Slashdot Mirror


Microsoft Files Suits Against "Malvertisers"

eldavojohn writes "Reuters is bringing us news of five civil lawsuits filed by Microsoft against 'Soft Solutions,' 'Direct Ad,' 'qiweroqw.com,' 'ITmeter Inc,' and 'ote2008.info' that allege they 'used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.' Microsoft's Tim Cranton outlined the suits and provided links to all the filings for download. 'Cranton added that names of specific individuals behind these activities were not known and the lawsuits were being filed to help uncover the people responsible.'"

205 comments

  1. Brain... locking... up... by NecroPuppy · · Score: 3, Funny

    Shatnerian... levels... of... confusion...

    Who... to... root... for... or... against...

    Microsoft... or... the... malware... people...

    --
    I like you, Stuart. You're not like everyone else, here, at Slashdot.
  2. Re:Brain... locking... up... by Abreu · · Score: 1, Funny

    The enemy of my enemy?

    Nah!

    I wish them joy of each other!

    --
    No sig for the moment.
  3. Microsoft Up to Something Good? by gpronger · · Score: 2, Insightful

    I suspect the main hurdle will be at getting the individuals behind the businesses. Must admit that this is the first time I've read about this approach to malware distribution, but I may simply be out of the loop.

    Greg

    1. Re:Microsoft Up to Something Good? by sexconker · · Score: 5, Funny

      I suspect the main hurdle here will be the court clerk reading "qiweroqw.com" aloud.

    2. Re:Microsoft Up to Something Good? by Anonymous Coward · · Score: 0

      Must admit that this is the first time I've read about this approach to malware distribution, but I may simply be out of the loop.

      Yes, you are out of the loop. Or you were. Looks like you might be coming back into the loop, now that you know. I've known this was going on since 2004 or so.

    3. Re:Microsoft Up to Something Good? by robot256 · · Score: 1

      Unless you've been browsing with Ad-block for as long as you can remember, I would be very surprised if you haven't come across those annoying "Scan your computer" or "Your computer is infected, click here to repair!" banner ads. There used to be pop-up message boxes with them a lot too, and they have been around for as long as I can remember.

    4. Re:Microsoft Up to Something Good? by Threni · · Score: 1

      I don't use ad blocking software because I like being advertised to all the time, and getting dodgy software installed which hijacks my browser and logs my key strokes is a small price to pay to keep websites (who just take other people's information for free and render it in html) going.

    5. Re:Microsoft Up to Something Good? by robot256 · · Score: 1

      That is the first time I've ever heard anyone say that malware is a "small price to pay" for web content. It's like agreeing to drive across a bridge without tolls, but every millionth trip the owner has the right to steal your car and your credit card. Unless of course that was sarcasm I detected.

  4. Re:Brain... locking... up... by samcan · · Score: 0, Troll

    I have a bad feeling about this...

  5. Re:Brain... locking... up... by T+Murphy · · Score: 1

    Well said.

  6. This is a great idea! by tetsukaze · · Score: 5, Insightful

    These activities hurt Microsoft's reputation as well as being a huge burden to users of their products. Microsoft has the money and power to put the hurt on the bad guys. This is win win.

  7. Re:Brain... locking... up... by someone1234 · · Score: 0, Troll

    It's a no brainer, there are two evils fighting.
    One of them has some legal business, the other is purely illegal and harmful.
    Choose the lesser evil.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  8. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Wrong franchise

  9. Tagging this as 'irony' by SgtChaireBourne · · Score: 0, Troll

    This is getting tagged 'irony'

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  10. If you don't give the Godfather his cut... by TheBilgeRat · · Score: 2, Funny

    He gets cranky.

  11. This seems similar... by hbean · · Score: 1

    ...to the time Blizzard sued several of the largest WoW gold farmers. Here's hoping it works better lol.

    --
    "Give someone a program, frustrate them for a day... Teach someone to program, frustrate them for a lifetime."
    1. Re:This seems similar... by __aagctu1952 · · Score: 2, Informative

      ...to the time Blizzard sued several of the largest WoW gold farmers. Here's hoping it works better lol.

