Slashdot Mirror
Is Your OS Tough Enough?
LE UI Guy writes "A Denver Post article examines the Internet 'horrors' Windows, Mac and Linux users face simply being connected to the Internet with only an out-of-box configuration. Over the course of a single week the machines were scanned 46,255 times. The test didn't look into additional security threats caused by surfing the web or reading e-mail, just the connection itself."
If you build it, they will come.
Lorem ipsum dolor sit amet
This news isn't news. What's news is this news is in the news!
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm not that surprised, but Windows was the least secure. It should be noted that XP SP2 was installed and then the updates were applied "automatically" while none of the UNIX-ish systems had updates installed, just what came on the CDs. I know, competent admins can make any machine secure, but I wonder how MS can sleep at night knowing that their users are at such a high risk, even if they don't DO anything.
Look at all of the software and services running on a modern linux distro - FC3 for example. I have spent a great deal of time shutting off everything I really don't need and erasing piles of useless rpms installed by the distro (its 2005 - I don't need talk). Any software you don't use or services you do not need are just potential security holes.
Just because people can knock on every door doesn't mean that every door is as insecure as the next. You can knock on every door in a neighborhood, but some will be better constructed and have more secure locks. Still, none prevent one from knocking.
If they're only tracking ping/scan attempts, there is no reason to even include mac/linux in this.
These results mirror what I typically see on my workstation. I run a couple of websites on my workstation including our laboratory website, and my blog. Logs are monitored constantly with a nice tool called mkconsole that displays the logs transparently on my desktop. Several times a week, there is an attack. Most however are either scripted or fairly primitive, although last week there was a sophisticated attack that that bounced through a compromised Windows machine on campus. We tracked it back to an AOL user on the East coast and reported his IP address to the sysadmins. They sent an email back to me letting me know that they would follow it up. I've not heard anything else since, but in addition to using a more secure OS, one should also maintain a vigilance of your systems to help keep things under control and if you do use Windows, PLEASE keep it patched with recent security releases.
The truth is that if somebody really does want to get into your system, it can happen. In addition to using a secure OS and keeping the security updates current, securing physical access is your next line of defense.
Visit Jonesblog and say hello.
and count the seconds before it becomes a spam relay.
I don't think end users can be trusted to protect their computers. At a minimum, providers of Cable and DSL should make customers use modems with built-in NAT/firewall.
I got stuck in the self-checkout line at Walmart once, behind a lady who had this same problem.
"He who throws mud, loses ground." - proverb
Tell me I'm dreaming. Are these people really testing the old Mac OS X 10.2 (Jaguar)? And it withstood all atacks. Nice kitty.
TFA tells us that Windows XP SP2 is more secure than Windows XP SP1 (unbelievable!!) and that there are fewer attackers targeting Linux and MacOS than Windows (hmmm - I wonder why ?).
Very thought provoking and innovative information indeed.
And I quote:
Windows XP Service Pack 2
Attacks: 16
Results: Survived all attacks
Windows is *obviously* attacked more, simply because it is the most popular operating system. If I was a malicious coder, why would I want to spend time writing code that would only attack the 10% of computer users not running windows in the first place? It's simply more logical for those evil people to write software that attacks Windows... secure or not secure, it's going to be the primary target until it loses it's market dominance.
I was on a warez site last week looking for some serial numbers um.. i miss placed. anyway the amount of crap that was installed onto my win98se firefox box was incrediable. after uninstalling at least 4 pieces of spyware i had 860 odd errors in my registry.. lovely!
serenity now!
Imagine a reality show based on this...
"Coming up, we'll have Windows eat a big bowl of fried portscans!!!"
*circus music*
"And after the break, Linux will jump off of the gigantic Mount Exploit!"
*dark piano music*
(Reality check): It would probably fall off the air for requiring someone to think, though...
It is pitch black. You are likely to be eaten by a grue.
" But in the end, none of the attacks were successful."
So... Let's see how many people don't read the article and begin ranking on windows. Startttttinnnng NOW
Unpatched Windows: Bad.
Patched Windows, Mac, Linux: Good.
