Slashdot Mirror


NYT Security Tip - Choose Non-Microsoft Products

Giorgio Maone writes "The New York Times article 'Tips for Protecting the Home Computer' follows a story we recently discussed about the proliferation of botnets, and contains some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ... Alternative browsers, like Firefox and Opera, may insulate users ... NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC'."

25 of 298 comments

  1. So Markoff Doesn't Care for Microsoft by eldavojohn · · Score: 5, Interesting
    > ... some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ...
    I don't find it that unusual. I mean, I recall a bunch of articles in other newspapers talking about and recommending Firefox. I've also read many magazines & seen television news on the lack of viruses on an Apple.

    I must admit that initially I was a bit humored by the idea that a New York Times author had a right to caution me about computer usage. But when I looked up his credentials, he seems to be a qualified and experienced tech writer who probably has good advice for the general public. Granted, his last recommendation: "Don't click if someone offers you something too good to be true. It is." worries me that people may be wary of certain open source projects but in the end, I'd agree that I'd tell my sister and friends just not to install anything and to ask me for specific links to programs that solve problems or fill needs.

    In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think it's news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade-offs and better coverage of issues.

    So Markoff doesn't like the benefits of running Microsoft software. So what?
    --
    My work here is dung.
    1. Re:So Markoff Doesn't Care for Microsoft by DJ+Rubbie · · Score: 4, Insightful
      > In the end, it's a very short article and doesn't provide a very comprehensive picture of security for a home user. You may think it's news that Mr. Markoff decided to push people away from Microsoft but he's only telling you the facts about the numbers. You won't have as many problems with Linux but there's no way your daughter's iPod will work with iTunes Music Store on your computer anymore. If he wanted to make this a notable article, he should have delved into trade-offs and better coverage of issues.

      While we all want people to run Free Software (at least a Free OS) all the time, it's just not practical right now. His advice could mean, use a Mac, which is what I have been recommending to people I've fixed computers for, despite the fact that Linux/BSD/GNU may be better for the long run. iTunes works with Mac, and so do quite a few other programs (not talking about DirectX games). The common sentiment for people who switched from Windows XP to OS X is usually, why did I use that crap before? Especially when they went to a Windows based computer for whatever reason. I recently got my mother set up on a computer (who never used one before) and I installed Linux, and she thought it was easy enough to use. For a non-power user who just casually browses the web, email, maybe Skype for VoIP, Linux is good enough. For people who are used to proprietary software and not wanting to change, OS X might be a better choice.

      --
      Please direct all bug reports to /dev/null
    2. Re:So Markoff Doesn't Care for Microsoft by fyngyrz · · Score: 5, Insightful

      Let me put it to you this way: I sell Windows software for a living. Not Mac-ware. Not yet. Still, I recommend to everyone I know that they get a Mac. I can't, in good conscience, recommend Windows. Malware, yes, that's certainly a huge problem. DRM issues in Vista are another (such as degrading audio if unsigned.) Ridiculous license terms are another (no virtualization for home? Change your hardware, lose your authorization? Ridiculous!) Constant reboots and restarts are another. Incorrect configuration out of the box is another - not just privileges, but what is running and what is not, what is turned on and what is not. As near as I can tell, the key Microsoft OS policy is "Wreck the user's day. Every day."

      --
      I've fallen off your lawn, and I can't get up.
    3. Re:So Markoff Doesn't Care for Microsoft by Helldesk+Hound · · Score: 4, Insightful

      > So Markoff doesn't like the benefits of running
      > Microsoft software. So what?

      What benefits?

      I am not totally convinced that automated silent virus/malware installation is a "benefit".

    4. Re:So Markoff Doesn't Care for Microsoft by Anonymous Coward · · Score: 5, Insightful
      > I am not totally convinced that automated silent virus/malware installation is a "benefit".
      How about the benefit of being able to waltz into your local store (WalMart, Best Buy, whatever), pick up software or a peripheral device and see that it is supported and can run on your home machine?

      For some people that's the only benefit they care about.
  2. Noscript is one of the best reasons to run Firefox by Beryllium+Sphere(tm) · · Score: 4, Informative

    The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

  3. Re:ah yes... by Aurisor · · Score: 5, Insightful

    Funny, where I come from, we call that the "don't use insecure products" solution.

  4. Re:ding! by MillionthMonkey · · Score: 4, Insightful

    Does this mean the main stream is finally (slowly) catching on to the reality of choices? It would make my day if the world would wake up and realize that they have options when they sit down in front of a computer.