      While my feelings towards the parent post may be colored by the Pavlovian hatred I feel every time someone uses "lol" as a word in a sentence, how are they in any way similar?

      Let's compare the two:
      a) Committing fraud to compromise people's computers, violating their privacy and potentially exposing them to such risks as identity theft or credit card theft.
      b) Selling gold in an online RPG, causing no direct harm to anyone.

      And unlike Blizzard who went after a bot creator through a ridiculous copyright claim that should have been thrown out of court at first glance, Microsoft is fully in the right here.

    2. Re:This seems similar... by Anonymous Coward · · Score: 0

      Selling gold in an online RPG, causing no direct harm to anyone.

      ... except for the people whose accounts get scammed, stripped, and deleted, furthering the aims of those self-same gold farmers...

      ... except for the third-world "employees" of those very same gold farming operations, forced to "play" WoW for 12-20 hours per day, at ridiculous pay rates (less than a dollar a day)...

      ... except for the experience of those legitimate gamers who do *NOT* enjoy having hackers spam the main cities with websites made of player corpses... full of "give us your money, we'll give you coin-of-the-realm" (I'm looking at you, "susanexpress", and you, "g2by.com")...

      ... except for those people who have their identity stolen because their account was hacked, subsequent to buying gold/powerlevelling from these "legitimate" services...

    3. Re:This seems similar... by Anonymous Coward · · Score: 0

      ... except for the people whose accounts get scammed, stripped, and deleted, furthering the aims of those self-same gold farmers...

      Straw man. Account hacking is a completely separate issue from gold farming.

      ... except for the third-world "employees" of those very same gold farming operations, forced to "play" WoW for 12-20 hours per day, at ridiculous pay rates (less than a dollar a day)...

      Yeah, it's much better they go unemployed...

      ... except for the experience of those legitimate gamers who do *NOT* enjoy having hackers spam the main cities with websites made of player corpses... full of "give us your money, we'll give you coin-of-the-realm" (I'm looking at you, "susanexpress", and you, "g2by.com")...

      OH THE HUMANITY! And this is direct harm how?

      ... except for those people who have their identity stolen because their account was hacked, subsequent to buying gold/powerlevelling from these "legitimate" services...

      See #1.

    4. Re:This seems similar... by Rakarra · · Score: 1

      b) Selling gold in an online RPG, causing no direct harm to anyone.

      And unlike Blizzard who went after a bot creator through a ridiculous copyright claim that should have been thrown out of court at first glance, Microsoft is fully in the right here.

      Except that the gold sold by gold sellers is usually not farmed up, it's stolen from people who had their account hacked. Several people in my guild were hacked before authenticators became popular, and the result was the same -- all items not bound to the character were transferred off. All items bound to the character were vendored. All items that the character had access to were removed from the guild bank. All gold was similarly transferred off. You don't know if a gold seller got the gold through legitimate farming or whether it just came from hacked accounts. That's why the account hacking question is very relevant to this discussion.

  12. Re:Brain... locking... up... by someone1234 · · Score: 2, Interesting

    It's a no brainer for two reasons.

    1. There are two evils fighting.
    One of them has some legal business, the other is purely illegal and harmful.
    Choose the lesser evil.

    2. The malware people don't work to eradicate M$. So, if they 'win', it means both evils stay around.
    M$ doesn't have much chance, but if they 'win', it means, one (or more) evil stops bothering us.
    Choose the meaningful choice.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  13. About time by moniker127 · · Score: 1

    After these fuckers spending years creating malware that specifically targets Microsoft products, I say: IT'S ABOUT FUCKING TIME. Go Microsoft!

  14. Re:Brain... locking... up... by Anonymous Coward · · Score: 2, Insightful

    Must be hard casting everything as absolute good or evil.

    Enjoy your cognitive dissonance. You may, in time, grow to have an intellectually mature point of view.

  15. Re:Brain... locking... up... by Overzeetop · · Score: 3, Funny

    One of them has some legal business, the other is purely illegal and harmful.
    Choose the lesser evil.

