Slashdot Mirror
Community Comments To Security Absurdity Article
An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
people would use common sense.
Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.
Only until other systems become prevalent enough to be viable targets, although having a diverse enough population will mean that fewer systems overall will be affected by any particular exploit.
You can a totally secure system. But it won't be doing much unplugged and locked up.
A game has objectives and is competitive, anything else is just play
Try to guess which one is a Slashdot headline:
"Alteration Frequents From Space-Age Poetry Bannister"
"From Tabletop Mannered Asterisk Will Age Understood"
"Community Comments To Security Absurdity Article"
"Likely Georgetown Under Wisely Instantiation If"
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.
Then it is true: Windows Vista is Bill Gates' secret doomsday weapon, the final piece of his twisted plot for total domination, which will destroy humanity and bring about the rise of the machines in our place!
I always knew that paperclip looked shifty.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
We're taking the wrong approach to security. You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure. Or you can fight a cause and however much it costs you that problem is solved for good.
Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.
This entire class of low-level flaws can be solved completely. Then it's just the higher-level problems like impersonating web pages, xss, some trojans, that kind of thing. Still a problem, yeah, but without the entire class of automatic propagation it is so much less of one.
I assume the operating system was Windows? Solutions:
Find free books.
Soviets and East Germany were not Nazis, they were communists. Just thought I would point that out.
for example, American revolution. if you want the security of the British empire then go back. or you could grow some balls and fight for america in the revolution in an attempt to have freedom and liberty.
I'm not sure we are experiencing a "profound failure" of security. "Profound" is a pretty extreme description. To me it implies a whole lot more problems than we really see. Hacking multiple power utilities to fail an entire country's grid might apply. What we really see is the failure of a fair number of ignorant individual users to secure their systems and some odds and ends type of security breaches of business and government entities. It's not like the major stock markets of multiple countries are being brought down or nukes have been launched. That could always potentially happen but what kind of really dire (profound) consequences have been seen?
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure.
Where I come from, they call this "securing your revenue stream."
Seems like the security companies are doing A-OK there; they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.
Like all arms races, if you're in the arms business, you can laugh all the way to the bank. (Until someone decides to rob you, that is.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.
Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.
The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.
Computational Chemistry products and services.
Well, I would be with you, except that if you believe the numbers in TFA (the original, not in the comments), cybercrime is more profitable than the illegal drug trade. I assume there's probably even more money being spent trying to prevent and defeat cybercrime, and on security. That's a lot of money diverted from legitimate enterprise, and a lot of missed opportunities.
When people don't trust technology and don't use online banking, then banks don't spend as much on it. Venture capital and other sources of funding start to dry up; the pace of development slows.
It's not a problem that's probably going to result in a city being vaporized overnight, but that doesn't mean it's not a problem. It's like muggings in a large city: sure, you can wave it off and say that it only happens to tourists, rubes, and the unwary -- why should street-smart people care about it? -- but over time it starts to take its toll everywhere. The economic cost alone starts to act like a tax on everything, and it drives away customers and new business.
People who understand computers and know what precautions to take to prevent being victimized, cannot just put their heads in the sand about the current situation. Particularly since most people who are capable of understanding the problem, earn their living in some technology-driven field, it's those people who stand to be affected by the 'downstream' effects of cybercrime and a culture of insecurity.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.
Wow. That simple statement also sums up the War on Drugs.
disclaimer: USED to work in Law Enforcement as part of said "war"...
Computational Chemistry products and services.
Is this just a FUD ad for Microsoft's " Trustworthy Computing" or what?
Microsoft's work in training developers company-wide in secure coding practices is virtually unparalleled among major software vendors, and has resulted in their Security Development Lifecycle (SDL), a formalized process for incorporating secure coding and security testing into every phase of a product's lifecycle. Their Trustworthy Computing initiative so far looks like a success; one that has transformed Microsoft's and much of the industry's thinking about security in just four years.
Vista goes a long way in bringing protection mechanisms such as User Access Control, Kernel Patch Protection, Mandatory Driver Signing & Address Space Layout Randomization to mainstream computer users. If there is going to be any improvement of the current cybersecurity situation, it has to start with the operating system. In this regard, if Microsoft delivers on their promise to produce a secure operating system, it will be an important milestone for cybersecurity, and quite possibly a start to a security revolution. Vista also launches Microsoft's entry into the security space with anti-malware products and services such as Windows Defender, OneCare, and Forefront. The insufficiencies of today's anti-malware software have long been known. Microsoft's entry into the security space will force security vendors to innovate or be pushed out of the market. I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry.
I'd love to hear a conclusive answer to this as well.
Also, I wonder what ports SP2 has open in its default, out-of-the-box configuration. Is it totally locked down, with no response to *anything* coming in from the outside? Or does it have a few services still running here and there that could be exploited? Plus, and perhaps this is a stupid question, if you're running a firewall on the local machine as opposed to on a dedicated box, isn't there always a problem of the firewall software having a vulnerability itself? Or the TCP/IP stack? (And why not -- stranger things have happened. Like firmware vulns.) I'm just thinking of everything on the machine that you could possibly overflow/break by sending malformatted packets, for example.
I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two. Since it's not unknown for vendors to load up PCs with all sorts of software, probably including compromised ActiveX controls, all it takes is a trip to the wrong site to get a rootkit/keylogger installed. From there, it's a one-way trip to reformatsville, at least if you're smart. (Which is a real trick, seeing as how many PCs don't even come with reinstall media, instead just taking a chunk of your hard drive for some shoddy "recovery partition.")
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
lunes, martes, miércoles, jueves, viernes, sábado, domingo
Gonna have to dig deeper.
This issue is a bit more complicated than you think.
Soviets and East Germany were not Nazis, they were communists.
They were pretending to be.
CC.
TaijiQuan (Huang, 5 loosenings)
* Don't click on links in email messages. Type the URL in your browser manually.
Too much work. I bought this computer to make my life easier.
* Disable the preview pane in all your inboxes.
How do I do that? I'm not smart like you when it comes to computers.
* Read all email in plain text.
I wouldn't get to see the pictures my friends send me if I did that.
* Don't open email attachments.
What? And miss out on the lasest web games my friends are playing?
* Don't use Java, JavaScript, and ActiveX.
No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.
* Don't check your email with Microsoft Outlook or Outlook Express.
