Slashdot Mirror
Security Isn't Just Avoiding Microsoft
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago. There are a lot more Chevy's around than BMW's, but I bet that more Chevy's are stolen because their "security features" are easier get past rather then just because they're more prevalent.
If the Apple/Windows market positions were reversed (or Linux/Windows for that mater) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
If Microsoft is gone, someone else will have the biggest share of the market and thus make the biggest, most appealing target. It helps that Windows is perceived as more vulnerable (though it can be argued it isn't - not that I hold this position myself), but surely some of that is due to the combination of more attacks against it (more home users and businesses) and a less-than-instant response to security holes.
Whoever the biggest name in a Microsoft-free world was (assuming they were the biggest in a similar kind of space with businesses and home users, not biggest like the bajillion flavors of *nix kind of way), I'm sure things would be the same, and only the details would vary.
Evolution ceases when stupidity can no longer be fatal.
Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.
... on and on. Please try disabling anonymous access on a windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the windows NOS stops working.
Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network
This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.
If not for microsoft, consumers might have saved billions on hardware by removing the microsoft tax. Dozens of smaller companies might still be in business.
If not for microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than active directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a differnt password policy....
If not for microsoft, the first thought on computer security might be something other than a virus....
If not for microsoft, the word "rootkit" might not exist?
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Got that? It's all about market share. There is no such thing as "security".
If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.
I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.
He is an idiot. He doesn't even define "security" before he says that it doesn't exist.
My definition is: Security is the process of evaluating threats and reducing their effectiveness.
You're an idiot.
So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000
Why do I get the feeling that this guy just bought stock in a training company?
If that approach was effective, we wouldn't have the problem we have today.
Sure Windows is a security nightmare, but the real problem is that just about everyone is content to use the same system as everyone else. Diversity is required for culture-wide strength. As much as the internet's proclivity for niche marketing has encouraged everyone to explore their individuality, most of us remain oddly content to behave nearly identical to everyone else. In a hypothetical world where 285 most-used operating systems compete on a wide variety of creatively different architectures, the issue of security of any one of those systems would be greatly diminished, and, as an added bonus, walking in to an average computer store would actually be exciting.
True, security isn't just about avoiding Microsoft.
But avoiding Microsoft is a good start. :-)
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
"Microsoft is insecure because they try to juggle security, performance, and being idiot-friendly."
No, windows is insecure because they put backwards compatibility over secure design, and as such have perpetuated several major insecure design flaws because fixing them would shatter all their legacy apps.
proper memory protection, and actual multi-user protection would go leaps, bounds, and miles to fixing a large number of their problems.
This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system. " makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?
Networks in a world in which Apple had won the operating systems wars would still be insecure.Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.
If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.
User errors have long been the bane of security.No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.
So, what needs to be done? You must require users to attend formal information security training and awareness programs.Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.
Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple hours or training before we will see a widespread difference.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
It is NOT about market share. It is about ease of penetration. There are MORE than enough *nix system that if they were easy to crack, than they would be. If nothing else, notice the .php/.asp world. Most php runs on *nix. They are attacked because it has been easy. Fortunately, the damage is limited, but it still allows such things as stealing information including credit cards and individual information via sql injection.
I prefer the "u" in honour as it seems to be missing these days.
This guy has one fault: faulty logic. Systems are not being attacked more under Windows because of user error, it's because of the holes in the OS. Training is not the main issue with security today, it's an operating system which continues to have a paradigm of an insecure kernel. Layering is a mantra of security, it's not by Microsoft
Finally, this "theory" should be quantitative, I question if sites which are linux only have the same number of vulnerabilities as Windows only. Why doesn't he give us some examples?
My summary: I am ashamed to have the same certification as the author.
No, Windows is the dominant OS because MS-DOS was the dominant OS. That happened because of the association between Microsoft and IBM back when IBM was the computer industry bogeyman.
The "ease" of Windows 3.1 or Windows 95 had nothing to do with it.
Win/DOS was already being pushed by Dell and the rest of his friends.
A Pirate and a Puritan look the same on a balance sheet.
No.
Trolling is going to a NY Nicks' fan forum after they lose a game and posting "SEE!!!! OMG THEY DO SUCK I TOLD YOU!!!". Trolling is hanging out in religious IRC chatrooms and doing nothing but posting links to atheist websites. Trolling is wandering down to the Holocaust museum in Israel and handing out pamphlets saying "hey, maybe Hitler was misunderstood".
Trolling is also getting pissed off because your understanding of security is shallow enough that you take it personally when someone points out that the OS you use isn't as secure as it could be, and yet, because you still need it to play your MMORPGs, trying to scream "OMG SLASHDOT BIAS" in the hopes that someone out there might believe you.
(Incidentally, that last line was also a bit of a troll).
Coming up with a story that completely misses the point about OS security and submitting it here is laughable. The entire point made is that there will always be stupid/ignorant users. The most famous and financially damaging network attacks in history all depended on Microsoft's decision to let every Windows machine listen to needless network traffic by default. You can't argue this. Users had nothing to do with Blaster, SQL Slammer, Code Red, Nimda, (list 100+ worms that made international news when they got released)... at best you could argue that users should be patching systems on a daily basis, but of course you'd be showing just how little experience you've had running a computer system outside of your own home (that's almost flamebait, by the way, even if it's the truth).
