Security Isn't Just Avoiding Microsoft
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago. There are a lot more Chevys around than BMWs, but I bet that more Chevys are stolen because their "security features" are easier to get past rather than just because they're more prevalent.
If the Apple/Windows market positions were reversed (or Linux/Windows for that matter) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
This smells of the anthropic principle...
-1 not first post
This must be a story which hopes to achieve security through obscurity.
MS's problem is they haven't had a real rival in years. They are so used to being the top dog they forget how to fight. It's the same way guys who work up from the bottom suddenly develop amnesia of exactly how difficult it was to get there until using "I came from the streets!" is going to help them in politics of some sort.
Things would be no better with any company having Microsoft's history, but that doesn't mean MS was set on its current course through fate or whatever else you wish to call it.
I like muppets.
This is the 3rd or 4th story in as many days that positively SCREAMS troll.
1. Find a common belief of Slashdot
2. Whine and bitch about "Slashdot bias" while not even understanding the point
3. When you don't get modded high enough for your complaining, find some blog that agrees with you
4. Get story linked to on Slashdot
4a. In this case, not even a link
5. Page Hits
Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.
Can we try for some actual stories now?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.
... on and on. Please try disabling anonymous access on a windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the windows NOS stops working.
Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network
This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.
If not for Microsoft, consumers might have saved billions on hardware by removing the Microsoft tax. Dozens of smaller companies might still be in business.
If not for Microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than Active Directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a different password policy....
If not for Microsoft, the first thought on computer security might be something other than a virus....
If not for Microsoft, the word "rootkit" might not exist?
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Got that? It's all about market share. There is no such thing as "security".
If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.
I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.
He is an idiot. He doesn't even define "security" before he says that it doesn't exist.
My definition is: Security is the process of evaluating threats and reducing their effectiveness.
You're an idiot.
So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000
Why do I get the feeling that this guy just bought stock in a training company?
If that approach was effective, we wouldn't have the problem we have today.
Sure Windows is a security nightmare, but the real problem is that just about everyone is content to use the same system as everyone else. Diversity is required for culture-wide strength. As much as the internet's proclivity for niche marketing has encouraged everyone to explore their individuality, most of us remain oddly content to behave nearly identically to everyone else. In a hypothetical world where 285 most-used operating systems compete on a wide variety of creatively different architectures, the issue of security of any one of those systems would be greatly diminished, and, as an added bonus, walking into an average computer store would actually be exciting.
True, security isn't just about avoiding Microsoft.
But avoiding Microsoft is a good start. :-)
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system." makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?
> Networks in a world in which Apple had won the operating systems wars would still be insecure.
Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.
> If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.
Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.
> User errors have long been the bane of security.
No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.
> So, what needs to be done? You must require users to attend formal information security training and awareness programs.
Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.
Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple of hours of training before we will see a widespread difference.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Next time could you please choose a more loaded headline?
Thanks!
It is NOT about market share. It is about ease of penetration. There are MORE than enough *nix systems that if they were easy to crack, then they would be. If nothing else, notice the .php/.asp world. Most PHP runs on *nix. They are attacked because it has been easy. Fortunately, the damage is limited, but it still allows such things as stealing information including credit cards and individual information via SQL injection.
I prefer the "u" in honour as it seems to be missing these days.
This guy has one fault: faulty logic. Systems are not being attacked more under Windows because of user error, it's because of the holes in the OS. Training is not the main issue with security today, it's an operating system which continues to have a paradigm of an insecure kernel. Layering is a mantra of security, it's not by Microsoft
Finally, this "theory" should be quantitative, I question if sites which are linux only have the same number of vulnerabilities as Windows only. Why doesn't he give us some examples?
My summary: I am ashamed to have the same certification as the author.
No, Windows is the dominant OS because MS-DOS was the dominant OS. That happened because of the association between Microsoft and IBM back when IBM was the computer industry bogeyman.
The "ease" of Windows 3.1 or Windows 95 had nothing to do with it.
Win/DOS was already being pushed by Dell and the rest of his friends.
A Pirate and a Puritan look the same on a balance sheet.
"Security isn't just avoiding Microsoft..."
Sometimes a double negative can sum it up best: "but it isn't *not* avoiding Microsoft..."
Love many, trust a few, do harm to none.
Apps that were designed back in the 9X and 3.1 days, when there was little to no multi-user, admin vs. user, common dirs, and so on.