But Outlook is what my computer came with. I can't afford a new computer this month.
* Don't display your email address on your web site.
Unacceptable. My customers need to be able to contact me.
* Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
How do I know what it links to before I click?
* Don't let the computer save your passwords.
Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.
* Don't trust the "From" line in email messages.
Then how do I know who sent me the mail?
* Never Use Internet Explorer and instead Switch to Firefox.
I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.
* Never run a program unless you know it to be authored by a person or company that you trust.
How do I know who wrote the software, it just shows up on my computer?
* Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.
* Don't count on your email system to block all worms and viruses.
Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?
* Get a Mac
At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
To play Devil's advocate (hey, I'm in Gentoo) You are talking about servers versus single user systems. Linux isn't in the same class target wise as Windows simply because it isn't the OS of choice for Joe Sixpack. When that happens, I feel you will see just as many stupidly successful attacks as you see today in Windows. Why? Because the targets will be those same people that use "password" or "12345" for their security. Remember, rootkits existed for *nix long before they existed for Windows. The security of any system, be it Linux, Unix, Windows, OS X, etc... Is solely dependent on the one at the keyboard and unfortunately all too often that person is an idiot.
B.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so i will do the same.
I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.
How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...
Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.
Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.
Too simple?
Resistance is futile. Reactance buggers it up.
Auto-magically? And here I was looking for a fortified "barrier" spell to cast. Thank god I don't have to pretend to read and speak Latin, waive a pen in the air, and draw pentagrams on my boxes. Phew.. Dodged some bullets. Thanks. Thanks a lot.
... but I was under the impression that most "brand new expensive computers" would be running Windows XP with SP2 pre-installed, and that comes with a firewall which, while not exactly a suit of platemail, will certainly suffice to make sure that any security vulnerability exploited on your own machine came in from a connection you authorized.
Somebody tell the security writer what "trojan" means, by the way. I mean, I might have abandoned my history major halfway through, but I don't remember the moral of the story being "Beware when large wooden horses are outside your wall, because that means when you go on a coffee break the large wooden horse will teleport inside your wall, and then disgorge Greeks".
Help poke pirates in the eyepatch, arr.
There is a thing called email which is far more useful and has been around longer - you also can use mbox files readable even by a text editor instead of some weird database that requires shareware to fix when it gets corrupted. If Microsoft provided tools to support their own products properly I would recommend it - but no, conventional email servers available from a lot of different sources are superior in almost every way. Even the horrible sendmail configuration file is superior to weird registry hacks to change the behavior of exchange.
Disclaimer - I've only looked after 3 MS Exchange servers and one bare metal rebuild from backup to recover old mail (nightmare that would never be required with a sane mailbox format - the whole thing is just too fragile and finicky and required an install with the same service packs, identical company info strings in the install, same registry hacks etc). Open relay by default with one patch too aparently - or perhaps that just has to be fiction because they could not be that stupid could they?
referring to a partition into Kurdistan
Cool, I didn't know gparted could do a whole country!
Seven puppies were harmed during the making of this post.
The security of any system ... Is solely dependent on the one at the keyboard and unfortunately all too often that person is an idiot.
Well, I think that's a bit of an over simplification. Sure, the end-user can screw things up - there's nothing you can really do to keep people from screwing up their own machines, if that's what they're into. However, the system design can push things one way other the other. For example, you can make the stack non-executable, getting rid of most buffer over-runs. You can run at a lower security level, requiring user interaction to get elevated privileges. You can default to a browser that runs at an ultra-low security level and reports phishing websites.
Alternatively, you can use a global, shared memory space, omit access controls, and maybe put a big red button on the desktop that will delete all files, and join a botnet. Then for fun, make it so the button can be activated remotely. As a corollary, you could include advanced safety measures, but require recompiling the kernel and hex-editing the resulting binary.
Given the same users, the system with the better design will generally be safer. Although, granted, Bonzi Buddy or Weatherbug could be designed for any OS.
Powered by Web3.5 RC 2
You are using Linux in a broader fashion than I would, considering there are over a hundred different distributions available. Let's say openSUSE replaces Windows as the dominant operating system, I think you'll find that the number times that they are "pwned" will increase significantly. If it's on a network then it's not secure, if someone really wants to screw with your systems then they will figure out how.
A game has objectives and is competitive, anything else is just play
No. Just no.
I hate this sort of comparison, because it's bogus. It's a classic apples and oranges situation. You are comparing the security of Apache to IIS, not Linux to Windows. Modern versions of IIS are pretty good from what I hear, and besides it's not very hard to be secure when all you run is a firewall and a web server.
If you want to do a real comparison you should compare the Linux desktop to the Windows desktop. Your average Linux desktop is a security nightmare. Firstly there's no active security whatsoever, it's all passive. IE there are no virus scanners/anti-malware tools in common deployment. If the passive defences fail you are screwed, you cannot easily distribute signatures etc to clean up the mess. Secondly, the Linux security model is simply the UNIX security model, which was designed in the 70s for a totally different set of threats. Your average desktop is not a mainframe and does not need to protect users from one another - instead it's decayed into some kind of trivial black/white coarse grained security model in which "root" has absolute power and "users" have less power.
Unfortunately, Linux trains the user to enter their password all the time, given an essentially random set of situations. You have to enter your password to install software, remove software, configure hardware, set the system clock and worst of all to install security updates. The tasks that require root are to the average user totally unconnected. If you are a UNIX geek you can probably figure out why something might need root, but you're in the minority. So users are trained to just enter their password whenever they are asked to, making it trivial to phish it out of them.
Even if you can't get root - who cares? On a modern Linux desktop you can do anything you need without it. Want to crack bank details? Go right ahead, Firefox runs as user and you can ptrace() it to your hearts content. Want to hook into startup so you always run? KDE and GNOME will be happy to oblige. Want to "hide" yourself without modifying the kernel? No problem either, just inject yourself into the address space of each program as it starts and then hook the syscalls at the libc level. Childs play.
So to put it simply - you are dead wrong. The underlying problem at the system level is the system, which is basically the same regardless of whether you use Windows, MacOS or Linux. The UNIX/NT security model is incapable of solving the problem of malicious software, period.
Using Firefox, Thunderbird and plus some antivirus program (like kaspersky) will save your ass. Of course I do not use my online banking accounts with windows.
And average Windows user does not know other than IE, Outlook, Office etc.
This is main problem, they do not know hot to protect themselves...
