Security Isn't Just Avoiding Microsoft
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago. There are a lot more Chevys around than BMWs, but I bet that more Chevys are stolen because their "security features" are easier to get past rather than just because they're more prevalent.
If the Apple/Windows market positions were reversed (or Linux/Windows for that matter) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
>Jay Singala noted a story which points out
...
Pity Jay didn't provide a link to that story
1 in 4 Maine children in struggle with hunger.
Isn't there supposed to be a link to a story? Am I missing something here?
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
I'm sure it's a fascinating story, but I can't read it if you don't provide a link.
Is it any particular story, or was the source far too uninteresting to do anything other than lift a completely unattributed quote from?
How would life without Microsoft be different?
WHY DON'T YOU TRY IT AND FIND OUT?
On desktops, I run myself and have administered studios of Macs 24/7 (at least 50 machine years or more) and I've seen no malware of any description since the 1980s. How does your Windows experience compare with that, numbskull?
On servers, I run Linux, Solaris 10, and even SunOS 4 for a year or two, for perhaps 100-200 server years (haven't counted them lately), on the public internet, with zero security incidents. Like those apples?
The options have always been there. Just use them and FIND OUT FOR YOURSELF what the difference from the Microshit ghetto is.
Life's too short for Microcrap.
you had me at #!
I guess this just means that the editors have come to realize that, since no one actually reads the stories posted here before bloviating, it's just more efficient to omit the story entirely.
NEXT!!!
This smells of the anthropic principle...
-1 not first post
This is slashdot. Nobody RTFA's here. He's just removing the charade.
(Score 5) Troll
It doesn't matter what OS, there is always a security risk. Although, have another vendor sell a similarly functional OS as Microsoft with the same software/games available to them, you would see that most likely the system would cause less headaches. But nevertheless it would still be a cause of security issues. But we should pose the question, is Microsoft prepared to give up some of the functionality of its software to try to eliminate the chance that feature might turn out to be exploitable? On the other hand, how would life be without people trying to exploit those 'features'?
If Microsoft is gone, someone else will have the biggest share of the market and thus make the biggest, most appealing target. It helps that Windows is perceived as more vulnerable (though it can be argued it isn't - not that I hold this position myself), but surely some of that is due to the combination of more attacks against it (more home users and businesses) and a less-than-instant response to security holes.
Whoever the biggest name in a Microsoft-free world was (assuming they were the biggest in a similar kind of space with businesses and home users, not biggest like the bajillion flavors of *nix kind of way), I'm sure things would be the same, and only the details would vary.
Evolution ceases when stupidity can no longer be fatal.
I for one welcome our new hypothetical non-existent overlords.
-1 not first post
MS's problem is they haven't had a real rival in years. They are so used to being the top dog they forget how to fight. It's the same way guys who work up from the bottom suddenly develop amnesia of exactly how difficult it was to get there until using "I came from the streets!" is going to help them in politics of some sort.
Things would be no better with any company having Microsoft's history, but that doesn't mean MS was set on its current course through fate or whatever else you wish to call it.
I like muppets.
what life without Microsoft "at all" would be like?
It's hard to answer, but it's possible that the market has room for a cheap, low security alternative, and a more expensive, high security alternative - because regular users just aren't aware of how unsafe their personal data is, and how valuable it is. So we would see something similar to MS Windows taking its place.
Or, we could see less people with computers. Or whatever, my point is without the article it's hard to know what the appropriate counterfactual is, but it shouldn't be taking everything else as it is today... Surely without MS in the picture, Apple/Mac would be different?
This is the 3rd or 4th story in as many days that positively SCREAMS troll.
1. Find a common belief of Slashdot
2. Whine and bitch about "Slashdot bias" while not even understanding the point
3. When you don't get modded high enough for your complaining, find some blog that agrees with you
4. Get story linked to on Slashdot
4a. In this case, not even a link
5. Page Hits
Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.
Can we try for some actual stories now?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
He's just attempting to up magazine subscriptions. Note the credentials - CISSP. A CISSP writing an article about security is about as useful as a Liberal Arts major writing about quantum physics.
> How would life without Microsoft be different?
Think of lusers not using an Internet browser that sends "User-agent: RAPE ME LOL" every time they browse for porn in the stupid way they always do.
Think of lusers not running their OS in god mode when they couldn't tell a computer and a refrigerator apart.
Think of lusers not having a POP email client complete with an awesome support for scripting spambots.
Think of lusers having software written by people who give a damn about security (and functionality), not by businesstards who just want to lure lusers by offering stupid interfaces they saw in Star Trek.
You can ask any questions you like, but facts speak for themselves: if you get rid of MSIE, Outlook Express, MSN Messenger, and Windows altogether, you could be the worst systems administrator ever and you still wouldn't have 1/10 the security breaches and incidents.
(I, however, recommend getting rid of screensaver collecting, iTunes using lusers first.)
I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.
Microsoft is insecure because they try to juggle security, performance, and being idiot-friendly. Windows is largely the dominant OS because people found it easier to use and more available than the alternatives in the mid-90s when the computing boom took place.
Now, MS is having to balance coddling those users who don't know jack about their OS and keeping the OS secure. Added security generally means more steps (or the same number of more complicated steps) to accomplish the same task.