Point? We already hear how much worse security Windows has multiple times a day. This doesn't even say it outright...
The real thing I gained from the article is the fact that there are still an immense number of infected computers out there, and this brings me to the question: where? How many people could there possibly be out there whose computers are being run by various exploits? We already know that they're all thanks to people that suck at patching their machines, and I find that to be a much larger problem than the security of a fully patched OS.
webpage
So any resolution of this issue has to must be implemented on the OS side.
On that note, Windows is largely responsible for attacks on other operating systems--easily hacked Windows machines are what provides the cover for most blackhats, including those who are attacking Linux/BSD servers.
When things get complex, multiply by the complex conjugate.
Turn. Off. Unused. Services.
The most hilarious thing to me when someone gets hacked is looking at their box and a simple nmap shows every port under gods lcd monitor open.
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
From what I remember in Tron, this visually looks very cool. Digital warriors fighting on a neon grid, etc.
I'm pretty stumped, though. I tried to get my box pwned eight times, just to see the digital battle. I thought at the least Norton Antivirus would sent a digital probe destroyer bot out to eradicate the trojans. But all that happened was my computer got really slow, and pop-ups kept showing up, advertising herbal virility pills for men.
Come to think of it, Hollywood movies never seem to match up with what my computer does. That's it, I'm going to stop believing them movies and start reading Wikipedia instead.
"SP 1 is not a current operating system," said Sundwall. "It doesn't surprise me that it only took 18 minutes to get infected."
Ah, but would it have surprised him when it was still current? ISTR that back then, the time was a far more robust 20 minutes.
Registering accounts later than some other chrisb since 1997
Bet no attacks would bother a BeOS box! Seriously though, these tests are still pretty much bull. It's like leaving the keys in the ignition of an unlocked Lexus, in the bad part of town, then being shocked when someone takes it...
Face it, do something enough times, and it can cause problems.
According the article, no one was all that surprised Win XP SP 1 went down in 18 minutes. After all, it is not up to date... it is essentially an old OS, right? So this is expected, right? Old OSs should be broken into, right? And then we have OS X 10.2, aka, Jaguar. No successful attacks. Older OS, check. Not up to date with all the latest security features that are in Panther, check. And not one successful attack. One company makes on OS that still stands after two and a half years... one company makes an OS that only stands after a major major major patch and constant updates that sometimes break software. Now, which company's OS would I choose to build a secure network? Sure, it's a flawed argument, but still I think worth noting.
First of all, you should be behind a firewall that disallows incoming connections to almost everything. Even if you're not, FC3 has a kernel firewall enabled that blocks just about everything.
As for the packages, who cares if they're just sitting on your HD taking up space?
For a server machine "outside the wall" it's important to keep things as lean as possible. But for your desktop machine, who cares?
My other first post is car post.
OK, running P2P software is a slight hassle, but it isn't that hard to expose ports on a case-by-case basis. Certainly a lot simpler than fucking around with firewall softare.
Since a good firmware-based router costs less than a full suite of security software, this is a no-brainer.
Of course, it doesn't work with the "Spirit of the Internet" that says that every system on the net can provide services to or use services from any other system. But you know what? That "spirit" is long gone -- it only worked when the Internet was an academic toy.
"Honey pot" experiment shows unprotected Windows SP 1 at risk
Any version of Windows with any amount of service packs and/or updates is a scary thing to be online with. It's like having a grenade launcher in close-quarter combat. Boom.
Can be avoided by plugging in a hardware firewall that does NAT between the cable/DSL modem and any computers. Operating system be damned.
I've seen Linksys BEFW's go for $10 on E-Bay.
Or go whole hog and get the Motorola SURFboard SBG900, combination DOCSIS 2.0 cable modem/wireless-G AP/firewall.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Microsoft might have something with Windows Longhorn, since the entire API outside of the kernel will be written in C# completely sandboxed in a CLR, much like Java.
Combined with a monolithic auto-update system, Microsoft has no intentions of repeating the problems of Windows 2000/XP when they release Longhorn, much like they had no intention of repeating the problems of stability they had with Windows 95/98/ME when they designed Windows 2000/XP. For as much as they do, they mostly won with stability in 2000/XP, and they could win again, despite their market share, by sacrificing RAM (480MB commit charge, 1GB recommended) and processing power by implementing the .NET framework for their entire API.
