No Defense Against Windows Rootkits?
An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkit technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkit technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
This would be a resounding YES.
And Butler and Hoglund's recent book on rootkits was pretty nice.
fast as fast can be. you'll never catch me.
Because Windows has no root!
No, seriously, I don't know the answer to this. :-)
-Rob
Biblical fiscal responsibility
Who has the chops to run through 800,000,000 lines of code to do the fixing of this OS?
I mean even if you find the problem can you honestly say you'd be sure you wouldn't leave Notepad.exe broken by making your changes?
Clearly Windows needs to be completely rethought with NO concern for legacy apps. See also OS X.
This
Is the closed source code of Windows preventing us from actively defending our systems?
Yes. We are at the mercy of Microsoft to patch the systems for us. At least with Open Source you have potentially thousands of programmers looking for security holes and reporting those security problems.
Bradley Holt
Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.
Here's the link
What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.
Source is GPL, feedback is always welcome.
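The check described in the comment above (a hidden service still occupies its port even when it hides from netstat) can be demonstrated with a bind probe rather than a full self-handshake. This is an added example, not the GPL script the poster links to: it tries to bind a fresh socket to each port, treats EADDRINUSE as "something is camping here", and subtracts the listeners the OS admits to. The `visible` set, the two stand-in listeners and the scanned port range are constructed for the demo; in practice `visible` would be parsed from `netstat -ano` on the host under examination.

```python
import errno
import socket

# Windows reports WSAEADDRINUSE (10048); POSIX reports EADDRINUSE.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}


def port_in_use(port, proto="tcp", host="127.0.0.1"):
    """True if a fresh bind to host:port fails because the port is taken.

    Returns None when the bind is refused for lack of privilege (ports below
    1024 on a non-root POSIX host), since that tells us nothing about the port.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        s.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno in _IN_USE:
            return True
        if exc.errno == errno.EACCES:
            return None
        raise
    finally:
        s.close()


def find_hidden_listeners(ports, visible, proto="tcp"):
    """Ports that are occupied but absent from the OS-reported listener list.

    A port in this set is either a listener the host is hiding from its own
    tooling or a benign socket the listing did not cover (see the caveat in
    the usage note), so each hit still needs a second look from outside.
    """
    hidden = set()
    for port in ports:
        if port_in_use(port, proto) and port not in visible:
            hidden.add(port)
    return hidden


def demo():
    """Constructed scenario: one listener the OS 'reports', one it 'hides'."""
    hidden_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    hidden_sock.bind(("127.0.0.1", 0))          # ephemeral port, stand-in for a hidden listener
    hidden_sock.listen(1)
    hidden_port = hidden_sock.getsockname()[1]

    known_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    known_sock.bind(("127.0.0.1", 0))           # stand-in for a listener netstat does show
    known_sock.listen(1)
    known_port = known_sock.getsockname()[1]

    visible = {known_port}                      # constructed "netstat" output
    lo, hi = min(hidden_port, known_port), max(hidden_port, known_port)
    try:
        hidden = find_hidden_listeners(range(lo - 5, hi + 6), visible)
    finally:
        hidden_sock.close()
        known_sock.close()
    return hidden_port, known_port, hidden


if __name__ == "__main__":
    h, k, found = demo()
    print(f"hidden stand-in on {h}, visible stand-in on {k}, flagged: {sorted(found)}")
```

Two caveats a practitioner should keep in mind: sockets in TIME_WAIT and ordinary ephemeral client sockets also fail the bind, so the probe over-reports and every hit should be confirmed against the listener table; and a kernel-level rootkit that hooks the socket calls themselves can lie to this probe just as it lies to netstat, which is why the comment's other suggestion, inspecting the machine from a trusted boot medium, remains the stronger check.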
*Root*kit for Windows? What an oxymoron. Baaaawhahahahaha.
Short answer is Yes. The closed source of M$ *IS* preventing us from actively defending. AFAIK, M$ feels that they will get around to it or another company will step up to fill in the gap forcing us either way, to purchase yet another piece of software or the uber upgrade. Kinda like the insurance industry.
Joe Consumer: "Do I really need this?"
Co. Thug: "No, not at all. However, you never know when you may have an accident."
Your actions in life will determine your children's future.
I have a question for the Windows developers out there...
Does Microsoft ever share their code with developers?
While I am aware that MS does not legally publish their source code to Windows I do recall at one point that Microsoft did share some sections with a focus group of developers. It would only make sense that MS would share code with the big anti-virus firms in order to ensure a better product for their customers.
But I could be wrong about them sharing source with anyone.
Dedicated Cthulhu Cultist since 4523 BC.
RootkitRevealer is your friend.
This topic has been beaten to death a thousand and one times before but the reality still holds true: as long as a company holds the source of their software to their chest, you simply have to rely on them to provide the security for said software. By doing so you create the equivalent of a single point of failure that has to be addressed solely by the holding company, and as a result, you are subject to the "hurry up and wait" syndrome that accompanies it. That's when it comes back to "suck it up or don't use it," which carries all the arguments of "we don't have a choice" or "switching isn't an alternative for us."
This sig is six words long.
Let us not forget the wonders of ActiveX controls, not to mention IE's ability to install items without authentication. As far as that is concerned ANY installer should have to be authenticated as an ADMINISTRATOR before the install can proceed. I think this small step would curb many of the issues with spyware, adware, toolbars, etc.
has a "revealer" and a great write up
Sysinternals RootkitRevealer
Closed source is the problem? Maybe. Bad design is the problem? Definitely.
It's well known that the *nix operating system model is more secure by default, through good design. Now, having said that, any operating system (even Windows) can be made secure, but how much work does it take to overcome bad design?
Is the closed source code of Windows preventing us from actively defending our systems?
The right question is what is the vendor (Microsoft) doing about it. You purchased a product from a vendor, you should expect them to solve problems with that product or explain how to properly secure it, or just ignore the issue which says something about their product and commitment to support.
Strider GhostBuster, a Microsoft-developed technique for detecting all persistent and stealthy rootkits.
Just convince Microsoft to make it available.
There is also SysInternal's Rootkit Revealer, which although not quite as general, is still hard to fool.
Test your net with Netalyzr
If the API were opened up, not only would it have made it possible for someone to do a work-alike competitor to Gates's natural horizontal and vertical monopoly, it would have made open analysis of the potential security holes practical so that insurance companies could get into the business of software quality assurance -- which would have dramatically raised the quality of software professionals and computer security.
Seastead this.
After all, they launched their much-touted Secure Computing almost 4 years ago.
I guess that a complete redesign would be needed but that might break backward compatibility.
Of course, some of this might be addressed in Vista but that will leave a lot of older computers out in the cold.
Pain is merely failure leaving the body
I administer a network with about 50 workstations. We run Windows2000 with Symantec Anti-Virus Corporate (aka Norton). Symantec registered an internal attack by a root kit only two weeks ago. This stuff is in the wild now!
So we are left with two options:
a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public
b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
I mean, if by some wonder rootkit detection became too good (like some AV products that can list viruses/variants not in some sort of db), some governments/agencies/BOFHs can be seriously mad about it; after all, that sort of detection can prevent "wiretapping" a computer. (In a short range, when you know where the computer is, there are always other ways...)
YES!!!!!!! that is all...
If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
It's also really hard to detect, inform users about, and/or remove rootkits without the user knowing a bit about the inner workings of the system. In a "root/administrator" world, there's no guarantee that a rootkit can be detected anyway, because there's nothing a detection app can look at that a rootkit can't obscure, if it knows what the detection app will be looking for.
Windows has problems that make rootkits easier, but it's not because it's closed-source.
I work with spyware infected systems every day, and I have never found a "rootkit" on one. But there is some really nasty stuff out there. Lots of spyware installs itself as a service, but that is easy enough to get rid of, just use "msconfig". The trickier ones, however, install themselves as drivers. These require manual regedit hacking which is a major PITA.
The most effective method that I have found to get rid of spyware on an infected system, by the way, is to boot from a live Windows bootable CD to delete all the crappy spyware directories from c:\Program Files, then go into c:\windows and c:\windows\system32, sort the files by date, and delete the newest ones that look suspicious. Write these filenames down and remove them from the registry when you reboot.
The root of the problem may be the organizational structure of Microsoft. We have the mess that is/was longhorn/vista and the comments that it had to be re-written from the ground up.
The point made in the 'Cathedral and the Bazaar' may be coming to pass. It is impossible to manage very complex systems effectively. It is a question of distributed control vs. top down management. My favorite example is the Soviet Union vs. the US of A. A bureaucracy can't manage something as complex as a whole economy; maybe it can't manage something as complex as Windows.
The bottom line would seem to be that we will see a never-ending stream of problems like the one at hand.
www.catb.org/~esr/writings/cathedral-bazaar/cathe
www.uq.edu.au/news/index.html?article=6618
Isn't a rootkit easily detected by checksumming the system software against known-good sums? Put checks on normally unconnected (or read-only) medium, run checks periodically, done?
Please correct me if I got my facts wrong.
Is there any product for Windows like Bastille Linux that would help a user lock down any vulnerabilities in their system like file shares, unnecessary accounts, open ports, unnecessary services, IE settings, etc?
If not, there should be.
You can actively defend your system anyway. It takes time and money (e.g. self-made hardware firewall with parts bought from the tinfoil-hat store, if you want to be /. grade paranoid), but is doable.
1. Buy a Mac! and be a little bit paranoid about security.
2. Use Linux and be paranoid about security.
3. Buy a tinfoil hat.
4. Build a beowulf cluster of Linux enabled devices: an iPod, two toasters, one 'smart' fridge, and one spoon -anything runs Linux these days-.
5. Build your own OS!
Or you can keep on using Windows and trusting AV companies and its flawed model of "ok, we'll release the fix AFTER enough people have been screwed".
I don't think that the design of Windows, where changing an int to a float in the library that displays Clippy can crash MSN Messenger, would allow for easy fixes, regardless of closed or open source code.
Disclosure: I'm stupid
But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
http://www.sysinternals.com/Utilities/RootkitRevealer.html
The availability of the source code has nothing to do with it. Joe Beerbelly is not going to be looking at the source code of his operating system. You'd be lucky if he understands that a thing called an operating system exists and has something called source code associated with it.
If your solution is to fix it yourself, you've already lost. It needs to be fixed by the *official* software vendor so that the changes can be pushed automatically to all the Beerbellies and Flabbyasses out there.
And besides, even for those who can understand the source code, it's not like the changes required are simple. If you DO manage to understand the system enough to make some useful changes, a vendor will not just blindly accept them. They will themselves have to review the changes and completely understand them anyways. So why not do it themselves the first time? And to the person spending all that time doing the vendor's work for them, do you not have a life or a job or something?
"Is the closed source code of Windows preventing us from actively defending our systems?"
Huh? How does availability of source affect being able to check for root kits?
Please correct me if I got my facts wrong.
Microsoft has this too. While I agree with the argument that 'openness' is better for security patches, that's not a good argument..
---- Booth was a patriot ----
This may be slightly OT, but I don't see ANY reason why a closed source system that's this vulnerable should be allowed in any Medical/Governmental or Military implementation. Sure, lots of apps are written ABOVE the OS and thus in control of the branch maintaining them, but damnit, the OS is at the root of the problem here! Makes you understand why trains all across Europe are still kept track of (punny, eh?) by old Digital DECs running VMS or OpenVMS. The whole idea that mindshare of the mainframe is growing old and retiring is going to be an issue; Windows 2000 Server is not a replacement for something like VMS.
fak3r.com
What if we as a community just put a 12 month moratorium on backfilling MS crappy code and the crappy job they do designing and then maintaining it. What if we simply let it go to shit and let MS deal with the consequences. Sometimes I feel like an enabler for a crazy codependent cranked out asshole. What if we just said NO -it's your fundamental problem, you fix it. Maybe MS stock would go down, maybe not. Maybe some really important systems would fizzle up in flames. Who fucking cares? I say call them on their bluff and stop pretending that they're not sucking off OUR work and OUR integrity.
1. Get pair of scissors
2. Cut Ethernet Cable
3. Windows is now secure from attacks via the internet!
Oh, and don't forget to mention that you should run tripwire from a known-secure system (a Knoppix CD, for instance) at least once in a while. Indeed, if your system is infested by a good rootkit, it could hide itself so well that it would play back phony, made-to-look-innocent contents of any files that it had infected.
Same goes for lsmod, ps and other tools (it is however very rare that a rootkit is so thorough as to hide itself from all tools. Most often an rpm -q --verify -a finds the nasties). But if you're really paranoid, run your tripwire and rpm --verify from an external system, not from within the one you want to examine.
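The checksum-against-known-good-sums idea raised earlier in the thread, and the tripwire/`rpm --verify` advice just above, share one mechanism: hash every file under the system directories, keep the baseline on media the host cannot alter, and later diff the live tree against it from a trusted boot. This added example (not tripwire's or any vendor's code) implements that mechanism in a few functions; the file names, contents and the "compromise" it simulates in `demo()` are all constructed for the demo, and the JSON round-trip stands in for writing the baseline to read-only media.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a '/'-separated relative path) to its hash."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root, baseline):
    """Diff the live tree against a stored baseline.

    Must be run from a trusted system (live CD, offline mount): on the
    infected host a kernel rootkit can feed this function clean file contents.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name, digest in baseline.items()
            if name in current and current[name] != digest
        ),
    }


def demo():
    """Constructed scenario: snapshot a fake system tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"constructed kernel image")
        (root / "system32" / "drivers" / "tcpip.sys").write_bytes(b"constructed driver")
        (root / "notepad.exe").write_bytes(b"constructed notepad")

        # Baseline taken while the system is known-good; in real use this
        # JSON goes to write-once or unconnected media, not to the same disk.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated compromise: a patched driver, a new unknown driver, a deleted file.
        (root / "system32" / "drivers" / "tcpip.sys").write_bytes(b"constructed driver + hook")
        (root / "system32" / "drivers" / "unknown.sys").write_bytes(b"constructed dropped driver")
        (root / "notepad.exe").unlink()

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Timestamps are deliberately not used: malware routinely back-dates files, which is also why the "sort by date and delete the newest" approach mentioned earlier in the thread is weaker than a content hash. The baseline only proves anything if it was taken before the compromise and stored where the host cannot rewrite it, and the comparison only proves anything if it runs from a boot medium the suspect kernel is not part of.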
"the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."
"I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"
He wrote and distributed a rootkit for Windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibility for this?
I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
While this is an interesting proposal, my company (and many others) would come to a halt, so no paycheck for me since payroll won't run!
Is the closed source code of Windows preventing us from actively defending our systems?
No, it has nothing to do with source code, it has everything to do with people being morons who can't secure a Windows system. It's really not that hard, folks, pick up a book. Do you know how to secure a *nix box? You're halfway there! You use the same damn methodologies. God, why is this so hard for people to get? And people wonder why they're shipping IT jobs overseas. Let's see, we can get incompetent people for $30/hour, or incompetent people for $30/day. Hmmmmm...tough decision.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
From http://www.viruslist.com/en/analysis?pubid=168740859
Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.
This has been refuted time and again, yet the various Windows-friendly analysts continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source, but the open source Unices, which are fewer in number, SHOULD be an easier target.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
Pain is merely failure leaving the body
Is the closed source code of Windows preventing us from actively defending our systems?
Windows being closed source in no way prevents me from defending my system. I just insert my Gentoo install disk and reboot.
"It's well known that the *nix operating system model is more secure by default, through good design."
Is it the Windows design that is insecure, or the implementations? Of course, that begs the question if there actually _is_ a Windows design to speak of. Well, what is there in the APIs that Microsoft publishes that is necessarily insecure, and what is there in the Unix APIs that is necessarily insecure?
I can answer parts of the Unix side: the fact that software needs to be all-powerful to do a single privileged operation (such as binding to a port below 1024). Functions like tmpnam(3), which generate predictable filenames.
Things like the general lack of bounds checking (leading to buffer overflows) are implementation issues, and could be overcome by using better programming languages.
Please correct me if I got my facts wrong.
...Closed source also means that people have to take more time to find exploits. Closed source is good in that it takes longer to find exploits that people can use maliciously, but bad in that it takes longer for the exploits to be fixed. There's also the matter of updating everyone. You'll normally have at least one stubborn person that refuses to update their software, and then there's the people that expect auto-updates because they don't know how to do so manually.
In this world nothing is certain but death, taxes and flawed car analogies.
Hackers seem to have little trouble creating rootkits without access to the source. Maybe they do have access. I'm not sure. But people seem to have little trouble writing rootkit detectors either, once they've reverse engineered a rootkit to see how it works. But if one of Vista's DRM goals is to hinder reverse engineering, things could get a little more difficult, I don't know.
SecureWave, which uses a small kernel agent that uses a whitelist approach. Anything not allowed by the admin is dropped and considered deadware.
It's the only thing out there like that!
http://www.securewave.com/home.jsp
My browser was obscured perfectly, so that the headline for this story read No defense against Windows. I very nearly shit myself. I thought slashdot had been hacked, you know, by one of those Windows things.
http://hxdef.czweb.org/about.php
The problem is not well-outlined by that question. In fact, the addition of the idea of closed or open source has nothing to do with it. Is the lack of attention paid to rootkits the source of the problem? Is this just the problem of the month that will be solved soon and replaced by another, bigger problem? The open/closed source question is important, but really doesn't have anything to do with the issue at hand.
No.
you insensitive clod!
Ubuntu is an African word meaning 'I can't configure Debian'
No, I don't have time to deal with the source code for any OS, let alone figure out how to defend it against attacks. I suspect the vast majority of “us” don't have time for it either.
Open Sauce zealots can look elsewhere for emotional support.
Thanks! I wonder if there's any good guide to fighting rootkits out there. (Apart from, of course, the above suggestions.) The idea seemed particularly scary to me, since it's not just a malicious program being installed---you can't even trust your own system. Brrr.
Laws do not persuade just because they threaten. --Seneca
That design being ?
Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story.
On the server-side - and particularly the non-Windows server side - the single biggest vulnerability and attack vector - the user(s) - have a substantially different profile.
Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
Sure, if you ignore the long, glorious history of unix exploits (BIND, Sendmail ? I'm looking at you), that's true.
Not to mention the significant factor the user demographic plays in the equation. A seasoned unix user is inherently less vulnerable than the average desktop Windows PC user.
This is before even getting to the simple fact that unix has had 20 years more to harden itself from attackers.
If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source, but the open source Unices, which are fewer in number, SHOULD be an easier target.
Targets are not only chosen because they're easy, but also because they're useful.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
Their relative prevalence is fundamental to the discussion - not only from a simple statistical perspective, but also because of the other factors that correlate with prevalence. To say platform prevalence is irrelevant ignores not only common sense, but mathematical fact.
Either that, or start publicly executing the rootkit authors when you find them. I'm good for either of these ideas.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Does this question really need to be asked any longer?
Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?
I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.
Britain has the same problem, by the way:
Also see The Register which quotes an upbeat Armed Forces Minister:
Perhaps the Minister can now explain why his desktop PC doesn't even run properly.
Les Hatton gives his opinion at IT Week:
you had me at #!
Stop downloading pirated software and you will have done virtually everything you need to do to actively defend your computer from root kits!
Security is a process and UNIX people traditionally knew what they were doing, if you suddenly have a bunch of clueless clickmonkeys (AKA Windows admins) adopting *nix we will see increased virus and worm activity. Fear!
The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.
Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when have this pointed out to them, go "Oh I never read that, it just keeps popping up".
The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".
So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
How many people can read hex if only you and dead people can read hex?
If Microsoft stopped employing dumbshits, then maybe these problems wouldn't exist. Supposedly in Vista they're removing a majority of the legacy code, though I highly doubt any computer system running Windows could ever be called "secure", unless the user isn't an "average" user.
Let's put it this way. I run an anti-virus program, three forms of spyware/adware removal, and a firewall, yet I still get problems from shit getting installed on my system that I didn't specifically click the "yes" button, because stuff hijacks its way in when I install other programs. I'm not talkin' bout the "click yes to install bonzai buddy and lose all your personal information!!!11one!" things, either. I mean stuff that literally appeared without my knowledge. At this rate, when Vista comes out, I'm dropping money on something else. I could save 300 dollars, buy better hardware, and make a linux box and pray my games will run in the whatever windows emulators are out there.
Anyway, the rootkit problem isn't getting solved.
I forget who said it, but this axiom remains true: "The only safe computer is one not connected to the internet."
I got infected with a rootkit, and man was it a pain to get rid of it! The main problem for me was that Windows was not a modular system that I could boot in pieces and that there was no useful boot log, etc. In other words, the problem is that Windows is essentially a black box, and so it was very hard for me to make an intelligent decision on how to defend the system. Obviously something starts the rootkit, but WHAT? There are so many entry points, and they are so thoroughly black-boxed, undocumented (from a power user's perspective), non-logged, etc., that I think the answer to the question is yes.
Is the closed source code of Windows preventing us from actively defending our systems?
Yes, most definitely. If it was open source, it would be more modularized and I could better understand the boot sequence and various entry points. In my experience, main open source projects are documented far better than many closed source software packages. Some closed source vendors even go so far as to withhold documentation (*ahem*Adobe*ahem*).
> ..it is easier for the "bad" guys to find the security holes in open source
> software.
Is it? I wonder if this isn't a case where we don't look for proof because we've assumed we know the answer. Certainly, with open source, you can examine the source. But examining complex kernel source code is no trivial task. Given the large amount of practice and study on methods of hacking closed source systems, isn't it possible that having the source doesn't really make it easier after all? That it just offers a method not available on closed source systems?
Sorry, but you're just plain wrong.
"This has been refuted time and again..."
Really? Got an example?
Try this one on for size: Firefox didn't have any security issues until it started becoming popular. The Mac had a few recently too.
Windows SERVERS are not the common target of these root-kits, the DESKTOP is because it IS the most popular.
If Joe Beerbelly used Linux on the desktop, you'd have to take away his ability to install programs to protect him. How useable is the system at that point?
"If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source, but the open source Unices, which are fewer in number, SHOULD be an easier target."
Hogwash. Why would I target a system that has fewer installs? I need an army of machines to get my spam out or to propagate my virus. *nix can't provide that right now.
I'm not saying that *nix is no good, but the logic that it is a smaller target therefore relatively unchallenged holds true.
Most Windows users I know wouldn't know how to tell other users are on the system in the first place, so a rootkit isn't even necessary. You just need the exploitable code to not take over too much system resources or bandwidth, which are the only clues most users will spot.
Even a noob in the unix world would use something like "w" at a command prompt to gain some basic knowledge of a user being connected in.
Back in the days when our company still had Windows servers it was a nightmare of patching, re-installing, retrieving backups, getting rid of viruses, chasing hackers, spending hours on the phone on Windows insecurity related service calls, etc. etc.
The easy job I have today I largely owe to Linux. The switch turned out the best decision our company has ever made and, especially in terms of security, has paid off many times already.
Does not knowing what's inside the Pentagon prevent American troops from defending our country?
I've had to deal with a highly infested Windows system a few times. There are a lot of ways to deal with it; my favorite is reformat and hand them Mepis (or another easy distro) but some people can't handle that. I had one system in particular I couldn't completely clean up; I had logged in in safe mode and cleaned, but there was still something (with no services or processes I could see running) going on. So I grabbed this Rootkit Revealer and it found my problems. It was a cinch to log in under DOS and get rid of the problems (although in retrospect I could have used Knoppix or another LiveCD).
So there are good Windows rootkit revealers, you just have to look for them.
Before, the solution to all problems on Windows was antivirus. Then, when spyware came, you needed antispyware. Now, you also need a rootkit detector (which can be fooled pretty easily). The only way to be sure to find a rootkit is to read the hard disk from a trusted system. Couple this with Vista, which is alleged to have an encrypted disk because of DRM, and you have a heck of a hard time cleaning your computer.
The problem is that DRM only solves a small part of all things malicious, not everything. It doesn't defend against bad applications and all programming errors.
HTTP/1.1 400
Most people run Windows as Administrator. Why is that?
Because a lot of applications WON'T WORK if they're run as normal users. Why is that?
Because the Windows mindset comes from DOS, where there were no restrictions on what an application could do. Anything could put something anywhere it wanted to. So the developers got used to being able to do that.
Suddenly here comes Windows, and suddenly your application can't save settings to the INI file in C:\WINDOWS anymore, because it doesn't have write access to that directory.
The correct thing is to get an upgrade for the app. But you can make it work by just running as an administrator. So they do. And Microsoft is complicit in this by not putting enough pressure on the application developers to fix their apps to not require administrator access.
Does the closed-source nature prevent people from defending against this? Not really. If everyone ran as root in their Linux systems all the time, there would be just as many exploits for Linux.
Windows is a closed source system. Yet crackers are still able to create malware which lodges itself in the deepest depths of the system. I'm not aware of the cracker community having signed an NDA with Microsoft. If the crackers can create rootkits using publicly available information and the fruits of their own research, then companies like Symantec and NAI, both of which almost definitely have privileged access to the Windows source code, should be more than capable of defending against these attacks. The number one reason why we see so many attacks on Windows systems is that there are so many of them out there. Very few are properly secured or run by someone who knows the first thing about how to avoid getting hacked. Most Windows systems are run by people for whom computer technology is indistinguishable from magic. Windows therefore represents a cornucopia of low hanging fruit for crackers, ripe for the picking. It would be shockingly amazing if Windows WASN'T the primary focus of their attacks.
Pointing out the popularity of Windows with crackers as further "proof" of closed source software being inherently broken only makes the open source community look bad. Open source has a lot going for it. There is no need to make claims such as this one which are highly questionable on the surface and do not stand up to deeper scrutiny.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
"That design being ?"
For one, better user accounts and software that doesn't require root access to run (Windows is just getting there now). For another, better separation of executables making it very easy to lock out system binaries while still giving access to applications (sbin and bin). Let's not forget that with XP Home, Windows still defaults everyone to being an administrator. I think even Pro does that for the first user created.
"On the server-side - and particularly the non-Windows server side - the single biggest vulnerability and attack vector - the user(s) - have a substantially different profile."
Maybe, but we're not always talking about social engineering. There are plenty of real software vulnerabilities. Social engineering must be dealt with by proper training.
"This is before even getting to the simple fact that unix has had 20 years more to harden itself from attackers."
Are you conceding that Unix is more secure, but using this as an excuse? Even if it's a valid excuse, it still means Unix is more secure, which is all that's important.
"Targets are not only chosen because they're easy, but also because they're useful."
I'd say that huge databases of credit card numbers and other personal information are very useful. I reckon that Unix servers are probably the most useful to break into since they're run by banks and the government as well as large corporations. Some turd's desktop is ok at sending spam, but the big hackers would be after the big servers.
The global economy is a great thing until you feel it locally.
Will ReactOS save us?
http://www.reactos.org/
http://test.reactos.org/
If /dev/kmem is writable, dropping CAP_SYS_MODULE only makes it a little more difficult to load a rootkit. I know X needs /dev/mem to be writable, but I'm not sure about /dev/kmem.
The living have better things to do than to continue hating the dead.
Find these badAsses.. ....problem solved....
mobilize a big mob to chase him and his cronies..
catch them..
beat the crap out of them...
then find those lawyers trying to defend them..
and beat the crap out of them...
I believe people will anyway -- they'll just learn that they have to wait a moment before they can click 'OK'... they still won't think. Maybe most of them never will.
Absolutely NOT. Actually it helped me a lot to defend it. Actively! By switching to open source.
"question: Is the closed source code of Windows preventing us from actively defending our systems?"
Of course not! Nothing MS and Co has done, so far, can stop you from running [LU]nix or Mac OSX!!
This should read: "No defence against rootkits"
The implication that the open nature of other kernels gives us any sort of real defence is pure fantasy.
- Every practical OS kernel allows, in some security state, for the kernel to be modified on disk. This is required to update your kernel. If you can update your kernel, you can install a rootkit. Simple as that.
- Any malicious kernel can hide its effects from userspace apps.
No OS I've encountered to date can reasonably defend against this in software. In hardware, you can use read-only media to prevent the first condition, and a TPM to prevent the second (but I'm sure everyone will tell me how 'evil' TPMs are since the threat of DRM is more important than detecting rootkits).
I've kinda made up a half-assed workaround to keep your systems semi-secure. The only problem is you need a few hubs and a couple of routers. Test systems on one router, your more-commonly used systems on the other router. Download programs, install to test machine, see what happens, if nothing, transfer install program to your more-commonly used computers. Yes, it'll take up more of your precious time and of course resources, but it's a small price to pay for security when you're running Windows.
Of course you can always do things like total lockdown of your system by making certain files read-only and password-protecting access to those files (to prevent some automated script from doing an auto attrib (filename).(extension) -r -a -h to modify the file), and then only allowing access to these files when you're sure the program you're using is "safe" (by Microsoft's definition of safe, anyways.)
And if all else fails, since everyone's going after NT 5+ nowadays, why not move backwards to a less-often attacked OS? Read my most recent journal to see what I mean (plus you'll get a semi-decent speed comparison with older hardware/OS compared to newer hardware/OS. You probably won't be surprised at the results, but hey, it's worth a small read, and might provide some inspiration for your future systems.)
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
..... My other computer is YOUR computer.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
If you want to know more about the topic of rootkit detection, please see Phrack Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14. http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
Imagine a windows shop where:
All systems network-booted.
All writable media was on trusted servers, except maybe a floppy or writeable CD.
For speed, local copies of common unchanging files, i.e. 90% of MS-Windows and 90% of "c:\program files", were kept on read-only media such as a HD with the write line disabled or a flash card plugged into a r/o reader.
The network boot ties down configuration to a given machine and allows patching from a trusted source.
The local ro hard disk or flash gives you fast booting.
If a client is compromised, reboot, with speeds approaching a purely local reboot.
Every time the cumulative size of the patches gets too big, re-image the hard drives or flash media.
Now, you better watch your server very carefully and make sure there are no unauthorized boot servers.
What will this take on the client end that's not common today:
- read-only media
- a layered file system
- memory for ramdisk for volatile files you don't care to save on the server
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
The well thought out answer is that no, it isn't. But it does make us dependent on MS to protect us.
Which is exactly how I suspect MS wants it to be.
translation:
" I 'know' about computers as long as they run window$ but Mr. Gates just isn't serving me properly -- I don't *wanna* learn to use a real operating system, I spent years learning window$!!! OMG not the CLI!!!! Pleeeeeease, I'll paaaaaaaaayyyy! Can someone please help? waaaaaaaaaaaaaaaaah!"
Hang on, when I'm at home i am ADMINISTRATOR of my PC.
I have always found it extremely annoying that Windows allows you to set a flag that makes your process invisible to the process table. Gee, I can't see what's running so I have no clue as to what's running. What SFB thought that up? (I know, it was the guy that likes to spy on what you are doing while you are working.)
How do you get around the stuff that likes root to be r-w, like /etc/mtab? I know it's frequently suggested to replace this with a symlink to /proc/mounts, but I also understand that some software doesn't like this. There is also some other stuff that likes to write into /etc, like /etc/dhcpcd/dhcpcd-eth0.info.
The living have better things to do than to continue hating the dead.
rootkit revealer.
Is the closed source code of Windows preventing us from actively defending our systems?
Well, it's preventing US since we don't have the source code... but it's also not our job to fix Windows code. It's Microsoft's job, and that's what they get paid to do.
There is a common solution for computer security (not realistic)
- Install any OS
- Store in a concrete barracks
- Get Armed security
- DO NOT connect to the internet
SOLVED!!! (sarcasm)
-- Brought to you by Carl's JR
A fun read....
http://blogs.msdn.com/jeremyk/archive/2004/07/19/187696.aspx/
It's about an MSFT engineer tracking down a problem caused by a bug in a root kit.
The main problem when trying to get rid of or detect rootkits on Windows XP/Server 2003 is that the "Safe Mode" is not at all safe.
By the time the system has booted far enough to get into "Safe Mode" it's already loaded so many DLL's, including the obfuscating rootkit ones, that there's no way of accessing the filesystem to see the malware.
Now, if Microsoft had added a single-tasking, statically linked command line emergency system which would allow you to just manipulate an NTFS filesystem this would be the greatest step forward in rootkit/malware removal.
Alternatively, "Safe Mode" should load only those DLL's which are hard coded into the kernel to load, along with signatures and checksums to make sure (as much as you can) that those files haven't been tampered with.
As it is, the only way I've found of de-rootkitting a machine is using Knoppix 3.6 and captive-NTFS!
Agrajag: "Oh no, not again!"
Cisco Security Agent - CSA builds profiles of what programs/people do. When people do something they don't normally do, CSA stops them.
ie. Man walks into office every day, uses office, outlook, and web browses. Man web browses website, website tries to exploit IE vulnerability buffer overflow. CSA sees the browser trying to execute 'out of boundary' code and kills it. CSA does a WONDERFUL job of this. Being a Cisco product though, it isn't cheap. Then again, worms are never cheap either.
many linux 'distros' require kernel recompiles not to support the printer 'driver' but to support some obscure sub library that the printer drivers depend on and wasn't included in your xyzpdq flavor of linux for various obtuse reasons (The main dev had bad haddock for lunch and didn't like including libraries starting with letter h)
in the real, actual world, setting up printing on most flavors of linux is a pain in the butt. there are a few that do it well but they are just that, a few. anyone who says otherwise is either suffering from 'it worked for me, therefore it works for everyone' disease, or they are just zealots who are in it for an argument not to actually help computers get better for humanity.
At the risk of sounding trollish, I think it's kind of naive to expect Windows to be secured. I've been watching MS since the Windows 3.1 days, and I've never seen any improvement in regard to security. Sure, Microsoft talks a lot about it when their customers talk about it, but they don't actually do much toward that end. Why people still expect such a fundamentally flawed OS to be secure real soon now is beyond me. If Microsoft hasn't produced a secure OS in 20 years of business, what makes you think they're going to change now?
And honestly, I don't blame them. Windows was designed to put multimedia on the desktop, and turn the PC into a consumer-class appliance. And toward that end, Microsoft has been very successful. They know how to do the ease-of-use and multimedia stuff. Security isn't their strong suit. So what?
You probably know the saying about using tools for the purpose they were designed. If Windows is a tool, it was designed for games, not security, so don't expect it. If you want security, run Linux or UNIX, or perhaps an IBM mainframe. But don't install Windows on your machine and then start whining about how insecure it is. If your box gets owned, well, you've got only yourself to blame, because you knew Windows was insecure when you installed it.
If you must run Windows, just accept the fact that you're going to have to format and reinstall every year or so. This is what the rest of the world does, but here on ./, there's this expectation that computers can run forever without crashing. That might have been true when the mainframes and UNIXes were king, but now, for the average person, insecure systems are a fact of life.
The society for a thought-free internet welcomes you.
You can use a live CD like Knoppix to boot and examine your system for greeblies. This applies to both Windows (( clamav )) and Unix (( chkrootkit )) issues. Note that doing an exhaustive search of a large filesystem can take hours. If you're more worried about uptime than security, then take an image of your disks and do the checks on a different box. (External 5" USB drives are really good for this).
Free Software: Like love, it grows best when given away.
Why would MS make that available?
Wouldn't they rather make DRM available, and promote that as the preferred "treatment"?
Step 1
"Users can't be trusted to not run the wrong programs, so let's 'protect' them from themselves"
Step 2
"Users can't be trusted to not run the wrong programs, so let's 'protect' us and our friends from them"
After all, Windows really isn't less secure than Linux. They're both in the same _class_ of security.
I daresay the same "download and run everything" users given a "Desktop Linux" would do the equivalent of switching to root to install a "Kournikova screensaver".
Seeing that so many windows users actually entered a password to unlock zipfiles and then ran the trojan executables in them, it can't be difficult to get these bunch to run su -; perl trojan.jpg (where trojan.jpg is a perl script) or even "./configure; make install".
So one way to protect these people from themselves is "Trusted Computing" (see Step 1).
I'm sorry, but anyone thinking that just running tripwire is going to save your butt is very sadly mistaken. Yes, tripwire will help. But it is not a silver bullet. There IS no single silver bullet.
The problem with tripwire is that it is easy to overlook spots, most notably, directories which change often (E.g. logfile, lockfile and spool directories).
Once an attacker has root, s/he can install their binaries in one of these directories and it is highly likely that tripwire has been configured to overlook it.
All of the publicly available standard tripwire config files that I have seen have this problem with them. The alternative is to constantly deal with lots and lots of output, which kind of defeats the purpose of tripwire.
Instead, you should combine tripwire with other tools to scan the weak areas. Just looking for setuid root files in odd places (via /bin/find) can go a long way. Replace /bin/find with a static version on a CD-ROM if you like.
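A scanner for exactly the "weak areas" this comment names, added here as an example (it is not the commenter's script and not part of tripwire): it walks the directories that stock integrity policies tend to leave unmonitored and reports only files carrying the setuid or setgid bit, so the output stays small enough to actually read. The directory list in NOISY_DIRS is an assumption, and the tree built by build_sample_tree() is constructed sample data for the demo.

```python
"""Find set-id files in directories an integrity checker usually ignores.

Added example accompanying the tripwire discussion above; the list of
"noisy" directories is an assumption, not taken from any tripwire policy.
Like the comment suggests, run it from a known-good static toolchain on
read-only media when you suspect the host itself.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterable, List, Tuple

# Assumed set of frequently-changing directories that stock policies commonly
# exclude; adjust to whatever your own policy file leaves out.
NOISY_DIRS = ("/var/log", "/var/lock", "/var/run", "/var/spool", "/tmp", "/var/tmp")


def find_setid_files(roots: Iterable[str], root_owned_only: bool = False) -> List[Tuple[str, int, int]]:
    """Return (path, permission bits, owner uid) for every regular file under
    the given roots that has the setuid or setgid bit set.

    Symlinks are stat'ed with lstat and skipped, so a link pointing at a
    legitimate set-id binary elsewhere does not produce a hit. Missing roots
    and files that vanish mid-walk (normal in spool directories) are ignored.
    """
    hits: List[Tuple[str, int, int]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                if root_owned_only and st.st_uid != 0:
                    continue
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree: a rotated log and a lockfile (both harmless)
    plus an empty dotfile planted in a spool directory with mode 4755."""
    base = tempfile.mkdtemp(prefix="setid_demo_")
    os.makedirs(os.path.join(base, "log"))
    os.makedirs(os.path.join(base, "spool", "cron"))
    with open(os.path.join(base, "log", "messages.1"), "w") as f:
        f.write("constructed log line\n")
    open(os.path.join(base, "spool", "cron", ".lock"), "w").close()
    planted = os.path.join(base, "spool", "cron", ".cache")  # constructed name
    open(planted, "w").close()
    os.chmod(planted, 0o4755)  # the only set-id file in the tree
    return base


def demo() -> List[Tuple[str, int]]:
    """Scan the constructed tree and return (relative path, mode) hits."""
    base = build_sample_tree()
    try:
        return [(os.path.relpath(p, base), mode) for p, mode, _uid in find_setid_files([base])]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("demo tree hits:", demo())
    for path, mode, uid in find_setid_files(NOISY_DIRS, root_owned_only=True):
        print(f"{mode:04o} uid={uid} {path}")
```

The real run at the bottom restricts itself to root-owned files, which is the case the comment cares about; the demo cannot, because a temp file it creates is owned by the current user. Pairing this with tripwire covers the gap the comment describes without flooding you with every changed logfile.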
When was the last time anyone in the FOSS world actually wrote a patch to protect against a known rootkit? Hmm? I'm waiting... The fact of the matter is that the security (while it will never be perfect for ANY OS) in FOSS software/OSes is much better than in the Windows world. Protections aren't written as a reaction to a known problem, they are written before it becomes a problem. Yes, that even means things like the recent Firefox revelations. There are no known exploits, just holes that could be used to exploit. In the Windows world, more often than not, there are several exploits utilizing a hole before it's patched. If they were to change their development model to FOSS, a lot of those holes would get cleaned up faster. End of story.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Well, since you can't spell G-O-O-G-L-E, try this:
http://www.securityfocus.com/columnists/188
Jeez, Mr. Troll, if anyone is washing in Hog water, it's you. Unix machines ARE the army of the Internet and have been since its inception. So, for the sake of efficient distribution of malware, Unix machines should have been the logical target.
Of course, it would be double duty to write viruses for Windows but find a way to distribute them by way of Unix, but, oh wait, this has been done by E-MAIL!!
Pain is merely failure leaving the body
1. Open up the Security Center applet in the Control Panel.
2. In the left margin of the Security Center window, click the "Change the way Security Center alerts me" link.
3. In the window that appears, uncheck the alerts you don't want to see (Firewall, Automatic Updates, Anti-Virus) and click OK.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
...it really isn't as effective as it could or should be
Does Microsoft over share their code with developers?
I'd say they "under share" if you ask me. My employer has a fairly close relationship with Microsoft and to my knowledge no one in our company is privy to the source code to any of Microsoft's OS.
The "Shared source initiative" is really just a marketing term under which MS lumps all its programmes involving the disclosure of source code. These range from truly open source projects like those involving automated generation of application installers to special agreements with governments to permit government security audits on Windows OS source code.
The terms under which third-parties may obtain source code to operating systems is quite limited:
* you are only permitted access to Win2K, WinXP, Win2K3 server. You may NOT legally see the source to MSDOS versions 1.0 to 8.0 or their respective GUIs (Windows 1 to 3.11,95,98 or Me) under any circumstances as far as I know.
* generally, you must be a licensed user of at least 1500 seats--a large enterprise user--unless you are a government, or an affluent MS MVP. My employer qualifies here easily...HOWEVER...there is one problem:
* Quoted from MS' terms: "Source code may not be used to assist with the development of a commercially distributed product." In other words, not only can you look but not touch the source, you cannot even look at it to make your software product better...oh yeah, and don't think distributing GPLed software isn't "commercial distribution" because that is forbidden as well.
This third restriction, along with other NDA terms, make us and many others INELIGIBLE for viewing the source to any version of Windows. There is only one form of source licensing in which you CAN distribute software that you developed with the assistance of Windows source code--and that is if you obtain an OEM license agreement. The restriction is still pretty severe...these licensees can only distribute drivers for hardware which they develop and distribute. Since my employer sells more than driver software, if we wanted such a license we'd have to evoke our own "chinese wall" and be extremely careful that those who have access to Windows source code will NEVER work on the development of our commercially distributed applications.
Given these restrictions it looks rather unlikely that developers of antivirus software have source access to Windows since they commercially distribute the software. Unless, however, they have negotiated a specific, custom agreement with MS. This has happened at various times, and usually it ends up where MS licenses the outside party's technology for inclusion in their own products. A good example is Citrix--they negotiated for access to the source code of the NT kernel many years ago (before NT4 came out) because their WinFrame product basically installed a modified kernel and they needed access to enough of the source to build that kernel. Later MS strong-armed Citrix into a pretty sweet licensing deal to their MultiWin kernel for inclusion in NT4 TS edition and future NT-based Windows releases.
Such cross-pollination generally happens pretty naturally and frequently in the open source world, but from what I gather the above was only accomplished with a lot of time, money, lawyers and legal documents generated in triplicate. I fear that in the closed-source-MS world the only way we'll get the most effective anti-malware technology possible into Windows will be when MS strikes such a cross-licensing deal and bundles antivirus functions into its OS. At that point, 3rd party vendors of antivirus products will have to shift focus, perhaps offering software that extends functionality or eases the management of the built-in AV functions. It's pretty much inevitable actually, since the closed model of development discourages diversity and friendly collaboration in favour of homogeneity and antagonism towards others.
i have the solution for the inept family members. If they demand to run windows then in order to get free IT support from me they have to let me install trustnoexe on their machine. I set it up via a vnc session after they start the vnc server by an icon on their desktop.
yes, they can no longer install software themselves. but no spyware or viruses can get past it as they are not on the approved to run list.
is it a PITA for the computer owner? yes. But they will accept it if they want free help from me. it works great for most of my family and typically most people do not install software often if at all after they get it set up to run the way they want.
Do not look at laser with remaining good eye.
Administrative tools being replaced by a root-kit happens after the hole has been discovered and penetrated. It is simply a way to make maximum use of the hole and cover the tracks. If there were no hole in the first place, because there were insurance companies paying real programmers real money to be real professionals -- the holes wouldn't be there.
Seastead this.
"The root of all evil is C:\
Firefox didn't have any security issues until it started becoming popular. The Mac had a few recently too.
I haven't seen or heard of a single Mac virus, worm, or rootkit in the wild since OS-X was released. I've gotten plenty of security updates from Apple, but these are patches, not exploits. In other words they're internal to the code, so they have no relation to popularity--the code has no idea how many computers it's installed on. Whereas exploits are human-created new code that could be inferred as being related to popularity. But I haven't heard of any. I'd love to know if some have actually been found (as opposed to hypothesized).
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
>Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
:-)
It's funny you should say that - there's a fix for that bug and it comes in shape of a Firefox extension that helps you get rid of the nagging delay.
http://www.mrtech.com/news/messages/5071.html
Actually, if fewer people ran 2K/XP as admin, there'd be a lot fewer problems with viruses and trojans - many (most?) are unable to install using "normal means" (ie: through a browser or email client) using non-admin accounts.
I've given some serious thought to doing that myself, but I've never been hit badly enough to worry about it.
That said, some of the new rootkits are very, very good and kind of frightening. Do a bit of investigating at some of the hacker websites (like the guy who wrote the trojan which was used at Valve for the famous HL2 theft), and you'll see how sophisticated they've become since that very early version that was relatively easy to detect compared to what's out now...
For the newest trojans, aside from actually physically booting windows from a clean source (ie: bootable clean CD-ROM that can check file signatures and such), these new trojans are undetectable by even the most current scanning software (including scanning tools from sysinternals and such). They hook the OS early enough, and at such a low-level that they're completely invisible when you're running the OS itself.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
This seems like a symptom of a different problem, not really a problem in and of itself. Users become complacent with dialog boxes, systray warnings, etc, because there are no limits or standards regarding when these warnings are issued.
In the same session I can receive the "Take a tour of windows," "Your firewall is not turned on," "Clean up your desktop icons," and "Your hardware could not be installed" messages, all from the same section of the screen with the same look. Starting immediately after Windows installation users are taught those are 'random message bubbles' that could mean anything. Users just get discouraged when they have to acknowledge that they are sending information across the internet unencrypted, then acknowledge they are entering a secure site, then acknowledge they are leaving a secured site.
Especially if you have lots of data and are afraid that it might not all get backed up ("Damn, the computer doesn't know what songs are on my CDs any more, now I have to go to FreeDB for all of them...")
...that said, yes it is often faster and easier to fdisk and reformat, especially if you have a ghost CD.
This is for the old win98, which a lot of folks still use and which should be regularly cleaned out anyway, since MS no longer supports it. The same will apply to XP, just the directory names will be different.
First, you MUST have made a bootable floppy when you installed Windows. No bootable floppy and you're SOL.
Boot your system with your (now write protected, of course) floppy. When you get an A: prompt, deltree /y c:\windows. Then deltree /y c:\*.dat. This removes your Windows directory and your registry.
del C:\command.com (if "file not found" you're OK). del c:\autoexec.bat
deltree /y c:\*.sys
deltree /y c:\*.bin
Then get rid of the "program files" directory, then fdisk /mbr (on the off chance that a virus or root kit has written itself to the master boot record, like the old-skool floppy viruses did). Note that if you DON'T fdisk /mbr even reformatting the hard drive won't get rid of the rootkit, as a simple reformatting leaves the MBR intact.
Finally, reinstall Windows and all of your software.
Simple and easy, should only take you a full day or three. With win 98, repeat at least every three months.
If your machine is dual-boot with some flavor of Linux, you'll probably also have to reinstall that as well, as the "fdisk /mbr" will wipe out grub or lilo, depending on which one you use.
However, if you ARE running a dual boot machine, disable all networking on the Windows side. It's pretty hard to remotely break into a machine with no network support. If you're really paranoid, make sure your modem is shut off when you boot into Windows.
And if it's a games machine? Hell, just don't keep any data on it. You'll only be sending spam when you're playing DOOM anyway (and you'll no longer be an LPB)
These users have a machine that starts them with admin privileges, and then does not tell them or help them to be anything different. It also does not tell them why they should. When they see a pop-up that tells them they need to be admin and to enable their antivirus, or firewall, or whatever, they say "What?!!" and then click on 'close this window', or if it sounds good they will click 'allow'.
Programmers need to understand that people need very-extremely-simple instructions that take them step-by-step through the setup that will make their computers safe. Yes, that takes a lot of time and will require testing by the little old lady cashier at the grocery, but once you master the fact that it can be made to work, computing will become safer for all of us.
Is the closed source code of Windows preventing us from actively defending our systems?"
If you can go in to the source code and tinker with it, chances are you don't need any help defending your system in the first place.
Since I am merely a stupid user how can I tell the difference between the pop-up which says
"Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!"
and then really does the work
and the pop-up which says
"Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!"
and then installs a root kit then really does the work
Another benefit of a configurable kernel is that there are so many variations. The variety makes it much harder to write a worm that is effective against a significant percentage of Linux boxes. Worm writers know that with Windows they can make a lot of assumptions about what is where when writing shell code.
An automated attack against a RedHat box will usually fail miserably against a Slackware box, even if they have the same packages and security configuration (which they probably won't). When you consider the huge variety of distros and wacky hardware that people run Linux on, it's no surprise that most successful attacks are 'manual'.
If you think about it, we have an OS that if someone wants to break into your boX, they WILL have to do it personally, as opposed to releasing a worm that attacks 1000's of machines at a time.
Seems to me you're less likely to get compromised in the first category. If someone *really* wants to get access, THEY WILL (regardless of OS), just don't make it easy.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP.
Newsflash for those who didn't get the memo, or for that matter read the news recently. Malware goes where the money is, that happens to be delivering spyware/adware these days. The desktop is where most users reside thus it's also where the most malware shows up as well.
Secondly have you tried browsing the web lately without adblock? Servers don't need rootkits, they're already serving ads as fast as they can.
MS Research put together an elegant tool called GhostBuster, mentioned above in one of the +5 replies, which answers your question.
What does a rootkit do? It hides things. MS Research's insight is that this is all you need in order to detect one. Boot twice, once from CD and once from the suspect hard disk. Run a system inventory in each session. Then compare the two. Look for files and registry keys that a clean system can see that don't show up when you boot from the suspect system.
This approach cancels out all the problems with version management and undocumented files.
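The two-boot comparison this comment describes, as an added example in the spirit of the GhostBuster approach (it is not MS Research's tool): the same inventory is taken once from a clean boot and once from inside the suspect installation, and anything the clean view can see that the live view cannot is the hiding signal. Both listings below are constructed sample data, and the "size<TAB>path" inventory format is an assumption made for the example.

```python
"""Cross-view rootkit detection: diff a clean-boot inventory against the
inventory the suspect OS reports about itself.

Added example; not the MS Research tool, and both listings are constructed
sample data rather than output from a real machine. In practice CLEAN_VIEW
comes from booting read-only media and reading the suspect disk offline,
LIVE_VIEW from running the identical inventory command inside the suspect
Windows session.
"""
from typing import Dict, List

# Constructed listing format: one entry per line, "size<TAB>path".
# For registry keys the size column holds the number of values under the key.
CLEAN_VIEW = """\
# taken while booted from a clean CD, reading the suspect disk offline
983040\tC:\\WINDOWS\\system32\\kernel32.dll
69632\tC:\\WINDOWS\\system32\\notepad.exe
20480\tC:\\WINDOWS\\system32\\drivers\\hidden_example.sys
120000\tC:\\Program Files\\App\\app.exe
3\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\hidden_example
12\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""

LIVE_VIEW = """\
# same inventory command, run inside the suspect Windows session
983040\tC:\\WINDOWS\\system32\\kernel32.dll
69632\tC:\\WINDOWS\\system32\\notepad.exe
120000\tC:\\Program Files\\App\\app.exe
402653184\tC:\\pagefile.sys
12\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""


def parse_inventory(text: str) -> Dict[str, int]:
    """Turn a listing into {normalized path: size}.

    Paths are lower-cased because NTFS paths and registry keys are
    case-insensitive, so a case difference between the two views must not
    hide a match. Blank lines and '#' comments are skipped.
    """
    inventory: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size, path = line.split("\t", 1)
        inventory[path.strip().lower()] = int(size)
    return inventory


def cross_view_diff(clean: Dict[str, int], live: Dict[str, int]) -> Dict[str, List[str]]:
    """Compare the two views and bucket the differences.

    hidden    - in the clean view, absent from the live view: the rootkit signal
    modified  - present in both with different size: tampering or version skew
    live_only - only the live view sees it: usually benign (pagefile, temp
                files, keys written during the session), listed for review
    """
    return {
        "hidden": sorted(p for p in clean if p not in live),
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "live_only": sorted(p for p in live if p not in clean),
    }


def report(clean_text: str, live_text: str) -> Dict[str, List[str]]:
    """Parse both listings and return the bucketed diff."""
    return cross_view_diff(parse_inventory(clean_text), parse_inventory(live_text))


if __name__ == "__main__":
    for category, entries in report(CLEAN_VIEW, LIVE_VIEW).items():
        print(f"{category}:")
        for entry in entries:
            print(f"  {entry}")
```

Only the hidden bucket is the rootkit indicator; live_only entries are expected whenever the running system creates things the offline boot never did, so they are reported but not flagged. Comparing on size alone is a first cut that keeps the inventories cheap to take; hashing each file in both views catches tampering that preserves size, at the cost of the hours-long scan another comment on this page warns about.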
Why must an OS be all things to all people?
Maybe your mother can have a different OS than you. If you are an advanced user and she is a novice, why should you use the same OS?
This is like a Mac fanatic defending a one-button mouse because it's easier for a novice. About 30 minutes of use moves a person above the state of pure novice.
Just imagine a world where people make their computer revolve around their own needs instead of succumbing to it. A diversity of OS's means that any attacks are limited in scope. Everyone is better off.
Let's face it, windows is the best OS for some people, linux is the best for others, mac is the best for others, bsd is the best for others.....
Why should we choose an OS based on what Mom or Grandma needs? Get your OS for what YOU need. Mom and Grandma are smarter than you think, and can decide what makes their lives easier.
OT:
regarding the printer. when I bought a new printer for my linux box, I just plugged it in and the printer setup wizard started immediately. I was printing a test page in 30 seconds. The same printer on Windows XP took 5 minutes to setup and required a reboot
----- If communism is a system where the government owns business, what do you call a system where business owns govern
This all changes in Vista. However, it's all for nothing if the user types in his password to install malware anyway. Or if there's a privilege-escalation bug (like the one recently discovered in OSX) to exploit. Ultimately, there's always a dumb user, and always a security hole somewhere, but the fact we can't make security *perfect* shouldn't discourage us from making security *better*.
Socialism: a lie told by totalitarians and believed by fools.
The anti-spyware product SpyCatcher 2006 (free as in beer version) will detect rootkits when they are being run. It also uses some rootkit technology to fortify itself from spyware trying to detect anti-spyware products.
--NerdMachine
This is neither a design problem, nor even a Windows problem. Software that (unnecessarily) requires Administrator access to run is the fault of the software developer, not Microsoft/Windows.
For another, better separation of executables making it very easy to lock out system binaries while still giving access to applications (sbin and bin).
You mean like, say, %SYSTEM% and %PROGRAMFILES% ?
Let's not forget that with XP Home, Windows still defaults everyone to being an administrator. I think even Pro does that for the first user created.
Again, this is not a _design_ issue, it's a default configuration issue. A _design_ issue would be if there were no way of creating non-Admin users (eg: like Windows 9x).
Maybe, but we're not always talking about social engineering. There are plenty of real software vulnerabilities. Social engineering must be dealt with by proper training.
It's not just social engineering. An experienced user will not only have a machine that is harder to penetrate, but also be able to identify that a machine has been exploited sooner, and fix it quickly.
Or, to put it another way, desktop users are highly unlikely to ever know their machine has even been exploited in the first place, let alone fix it.
Are you conceding that Unix is more secure, but using this as an excuse?
I'm pointing out why the GP's reasoning is specious. How secure a machine is has 99% to do with the user(s) and software and 1% to do with the OS.
Even if it's a valid excuse, it still means Unix is more secure, which is all that's important.
And if life were that simple, you'd have a point - but it isn't. It's just as possible to run a secure Windows machine as it is an insecure unix one. It's the user that has the biggest impact, not the OS.
I'd say that huge databases of credit card numbers and other personal information is very useful.
Certainly - it's also very difficult, because the people responsible for the servers know they have a juicy target and treat it appropriately (in both the pre-emptive and reactive sense).
I reckon that Unix servers are probably the most useful to break into since they're run by banks and the government as well as large corporations.
And I reckon they're among the hardest to break into and get away with it - thus making them highly unattractive targets.
Some turd's desktop is ok at sending spam, but the big hackers would be after the big servers.
"Big hackers" aren't using spyware and web-browser exploits.
This works on any OS! Amazingly effective technique!
This has probably already been said but I'm pissed and am having a casual browse before bedtime....
Sysinternals
If you must use Windows these fine folk are well worth a visit (should be mandatory...)
Sky subscribers are morons. They pay to be advertised at !
"If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma."
...
... I dunno ... being shot? By publishing this you inform all the people that the protection they depend on is flawed, and they can fix it. You also inform all criminals of the problem and that makes them a bigger threat in the interim.
Indeed you might. I'd like to try a hypothetical to look at this differently:
Let's say you live in a world where everyone wears a bullet proof vest because people being shot is something you expect to see every day.
If you discover that the most popular vests are actually vulnerable to
Is this bad karma? I would think it would be your responsibility to demonstrate the flaw.
A good step in the direction would be a big red message saying: $program is attempting to change $(low-level, and important thing), PRESS NO unless you are installing new hardware. If you give the user a good reason to click no by default, that would remove a large number of problems where things that shouldn't be requesting system level changes do. Possibly the real problem is that the average user doesn't know what actions require what permissions.
Also, by your calculations other 'proprietary' operating systems like VMS and other 'old school' boxes that are outward-facing would be rooted every other day. Believe me, that's not the case.
It certainly seems to me that there are far more defacements and intrusions out there involving Unix-like OSes than Windows boxes. Of course Windows desktops are trapped in botnets and whatnot, but much of that can be traced back to user stupidity. The idea that a Windows computer cannot be successfully secured is a dear one to most open sores fanboys, but it's unfortunately not true.
Finally, all you need to do is to (theoretically at least) extrapolate the number of vulnerabilities Firefox (as an example of an 'open application') has had since it was first released and arrive at the conclusion that it will have a worse track record than IE. And isn't it interesting that the great majority of these vulnerabilities were discovered by people who were not looking at the source code? The same way vulns in IE are discovered. So if you are right we must have expected that Firefox should have shipped with zero bugs. None. But that's not quite the case, now is it?
And why doesn't IIS6 have more vulnerabilities than Apache 2?
Your logic seems leaky to me.
According to this link, Vista will include some protection against rootkits:
Windows Vista Security and Data Protection Improvements
"In addition to these features, Windows Vista can clean many worms, viruses, rootkits and spyware thereby ensuring the integrity of the operating system and the privacy of users' data."
The reason why most people don't install automatic updates and the firewall comes down to two things. Reason 1: Windows Firewall is a load of junk, no flexibility in rule sets, and it REDUCES network efficiency (WTF?). Second, Windows Update: click on it and it will ask for another 200 megs worth of OS junk to be installed; wait a month and it will need a crap load of patches to be installed. Patch after patch after patch after patch, when will it end?
No, I can understand why people don't like this. Run a Linux box and you get a) a decent firewall that doesn't mess up the system, b) source code patches for the kernel that can be compiled when required (and are tiny), and software updates which are package dependent, not just a big chunky block of programmed flab that MS decides to dump on your desktop to make your machine even slower performance wise, because by now if your Windows box has been running for more than 6 months the amount of dodgy registry entries have made your PC 1/3 slower from what it was when you took it out of its box.
Agreed, there's a problem, and metamoderation doesn't help. I think part of the solution is to get rid of anonymous moderation - show the usernames of every mod when you click on a post and see the 'detailed' moderation breakdown, so moderators will think twice before hitting '-1', and those moderators pushing obvious agendas (e.g. the astroturfers, sock puppets and so on) could soon be exposed. Either that, or fix metamoderation, or build an interface for some kind of meta-moderation 'voting' into the general thread interface so anyone could immediately click it if they saw an unfair moderation.
These large Unix systems... you know, the ones holding all the personal data, are broken into on a regular basis. However you won't hear about it unless it affects you or is something that happens locally. You would be surprised as to how often a large corporation may have security issues, but won't disclose them unless they have to.
Try to post it as "code" instead of plain text.
From my testing (trying to post Perl code) that seems to bypass the junk character nonsense.
RPM already records checksums of every file it installs. It can also be run from a rescue CD pretty easily, and can use a known good backup of the RPM database to achieve similar functionality to tripwire.
Nothing against tripwire, if you didn't have RPM it'd be a fine tool, just checksumming everything twice for no reason sounds silly.
> Really? Got an example?
IIS. Less than half the market share of Apache httpd.
If popularity doesn't mean anything in terms of server exploits, why would it mean something in terms of desktop exploits?
Sorry, but you the (l)user have to give the openings before something happens now. Actually, with my setup here (WS2003Ent.), Firefox is the least secure browser I have which is strange to say the least. It's still my preferred browser though. I just had to put a proxy in front of it to filter out the active content, unless the site is granted permission, and tweak some settings away from the defaults.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
As for the technique, every loving file on my Windows boxen is MD5 checksummed and the master list is kept in an encrypted volume along with all my NDA stuff using DriveCrypt. If I have any reason to suspect something has been tinkered with on my systems, and once a month no matter what along with other major maintenance, I do a diff on checksums. It's not hard, just a bit of tedium until you script it, just as with monitoring log files. I consider it right up there with my regular virus checks despite the fact that my security policies here would prevent one from even getting into a system in the first place. Insurance (risk management).
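The two detection techniques in this thread, the MS Research cross-view diff (inventory from a clean boot versus inventory from the suspect boot) and the monthly checksum diff above, share one helper: a per-file digest inventory of a tree. The following is an added example, not code from either poster, from MS Research or from Microsoft; the directory names and sample files are constructed stand-ins for the two boots, and the digest algorithm is selectable (the post uses MD5; sha256 is the default here).

```python
"""Cross-view and checksum diff of two file inventories (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def inventory(root, algo="sha256"):
    """Walk `root` and return {relative POSIX path: hex digest of contents}."""
    result = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.new(algo)
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def compare(clean, suspect):
    """Return (hidden, modified, added) as sets of relative paths.

    hidden:   in the clean-boot view but absent from the suspect-boot view,
              the cross-view signature of something hiding itself.
    modified: same path in both views, different digest (checksum diff).
    added:    only in the suspect view.
    """
    clean_paths, suspect_paths = set(clean), set(suspect)
    hidden = clean_paths - suspect_paths
    added = suspect_paths - clean_paths
    modified = {p for p in clean_paths & suspect_paths if clean[p] != suspect[p]}
    return hidden, modified, added


def demo():
    """Constructed sample: two directory trees standing in for the two boots."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean_boot"    # what the CD boot sees
        susp = Path(tmp) / "suspect_boot"   # what the suspect OS reports
        for base in (clean, susp):
            (base / "drivers").mkdir(parents=True)
            (base / "drivers" / "good.sys").write_bytes(b"unchanged driver")
            (base / "hosts").write_bytes(b"127.0.0.1 localhost")
        # Visible offline, missing from the suspect view: hidden.
        (clean / "drivers" / "hider.sys").write_bytes(b"seen only offline")
        # Same path, different content: modified.
        (susp / "hosts").write_bytes(b"127.0.0.1 localhost\n# tampered")
        # Present only in the suspect view: added.
        (susp / "drivers" / "extra.sys").write_bytes(b"new file")
        return compare(inventory(clean), inventory(susp))


if __name__ == "__main__":
    for label, paths in zip(("hidden", "modified", "added"), demo()):
        print(f"{label}: {sorted(paths)}")
```

On a real system the two inventories are taken in separate boots and saved, so `compare` runs on the stored dictionaries rather than on live trees.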
Not a single client of mine in over ten years has caught a worm or a virus. Users can learn, you just have to have patience and put it in terms they can understand. It also helps to reach out to their circle of friends to make sure that they are following safe practices as well. Unfortunately, I've noticed that all too many of my geek friends have neither the patience nor the willingness to speak anything resembling normal English or in terms people can relate to when talking about this subject. Sorry, but that's the truth.
One of them pops up a bubble in the system tray as soon as you log in, as well as popping up a big security centre window the first time you turn the machine on or install SP2. In fact, if you're not part of a domain, it kicks in the initial security centre configuration before you even get the chance to log in.
All it takes is for them to pay attention once.
How many people can read hex if only you and dead people can read hex?
When I first put XP on my home machine, I set it up with an admin account and normal users. After the third game my children wanted to put on it not only wouldn't install without admin rights, it wouldn't run either, I gave up and made everyone an admin.
rant
Is it bollocks. Most people wouldn't know about network efficiency, and with the speed of systems today and trickle updates, it doesn't make any difference if it's 200KB or 200MB.
Running a Linux desktop is a pain in the arse, whichever way you look at it. Yes you do get a firewall, after much prodding about, and people DO NOT WANT TO HAVE TO COMPILE THEIR OWN PATCHES INTO THE KERNEL. Linux is a moot point. Why not get a Mac instead, or a hardware firewall? We are dealing with Windows, and whilst Linux is a generally superior server OS it cannot yet compete for Joe Public on the desktop without someone to support it.
As it is, automatic updates and Windows firewall are designed to be a set-and-forget approach to security which for 99% of users works perfectly. They don't care about being able to allow specific ports outgoing access, or whether the packets are UDP or TCP. They don't want to have to recompile shit, they just want to be able to click a button and the machine does the rest. Which automatic updates and Windows firewall does quite well.
Most importantly...
"It's just as possible to run a secure Windows machine as it is an insecure unix one."
If we avoid the lowest common denominator, it's possible to secure a Unix system far more than it's possible to secure a Windows system. Tools such as SELinux and chroot aren't available on Windows (unless some 3rd party has made them). Chroot especially is a standard tool for securing a public-facing service such as web or ftp. SELinux is still young, but does wonders to prevent an exploited app from doing any harm.
The global economy is a great thing until you feel it locally.
It's called Knoppix!
THE Private Pilot Adventure Guide
TCSEC has apparently been superseded, and Windows 2000 is rated at Common Criteria level 4 out of 7.
Visual IRC: Fast. Powerful. Free.
Earth calling moron. PHP was an apache foundation project until within the last year when it was released to Zend to watch over the project. It is still released under an open source license (while the Zend engine is NOT).
And I like the way you admit that they are not amateurs and then contradict yourself yet again.
Let me know when you make up your mind or if you ever find out whose ass you are pulling this 99% stat from. I love the fact that you keep repeating it without saying where it comes from. Makes you look all the more like a Microsoft shill spreading FUD.
This is my sig. There are many like it but this one is mine.
Whatever you say Mr 'I make up stats'. It's not my fault that you make assumptions. Besides, my point still stands that it's an open source project and you have openly admitted that they are not amateurs. Hence the contradiction. But then 99% of FUD mongers like yourself lack the intellect to detect their own contradictions.
:)
This is mainly due to the fact that 99% of Fud mongers suffer from a form of premature retardation. This
See? It's amazing how easy it is to make up stats. 99% of people can do it.
Of course 99% of all people will call it FUD. But then 99% of FUD is a non-fat dairy substitute.
So when do we get to see where that 99% stat came from, hmmm? Which body cavity did you plummet to come up with it? Inquiring minds want to know.
Still waiting on where you found that 99% stat? Methinks the lady doth FUD too much.
It also turns out that 99% of FUD mongers don't understand simple dictionary definitions. So here you go, let me teach you at least one thing today and hope it sinks in.
amateur n.
1. A person who engages in an art, science, study, or athletic activity as a pastime rather than as a profession.
So all one of these guys has to do is get paid at some time to code. And hence, not amateurs. This definition does not apply to the project they work on but whether they have EVER gotten paid to write code.
I'll bet there is a 99% chance that you still won't understand this. And I'll bet there is a 99% chance that you still won't be able to find that made-up stat you keep quoting.
But hey, if it weren't for people as stupid as yourself, I'd never be able to laugh this hard.
Or should I say that there is a 99% chance that I would never laugh this hard.
I understand your inability to comprehend this considering the the fact that your family tree is a straight line.
But the fact remains that in your earlier post, you asserted that 99% of open source developers were amateurs; a fake statistic which you still refuse to back up. Since you haven't the capacity to read or just have never made the effort, I have recapped it for you. It's Be Nice to Dumb Animals Day so I figured what the hell.
So indeed, you did say they were amateurs because they were open source developers. How else is that supposed to be interpreted? Did you mean that they were all cantaloupes? Did you mean they were all flying butt monkeys resembling your mother?
If so then you should have said so. But in fact you didn't.
So tell us, did the lobotomy hurt much?
You're stupid. "Most open source programmers are amateurs working on junk like Drupal and the Jakarta Commons libraries." That's what I said. Where do you see, "99% of open source developers are amateurs?" Do you enjoy burning your straw man, or do you seriously not understand that I am not nurb432. I can see how a kindergarten-level grasp of the English language could lead to the latter.
"So indeed, you did say they were amateurs because they were open source developers." Care to point out where I said that? I said that most open source developers are amateurs, not that they are amateurs because they are open source developers. Again, if you understood your native language, we would not have this confusion.
Come back when you can understand the language in which we are arguing.
Now's your chance to claim to be someone else and not the original poster... which obviously is yet another lie in your tapestry of fabrications. But hey, it's worked so well for you now, why stop?
Let us recap for the mentally stupid who apparently still cannot understand English.
From my post: "Do you enjoy burning your straw man, or do you seriously not understand that I am not nurb432. I can see how a kindergarten-level grasp of the English language could lead to the latter."
From your post: "99% of the people that donate time to OSS are amateurs. It's a matter of percentages. 1% does not make the *group* a bunch of professionals." -- nurb432
Oh yeah. You're stupid.
Sure you aren't. If you say so there Captain Retardo. That's about as believable as your 99% stat. Got any other stories you wish to entertain us with?
Ah hell... who am I kidding. Of course, I'm nurb. And I generally just like to make up stats out of my ass because I am a Microsoft shill. And you were right on about my brain damage. In fact, I'm a throwback and a scientific oddity and am having my cage cleaner type this for me.
Well I'm sorry about you being a neanderthal but perhaps cage life is the best thing for you. And I'm glad that you finally admit to being a feces throwing FUD monger. See, now don't you feel so much better? :)
Yes I do feel better now having told you the truth and also having relieved myself on the floor of my cage. I'm sorry I'm such an imbecile and feel it necessary to lie and spread FUD. I've just never felt the love of a woman (sheep don't count) and this is my only outlet of entertainment.