I would contend that it was Windows' lack of security that made PCs accessible to the masses in the first place, in that during the 90s Windows was the *only* operating system for the "I just want it to work" crowd. Unless you want to argue that OS 7/8/9 was equally functional...in which case I'd argue that you haven't had to deal with it enough and didn't live in an area where Mac software simply wasn't sold in the days prior to commonplace broadband.
120 characters for a sig? That's bloody useless.
What would life on the Internet be without scriptable office documents/spreadsheets, email, web sites, and be like? A whole lot safer, regardless of the Operating System.
..when it ENTIRELY MISSES the POINT of the submission. It's as if you didn't bother to read TFA and just posted whatever rabid anti-M$ bullplop you could think of...wait, that actually sounds like pretty standard fare. Carry on.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
freeweed writes, "Microsoft secretly paid astroturfers to submit anti-Linux stories to Slashdot, as the following [link to freeweed's blog] story [/link] reports. ... "
Tsunami -- You can't bring a good wave down!
Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.
... on and on. Please try disabling anonymous access on a windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the windows NOS stops working.
Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network
This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.
If not for microsoft, consumers might have saved billions on hardware by removing the microsoft tax. Dozens of smaller companies might still be in business.
If not for microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than active directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a different password policy....
If not for microsoft, the first thought on computer security might be something other than a virus....
If not for microsoft, the word "rootkit" might not exist?
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Got that? It's all about market share. There is no such thing as "security".
If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.
I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.
He is an idiot. He doesn't even define "security" before he says that it doesn't exist.
My definition is: Security is the process of evaluating threats and reducing their effectiveness.
You're an idiot.
So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000
Why do I get the feeling that this guy just bought stock in a training company?
If that approach was effective, we wouldn't have the problem we have today.
Sure Windows is a security nightmare, but the real problem is that just about everyone is content to use the same system as everyone else. Diversity is required for culture-wide strength. As much as the internet's proclivity for niche marketing has encouraged everyone to explore their individuality, most of us remain oddly content to behave nearly identical to everyone else. In a hypothetical world where 285 most-used operating systems compete on a wide variety of creatively different architectures, the issue of security of any one of those systems would be greatly diminished, and, as an added bonus, walking in to an average computer store would actually be exciting.
True, security isn't just about avoiding Microsoft.
But avoiding Microsoft is a good start. :-)
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
If you're just another corn stalk in a huge field, when the stalk 3 rows down breeds a new virus/bacteria/mold that you and the rest of the monoculture have no defence for, you're screwed.
That's part of why I run my home server with NetBSD on MIPS, and without the 'leading' servers for DNS, Mail, & http.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
A 90% dominant market share is simply wrong and will cause problems in almost any situation.
my other sig is a 500 page novel
information security training and awareness programs for people like janitors may be hard to do as some of them work for outside janitorial services and even then some of them don't speak English that well.
This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system. " makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?
> Networks in a world in which Apple had won the operating systems wars would still be insecure.
Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.
> If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.
Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.
> User errors have long been the bane of security.
No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.
> So, what needs to be done? You must require users to attend formal information security training and awareness programs.
Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.
Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple hours of training before we will see a widespread difference.
Next time could you please choose a more loaded headline?
Thanks!
... but is a very good starting point. It is the main major vendor that has somewhat, in one way or another (design choices, big implementation holes, monoculture, etc.), always been the "weak point" of the internet, the unsafe-by-default case study.
But even with a secure environment from the start you can make things very unsafe (i.e. using trivial passwords in open services)
It is NOT about market share. It is about ease of penetration. There are MORE than enough *nix systems that if they were easy to crack, then they would be. If nothing else, notice the .php/.asp world. Most php runs on *nix. They are attacked because it has been easy. Fortunately, the damage is limited, but it still allows such things as stealing information including credit cards and individual information via sql injection.
I prefer the "u" in honour as it seems to be missing these days.
This guy has one fault: faulty logic. Systems are not being attacked more under Windows because of user error, it's because of the holes in the OS. Training is not the main issue with security today, it's an operating system which continues to have a paradigm of an insecure kernel. Layering is a mantra of security, it's not by Microsoft
Finally, this "theory" should be quantitative, I question if sites which are linux only have the same number of vulnerabilities as Windows only. Why doesn't he give us some examples?
My summary: I am ashamed to have the same certification as the author.
Where the uninformed wax on about something that can't be known with a useful degree of certainty. The whole "market share" argument is difficult if not impossible to demonstrate. Sure if you gave Linux, etc.. the same exposure to hackers (which in the case of servers I would argue that Linux has had this) you might have people complaining in the same way that people complain about MS. However that is both a) A red herring - it's not how much people complain but how much more secure they would be and b) It's a sub-moronic argument. You can just as easily say "In that case it might be so much better that there would be no real market for people like Ben Rothke". Hard to demonstrate one way or the other isn't it?
Ugh and this is from a CISSP? How does someone become a senior security consultant without knowing squat about logic?
"Security isn't just avoiding Microsoft..."
Sometimes a double negative can sum it up best: "but it isn't *not* avoiding Microsoft..."
Love many, trust a few, do harm to none.
True, "Security Isn't Just Avoiding Microsoft", but that's a helluva good start.
When we optimize code, we don't look in the part of the code that the program spends 5% of its time doing, we look where it spends 80%. Microsoft stuff is incredibly insecure, both because of bad design and because there's little in the way of restrictions on amount of crap those boxes do.
