Slashdot Mirror
Microsoft vs. Computer Security
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."
Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.
I want to drag this out as long as possible. Bring me my protractor.
Considering where they started, just getting to BAD is a tenfold increase! And to be honest, they have come a long way. They just have a VERY long way to go.
Perhaps more accurately, users of windows have made no progress. Quite a few of the worms that have made big headlines over the last few years are ones that make use of exploits for which patches were already available. It's long been said that people are the greatest security problem. And I believe that applies to Microsoft's security problems as well. As long as the education of Microsoft's user base is neglected (or actively refused by some), MS's efforts (feeble as they may seem at times) will have limited success.
Yeah, I started to make a similar post, but then I decided it wasn't so absurd. Probably on the high side, but it's not as much as it sounds like. 10M IT workers, even if they only averaged a salary of $100/day would be $1B. And that doesn't even factor in possible data loss which would result in users redoing their work.
https://www.eff.org/https-everywhere
One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that requires more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of alot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)
Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.
Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.
Blame the user, not the software.
I was wondering why the fact that they keep releasing a "constant stream" of patches is a bad thing, since the OSS community does the same thing (Now, I'm not trying to compare the quality or the type of patch).