Before we go further, this is true of any software package. Hula's just been popular lately and thus helps to underline the point more clearly. I do not believe Hula is evil spyware, nor that anyone involved with it is now, nor has been, a member of the communist party.)
Except if it were spyware it could have written over who-knows-what and now is sending each shell command and bit of network activity to whomever. And it's root. So we've now a root server running on port 80 which has not been audited. Thank God sendmail taught us all our lesson, right?
Linux is no safer than any other OS at the moment. Hell, if we look at the fact that strlcat/cpy have been turned down for inclusion multiple times to the GNU libc because it would be "slower" when preventing a buffer vuln, if anything it's getting worse, and will continue down that slope.
It's as if we've forgotten all we know, and we're ignoring those who try to remind us.
Strange, that with full source code and documentation available, nobody has come up with a major hack for Linux.
if you hadn't noticed. it is mainly windows that get taken over in a matter of seconds after a fresh install. linux doesn't have this because there are not that many worms for linux. i put my computer on dmz yesterday for 30 minutes. my computer was scanned 100 times. 70 of them hits were for netbios ports 135 137 139 and 445. if you have read the white paper by honeypot.org you will know that a default linux install(even from 5 years ago!) can last 3 months. but a default xp sp1 install will last 5 minutes unless it's firewalled. and you know who we have to thank for this?? you guessed it MICROSOFT FOR SUCH A BAD SECURITY POLICY. i wonder if there's even a worm for mac?
Stable? Outdated for anything but the most basic of servers.
Testing? a) You get a lot of non-security updates and b) you don't get security updates
Unstable? I'm sure you have the latest security updates as well - when it isn't broken.
The key here is security patches. Things you can run on your production machine and be pretty damn sure it won't crash and burn.
Backporting fixes is not fun. It is not inventive. It doesn't improve the HEAD build of your project. If I wasn't getting paid, I'd rarely bother unless it was either a) really major or b) really easy to fix. 99% of the time, my answer would be "Upgrade to the latest version". No wonder there's a market for vendors here.
Personally, I wish Debian would create a "core" set of packages which would be in testing, yet have security fixes. In stable, everything and the kitchen sink gets security updates, but the version is ancient. It'd be nice if you could upgrade core stuff (I'm thinking X, Gnome, KDE and some core apps, max 1CD of Debian's 13? 14?) while still getting those hotfixes.
Kjella
Live today, because you never know what tomorrow brings
In the second, there are those who turned off (or had a "helpful" tech turn off) their automatic updates and have no idea how to update their system.
This isn't an entirely stupid thing to do - if someone is on a pay-per-minute dialup connection, they don't *want* to be automatically downloading hundreds of megabytes of updates. (Especially if a lot of those updates are to add stuff they don't need/want - i.e. DRM for Media Player, etc).
http://blog.nexusuk.org
From the article
"Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
No. They KINDA show that only Microsoft products are vulnerable when not patched.
For what it's worth, IMHO, I think that SOME of the home users that don't patch their installs of MSXP are afraid that MS is trying to slip in some software that would automagically inventory their MP3 collection, hacked software, etc and somehow "break" their computer. I think many people think of MS operating systems as a "deal with the devil". They really DON'T want to use Windows, but isn't that Linux thing for computer gurus and really hard to use? It's really hard to combat that kind of FUD. If it wasn't, a HUGE number of corporate users would be using a *nix based solution, if only to shrink desktop support staff.
As a networking professional, I can tell you that the constant rolling out of virus and OS patching to our user base DOES impact network traffic and "regular job" throughput, but the top brass sees this as a necessary evil. But of course my corporation has MS stock in its portfolio....
Did they also test to see how long a person would last in sub-zero temps without a jacket? Or how safe a 16 year old girl is walking through an inner city parking lot at 1am? Or how long a child can survive in the woods alone? This is the approach people need to take with their PC.
But in the end, none of the attacks were successful.
...
Windows Service Pack 1, or SP 1, however, was another story.
...
Microsoft responded that the tests prove that any operating system is vulnerable when not patched.
In reality it appears that the tests indicate that a Windows box is vulnerable when not patched? (tho I'm sure had the test been run long enough, most/all of the unpatched boxes would have eventually been owned)
I work for the Department of Redundancy Department.
That's not surprising.