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
Yes, this is clearly over the line. I mean, had it at least been child pornography, that would have been acceptable, but noo, they had to go all the way.
Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.
Not really. The proportion of internet-connected machines which are Linux/Apache servers is tiny and most of the people running them will detect and remedy any exploits in short order.
Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.
You do realise that the vast, vast bulk of exploited Windows machines weren't "pwned" by any sort of remote attack, right ?
Servers have _completely_ different risk and exposure profiles to desktop - particularly unmanaged desktop - PCs. So different that even trying to draw conclusions about one based on the other is laughable.
The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.
Except at the system level, Windows's security model is (relatively) quite solid. By any objective measure, the security infrastructure of Windows is (relatively) good. Clearly, the problem isn't there.
Vista will employ a new paradigm of security based on this article; it will be known as Security Through Absurdity.
OK, that's enough. When you start telling people that they shouldn't use hyperlinks or preview panes, then we're talking about moving backward.
I'm not sure I agree with this notion of putting all the security onus on the end user at all. What if every time I got on the subway it was my job to check to see if the wheels were about to fall off? Or if every time I sent a letter through the regular mail it was up to me to make sure the envelope was unopenable by anyone but my intended recipient?
When you start having the list of "common-sense" security measures taking up more than a paragraph, that means there's something wrong somewhere up the food chain from the end user.
I know it can be done. I work at a small University and I haven't seen a single spam in my inbox in the last year. I get a list every so often of what the spam filter caught and it's amazingly accurate. And this from a system that's run by the usual half-bright academic computer services staff member.
And what about an operating system that's basically a leaky boat? Before it wastes another minute on giving me transparent windows, Microsoft needs to make Windows impenetrable to spyware without the help of half a dozen spyware catchers, firewalls and adware monitors. If an operating system can't provide basic security, then what good is it anyway?
A huge percentage of the traffic in the internet's tubes goes through a limited number of systems and providers. They might start doing their part too.
And before you lazy bastards who are making a living at "internet security" tell me "you don't know anything about internet security"... You are goddamn right I don't know anything about internet security, and I have no interest in learning. In fact, I own a house and I don't know anything about motion detectors or satellite surveillance (well, actually, I do, but I shouldn't NEED to) to be able to secure my house. I lock the front door and feed my mastiff and that takes care of it.
I am getting impatient with the ever-lengthening list of security measures regular end-users are supposed to take to use the internet. And I'm way past impatient with security measures that involve giving up utility, such as "don't click on hyperlinks, type in your URLs".
Now you there, with the bad skin and "/." t-shirt. Get to work and figure this security thing out and leave me alone with your "common sense".
You are welcome on my lawn.
This isn't any surprise that Windows sucks.
What I'm more concerned about is, "How much of this problem extends to Mac/Linux?"
Phishing obviously does and can be avoided with sufficient electrical shock treatment.
But what about the bots and such? I have a lot of hardware sitting online 24x7.
lets say the article is right
does it matter?
so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware, except for a few minutes removing viagra ads, and for me, spambayes does most of that pretty well
as we know, the whole id theft thing is a media exaggeration, like missing children: most of the id theft is from family or friends, and most of the missing children are out for a walk with their parents
"lets say the article is right does it matter?"
It does in that people will be wary of doing online commerce and that will hit the bottom line.
"so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware"
You must be the only one on the planet then.br>
"as we know, the whole id theft thing is a media exaggeration"
"An Emmy-winning film producer whose life was disrupted after hackers stole her Social Security number"
was Re:does it matter
davecb5620@gmail.com
Security Professionals are in the best position to create change and that is why we are responsible for this situation. If we lack certain laws then it is Security Professionals that can help politicians understand this and advocate for better laws. If software vendors are producing insecure products then it is Security Professionals that can assist (or pressure) them to improve their coding practices. If Universities lack security courses then it is Security Professionals that can raise awareness and promote security education at Universities.Security Professionals, as a class, are not really interested in create change that would be prejudicial to their bottom line. Period.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
gwb has been doing my whole country for 6 years. It took about 8 months to reformat. And about 2 more years to install operating systems in each partition. Now that it's been replaced by an odd-numbered development release, it's working to boot the world. Damn thing headcrashes every time it gets power.
--
make install -not war
The article doesn't have much to say outside of the world of Microsoft Windows.
Actually, he dismisses ALL things outside Microsoft and hypes Vista. "Get a Mac" is placed in his list of absurd recommendations along with manually typing links to your browser. Free software is is only implied as a passing part of his core thesis that "security" is so bad that you have to be a computer expert to do normal things with your computer. Putting that onto Mac use shows how absurd the omissions are. Paradoxically after showing just how bad M$ has made the world for us, he praises Vista as a potential savior of the masses.
That kind of advice is terrible and leads to more of the same. A diversity of strong and easy to use platforms is the ONLY solution to the problem. People can and should migrate to other platforms which are secure now and for the foreseeable future. If they don't migrate, M$ will continue to run the vast majority of the world's computers, something that's already a dissaster. If they don't migrate the other platforms will never be as easy and cheap as they should be and M$ will adjust their incompetence to match - they will never do more than they have to. In short, he's ignored viable options to hype one that's sure to fail. I'd call that an advertisement.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Linux isn't in the same class target wise as Windows simply because it isn't the OS of choice for Joe Sixpack.
In my opinion the fundamental problem here is that Windows is not the OS of choice for Joe Sixpack. He just buys a computer and Windows comes pre-installed. If he made a choice the competitive market would solve the malware problem.
When that happens, I feel you will see just as many stupidly successful attacks as you see today in Windows. Why? Because the targets will be those same people that use "password" or "12345" for their security.
It's easy to blame the user, but most infections of malware today involve no user interaction. Even for those that do, a properly designed OS can mitigate most of those problems.
The security of any system, be it Linux, Unix, Windows, OS X, etc... Is solely dependent on the one at the keyboard and unfortunately all too often that person is an idiot.
Scenario 1: malware is downloaded, the OS checks the binary against a known list detects and deletes it and blacklists the host you got it from. Have a nice day. Scenario 2: malware is downloaded and run and infects the user with no warnings from the OS. Is the OS in scenario 1 more secure than in scenario 2, or is the user at fault? Obviously the OS matters. Since I've demonstrated that conceptually the OS matters, all that remains to debate is how much it matters. The answer is a whole lot. Windows and most desktop OS's have really lousy security. New binaries should be sandboxed and restricted by default. The OS should tell you what they're doing and give you the power to decide what it can and can't do. Fix the OS first, then worry about the "idiot" user.