Scrub them out, and a huge amount of security issues go away.
Then, THEN, you worry about the other stuff. And yes, then you actually DO worry about that other stuff.
All he said was I've actually tried the alternatives and the author has overstated things by a lot. Only on Slashdot is an entirely reasonable argument modded as flamebait by those who would defend Microsoft no matter how unreasonable the defense.
Davis http://davis.foulger.net
Apps that were designed back in the 9X and 3.1 days, when there was little to no multi-user, admin vs. user, common dirs, and so on.
Apps that need admin so they can auto update themselves
A/V apps like Norton home that need an admin user logged in for it to be able to get the updates.
Game copy protections that need admin to run; there should be other ways to do this without messing with the IDE drivers or needing admin just to check if you have a good copy of the game.
It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updates and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be set up to auto-run in the background at system level. Also, MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000, and you need to run that to get the Optional updates.
Also put the full video drivers on windows / M$ update.
I'd support this new category of mod points.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
...it's burying Windows completely in a 43 foot hole in the ground (rocks and boulders should be fine).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Even as a MS Fanboi, I found this article woefully shortsighted. Anyone who's tried to move or even talk about Security Policies apart from "change your password every X days" knows it's a political nightmare. For someone such as myself, it's a great way to make sure I never look bad not having a project completed. All I do is submit a policy (or acceptable usage) surrounding whatever project I am working on. When my boss comes around asking "Why isn't this project done?" usually the response is "Your boss hasn't approved the policy surrounding the project". The suits will take between 1 - 2 months to get the finalized document back and by that time I've had plenty of time to correct any minor problems.
The argument has been out for a very long time now; "Any OS with this much market share would be subject to an equal number of attacks and breaches." But it's a weak argument; many point this out. The reason I'll pitch to the forefront is this: we have no evidence that it's true, and until another operating system has 80% market share for two decades, we simply won't have a baseline to compare.
What I find lamentable is that this article takes what might have otherwise been a good opportunity to echo a tired suggestion. Rather than denying it is impossible for anyone to do as well as Microsoft has, perhaps it would be important to drill down to some real reasons why MS has had so many issues, and why another OS - regardless of the technical features - might have similar difficulty. The number one reason I can come up with - off the top of my head - is feature management. 80% of the market is large. Huge. Gargantuan. There are many users with many wants, but they all want certain common ground across which all of them can function. They are asking a central authority - Microsoft - to provide that. Unix simply has not had that sort of crushing demand put on them, and I find that a more compelling argument than one whose support is based on a hypothetical. Microsoft has tried and not always succeeded to meet that demand while providing the features requested securely. Nothing is perfect - but they challenge anyone to do it better.
If Microsoft has faith in their product, they'll have faith that people will try, and fail, to do it better. If they don't, they'll reduce themselves to distractions and hand-waving - and the people making their money off of MS will throw any argument out there that will draw the least bit of attention away from their lack of confidence.
[Ego]out
I like how this guy is pretending like he's busting some giant myth, when really he's just peddling the standard low-market-share-equals-security myth.
The article, and many of the comments seem to think a system is either Secure or Insecure. I.e. it's either Perfect or Imperfect. The article talks about every system having holes, blah blah blah.
I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.
My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.
AccountKiller
'If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux'
Ok, given the number of web servers out there as reported by Netcraft, why aren't there 56% Linux breaches as against 31% MS?
davecb5620@gmail.com
I've been running windows since 3.1 and have never been affected by any malware. How did I manage that? Common security practices that you MUST adhere to in any operating system.
1. Firewall yourself (and your network)
2. NAT your clients
2a. Hey NAT your servers while you're at it!
3. Don't run bins or web pages you aren't sure about
4. Only open ports on your FW that you know are secure
If you fail to do any of these things on ANY operating system you will get screwed eventually. Why is Windows so insecure? High volume of bad bins and www's that take advantage of 'stupid users'. I can sum it up this way: If you want to secure windows you need to know a lot about computers. If you want to even USE *nix you have to know a LOT about computers, and even more if you want to secure it. If you want to use a mac, you'll need to know how to operate a TV, but don't expect to have as many bins or help with the bins that you can't get working. Security through obscurity is a double edged sword. Obscurity means you get less attention from malware writers as well as niceware writers. If you were a crook would you rob the bank with 90% of the money or 10% of the money? And finally a shameless plug for FreeBSD * stable IPF/IPNAT!
I personally welcome all flavors of OSes and all their attached vulnerabilities as long as the 800lb Gorilla known as Cisco continues to reign supreme! The majority of exploits can be controlled at the network level if you know what you are doing. Virii? Try attaching a QoS policy to a virus that gives it no bandwidth to work in. Self defending networks are the future!
One big advantage of an open source OS is the source. Unfortunately, not everyone has the skill to take advantage of it. I do, and I have used it to close up holes that I have found. But that required C programming skills on the part of a system administrator. That is a combination that is all too rare and unlikely to ever be corrected.
One big advantage of a portable OS (which does not require being open source, though that helps) that can run on a different architecture is that binary code incompatibilities can block a lot of exploit attempts, revealing them in logs in many cases. I remember running an IMAP server online back in the late 1990's with an unpatched exploit on a Sun Sparc machine. There were numerous attempts to break in. All failed because the exploit code was for Intel x86. If architecture diversity existed, of course, crackers would have to change their habits. But that would slow them down and eliminate some of the lesser knowledgeable (e.g. many script kiddies).