The "Windows is only hacked because it's the popular OS" is a myth. It's been debunked thousands of times. Believe me, if it was as easy to hack OS/400, or Linux, or HPUX, people would be doing it in spades - because there's a hell of a lot more juicy information behind those machines. All of Las Vegas runs on OS/400 - that's billions of dollars for the taking. Going after 100 million home users is pointless when you have a nice juicy target like that. As another example, cracking IOS would give you a LOT more power than some piddly country's desktops. Cisco gear is EVERYWHERE.
The common consensus isn't wrong. Hell, these days it's not even the common consensus. But it is accurate to anyone that's had more than a couple of years experience with network security. Or anyone who's had experience outside of running Windows, and trying out a Linux LiveCD one weekend only to give up because it's "too hard". - also Flamebait, yet true.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
The article, and many of the comments seem to think a system is either Secure or Insecure. I.e. it's either Perfect or Imperfect. The article talks about every system having holes, blah blah blah.
I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.
My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.
AccountKiller
Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.
Possibly. But that doesn't take into account bad security designs.
As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.
Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.
But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.
I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.
Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
An issue with this point of view is that there is no intrinsic difference between code and data, as code is just data that has semantic meaning in the context of a physical or virtual machine.
In order to protect against exploits in "data", the data format must be defined in such a way that it can contain no actions, the operating system and/or hardware must provide a mechanism for quarantining blocks of memory from execution (check out Data Execution Prevention or DEP), and the applications must be written in to allow the protections to work.
The latter is one of the issues with DEP adoption, as some applications use programming tricks for performance or other reasons that blur the distinction, such as self-modifying code.
The process of securing computer systems against malformed data is happening, but like many things, it won't be without its trade-offs.
Bingo!!! Mod up the parent.
Computers would be safer if there was not a dominant OS. If there were equal shares of Windows, Mac OS, and Linux/Unix, then none of them would be as subject to attacks. They would all have flaws, but each one would have different flaws, so viruses and malware could not hit all of them. There would be less attacks per OS and viruses would not be able to spread.
The problem with security is that computers are such a mono-culture entirely based upon Windows. Many viruses attack every version of MS OSes from Windows 95 through XP. That is the problem with security. It's the same issue in biology that genetic diversity is a good thing. Computer do not have it since 80+% of computers run Windows. The best thing that could be done to improve security is to diversify the operating system of all computers. Relying on one company to produce a safe experience has proven to not work.
If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.
There is some credence to the "market penetration" argument, because Unix systems WERE "hacked to bits" decades ago, when they were the dominant networkable operating system. Of course, there are always other factors that come into play, and ultimately nothing trumps a robust design for security (which is why BSD and Linux servers running Apache are hacked far less often than Windows/IIS despite haveing a much larger market share).
The article is kind of pointless because it answers the wrong question: there is nothing interesting about what would be different if a corporation other than Microsoft held a monopoly position in mainstream computing software--we all know that nothing would be materially different. If Apple was the monopolist you KNOW it would sit on its laurels and we'd probably have been stuck with MacOS9-based OS until security and stability problems go so baf that they'd have to do something radical. MS' competition is better because it HAS offer something better to be able to survive against the 800 pound gorilla.
If one were to imagine life without a MONOPOLY rather than life without Microsoft the situation would be VASTLY different. Just like genetic variation in a species of wildlife population provides some insurance against extinction, having a diversity of inter-operable computing platforms would provide inherent security against system-wide compromise. Right now, global computing infrastructure is a sickly monoculture that is vulnerable to electronic pandemics.
I think that without Microsoft there is an equally plausible alternative outcome to the one presented in the article: If no one player were to achieve market domination in a timely fashion we'd see growth slowdown and perhaps shakeup, as we did in the home computer hardware market in the 1980s. In order to survive, the remaining players would have to cooperate in terms of observing protocols and standards. One way or another, the market must achieve interoperability, and it happens either by one vendor achieving monopoly or by several vendors cooperating at a certain level.
That is what happened on the hardware side in fact--there was a shakeout, a major player emerged (IBM) and before it achieved an assured monopoly the likes of Phoenix and Compaq reverse-engineered the design and inadvertently created a vendor-neutral open systems specification. Today there is no hardware monopoly in the PC market, and hardware is cheap, plentiful and quite reliable overall. Within the silicon and circuits the designs are radically different, but they all have standard internal bus slots, external peripheral connectors and generally are all able to run the same software.
I'll always wonder why software didn't follow the same path, especially given the culture under which much of it was developed. In the 1970s hobbyists and upstart competitors were inspired by the Altair design to create the S100-bus standard platform around it, even with resistance from MITS against the whole effort. At the same time software enthusiasts and entrepreneurs were sharing software and working towards interoperability (much to the chagrin of BillG at the time). I'm not sure why the software wouldn't follow the path of hardware in terms of this gravitation towards interoperability.
We're actually setting the stage today for another opportunity to establish true interoperability--standards such as POSIX,SUS,LSB are well established (though still too often ignored) and Linux, MacOS and BSD share enough similarities that the idea is becoming feasible. The oft-criticised nature of open source to "re-invent the wheel" is key to making this a success--of course the other half of that success is to make sure all these new wheels will roll on the same set of tracks. I think it is looking promising that more and more Free software developers are starting to take that into consideration.