The Birth and Battle of Conficker
NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."
But I think we all saw that one coming.
The security community will continue to fight them, but as long as the worm remains embedded in any Windows computer there can be no quick fixes.
Fixed that for ya.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
n/t
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
If your ISP provided a free service where it would text or phone you and offer to help clean up your systems if it detected malware-ish behavior coming from your computer or network, would you sign up?
The only gotcha is that you would be inviting the ISP to watch your traffic.
OK, this is slashdot, so most people would say "no," but how many regular people would say "yes" and would that make much of a difference?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
No affiliation here to the website, just a really good podcast/netcast. http://twit.tv/sn193
If only we consider more thoroughly what single thing they all have in common, we might be able to find a cure.
Help stamp out iliturcy.
Just make it opt-out and the 10% of us (or whatever) that might not be comfortable can continue to use the service happily.
The problem with bot-nets is not that people don't care (exactly) but that they are ignorant, literally, they don't know. Everyone wouldn't fix it or know how or who to turn to but the net result would still be X percentage less infected computers. Probably even an X percent increase in awareness/interest (personal information accessible/business information-secrets accessible/illicit information accessible/etc). And of course importantly an X percent decrease in profitability for operators (or at least their end-users).
Kill the market.
Quack, quack.
We now have Windows Defender. MS should know every nook and cranny in MS Windows. What is so special about Conficker that the best software company in the world can't protect its user against a well known and defined threat? I realize that dumb users will often just go back and reinfect the computer, but then we would expect Defender to block the reinstall.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, H.P., Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets,
All running Windows! Foo!
Guaranteed! This comment 100% Anthrax free!
What I thought was interesting was the internet telescope mentioned in the article. No wonder we're running out of IPv4 addresses, someone's wasting millions of them!
Um, no. Unless you made it mandatory for everyone in the world this is not going to solve this problem. Probably not even then.
Credible network admins are having trouble getting rid of this thing, and they have Group Policy and Remote Admin access.
Help stamp out iliturcy.
I routinely encounter people who have disabled Windows Update because they believe Microsoft is out to get them. They worry that the updates their computer nags them about are filled with unnecessary crap. Crap that will spy on them, display advertisements, install toolbars and hijack their machine. I think this is largely due to some weird cultural concept that Windows is both evil and necessary. In truth, it's neither.
Conficker has reached level 6. It's pandemic now.
(founded 95,000,000 yrs ago, very space opera)
I've got it... It's people!
And more specifically the sort of people who would install stuff just because a pop up tells them they are infected and they should install "Antivirus 2009".
And those who would type in passwords for encrypted zipfiles to decrypt them and install the stuff inside them...
In theory they're not actually morons ;).
;).
Because in theory it's impossible to solve the halting problem.
In theory users have to figure out whether a program is safe (analogous to "halt") even though
1) They don't have the actual true description of the program
2) They don't know the full inputs of the program
And that's a harder problem than the halting problem
While you could say - nobody should install anything that's "Not Expert or Vendor Approved", to me that's a rather dismal state of things.
Things could be so much better. Really.
For instance if you had an O/S that will require applications/applets to list out the type of access they require.
Then the O/S can provide a meaningful and TRUE description to the user of what the application might do.
And the O/S can also enforce the limits of the access.
So if something says it's a screensaver, it's only going to get screensaver access. It's not going to be able to make recordings from your microphone and webcam, and send them to Elbonia behind your back. It's not going to be able to write to anywhere other than its own designated scratchpad area, not even your USB drives.
And that would be a secure modern O/S.
Then you can tell your "morons" - "You can install whatever stuff you like, unless the O/S gives you that red warning dialog box about the program requiring full user or system privileges".
In terms of security, most current O/Ses aren't even better than what was available 40 years ago. Heck, Unix is a watered down Multics.
They're just decorated with fancy graphics and animations so most people think they're advanced.
Yes, Vista does have some sandboxing, but the way MS has implemented stuff makes many people turn off many of the protections. So they'll become the next hosts for the next Conficker.
As for Linux, AppArmor and SELinux don't appear "Desktop Ready" yet.
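A minimal sketch of the declared-access model proposed in the comment above, added here as an illustration and not part of the original post: the OS builds the install prompt from the manifest itself and a broker enforces the declared limits at run time. The capability names, manifest fields and paths are hypothetical.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical capability vocabulary; the comment names no concrete scheme.
KNOWN_CAPABILITIES = frozenset({
    "display", "microphone", "webcam", "network",
    "scratch_write", "full_user", "full_system",
})
# Capabilities that trigger the "red warning dialog" from the comment.
HIGH_RISK = frozenset({"full_user", "full_system"})


@dataclass(frozen=True)
class Manifest:
    name: str
    capabilities: frozenset
    scratch_dir: str  # the app's designated scratchpad area


def install_prompt(manifest):
    """Return (level, capabilities) derived from the manifest, never from
    the application's own description of itself."""
    unknown = manifest.capabilities - KNOWN_CAPABILITIES
    if unknown:
        # Refuse to install rather than guess what an unknown grant means.
        raise ValueError("unknown capabilities: %s" % sorted(unknown))
    level = "red" if manifest.capabilities & HIGH_RISK else "normal"
    return level, sorted(manifest.capabilities)


class Broker:
    """Run-time enforcement point: every access request goes through here."""

    def __init__(self, manifest):
        self.manifest = manifest
        self.denied = []  # audit trail of refused requests

    def _full_access(self):
        return bool(self.manifest.capabilities & HIGH_RISK)

    def allow(self, capability):
        ok = self._full_access() or capability in self.manifest.capabilities
        if not ok:
            self.denied.append(("capability", capability))
        return ok

    def allow_write(self, path):
        if self._full_access():
            return True
        root = posixpath.normpath(self.manifest.scratch_dir)
        # Relative paths are taken relative to the scratchpad; normpath
        # collapses "..", so traversal out of the scratchpad is caught.
        # A real enforcement point would also have to resolve symlinks.
        target = posixpath.normpath(posixpath.join(root, path))
        inside = target == root or target.startswith(root + "/")
        ok = inside and "scratch_write" in self.manifest.capabilities
        if not ok:
            self.denied.append(("write", target))
        return ok


if __name__ == "__main__":
    # Constructed sample: a screensaver that declares only what it needs.
    saver = Manifest("starfield", frozenset({"display", "scratch_write"}),
                     "/var/scratch/starfield")
    broker = Broker(saver)
    print(install_prompt(saver))
    for cap in ("display", "microphone", "network"):
        print(cap, broker.allow(cap))
    for p in ("cache/frame.bin", "../../../home/user/.profile",
              "/media/usb0/autorun.inf"):
        print(p, broker.allow_write(p))
    print("denied:", broker.denied)
```
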
As a computer consultant that (has to) advocate Windows, allow me to answer this.
The average computer user in a company doesn't know jack about his machine. Fortunately, he's not required to do administrative tasks, but he's required to work with it. And he's required to produce. Trying to convince management that they should toss out all Windows machines and install Linux everywhere is something you should only try if you always wanted to take over boulder duty from Sisyphus.
Second, the average computer administrator in a company doesn't know jack about Linux. Why? Because he was hired to administrate Windows machines. More often than not, he can only do that, too, because Windows offers an easy to use GUI that forgives a lot of errors and asks at least 10 times before you can break something. If you hand these people Linux servers, you're opening a can of worms. No pun intended. They can, maybe, keep a Windows environment halfway stable and secure if you hand them the right tools and a good explanation how to use them. At least 'til you come the next time.
If you press them into Linux, you will come back to Linux boxes that have been crowbarred open because "else it didn't work".
And, bluntly, security-wise I prefer a fairly well secured Windows server environment to completely insecure Linux boxes. Insecure, not because the system wouldn't allow it, but because the administrator is completely overtaxed by the task of securing them.
Yes, hiring another admin would be a good idea. Try rolling that boulder towards management, please.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Every trojan relies on a single component core to each and every desktop, laptop and server in existence. The user.
Tragically, as long as humans are allowed the use of these systems there will always be viruses. People should not allow pretentious Linux admins to tell them any different.
A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.
Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."
Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.
"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."
"Yes," said Phagge. "Yes, they do."
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.
http://rocknerd.co.uk
Thanks for taking the time to write a thoughtful though flawed response. The thing is, I never mentioned Linux. Furthermore, I would say that the continued existence and popularity of the Apple Macintosh refutes the rest of your arguments hinging on ease of use and technical support. In fact you have perfectly illustrated the point that I am making here.
There was a time when doctors routinely prescribed smoking cigarettes as a quick and easy fix to all manner of ills. The long term hazards and effects weren't properly understood, and by the time they were, there was such a huge vested interest in perpetuating the smoking habit that the battle to remove it for the common good is still far from over, and may never be.
Likewise it is all too easy to facilitate yet another Windows installation, rather than risking your income by swimming against the tide. Even if you already know that the software that you are installing is inferior, you will go ahead and install it anyway, putting your own self interest ahead of those of your unfortunate clients.
As for the attitude of management towards this corruption that is so pervasive throughout the industry, I think a quote from one of my own past employers sums it up the best. "If we adopt this other more cost effective technology it will reduce my departmental budget and then Bob (the manager of another department) will get a better parking spot than me."
or on some other non-Windows OS? This is a serious question ... what is the amount of exploits and similar with regard to non Windows computers. Is it known?
'The dry, technical language of Microsoft's October update did not indicate anything particularly untoward. A security flaw in a port that Windows-based PCs use to send and receive network signals, it said, might be used to create a "wormable exploit"'
Don't they mean a BUG in the Operating System and defects in the Memory Management unit lead to the worst virus/worm infestation in years?
'One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services'
OK, just speculating. Tin-foil hat firmly in place.
I wonder if Conficker is a government (which government?) black-ops project disguised to look like organized crime?
The technology looks pretty sharp to me. Not to discount the skills and ability of any competent software developers, but ... I smell a rat.
Ah, the sweet sound of 20 lb. copier paper!
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I get my internet over avian carriers you insensitive clod!
My ISP's security system is a shotgun filled with bird-shot. Meet their head of security.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
> Do you have even the faintest idea what you're talking about? Didn't think so.
;).
That's not a nice thing to say. Why did you say that? Did I hurt you somehow before?
> The worst they can do is to nuke their own files.
Nah. As I've been saying - they could run the wrong program and then the bad bad things could happen.
While having their own data destroyed is typically far worse than losing their entire operating system, that's NOT the worst that could happen when a user runs the wrong program.
1) Their data could get silently corrupted. Silent corruption is often far far worse than complete data loss. When you have complete data loss, it's obvious. So you restore from backups, or deal with it in other ways. When something tampers with the data, you could be screwed so badly and not know why. By the time you realize something is wrong, all your backups could be of the corrupted data.
2) Their secrets could get exposed and abused.
3) Their computer could get taken over and used for illegal stuff. While they might eventually be exonerated, the pain and damage involved is likely to be more than mere data loss.
Plus it's probably easier to live if people think you're some incompetent loser who went out of business because of massive data loss, than if people think you really downloaded, stored and shared all those illegal and _disgusting_ porn.
I'm sure others can think of many other things worse than "nuking their own files".
e.g. they could unknowingly help Skynet survive and grow in strength
You want to convince management to buy even MORE expensive computers? Computers that they will dismiss as "fancy but impractical", with one less mouse button (read: you get LESS for MORE money!), computers that will (in their mind) break the all-holy compatibility with their clients (and competitors), no matter how much you explain to them that nearly all software is available?
Even Sisyphus would refuse to push that boulder.
According to your logic, they'd be happy to spend more money. Usually they're not. If they just want to spend more money, I'd be delighted to ease that burden for them. They want a solution that doesn't cost much, that doesn't take long and that allows them to keep or get their certificate. Period.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hardened and resistant does not mean "Immune." Yes, flaws exist in the OS, but nowhere on the scale that it exists on the Windows platform.
All this hype I hear about the gaining market share of OSX also increasing the market share for malware, viruses, etc. (trojans excluded, operator error when it prompts for username and password is something that no OS can really be hardened against, although recovery from such an idiot move can be, I don't know how well OSX handles being rootkitted or attacked after having a trojan rape the machine, but I can imagine recovery to be simpler than on a Windows box; which also makes up half of your little list), market share for similar vulnerabilities haven't gone up either the same way they do for Windows machines.
Taking a read of the various flaws listed (most of which are a year+ old, and many of which have been patched), it seems to secure a Mac install, all you have to do is power it on and turn off Bonjour (although it seems like the DNS vulnerability has too, been patched). It seems like a majority of the flaws are very user specific, like abusing Apple Remote Desktop, which is not enabled in the first place. Yes, Apple is a little slow with patching at times, they just now got around to releasing the Java patch that's been around for quite awhile, but it's done. Compare this with a typical Windows exploit which is basically, "Turn on your PC to get owned."
While it's not the "it just works" setup, quite frankly, I like that a whole lot better than, "Turn off X, Y, Z, install A, B, C and D apps, block L, M, N and O ports, and don't use the computer on alternate Mondays" route pro-Windows people tend to be. Not every OS is perfect, but, the shit that Windows users go through is not worth it.
Also, with your list of vulnerabilities, are these services that the average user is going to be running? It doesn't help to list 90 vulnerabilities with Apache when I'm clearly not talking about users who are running Apache.
Non impediti ratione cogitationus.
You're an idiot. Thankfully I've got insomnia and am willing to go point to point here.
never ONCE said it was "immune", or ANY OS is "completely immune", did I? As you say, USERS THEMSELVES are a 'problem' (PEBKAC, ever heard of it? It too, though, can be corrected via education), first of all, & as I said?? New 'holes' show up, in the OS & its apps that run on it, plus drivers & services also.
HOWEVER?
It appears that after my setup, per my own experiences, & that of others I show proof of (& I can produce more than the 1 I did that showed 2 people experiencing practical immunity, as long as they obey a few simple rules my guide illustrates though - funny that, eh?) that Windows CAN BE MADE SO, & again:
SO CAN USERS - with a bit of "education"!
IN fact, education, such as my guide yields for them!!
(& I put it on "rookie user" forums, the most, not where 'security gurus' are - they KNOW about it, but can only reach so many people... & it's those "rookie users" that need that info., more than anybody else does)...
You're missing the point. Windows *can* be made to be secure. Sure. Great. So can VAX/VMS. That doesn't make the product that ships out the door from Redmond gold. Firewalls, antiviruses, and antimalware apps just try to put a gold plating on a giant stinking turd.
In fact, for YOUR OS of choice? IF you possess the skills/savvy to do so?? DO 'spread the word' to them, on any platform you wish, as I have!
Here's my OS X safety guide:
"Don't download warez. Or, if you do, whenever it prompts you for a username and password, never give it. Ever. Also, your computer will occasionally ask you to install updates and reboot. I suggest doing this. Unless you know what you're doing, never enable Apache, FTP access, SSH or remote desktop. Ever."
(Mine's been used to the tune of nearly 300,000 views in only a yrs' time & also to the tune of my guide becoming a "sticky/pinned thread" or "most viewed" on some pretty widely travelled/well known forums in that short time frame, in fact, if not more by now)
So, why's that?
Windows users are sheep and willing to put up with a trash OS?
Well, like THRONKA said in the example quote of his in my 1st reply to you?? BECAUSE IT ACTUALLY WORKS, if the user applies cis tool, & its points, plus others I add onto it, & evidences thereof exist (I posted only 1 though)).
So what if it works, Windows is still trash.
And, as far as "no where on the scale it does on the Windows platform" in reference to *NIX's on the PC in general, especially for home users?
HEY: That's easy - 95% of the world's PC's run Windows NT-based OS', & how many of all the combined *NIX's do (especially on the most used CPU platform there is, in x86)?? Thus, Windows user represent the largest body of "ordinary grandma/uncle Joe type users", who are analogous to 1st year drivers of automobiles, when the MOST accidents tend to occur for them, until they become more experienced (I know, it happened to me in both cars & computers, & only makes sense it does then when you do not have a lot of experience or solid training).
Or let's look at this from a technical point of view. Windows ships with various WTFs out of the box. Take for example, and this is a damn good example, the RPC service, the one responsible for the famous Blaster worm, is necessary for copy and fucking paste. Copy and paste. WHY?!
Run an nmap on a given home user OS X machine and compare it with a given Windows machine. Be prepared to crap yourself. I worked at an ISP that had to block a largish array of ports because of all of the random shit Windows would keep open for something simple like File/Print sharing.
Also?
*NIX, on the PC, especially the "home user front", doesn't even SCRATCH the sur
Non impediti ratione cogitationus.
Noise.
Just. Noise.
I'm not sure if you're a clever troll or some sort of new take on Samir Gupta, or if you're just an idiot. But you're full of noise.
Clearly you don't know what a fallacy is, otherwise you wouldn't have used so many of them in your defense of Windows and limp wristed slapfight with Linux. Clearly you don't know what you're talking about. What the hell do you mean by "hardcodes?" Like, you helped some computer science PhD remove hardcoded variable values out of some application? What does that have to do with Windows security?
Please get off the internet. You clearly sound like a man who's never gotten laid. Ever. Try talking to a woman without mentioning the CIS Tool and maybe, just maybe, you can have your tool serviced too.
Non impediti ratione cogitationus.
You're digging your heels in, not listening to anything anyone ever has to say to you, because as you describe yourself, that you're above the level of experience of people who post here generally. I don't have a life. I'll admit it. But, I don't. So I'm biting.
Unfortunately, your conclusions are all wrong. Your history of past posting shows people pointing out everything wrong you've said.
What you've done has absolutely no bearing on whether or not you're right. We've got accomplished astronauts who say we've never gone to the moon and Nobel prize winning doctors who said you could treat cancer with Vitamins. They're obviously proven wrong. You're either a troll, trying to get people to argue with you, or you're an idiot because you don't know what the argument from authority fallacy means. It means that your arguments need to stand up on their own. Most of your posts are hyping up how awesome you are, yet you're sitting here on slashdot trolling away trying to ... I really don't actually know what you're trying to do. Either you're in troll mode, trying to get people like me worked up or you're going through cognitive dissonance so hard you're like Ted Haggard at a Castro Street pride festival.
Furthermore, Secunia is listing 5 major desktop/workstation releases of OS X as well as 6 major server releases of OS X as a single OS. If we took this logic and ran with it, the Windows NT 5 family, 2000, 2000 Server, 2000 Advanced Server, 2000 Datacenter, XP Home, XP Pro, XP Media Center, XP Starter, XP Tablet, XP 64bit, XP 64bit Pro, 2003 Server, 2003 Server SBE, 2003 server web, 2003 server enterprise, 2003 server datacenter, 2003 Compute Cluster Server, Windows Storage Server, HPC Server 2003, Home Server, 2003 with Chipotle Mayonnaise...
You'd wind up with *way* more listed vulnerabilities than you'd get from just counting a single version of NT5. That's why that number is pretty unreliable.
Plus they're listing things that aren't Apple's fault as being a "vulnerability."
(Same with Windows, but, this is why Secunia's listings are unreliable).
Also, things that Mark Russinovich has worked on really have no bearing on this discussion. The point of the discussion is, if Mac OSX or Linux or Solaris were more popular, would they have the same level of reported vulnerabilities as Windows does? The answer is easily no. The evidence is out there, I've given you an outline of the baseline technical reasons why this is, and yet you dig your heels in and go on really long and amusing tirades about your own guidelines, your work, and CIS Tools.
Who won in this discussion? I don't have to cover my ass on the internet when I boot my computer up. You do. I win. Until that changes, I win.
Non impediti ratione cogitationus.
You still do. Think other remotely exploitable holes won't appear in Apple's MacOS X? Think again - this is the "nature of the beast", & up until yesterday, & our discussion began BEFORE that?? MacOS X had a java hole that was big enough to drive a truck through...
A single Java flaw that took months to patch with no actual threat in the wild, despite how many machines were vulnerable prior (hint: that same flaw hit across all platforms; even Windows) versus...
ActiveX.
QED.
(THIS IS THE "SHEER ARROGANCE" as well as ignorance you display & others like yourself, that try to tell others "*NIX is impenetrable" when clearly, you STILL have a problem in MacOS X even now, & it produces 3 problems of System Access, DOS/DDOS, or Privilege Escalation possibilities - & the ONLY way you can 'shield yourself' vs. them, is to do SOME of what I do (alter permissions/access rights)).
Arrogance or did I just not buy a crapware OS? I just now ran nmap and the only service running is Bonjour. Which has no current vulnerabilities right now.
I win. GTFO.
Non impediti ratione cogitationus.
LOL, grow up, & get this simple point thru your head, ok? You do NOT own this website, nor are you even a moderator here... so ordering me around? LOL, waste of time, you don't have the clout for it (or the ability to 'get the better of me', period) & anyone is free to read this exchange & see the numerous errors you made throughout it, vs. the points & evidences I put out vs. your "straight outta pravda" propaganda.
Still doesn't mean I can't tell you to get the fuck off the internet.
When you learn to THINK FOR YOURSELF one day, hopefully? You'll choose your words, & opponents, more carefully (because anyone here reading can see your "foaming @ the mouth raging frothing replies" replete with profanities doubtless out of frustration from making SO MANY ERRORS here? They will decide for themselves as to "who won" here (& I can assure you, it is NOT yourself, based on your 'performance', or rather, lack thereof)).
Being a dedicated Windows user for about 10 to 15 years has gotten me to really think for myself.
I thought, "Maybe I want a machine that isn't going to die just from browsing the web." Then I got a Mac.
By the way? WHY are you avoiding my questions now
Because you're an idiot. It's something I can't stress to you enough. Stop flogging Windows. It's not secure. It's garbage.
Non impediti ratione cogitationus.
Fuck you.
Seriously. Fuck you.
Thomas Jefferson is often quoted with, "Ridicule is the only weapon which can be used against unintelligible propositions. Ideas must be distinct before reason can act upon them."
That is a way more valuable quote than it should be. It's almost my motto.
You follow him around, and mod him up.
I'd say that invalidates everything that he's been hyping about his own scores. Why isn't anyone else coming to his defense? It's because he's spouting largely bullshit nonsense.
Is OSX Flawed? Sure. Will running with a firewall or antivirus not completely trash my OS? No. Windows does not have that feature. It's a handy feature I like. Browser hijacks? Possible, but not likely. Nor is it any concern to me. It's an acceptable risk because quite frankly, Firefox is a difficult browser to hijack. Break, sure, that's one thing, but completely hijack it and do funny things to it? That's another story altogether.
This is the put up or shut up moment. Put up a page I can go to, and I'll put a file on my desktop. It'll be chowned to root:root and if you can read it, I'll concede defeat.
Non impediti ratione cogitationus.
Clearly you're illiterate.
I said that "Yes, it occurs, but never has OSX been patched."
Wait, that's what you claim I said, what I actually said was:
"Yes, it occurs, but never has OSX been patched so copy and paste is no longer an infection vector. Or Autorun. Or..."
If you quote that entire statement I meant to say that there's never been a patch released for OSX to remove an infection vector that is caused by a basic OS function like copy and paste. This makes you, an asshole. A huge one at that.
Here's the put up and shut up moment I gave the other asshole.
Put up a page that I can get to that has some sort of browser hijack that can get you to read a file on my ~/Desktop directory that's chowned root:root. We'll work the details out later over email or something, but, put up or shut up.
Own my box or go the fuck home and stop bothering people.
Non impediti ratione cogitationus.
Blahblahblah.
Users shouldn't have to follow guides to make their computer secure. this is like saying, "Your car could explode at any moment, but if you listen to Car Talk, and follow their advice you'll be fine." Not that I don't like Car Talk, but I think it's abusive for an OS vendor to require this level of user diligence for a consumer OS.
As I told the other two assholes.
Put up or shut up.
Put up a page that can read the contents of a file on my desktop owned to root that isn't readable by everyone and it'sg roup is set to root. Do that, and i'll shut up and buy a Dell and follow your faggoty little guides to lock it down.
or if you can't, go the fuck home and stop bothering random slashdotters. You commented to me, and if I don't stop you no one will.
Non impediti ratione cogitationus.
Did I just fail the turing test?
Non impediti ratione cogitationus.
Fuck you.
It's not cracking or breaking if someone tells you in a public forum to do something and you do it. I know there are dozens of various browser cracking techniques that go across various browser platforms. From IE to Firefox to Webkit based browsers or even Opera. The challenge I have for you is put up some sort of proof of concept. Prove in some sort of live environment that connecting with a Mac or *NIX machine is inherently as unsafe as Windows. Particularly when that machine has little to no outside listening services. You can sit here and link to me all the technical documents you want, the thing I'm asking you to do is *prove* it. *do* it.
I'm not claiming OS X is in any way invincible, but, what I am saying is that when you consider the typical system usage, OSX, *NIX, BSD, etc. all employ sane enough and safe enough security considerations for the average user and that by telling a user that if they don't follow your guides that you're going to risk your entire machine is pretty bogus. If the OS wasn't shit in the first place, then you wouldn't need to fill in the gaps. The browser's always a security risk, but I'm willing to bet that breaking any given Mac/*NIX browser is going to be more difficult than Windows and IE, or even Windows and Firefox/Opera/Webkit Browser Goes Here, because of how lax security is, even in Vista, even in Seven.
Non impediti ratione cogitationus.
Have you ever considered not posting unreadable walls of text?
Non impediti ratione cogitationus.
It surely seems that others understand me just fine, per the 100 or so "upward mods" I received here ->
Had you understood what a fallacy is, we wouldn't be having this conversation. Just because you were modded up doesn't mean that people agree with you or even understand you. Looking at your list of posts, it seems like you randomly pick fights and expect your friends to come by and mod you up. Unfortunately, there's no real way to determine why someone gave you +5 or +4. Clearly meta-moderation isn't working.
I'll explain this to you simply and I'll type slowly so you can understand this.
Those 4 posts where you got +5? 1 was a milquetoast post about graphics cards and the rest were misinformed IT rantings that everyone jumped on you about, one of which isn't +5 anymore, it's +2.
(Looking at your list of +4s, clearly I'm not the first one who's tangled with you.)
Why don't you just have a normal slashdot account where people can track your comment history so they can see that you're making more noise than signal? The last time I heard SNR this bad was when I used to listen to AM radio from several states away.
Or are you afraid of registering because you can't get banned as an A/C permanently? Looks like even Ars Technica got fed up with your shit and banned you. Are you sure you're not autistic? You keep ignoring the things people tell you, you're stubborn and you act like a child, oh yeah and you claim to be a computer programmer(I KID! I KID!). The signs are there.
Non impediti ratione cogitationus.
AND, there is the fact that around 100 people modded me up here also -> http://news.slashdot.org/comments.pl?sid=1229289&cid=27933241 that show others clearly do understand my comments! You may not like it, but the fact stands, I was modded up for good reasons (unlike yours here which my first post disproved right away & my continued posts got you "frothing @ the mouth" because that was all you had vs. their facts, lol!)
100 mod points isn't 100 people. It's 100 mod points. You can repeatedly mod someone up +1 over and over again. Someone with a good streak of luck and a whole lot of mod points could mod you up quick. Or a cadre of idiots who would follow you around.
(like your suggesting the use of chroot, breaking a constraint I had no less of using a browser in its default launch & setup online, where I showed you about "chroot jail breaks" even making THAT statement of yours null & void, as well as an ineffective measure for security online)
It's a put up or shut up moment. Either browsing is inherently safe or it's unsafe. Prove me wrong that running a default install of Mac OSX 10.5 with Firefox can be as unsafe as IE7 on Vista and I'll shut up. You don't even have to put something up, just point me to a proof of concept that someone else put up and I'll do it.
You said it: Any registered user here is TOO easily tracked, for "trolling purposes"... simple! I avoid it the easiest way possible or make it harder on trolls to do is all by posting as A/C... again, simple, & it works.
And running around signing your name on your posts isn't going to be tracked either? Christ, it's just a slashdot account, it's not a social security number.
Yes, the maximum one can be "modded up" here, no less... harder on us "A/C"'s by far, even getting a +1 mod up, because WE start @ zero!
This is where you lose this argument entirely.
I had more to that statement. Most importantly, that the times you got modded up +5 you were either saying something unrelated to OS/Browser security or you were contradicted. OR you were modded down.
Granted, that's 3 special cases, but...
And, like you? They too, lost badly... why else was I modded up THAT highly after all? Can you show me 100++ mod ups for you?? The +1 & +2 don't count for you, as you are a registered user, so, let's see a list of your +3 thru +5 then, ok???
http://slashdot.org/RyuuzakiTetsuya/comments
Or are you too much of a skilled programmer to find the "comments" section? Christ.
There is no "banning me": IF I want "in", I can be back in, in seconds... Heh, speaking of arstechnica? I learned how to do it from their trolls in fact by watching them do that to forum admins to harass them, from an old site called 3dFiles.
Sure, change your IP on your NIC, get a spare gmail account, and creating a new account can easily swerve a ban. But that doesn't take the stink and disgrace of being banned from a major, reputable tech site because you were an idiot who wouldn't shut up or stop using symbols in place of common, everyday words.
Oh, by the way? Answer these questions please, & quit evading them (and try not to go "off topic" anymore & be profane):
It's my right as an American to be a filthy son of a bitch. But I'll answer your questions anyway.
A.) HOW WOULD YOU SECURE THE SINGLE KNOWN MacOS X (971 total exploits discovered over time) security vulnerability?
install 10.5, run software update and not install any app that I didn't trust.
Done. Takes less than 20 minutes to run software update.
B.) Can you do it as easily as I can in fixin
Non impediti ratione cogitationus.
Also, my bad.
my comments section is at:
http://slashdot.org/~RyuuzakiTetsuya/comments/
Non impediti ratione cogitationus.
HOW CAN YOU STATE THAT, when I quote each of your points & reply to them? Explain that...
Easily. Take this snippet:
"Those 4 posts where you got +5?" - by RyuuzakiTetsuya (195424) on Saturday June 20, @01:05AM (#28399371)
Yes, the maximum one can be "modded up" here, no less... harder on us "A/C"'s by far, even getting a +1 mod up, because WE start @ zero!
From: http://slashdot.org/comments.pl?sid=1267281&cid=28399371
What you will do is snip off where ever it is convenient for you not to have to face a certain reality then quote that and take that on like it's the point I'm making. That's called the straw man fallacy.
The full quote was:
Those 4 posts where you got +5? 1 was a milquetoast post about graphics cards and the rest were misinformed IT rantings that everyone jumped on you about, one of which isn't +5 anymore, it's +2.
Anyone following this thread would see that you're an asshole, a troll, an idiot or painfully all three.
On a debate level, you are losing. This would be an F- in any college level debate class. Maybe an F+.
Non impediti ratione cogitationus.
1.) When you get your PHD in English? Then, you can comment on others writing...
Are you a native English speaker? Your English is terrible for a native speaker. It's great and above average for a non native. Talk to me when you can put "a" and "t" together and not get @.
2.) When you get your PHD in psychiatry?? Then you can say I have 'autism' etc. et al (which without one, & a formal analysis being performed on myself for that? You're also now libelling me here)...
Pointing out the obvious signs of autism isn't libel, it's a statement of fact. Asking isn't implying, it's genuinely asking, have you ever been diagnosed autistic? Is it libel? No. Cheap shot? Sure.
(Libel only applies if you can make a case my statement would damage your image in an untrue sort of way. Asking is not making a statement; the Enquirer knows this first hand).
3.) When you have appeared 10x or more in respected publications in this field, as I have, or have commercial code for a serverware maker that takes that company to a finalist position 2x in a row @ Microsoft tech ed or other noted competition etc. or when you have had freeware/shareware do as well as mine had over time???
Being published in your field doesn't make you more or less right, it makes you incredibly embarrassed if you're ever proven wrong by someone who isn't. That's the fallacy of arguing from authority alone. "Because I am in position, I am right." As opposed to, "Experience tells me will happen for reasons, therefore I am right."
Non impediti ratione cogitationus.
One last thing, I meant change MAC on your nic, renew IP from your ISP, not change IP on NIC.
(Changing mac will force DHCP to spit out a new IP and let you browse with a new IP address.)
Non impediti ratione cogitationus.
(like your suggesting the use of chroot, breaking a constraint I had no less of using a browser in its default launch & setup online, where I showed you about "chroot jail breaks" even making THAT statement of yours null & void, as well as an ineffective measure for security online)
Actually my suggestion was to make a file on my machine somewhere chowned to root:root(user:group). Not chrooting Firefox, the browser I'd be using to attach to whatever honey pot you'd have set up.
Chroot only affects processes that have chroot jails setup. :) I knew something was fishy when I read that statement. I'm talking about you exploiting my browser, escalating Firefox's privs to root, then doing *something* demonstrable with it. You're talking about chroot, I'm talking about actual system security.
Non impediti ratione cogitationus.
"Anyone following this thread would see that you're an asshole, a troll, an idiot or painfully all three" - RyuuzakiTetsuya (195424) on Sunday June 21, @11:38PM (#28416257)
Sure, sure - after the 100's of profanities you spoied here when frustrated, I am certain they'd think otherwise... just like your reply now, above...
APK
Saying "fuck" doesn't make me wrong, it makes me an asshole. There's a difference.
Falling FAR SHORT of those from APPLE themselves above, in addition to SECUNIA.COM's recommendation vs. the single exploit unpatched & present on MacOS X also, which do MUCH of what I suggest for Windows folks with proofs via the quotes of others that used them in addition to being either most viewed, sticky pinned threads, essential guides, & 300,000++ views in a single year of them across 20 forums...apk
Those are the security guidelines if you're in the mood to lock down your machine incredibly tight; not usable. Data encryption, disabling mic input, password protecting startup, etc. all are great if you're a corporate user and you're worried about someone snooping in on your machine, or the target of industrial sabotage. Not average home user concerns. What I was talking about in the original post versus what you're advocating are two different things.
No, average users shouldn't have to lock down their machines like this. If Apple proposed this be the case for the average home user, that too, would be user abuse.
If you're a business and you're handling sensitive data, sure, go right ahead, but, if you're not, why bother?
Non impediti ratione cogitationus.
Yes, I am.
If you're a native English speaker, then please, type like you have a greater than average command of the language.
How the hell did you get published with your atrocious use of the language?
It's libel if you don't have a PHD & cannot practice psychiatry, and if you have not performed such an analysis formally on me... and?
I was asking if you were diagnosed. I wasn't practicing psychiatry. I was just putting 1 and 1 together to try to get 2.
Did I say it did in regards to this exchange & topic (which you have gone off topic on numerous times already in)... I only posted it in response to what you asked of "WHO ARE YOU?" is all... &, it also showed you have done not even 1/10th of what I have in this field that others noted as good.... nor 1/100th of the mods I have here even either!
Yes, yes you have. You've made statements that, because you've been published and had your work everywhere that it makes you immune to criticism. It does not.
Non impediti ratione cogitationus.
HURR
DURR
HURRDURRR
This is going to keep going in circles. I'm tired of it. You have no intentions at all with seriously answering point to point in an honest fashion or even keeping up with the conversation at hand. I keep advocating what the typical user will see. They're not going to see people trying to break their browser and access their microphone. They should not be expected to face the kinds of automated, distributed attacks that would require a firewall. It's excessive.
Finally no amount of external hardening is going to change the fact that Windows itself is about as solid and reliable as cardboard is as a building material. Yes, by being extremely careful, picking software, components, drivers and vendors with care you can hit the magical 5 9s of reliability and higher, but, this doesn't change the fact that you've got to tip toe around it like it could break at any moment.
Non impediti ratione cogitationus.
Let me ask you this one thing.
When you are using a computer, are you going to advocate complete safety with no margin for error or failure? No acceptable risk at all?
If so, would you get into a car that only had lap and shoulder belts and moderately used tires or would you be not happy unless you had a 5 point racing harness and fresh tires and brakes?
Non impediti ratione cogitationus.
Users of my guide apparently do as I have seen, no problems... & it works, AND FOR LESS THAN THE UPWARDS OF (or greater than) the $3,000 you spent on your Mac!
My macmini was only 500 and my macbook was only 999. You can get a MacBook Pro for 1,129. MacBook Airs are now only 1,500! Talk about a straw man argument.
Non impediti ratione cogitationus.
Do you ever shut up?
Non impediti ratione cogitationus.
Well, users can take 1-2 hours & get the SAME from Windows... for less than $3,000, this is certain!
No, you don't. You get open user permissions and a kernel that's more than happy to escalate privileges to System just by asking *really* nicely. You also don't get a real file system either. or a real TCP/IP stack. Or memory management worth a damn. Or a graphical subsystem that's been doing what Aero glass has been doing since 2001. or a sane driver model. or...
Non impediti ratione cogitationus.
A straw man argument is an argument made when you make up some point about your opponent's argument and then accuse your opponent of taking a stand on that point. You made up the point that Macs cost over 3000, when you can buy a mac for under a grand.
You are officially an idiot.
Non impediti ratione cogitationus.
No amount of hardening is going to change the fact that UAC is a complete joke when it comes to system security, or that DirectX is a hopeless kludge or that the networking stack completely sucks.
Also, a Windows Server license for 2003 and 2008 is about a thousand dollars. A Leopard Server license costs something like 500 bucks. Who overspent now?
Non impediti ratione cogitationus.
I do have the facts.
The fact is, unless you're running something that opens ports and leaves you waiting to accept packets from somewhere, you're safe. Period. Your browser is always a vector for infection, but nothing you can (other than regular patching) do can really stop a compromised browser from performing a privilege escalation then doing whatever the fuck it wants. I chose Mac OS X because that's a little bit more difficult than under Windows (well, one of the many reasons; Windows *sucks* and *NIX variants really don't have the app support I want; Linux is pretty damn close though, but between various window managers, Xfree, X.org, etc, usability sucks compared to OSX).
Period.
Non impediti ratione cogitationus.
You spent #2,000 for a Mac?
Actually, the day I left the windows world was when I came home from work, found that there was a lovely little love letter from the OS, "Disk not found." Disk shit itself due to motherboard failure. I needed a new motherboard, a new HD, a new PSU(Voltages were a little funny when I went to check whether or not the board failed because I bought the cheapest PSU I could find), and other various pieces of new hardware.
Instead, I bought a Mac Mini. $500 bucks. Came with XCode too. My crappy choices in hardware weren't what pushed me to buy a Mac. I knew that I chose the cheapest parts on the market, and I got what I paid for. I knew I was going to buy an OEM machine instead of build a new one because I now really don't have the care to choose good parts, choose good suppliers and build the whole thing. When I considered new hardware I also considered a new OS. Sun puts out a Solaris box for under a grand and that was tempting, but the Mini was simply cheaper and had *much* better app support.
It's got security issues galore in its time too
Yes, because Linux boxes are more likely to run stuff like ssh services, web services, ftp services, so on and so forth. That's where the security failures are.
& other hassles (sound system coding Adobe said, for instance, is a nightmare & recently, ext4 caused file damage/losses & still does if a coder doesn't alter his coding (how many can be reached for that @ once etc. et al) for filesystem usages, forcing wholesale rebuilds of any app that talks to the system possibly (not all, but most do though for MANY things)... printer support, & usb problems are others I have heard over time, as well as the "this runs on Windows but not Linux" variety (Gigabyte IRAM, anyone, as a SINGLE example with many more I could put out?))
and this is why I bought a mac! :D
Further more:
http://www.infoworld.com/t/platforms/windows-inherently-more-vulnerable-malware-attacks-os-x-489?page=0,2
QED.
Non impediti ratione cogitationus.
NOW - the day that MacOS X can run as many softwares for as many purposes as Windows does, as well as MacOS X being able to run as many hardwares for varieties of purposes? THEN, then the Apple folks have something to cheer about - but, that day's not here now, & hasn't been for the existence of the Mac! AND THE DAY MacOS X can be shown to keep a high tpm stock exchange up & running into the "fabled 5-9's" as Windows Server has for 5 yrs. now running stable/secure & F A S T? Then, maybe, I'll listen to b.s. like the above...... apk
OSX *can* pull five nines. It's only on Windows where five nines of reliability are fabled.
Non impediti ratione cogitationus.
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?showtopic=2662 [tcmagazine.com]
I'd hate to break this to you, but when I made the switch, my PC had died. Dead HDD, dead motherboard, dead PSU, and possibly dead RAM. Your guide is not a guide to necromancing dead PC hardware for free or even cheap. It's how to harden a crapware OS.
Non impediti ratione cogitationus.
You would have said it many posts ago...
It wasn't relevant. Why I made the switch and what ultimately forced me into it are two different things.
Show me once where I said it was for THAT? Thanks...
Yea, lol, U can blow THAT much ca$h, or this 4 free:
I had the choice of either blowing 500 dollars on an OEM Windows machine that would utterly suck or 500 bucks on a unix workstation that's roughly the size of a plate of toast. Granted the graphics chip on it sucks but that's why I own a PS3.
Non impediti ratione cogitationus.
What EXACTLY "forced you into it"?
Not having a computer forced me to buy one, considering how necessary one is to even keep up these days.
I was considering best quality for price, this included OS. Had I bought a cheapass Windows machine, it'd still come with Windows. Had I bought a mac, it would come with a real OS.
Non impediti ratione cogitationus.
You realize that APK, MEK_LoveBug, and the other AC's responding to you are all the same person right? I salute your stamina in bothering to try and talk sense to him.
:)
He's an ill-informed troll, and his posts usually simply break down into pointless ranting about how you can't say anything because you're not an "expert" - as defined by him - whereas he is an expert based on a handful of online journal publications, and thus his statements are unassailable.
But I suppose you've worked that out for yourself already.
Yep. That's what I said, and I don't believe I stuttered, so I guess you read me properly.
You are an ill-informed troll.
I never said anything about RyuuzakiTetsuya, so I don't know why you're trying to criticize him to me. I merely provided independent confirmation to him that you are an ill-informed troll, because I've seen your foaming-at-the-mouth rants in previous articles too.
For the record, I happen to agree with his assessment of the relative merits of Windows security versus Mac/Linux security - Mac & Linux are - by default - more secure than a default Windows install. Any system (including Windows) can be made insecure, and any system (including Windows) can be hardened. However, out of the box, Linux & Mac OS have more sensible security defaults for a hostile network environment than Windows does, and require less hardening to get secure & less patching to keep secure.
None of the three are perfect. In my opinion, Mac OS is more locked down than I'd like in some respects, and doesn't support some software that I'd love to see ported over there; Linux has a generally lackluster user experience and requires too much fiddling to configure; Windows requires too much patching, is unstable, and provides a "middle of the road" user experience at the expense of a lot of administration work.
However, let's assume that comparing raw numbers of vulnerabilities means anything. Let's look at the number of patched advisories, and their relative criticality.
Secunia has issued 130 advisories since 2003 for Mac OS X - that's all versions of Mac OS X. Of them, 5 out of 130 advisories remain unpatched, and the most critical of those patches is rated as "Moderately Critical" - a 3/5 on a 5-point criticality scale.
Now let's look at your precious Microsoft Windows Server 2003 Enterprise Edition, even though 1 version of Windows versus every version of Mac OS X is not a true apples-to-apples comparison. There have been 191 Secunia advisories since 2003 for that operating system. Of those, 13 out of 191 remain unpatched, with the most critical unpatched advisory rated as an "Extremely Critical" (a 5/5 on a 5-point criticality scale. The worst possible.)
So, Windows 2003 server has more unpatched vulnerabilities in absolute numbers, and also its unpatched vulnerabilities are more critical in terms of the amount of access an attacker can gain by exploiting the vulnerabilities.
So what about my statement that "Windows is less secure, by default, than Mac OS" is disproved by these statistics? Raw numbers of vulnerabilities are absolutely not to be used to compare the "relative security" of two systems, which Secunia themselves go out of their way to state.
You fail. You didn't read any of my post, or any of the links. You've proven your inability to read or formulate a coherent thought. Secunia themselves state that the numbers of vulnerabilities should not be used to compare the security of two different products.
By "1 unpatched", I presume you mean "1 unpatched advisory that was discovered in 2009," right? What about ones discovered in previous years that are still unpatched, which are included in the numbers I provided to you? You keep linking to Secunia, I suggest that you learn how to read their advisories.
I also provided links to the relevant "list of advisory" pages where advisories for Mac OS X and Windows Server 2003 EE are described, and the numbers I quoted you are directly from those pages.
Advisories are the actual confirmed issue writeup Secunia does. Vulnerabilities are simply "a big list of things people have reported to us as being a problem." Vulnerabilities have not been vetted or inspected for accuracy, duplication, or anything else.
In summary: Advisories are what matter. Unpatched advisories are what matter. Windows Server 2003 Enterprise Edition has more unpatched advisories than does Mac OS X, and it has more severe unpatched advisories than does Mac OS X.
The question was not "Can these problems be fixed?" The question was, "Which is more secure by default?" By default, Windows has more unpatched problems with more critical impact.
I can't say this any more plainly: YOU ARE WRONG. If you cannot read Secunia and understand what you are reading, and how it relates to Mac OS and Windows, then we have no basis for conversation.
You have demonstrated your inability to do this at every turn.
Good day.
First, let's look at the open issues, and how they're exploited:
So how do I secure my system against these attacks? Simple, really:
My Mac has been on the internet for 2.5 years with these precautions, and I've never once had to do anything more than apply system updates as they're rolled out to keep my system secure.
You can dick around with crippling your Windows box so it can't play videos and mess around with ACLs on your files all you want. Have fun - while you're doing that, I'll be busy over here, actually using my more-secure-by-default computer to do things that are productive and enjoyable.