Anyway, that honeypot test that I am talking about put several older versions of Red Hat up, which I believe included Red Hat 7.3 (Which, if I am not mistaken was released around the same time as Windows XP was...)
In that test, the default installation, non-patched version of Red Hat 7.3 was secure for 6 months, before it was cracked with a brute force password crack. The Windows XP Machines were cracked on average 6 minutes after being hooked up.
Perhaps you should look up that past Slashdot article, it has far more detail than what I recall and offer here.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Use something else, sheesh. If managing something like Fedora is too much for you I would suggest running something like Slackware. If you are running services you probably aren't using it for a workstation anyway so I could only assume from your vague post that you don't need all that convoluted package management to begin with.
You are about to give someone a piece of your mind, something which you can ill afford...
How long have cookies been a form of spyware?
This is from the end of the article.
Some forms of spyware:
Key loggers record keystrokes and then transmit credit card numbers and other sensitive information to identity thieves.
Cookies are used by online companies to track user preferences.
Adware causes annoying pop-up ads but often harvests information like spyware. The best way to know if your computer has spyware is to run an anti-spyware program.
What saddens me the most is that there's a new cry out there stating that we all have to either, buy more hardware and software and/or become more savvy administrators to connect safely to the internet.
The truth of the matter is that, yes, a reasonably safe-non-hackable OS can be created and sold to the masses. Heck, I can grab Mandrake Move and connect to the Internet and when I'm done browsing and reading my email from some on-line service turn the machine off and puff!! The system is clean as a whistle.
It appears we don't lack the resources, we lack the understanding.
- these are not the droids you are looking for -
...are we going to post the same DAMNED STORY!?! It's been done, get the fuck over it!
I find that many Slashdotters are heartlessly callous towards end user needs and issues.
1. Filter all the comments up to 5
2. Print
3. Take to your favorite end user
Even if they can follow the thread of the conversation, ask them if they would know how to ACCOMPLISH the actual tasks and tips given in the posts.
And please, no jejune whining about how you're tired of having to give out free help. If you're not a part of the solution...
I have noticed that my cable provider will periodically scan for web servers running off of people's home connections. I suppose they do it because they say you can't run a web server in their TOS.
Never argue with an idiot. They will just bring you down to their level and beat you with experience.
Will Spybot, Adaware and a decent AV detect compromises? Especially botted machines? Is ZA enough to block bots?
Or is there something else that will do the job?
One thing I dislike about such articles is they discuss the problem without generally offering solutions.
How complete was the solution set offered at the end of the article?
I'm a consultant - I convert gibberish into cash-flow.
The article stated that MS will go on the offensive to 'get the facts out'.
Hey Steve Ballmer - why don't you get a good fucking product out the door then you wouldn't have to spend a coupla hundred million bucks spinning shit into gold, now would you?
Don't 'give me the facts' I know what the damn facts are. Just make Windows more secure. And here's a tip, Microsoft, just a thought....
Instead of carrying on about the animated 3D Video crushing interface in Longhorn THAT IS ALREADY 2 YEARS LATE....Why don't you spend that effort on making Windows more secure?
Or isn't that sexy enough for your PR guys. I swear you MS morons must go to sleep every night dreaming of new ways to be useless.
Exactly. And why do people even buy software based firewalls anymore? I've seen nothing but problems with Norton Firewall and McAfee than I care to rant about. I mean, when a user is constantly being bombarded with "Would you like program X to access the internet", it just gets confusing. So normally, they will say YES for fear it will block their internet access. Which BTW does happen.
For a better and easier solution, just get a hardware router/firewall that does SPI. If for some strange reason you have problems with it, just reboot it. With a software firewall, you have to find what you did wrong or be forced to reinstall it which is a PITA altogether.
And last but not least. A Linksys Wireless-G router with SPI firewall costs just $10 more compared to Symantec Norton Personal Firewall 2005. It's a no brainer as to what is a better choice. Check prices on the links below.
http://www.newegg.com/app/viewproductdesc.asp?des
http://www.bestbuy.com/site/olspage.jsp?id=109109
Life is not for the lazy.