Also your point about your desktop doesn't need to protect against different users is somewhat subjective. Maybe you are thinking of all the rich families out there where each family member has their own PC. In reality, they often share a single PC, and just because all family members aren't logged on at the same time like a mainframe doesn't mean they shouldn't all use separate accounts for convenience and to protect against contamination. Same goes for Windows. I would actually go as far as to say this is the way most home PC's should be setup. You set your kids up with their own accounts, to limit access and damage etc. For their protection and the protection of the entire PC. Its still pretty common for home Windows boxes to still all use a single Admin account, because its default and people don't know any better. At least Linux tends to encourage proper use of accounts.
As for root having absolute power, perhaps it might seem more restrictive, but really it simplifies things and probably offers more real protection. If you really want to grant other users super privileges then you can give them sudo access. But normally just having root for total control means there is only one way in. Knowing the root mighty password. If you started giving Admin right to a few users and their passwords were flaky then its game over.
As for users having to enter password all the time for things. Well I think people have been spoiled rotten by the lax way Windows lets you do things. The clock (or any hardware device) is an important security feature of entire computer. People can moan about it all they want, but its a crucial system resource that if tampered with could be used maliciously or simply break things. Like for some network services, if you PC clock is not within a certain range of the server's clock, you will not be allowed to interact.
As for users becoming overly used to entering their password all the time, well again, Linux and OS-X try and keep it to a minimum. For normal usage they shouldn't run into it too much. Yeah to install software and tamper with hardware, they are just going to have to get a tad more educated. It can be taught, and hopefully they will learn enough about seeing it in context to know what a popup window could be a fake. One extra mental aid I read about ages ago was that the root user would be encouraged to associate a personal photo with that root password popup, so it appears as background image. That way it would be a queue to be suspicious if the background was different. Don't know if this feature exists tho. I believe Vista is going in the same direction but with excessive password prompting. But alternatives like running in root/admin mode all the time is just a ticking time bomb.
Sure 'the system' stuff is quite true, but I think most other OS's contain damage done by malicious programs run under a single user account (not installed with root password) alot better than Windows. Its quite easy to clean/wipe a Linux user's home directory startup files etc than perhaps registry or random locations on Windows file system. But sure if you want to stop any virus/ad/spyware getting installed/executed for any user then these anti-whatever programs need to exist and be run. Also I don't know the facts here, but Linux kernel may be more robust in terms vunerabilities for virus to bypass security and truely infect entire PC or root.But like I said, are there any actual cases of them for Linux/OS-X ???
If you want to do a real comparison you should compare the Linux desktop to the Windows desktop. Your average Linux desktop is a security nightmare.
You're mistaken. The average Linux desktop is a potential security nightmare, not an actual one. This is because most of the threats you address are not common on Linux so solutions are not as important. I contend that because of the development models, if such threats do become common on Linux, the security changes needed to deal with them will become common because developers are users and are motivated. The same is not true on Windows, because insecure, commonly compromised Windows boxes don't cost the developers any significant amount.
The underlying problem at the system level is the system, which is basically the same regardless of whether you use Windows, MacOS or Linux. The UNIX/NT security model is incapable of solving the problem of malicious software, period.
Windows, OS X, and Linux all have mandatory access controls, application trust verification, UI reforms, etc. in a semi-usable state. For any system besides Windows, they will become commonly deployed as soon as there is a need. The problem is motivating Microsoft (financially) to do the same.
. Let's say openSUSE replaces Windows as the dominant operating system, I think you'll find that the number times that they are "pwned" will increase significantly. If it's on a network then it's not secure, if someone really wants to screw with your systems then they will figure out how.
Wider adoption of a given Linux distro will increase the number of them compromised. That does not mean it will ever be as bad as Windows is now and let me tell you why. OpenSUSE cannot maintain a monopoly lock-in. It is GPLed and can be forked. That means the developers of OpenSUSE will always be motivated to solve security issues. Microsoft is not strongly motivated to do that.
If OpenSUSE had 90% market share it would be compromised regularly. It would be targeted by worms and trojans and the like. It would also adapt to prevent those problems and address security proactively and reactively. Because it is GPL, there would be little or no motivation for people to use really old versions and if they did, there would still be people providing automated security patches for those versions. It would never get to the state where automated worms compromising thousands of machines daily is commonplace.
You're looking at this in terms of the respective security technologies in the two OS's, but you're missing the underlying causes of those security technologies. The real problem here is that Windows is a monopoly on the desktop and the result of that is a product that dominates, but does not respond to the needs and wants of consumers.
Viruses and worms are now more commonly used for commercial gain then mere bragging rights. It's much easier to target the large, clueless Windows population (especially since so many are still running Windows 9x) then it is to target the much smaller Linux and Mac populations.
(NOTE: I did not say all Windows users are clueless. I merely said that there is a large population of Windows users who ARE clueless.)
IE there are no virus scanners/anti-malware tools in common deployment. If the passive defences fail you are screwed, you cannot easily distribute signatures etc to clean up the mess.
This is false. There are linux-based virus scanners, they just aren't used as frequently on Linux desktop because viruses are less of a threat. More likely, someone will install a virus scanner on Linux when it's a server, and the virus scanner is intended to protect Windows machines. For example, if you have a Linux mail server, it's good to scan e-mail for viruses in order to protect Windows clients.
Your average desktop is not a mainframe and does not need to protect users from one another - instead it's decayed into some kind of trivial black/white coarse grained security model in which "root" has absolute power and "users" have less power.
Even if you don't want to protect users from each other, it's good to protect one user for the spyware that another user runs, isn't it? And what's wrong with the root/user split? Someone needs to have absolute power, but most people shouldn't have it.
Even if you can't get root - who cares? On a modern Linux desktop you can do anything you need without it. Want to crack bank details? Go right ahead, Firefox runs as user and you can ptrace() it to your hearts content.
Well what security model can prevent a user from a program running under that user account modifying that user's files, but without denying access to that user when he wants it?
You do realise that the vast, vast bulk of exploited Windows machines weren't "pwned" by any sort of remote attack, right ?
You've made this claim before, but I've never seen you provide support for it. Most infections by number are remote with no user interaction.