Apps that need admin so they can auto-update themselves.
A/V apps like Norton Home that need an admin user logged in for it to be able to get the updates.
Game copy protection that needs admin to run; there should be other ways to do this without messing with the IDE drivers or needing admin just to check if you have a good copy of the game.
It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updates and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system, or even let it be set up to auto-run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000, and you need to run that to get the Optional updates.
Also put the full video drivers on Windows / M$ Update.
The argument has been out for a very long time now; "Any OS with this much market share would be subject to an equal number of attacks and breaches." But it's a weak argument; many point this out. The reason I'll pitch to the forefront is this: we have no evidence that it's true, and until another operating system has 80% market share for two decades, we simply won't have a baseline to compare.
What I find lamentable is that this article takes what might have otherwise been a good opportunity to echo a tired suggestion. Rather than denying it is impossible for anyone to do as well as Microsoft has, perhaps it would be important to drill down to some real reasons why MS has had so many issues, and why another OS - regardless of the technical features - might have similar difficulty. The number one reason I can come up with - off the top of my head - is feature management. 80% of the market is large. Huge. Gargantuan. There are many users with many wants, but they all want certain common ground across which all of them can function. They are asking a central authority - Microsoft - to provide that. Unix simply has not had that sort of crushing demand put on them, and I find that a more compelling argument than one whose support is based on a hypothetical. Microsoft has tried and not always succeeded to meet that demand while providing the features requested securely. Nothing is perfect - but they challenge anyone to do it better.
If Microsoft has faith in their product, they'll have faith that people will try, and fail, to do it better. If they don't, they'll reduce themselves to distractions and hand-waving - and the people making their money off of MS will throw any argument out there that will draw the least bit of attention away from their lack of confidence.
[Ego]out
The article, and many of the comments seem to think a system is either Secure or Insecure. I.e. it's either Perfect or Imperfect. The article talks about every system having holes, blah blah blah.
I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.
My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.
AccountKiller
Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.
Possibly. But that doesn't take into account bad security designs.
As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.
Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.
But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.
I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.
Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
HELP! Vista blocked this link and all my Favorites. HELP!
'I can only assume you're referring to the IIS 5.0 buffer overflow which exploited systems, and here is the key, which were never intended to be web servers'
... aaahhh .. Dave, my mind is going. I can feel it. I can feel it.
Then please tell us what IIS 5.0 was actually designed for.
'As IIS 5.0 was installed and operational on all Windows 2000 Servers unless specifically disabled this led to a huge number of web servers which Netcraft can't account for (as they're internal)'
And can you produce some evidence that most of the hacks were on non-operational Servers that Netcraft didn't account for. And if Netcraft didn't count these non-operational non-web servers then how did they turn up in the count. And how did they get hacked if they were internal. And
davecb5620@gmail.com
> You would have also been laughed off of the local BBS in those days for suggesting something such as an email 'virus'.
Yea, it is a truism that it took Microsoft to turn a hoax into reality.
But on the other hand, while Microsoft's ignorance, stupidity and arrogance made it a daily event we can't be totally smug either. We (including me, I was so sure back then too) have seen it happen to us as well. PINE, Evolution, Moz, all have had remote exploits in email. Gaim, etc has had remote IM exploits possible against it. And yes we too had the one I would tell people with confidence wasn't possible, a GIF/JPEG that would infect your computer just by looking at it.
Oh yea, I'd tell people the 'truth' about how only an executable could get ya, pure data like a picture was safe; so watch those file extensions carefully over there on DOS and it would be all right. But all that depends on programmers being good at defense, to keep on going and check every bit of data for sanity, every system call for an error return, etc. To not stop and release as soon as it 'seems to work' and move on to a more interesting problem.
Follow the errata stream from a major Linux distro for a few years and it will change your attitude. Thankfully though the trial by fire does help us. Sendmail went through it and emerged. Bind likewise, used to be a problem but fairly rare for a new bug. Now the meat grind seems to be focused more on the graphical apps like Mozilla/Firefox, OpenOffice, Gaim(whatever it is today) Ethereal/Wireshark. PHP, the databases and Squid seems to be the whipping boys in server space now.
Democrat delenda est
Bingo!!! Mod up the parent.
