Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
If you build it, they will come.
Lorem ipsum dolor sit amet
This news isn't news. What's news is this news is in the news!
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm not that surprised, but Windows was the least secure. It should be noted that XP SP2 was installed and then the updates were applied "automatically" while none of the UNIX-ish systems had updates installed, just what came on the CDs. I know, competent admins can make any machine secure, but I wonder how MS can sleep at night knowing that their users are at such a high risk, even if they don't DO anything.
Look at all of the software and services running on a modern Linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (it's 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.
If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
These results mirror what I typically see on my workstation. I run a couple of websites on my workstation including our laboratory website, and my blog. Logs are monitored constantly with a nice tool called mkconsole that displays the logs transparently on my desktop. Several times a week, there is an attack. Most however are either scripted or fairly primitive, although last week there was a sophisticated attack that bounced through a compromised Windows machine on campus. We tracked it back to an AOL user on the East coast and reported his IP address to the sysadmins. They sent an email back to me letting me know that they would follow it up. I've not heard anything else since, but in addition to using a more secure OS, one should also maintain a vigilance of your systems to help keep things under control and if you do use Windows, PLEASE keep it patched with recent security releases.
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Visit Jonesblog and say hello.
and count the seconds before it becomes a spam relay.
I don't think end users can be trusted to protect their computers. At a minimum, providers of Cable and DSL should make customers use modems with built-in NAT/firewall.
I got stuck in the self-checkout line at Walmart once, behind a lady who had this same problem.
"He who throws mud, loses ground." - proverb
Tell me I'm dreaming. Are these people really testing the old Mac OS X 10.2 (Jaguar)? And it withstood all attacks. Nice kitty.
TFA tells us that Windows XP SP2 is more secure than Windows XP SP1 (unbelievable!!) and that there are fewer attackers targeting Linux and MacOS than Windows (hmmm - I wonder why ?).
Very thought provoking and innovative information indeed.
And I quote:
Windows XP Service Pack 2
Attacks: 16
Results: Survived all attacks
Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running Windows in the first place? It's simply more logical for those evil people to write software that attacks Windows... secure or not secure, it's going to be the primary target until it loses its market dominance.
I was on a warez site last week looking for some serial numbers um.. I misplaced. Anyway the amount of crap that was installed onto my win98se firefox box was incredible. After uninstalling at least 4 pieces of spyware I had 860 odd errors in my registry.. lovely!
serenity now!
Imagine a reality show based on this...
"Coming up, we'll have Windows eat a big bowl of fried portscans!!!"
*circus music*
"And after the break, Linux will jump off of the gigantic Mount Exploit!"
*dark piano music*
(Reality check): It would probably fall off the air for requiring someone to think, though...
It is pitch black. You are likely to be eaten by a grue.
" But in the end, none of the attacks were successful."
So... Let's see how many people don't read the article and begin ranking on windows. Startttttinnnng NOW
Unpatched Windows: Bad.
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
webpage
So any resolution of this issue has to be implemented on the OS side.
On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.
When things get complex, multiply by the complex conjugate.
Turn. Off. Unused. Services.
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under god's LCD monitor open.
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
This is not his first article. He is busy learning about Linux and OSS. You will see more articles coming from him as he dispels more FUD.
I prefer the "u" in honour as it seems to be missing these days.
Are you sure you can handle numbers that big.
Sendmail can be a bank vault or an open door.
It is up to you. The recent default mode seems closer to bank vault than open window.
From what I remember in Tron, this visually looks very cool. Digital warriors fighting on a neon grid, etc.
I'm pretty stumped, though. I tried to get my box pwned eight times, just to see the digital battle. I thought at the least Norton Antivirus would send a digital probe destroyer bot out to eradicate the trojans. But all that happened was my computer got really slow, and pop-ups kept showing up, advertising herbal virility pills for men.
Come to think of it, Hollywood movies never seem to match up with what my computer does. That's it, I'm going to stop believing them movies and start reading Wikipedia instead.
"SP 1 is not a current operating system," said Sundwall. "It doesn't surprise me that it only took 18 minutes to get infected."
Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
Registering accounts later than some other chrisb since 1997
Bet no attacks would bother a BeOS box! Seriously though, these tests are still pretty much bull. It's like leaving the keys in the ignition of an unlocked Lexus, in the bad part of town, then being shocked when someone takes it...
Face it, do something enough times, and it can cause problems.
According to the article, no one was all that surprised Win XP SP 1 went down in 18 minutes. After all, it is not up to date... it is essentially an old OS, right? So this is expected, right? Old OSs should be broken into, right? And then we have OS X 10.2, aka, Jaguar. No successful attacks. Older OS, check. Not up to date with all the latest security features that are in Panther, check. And not one successful attack. One company makes an OS that still stands after two and a half years... one company makes an OS that only stands after a major major major patch and constant updates that sometimes break software. Now, which company's OS would I choose to build a secure network? Sure, it's a flawed argument, but still I think worth noting.
The article said that none of the attacks on any system except WinXP SP1 were successful.
"But in the end, none of the attacks were successful."
"It takes a very long time to count to 2 in binary." ~'Fourlegged'
First, Comcast (with Qwest be the 2nd to last) is one of the last companies that I would trust. 2nd, I do not use a NAT/firewall from the outside. I have several exposed boxes that do great jobs year after year. The last thing that I need is for a bunch of screw-ups to tell me how to run a secured system. As to all the insecured boxes out there, they can switch to Apple, Linux, or BSD. They do not have to be running Windows.
I prefer the "u" in honour as it seems to be missing these days.
First of all, you should be behind a firewall that disallows incoming connections to almost everything. Even if you're not, FC3 has a kernel firewall enabled that blocks just about everything.
As for the packages, who cares if they're just sitting on your HD taking up space?
For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?
My other first post is car post.
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall software.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
"Honey pot" experiment shows unprotected Windows SP 1 at risk
Any version of Windows with any amount of service packs and/or updates is a scary thing to be online with. It's like having a grenade launcher in close-quarter combat. Boom.
With quotes like:
"Microsoft is racing to roll out its new Longhorn operating system in 2006.
But for the moment, it's sticking with Windows, for which it rolled out a new patch Tuesday."
I don't think so.
Can be avoided by plugging in a hardware firewall that does NAT between the cable/DSL modem and any computers. Operating system be damned.
I've seen Linksys BEFW's go for $10 on E-Bay.
Or go whole hog and get the Motorola SURFboard SBG900, combination DOCSIS 2.0 cable modem/wireless-G AP/firewall.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Microsoft might have something with Windows Longhorn, since the entire API outside of the kernel will be written in C# completely sandboxed in a CLR, much like Java.
Combined with a monolithic auto-update system, Microsoft has no intentions of repeating the problems of Windows 2000/XP when they release Longhorn, much like they had no intention of repeating the problems of stability they had with Windows 95/98/ME when they designed Windows 2000/XP. For as much as they do, they mostly won with stability in 2000/XP, and they could win again, despite their market share, by sacrificing RAM (480MB commit charge, 1GB recommended) and processing power by implementing the .NET framework for their entire API.
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
- - - - - Fear not the reaper, but my shiny white teeth.
From TFA: "Experts say spyware programs are also necessary for Windows users. Microsoft is offering a free beta version of its spyware program at www.microsoft.com/athome , and Webroot is offering its spyware program free to Colorado residents through April 15 at www.webroot.com Free spyware programs are available at www.download.com"
Of course Claria/Gator is also offering a free version of their spyware program, and it's not beta - it's an official, stable release, available to users from all over the world, and with no date limits!!
There are also other known spyware providers out there, all you have to do is to search the web for some pr0n and warez, and there you go.
Articles for geeks: T-shirts, Linux, books and more
I wonder if the 43,000+ scans came from 43,000 Windows machines already infected with trojans...
My digital rights don't need management.
Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
--That's the point of being root, you can do anything you want, even if it's stupid.
You didn't introduce any new insight, this idea has been known for years here on slashdot and it seems to be addressed in the article as well. The fact is, this statement doesn't help anything. Even if insecurity was only dependent on targeting, Windows would still not be an optimal platform just because of MS practices and ideology.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.
Nothing us geeks don't already know. Anyway, I can believe 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to its Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm surprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not surprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6, or SQL Server - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vulnerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vulnerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance...
NO ONE stops to think that there's just millions more Windows computers out there? Windows got the most attacks because there's MILLIONS more potential sources of attack. Those millions more units mean it's more worthwhile to hack Windows, because there's tons more systems at stake. So, a majority of hackers on the web are working on a base of computers whose OS absolutely dominates the marketplace.
I wonder why it tends to be "less secure" in the end... GET A CLUE! This test barely reflects anything other than Microsoft's market share, no matter how hard you want to tilt it in your own direction.
Not to mention the line "The good news is that none of the up-to-date, patched operating systems succumbed to a single attack." That. Includes. The up-to-date. Windows box. Too. Which suffered LOTS more attacks (again, more units, more at stake) and withstood them all- meaning it was technically MORE secure because it withstood harsher testing and came out unscathed.
computer scientists on a quest to design their own life in turn.
;)
Iteration X, I presume...
What, no sig flames yet on this thread?
... I suspect that the Denver Post may think that its server is coming under a massive attack at present from thousands of Slashbots...
I heard that your library burnt down and destroyed your only two books - and one was not even coloured in yet.
that there are still so many infected machines out there with sasser and blaster and other worms/viruses/etc and no one does anything about it!
ISPs should detect infected machines. Whenever these machines attempt to view a web page, show a page to download a removal tool as well as the latest patches. Allow the system to be repaired, and then reallow it on the network. Provide some override (and a number to call to access it) in case someone badly needs the internet and doesn't have time to fix the virus, but keep the machine marked and make sure to follow up on it. ISPs could make this virus protection mechanism a competitive feature.
http://brandonbloom.name
Which worms are we talking about here?
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
Please rest assured that, by the time longhorn ships - as well as between today and that point - "open source" will offer plenty of competition.
Most companies, however, chose to pay a Linux vendor in order to receive security patches.
My golden rule:
apt-get update
apt-get upgrade
Once a week. For free.
"And then I visited Wikipedia
First, I didn't RTFA, but I wanted to relate our experience at a recent technology conference my employer hosted. The names of the guilty/innocent have been scrubbed to keep this post from being moderated into Flamebait.
Part of the conference was a series of hands-on labs that we were hosting using loaner equipment from major manufacturers. The network was provided by a major ISP through a national hotel (where this part of the conference was being held).
The labs were assembled by volunteers, and were pretty much infected beyond use with spyware and viruses within about 10 minutes of coming online. It was the worst thing I'd ever seen. We had 20+ people scrubbing the machines off-line for literally HOURS, only to have them reinfected once they came back online (now behind a firewall).
To compound the issue, we couldn't feasibly reimage the machines because the vendor donating them gave us at least 10 different models with 2-3 variations on each model.
In the end we threw in the towel, refunded people's money, and let the Mac lab (which remained unaffected) continue their presentations.
just my $.023233432322
I wouldn't say they get a "pass", but let's just be thankful that Microsoft finally got it right by turning the damn firewall on by default with SP2.
Excuse my ignorance about Macs, but does OSX 10.2 come with a firewall turned on by default?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Don't forget that their idea of being "attacked" included regular-old port scans and pings. Looks like they just plum configured the network badly...
Or it means that RH9 wasn't logging portscans and pings... which, AFAIK, it didn't do with any of the default firewalls. It is only newer distros that log potentially malicious traffic.
I drink to make other people interesting!
Not sure about ntpd, but rhnsd does connect to the network and is turned on by default if I recall.
While this is true, the chances are that most services will not be started by default on such a system. I was quite impressed with the default FC3 install - (almost) no services running by default, and a packet filter in place anyway.
While it is better not to have the services installed at all, it makes relatively little difference since the attacker would need some form of local access in order to use them if they do not run by default.
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
If you notice, Jaguar (Mac OS X 10.2) was used in this test. This is an operating system that was phased out in late 2003.
There's something to be said about that VS a windows PC with SP1 installed.
I run two Windows boxes behind a BSD router. To avoid the pain of having to change my natd.conf file every time I want to try a new P2P app, I simply forward a large group of ports to each of my Windows boxes. Ports 5000-8999 go to one and 9009-12999 go to the other. No *Windows* services run on these ports, so I don't lose any sleep over it.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
In any case regardless of the OS I think it's good practice to remove all unused code.
The point was to test the "Out of Box" experience. XP with SP2 is what users get out of the box now. The firewall is on by default and the automatic update is the default selection.
SP2 was such a large step forward in terms of user security that I'm sure they sleep quite well. This is yet more proof that these three OSs are now on even footing in terms of security.
Windows XP with Service Pack 1 was attacked 4,857 times and only infected once!
Windows XP with Service Pack 1 dynamically adapted to become immune to further attacks by the Blaster and Sasser worms in only 18 minutes!
Within one hour Windows XP with Service Pack 1 had apprised the situation and chosen to join the winning side!
Windows XP with Service Pack 1 single handedly fought 1600x as many viral foes as its nearest competitor! Yet it bravely continues to withstand the onslaught of its most cunning viral foe, the GPL!
The infidels are committing suicide by the hundreds on the gates of Windows XP... Be assured, Windows XP is safe, protected. Microsofties are heroes.
Liberals call everyone Nazis yet they are the closest thing to it.
Check for open ports on your pc. https://www.grc.com/
Religious adherence to evolution? Are you trying to be Ironic?
Don't look now but.... http://devolab.cse.msu.edu/software/avida/
The evolutionaries are one step ahead of you!
I don't know, that was a pretty cool song the first 4700 times I heard it. ;)
I watched C-beams glitter in the dark near the Tannhauser gate.
"A simple NAT is not enough. A firewall is required."
Required for what? What if you don't have any services listening on open ports?
"The best full security suites are free: linux, openbsd, etc. Run them on an old PC for your firewall/NAT. They are configurable to your heart's content, unlike cheap, buggy dlink and linksys hardware."
The last time I checked, Linksys routers ran Linux.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
One glitch was already mentioned, "Experts say spyware programs are also necessary for Windows users". I guess yeah, if you are a Windows user you are entitled to spyware soft and every virus out there but I don't think your help is really needed with installing it. Then, "Windows SP 1" and "Windows SP 2"... XP is mentioned only at the very end. Yes, it is obvious what Windows they are talking about but still, Windows is not the name, Windows XP is. Then, patching and builds. SP is just a service pack, there are security updates, patches, builds... Just saying "Windows XP" does not define what is actually installed on the machine. No details on attacks (except Windows SP1). On spyware, "Cookies are used by online companies to track user preferences". I hate when Ad-aware tells me that cookies are spyware but I understand the idea that it would not make sense to make a separate category for it. But an article?! IMO, lots of bull with conclusion that everybody except the author knew a while ago.
It may sound crazy, but Windows 3.1x will stand up to the test very easily out of the box. Just run the Shields Up test on grc.com and you'll find that Windows 3.1x has NO ports open by default, not even port 139 which is open on all versions of Windows from 95 onward.
Story about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
Ok, I'm responding to an ac, but oh well -
Which OS is propagating the viruses/trojans/malware?
Windows.
Which OS does it infect?
Windows.
Yes, other oses were attacked - [by windows zombies] - but not compromised, in fact there are very limited examples of exploits propagating through other oses aside from windows [I can find 7 linux viruses, all of which do not propagate nor are effective to any measurable extent].
It is likely in the future that one may find a way to compromise a linux/mac in the same way, but that day has yet to come.
And that is why we question findings that windows is more secure than linux. It is GLARINGLY obvious that this is untrue to anyone sane.
ymmv
Microsoft's leadership position means that more viruses are written for Windows, said Silver, who estimates that 96 percent of all desktops and laptops worldwide used Windows at the end of 2004.
So Microsoft gets a pass on viruses because it is popular and has a lot of software written for it? And then those same people use the amount of software available for MS Windows as a reason why Windows is superior. You can't have it both ways: if you think Windows has an advantage because of a larger application base you have to include the malware applications like viruses and spyware as well.
You could wrongly argue that when Linux has a larger installed base it will have the same problems as MS Windows. But even if that were true, its new popularity would mean that more commercial applications like Photoshop would be written for it also. The blade turns both ways for better and for worse, yet MS Windows apologists try to claim the best of both worlds.
501 Not Implemented
The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't as I'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
That could've been funny if I spelled "tough" right...oops, I meant to submit it as AC...oh screw that.
Hamster didn't know it was going to happen. That worm uncovered some great bugs in the early days.
Food run anyone?
The Macintosh system received three attacks. Two of the Linux systems received eight attacks each, though Red Hat's version of Linux received no attacks at all.
But in the end, none of the attacks were successful.
[...]
Windows Service Pack 1, or SP 1, however, was another story.
followed by...
Microsoft responded that the tests prove that any operating system is vulnerable when not patched.
Is this not the most blatant lie/doublespeak/misrepresentation-of-truth ever? Who in the world could stand behind a statement like that?
Direct away from face when opening.
At the risk of being redundant myself, I would like to reiterate my request to be able to mod articles.
Reread the post.
Only windows propagates the viruses, and only windows gets them.
No propagating virus etc has been written for *nix. Yet.
No matter your level of objectivity, the FACTS speak loudest.
ymmv
Did Windows 3.1 even have listening services by default? I recall having to add a separate TCP/IP stack, and being able to choose from several different vendors (which would bundle their daemons along with the stack).. I recall Chameleon, some FTP.com stuff, Trumpet Winsock...
It's hard to remote sploit something that isn't even listening....
Here's a useful link for securing Windows Systems: Black Viper.com
Now, let's say I ran just 90 services at random at the start. 8 of them have holes, by the assumption above.
90 services in each case, but one is secure and the other isn't. Arguably, then, it is NOT the number of services that is the deciding factor. It is the care with which they are selected and the environment they are placed in.
That latter part is more important than many think. Let's say you ran an FTP server. That's a fairly risky system, as it needs access to many different directories at some point or other.
A sensible way to run it would be to compartmentalize it as much as possible. If you're using a hardened Linux kernel, that would involve defining a very restricted role and placing the server within it. Breaking into the server then wouldn't do much, because the kernel would prevent an attacker from breaking out of the role.
The second defence is to run suspect servers inside a bounds-checker, to catch buffer overflows and other common methods of attack. It's not 100% secure, but it would limit the chances of an attack being successful.
The final measure is to make all connections indirect by using transparent proxies. If the proxy silently dropped anything that didn't make sense, vulnerabilities involving the faulty handling of malformed packets would be harder to exploit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
it is the common ones that are the normal openings, such as 80 on windows with IIS.
I prefer the "u" in honour as it seems to be missing these days.
I'd recommend Snort or an IDS of some type. Sorting through the logs (pretty easy with some knowledge of them and SQL commands) you could easily generate a count of a specific alert (port scans). I have a catch-all rule that looks for SYN packets and specify some specific ports as well.
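The kind of alert counting the comment above describes, as an added example that is not part of the original thread: it parses Snort's "fast" alert log format, counts alerts per rule, and separates sources that probed several ports from ones that sent a single stray packet. The rule names, SIDs, addresses and the three-port threshold are constructed assumptions, and only IPv4 endpoints are handled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's "fast" alert format. Rule names, SIDs (local
# rule range) and addresses (documentation ranges) are made up for the example.
SAMPLE_ALERTS = """\
02/15-10:01:02.100001  [**] [1:1000001:1] LOCAL catch-all inbound SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.0.2.10:135
02/15-10:01:02.100417  [**] [1:1000001:1] LOCAL catch-all inbound SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40113 -> 192.0.2.10:139
02/15-10:01:02.100902  [**] [1:1000001:1] LOCAL catch-all inbound SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40114 -> 192.0.2.10:445
02/15-10:01:02.101388  [**] [1:1000001:1] LOCAL catch-all inbound SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40115 -> 192.0.2.10:1433
02/15-10:14:40.220134  [**] [1:1000001:1] LOCAL catch-all inbound SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.50:51822 -> 192.0.2.10:22
02/15-10:14:41.003511  [**] [1:1000002:1] LOCAL SSH login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.50:51822 -> 192.0.2.10:22
02/15-10:14:44.871209  [**] [1:1000002:1] LOCAL SSH login attempt [**] [Priority: 1] {TCP} 203.0.113.50:51830 -> 192.0.2.10:22
02/15-11:30:00.000321  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
this line is truncated or not in fast-alert format
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+(?::\d+)?)\s+->\s+(?P<dst>[\d.]+(?::\d+)?)$"
)


def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (host, port); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_alerts(text):
    """Return (alerts, skipped): parsed alert dicts and a count of bad lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            skipped += 1          # count it, so silent data loss is visible
            continue
        src, src_port = split_endpoint(m["src"])
        dst, dst_port = split_endpoint(m["dst"])
        alerts.append({
            "ts": m["ts"], "sid": int(m["sid"]), "msg": m["msg"],
            "classification": m["cls"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port,
        })
    return alerts, skipped


def count_by_signature(alerts):
    """Alerts per rule, keyed by (sid, message)."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def likely_scanners(alerts, sid, min_ports=3):
    """Sources that tripped rule `sid` on at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for a in alerts:
        if a["sid"] == sid and a["dst_port"] is not None:
            ports[a["src"]].add(a["dst_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in count_by_signature(parsed).most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("unparsed lines:", bad)
    print("likely scanners:", likely_scanners(parsed, sid=1000001))
```

Counting per rule and per source this way makes explicit what a raw total hides: five of the eight constructed alerts come from the catch-all SYN rule, and only one source touched enough distinct ports to look like a scan.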
Also, windows desktops tend to get turned off a lot. Linux (etc) desktops tend to get left on 24/7 (and generally better at networking anyway), so they would make a more desirable zombie machine, even if they only make up 5% of the "market".
Market share is not the reason for the relative lack of *nix viruses/worms/etc because there are enough of them out there to make a successful virus very much worth the effort. It's the sheer difficulty of creating a successful virus for *nix that leads to the lack of *nix viruses etc.
Security has been on the minds of *nix developers longer than (networked, anyway) Windows has existed. UNIX might be 30+ year old tech, but that's 30+ years of evolution, including at least 15 of security audits (for the userland stuff) and new stuff tends to be developed with security in mind (sure, holes get in, but they also tend to get fixed quickly). I believe that is the real reason for the dearth of *nix viruses: they can only survive in virtual petri dishes; they just don't get far in the wild anymore. Sure, there was the lion worm back in 2000, but it died out rather quickly (unlike those IIS worms of the same time that are still going).
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.
This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.
Did attacks vary with time? Did attackers fingerprint the OS' and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?
How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)
For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?
Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.
In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.
If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.
There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"Free spyware programs are available at www.download.com"
:-)
While I agree that it might have been instructive to include, say, RedHat 7 in the lineup, security of original XP is still an important consideration. First, to hear MS at the time, XP-SP1 should have been more solid then and should be more solid now. But far more importantly, we see how vital it is to fully patch your XP system before connecting it to the internet. And where do I get those patches from? Oops...
The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."
Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
"There are hundreds of game theorists at the gates, sir, and they want to hold an election!"
I just used 'emerge -C security_holes', and it didn't find anything to remove. ;)
The only surefire protection against Microsoft infections is abstinence. - The Onion
I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know, I think it must be a lot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
I remember sigs. Oh, a simpler time!
The Morris Worm
Of course I never turn it on, but if anyone tried to break into it they would have the door slam into them.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Unless you run a server, Apache isn't an issue. A security hole should be in something that is actually being used in some manner.
Just remember, whatever you do, stay away from that nasty dimensional science!
Windows doesn't "automatically" install updates. It will automatically download them. IF you select the automatic updates in the setup. So to install them, you have to tell it to install them. It takes user interaction. This isn't OUT OF THE BOX. Out of the box would be no user interaction, save for installing the OS. I don't want to just jump on the "hate Windows" bandwagon, (surprise, I am a gamer, I use Windows) but this wasn't done uniformly. BTW: WOOT WOOT FOR OSX. But hey, it's Unix. What did you expect?
1: Most Windows users think it's some kind of toy or fancy game console. No joke. Security to them is locking the front door if you know what I mean.
Some of these people time to time MIGHT see something on TV about viruses, but other than that, they have no idea about patches.
The flip side to that is the people that see the AOL TV ads. I feel really sorry for them, and for us that have to fix their computers afterwards.
2: Most of the "UNIX" community respects one another, and doesn't want to trash someone else's box "just for the fun of it".
That and it's a lot harder to "hack" it because there is a lot more of a diverse range of programs and versions of those programs.
The attack might only work for one version, but there is only a small percentage of computers out there that even run that version.
I hate to be the one to bring up the old argument, but Windows machines are attacked more often because there are more of them; it's the bigger, easier target.
One could make the case, in fact, that security holes are found in Windows more often because, as the bigger target, there are more people out looking for them - exploit a new vulnerability and you stand to compromise a lot more Windows machines than Mac OS X machines, or Linux machines, or whatever.
Using Mac OS X (or any other OS) because it's attacked less often is another form of security by obscurity, and it's no security at all. By your argument, everyone should run OS X, because it does not get attacked, but when they do, then they will be the new target. Any security holes in Mac OS X (and there are *always* security holes in any system) will be exploited much more aggressively than they are now.
You are only (reasonably) secure if you run a patched box, regardless of OS.
Secure by default. The users who are likely to be unable to keep up with patches are exactly the same users who don't know how to turn off services. So ffs don't have services running on a default install.
I am trolling
Well, the first worm of all time comes to mind, the one Robert T. Morris released in 87/88(?). That one exploited holes in sendmail, fingerd and some other services I don't recall. There were a lot of these in the years after that. So yes, Unix sure had a problem with worms.
Yes, because every mac comes with the web server enabled by default.
Integrate Keynote and LaTeX
And mod grandparent down, it's nothing but FUD.
There is absolutely no risk connecting an unpatched XP box to the Internet provided you firewall it first. And, oh looky, there's a firewall shipped with XP! It's more than adequate to prevent being compromised while you go to Windows Update and download the patches.
I'm absolutely not surprised that up-to-date systems survive current attacks. I'd even expect that from the vendor/distributor.
The behavior of a not exactly up-to-date system would give much more insight in the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?
My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).
In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install for years (I wonder about /. readers that tell something different for Fedora). And I think you can safely do a default install on these systems and then pull your patches from the internet.
A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors' SP1 experience.
> Pardon the shoddy grammar, it is rather late. Post AC to not whore karma.
Yeah, cause I see this one getting modded up REAL REAL HIGH.
It's so funny to see something like Post is first bitches when it is nowhere near being first.
OK, to be on topic now. Notice how the article mentions that you need to pay to get Linux from a vendor. Now notice that what they say seems to say that the only way to get security updates is through a vendor.
Apparently the reporter and/or testers have never heard of Debian (ever notice the http://security.debian.org in your apt list?) or any other distro that has frequent updates.
I find it funny how they test Suse, RedHat (they must mean RedHat Enterprise), and Fedora - and then act like they just tested LINUX itself.
To be fair, if they want to test linux they need to go through Linux From Scratch and stop as soon as they get a bootable system - then test that. More than likely secure, as there is nothing besides the Kernel and a couple core utilities (maybe) to attack!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I'm sorry, what do you mean?
Maybe they think of attempts to ssh in as root and guess the password as attacks?
I suspect you are right. FTA:
The Windows Service Pack 2, or SP 2, system is the most up-to-date Windows operating system. It received 16 direct attacks.
The Macintosh system received three attacks. Two of the Linux systems received eight attacks each, though Red Hat's version of Linux received no attacks at all.
But in the end, none of the attacks were successful.
So on up to date systems, none of them were successfully hacked. XPSP1 got taken over in minutes though. Which just confirms what we already knew, that XPSP1 was an atrocious POS OS, and was released because of Microsoft's sloppy "release a beta-quality product way too early in order to gain market share quickly and then patch the inevitable mess later" attitude, but SP2 is definitely a move in the right direction, although years late, and a lot of damage has already been done. Has MS really changed, I wonder? Will they stay on this 'right track' where they 'care about security' or is it all necessary damage control + PR "for now", in their minds?
Hmm .. just thinking, the software update on my 10.3 Mac mini downloaded an update referred to as a 'security update' .. wonder if a known vulnerability was patched there-in.
Actually... you fell for Microsoft's marketing propaganda. Longhorn to my knowledge won't have the complete API rewritten in C#, it just will have a thin C# layer on top of all relevant APIs... This makes things more secure but not secure from a buffer overflow standpoint. What happens is that the injected data is delegated over a thin C# layer into the win32 API in various parts and hence buffer overflows and other nastiness still are possible. Face it, we are still 10 years away from being able to run Windows in a VM with a VM based language having covered every aspect of 20 year old legacy code which by then is dumped.
"There are going to be security holes in just about any operating system," said Silver
Sure. What matters is what can be done through those holes. This is where OSes differ greatly, and OS popularity has nothing to do with that.
"The honey pot test is a good indication that many small-business and home computers are still using older versions of Windows"
No? Really? I mean, you really need a honey pot test to reach this conclusion?
I still have a bunch of inexperienced friends running w98. I spend a hell of a time to bring them things they have no clue about (firewall? What the f**k is this for?). People using XPSP1 behind a dialup access are not much safer.
The problem starts by assuming most people have clues on computing. Automated updates is just a little part of the answer, and it takes connectivity not everyone has.
Leaving users out of admin privileges except in the rare occasions they need it is probably the key element, and none of those XP friends knew that because windows came preinstalled with a really dumb config. And guess what, they all call me when it's too late.
Uh-oh - bannination ensues for actually knowing how to administer Windows correctly! ( I got 150 boxes in a solid MS shop. It all works fine. Custom apps, everything, all my trouble just disappeared after we got rid of 98 finally). Congrats to you for bothering to RTFM that comes with Windows.
Vote Quimby!
While that wasn't a serious post (or at least I hope not), I'll try and offer a true argument in this vein:
Hula. You know it. You love it. It's installed on your PC right now. Did you audit the code? No. Did you install it as someone other than root? No.
You have it sitting there, since it's not packaged yet, as a daemon, which is running as root, in /usr.
Totally safe!
(Before we go further, this is true of any software package. Hula's just been popular lately and thus helps to underline the point more clearly. I do not believe Hula is evil spyware, nor that anyone involved with it is now, nor has been, a member of the communist party.)
Except if it were spyware it could have written over who-knows-what and now is sending each shell command and bit of network activity to whomever. And it's root. So we've now a root server running on port 80 which has not been audited. Thank God sendmail taught us all our lesson, right?
Linux is no safer than any other OS at the moment. Hell, if we look at the fact that strlcat/cpy have been turned down for inclusion multiple times to the GNU libc because it would be "slower" when preventing a buffer vuln, if anything it's getting worse, and will continue down that slope.
It's as if we've forgotten all we know, and we're ignoring those who try to remind us.
Stable? Outdated for anything but the most basic of servers.
Testing? a) You get a lot of non-security updates and b) you don't get security updates
Unstable? I'm sure you have the latest security updates as well - when it isn't broken.
The key here is security patches. Things you can run on your production machine and be pretty damn sure it won't crash and burn.
Backporting fixes is not fun. It is not inventive. It doesn't improve the HEAD build of your project. If I wasn't getting paid, I'd rarely bother unless it was either a) really major or b) really easy to fix. 99% of the time, my answer would be "Upgrade to the latest version". No wonder there's a market for vendors here.
Personally, I wish Debian would create a "core" set of packages which would be in testing, yet have security fixes. In stable, everything and the kitchen sink gets security updates, but the version is ancient. It'd be nice if you could upgrade core stuff (I'm thinking X, Gnome, KDE and some core apps, max 1CD of Debian's 13? 14?) while still getting those hotfixes.
Kjella
Live today, because you never know what tomorrow brings
In the second, there are those who turned off (or had a "helpful" tech turn off) their automatic updates and have no idea how to update their system.
This isn't an entirely stupid thing to do - if someone is on a pay-per-minute dialup connection, they don't *want* to be automatically downloading hundreds of megabytes of updates. (Especially if a lot of those updates are to add stuff they don't need/want - i.e. DRM for Media Player, etc).
http://blog.nexusuk.org
From the article
"Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
No. They KINDA show that only Microsoft products are vulnerable when not patched.
For what it's worth, IMHO, I think that SOME of the home users that don't patch their installs of MSXP are afraid that MS is trying to slip in some software that would automagically inventory their MP3 collection, hacked software, etc and somehow "break" their computer. I think many people think of MS operating systems as a "deal with the devil". They really DON'T want to use Windows, but isn't that Linux thing for computer gurus and really hard to use? It's really hard to combat that kind of FUD. If it wasn't, a HUGE number of corporate users would be using a *nix based solution, if only to shrink desktop support staff.
As a networking professional, I can tell you that the constant rolling out of virus and OS patching to our user base DOES impact network traffic and "regular job" throughput, but the top brass sees this as a necessary evil. But of course my corporation has MS stock in its portfolio....
Did they also test to see how long a person would last in sub-zero temps without a jacket? Or how safe a 16 year old girl is walking through an inner city parking lot at 1am? Or how long a child can survive in the woods alone? This is the approach people need to take with their PC.
But in the end, none of the attacks were successful.
...
Windows Service Pack 1, or SP 1, however, was another story.
...
Microsoft responded that the tests prove that any operating system is vulnerable when not patched.
In reality it appears that the tests indicate that a windows box is vulnerable when not patched? (tho I'm sure had the test been run long enough, most/all of the unpatched boxes would have eventually been owned)
I work for the Department of Redundancy Department.
That's not surprising.
Anyway, that honeypot test that I am talking about put several older versions of Red Hat up, which I believe included Red Hat 7.3 (which, if I am not mistaken, was released around the same time as Windows XP was...)
In that test, the default installation, non-patched version of Red Hat 7.3 was secure for 6 months, before it was cracked with a brute force password crack. The Windows XP machines were cracked on average 6 minutes after being hooked up.
Perhaps you should look up that past Slashdot article, it has far more detail than what I recall and offer here.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Use something else, sheesh. If managing something like Fedora is too much for you I would suggest running something like Slackware. If you are running services you probably aren't using it for a workstation anyway so I could only assume from your vague post that you don't need all that convoluted package management to begin with.
You are about to give someone a piece of your mind, something which you can ill afford...
How long have cookies been a form of spyware?
This is from the end of the article.
Some forms of spyware:
Key loggers record keystrokes and then transmit credit card numbers and other sensitive information to identity thieves.
Cookies are used by online companies to track user preferences.
Adware causes annoying pop-up ads but often harvests information like spyware. The best way to know if your computer has spyware is to run an anti-spyware program.
> HELLO, Windows has something like 95+% marketshare. You don't think that factors just a teeny-weeny, tiny bit?
Let's see now..
Was Amiga OS ever popular to the point of having more than a 5% market share?
When it was popular, did it have internet connectivity?
I think few will disagree that the answer to both questions is no.
Despite this, there are thousands of viruses for Amiga OS, which also managed to propagate, and running a virus scanner was a really good idea when using Amiga OS.
This is not exactly the same as internet based attacks on Windows/Linux/MacOS machines of course, but it strongly suggests that the 'market share' argument is at the very least not entirely true.
What saddens me the most is that there's a new cry out there stating that we all have to either, buy more hardware and software and/or become more savvy administrators to connect safely to the internet.
The truth of the matter is that, yes, a reasonably safe-non-hackable OS can be created and sold to the masses. Heck, I can grab Mandrake Move and connect to the Internet and when I'm done browsing and reading my email from some on-line service turn the machine off and puff!! The system is clean as a whistle.
It appears we don't lack the resources, we lack the understanding.
- these are not the droids you are looking for -
I find that many Slashdotters are heartlessly callous towards end user needs and issues.
1. Filter all the comments up to 5
2. Print
3. Take to your favorite end user
Even if they can follow the thread of the conversation, ask them if they would know how to ACCOMPLISH the actual tasks and tips given in the posts.
And please, no jejune whining about how you're tired of having to give out free help. If you're not a part of the solution...
I have noticed that my cable provider will periodically scan for web servers running off of people's home connections. I suppose they do it because they say you can't run a web server in their TOS.
Never argue with an idiot. They will just bring you down to their level and beat you with experience.
You're confusing your markets.
At least here in the UK, and in some places elsewhere in Europe, there was a time when the Amiga was the most popular home computer. If you decided to stick a virus on some cracked game, and you decided to choose the games platform with a large market share, the Amiga would be the obvious choice.
Yes, overall, due to the vast number of PCs used in business, the market share was low, but the point is that the Amiga was a prime target for virus writers because of its market share in the home market. Meanwhile, the PC was also a target due to its dominance in business. No one cared about writing viruses for Macs, because it was dominant in neither.
Now we have a situation where Windows is dominant both in business and the home, so it's even more of a target.
I don't see what Internet connectivity has to do with it. Firstly the Amiga most certainly did have Internet connectivity, including "when it was popular", and I believe this was one method that viruses were distributed. Few people used Amigas with the Internet, but then few people used any home computer with the Internet, so obviously virus writers targeted other methods (eg, copied games on floppies).
Will Spybot, Adaware and a decent AV detect compromises? Especially botted machines? Is ZA enough to block bots?
Or is there something else that will do the job?
One thing I dislike about such articles is they discuss the problem without generally offering solutions.
How complete was the solution set offered at the end of the article?
I'm a consultant - I convert gibberish into cash-flow.
The article stated that MS will go on the offensive to 'get the facts out'.
Hey Steve Ballmer - why don't you get a good fucking product out the door then you wouldn't have to spend a coupla hundred million bucks spinning shit into gold, now would you?
Don't 'give me the facts' I know what the damn facts are. Just make Windows more secure. And here's a tip, Microsoft, just a thought....
Instead of carrying on about the animated 3D Video crushing interface in Longhorn THAT IS ALREADY 2 YEARS LATE....Why don't you spend that effort on making Windows more secure?
Or isn't that sexy enough for your PR guys. I swear you MS morons must go to sleep every night dreaming of new ways to be useless.
Exactly. And why do people even buy software based firewalls anymore. I've seen nothing but problems with Norton Firewall and McAfee than I care to rant about. I mean, when a user is constantly being bombarded with "Would you like program X to access the internet", it just gets confusing. So normally, they will say YES for fear it will block their internet access. Which BTW does happen.
For a better and easier solution, just get a hardware router/firewall that does SPI. If for some strange reason you have problems with it, just reboot it. With a software firewall, you have to find what you did wrong or be forced to reinstall it, which is a PITA altogether.
And last but not least. A Linksys Wireless-G router with SPI firewall costs just $10 more compared to Symantec Norton Personal Firewall 2005. It's a no brainer as to what is a better choice. Check prices on the links below.
http://www.newegg.com/app/viewproductdesc.asp?description=33-124-010&DEPA=1
http://www.bestbuy.com/site/olspage.jsp?id=1091099798939&skuId=6801785&type=product
Life is not for the lazy.
> You're confusing your markets.
I don't think so (living in the Netherlands myself, so that is continental Europe)
> At least here in the UK, and in some places elsewhere in Europe, there was a time when the Amiga was the most popular home computer.
No, it was for a little while the best selling machine meant as home computer, but even in 1991 when Commodore went bankrupt, the C64 was overall more popular still, and PCs had taken the 'new' market together with Apple.
> If you decided to stick a virus on some cracked game, and you decided to choose the games platform with a large market share, the Amiga would be the obvious choice.
For gaming it had a decent marketshare for sure, bigger than that of the PC in the late 80s.
What it had specifically is a substantial group of users that just popped in a disk and played a game without a clue about what went on underneath, quite similar to people using Windows machines right now.
I think that the whole problem is more related to how a machine can be used than how popular the machine is. Sure, it needs to be popular enough so that there are some around for spreading a virus, but beyond that it is more about how easy a virus can spread than how popular the platform is.
The same applies to hacking machines. The total amount of effort is what matters, and there are 2 major factors in that:
1. how easy is it to find a target
2. how easy is it to hack the found target.
The first is easier for Windows than other platforms, but only marginally. Automated scanning makes it extremely easy to locate Linux/MacOS/*BSD/whatever boxes out there.
This means that the major factor is 2. and 1. is only of minor importance. The Amiga argument was just there to point this out (since 1. was easy there as well, people would share with other Amiga users, so finding the next target was not something a virus writer had to worry about at all)
Running that on the few 5.3 systems I've had will put the mail in the send queue, sure, but it won't send it. Once you tailor the configs, it will work, but out of the box your mail just sits there in the queue until it expires. It's partially the config, and partially a bug (ahem, I mean "feature"), but it won't send. It may work if the machine is the MX for the recipient domain, haven't tried that (I would assume it would work), but it won't work if it's not, the sendmail with 5.3 has some nasty DNS issues (It will find the name of the MX for the domain, but won't resolve it).
I never did solve that issue, since I didn't need sendmail on any of the machines, so I found ssmtp.
--That's the point of being root, you can do anything you want, even if it's stupid.
Just to clarify further, sendmail in 4.x works out of the box for me, 5.3 does not, from base or from ports.
--That's the point of being root, you can do anything you want, even if it's stupid.
I'm still waiting for it to finish Doing It Right The First Time, you insensitive clod!
Just because nobody's written one for *nix yet doesn't mean nobody can. How about a virus/trojan called 'configure', or with a launching component called configure. Upload it to the right places (sourceforge CVS?) and give it the right description and hordes of admins will download it, su to root, run it and go out to lunch.
On saturdays some friends come over and we play hacker wargames, and I plan to use this method this weekend.
eBayDig 1s a typo saerch engien
Some Tuesday morning morsels for the troll:
NO ONE stops to think that there's just millions more Windows computers out there? Windows got the most attacks because there's MILLIONS more potential sources of attack.
The intelligent among us (based on your mindlessly pro-microsoft rant/troll, this excludes you) have long considered this.
Your assumption that large deployment and large marketshare are what drives attacks, and successful attacks in particular, is a myth that has been debunked long ago, by many, many people much more intelligent and knowledgeable than you've shown yourself to be.
IIS has a smaller webserver marketshare than Apache, yet IIS is subject to many, many more successful attacks than Apache. This proves the notion that wider deployment and ubiquitousness are what drive attacks, and not intrinsic vulnerabilities in the design, to be false.
As for the rest of your nonsensical "being more buggy and subjected to more attacks means we'll be more secure than those of you with secure systems today, because we've experienced more harm," that hardly deserves a response, except to say it bears an unsurprising resemblance to the religious notion that "Jesus will return someday and all you sinners will suffer" ... which is unprovable, of course, and could happen if certain mythical and unprovable assumptions turn out to be less mythical than reason would suggest, but in 2000 years of breathless expectation by those who do believe, has still failed to occur.
Windows could end up more secure than Mac OS X, Free/OpenBSD, and GNU/Linux, but I suspect the second coming of Christ will happen first, and I say that as an atheist.
Nice troll, though. It was fun pointing out your stupidity, and a pleasure to discuss once again how poorly designed Microsoft products are, and how absurd the pro-Microsoft arguments are in the face of cold, hard facts, and the inescapable reality that their products are by far the worst in terms of security and stability, have been so for more than fifteen years, and remain so despite years of promises to the contrary.
Indeed, Microsoft's incompetence in software design and OS design with respect to security and stability is only exceeded by the incompetence of its astroturfers in trying to convince the knowledgeable otherwise.
The Future of Human Evolution: Autonomy
We were bringing up a 2k3 server at my friend's house and we knew it was up when we got the sasser message. "Hey, it has connectivity....where's my CD?"
I hate sigs.
Hm... The updates for MediaPlayer are still the only patches that come up with WindowsUpdate every time I check for patches from my Win2K machine. As a matter of fact, the automatic updates install only the urgent patches anyway, and none of the "recommended".
That's probably just as well. I've seen WindowsUpdate decide to automatically update drivers and promptly break the machine.
Hmmm, I got "trolled" for this. Clearly I offended someone.
The point I was trying to make (badly apparently) was that there is this circular argument that pops up every time there is a study that shows Windows as "less secure" than another operating system.
The argument goes - "those other operating systems are only attacked less because there are less of them out there."
There are two points about that:
Firstly the argument should be taken to its logical conclusion: If security is all about market share then the number of successful attacks should represent market share. So do they? The original article stated 0 successful attacks against OS X. Now Apple's market share may be small but it is not 0.
Secondly, what if OS security actually is measurable by market share? I have not heard anyone seriously suggesting that OS X could even grab 10% market share. Therefore if it's true that OS security is tied to market share then you will probably always be 10 times better off with OS X.
The conclusion is that, regardless of whether it's about technical superiority or smaller market share, the competing operating systems are more secure than Windows.
Or at least, wrong in my case, on all counts. Trust me, I run enough things that would be fucked up if there was any sort of firewall and I hadn't completely configured it, I know that there's no firewall. I know what each and every process listed in the "Processes" list in the task manager does (and I have a third-party app to get more details, so trust me, I'm not being fooled).
My old ISP didn't block anything. My new ISP is the local campus residence server, and I have explicitly told them that I wanted to completely opt out of any ports being blocked (it was either completely opt out, or let them decide).
I don't download the updates automatically, so I just keep opting out of SP2. No matter how many times I say "do not notify me of this update again," Microsoft keeps trying to tell me what's good for me. I disagree, as you can tell.
Interestingly, I've seen Cain (too lazy to find the link, but if you're wondering what I'm talking about it shouldn't be hard) log what definitely look like a few attempts to get into my computer. With the passwords set how they are, though, it's been impossible, and the examples are just interesting little bits in the log, no actual threat.
I understand why you would call me insane . . . by the logic most people go by, and indeed by what happens to most people (I'm not going to claim I'm even close to an average example), it would seem like this. But, reality is matching up with my ideas. It's not insanity if things end up acting the way I think they do for me. Go ahead, be paranoid if you want to be; I won't even object to your assumptions, you may be right in most people's cases.
But, not in mine.
I remember sigs. Oh, a simpler time!
I really, really don't like that thing. That's the first thing I turned off, waaaay back.
No, I am not updated to SP2. I have updates on to tell me when they're available, but not to actually download them. See my reply to another comment a bit above.
And, haha, dial-up, it's been over half a decade since I had that. I don't have comcast, no, I had a higher-end aDSL for a long time, and at the moment I'm on broadband-on-steroids (i.e. university connection).
I should have elaborated, I guess. So, as I've elaborated here, your assumptions are completely incorrect. Furthermore, I do actually know for a fact that my modem on my old connection at home (it's an older aDSL modem--the newer ones might, actually, but I luckily got one before Telus switched over to the newer system) has no built-in firewall.
And you've hit upon the note I was trying to play with this. People are so very, very sure that without lockdown via extensive firewalling that boxes get taken over inevitably, so convinced that it's not possible to defend one's computer other than with these over-the-top methods, that you've convinced yourself of things that I know for a fact, to a very extensive degree, are not true. And you probably won't believe me. But my point isn't that any user can survive, sans firewalling. I'm far from a normal case -- when you say that there "are many people out there like you", you're confusing things. The problem is partially that there aren't. I don't mean to sound egotistical, but yeah, I'll concede, though it sounds conceited, that it takes a bit of knowledge to pull off what I've done. But no one is babysitting me (as noted in my comment linked to above, I specifically told my current "ISP" not to).
Security is not a matter of checking off a list of things you have to have set up. There is no single path to having a hassle-free box---just because I don't use the method you think I should most certainly does not mean my method doesn't work. It works for me quite well indeed.
Alright, I've replied enough to my replies, if anyone still thinks I must be actually unknowingly following conventions, or alternatively I'm actually hacked without me knowing it . . . well, they can just keep on believing that. Their assurity doesn't stop me from enjoying the reality they're so sure isn't possible!