I honestly hope open source has something to compete for their future desktop environments, or else desktop Linux could be relegated to processors too slow to deal with the overhead.
- - - - - Fear not the reaper, but my shiny white teeth.
From TFA: "Experts say spyware programs are also necessary for Windows users. Microsoft is offering a free beta version of its spyware program at www.microsoft.com/athome , and Webroot is offering its spyware program free to Colorado residents through April 15 at www.webroot.com Free spyware programs are available at www.download.com"
Of course Claria/Gator is also offering a free version of their spyware program, and it's not beta - it's an official, stable release, available to users from all over the world, and with no date limits!!
There are also other known spyware providers out there, all you have to do is to search the web for some pr0n and warez, and there you go.
Articulos para gente geek: Poleras, linux, libros y mas
Agreed, for instance, the default configs with FreeBSD 5.x are so secure, you can't even send mail from your own system. You can send between users, but that's it, no relays, no outbound of any kind. Of course, it would be nice if people who only need one element of sendmail (sending mail, not receiving it) would realize that a full-featured mailer daemon is overkill, and an invitation for problems. If all you need is something that can send alerts (like from your non-mail servers), use something like sSMTP, a sendmail workalike that can only send mail through your real mail server (even outside accounts, it can handle servers that require authentication). Don't blame sendmail for giving you a headache on 50 systems, when you should never have turned it on in the first place.
--That's the point of being root, you can do anything you want, even if it's stupid.
If you're gonna put your system on a direct connection to the internet, you should use a secure operating system. And implicitly, if you want that operating system to go more than 2 months between r007ings, you should lock it down.
Nothing us geeks don't already know. Anyway, I can belive 6 systems got attacked 40 thousand times in one week. I check my own system logs often enough, and there's usually some inbound packet on a disallowed port dropped every 10 to 40 minutes. Usually two or more attempts or blocks of attempts to login via ssh every day. Probably 10+ malformed GETs a day in the Apache logs. And this is my little residential gateway that gets about 4 legitimate hits to it's Apache server (which I'm not supposed to run) per day. That's about 250 attacks per week per server, or close to 1500 for 6. Take a website with non-trivial traffic, and it's easy to reach 40K/week. Since I'm pretty sure that DenverPost.com gets more than 25x my traffic, I'm suprised it was only 40K.
Other than saying that a lot of shit flies around the internet, the article was very skimpy on details. Not suprising, since an article that explains what a 'worm' and a 'virus' is is obviously not aimed at 1337 geeks. But it would have been nice to know what's installed on them.
For example, was it a full server install of Linux? (CUPS, httpd, ftpd, ntp, ssh, sendmail, etc?) Or just a minimal install with no server software installed a la home Windows? Quite a difference. How long would either of the Windows machines have lasted if they'd had Microsoft's server software installed too? Check secunia.com for Windows XP home, IIS 6, or SQL Server - It seems that ~1/4 of the known security holes in Microsoft's software are always unpatched. Contrast that with Apache, proftpd, Mysql 4, cups, OpenSSH, and Sendmail, which on Secunia currently share 10 vunerabilities between them all (9 of them 1/ or 2/5 for severity, and one 3). Of the 3 tested Linux OSes, Red Hat 9 has one not-critical vunerability listed.
It is certainly possible to make a Windows server or desktop reasonably secure, but compared to comparably securing a Linux server or desktop, would seem to require a monumental effort. And it's not just that Linux is more configurable - The FOSS community (judging by open holes) has done a far better job patching their software than MS.
Well, off to overdose on the Numa Numa Dance...
Most companies, however, chose to pay a Linux vendor in order to receive security patches.
My golden rule:
apt-get update
apt-get upgrade
Once a week. For free.
"And then I visited Wikipedia
first, I didn't RTFA, but I wanted to relate our exprience at a recent technology conference my employer hosted. The names of the guilty/innocent have been scrubed to keep this post from being moderated into Flamebait.