What do you think would happen if Microsoft chose to open source their entire operating system with the right for a licensed user to rebuild it entirely from source for their own use (not just an inspection source)? We might see bugs and exploits reported back to Microsoft that included tested patches. I know this is possible because I did that with IBM's mainframe operating system VM/CMS back in the late 1970's to early 1980's, with those patches coming back in later releases.
now we need to go OSS in diesel cars
Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.
Possibly. But that doesn't take into account bad security designs.
As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.
Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.
But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.
I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.
Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
HELP! Vista blocked this link and all my Favorites. HELP!
I don't think that the removal of Microsoft as a dominant force would fix anything; if things had gone the other way 20 or so years ago we would be clicking on little Apples in the upper left-hand corner of the screen instead of a "Start" button in the lower left. I think the only real fix is for Microsoft to develop a social conscience, which most large organizations in today's capitalist economy seem to have lost. They are not interested so much in the security and quality of the product that they provide, but more so in how well the release of a new product will line their stockholders' pockets. I would say that the government should enforce some kind of security standard on any network-enabled application or NOS, but that would be impossible to enforce, since most companies can't enforce their own security policies anyway.
Also, on Microsoft's side, managing a program (or collection of projects, however you want to put it) on the scale of an operating system is fantastically difficult. Check out the Chaos reports (www.standishgroup.com) or just google "project failure rates".
Is the lack of Windows security finely-tuned to allow life or something?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
'I can only assume you're referring to the IIS 5.0 buffer overflow which exploited systems, and here is the key, which were never intended to be web servers'
... aaahhh .. Dave, my mind is going. I can feel it. I can feel it.
Then please tell us what IIS 5.0 was actually designed for.
'As IIS 5.0 was installed and operational on all Windows 2000 Servers unless specifically disabled this led to a huge number of web servers which Netcraft can't account for (as they're internal)'
And can you produce some evidence that most of the hacks were on non-operational Servers that Netcraft didn't account for. And if Netcraft didn't count these non-operational non-web servers then how did they turn up in the count. And how did they get hacked if they were internal. And
was Re:Not exactly
davecb5620@gmail.com
for seven years. And it's GRRRRRRRRRRRRRREAT!!!
Apache has had the majority of the web server market share for a long time now. And they have by far the worst security record of all the web servers out there! Of course, it's only because of their market share!
What? They don't have the worst security record? Never mind.
If Linux were the mainstream desktop then there would be far more people looking for security problems and then fixing them. In fact this process would likely be faster since the same people looking for the problems can actually submit patches to fix them themselves! Also being mainstream projects like SELinux would likely become more mainstream as their user interfaces would be made more accessible and relevant to everyday tasks. There would be some changes though - I imagine that security testing would be more of a priority for Linux apps than it is now.
Microsoft can fuck their users over in outrageous ways which simply couldn't happen if the company was responsible to them financially.
For example, they do not equip even their Windows Vista Ultimate with a basic 1970's user account. In the 1970's you were on a small network managed by a guy wearing suspenders who had taken the vows yet you had a more secure environment than a 21st century Microsoft PC which connects to a global Internet with bot nets and who knows what.
Even the whole idea of shipping PC's with the head and body separate, it is ridiculous, done for financial reasons, not technical. When you look at what comes pre-installed on a Mac and imagine the "commodity" version of that, in your mind's eye you see a PC builder such as Dell should also be one of the main Linux distributions. The Mac software install is like a greatest hits of non-Microsoft computing, and includes software from thousands of Apple engineers, and thousands of community engineers also. In addition to maintaining the "Mac" part of Mac OS X, Apple-the-PC-builder maintains its own Unix distribution because every user needs that due to the Internet and also it is free software, it is like a Unix decoder ring for every Mac user so that they can interact on the network with every other user of every other platform. On a Microsoft PC it is all Microsoft-generated clones of the software that SHOULD be on your Dell or HP PC, and the quality is low, the compatibility is low. The idea that you buy a $499 PC and it doesn't have Apache on there it is actually a kind of sin. But it is even worse that you can buy a PC at all that doesn't set you up with a proper user account, that is like selling people cardboard helmets painted to look steel.
Maybe a few years ago this kind of apologizing for MS was more excusable. The Internet took MS by surprise in the mid-90's so much so that Windows 95 did not have a Web browser included, and Bill Gates' 1995 book "The Road Ahead" mentioned the Internet once while dedicating a chapter to CD-ROM. So by Windows 2000 everybody is going, OK, they are getting their shit together now, but they have stumbled around like a drunk since then.
Also, even if you are an ignorant bastard and don't know about all the Unix software that is missing from every Dell or HP PC, you can see the same thing going on with the Mac. Apache and PHP are wonderful Photoshop accessories but also great accessories for business or whatever you are doing because it probably involves the Internet due to the century we are living in.
In short, you have to be an illegal monopoly to ship non-Internet-capable computers in 2007 when Unix itself is free. Nobody else but an illegal monopoly could get away with it.
