Security Isn't Just Avoiding Microsoft

Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves. How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."

Re:Not exactly

[Gearoid_Murphy]

absolutely, but theres a considerable group of people out there who view animosity towards Microsoft as part of a broader resistance to big corporations, and as a consequence of this, view this resistance as being naive and unfounded. Unix style systems have been around for a long long time and have a well deserved reputation for stability and security, unlike windows products which I, as a computer scientist and software engineer experience as being badly concieved and poorly executed

Re:Story?

[Lazerf4rt]

This must be a story which hopes to achieve security through obscurity.

Re:Not exactly

[ArchdukeChocula]

>If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.

It was! Today's script kiddies can't tell grep for the GIMP but back in the day BBSs were filled with philes on hacking UNIX. Most those files are useless now because BSD and Linux developers have worked hard to improved security. (And so have Windows developers, XP is harder to hack then Win95) The point is that any product as complex as an OS will be full of security holes. Sure UNIX may be more secure but as soon as you get lazy and think your safe someone will prove you wrong.

Re:Not exactly

[wframe9109]

That's pretty funny, because from my experience, Unix has had a history rife with exploits and security issues... It *was* hacked to bits long ago. Good job!!!

Despite it's lesser market percentage, we still see exploits for Unix variants, and the services offered within. It's not some sort of impenetrable OS.

Anyhow. Security is in the hands of the user. Someone with half-decent security knowhow will be able to secure a Windows box far better than a newbie running Unix.

Seriously, editors... ENOUGH ALREADY

[freeweed]

This is the 3rd or 4th story in as many days that positively SCREAMS troll.

1. Find a common belief of Slashdot
2. Whine and bitch about "Slashdot bias" while not even understanding the point
3. When you don't get modded high enough for your complaining, find some blog that agrees with you
4. Get story linked to on Slasdot
4a. In this case, not even a link
5. Page Hits

Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.

Can we try for some actual stories now?

More secure?

[Himring]

Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.

Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network ... on and on. Please try disabling anonymous access on a windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the windows NOS stops working.

This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.

If not for microsoft, consumers might have saved billions on hardware by removing the microsoft tax. Dozens of smaller companies might still be in business.

If not for microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than active directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a differnt password policy....

If not for microsoft, the first thought on computer security might be something other than a virus....

If not for microsoft, the word "rootkit" might not exist?

Re:More secure?

[Corporate+Troll]

If not for microsoft, the word "rootkit" might not exist?

Is this a joke I hear whooshing past my head or are you being serious. You know that "root" part of "rootkit", it talks about the Unix superuser known as "root". The roots (pardon the pun) of a rootkit are most definitely in the Unix heritage. Look it up for yourself.

"Security" does not exist!

[khasim]

At least, that is what TFA says.

Networks in a world in which Apple had won the operating systems wars would still be insecure. What's that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That's true, but it's a consequence of the minuscule market penetration of Mac OS.

Got that? It's all about market share. There is no such thing as "security".

If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.

If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.

I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.

He is an idiot. He doesn't even define "security" before he says that it doesn't exist.

My definition is: Security is the process of evaluating threats and reducing their effectiveness.

But once we've done all that, we're left with one unalterable fact: Users will still make errors galore.

You're an idiot.

So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000 ... that doesn't mean that Ubuntu is more secure because 99% of the cracked machines would be Ubuntu.

So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out.

Why do I get the feeling that this guy just bought stock in a training company?

If that approach was effective, we wouldn't have the problem we have today.

Re:Not exactly

[DevStar]

Where do people get this illusion that Unix systems were secure in the past? As an undergrad we would drive our friends crazy hacking into computers. Just about every Unix program they ran, from mail to finger to rn had security holes you could drive a car through.

The difference back then was no one cared if we broke into a computer. It just didn't make news. Heck, I remember that remote exploits stayed open for years, and no one said a peep. The world was very different back then. Plus there just wasn't much interesting to hack into. People would generally hack into other students accounts -- erase homework, put a bug in a friends assignment, send a goofy email from their professor's account, etc... You didn't have organized crime stealing credit cards, because no one besides geeks used computers.

I know this doesn't fit into your mental model of how Unix was this secure fort in the old days, but you'd better think again. Those of us who were there, know better.

I hate to sound cliche, but as long as we have people programming systems, there will be security holes. And I've worked at enough places to know that no one has a silver bullet.

Re:Not exactly

[tbannist]

It's simple. The summary is quite obviously from a microsoft apologist. The author's just trotting out the old fallacy that "things couldn't be any different then they are now". While it is true that there is more to security than avoid Microsoft, there are very legitimate reasons to gripe about Microsoft's security. They've been told repeatedly before they did stupid, stupid things that they were creating security holes and leaving their customers vulnerable. They didn't care and now everyone else has to clean up their mess.

They've earned their damnation as the weakest link of security and if you eliminate the weakest link, the entire chain becomes stronger.

The problem is Window's insecure architecture.

[QuietLagoon]

A simple application like the IE web browser is tightly integrated into the operating system in order to get around anti-trust laws. How dumb is that?

Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.

Re:Not exactly

[the_womble]

There is also no reason why the market leader has to be dominant. The market leader could have 30%, another two big players 20% each and the remaining 30% split among the rest.

That way we get rid of the monoculture, which is a security disaster.

Re:Not exactly

[Chris+Burke]

Well it's a matter of how you frame it.

"It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."

That's actually true in broad strokes, if you think of what a network administrator's job is relative to security. They maintain the system, keep up to date with what vulnerabilities exist, test any patches and apply them, and respond to any DoS or virus attacks that occur. They deploy spam filters and virus checkers, and keep up to date on patches for them. This won't fundamentally change -- there are still vulnerabilities for *nix whose fixes will need to be tracked -- so really they are doing the same thing with a different vendor.

In a less general "what is the nature of your job" sense, the above is absolutely not true. For instance the only reason we have a virus scanner on our *nix mail servers is to prevent viruses that depend on MS Outlook. While we've lost entire volumes to corruption by Windows viruses, nothing like that has happened to our *nix file servers. And whenever something like this happens, it means over-nighters for the sysadmins. Ask them if having to come in less often on a Saturday night is a "meaningful" change in the way they work.

There are two common couter-arguments to this. The first is the marketshare argument -- MS software isn't any more buggy, it's just more used and thus targeted more. This makes sense at first blush, but anyone putting forth this argument must explain why IIS is hacked more than Apache. Clearly there is more to it than the number of targets.

The second, more desperate argument is the "all software has bugs" mantra. I'll just be honest -- people who argue this are either idiots or extremely lazy programmers. Of course all software has bugs, the question is how many and why. All food has bugs in it, but don't tell me you can't distinguish between food with below the FDA standard for bugs and food that vastly exceeds that amount. Only a fool confuses "bugs exist" with "the quantity of bugs is the same". Only a fool thinks that you can't design a system to be more secure. The problem isn't that Microsoft's programmers just introduce more bugs, it's that the inherent design of Windows and associated software that makes it bug-prone. The worse your design, the more careful you have to be to avoid bugs. Avoiding bugs, and designing the system so that it is inherently more secure and bugs are easier to avoid, is what good programmers strive to do. You can never do it perfectly, but only lazy idiots think that means you can never succeed at all.

Well whatever. All I know is that once I got my father off Explorer and Outlook and onto Firefox and Thunderbird, I stopped having to clear spyware off his computer every single time I visited. Anecdotal for sure, but it's good enough for me.