    Users don't like having to make choices about the innards of their computer; they just want shit to work.

  5. Re:ah yes... by someone300 · · Score: 4, Insightful

    This isn't security through obscurity. Security through obscurity would be saying "I'm safe because I run Windows and it's closed source". This is the claim that uncommon software is more secure because there are fewer exploits. While untrue mathematically, the reality is that you are still currently less likely to be exploited when running Mac OS X or Linux since script kiddies don't really care about you so much (for the same reason game developers don't, incidentally).

    Same is true for biological systems - diversity is a good thing as it is less likely to be infected with a disease. Genetic diversity implies a more robust "operating system" species that's harder to destroy. Remember all the hell around the blaster worm. Imagine that MS, Apple, RedHat, Ubuntu... only had 10% marketshare each... it'd be bad, but not nearly as bad as it was.

    If you're talking about a focussed professional attack on a specific system: to be honest, the OS you're running is probably pretty insignificant; the chances are there's a simple admin error somewhere along the line.

  6. Re:Noscript is one of the best reasons to run Fire by Nasarius · · Score: 4, Insightful

    NoScript is nice, but it could use a large default whitelist, something like the AdBlock Plus subscription options. It gets pretty tedious to allow every site manually, especially when some only break in subtle ways.

    --
    LOAD "SIG",8,1
  7. Re:Alternative browsers = more secure? by Frosty+Piss · · Score: 4, Insightful
    We hear this suggestion all the time, but the reality is that the reason Firefox and Opera are "more secure" is that there are less people using them. Their market share isn't worthwhile to the commercial malware authors.

    Is this really true? Anecdotal pronouncements like this never seem to come with any references. Everyone says the sky is firmly in place, but how many have looked up recently? It's falling at an amazing speed!

    --
    If you want news from today, you have to come back tomorrow.
  8. Microsoft Astroturf by PavementPizza · · Score: 5, Interesting

    There's only been 9 comments on this story at the time of this writing, and yet the following tags are already up: "flamebait, nytfud, troll". These guys work fast, don't they? What's flamebait, trolling, or FUD about this article? Avoiding Microsoft products is a perfectly prudent move, if you can. Is it untrue to say that Mac and Linux users are safer on the internet than Windows users, or that Opera or Firefox users are safer on the internet than Internet Explorer users? Far from it. It's demonstrable fact.

    --
    Viper is the preferred editor of the Emacs operating system.
  9. Re:ah yes... by spykemail · · Score: 4, Insightful

    It's all about diversity! If everyone has the same exact program running under the same exact OS with the same exact security flaw one blackhat can ruin millions of people's day with one little hack. Nature knows how important diversity is, hell, economic systems are supposed to know it too. It's unfortunate that Microsoft continues to be allowed to operate as an illegal monopoly based in the United States.

  10. You people just don't understand the paradigm by straponego · · Score: 4, Funny

    Microsoft wants to empower its users, and everyone else, for that matter. Don't you see how convenient it is that MS products treat every piece of data they ever come into contact with, no matter where it's from or whether it's a video, sound file, Office document, image-- whatever!-- as an executable? It's just like how you pick up every piece of garbage you see and put it in your mouth because it might be food. That's the taste of Freedom!

  11. Think about it by WindBourne · · Score: 4, Insightful

    The first part is simply google for crackers interviews and see what they say. They will always tell you that they go for what is easy. Why? Because a number of them are there to make money and time is money. If the systems were equally easy to attack, then yes, go after the most numerous. But when one has so many easy points, then you pursue it rather than the ones that are difficult.

    The 2nd part is compare bank robberies to 7-11 robberies. Back in the 60's, banks were robbed. Why? Because they were easy and had lots of money. But then in the 70's, the banks took actions and made it difficult. They still had the money, but it became very difficult to rob them. So the robbers turned to convenience stores who had say a thousand dollars (acceptable), and were easy. At first 7-11 ignored it, but then their ppl were being killed. So they made it very hard for robberies to get a thing. Now, banks and 7-11 are == difficult, so the robbers are back after banks. Why? Because if you are going to risk it, then go for the big score. Interestingly, the banks now limit how much money is available to the tellers as well as every teller has a loaded stash.

    So what does that mean for Windows vs. OSS? While Windows is easy to crack, everybody will hit it. If ever it becomes >= to *nix in terms of security, then *nix will be hit, because overall, there is much more money on the *nix systems. And if *nix and Windows become better than mainframes, then they will turn to there because there is REAL money.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Think about it by WilliamSChips · · Score: 4, Informative

      In addition, in server space the numbers are much more even, and Apache/Unix servers outnumber Windows/IIS servers. Yet all the server malware is for Windows NT-based servers and not Apache/Unix based servers.