    Yeah, but I still have a hard time supporting the malware vendors.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  16. Re:Brain... locking... up... by gnick · · Score: 3, Insightful

    I don't entirely understand the fight though. Is MS suing these folks for damage done only to their company directly? Or possibly for some kind of defamation by making Windows appear insecure? Or are they suing on behalf of everyone affected by these ass-hats? Like a class-action thing on behalf of everyone with a computer?

    --
    He's getting rather old, but he's a good mouse.
  17. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    It's a no brainer, there are two evils fighting.
    One of them has some legal business, the other is purely illegal and harmful.
    Choose the lesser evil.

    Which one is which, again?

  18. Ads With Fake Virus Scan Alerts by WebmasterNeal · · Score: 1

    I didn't RTFA, but who does? Anyway when I saw the description it instantly reminded me of those ads that pretend to popup a textbox stating that you have a virus.

    --
    "During My Service In The United States Congress, I Took The Initiative In Creating The Internet." -Al Gore
  19. What do we know about these "Advertisers"? by LitelySalted · · Score: 1

    The article linked in the topic doesn't have very many details about who or what these companies are.
    I imagine that the majority of Malware sources are from some overseas nation (Russian derivatives most likely) and that filing these suits probably will go nowhere.

    It is possible this is just a Microsoft publicity stunt designed to deter these kinds of businesses from propagating.

  20. As a Mac user, I say go Microsoft go! by Yvan256 · · Score: 2, Funny

    Less malware = less infected Windows boxes = less useless traffic on the internet.

    Linux users should applaud this too.

    Of course BSD users can't applaud, because Netcraft confirmed they're dying.

    1. Re:As a Mac user, I say go Microsoft go! by Anonymous Coward · · Score: 2, Funny

      BSD users can't applaud because the linux app hasn't been ported yet.

    2. Re:As a Mac user, I say go Microsoft go! by Anonymous Coward · · Score: 0

      As a Mac user
      Of course BSD users can't applaud

      Brain hurting *cough* freebsd *cough* osx based on next/freebsd *cough*

    3. Re:As a Mac user, I say go Microsoft go! by Anonymous Coward · · Score: 0

      You can't run Mac OS X programs on plain BSD.

  21. Standing? by seanadams.com · · Score: 1

    Aside from customers perhaps deciding to jump ship to a more secure OS, was Microsoft actually wronged in any direct sense here? Wouldn't they have to organize a class action for this to go anywhere?

    1. Re:Standing? by drosboro · · Score: 1

      Why do you need anything aside from customers jumping ship from MS's OS? Seems to me that's grounds enough for a suit right there.

    2. Re:Standing? by pdabbadabba · · Score: 2, Interesting

      Wouldn't they have to organize a class action for this to go anywhere?

      Probably not. This sounds like tortious interference to me. The theory is that Microsoft's interests are damaged by a third party interfering in its relationship with its customers. When it comes to calculating damages there are all sorts of theories you could use. As you say, any would probably start with lost customers, but you can also look at higher support costs, reduced sale of upgrades (moving to a non-MS OS is not necessary for MS to lose profits), stymied growth in market share, etc.

      Of course, if we're interested in the consumers' remedies, that's a whole different can of worms. They couldn't sue for tortious interference (probably) because they're not the ones engaged in the relevant business activities. But they might be able to bring other causes of action (in fraud, for example). They could sue individually, but if they want to get a big shot lawyer involved they would need to go for a class action so there's a bigger lump payout to take fees out of.

      (IANAL, but I am a law student. I am not competent to give real legal advice.)

    3. Re:Standing? by pdabbadabba · · Score: 1

      I heard you like italics...

    4. Re:Standing? by seanadams.com · · Score: 1

      Why do you need anything aside from customers jumping ship from MS's OS? Seems to me that's grounds enough for a suit right there.

      I was making the assertion in a sort of tongue in cheek way. Not only is it indirect and difficult to prove, it would also make for an altogether incredibly pathetic PR stunt. I'm questioning their intent to actually follow through with this beyond a fishing expedition.