Part of the conference was a series of hands-on labs that we were hosting using loaner equipment from major manufactures. The network was provided my a major ISP through a national hotel (where this part of the conference was being held).
The labs were assembled by volunteers, and were pretty much infected beyond use with spyware and viruses within about 10 minutes of coming online. It was the worst thing I'd ever seen. We had 20+ people scrubbing the machines off-line for literally HOURS, only to have them reinfected once they came back online (now behind a firewall).
To compound the issue, we couldn't feasibly reimage the machines because the vendor donating them gave us at least 10 different models with 2-3 variations on each model.
In the end we threw in the towel, refunded people's money, and let the Mac lab (which remained unaffected) continue their presentations.
just my $.023233432322
I wouldn't say they get a "pass", but lets just be thankfull that Microsft finally got it right by turning the damn firewall on by default with SP2.
Excuse my ignorance about Macs, but does OSX 10.2 come with a firewall turned on by default?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Don't forget that their idea of being "attacked" included regular-old port scans and pings. Looks like they they just plum configured the network badly...
Or it means that RH9 wasn't logging portscans and pings... which, AFIK, it didn't do with any of the default firewalls. It is only newer distros that log potentially malicious traffic.
I drink to make other people interesting!
You are anonymous, and most likely you are attempting to troll. I probably should not have bitten but what can I say, it gave me the chance to rant a bit.
I run two Windows boxes behind a BSD router. To avoid the pain of having to change my natd.conf file every time I want to try a new P2P app, I simply forward large group of ports to each of my Windows boxes. Ports 5000-8999 go to one and 9009-12999 got to the other. No *Windows* services run on these ports, so I don't lose any sleep over it.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The point was to test the "Out of Box" experience. XP with SP2 what users get out of the box now. The firewall is on by default and the automatic update is the default selection.
SP2 was such a large step forward in terms of user security that I'm sure they sleep quite well. This is yet more proof that these three OSs are now on even footing in terms of security.
Check for open ports on your pc. https://www.grc.com/
Religious adherence to evolution? Are you trying to be Ironic?
Don't look now but.... http://devolab.cse.msu.edu/software/avida/
The evolutionaries are one step ahead of you!
One glitch was already mentioned, "Experts say spyware programs are also necessary for Windows users". I guess yeah, if you are a Windows user you are entitled to spyware soft and every virus out there but I don't think your help is really needed with installing it. Then, "Windows SP 1" and "Windows SP 2"... XP is mentioned only at the very end. Yes, it is obvious what Windows they are talking about but still, Windows is not the name, Windows XP is. Then, patching and builds. SP is just a service pack, there are security updates, patches, builds... Just saying "Windows XP" does not define what is actually installed on the machine. No details on atacks (except Windows SP1). On spyware, "Cookies are used by online companies to track user preferences". I hate when Ad-aware tells me that cookies are spyware but I understand the idea that it would not make sense to make a separate category for it. But an article?! IMO, lots of bull with conclusion that everybody except the author knew a while ago.
Story about the firewall not blocking Windows shares. I think Slashdot carried this story a long time ago as well. Do not get me wrong, the firewall and steps in SP2 are a nice step, but they simply are not enough at this point. Unless the user is actively involved, no default Windows setup will be enough.
Ok, I'm responding to an ac, but oh well -
Which OS is propagating the viruses/trojans/malware?
Windows.
Which OS does it infect?
Windows.
Yes, other oses were attacked - [by windows zombies] - but not compromised, in fact there are very limited examples of exploits propagating through other oses aside from windows [I can find 7 linux viruses, all of which do not propagate nor are effective to any measurable extent].
It is likely in the future that one may find a way to compromise a linux/mac in the same way, but that day has yet to come.
And that is why we question findings that windows is more secure than linux. It is GLARINGLY obvious that this is untrue to anyone sane.
ymmv
Microsoft's leadership position means that more viruses are written for Windows, said Silver, who estimates that 96 percent of all desktops and laptops worldwide used Windows at the end of 2004.
So Microsoft get's a pass on viruses because it is popular and has a lot of software written for it? And then those same people use the amount of software available for MS Windows as a reason why Windows is superior. You can't have it both ways: if you think Windows has an advantage because of a larger application base you have to include the malware applications like viruses and spyware as well.