Servers have _completely_ different risk and exposure profiles to desktop - particularly unmanaged desktop - PCs. So different that even trying to draw conclusions about one based on the other is laughable.
Yeah, which is probably why the previous poster used it to demonstrate that the concept being presented was flawed, as it does not hold true in all cases. Thus the burden of proof shifts to those claiming that market share is the only important factor, since it has been proven this is not always the case.
Except at the system level, Windows's security model is (relatively) quite solid.
He was using "system" to refer to the Windows desktop system that most people have to deal with, not some component of the core architecture, which he pretty clearly conveys using examples. He's saying Windows plus the included software as it makes its way onto the average user is flawed.
I am completing my degree program in network security, and this weekend we held our "wargames" to attack and exploit each team's network. The end result was a total and complete farce. Each team demonstrated a fundamental lack of understanding of networking and security, which isn't surprising because they're the kind of poeple that think daddy a deposit down on their degree that they get to collect at the end of four years. Nobody learned a damn thing and even when we tried to spell out what went wrong they wouldn't listen or couldn't understand.
Your average retarded security-ignorant end user in a company should at least be protected from himself to some degree by a trained IT security professional. The article mentions apathy of "professionals" when it comes to protecting their networks, but what about full blown ignorance? 75% of my graduating class couldn't outwit a used tea bag, but their social connections and rich parents will see to it they get a job where the 25% of the class that knows what they are doing (and has to work their ass off to stay in school) will be struggling at the end.
Home users are even worse. I have the priviledge of working in tech support to pay my way through school and I deal every day with the fucktards who think their computer is a magic box that brings porn and games. I get asked security questions all day but I have to lie becaause a) the truth will take too long to explain to someone that doesn't know how to find the radio switch on his laptop and b) the truth will get me fired.
You want security? It's your responsiblity.
Nowhere have I said that they would be compromised as badly as Windows. All I have stated is that you will have an increase in security issues. Besides which, my point is nothing is totally secure, if you can communicate out, someone can communicate in. It all depends on their level of commitment.
A game has objectives and is competitive, anything else is just play
It's easy to blame the user, but most infections of malware today involve no user interaction. Even for those that do, a properly designed OS can mitigate most of those problems.
Most malware infections come from uses running rogue ActiveX controls, email attachments and the like.
Scenario 1: malware is downloaded, the OS checks the binary against a known list detects and deletes it and blacklists the host you got it from. Have a nice day. Scenario 2: malware is downloaded and run and infects the user with no warnings from the OS. Is the OS in scenario 1 more secure than in scenario 2, or is the user at fault?
Scenario 1, of course, where you essentially describe an OS-integrated anti-virus and anti-malware solution.
Of course, if Microsoft actually did include the AV and anti-malware functionality you describe above in Windows, I've little doubt you'd be among the first - along with Symantec and Co. - running around yelling "anti-trust".
Your hypocrisy is a bit sickening. On the one hand you decry Microsoft whenever they add functionality to improve Windows, but nearly in the same breath you insist they should add functionality to improve Windows.
You've made this claim before, but I've never seen you provide support for it.
I provide as much support as people who write things like:
Most infections by number are remote with no user interaction.
Remote vulnerabilities for Windows - like most platforms - are few, far between and quickly fixed. Indeed, the vulnerabilities behind most high-profile remote exploits for Windows were typically fixed *before* those exploits occurred. A brief cruise around the various "security" sites shows this.
Yeah, which is probably why the previous poster used it to demonstrate that the concept being presented was flawed, as it does not hold true in all cases.
That must be why he wrote:
Seems to me the opinion is that Linux servers running Apache (or anything else, I imagine) are - in principal - just as vulnerable to being exploited as Windows desktops. An assertion that is ridiculous on its face.
Thus the burden of proof shifts to those claiming that market share is the only important factor, since it has been proven this is not always the case.
I don't believe anyone has said "market share" is the only factor. However, people frequently use "market share" as a general term to encompass a collection of relevant issues that correlate strongly with a platform's market share.
What truly boggles the mind is people who say "market share" is irrelevant...
He was using "system" to refer to the Windows desktop system that most people have to deal with, not some component of the core architecture, which he pretty clearly conveys using examples.
There were no examples in the post I replied to. The only elaboration of the term "system" comes from:
Which seems to be referring to "the system" at a pretty low level by my interpretation.
He's saying Windows plus the included software as it makes its way onto the average user is flawed.
Of course it is - every platform is. That doesn't change the fact that the vast majority of Windows exploits do not originate from coding or security infrastructure flaws.
You cannot secure a general-purpose platform where ignorant end users have the ability to run arbitrary code, and have it remain usable.
Remote vulnerabilities for Windows - like most platforms - are few, far between and quickly fixed. Indeed, the vulnerabilities behind most high-profile remote exploits for Windows were typically fixed *before* those exploits occurred. A brief cruise around the various "security" sites shows this.
So what? They also account for most infections, since worms and Website exploits affect so many more targets than other malware. Every study I've seen shows this and it is supported by my own data.
I don't believe anyone has said "market share" is the only factor.
Yeah, I think it was "bigger target, more problems" which he showed was not a truism.
The only elaboration of the term "system" comes from... Which seems to be referring to "the system" at a pretty low level by my interpretation.
So what part of "the default security model" did you think did not apply to your argument about the security model? I think it was pretty clear he was referring to default settings of that system.
Of course it is - every platform is.
No it isn't. OS X and Linux desktops both are not seriously flawed as they appear to the average user. This is evidenced by the lack of widespread compromises on said platforms.
That doesn't change the fact that the vast majority of Windows exploits do not originate from coding or security infrastructure flaws.
Buffer overflows are the result of coding flaws. Failing to contain trojans and said overflows is a infrastructure security flaw.
You cannot secure a general-purpose platform where ignorant end users have the ability to run arbitrary code, and have it remain usable.
Well it looks as though Apple will make eat those words with OS X 10.5 which looks to include default mandatory access control settings based upon application signing levels. Care to bet how long it takes most Linux distros to do the same?
So what? They also account for most infections, since worms and Website exploits affect so many more targets than other malware. Every study I've seen shows this and it is supported by my own data.
What studies ?
Yeah, I think it was "bigger target, more problems" which he showed was not a truism.
No, he didn't (although it's not a "truism", I'll agree - it *is* a strongly correlated factor, however).