I agree with what you say and have these explanations for your and my own observations. These differences are telling:
The net result of these differences is that it's much harder to screw over a GNU/Linux system, where it's hard to avoid the same for Windows. There are no successful auto-propagating worms for GNU/Linux in the wild. It takes a dedicated attack to penetrate a GNU/Linux system and an organization that uses it and recovery is much easier. Oh, it happens and operators have to be on their toes, but it will never, ever be as bad as the M$ monopoly or even their replacement with two or three other non free vendors.
The final and usual problem with the "popularity argument" so loosely thrown around the Wintel press is one of perspective. FUD is never for decision making - you always have to choose what works best right now. Choosing what does not work best because you think something else may never be better only gives you something that's second rate and may never be any better. In this case the difference between the two on security is so enormous that FUD, based on projecting their own poor performance, is all the M$ camp has to offer.
Friends don't help friends install M$ junk.
Microsoft is insecure because they sell an O/S designed primarily to be an ad and vending platform. By design, it allows things to happen that are insecure but necessary in order to efficiently siphon the user's wallet.
Where is their motivation to do it? I believe there has become such an industry, third-party as well as within Microsoft, that exists to deal with Windows security, that improving their security would actually be a BAD business decision.
Color me cynical, but I think it's kind of like the cancer "industry". If cancer were cured, thousands (maybe millions) of jobs and billions of dollars in revenue from cancer treatment would be lost. Treating cancer is MUCH more profitable than curing it. Could it be the same with Windows security?
Things would be no better with any company having Microsoft's history ...
Good thing free software is something users can control and will always be dominated by those with a fighting spirit. The differences are real.
Friends don't help friends install M$ junk.
> You would have also been laughed off of the local BBS in those days for suggesting something such as an email 'virus'.
Yea, it is a truism that it took Microsoft to turn a hoax into reality.
But on the other hand, while Microsoft's ignorance, stupidity and arrogance made it a daily event we can't be totally smug either. We (including me, I was so sure back then too) have seen it happen to us as well. PINE, Evolution, Moz, all have had remote exploits in email. Gaim, etc has had remote IM exploits possible against it. And yes we too had the one I would tell people with confidence wasn't possible, a GIF/JPEG that would infect your computer just by looking at it.
Oh yea, I'd tell people the 'truth' about how only an executable could get ya, pure data like a picture was safe; so watch those file extensions carefully over there on DOS and it would be all right. But all that depends on programmers being good at defense, to keep on going and check every bit of data for sanity, every system call for an error return, etc. To not stop and release as soon as it 'seems to work' and move on to a more interesting problem.
Follow the errata stream from a major Linux distro for a few years and it will change your attitude. Thankfully though the trial by fire does help us. Sendmail went through it and emerged. Bind likewise, used to be a problem but fairly rare for a new bug. Now the meat grind seems to be focused more on the graphical apps like Mozilla/Firefox, OpenOffice, Gaim(whatever it is today) Ethereal/Wireshark. PHP, the databases and Squid seems to be the whipping boys in server space now.
Democrat delenda est
Apache has always been my example of how merely being the largest player in your field does not mean you will be the most hacked. Apache has a huge market share and a much better track record than other web servers, many of which have a much higher developer budget.
So, going back to the original question, yeah, there would be another vendor peddling the dominant OS, and there's a good chance it would be much more secure (if not only because every other mainstream OS on the planet is *nix, which is inherently more secure than MS's one-off security models.)
He's just attempting to up magazine subscriptions.
Yeah, but the author is so wrong about so much that the little CW with a yellow background associated with him is now equivalent to dog poop in my mind. Subscribe? You have to be crazy.
Friends don't help friends install M$ junk.
A quick Google reveals that Vista Ultimate does ship with an Apache equivalent, IIS; as do Vista's Business, Enterprise, and Home (albeit artificially limited in the Home edition).
What's purple and commutes? An Abelian grape.
What would life on the Internet be without scriptable office documents/spreadsheets, email, web sites, and be like? A whole lot safer, regardless of the Operating System.
Mixing executable code and data is a bad idea but it can and has been done with sandboxes on real OS with real users and privilege separation.
There are many other significant differences between free and non free software that have an operational impact. Some of the more obvious ones are:
Friends don't help friends install M$ junk.
That Windows is less secure because it has more market share. Let's debunk this once and for all.
In the author's view, security is quantitative, much like soldiers on the battlefield. That is, ability to compromise a system is determined not by the design and implementation of the system, but by the number of people trying to compromise it. In his warped view of the world, even a computer turned off and left in storage is hackable if you have enough script kiddies trying to own it.
But we know better: the reason why Windows has more security vulnerabilities than Linux and Unix is because it was poorly designed. The reason why there are more exploits for these vulnerabilities is because Windows systems make an attractive target; they are easily compromised, and the type of user who is lax with security typically stores important information - such as SSN's and credit card numbers - in unencrypted form on their hard drive.
Now, granted, Mac, Linux and Unix systems have had security vulnerabilities in the past, and they probably have a few right now. But the fundamental difference between them is that at any one given time, there exist hundreds or thousands of exploits for every exploit available for a non-Windows system. Thus, a hacker is pretty much guaranteed that he can compromise a Windows machine, because even fully patched Windows machines have hundreds or thousands of yet-to-be-discovered vulnerabilities. Contrast this with a Linux box, where even unpatched machines typically possess no more than a handful of weaknesses. Because Windows is so poorly designed, it is a virtual certainty that it can be compromised.