    5. Re:Standing? by ajlisows · · Score: 1

      I really am not sure here, but perhaps the cost associated with creating patches for exploits could be thrown into the equation. It is a sort of backwards and stupid way of looking at things but if people did not spend time trying to exploit the insecurities of Windows to steal money or information from Windows Users, Microsoft would not have to spend money to fix these issues which have nothing to do with actual usability of the product. A security breach is only an issue if there are people out there who try to make use of it. Of course, there will always be people to exploit security holes.

  22. Re:Brain... locking... up... by icannotthinkofaname · · Score: 0, Troll

    One of them has some legal business, the other is purely illegal and harmful.

    We know that Microsoft is harmful and has been convicted of an illegal monopoly, but I thought that people have also been jailed for distributing malware before.

    So, you'll have to be more specific than "one of them" and "the other."

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  23. why they are doing this by Lord+Ender · · Score: 2, Insightful

    Other stories have demonstrated that someone at Microsoft has finally recognized the threat of cloud computing. The apps which most people use today don't require Windows; they just require a browser. Since browsers are available on Linux and Apple systems, and these systems aren't plagued by the horrible malware situation of Windows, Microsoft has no choice but to attempt to clean up the malware situation. The alternative is a situation in which everyone who can get what they need from the cloud will have a strong incentive to move to MacOS or Linux.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:why they are doing this by Jeremy+Erwin · · Score: 1

      Are you trolling for an "Insightful?"

    2. Re:why they are doing this by Anonymous Coward · · Score: 0

      Do you know what the word "trolling" means?

    3. Re:why they are doing this by mldi · · Score: 1

      Other stories have demonstrated that someone at Microsoft has finally recognized the threat of cloud computing. The apps which most people use today don't require Windows; they just require a browser. Since browsers are available on Linux and Apple systems, and these systems aren't plagued by the horrible malware situation of Windows, Microsoft has no choice but to attempt to clean up the malware situation. The alternative is a situation in which everyone who can get what they need from the cloud will have a strong incentive to move to MacOS or Linux.

      Not so sure how much influence "cloud computing" will really have on consumers, especially businesses. Either way though, this is a good strategy for M$.

      --
      If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
    4. Re:why they are doing this by Jeremy+Erwin · · Score: 1

      I'm not much into angling.

    5. Re:why they are doing this by pdabbadabba · · Score: 2, Interesting

      I don't know if you're trolling or not, but I think you're almost certainly correct (and, btw, that your -1 Troll mod probably isn't fair). Though bear in mind that MS has always had an incentive to clean up the malware situation proportional to the risk of its customers defecting to another OS. The threat of cloud computing to them just cranks up the risk, and thus the incentive. Whether or not it definitively tipped the scales in this case is hard to know - maybe they would have gone ahead with this 5 years ago if their lawyers told them they could win - but I'm sure it had some effect.

  24. Re:Brain... locking... up... by CorporateSuit · · Score: 5, Funny

    wish them joy of each other!

    Anger is an aphrodisiac. The Malware companies have been seducing Microsoft for all this time, and now Microsoft has finally broken the ice. Its tsundere approach only quickens the heartbeat of the malware companies. Once Microsoft has them in court, the judge is throwing the book at them, the Malware companies will look up to Microsoft and say "You have me where you want me, now what do you want to do with me?"

    At which point, Microsoft will smile, the fade of anger will reveal the flush of lust behind it. From the conjoining of these two, sweaty bodies of software production will emerge the glow of new life -- Microsoft Windows Lovechild.

    The spawn of Microsoft and Malware will install itself upon any computer it comes in contact with. Lovechild (or MWL for short) will ask the user "You really want this installed on your system don't you?" If you type "N" it changes the background color to an alluring pink and says "Sometimes, when a user is scared, when they say 'no' they mean 'yes'" and then it proceeds to install itself upon your system.