Windows suffers so much because it has a lethal combination of high marketshare and a largely ignorant userbase.
So what part of "the default security model" did you think did not apply to your argument about the security model? I think it was pretty clear he was referring to default settings of that system.
Seems to me it's a reference to the system security capabilities.
Not that the default config - the infamous "Administrator by default" - ends up making a huge difference in practical terms.
No it isn't. OS X and Linux desktops both are not seriously flawed as they appear to the average user.
Sure they are. They suffer basically the same problems Windows does only with one or two more dialog boxes in the way. Moreso, if anything, since code executing as root has more power than code executing as "administrator".
This is evidenced by the lack of widespread compromises on said platforms.
No, it's not. The primary contributor to the "lack of widespread compromises" on Linux is the relatively tiny number of suitably ignorant users. On OS X, it's the relatively tiny marketshare.
Buffer overflows are the result of coding flaws. Failing to contain trojans and said overflows is a infrastructure security flaw.
Most "compromises" aren't coming from buffer overflows - especially unpatched ones.
"Failing to contain trojans" is what happens when you allow ignorant users the ability to execute arbitrary code.
Well it looks as though Apple will make eat those words with OS X 10.5 which looks to include default mandatory access control settings based upon application signing levels.
So you're saying OS X won't let users run unsigned code ? Because that's going to be a legacy support cutoff so brutal I don't think even Apple would be game to carry it out.
Care to bet how long it takes most Linux distros to do the same?
Probably quite some time, although I'm sure Ubuntu will be quick to copy it. Should be funny watching the anti-Microsoft zealots try and spin mandatory signing of code it as suddenly being a good thing, as well.
Well what security model can prevent a user from a program running under that user account modifying that user's files, but without denying access to that user when he wants it?
Using a restricted shell in a separate directory. Restricted shells cannot do operations on directories above the current directory (ie. no ../ operations).
What studies ?
There was one at blackhat this year and two at Nanog. There was one at the ISP conference (whose name I forget) Canada last month. Pick up any trade journal and find me a study that doesn't show this.
Not that the default config - the infamous "Administrator by default" - ends up making a huge difference in practical terms.
If that were the only default config, maybe not. It isn't. Combine that with basically no use of the application specific security controls, really lousy UI defaults (hiding extensions anyone?), unneeded services enabled by default, etc. and you have a disaster.
Sure they are. They suffer basically the same problems Windows does only with one or two more dialog boxes in the way.
No they don't. Even if they are as vulnerable to the problems as Windows they don't suffer from them because they are not exploited.
Moreso, if anything, since code executing as root has more power than code executing as "administrator".
How odd. I'm logged into an administrative account right now (on another machine) and it is not a root account.
The primary contributor to the "lack of widespread compromises" on Linux is the relatively tiny number of suitably ignorant users. On OS X, it's the relatively tiny marketshare.
You know, repeating unsupported assertions over and over again doesn't actually lend them any more credibility. You actually have to present support for them, like facts.
"Failing to contain trojans" is what happens when you allow ignorant users the ability to execute arbitrary code.
Failing to contain trojans is what happens when you let the users that exist use Windows. You can argue that the user has failed, but it doesn't matter because so has the OS by not being designed to work properly for said user.
So you're saying OS X won't let users run unsigned code ? Because that's going to be a legacy support cutoff so brutal I don't think even Apple would be game to carry it out.
No, I'm not saying that. I'm saying they ported TrustedBSD's MAC system and combined it in some unspecified way with application signing trust levels. It would be stupid to try to stop users from running unsigned code. It makes a lot of sense to restrict the access of unsigned code by default.
Should be funny watching the anti-Microsoft zealots try and spin mandatory signing of code it as suddenly being a good thing, as well.
It is funny watching some Microsoft fanboy make up shit like "mandatory signing of code" when no one ever even suggested such a thing. Seriously though, you can tell me. Do you get paid to try to spin every failure of MS and Windows as someone else's fault while at the same time always referring to all of the security improvements from everyone else as impossible?
...but that restricted shell also won't be able to operate on the user's files when the user wants it to. I can't even logically think of a way to allow a service write access to user files and yet prevent that same service from writing to that same file in a bad way. Well, unless you had some sort of defined list of "valid" modifications, and the user files were constantly being monitored, but that'd just be crazy.
So services and programs either have access to user files or they don't. If Microsoft Word goes rogue and starts screwing with Word documents, it's not a solution to disallow Word from altering Word documents, or else, what's the point?
How odd. I'm logged into an administrative account right now (on another machine) and it is not a root account.
You are one misplaced password prompt away from code elevating itself to root. Which is likely not a big issue for you, personally, but is a significant risk for the generic "you".
You know, repeating unsupported assertions over and over again doesn't actually lend them any more credibility.
Something I keep telling people all the time. Never seems to sink in, though.
You actually have to present support for them, like facts.
Are you suggesting that Linux doesn't have a relatively tiny number of ignorant users ? Or that OS X doesn't have a relatively tiny market share ?
Or are you arguing these two aspects of "security" are not significant ?
Failing to contain trojans is what happens when you let the users that exist use Windows.
Neither OS X, nor the vast majority of Linux installations, "contain trojans" in any meaningful way.
You can argue that the user has failed, but it doesn't matter because so has the OS by not being designed to work properly for said user.
Being that psychic OSes are still a ways off, I daresay you'll be waiting a while for the OS that "works properly for said user".
An Operating System does not - and can not - know what the user *wants to do*. It only knows what the user has *told it to do*. An OS can make *guesses* about what the user wants it to do, but these guesses are equally as likely to be wrong (eg: running a trojan that deletes important data) as it is right (eg: running some program).
No, I'm not saying that. I'm saying they ported TrustedBSD's MAC system and combined it in some unspecified way with application signing trust levels. It would be stupid to try to stop users from running unsigned code. It makes a lot of sense to restrict the access of unsigned code by default.
So are Apple going to break all those old, unsigned legacy applications by stopping unsigned code from doing anything interesting, or are programs still going to be able to do pretty much anything they want ? Because if it's the latter, the net benefit - at least in the short-, and probably in the medium- term is going to be basically zero.
Here's the problem with going down the path of signed apps and strict controls (which is probably the closest thing to a real, workable "security improvement" I think I've ever seen you suggest): to be effective, it must lock out pretty much any software that doesn't originate from high profile, professional, commercial software developers, released after those strict controlers were implemented.