And that is why it is attacked. It is not because of its popularity.
The society for a thought-free internet welcomes you.
it's a good start.
If I wanted to share documents in 1999, or now...
I generate a PostScript file (possibly PDF) if I want "exact printing". I can test the PostScript against Adobe and Ghostscript (especially with gs' "safety" mode).
I generate an ASCII file, with illustrations in a neutral format (X bitmaps, XFig, JPEG, or PostScript).
I give a marked up document in (La)Tex, or TROFF.
(La)Tex is generally presumed "defect free", even though it does constitute a "monoculture" (Knuth's bug pay-out policy contributes).
TROFF has two common implementations - AT&T (Solaris), and groff. Both considered very stable.
Ghostscript is very stable; I cannot speak to the Adobe implementation. There are other PostScript implementations available as well (Harlequin?)
These days, I still use (La)Tex for structured work, ODF for "ad-hoc" work (letters and throw-away memos, where the visual result is more important than sharing).
I view document preparation a bit like programming, in that the language should be considered as separate from the compiler implementation, and there should be tools to allow the language to be extended (elements by function or purpose, not format). Most wysiwyg systems fail at this (including Openoffice.org) which limits their usefulness to me.
Just another "Cubible(sic) Joe" 2 17 3061
Exactly. How is security defined in the design of Windows? How was security defined in Unix systems? And that's just the secure by design part. Just as important is the security of default settings: how secure are the default settings of Windows, and how is that with Unix (just to pick one flavor of Unix: OpenBSD)? How fast is a security bug fixed, and does the fix have its desired effect? Making stuff is easy. Making software which is performing, secure and usable is something completely different. There's too much shallow talk and little action. How much time do programmers have to think or do something about security? How many programmers like to fix bugs all the time? Sendmail had a bug (a security flaw) for 7 years. That bug had been misused by crackers for a long time. After those 7 years the bug had been officially found. Would you call that security? Unless you have proven mathematically that all has no bugs, security doesn't exist. Maybe you might feel secure, that is subjective. Security is like privacy, it doesn't exist in the real world.
I likewise am sick of hearing those who say exactly what this article is saying... Oh, if XXX OS were the most popular, it would suffer the same weaknesses!! Shut the hell up n00b!
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Bingo!!! Mod up the parent.
Computers would be safer if there was not a dominant OS. If there were equal shares of Windows, Mac OS, and Linux/Unix, then none of them would be as subject to attacks. They would all have flaws, but each one would have different flaws, so viruses and malware could not hit all of them. There would be fewer attacks per OS and viruses would not be able to spread.
The problem with security is that computers are such a mono-culture entirely based upon Windows. Many viruses attack every version of MS OSes from Windows 95 through XP. That is the problem with security. It's the same issue in biology that genetic diversity is a good thing. Computers do not have it since 80+% of computers run Windows. The best thing that could be done to improve security is to diversify the operating system of all computers. Relying on one company to produce a safe experience has proven to not work.
It only takes charisma and a big mouth and the whole OSS community could be corrupted. Some would argue it's already happening.
You also need talent, just like you need to penetrate a non free company.
Then there are multiple layers where malice is weeded out and non free software only shares one or two of them. First you have to screw things upstream. It would be hard to sneak something malicious past your peers working on the same program and their testers. Then you have to get it past the distribution maintainers and their testers. There are so many of these that this is virtually impossible. Next you would have to get it past all the people who actually use the program on stable release. The non free software world has only two of these layers but far fewer reviewers and much less transparency. Fewer checks means it's easier to get things through.
Real world experience backs my assertion up. There have been plenty of viruses and backdoors that made it to the customer in the non free world but I don't think you can show me any in the free software world.
Friends don't help friends install M$ junk.
If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.
There is some credence to the "market penetration" argument, because Unix systems WERE "hacked to bits" decades ago, when they were the dominant networkable operating system. Of course, there are always other factors that come into play, and ultimately nothing trumps a robust design for security (which is why BSD and Linux servers running Apache are hacked far less often than Windows/IIS despite having a much larger market share).
The article is kind of pointless because it answers the wrong question: there is nothing interesting about what would be different if a corporation other than Microsoft held a monopoly position in mainstream computing software--we all know that nothing would be materially different. If Apple was the monopolist you KNOW it would sit on its laurels and we'd probably have been stuck with MacOS9-based OS until security and stability problems got so bad that they'd have to do something radical. MS' competition is better because it HAS to offer something better to be able to survive against the 800 pound gorilla.
If one were to imagine life without a MONOPOLY rather than life without Microsoft the situation would be VASTLY different. Just like genetic variation in a species of wildlife population provides some insurance against extinction, having a diversity of inter-operable computing platforms would provide inherent security against system-wide compromise. Right now, global computing infrastructure is a sickly monoculture that is vulnerable to electronic pandemics.
I think that without Microsoft there is an equally plausible alternative outcome to the one presented in the article: If no one player were to achieve market domination in a timely fashion we'd see growth slowdown and perhaps shakeup, as we did in the home computer hardware market in the 1980s. In order to survive, the remaining players would have to cooperate in terms of observing protocols and standards. One way or another, the market must achieve interoperability, and it happens either by one vendor achieving monopoly or by several vendors cooperating at a certain level.