      --
      Please, for the good of Humanity, vote Obama.
  12. Re:Noscript is one of the best reasons to run Fire by Bob54321 · · Score: 4, Insightful

    I use NoScript but my wife found it very annoying that all the sites she wanted to visit would not work without having to allow them first. I don't think recommending it to the average home PC user is very helpful because they will just think that it broke Firefox.

    --
    :(){ :|:& };:
  13. Re:ah yes... by cryocide · · Score: 4, Insightful

    The product is only as secure as its users. If the mainstream Windows userbase switched to Linux, they'd take their bad habits (neglecting security hole patches, installing supposedly-required software to view web pages, logging in as root by default, etc.) with them. Linux would be the new hot target for malware. The same goes for OSX or any other operating system. Sure, there would be fewer holes, assuming that people made sure to apply the appropriate security patches, but we're assuming again that they wouldn't take their bad habits with them again, aren't we?

    These are the people who click OK just to get the box to go away. No operating system is going to save them from themselves without removing the luxury of convenience they insist on keeping.

  14. Re:Noscript is one of the best reasons to run Fire by El+Cubano · · Score: 4, Informative

    > The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.

    Amen to that. I use noscript and I have lost count of how many sites fail completely or outright refuse to load if JS is disabled. The number of sites which degrade gracefully is sadly quite small. If every browser had this, maybe web developers would finally get it through their thick skulls that JavaScript is best utilized to enhance the user's experience. Obviously, there are some exceptions, like AJAX applications and the like. It bugs me so much that I have never developed a site that did not degrade gracefully in the absence of JS. In fact, the only way the user would notice something was different was if they had first seen the site with JS and then later without or vice versa. Some of the worst offenders are the "major" tech companies. Try logging into Yahoo webmail with JS turned off to see what I mean.

  15. Nothing's more Fragmented than M$ GUI. by twitter · · Score: 4, Informative

    I think your argument of "It's so simple a 5 year old can do it" is flawed for one big reason: The five year old isn't used to using IE.

    You must have missed this article, complete with screen shots about how inconsistent the M$ GUI has become. Just look at this screenshot. I thought the differences between KDE, Gnome and other toolkits was bad but that's way off, M$ has no excuse for the fundamental differences seen in their own tools. Why would you ever throw a new user into that mess? The worst part is how frequently they change the interface. No one else does it more.

    I'll conclude with

    with Microsoft applications, there's a feeling that, by and large, the only UI guidelines that Windows applications adhere to is "what we feel like." (I know Microsoft has a lot of UI guideline information, but since no one seems to follow any of it, I'm not sure what the point of it is.)
    --

    Friends don't help friends install M$ junk.

  16. Re:ah yes... by MoxFulder · · Score: 5, Informative
    > The product is only as secure as its users. If the mainstream Windows userbase switched to Linux, they'd take their bad habits (neglecting security hole patches, installing supposedly-required software to view web pages, logging in as root by default, etc.) with them. Linux would be the new hot target for malware. The same goes for OSX or any other operating system. Sure, there would be fewer holes, assuming that people made sure to apply the appropriate security patches, but we're assuming again that they wouldn't take their bad habits with them again, aren't we?

    I disagree completely.

    Windows makes it easy to practice these bad habits... default Administrator login, programs that don't work correctly when run without Admin access, ActiveX, etc. Contrast this with, say, Ubuntu... an excellent Linux distro even for newbies: by default the root account is disabled, when you want to do something system-altering (e.g. temporarily gain root access), you have to put in your PASSWORD, not just click "Okay". The whole thing is so well-integrated that these password prompts aren't annoying or confusing. The system in general tries to explain to you what you're doing when it's something unusual.

    Furthermore, most Linux distros are based on a central software repository which is supported, or at least approved, by the distro's developers. When you install open-source software from this repository, you can have confidence that you're not going to get spyware... and if you're running the stable distribution you can be pretty sure that you're installing software that has been thoroughly debugged as well--as opposed to some IE toolbar crap rushed out the door after a week's dev time.

    I also think that Firefox 2.0 is far superior to IE 6 (haven't used 7 yet) in terms of alerting the user to potentially dangerous actions. When you install extensions, Firefox adds a 5-second time delay before you can click on "OK" to force you to actually read those stupid pop-up boxes. It detects suspicious obfuscated URLs, won't run downloaded executables without additional intervention, and checks HTTPS sites that improperly mix secure and non-secure content.