You could wrongly argue that when Linux has a larger installed base it will have the same problems as MS Windows. But even if that were true, it's new popularity would mean that more commercial applications like Photoshop would be written for it also. The blade turns both ways for better and for worse, yet MS Windows apologists try to claim the best of both worlds.
501 Not Implemented
The article makes great mention of "attacks" but fails to mention what an "attack" actually consists of.
For example: they say Windows XP SP2 got attacked 16 times.
Does that mean it got port scanned 16 times? It can't as i'm sure it got port scanned many more times than that.
or
Does that mean it got infected 16 times? It can't because they said it survived all attacks.
So what on earth were these attacks?
Congratulations on your narrow minded, immature, emotional "M$ is the Devil" reaction. The reverse FUD is working....really. In the meantime, I'll just continue running a Windows network the way it should be run and not lose any sleep over it. So will most other business networks. And so will the workers who want to use the same thing at home that they use at work. All the talk about Windows being insecure out of the box for the home user is now past tense as of SP2. Soon enough, it'll be another outdated argument right up there with "Windows is unstable" and "What about backward compatability with DOS apps? They can't force users to upgrade!"
If the developers of other OSes want to battle with MS for market share, they should focus on developing the product and deliver all the new features that people feel is worth paying for the latest version of Windows. While they stand around shouting about a particular advantage, Microsoft is moving to take that away while creating many more advantages of their own.
-Lucas
Reread the post.
Only windows propagates the viruses, and only windows gets them.
No propagating virus etc has been written for *nix. Yet.
No matter your level of objectivity, the FACTS speak loudest.
ymmv
Did Windows 3.1 even have listening services by default? I recall having to add a separate TCP/IP stack, and being able to choose from several different vendors (which would bundle their daemons along with the stack).. I recall Chameleon, some FTP.com stuff, Trumpet Winsock...
It's hard to remote sploit something that isn't even listening....
Here's a useful link for securing Windows Systems: Black Viper.com
I'd recommend Snort or an IDS of some type. Sorting through the logs (pretty easy with some knowledge of them and sql commands) you could easy generate a count of a specific alert (port scans). I have a catch-all rule that looks for SYN packets and specify some specific ports as well.
The data collected was interesting, in that it did show that admins were way too lazy and complacent. However, the resolution of the information presented was too low to actually do anything useful.
This is much the same. It is interesting, it does show the perils of negligence, but there are way too many variables and unknowns for this to be actually useful in preventing attacks.
Did attacks vary with time? Did attackers fingerprint the OS' and then target Windows (explaining why there were fewer attacks on other systems) or did they target all machines equally but with attacks assuming a Windows OS?
How were attacks counted? By what measure was something deemed an attack, as opposed to something accidental or incidental? (Broadcasts happen, guys, especially on something like cable where you've a shared line.)
For that matter, was this using a shared line or something dedicated? What was the bandwidth used? Would the stats have differed, if there had been a greater capacity to handle the traffic?
Although we're told this just dealt with machines "connected to the Internet" and not going to websites, that is not strictly the case. The Windows boxes did auto-updates, which means that they had transmitted data. If it was a shared line, or if there was a hacked machine en-route, the Windows boxes would have been visible and identifiable as Windows machines. The Linux boxes, transmitting nothing, would be much stealthier and therefore only prone to genuinely random scans.
In consequence, what can we really conclude from this test? I would say nothing, unless it was re-run with Linux simulating calls to the Windows update system at Microsoft.
If we saw an explosion of attacks, as a result, then we can argue that it is not Windows that attracts the assaults but the patching mechanism.
There is a lot that COULD be learned, through rigorous controlled tests, but as this was neither rigorous nor controlled, I don't see that we learn anything other than the world isn't 100% safe. If the researchers didn't know that beforehand, I pity the researchers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"Free spyware programs are available at www.download.com"
:-)
While I agree that it might have been instructive to include, say, RedHat 7 in the lineup, security of original XP is still an important consideration. First, to hear MS at the time, XP-SP1 should have been more solid then and should be more solid now. But far more importantly, we see how vital it is to fully patch your XP system before connecting it to the internet. And where do I get those patches from? Oops...