That is what happened on the hardware side in fact--there was a shakeout, a major player emerged (IBM) and before it achieved an assured monopoly the likes of Phoenix and Compaq reverse-engineered the design and inadvertently created a vendor-neutral open systems specification. Today there is no hardware monopoly in the PC market, and hardware is cheap, plentiful and quite reliable overall. Within the silicon and circuits the designs are radically different, but they all have standard internal bus slots, external peripheral connectors and generally are all able to run the same software.
I'll always wonder why software didn't follow the same path, especially given the culture under which much of it was developed. In the 1970s hobbyists and upstart competitors were inspired by the Altair design to create the S100-bus standard platform around it, even with resistance from MITS against the whole effort. At the same time software enthusiasts and entrepreneurs were sharing software and working towards interoperability (much to the chagrin of BillG at the time). I'm not sure why the software wouldn't follow the path of hardware in terms of this gravitation towards interoperability.
We're actually setting the stage today for another opportunity to establish true interoperability--standards such as POSIX, SUS, LSB are well established (though still too often ignored) and Linux, MacOS and BSD share enough similarities that the idea is becoming feasible. The oft-criticised nature of open source to "re-invent the wheel" is key to making this a success--of course the other half of that success is to make sure all these new wheels will roll on the same set of tracks. I think it is looking promising that more and more Free software developers are starting to take that into consideration.
How many locks do you have on your front door? More than one, right? I bet if you have some pretty valuable stuff in your home you most likely have a monitored security system too. So why do you have all that added security if the $15 standard door lock from Home Depot is adequate? Just because something works and is easy to use does not mean it is secure. Try looking at your computer as a safe and your OS as the lock. How much security you need depends on how valuable your data is. An updated Windows OS, with some unneeded services turned off, a firewall, and antivirus/antispyware is a pretty secure environment. But most people/companies don't even have this because they don't know how or don't have the resources to do so.
The article makes two valid points: yes, attackers will tend to attack the product with the most market share, and yes, it's not unlikely that OS X, Linux, and all the other alternative platforms have as-yet unknown vulnerabilities that would cause serious problems if those platforms ever came under concerted attack.
What this implies is that the security of a platform is effectively inversely proportional to its market share.
Let us assume that this is true. What do we conclude? Microsoft dominates the market; market domination implies a greater security threat; therefore, using Microsoft products increases the threat to your security; therefore, you are more secure if you avoid Microsoft.
Yes, it also follows that if Microsoft lost their monopoly, you would want to start avoiding products from a different source. But that's totally irrelevant. We live in the present day, when the dominant company is Microsoft, and that means that the first step in becoming secure is avoiding Microsoft products.
(In practice, it is pretty widely agreed that Microsoft products are in fact inherently less secure than the competition anyway. My point is that this is irrelevant, because the article's premise is self-defeating regardless of whether Windows is well-designed or not.)
Take 20 boxes and then let a bunch of hackers loose on them. Pay them $money for every box they manage to crack. Make 10 of the boxes run fully patched Windows and 10 run the stable branch of OpenBSD and stick complete computer novices behind them. In fact, make the OpenBSD boxes run the OpenBSD project's Apache version, OpenSSH server, give the hackers an account on it and have every daemon listen to every port and enable X11 forwarding through SSH. The Windows machines can run a fully patched Vista with all the ports under a firewall. I bet most people would still prefer trying to compromise a Windows box. Seriously, don't come and tell me there wouldn't be fewer security problems if Windows went away. Vista's security model is based on the "how do we design this so we can blame the user" while the open source distros are based on "let's be open about vulnerabilities so we can fix them asap". Heck, even if the open source ones were as vulnerable as Windows I would still prefer them because at least then you can be relatively certain they will be open about it. With Microsoft you are more likely to get told off for being a user when they break something.
Of course nobody can argue that any hypothetical vendor standing in the place of Microsoft (i.e. Apple, Red Hat, etc.) would not have any security issues, and all of the arguments about security problems caused by users and the ever-evolving ingenious malware authors are valid. However, my view is that the problem that has dogged Windows through its whole life is that so many of the most serious security problems are inherent in the underlying architecture, and so they cannot be fixed without making significant alterations to the architecture of the system and hence obsoleting trillions of dollars in sunk investment in hardware and software.
Many of the potential alternatives to Windows do not have such fundamental problems. They have security problems, and always have, to be sure. But these problems can typically be solved without breaking the system, or the architecture is such that it can be modified without disrupting applications software and other higher-level entities in the system (i.e. these systems are more modular).
Windows seems to be a poster child for the problem of saving time and money by rushing to get a system out and deployed as widely as possible, before all of the security issues and concerns have been thought through and/or discovered. Once so many systems are out in the world, your hands are tied where making big changes is concerned.
Larry
there would just be a different vendor peddling the dominant operating system
I'm sorry, but this argument has always been full of sh^H^Hholes.
Call me when Apple or Linux gets 80% market share, then we'll talk about how "the monoculture argument" applies to them.
FOR RIGHT NOW, AND THE FORESEEABLE FUTURE: SECURITY *IS* "AVOIDING MICROSOFT."
Fact is, OS X -- a secure operating system -- or Solaris 10 -- perhaps an even more secure operating system -- will not get to 20% of the market. Why? Because people are ignorant, stupid, fearful, and every other reason for the mindless conformity that produced the Microslop monoculture in the first place, to most people's great detriment.