Computers would be safer if there was not a dominant OS. If there were equal shares of Windows, Mac OS, and Linux/Unix, then none of them would be as subject to attacks. They would all have flaws, but each one would have different flaws, so viruses and malware could not hit all of them. There would be less attacks per OS and viruses would not be able to spread.
The problem with security is that computers are such a mono-culture entirely based upon Windows. Many viruses attack every version of MS OSes from Windows 95 through XP. That is the problem with security. It's the same issue in biology that genetic diversity is a good thing. Computers do not have it since 80+% of computers run Windows. The best thing that could be done to improve security is to diversify the operating system of all computers. Relying on one company to produce a safe experience has proven to not work.
> If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.
There is some credence to the "market penetration" argument, because Unix systems WERE "hacked to bits" decades ago, when they were the dominant networkable operating system. Of course, there are always other factors that come into play, and ultimately nothing trumps a robust design for security (which is why BSD and Linux servers running Apache are hacked far less often than Windows/IIS despite having a much larger market share).
The article is kind of pointless because it answers the wrong question: there is nothing interesting about what would be different if a corporation other than Microsoft held a monopoly position in mainstream computing software--we all know that nothing would be materially different. If Apple was the monopolist you KNOW it would sit on its laurels and we'd probably have been stuck with a MacOS9-based OS until security and stability problems got so bad that they'd have to do something radical. MS' competition is better because it HAS to offer something better to be able to survive against the 800 pound gorilla.
If one were to imagine life without a MONOPOLY rather than life without Microsoft the situation would be VASTLY different. Just like genetic variation in a species of wildlife population provides some insurance against extinction, having a diversity of inter-operable computing platforms would provide inherent security against system-wide compromise. Right now, global computing infrastructure is a sickly monoculture that is vulnerable to electronic pandemics.
I think that without Microsoft there is an equally plausible alternative outcome to the one presented in the article: If no one player were to achieve market domination in a timely fashion we'd see growth slowdown and perhaps shakeup, as we did in the home computer hardware market in the 1980s. In order to survive, the remaining players would have to cooperate in terms of observing protocols and standards. One way or another, the market must achieve interoperability, and it happens either by one vendor achieving monopoly or by several vendors cooperating at a certain level.
That is what happened on the hardware side in fact--there was a shakeout, a major player emerged (IBM) and before it achieved an assured monopoly the likes of Phoenix and Compaq reverse-engineered the design and inadvertently created a vendor-neutral open systems specification. Today there is no hardware monopoly in the PC market, and hardware is cheap, plentiful and quite reliable overall. Within the silicon and circuits the designs are radically different, but they all have standard internal bus slots, external peripheral connectors and generally are all able to run the same software.
I'll always wonder why software didn't follow the same path, especially given the culture under which much of it was developed. In the 1970s hobbyists and upstart competitors were inspired by the Altair design to create the S100-bus standard platform around it, even with resistance from MITS against the whole effort. At the same time software enthusiasts and entrepreneurs were sharing software and working towards interoperability (much to the chagrin of BillG at the time). I'm not sure why the software wouldn't follow the path of hardware in terms of this gravitation towards interoperability.
We're actually setting the stage today for another opportunity to establish true interoperability--standards such as POSIX, SUS, LSB are well established (though still too often ignored) and Linux, MacOS and BSD share enough similarities that the idea is becoming feasible. The oft-criticised nature of open source to "re-invent the wheel" is key to making this a success--of course the other half of that success is to make sure all these new wheels will roll on the same set of tracks. I think it is looking promising that more and more Free software developers are starting to take that into consideration.
Take 20 boxes and then let a bunch of hackers loose on them. Pay them $money for every box they manage to crack. Make 10 of the boxes run fully patched Windows and 10 run the stable branch of OpenBSD and stick complete computer novices behind them. In fact, make the OpenBSD boxes run the OpenBSD project's Apache version, OpenSSH server, give the hackers an account on it and have every daemon listen to every port and enable X11 forwarding through SSH. The Windows machines can run a fully patched Vista with all the ports under a firewall. I bet most people would still prefer trying to compromise a Windows box. Seriously, don't come and tell me there wouldn't be fewer security problems if Windows went away. Vista's security model is based on "how do we design this so we can blame the user" while the open source distros are based on "let's be open about vulnerabilities so we can fix them asap". Heck, even if the open source ones were as vulnerable as Windows I would still prefer them because at least then you can be relatively certain they will be open about it. With Microsoft you are more likely to get told off for being a user when they break something.