The catch-22 is that time-to-infection is much shorter than time-to-patch for Windows XP, even with a contemporary internet connection. If you don't have SP2 media, and don't have some other means of (manually) acquiring the latest patches, you're dead in the water. Yes, there are workarounds; you can install some ice of your own before you connect, for that matter, but that obviates all the really neat security features of SP2 with a 3rd-party solution. "Not the solution he had in mind..."
Admittedly, part of this is due to the fact that Windows is "productized", i.e. you have a box containing Windows and you can add patches. With Linux operating systems I think there's a lot more sensitivity to versioning and awareness of granularity; you aren't working on this monolithic thing in need of repair but on a collection of components which can be individually upgraded. Partly psychological, yes, but you also have the advantage of simply leaving out "risky" components until you can get everything up to date. You can run a Linux OS with no services, nothing particularly visible except the interface you're downloading updates through. That's not an option with Windows.
"There are hundreds of game theorists at the gates, sir, and they want to hold an election!"
Because the majority of Windows boxes are run with Admin level privileges full time, by people who have a difficult time setting their microwave to the 'popcorn' setting. Does SP2 come slipstreamed in the box that I can buy at Walmart? Will the old 10.0 OS X be auto-hacked in 20 minutes? How many viruses does Windows support? How many does OS X?
Sure, new Dell-ightful computers will have SP2, some Norton thing, maybe some spyware removal stuff too. Why is everyone falling over themselves to pat MS on the back with the recent acquisitions of antivirus and antispyware software? Why not do it right to begin with?
I don't think MS is the Devil for making crappy, hole-filled software, or embracing and extending open protocols and formats, or using their market share to stifle competition, or pushing a DRM-laden vision, or patenting obvious things, or being a charter member in the BSA, or purposely breaking competing software, or EULAing their way out of responsibility, or creating Powerpoint; I think MS is an unfortunate sign of the times, and a giant bloated zombie corpseanimated by the devil. Why would I wait for new features in Windows, when I can use them 3-5 years before?
My post rambles, I am tired. Congrats on your happy Windows boxes; it's good to hear it can be done.
I have no firewall, or router. I'm running XP SP1. And I've never had a single problem (my virus scanner hasn't even had to do any work . . . and I have open shares, including an upload folder!).
By conventional logic, my box should be dead by now. Especially since I keep it on nearly 24/7, connected up to teh intarweb. Go ahead and say I'm just lucky, but I think that if you just have a computer reasonably configured, the over-the-top security that most people think is necessary . . . well, it isn't. I do update with security patches often, and that's about as far along as I go with conventional means of protection.
So what's the secret, then? I don't entirely know, I think it must be alot of little things combining. Partially, I think things aren't quite as horribly insecure as people think; just that when they are, and they often are by default, things go so horribly wrong that it colours one's perspective on the issue. The other thing is, I don't use any Microsoft products other than Windows itself, really. Third-party chat, Eudora for e-mail, Firefox and Opera for browsing, WordPerfect and OpenOffice for all the office-style needs, etc etc. True, that isn't at all what the original article is talking about, but I'm hardly the first to deviate from topic here.
I remember sigs. Oh, a simpler time!
The Morris Worm
1: Most windows users think its some kind of toy or fancy game console. no joke. Security to them is locking the front door if you know what I mean.
Some of these people time to time MIGHT see something on TV about viruses, but other then that, they have no idea about patches.
The flip side to that is the people the see the AOL tv ad's. I feel really sorry form them, and for us that have to fix there computer afterwords.
2: Most of the "UNIX" community respects one another, and doesn't want to trash someone else's box "just for the fun of it".
That and its a lot harder to "hack" it because there is a lot more of a diverse range of programs and version of those programs.
The attack might only work for one version, but there is only a small percentage of computers out there that even run that version.
I'm absolutely not surprised that up-to-date systems survive current attacks. I'd even expect that from the vendor/distributor.