If you people can't work out for yourselves that you're being screwed with crappy product, enriching assholes, well, good luck to you.
you had me at #!
People who think the solution to all our problems would be to remove Microsoft from computing also think replacing a Republican with a Democrat would solve our worldly issues. With or without Microsoft there will be viruses, incompatibility issues, bugs, & crashes. With or without Republicans, we're still going to have problems to face.
This sounds an awful lot like ignorant creationist attacks on evolution.
Ken Ham: "Random chance cannot account for the diversity of life. Therefore God did it."
Richard Dawkins: "Well of course. But evolution is not random, dumbass."
Ben Rothke: "Security Isn't Just Avoiding Microsoft."
Bruce Schneier: "Well of course. But no one besides you is saying that, dumbass."
Edith Keeler Must Die
Of course security isn't just avoiding Microsoft. That's just the first step.
Nathan's blog
Which would have led to less chance of a monoculture.
By "extensive documentation", are you speaking of man pages (which there is a sore lack of in the Linux world when compared to BSD-based systems for example), info pages (which are quite well documented in most GNU software), or what? There are a lot of man pages on my Debian system for example that note that they were written for the Debian distribution because the original software didn't include any documentation. I can admit that I've neglected to write manpages for software/scripts that I've written, but once I found out how easy it was to write troff man pages (especially compared to the verbose docbook standard), I've written some man pages for software that doesn't even have them. Sometimes I don't even bother to type "man foo" and instead try "foo --help" first due to this lack of documentation effort.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
How would life without Microsoft be different?
Well, first of all we would throw a fanbloodytastic party.
And it seems that no matter what they do, Microsoft can't find it.
No, the reason Unix wasn't compromised was because people didn't know how to do it. The tools simply weren't available in the early days both cryptographical tools and hardware tools.
Unix passwords used to be encrypted with "crypt" which was a cipher based, roughly, on a German Enigma machine. Until the release of DES, Enigma was about the most advanced cryptography that anyone outside of intelligence agencies had any access to. Civilian cryptanalysis was almost non-existent so no one knew how to break it. Machines were pathetically slow so things like brute force attacks just didn't work.
The same goes true for wire traffic. A protocol analyzer in 1986 was an esoteric, *expensive* piece of equipment. You couldn't just walk up with a laptop (hey, what's that? - didn't exist in 1986) and plug it into the network and grab all the traffic. There weren't Ethernet ports in every office, either.
Times have changed and threats have changed. We used to worry about "war dialers" finding our unlisted modem numbers and people do password challenges. Tomorrow we may be worrying about people with quantum computers. Unix was secure in its time and continues to be secure. Windows has been insecure and continues to be insecure. Attach an unpatched XP box to the Internet and see how long before it's owned.
This is just another instance of the Fallacy of Ubiquity - i.e. the claim that the reason why Microsoft Windows has so many viruses, trojans, etc. is that it is ubiquitous... This is a bald-faced lie perpetrated by MS shills.
The actual reason why Microsoft programs have so much malware targeting them is because they are insecure pieces of crap that are trivially easy to exploit.
Come on guys, this is a Computerworld article. It's just a come-on to get you to look at the ads. They routinely run pieces that were written by an advertiser's marketing department.
Do you really think that Microsoft's marketing department will ever conclude that Windows is insecure, or that any other system might be remotely as good? If they did, they'd be out of a job, fast! Exactly the same as expecting Sun to ever admit that Linux might beat Solaris in some respects, or Red Hat saying that Windows is better for something (besides landfill) than Linux. It's not about facts, it's about spin. This is marketing. Computerworld is just an enabler.
Get over it.
Everybody knows 3 people with my name.
Who let this crap in? This article is so completely, utterly, gratuitously, gaudily wrong that your average high-schooler would call bullshit on it. The entire premise of the article is that "market penetration" (which brings up disturbing if apt images in the context of Microsoft) is the sole determining factor of an OS's security. Bull. SHIT.
I have an idea: put a few hundred systems of every flavor imaginable, unhardened from the default install, on a network without a firewall and see how many of the Windows boxen get owned versus, say, the OpenBSD machines. This guy is saying design doesn't matter, as if a house made of tinkertoys is no more flammable than one made of brick.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
...you might just get some people on here a little too excited, that they might pee all over themselves...or hump your leg...
(nt)
but Just Avoiding Microsoft is a big step towards it
Parent is perhaps the longest post I've seen on /. that I agree with completely.
I'd add that even agreeing that the Network Admin basically still has a job and still has to secure stuff, the life of the poor user could be very different if it was less vulnerable by design.
For instance, regular people who have Macs just do not have the kind of problems they do with Windows. The DLL-hell, the extreme problems migrating to a new hard drive, the need to reinstall the OS due to entropy, the need to reinstall all your apps if you reinstall the OS, the constant spyware.
For the most part, these things don't happen to _well maintained_ corporate networks in modern versions of Windows. But there are a LOT of people that doesn't cover!
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Enough of this. This isn't getting anywhere, and you're convinced you're right come hell or high water, so to hell with it. I'm not even going to point out how you misinterpreted or otherwise misunderstood the last post. I'm done wasting my time on you.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
you are very fucked up