Running that on the few 5.3 systems I've had will put the mail in the send queue, sure, but it won't send it. Once you tailor the configs, it will work, but out of the box your mail just sits there in the queue until it expires. It's partially the config, and partially a bug (ahem, I mean "feature"), but it won't send. It may work if the machine is the MX for the recipient domain, haven't tried that (I would assume it would work), but it won't work if it's not, the sendmail with 5.3 has some nasty DNS issues (It will find the name of the MX for the domain, but won't resolve it).
I never did solve that issue, since I didn't need sendmail on any of the machines, so I found ssmtp.
--That's the point of being root, you can do anything you want, even if it's stupid.
Just to clarify further, sendmail in 4.x works out of the box for me, 5.3 does not, from base or from ports.
--That's the point of being root, you can do anything you want, even if it's stupid.
I'm still waiting for it to finish Doing It Right The First Time, you insensitive clod!
Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place?
Wouldn't it make sense to target the 65%-70% Apache servers instead? It would be far more destructive to bring down, say, a major online retailer than Joe Blow's personal peecee.
Nice troll.
Some Tuesday morning morsels for the troll:
... which is unprovable, of course, and could happen if certain mythical and unprovable assumptions turn out to be less mythical than reason would suggest, but in 2000 years of breathless expectation by those who do believe, has still failed to occur.
NO ONE stops to think that there's just millions more Windows computers out there? Windows got the most attacks because there's MILLIONS more potential sources of attack.
The intelligent among us (based on your mindlessly pro-microsoft rant/troll, this excludes you) have long considered this.
Your assumption that large deployment and large marketshare are what drives attacks, and successful attacks in particular, is a myth that has been debunked long ago, by many, many people much more intelligent and knowledgeable than you've shown yourself to be.
IIS has a smaller webserver marketshare than Apache, yet IIS is subject to many, many more successful attacks than Apache. This proves the notion that wider deployment and ubiquitousness are what drive attacks, and not intrinsic vulnerabilities in the design, to be false.
As for the rest of your nonsensical "being more buggy and subjected to more attacks means we'll be more secure than those of you with secure systems today, because we've experienced more harm," that hardly deserves a response, except to say it bears an unsurprising resemblance to the religious notion that "Jesus will return someday and all you sinners will suffer".
Windows could end up more secure than Mac OS X, Free/OpenBSD, and GNU/Linux, but I suspect the second coming of Christ will happen first, and I say that as an atheist.
Nice troll, though. It was fun pointing out your stupidity, and a pleasure to discuss once again how poorly designed Microsoft products are, and how absurd the pro-Microsoft arguments are in the face of cold, hard facts, and the inescapable reality that their products are by far the worst in terms of security and stability, have been so for more than fifteen years, and remain so despite years of promises to the contrary.
Indeed, Microsoft's incompetence in software design and OS design with respect to security and stability is only exceeded by the incompetence of its astroturfers in trying to convince the knowledgeable otherwise.
The Future of Human Evolution: Autonomy
nft
Like, wow. Where can I buy stock?
Oh yeah, Novell. Maybe by then it will have reached the magic $8 mark with all those server licenses flying off Provo.
It is obvious that Microsoft has a lot to be worried about.
Then you should not have a firewall at all as there are no hardware firewalls. Open up your linksys router and you will see it is just a computer running a stripped down OS (often Linux or *BSD). Even the ones that cost thousands of dollars and have hardware (ASIC) acceleration for certain tasks are still software based. A true hardware firewall would require fabricating new chips every time you wanted to change port forwarding or any other configuration option. Since no one is going to pay for custom chip fabrication which costs millions of dollars each time they want to change the configuration of their firewall everyone will keep using software based firewalls.
We were bringing up a 2k3 server at my friend's house and we knew it was up when we got the sasser message. "Hey, it has connectivity....where's my CD?"
I hate sigs.
Hm... The updates for MediaPlayer are still the only patches that come up with WindowsUpdate every time I check for patches from my Win2K machine. As a matter of fact, the automatic updates install only the urgent patches anyway, and none of the "recommended".
Okay, it is clear that several things are going on here:
As parent implies, these articles about the horrors of the wild wild internet are clearly out to make sensational-news points.
Second, I wanna know where these OPEN PIPES exist, that these horror stats come from. It has been years since I have even been on a connection that:
-did not start with 192.168.*
-passed smtp to the servers I have auth for [myrealbox, gmail, my college, my *other* college, my boxen at the office...]