    --
    I am the richest astronaut ever to win the superbowl.
  25. Re:Brain... locking... up... by FudRucker · · Score: 1, Flamebait

    What I see Microsoft really doing is...

    since Microsoft can not (or will not) build secure operating systems and the operating systems they do produce have a long standing reputation of vulnerabilities they are going to sue the people that take advantage of the stupider customers of their products, so in the long run Microsoft is just protecting the stupider customers proving Microsoft likes stupid customers that do not tend to learn from their mistakes (who are most likely the biggest part of their customer base)...

    so it all boils down to the greedy protecting the stupid so the greedy can keep selling them poorly designed products...

    --
    Politics is Treachery, Religion is Brainwashing
  26. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Three words: Mutually Assured Destruction!

  27. Re:Brain... locking... up... by Jurily · · Score: 1

    Steve, is that you?

  28. Kee-weh-roh-koo dot com by tepples · · Score: 1

    I suspect the main hurdle here will be the court clerk reading "qiweroqw.com" aloud.

    Kee-weh-roh-koo dot com, until corrected by a reputable witness. Perhaps some people who are linguistic Americans[1] might have trouble, but anyone exposed to other languages will try sounding out a word in all known languages at once, plus IPA notation.

    [1] In the sense of the old joke: The word for understanding three languages is trilingual, two languages is bilingual, one language is American.

    1. Re:Kee-weh-roh-koo dot com by huckamania · · Score: 2, Insightful

      That would explain all the immigrants in the US that can't speak or learn English. They must have been kicked out of their own countries for not being bilingual. It's okay though, cause we provide them with translators (who must be imported from some other country).

  29. Re:Brain... locking... up... by AnRkey · · Score: 0, Troll

    Who cares....? The only reason that anyone has to be sued at all in the first place is due to the fact that badly written software has no other defense these days.... MS is getting the courts to do its dirty work and it's probably cheaper than just writing better software. Corporations eh?

  30. Re:Brain... locking... up... by mcgrew · · Score: 1

    I'm often modded down for trashing Microsoft, most of whose products and business practices I don't like, but in this case I'm cheering them on.

    'scuse me, the phone's ringing...

    It was Satan, she invited me to go skiing with her in her back yard. IN HELL.

  31. Re:Brain... locking... up... by Tibor+the+Hun · · Score: 1

    Your sig line is ironic in relation to your post.

    The users aren't stupid if they are confused by what looks like a legitimate warning telling them to update their virus-scanner.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  32. Re:Brain... locking... up... by superdana · · Score: 0

    They're suing for "unjust enrichment and intentional interference with contractual relationships and business expectancies." They're additionally suing DirectAd for breach of contract and fraud. They claim that malvertisements and trojans were uploaded to their ad servers, that "scareware" sites use Microsoft trademarks illegally, and that Microsoft has suffered increased costs and harm to its reputation. They also say that DirectAd falsely claimed to represent a travel agency (featured in one of their malvertisements) when they placed ads with Microsoft.

  33. Re:Brain... locking... up... by rickb928 · · Score: 4, Insightful

    If you can't choose a side in this, you're being disingenuous. Just stop it, and for once make sense.

    Your only real complaint should be that the Department of Justice, multiple state Attorneys General, or motivated citizens haven't already pursued these civil actions. And the DoJ etc. should be considering criminal actions, but are no doubt distracted by any number of safer, simpler, and easier to prosecute villains.

    There is simply no excuse for going after the worst of these weasels, and expanding the fight overseas when they flee to supposed safe havens. I wish Microsoft good hunting on this one. Let's get after them to patch XP's TCP stack also, but at least DO SOMETHING, someone, please?

    Me? I'm no good at suits.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  34. Re:Brain... locking... up... by EvilBudMan · · Score: 1

    The action here is simple. The enemy of my enemy is temporarily my friend. M$ go get them or better yet fix your damn security. The last few days have spun some heads, that's for sure.

  35. Re:Brain... locking... up... by sopssa · · Score: 5, Insightful

    You can blame "insecurity" of Windows all you want, but do you actually have an answer to how to make it better then? Before all the usual arguments come:

    - These malware work just as well on a user account, you do not need admin/root access.
    - Locking up the whole OS so that the user is in a 100% controlled environment is a no go, as seen here on Slashdot about the iPhone and other systems that do it.
    - Malware goes where the user is. If Linux had ~95% marketshare on desktops, the majority of malware would be there because that's where the users are.
    - There's nothing on Linux that does anything to prevent this kind of malware - you only get more security because there's not many users. If you suggest everyone moving to it, what happens?
    - Conficker excluded, there's not really exploits in Windows itself nowadays. They're mostly from third party software like Flash and PDF reader.

