Slashdot Mirror


Security Isn't Just Avoiding Microsoft

Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves. How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."

29 of 295 comments

  1. Not exactly by WrongSizeGlass · · Score: 3, Insightful

    If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago. There are a lot more Chevys around than BMWs, but I bet that more Chevys are stolen because their "security features" are easier to get past rather than just because they're more prevalent.

    If the Apple/Windows market positions were reversed (or Linux/Windows for that matter) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).

    1. Re:Not exactly by Gearoid_Murphy · · Score: 5, Insightful

      Absolutely, but there's a considerable group of people out there who view animosity towards Microsoft as part of a broader resistance to big corporations, and as a consequence of this, view this resistance as being naive and unfounded. Unix style systems have been around for a long long time and have a well deserved reputation for stability and security, unlike Windows products which I, as a computer scientist and software engineer, experience as being badly conceived and poorly executed.

      --
      prepare the survey weasels.
    2. Re:Not exactly by ArchdukeChocula · · Score: 4, Insightful

      >If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.

      It was! Today's script kiddies can't tell grep from the GIMP but back in the day BBSs were filled with philes on hacking UNIX. Most of those files are useless now because BSD and Linux developers have worked hard to improve security. (And so have Windows developers; XP is harder to hack than Win95.) The point is that any product as complex as an OS will be full of security holes. Sure UNIX may be more secure but as soon as you get lazy and think you're safe someone will prove you wrong.

    3. Re:Not exactly by wframe9109 · · Score: 5, Insightful

      That's pretty funny, because from my experience, Unix has had a history rife with exploits and security issues... It *was* hacked to bits long ago. Good job!!!

      Despite its lesser market percentage, we still see exploits for Unix variants, and the services offered within. It's not some sort of impenetrable OS.

      Anyhow. Security is in the hands of the user. Someone with half-decent security knowhow will be able to secure a Windows box far better than a newbie running Unix.

    4. Re:Not exactly by DevStar · · Score: 5, Insightful

      Where do people get this illusion that Unix systems were secure in the past? As an undergrad we would drive our friends crazy hacking into computers. Just about every Unix program they ran, from mail to finger to rn had security holes you could drive a car through.

      The difference back then was no one cared if we broke into a computer. It just didn't make news. Heck, I remember that remote exploits stayed open for years, and no one said a peep. The world was very different back then. Plus there just wasn't much interesting to hack into. People would generally hack into other students' accounts -- erase homework, put a bug in a friend's assignment, send a goofy email from their professor's account, etc... You didn't have organized crime stealing credit cards, because no one besides geeks used computers.

      I know this doesn't fit into your mental model of how Unix was this secure fort in the old days, but you'd better think again. Those of us who were there, know better.

      I hate to sound cliche, but as long as we have people programming systems, there will be security holes. And I've worked at enough places to know that no one has a silver bullet.

    5. Re:Not exactly by tbannist · · Score: 4, Insightful

      It's simple. The summary is quite obviously from a Microsoft apologist. The author's just trotting out the old fallacy that "things couldn't be any different than they are now". While it is true that there is more to security than avoiding Microsoft, there are very legitimate reasons to gripe about Microsoft's security. They've been told repeatedly before they did stupid, stupid things that they were creating security holes and leaving their customers vulnerable. They didn't care and now everyone else has to clean up their mess.

      They've earned their damnation as the weakest link of security and if you eliminate the weakest link, the entire chain becomes stronger.

      --
      Fanatically anti-fanatical
    6. Re:Not exactly by niiler · · Score: 3, Interesting

      You must be talking about Linspire or whatever they call it these days. Most Linuxes I've run out of the box are quite a bit more secure than their Windows counterparts. I just ran nmap on my local network. The result was that all computers running Windows XP were identified along with their open ports and services whereas none of the Linux boxes (with default firewalls configured on install) showed much at all. Nmap guessed that they were running Linux or Unix, but that was it.

      Nobody is claiming that any OS is perfectly secure. But I seriously question your statement about newbies running *nix being more insecure compared to their Windows counterparts as most modern distros seem to have firewalls enabled and extraneous services shut off by default.

    7. Re:Not exactly by the_womble · · Score: 4, Insightful

      There is also no reason why the market leader has to be dominant. The market leader could have 30%, another two big players 20% each and the remaining 30% split among the rest.

      That way we get rid of the monoculture, which is a security disaster.

    8. Re:Not exactly by Spazmania · · Score: 3, Insightful

      >Where do people get this illusion that Unix systems were secure in the past? As an undergrad we would drive our friends crazy hacking into computers. Just about every Unix program they ran, from mail to finger to rn had security holes you could drive a car through.

      In 1995, most of the US military facilities on the Internet had no firewall. I still remember logging on to the MS Lan Manager servers at work from home using Samba over a 28.8 modem and exporting X-Windows to Sun workstations 600 miles away. That was the normal level of information security and both Windows and Unix met it.

      In 2007 the expected level of information security is rather different. In 2007, Unix and Linux have adapted to the new requirements and excelled at meeting them while Windows works only moderately better than it did in 1995.

      So you're right, but you're wrong. Unix and Linux consistently met or exceeded the appropriate level of security at the time. That the target moves doesn't change the fact that they keep on hitting it. Windows, on the other hand, hasn't hit the target for the better part of a decade now.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    9. Re:Not exactly by Chris Burke · · Score: 4, Insightful

      Well it's a matter of how you frame it.

      "It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."

      That's actually true in broad strokes, if you think of what a network administrator's job is relative to security. They maintain the system, keep up to date with what vulnerabilities exist, test any patches and apply them, and respond to any DoS or virus attacks that occur. They deploy spam filters and virus checkers, and keep up to date on patches for them. This won't fundamentally change -- there are still vulnerabilities for *nix whose fixes will need to be tracked -- so really they are doing the same thing with a different vendor.

      In a less general "what is the nature of your job" sense, the above is absolutely not true. For instance the only reason we have a virus scanner on our *nix mail servers is to prevent viruses that depend on MS Outlook. While we've lost entire volumes to corruption by Windows viruses, nothing like that has happened to our *nix file servers. And whenever something like this happens, it means over-nighters for the sysadmins. Ask them if having to come in less often on a Saturday night is a "meaningful" change in the way they work.

      There are two common counter-arguments to this. The first is the marketshare argument -- MS software isn't any more buggy, it's just more used and thus targeted more. This makes sense at first blush, but anyone putting forth this argument must explain why IIS is hacked more than Apache. Clearly there is more to it than the number of targets.

      The second, more desperate argument is the "all software has bugs" mantra. I'll just be honest -- people who argue this are either idiots or extremely lazy programmers. Of course all software has bugs, the question is how many and why. All food has bugs in it, but don't tell me you can't distinguish between food with below the FDA standard for bugs and food that vastly exceeds that amount. Only a fool confuses "bugs exist" with "the quantity of bugs is the same". Only a fool thinks that you can't design a system to be more secure. The problem isn't that Microsoft's programmers just introduce more bugs, it's the inherent design of Windows and associated software that makes it bug-prone. The worse your design, the more careful you have to be to avoid bugs. Avoiding bugs, and designing the system so that it is inherently more secure and bugs are easier to avoid, is what good programmers strive to do. You can never do it perfectly, but only lazy idiots think that means you can never succeed at all.

      Well whatever. All I know is that once I got my father off Explorer and Outlook and onto Firefox and Thunderbird, I stopped having to clear spyware off his computer every single time I visited. Anecdotal for sure, but it's good enough for me.

      --

      The enemies of Democracy are
  2. Philosophy by youthoftoday · · Score: 3, Interesting

    This smells of the anthropic principle...

    --
    -1 not first post
  3. Re:Story? by Lazerf4rt · · Score: 4, Funny

    This must be a story which hopes to achieve security through obscurity.

  4. Seriously, editors... ENOUGH ALREADY by freeweed · · Score: 5, Interesting

    This is the 3rd or 4th story in as many days that positively SCREAMS troll.

    1. Find a common belief of Slashdot
    2. Whine and bitch about "Slashdot bias" while not even understanding the point
    3. When you don't get modded high enough for your complaining, find some blog that agrees with you
    4. Get story linked to on Slashdot
    4a. In this case, not even a link
    5. Page Hits

    Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.

    Can we try for some actual stories now?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  5. More secure? by Himring · · Score: 4, Insightful

    Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.

    Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network ... on and on. Please try disabling anonymous access on a Windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the Windows NOS stops working.

    This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.

    If not for Microsoft, consumers might have saved billions on hardware by removing the Microsoft tax. Dozens of smaller companies might still be in business.

    If not for Microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than Active Directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a different password policy....

    If not for Microsoft, the first thought on computer security might be something other than a virus....

    If not for Microsoft, the word "rootkit" might not exist?

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
    1. Re:More secure? by Corporate Troll · · Score: 4, Informative

      >If not for Microsoft, the word "rootkit" might not exist?

      Is this a joke I hear whooshing past my head or are you being serious? You know that "root" part of "rootkit", it talks about the Unix superuser known as "root". The roots (pardon the pun) of a rootkit are most definitely in the Unix heritage. Look it up for yourself.

  6. "Security" does not exist! by khasim · · Score: 5, Insightful

    At least, that is what TFA says.

    >Networks in a world in which Apple had won the operating systems wars would still be insecure. What's that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That's true, but it's a consequence of the minuscule market penetration of Mac OS.

    Got that? It's all about market share. There is no such thing as "security".

    If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.

    >If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.

    I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.

    He is an idiot. He doesn't even define "security" before he says that it doesn't exist.

    My definition is: Security is the process of evaluating threats and reducing their effectiveness.

    >But once we've done all that, we're left with one unalterable fact: Users will still make errors galore.

    You're an idiot.

    So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000 ... that doesn't mean that Ubuntu is more secure because 99% of the cracked machines would be Ubuntu.

    >So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out.

    Why do I get the feeling that this guy just bought stock in a training company?

    If that approach was effective, we wouldn't have the problem we have today.
  7. True by Fujisawa Sensei · · Score: 3, Insightful

    True, security isn't just about avoiding Microsoft.

    But avoiding Microsoft is a good start. :-)

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  8. Dreck! by 99BottlesOfBeerInMyF · · Score: 3, Insightful

    This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system. " makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?

    >Networks in a world in which Apple had won the operating systems wars would still be insecure.

    Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.

    >If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.

    Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.

    >User errors have long been the bane of security.

    No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.

    >So, what needs to be done? You must require users to attend formal information security training and awareness programs.

    Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.

    Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple hours of training before we will see a widespread difference.

  9. Re:No by $RANDOMLUSER · · Score: 3, Insightful

    >if you get rid of MSIE, Outlook Express, MSN Messenger, and Windows altogether, you could be the worst systems administrator ever and you still wouldn't have 1/10 the security breaches and incidents.

    You've almost put your finger on it. It's not the products themselves, but Microsoft's love of having applications do whizzo shit that looks great in demos, but shouldn't be done in the first place. Think Active-X webpages, auto-preview in Outlook, .WMV files that can perform system-level operations, macros that execute on load in Word and Excel, executing code from files when viewing directories in thumbnail mode, etc., etc., etc.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  10. Dear Editors by DigitAl56K · · Score: 3, Funny

    Next time could you please choose a more loaded headline?

    Thanks!

  11. How silly by WindBourne · · Score: 3, Insightful

    It is NOT about market share. It is about ease of penetration. There are MORE than enough *nix systems that if they were easy to crack, then they would be. If nothing else, notice the .php/.asp world. Most php runs on *nix. They are attacked because it has been easy. Fortunately, the damage is limited, but it still allows such things as stealing information including credit cards and individual information via SQL injection.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  12. Holy crap, my CISSP value just went down! by harris s newman · · Score: 3, Insightful

    This guy has one fault: faulty logic. Systems are not being attacked more under Windows because of user error, it's because of the holes in the OS. Training is not the main issue with security today, it's an operating system which continues to have a paradigm of an insecure kernel. Layering is a mantra of security, it's not by Microsoft.

    Finally, this "theory" should be quantitative, I question if sites which are Linux-only have the same number of vulnerabilities as Windows-only. Why doesn't he give us some examples?

    My summary: I am ashamed to have the same certification as the author.

  13. M$ lack of Security comes from by Joe The Dragon · · Score: 3, Informative

    Apps that were designed back in the 9X and 3.1 days where there was little to no multi user, admin vs user, common dirs, and so on.
    Apps that need admin so they can auto update themselves.
    A/V apps like Norton home that need an admin user logged in for it to be able to get the updates.
    Game copy protections that need admin to run; there should be other ways to do this without messing with the IDE drivers or needing admin just to check if you have a good copy of the game.

    It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built in updates and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be set up to auto run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000 and you need to run that to get the Optional updates.

    Also put the full video drivers on Windows / M$ Update.

  14. Another Lost Opportunity by EgoWumpus · · Score: 3, Interesting

    The argument has been out for a very long time now; "Any OS with this much market share would be subject to an equal number of attacks and breaches." But it's a weak argument; many point this out. The reason I'll pitch to the forefront is this: we have no evidence that it's true, and until another operating system has 80% market share for two decades, we simply won't have a baseline to compare.

    What I find lamentable is that this article takes what might have otherwise been a good opportunity to echo a tired suggestion. Rather than denying it is impossible for anyone to do as well as Microsoft has, perhaps it would be important to drill down to some real reasons why MS has had so many issues, and why another OS - regardless of the technical features - might have similar difficulty. The number one reason I can come up with - off the top of my head - is feature management. 80% of the market is large. Huge. Gargantuan. There are many users with many wants, but they all want certain common ground across which all of them can function. They are asking a central authority - Microsoft - to provide that. Unix simply has not had that sort of crushing demand put on them, and I find that a more compelling argument than one whose support is based on a hypothetical. Microsoft has tried and not always succeeded to meet that demand while providing the features requested securely. Nothing is perfect - but they challenge anyone to do it better.

    If Microsoft has faith in their product, they'll have faith that people will try, and fail, to do it better. If they don't, they'll reduce themselves to distractions and hand-waving - and the people making their money off of MS will throw any argument out there that will draw the least bit of attention away from their lack of confidence.

    --

    [Ego]out

  15. Security isn't Binary. by Vellmont · · Score: 3, Insightful

    The article, and many of the comments seem to think a system is either Secure or Insecure. I.e. it's either Perfect or Imperfect. The article talks about every system having holes, blah blah blah.

    I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.

    My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.

    --
    AccountKiller
  16. The problem is Window's insecure architecture. by QuietLagoon · · Score: 4, Insightful

    A simple application like the IE web browser is tightly integrated into the operating system in order to get around anti-trust laws. How dumb is that?

    Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.

    1. Re:The problem is Window's insecure architecture. by Foolhardy · · Score: 3, Informative

      IE consists of a front-end launcher and a few shared libraries that implement parts of the back-end like an HTML renderer. The only thing that the IE back-end is integrated with is parts of shell environment. It's a few shared libraries that are loaded into iexplore.exe, and explorer.exe when it needs to do HTML rendering. OSX has a similar architecture, called WebKit. KDE also shares Konqueror's back-end.

      IE is just a few user mode shared libraries. It doesn't have hooks into the kernel. It runs with whatever privileges the user has; it doesn't have some magical security back door. It's not used by any system services. A vulnerability in IE can lead to the compromise of the process it is loaded into, but that's true of any library. IE's vulnerability record is awful, but it can only compromise the system as much as any of your other applications. If IE was a totally standalone program, its security track record would be exactly the same; its (in)ability to compromise the machine exactly the same. If you run an app as admin, and it's compromised, the entire machine is compromised. If you run an app as a normal user, and it's compromised, only the user's account is compromised. IE has nothing to do with the security architecture of Windows.

      In court, Microsoft said that IE was an integral part of the Windows experience, and that removing it would diminish that experience and break their right to sell a software package with whatever features they liked.

  17. Good vs Bad. by khasim · · Score: 3, Insightful

    >Any such system that's tight enough to meet conventional ideas of 'security' is tough to build, and even harder to maintain. The effort and diligence curves are way above what you can expect from the everyday person on the street.

    Possibly. But that doesn't take into account bad security designs.

    As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.

    >Security is measured like system uptime: in orders of magnitude. One-nine security (90%) is easier to achieve than two-nines (99%), with each additional nine being harder and more expensive to tack on. It's very unlikely that we'll ever see the general public acquire the knowledge and discipline necessary to maintain overall five-nines security (99.999%), because somebody just won't think the payoff is worth the effort.

    Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.

    But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.

    I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.

    Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
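
Several comments above rest on the claim that a default install exposes no open ports (the Ubuntu remarks and the nmap comparison). The following is an added example, not part of any comment in the thread, showing one way to check that claim on a Linux host by reading the kernel's socket table instead of scanning from outside. The sample table is constructed, the function names are illustrative, and the decoder assumes an IPv4 table produced on a little-endian machine.

```python
import ipaddress
import struct

TCP_LISTEN = 0x0A  # kernel state code for a socket in LISTEN

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1
   2: 0A01A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1
   3: 0A01A8C0:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11004 1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4 string, port number)."""
    hex_addr, hex_port = field.split(":")
    # Assumption: the table was written by a little-endian host (x86, most ARM),
    # so the address bytes appear reversed in the hex string.
    addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_addr, 16)))
    return str(addr), int(hex_port, 16)


def parse_listeners(table):
    """Return (ip, port) for every socket whose state is LISTEN."""
    listeners = []
    for line in table.splitlines():
        fields = line.split()
        # Data rows start with a slot number such as '0:'; the header does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established or closing connections are not open ports
        listeners.append(decode_endpoint(fields[1]))
    return listeners


def exposed_listeners(table):
    """Listening sockets reachable from the network (not bound to loopback)."""
    return [(ip, port) for ip, port in parse_listeners(table)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP        # fall back to the constructed sample
    for ip, port in exposed_listeners(table):
        print(f"listening on {ip}:{port}")
```

A listener bound to 127.0.0.1 is not reachable from the network, while one bound to 0.0.0.0 is reachable on every interface unless a host firewall filters it, which this table does not show.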
  18. Re:Email virus by intchanter · · Score: 3, Insightful

    An issue with this point of view is that there is no intrinsic difference between code and data, as code is just data that has semantic meaning in the context of a physical or virtual machine.

    In order to protect against exploits in "data", the data format must be defined in such a way that it can contain no actions, the operating system and/or hardware must provide a mechanism for quarantining blocks of memory from execution (check out Data Execution Prevention or DEP), and the applications must be written to allow the protections to work.

    The latter is one of the issues with DEP adoption, as some applications use programming tricks for performance or other reasons that blur the distinction, such as self-modifying code.

    The process of securing computer systems against malformed data is happening, but like many things, it won't be without its trade-offs.
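
The comment above describes marking memory as non-executable and notes that some applications blur the code/data line. As an added example (not part of the comment), this sketch audits a Linux process memory map for the two cases that matter under that model: regions that are writable and executable at the same time, and stack or heap regions that are executable at all. The sample map is constructed and the function names are illustrative.

```python
from typing import NamedTuple


class Region(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. 'r-xp': read, write, execute, private/shared
    path: str    # backing file, '[heap]', '[stack]', or '' for anonymous


# Constructed sample in /proc/<pid>/maps layout (not from a real process).
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a21000 r--p 00000000 08:01 131090 /usr/bin/example
55d0c1a21000-55d0c1a9e000 r-xp 00021000 08:01 131090 /usr/bin/example
55d0c1c00000-55d0c1c05000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10010000 rwxp 00000000 00:00 0
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Parse maps-format text into Region tuples, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or "-" not in fields[0]:
            continue
        start, end = (int(part, 16) for part in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append(Region(start, end, fields[1], path))
    return regions


def wx_violations(regions):
    """Regions that are writable AND executable: data that can run as code."""
    return [r for r in regions if "w" in r.perms and "x" in r.perms]


def executable_data(regions):
    """Stack or heap regions with execute permission, which DEP should deny."""
    return [r for r in regions
            if r.path in ("[heap]", "[stack]") and "x" in r.perms]


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in wx_violations(regions):
        size_kib = (r.end - r.start) // 1024
        name = r.path or "(anonymous)"
        print(f"W+X region {r.start:#x}-{r.end:#x} {size_kib} KiB {name}")
    print("executable stack/heap:", len(executable_data(regions)))
```

In the sample, the anonymous `rwxp` mapping is the kind of region a JIT or self-modifying program requests, which is the adoption trade-off the comment mentions.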