I would have thought that Windows has demonstrated quite convincingly that good technology on its own is not enough to keep a platform from being compromised, when that technology is poorly used (if it is used at all) and utilisation of legacy software incompatible with its advantages is common.
On the other hand, Apple does have the advantage of a) a tiny, very loyal userbase and b) a ruthless approach to dropping legacy support when it becomes inconvenient. Linux, meanwhile, has the advantage of a userbase made up almost entirely of technically-proficient users and a miniscule presence on the unmanaged desktop (on the downside, it's got a large collection of advocates who make my "most security breaches are the human's fault" attitude look positively wishy-washy). So Apple might actually be able to pull off a migration to the sort of security model you're talking about in a ~5 year timeframe, rather than the ~10 - 15 it will take Windows. Linux.... Well, Linux will probably have all the infrastructure there, but it still won't be used by any meaningful proportion of the market because (like most things that come out of the OSS community) it's just so much freaking work to make it usable.
Personally, I think could help security a lot. So do Microsoft, obviously, because they've been working towards
You are one misplaced password prompt away...
You know it actually lends you credibility when you say, "I was wrong and I admit it" when you are caught making factually incorrect statements.
Are you suggesting that Linux doesn't have a relatively tiny number of ignorant users ? Or that OS X doesn't have a relatively tiny market share ? Or are you arguing these two aspects of "security" are not significant ?
I'm suggesting that no one has ever presented any evidence that marketshare is a significant contributing factor to the security of those platforms, or (if it is significant) how significant that one factor is.
Neither OS X, nor the vast majority of Linux installations, "contain trojans" in any meaningful way.
True, but neither most OS X machines nor most Linux machines are constantly being infected by trojans, so there isn't a lot of demand. It would be nice if the features used to contain trojans became more widespread and integrated on those platforms, but doing so is proactive security addressing a problem that has not really materialized yet. Not implementing them on Windows is simply negligence and lack of motivation on the part of MS.
Being that psychic OSes are still a ways off, I daresay you'll be waiting a while for the OS that "works properly for said user".
Why, OS X works properly for most people in this regard. So does Linux. It is simply a matter of giving the user enough information about what is happening and the right controls to do what they want for the tasks they normally do. There is no technical barrier to that. Psychic abilities are not needed as there are these things called mice, keyboards, and monitors.
An Operating System does not - and can not - know what the user *wants to do*. It only knows what the user has *told it to do*.
No, this is untrue. The OS knows what both the user and the OS programmer told it to do. Most users know nothing of the default settings on their computers, but they still function. In any case the problem is not one of the computer needing to do something neither the user or programmer has not told it, but of the OS needing the ability to do what the user tells it as well as the ability to inform the user when it does things.
So are Apple going to break all those old, unsigned legacy applications by stopping unsigned code from doing anything interesting, or are programs still going to be able to do pretty much anything they want ?
This is called a false dichotomy. We don't yet know what Apple is going to do, but you can bet it won't be either of the above. Most programs don't want to perform the behavior of malware, so simply restricting those behaviors by default will "break" only a few legacy apps. And by "break" I mean ask the user what they want it to be able to do and then do what the user tells it.
Here's the problem with going down the path of signed apps and strict controls (which is probably the closest thing to a real, workable "security improvement" I think I've ever seen you suggest): to be effective, it must lock out pretty much any software that doesn't originate from high profile, professional, commercial software developers, released after those strict controlers were implemented.
No it does not. Microsoft will probably got that route because it may profit them, but there is no motivation for other's to do so. Apple can maintain their own certificate signing authority and even package repository if they want. There is nothing to prevent users from adding more certifiers at whatever trust level they want. There is nothing stopping users from changing these levels for completely unsigned applications in general or for a given application. Even if a user runs a completely unsigned application they get in their e-mail, there is no reason to stop it from running by default. It can just be sandboxed so it needs explicit approval, with warnings to the user, if it tries to touch anything important or be
So services and programs either have access to user files or they don't.
That level of security granularity is no longer sufficient on Windows due to the high malware rate. The access should be calculated based upon a number of factors. First a given service or program should be granted a trust level based upon if it was a pre-instal app, signed and certified app from a given authority, signed app, or unsigned app. These should correspond to a default ACL for access to files and other resources. A good default for a signed but not certified app, might be access only to files that program itself created. Further, each program's ACL needs to be customizable. When a program wants to exceed its ACL, the user needs to be informed and asked. This should be a pretty rare occurrence for most users. "The program "IE_porn_toolbar6" wants access to access your e-mail address book This program is signed as belonging to "donkeysystems.net" but has not been certified as safe by anyone. (Stop it from accessing my e-mail addresses)(Let it read them once, but not write to them)(Let it read and write my e-mail addresses whenever it wants)(Advanced options)."
You'll note how the above message would not be triggered by 99% or more of even unsigned applications that are not malware and how the message is delivered in plain English with actions for buttons. This basic concept is a mixture of Application Signing and Mandatory Access Controls. Neither is widely used but the underlying plumbing has been available for many years. If MS had any motivation to solve their malware problem, this would take care of most of it.
This might work to some degree, but a lot of security problems occur in situations where there are warnings. All it takes is for an application to tell users, "This won't work unless you say 'ok'," and people will click on 'ok'. It might not make sense, but people don't understand computers to begin with, so if their spyware-toting emoticon program tells them to do something, they'll often do it.
In order to be reasonably successful, the ACL would need to be lenient enough that, indeed, it almost never triggered a user prompt. If users get prompted for half of their installations, they'll start clicking 'ok' out of habit.
Also, I don't know about you, but I don't want Microsoft participating in software certification, where it's hard to install uncertified software. What about open-source products, for example, which won't necessarily have money to pay for certification? Even if it just gave a warning for valid OSS, it will scare off potential users. As if the Microsoft monopoly isn't enough of a problem, Microsoft is going to control which software you can run?
I recently had a problem with Windows server 2003. under the default settings, I couldn't download programs from untrusted sites. IE just wouldn't let me, and for whatever reason, there was a bug that wouldn't let me change this setting. I was trying to download Firefox as a work around, but ever time I clicked on the link, it directed me to a different mirror, and each time the new mirror wasn't in the "Trusted Sites" list. I figured, fine, I'll download a copy of Firefox from my file server, but then there was apparently some security setting which (I can't figure this out) would report valid EXE files as corrupted if they were downloaded from the local network via SMB/CIFS. They were fine, but Windows wouldn't run them. Finally, I went to ftp.mozilla.org and got a copy of Firefox, and installed it, and then I could download the programs I needed through HTTP.