-passed bittorrent thruput
AND
-passed ssh thruput
From this experience, it seems clear that router owners have gotten just as slap-happy about shutting everything down as so-called n00b lusers are about leaving everything open. Forget usefulness: except for the boss's http to his pr0n, the networking game is strictly about ass-covering security any more.
Does anyone remember how surprised everyone was at a networking convention last year or so, when the convention's wifi was deliberately put on an open pipe, and everyone suddenly started getting hit by hack attempts? Apparently nobody there had plugged into such an environment before.
The fact is, genuine internet access practically doesn't exist any more. Anyone who wants to get hands-on training in security operations has to pay a serious premium for the privilege--if they can get it at all.
The internet is dead; and the "live test" horror stories are mostly legend. Long live the p2p metanets!
That's probably just as well. I've seen WindowsUpdate decide to automatically update drivers and promptly break the machine.
Whore.
It's been 9 seconds since you hit reply.
Or at least, wrong in my case, on all counts. Trust me, I run enough things that would be fucked up if there was any sort of firewall and I hadn't completely configured it, I know that there's no firewall. I know what each and every process listed in the "Processes" list in the task manager does (and I have a third-party app to get more details, so trust me, I'm not being fooled).
My old ISP didn't block anything. My new ISP is the local campus residence server, and I have explicitly told them that I wanted to completely opt out of any ports being blocked (it was either completely opt out, or let them decide).
I don't download the updates automatically, so I just keep opting out of SP2. No matter how many times I say "do not notify me of this update again," Microsoft keeps trying to tell me what's good for me. I disagree, as you can tell.
Interestingly, I've seen Cain (too lazy to find the link, but if you're wondering what I'm talking about it shouldn't be hard) log what definitely look like a few attempts to get into my computer. With the passwords set how they are, though, it's been impossible, and the examples are just interesting little bits in the log, no actual threat.
I understand why you would call me insane . . . by the logic most people go by, and indeed by what happens to most people (I'm not going to claim I'm even close to an average example), it would seem like this. But, reality is matching up with my ideas. It's not insanity if things end up acting the way I think they do for me. Go ahead, be paranoid if you want to be; I won't even object to your assumptions, you may be right in most people's cases.
But, not in mine.
I remember sigs. Oh, a simpler time!
I really, really don't like that thing. That's the first thing I turned off, waaaay back.
I remember sigs. Oh, a simpler time!
No, I am not updated to SP2. I have updates on to tell me when they're available, but not to actually download them. See my reply to another comment a bit above.
And, haha, dial-up, it's been over half a decade since I had that. I don't have comcast, no, I had a higher-end aDSL for a long time, and at the moment I'm on broadband-on-steroids (ie. university connection).
I remember sigs. Oh, a simpler time!
I should have elaborated, I guess. So, as I've elaborated here, your assumptions are completely incorrect. Furthermore, I do actually know for a fact that my modem on my old connection at home (it's an older aDSL modem--the newer ones might, actually, but I luckily got one before Telus switched over to the newer system) has no built-in firewall.
And you've hit upon the note I was trying to play with this. People are so very, very sure that without lockdown via extensive firewalling that boxes get taken over inevitably, so convinced that it's not possible to defend one's computer other than with these over-the-top methods, that you've convinced yourself of things that I know for a fact, to a very extensive degree, are not true. And you probably won't believe me. But my point isn't that any user can survive, sans firewalling. I'm far from a normal case -- when you say that there "are many people out there like you", you're confusing things. The problem is partially that there aren't. I don't mean to sound egotistical, but yeah, I'll concede, though it sounds conceited, that it takes a bit of knowledge to pull off what I've done. But no one is babysitting me (as noted in my comment linked to above, I specifically told my current "ISP" not to).
Security is not a matter of checking off a list of things you have to have set up. There is no single path to having a hassle-free box---just because I don't use the method you think I should most certainly does not mean my method doesn't work. It works for me quite well indeed.
Alright, I've replied enough to my replies, if anyone still thinks I must be actually unknowingly following conventions, or alternatively I'm actually hacked without me knowing it . . . well, they can just keep on believing that. Their assurity doesn't stop me from enjoying the reality they're so sure isn't possible!
I remember sigs. Oh, a simpler time!
+1, Engrish