/. readers that tell something different for Fedora). And I think you can safely do a default install on these systems and then pull your patches from the internet.
The behavior of a not exactly up-to-date system would give much more insight in the overall security of an operating system. The authors tested Windows XP SP1. But what about outdated Linux distributions?
My personal experience is that it is virtually impossible to install Windows XP today on a system that is connected to the internet. You don't even have the chance to install SP2 fast enough. The article confirms this with its SP1 experiment (it survived 18 minutes).
In contrast, I'd expect any of the Linux distributions to survive way longer unpatched than Windows does. The distros I've seen (SuSE, Gentoo) have turned any useless service off on a default install since years (I wonder about
A few, say, one or two year old Linux distros would have been a very interesting contrast to the authors SP1 experience.
Lucas,
That's great that you keep your Windows ship running rightly. I work in IT and we have a 1200 Workstation/30+ server/5 site Windows network with a few *nix boxes here and there. We do SUS, AV, deploy apps via group policy - the whole nine yards - a model windows shop if you ask me, but that doesn't take away from the fact that most Windows admins don't know a *damn* thing about computer/network security.
Let me ask you a question...do you run your computer as a local admin at work? A domain admin? Don't lie! I bet 90% of Windows admins happily run their boxes as domain admins at work. It's just too much trouble for them to shift-click and do a "run as" (or worse, they don't even *know about* "run as") when they want to open up ADUC.
Four years ago, our Exchange 5.5 server suddenly stopped responding. I went in to take a look and it was throwing all kinds of crazy error messages that I had never seen before. I did a virus scan on it and discovered that it was infected with the Klez virus.
Every executable on the machine (thousands of them) was infected. This was our f******g first in site Exchange server for Christ's sake! After hours of researching the virus, and scanning over and over again, I managed to clean the entire server. After getting it clean, tons of executables on the system that had been 'cleaned' were corrupted. I had to reinstall exchange 5.5. It was a nightmare.
Wanna guess how out first in site Exchange 5.5 server got infected with the Klez virus? Our f******g Exchange admin installed Outlook 97 on it and was using it to test out new email accounts while logged on as a domain admin account! Unf*****gbeleivable!!!! He had like 20 drives mapped while he was doing it, and he ended up infecting 3 other servers in the process.
After that I went to our boss, and told her what happened. I demanded that she make everyone who had privledged accounts create new accounts for themselves and start logging onto their machines as regular domain user accounts. After that I felt like the geeky hall monitor everyone hated, walking around asking my coworkers - you're not logged on as an admin are you? They ALL resisted this, but finally I got them to start practicing sane computing.
I've met MANY other windows admins that are the same way. They just don't understand security. We can thank the MCSE boot camps from the 90's for this. They turned out millions of monkeys, who now run many of our nations Windows networks.
The only way Microsoft can fix this is by putting the smack down on their users, and locking things up tight by default. They also need to make thing EASIER to do for the home user. As far as ease of use goes, they need MUCH more separation between their home/pro products.
As far as locking things down, they are starting to do the right thing with with XPSP2, and Server 2003. Another thing they have done that is excellent, is revise ALL of their official curriculum to where lab exercises are done while logged on as a regular user with the "Run as" command. Hopefully the MCSE monkeys from the 90's will slowly be weeded out, and things will get better on the corporate front. I am sent to Microosft training from time to time, and the oeverall security awareness of the people I train with has *slowly* gotten better over the last couple of years.
Anyhow, just because your network is clean doesn't take away from the fact that many corporate networks aren't and even more home Windows boxes aren't.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I agree that this is a secure thing. The problem is, nowhere does it tell a novice user that you should enable the firewall, connect to the net then, download patches, then you're secure
The problem with the security is not that the machine can never be made secure, but that it starts out as a terribly insecure product. This is a problem. Most users are out of the box users. They have no understanding, so they don't know about the firewal etc.. They're told by MS that for security they need to patch using windows update. The point above is that this isn't actually that secure, and while this is happening a compromise can take place.