And the whole thing was stupid. I was an administrator on the machine, and it just wouldn't let me do ordinary things without effort. So this, apparently, is Microsoft's solution to security: make it hard to do simple things, even if you have an administrator account. I don't want Microsoft or their software deciding what I'm allowed to download, install, or run.
This might work to some degree, but a lot of security problems occur in situations where there are warnings. All it takes is for an application to tell users, "This won't work unless you say 'ok'," and people will click on 'ok'. It might not make sense, but people don't understand computers to begin with, so if their spyware-toting emoticon program tells them to do something, they'll often do it.
Yes, this is true, especially for Windows users. Windows has ignored the UI component of security to an absurd degree. If you ever see the choice (OK)(Cancel) then the OS has failed. This is a system that operant conditions people to click "OK." Every dialogue box should be useful, their appearance should be rare, every comment should be in plain English, and every button should be an action unique to that dialogue, like "allow this program to send mail" instead of "OK."
In order to be reasonably successful, the ACL would need to be lenient enough that, indeed, it almost never triggered a user prompt. If users get prompted for half of their installations, they'll start clicking 'ok' out of habit.
Yeah, users should always have to read the button to decide which option to pick. As for the rarity, they need to be rare and so do other dialogue boxes. A start would be removing all the dialogues that only have the option "OK" as they are useless and don't give the user any choice. They serve only to make other dialogues less effective. Realistically, however, most people do not install many items of software on their computers, so this sort of a prompt would be fairly rare for the average user. It will take some time to uncondition everyone, but the sooner we start the sooner it will make a real difference.
In order to be reasonably successful, the ACL would need to be lenient enough that, indeed, it almost never triggered a user prompt. If users get prompted for half of their installations, they'll start clicking 'ok' out of habit.
Agreed. On Windows, Microsoft needs to bend over backwards to make such a system available to all developers and certifiers, including open source projects by default if they wish to avoid breaking antitrust law. I have no confidence at all that they will do this however. Luckily, other OS's will move this way and perhaps take some market share.
And the whole thing was stupid. I was an administrator on the machine, and it just wouldn't let me do ordinary things without effort. So this, apparently, is Microsoft's solution to security: make it hard to do simple things, even if you have an administrator account.
Yeah, making risky behaviors difficult is a flawed security design. The projects that have implemented this so far, like Solaris, SELinux, TrustedBSD, etc. have taken care to make sure the user can alter the default trust levels for different types of software and override those defaults for any given software, without any difficulty. I'm actually counting on Apple to do this properly and then have other's copy the UI they develop for it. They had documents about a MAC and application signing framework in their OS X 10.5 info for developers right up until two days ago when it vanished from their site. Hopefully this does not mean the feature was yanked, but only hidden until the announcement.
A start would be removing all the dialogues that only have the option "OK" as they are useless and don't give the user any choice. They serve only to make other dialogues less effective.
Unfortunately, most developers seem to like to use unnecessary buttons and dialogs. They like EULAs, and adding things where you have to click "next" or "ok" without any real options, but where there's an introductory screen, a warning, or something you're supposed to read. But nobody reads them. How many times do I have to click to perform a default install of a simple program? I haven't studied it, but most of the time I feel like it's usually more than 5.
You know it actually lends you credibility when you say, "I was wrong and I admit it" when you are caught making factually incorrect statements.
When I make a factually incorrect statement, I'll consider it.
I'm suggesting that no one has ever presented any evidence that marketshare is a significant contributing factor to the security of those platforms, or (if it is significant) how significant that one factor is.
"Market share" is a term used to capture the aspects of Windows's market presence that make it more widely compromised than any other platform. In particular, a high number of relatively ignorant users and a large number of machines, but additionally the greater ROI offered to developers of malicious code, the increased rates of infection, the greater level of damage, the greater level of visibility, the greater average age of installed machines, and so forth.
Market share does not have any influence on how secure a platform is relevant to objective measures. What it *does* have a significant impact on is the attractiveness, number, frequency, longevity and impact of exploits, when they occur - and since that's how everyone seems to measure "security" (especially on Slashdot), *that* is why market share is a significant factor relevant to a platform's "security".
So long as the market is using the term "security" in the way that it currently does, market share is an inescapable and significant factor in measuring that "security". Should people start measuring "security" using objective, neutral metrics, then the influence of market share will be reduced.
True, but neither most OS X machines nor most Linux machines are constantly being infected by trojans, so there isn't a lot of demand.
This does not change the fact that neither OS X or Linux "contain trojans", nor that "containing trojans" is a very difficult problem to solve.
It would be nice if the features used to contain trojans became more widespread and integrated on those platforms, but doing so is proactive security addressing a problem that has not really materialized yet. Not implementing them on Windows is simply negligence and lack of motivation on the part of MS.
Or it simply can't be done while retaining sufficient levels of usability and backwards compatibility.
This is called a false dichotomy. We don't yet know what Apple is going to do, but you can bet it won't be either of the above.
No, we don't. We do, however, know that if unsigned/unknown programs are restricted in any meaningful way, it's going to be a *lot* of applications that get broken (albeit likely proportionally less on OS X and Linux).
Most programs don't want to perform the behavior of malware, so simply restricting those behaviors by default will "break" only a few legacy apps. And by "break" I mean ask the user what they want it to be able to do and then do what the user tells it.
The problem is that most of the things malware does *is* - or was - considered quite innocuous, on its own.
No it [restricting who can sign/certify applications] does not.
Yes, it does. Because when any old Tom, Dick or Harry can have their piece of software "approved", every old Tom, Dick and Harry are going to be writing malware that conveniently circumvents all this security simply by virtue of the OS trusting it.
Apple can maintain their own certificate signing authority and even package repository if they want.
Apple are large, known, commercial vendor. Ie: a poor counter example to my point.
There is nothing to prevent users from adding more certifiers at whatever trust level they want. There is nothing stopping users from changing these levels for completely unsigned applications in general or for a given application.
At which point we just get back to the situation as it exists now - users can run any code they want that can do anything it wants.
Even if a user r