    So I *do* think that PC security would improve substantially if the Windows userbase switched en masse to Linux. Granted, there'd be some of the problems with people doing stupid things and not reading warnings, but I don't think it'd just be same-old-same-old...
  17. Heh by Xenographic · · Score: 4, Interesting

    Don't you recognize his reasoning? It's not based on facts, it's based on the theory that both programs have bugs, therefore they must be just about as secure as the other.

    Never mind the recent story that Firefox was vulnerable to a critical (one where "visit bad web page" == pwn3d), unpatched, published exploit for all of 9 days last year (IE was vulnerable for 9 months). This is called a "vulnerability window" and is an important part of any security assessment attempting to measure how secure bits of software are without having to rely on vendor claims. Obviously, that's too quantifiable for use with such a reasoning process. Then we have to reason about all the exploits that aren't public, as if people can silently exploit computers en masse with private exploits and no one will notice. Sure, if they're not interested in a botnet of random computers, they'll stick to targeting specific people and keep their exploits quiet, but that doesn't really impact the security of the population in general. It's also funny that people have this perception sometimes that they only visit "safe" sites. Even assuming they're not one of the porn viewing public, and that they never install smilies or screen savers (great way to get infected) or other such crap, that ignores that we've seen major advertising networks get compromised and serve up exploits. Not to mention the shady ad networks that do that deliberately...

    Ironically, when it comes to open vs. closed source, it's usually argued that open source helps make the vulnerabilities more public, so that puts things even more in Firefox's favor. So to argue that IE is even as secure as Firefox requires you to use ridiculous metrics touted only by PR departments in media releases.

    So yes, it's true--Firefox does have bugs. There were even 9 days last year when you could've been 0wn3d by an unpatched exploit (assuming you haven't learned to use the noscript extension). But there's no way to hide the sheer magnitude of the difference: 9 days vs. 9 months. Yeah, they can improve. Maybe they'll even manage to do things a lot better. And maybe you can find a few things to quibble with in that story. But the fact is that Microsoft has a terrible security record. Period. No one else is perfect, sure, but let's call a spade a spade here instead of being distracted by a dirty hoe :]

  18. Ultimate Firefox Add-Ons for Privacy/Security by Dark+Coder · · Score: 4, Informative
    As someone who actually IS worried about impending JavaScript exploits carrying trojans, I have within my Firefox the following Add-Ons (which come pretty close to perfect security), but still require a modicum of user awareness during web surfing.... The following Add-Ons are good for Windows, Linux and supposedly Mac OS X.
    1. CookieSafe
    2. Adblock Plus
    3. Flashblock
    4. httpOnly
    5. SafeHistory
    6. SafeCache
    7. IDND
    8. Link Alert
    9. BlockSite
    10. Master Password Timeout
    11. no-referrer0
    12. NoScript
    Other useful support Add-Ons are:
    1. SwitchProxy Tool
    2. User Agent Switcher
    3. Adblock Filterset.G Updater
    For Linux users, I also have this useful add-on:
    1. MediaPlayerConnectivity
  19. Re:ah yes... by Da_Weasel · · Score: 4, Insightful

    I'm a firm believer in the theory that regular users need System Administrators. Maybe home users do too. If I could come up with a business model for a company that provided System Administrator services to home computer users I'd be rich!

    --
    If you must!
  20. You're so wrong by chorltonian · · Score: 4, Insightful
    Compared with, for the sake of argument, Linux. I have no experience with OSX so can't comment.
    1. Most OEM installations of Windows will have administrator as the default user, not requiring any logon at startup. In most Linux distros, you are dissuaded or even cannot do this (e.g. Ubuntu), instead you work as a non-root user and sudo to do admin tasks.
    2. Even with SP2 Windows XP enabled the infamous NetBIOS file and print services, just for one example. Nice summary of this and other "features" here
    3. A Windows user can readily execute an EXE or VB script etc, e.g. a dodgy email attachment or download from a shady website, simply by double-clicking it from Explorer. Depending on the level of access to resources (see 1) the system may be totally compromised. In Linux by contrast, executing anything beyond what can safely be installed through the software repository requires knowledge of setting file permissions (and often how to build and install from source).
    4. Similarly for ActiveX, given the user confirms they want to run it, the system is left totally open to abuse.
    Small wonder all the spambots, key loggers, spyware and viruses out there in the real world live in Windows, right? It's not simply because of Windows' popularity, doesn't the Mac have 5-10% market share?