The main issue here is the slack standards Microsoft use to get their products out the door, and their trade off of complexity to security. They are scared of treating their customers with intelligence, and educating them correctly about the actual process of securing and methods of attack (not necessarily at too technical a level) so good practices are used. For fear of confusing the users the XP SP1 firewall is off, and it's not the only software that has all the security off by default.
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
The OS may be securable, but it is not secure by default!. That is the problem, because most users don't do anything but the default (hence Explorer's 90% market share)
While that wasn't a serious post (or at least I hope not), I'll try and offer a true argument in this vein:
/usr.
Hula. YOu know it. You love it. It's installed on your PC right now. Did you audit the code? No. Did you install it as someone other than root? No.
You have it sitting there, since it's not packaged yet, as a daemon, which is running as root, in
Totally safe!
(Before we go further, this is true of any software package. Hula's just been popular lately and thus helps to underline the point more clearly. I do not believe Hula is evil spyware, nor that anyone involve with it is now, nor has been, a member of the communist party.)
Except if it where spyware it could have wrote over who-knows-what and now is sending each shell command and bit of network activity to whomever. And it's root. So we've now a root server running on port 80 which has not been audited. Thank God sendmail taught us all our lesson, right?
Linux is no safer than any other OS at the moment. Hell, if we look at the fact that strlcat/cpy have been turned down for inclusion multiple times to the GNU libc because it would be "slower" when preventing a buffer vuln, if anything it's getting worse, and will continue down that slope.
It's as if we've forgotten all we know, and we're ignoring those who try to remind us.
If normal users understood that direct connections to the net were bad, they'd all buy routers, they'd consider firewalls, probably ones configured to block all but MSN, E-mail and web access, and we'd live in a considerably more worm free world.
I think you are giving many users far too much credit. 90% of the cases where I have to deal with customers who have misconfigured their mail server as a spam relay, I get a response similar to "Yeah, I know that's really insecure and lets spammers use it, but it was [easier to set up]/[only going to be like that for a few weeks]/[not as if I was telling the spammers the open relay was there]" (delete as appropriate).
The point is that these people *knew* that what they were doing was really stupid, but were doing it anyway because they couldn't be bothered to be secure. Of course it always comes back to bite them in the ass when their server falls over with several million spams in the mail relay queue and a completely saturated ADSL connection.
http://blog.nexusuk.org
In the second, there are those who turned off (or had a "helpful" tech turn off) their automatic updates and have no idea how to update their system.
This isn't an entirely stupid thing to do - if someone is on a pay-per-minute dialup connection, they don't *want* to be automatically downloading hundreds of megabytes of updates. (Especially if a lot of those updates are to add stuff they don't need/want - i.e. DRM for Media Player, etc).
http://blog.nexusuk.org
From the article
"Microsoft responded that the tests prove that any operating system is vulnerable when not patched."
No. They KINDA show that only Microsoft products are vulnerable when not patched.
For what it's worth, IMHO, I think that SOME of the home users that don't patch their installs of MSXP are afraid that MS is trying to slip in some software that would automagically inventory thier MP3 collection, hacked software, etc and somehow "break" thier computer. I think many people think of MS operating systems as a "deal with the devil". They really DON'T want to use Windows, but isn't that Linux thing for computer gurus and really hard to use? It's really hard to combat that kind of FUD. If it wasn't, a HUGE number of corporate users would be using a *nix based solution, if only to shrink desktop support staff.
As a networking professional, I can tell you that the constant rolling out of virus and OS patching to our user base DOES impact network traffic and "regular job" throughput, but the top brass sees this as a necessary evil. But of course my corporation has MS stock in it's portfolio....
The article stated that MS will go on the offencive to 'get the facts out'.
Hey Steve Ballmer - why don't you get a good fucking product out the door then you wouldn't have to spend a coupla hundred million bucks spinning shit into gold, now would you?
Don't 'give me the facts' I know what the damn facts are. Just make Windows more secure. And here's a tip, Microsoft, just a thought....
Instead of carrying on about the animated 3D Video crushing interface in Longhorn THAT IS ALREADY 2 YEARS LATE....Why don't you spend that effort on making Windows more secure?
Or isn't that sexy enough for your PR guys. I swear you MS morons must go to sleep every night dreaming of new ways to be useless.