    This isn't about OS security, it's about user stupidity to install random crap. That wouldn't change even if the OS marketshare would be different.

  36. Re:Brain... locking... up... by sqrt(2) · · Score: 3, Insightful

    The most secure OS in the world, not even Linux nor OSX, isn't going to be able to protect you when you decide to authorize and run an .exe file you downloaded.

    --
    If you build it, nerds will come. Soylentnews.org
  37. Re:Brain... locking... up... by jbezorg · · Score: 3, Funny

    *backs away slowly*

    --
    I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
  38. Re:Brain... locking... up... by furby076 · · Score: 1, Insightful

    You get modded down for trash talking MS? On which web forums? Certainly not slashdot. Getting Karma Excellente' is assured by trash talking MS.

    --

    I do not support "The Man". I also do not support your irrational stupidity
  39. slashdotted by karlanm · · Score: 1

    Darn it, qiweroqw.com got slashdotted, I just got my resume ready too!

  40. Still scanning by downright · · Score: 2, Funny

    Hang on a minute... I want to comment but the original article is scanning my hard drive for viruses and I'm afraid of what might happen if I press back... better let it finish to be safe.

  41. a big laugh by Anonymous Coward · · Score: 0

    When visiting these sites you'll see a fake virus scan on your machine, your local C drive infected, a lot of malware in each dir, sounds silly but when I see them I laugh all the time....

    because I've a Linux box :-)
    A colleague of mine was even scared and he told me: "hey watch out, your computer is infected", I've replied : "nice warning but this is not the operating system you're looking for (StarWars), I'm using linux !"

  42. Re:Brain... locking... up... by Capt.DrumkenBum · · Score: 2

    I need a shower after reading that...
    I don't think I will ever truly be clean again.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  43. Huh? Malware by Anonymous Coward · · Score: 0

    I always run Windows as a limited user. Malware has attacked me before; it wasn't allowed to be installed. Is this just me? Or is everyone who runs as administrator on the internet just crazy?
    In fact sometimes messages in my event log document the refusal something like insufficient permissions to install blah blah

  44. Re:Brain... locking... up... by Runaway1956 · · Score: 0

    "Is MS suing these folks for damage done only to their company directly? "

    No, from TFA:

    "Microsoft works vigilantly, using both technology and the law, to fight illegal activity that undermines people's trust in the Internet and online services."

    But, it seems to me that if MS stopped working on superfluous bullshit, and concentrated on improving security, they might beat the malware people without ever going to court.

    Yeah - security has improved with the release of Win7 - but give it time.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  45. Re:Brain... locking... up... by Khyber · · Score: 3, Insightful

    You know, I think you need more perspective on this.

    It's not the insecurity of Windows, it's the Insecurity of all these third party plugins (JAVASCRIPT, FLASH, I'M LOOKING AT YOU) that cause these problems to start with, plus DRM rootkits on music discs and movies that open up more holes in our system.

    New technology, new vulnerabilities and exploits. Flash and JavaScript are the two most commonly used points of infection.

    Really, the fault isn't entirely on Microsoft. Start blaming Adobe, Sun Systems, and the Music/Movie industry, as the biggest part of this lies squarely upon their shoulders.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  46. Malicious Advertising? by erroneus · · Score: 1

    My definition of malicious advertising is, perhaps, different from most. To me, nearly all advertising these days is a nuisance, a bother and does not show adequate respect for my eyes or my attention. I recall the earliest days of advertising on the internet and how angry it made people back then. It wasn't nearly as bad as it is now and look at how passive people have become toward it. (I guess it is rather like taxation... the tax rates and practices that lead to the U.S. Revolutionary War were nothing compared to what we have today.)

    I haven't yet read about what "grounds" these suits are being filed on. The public is harmed by the type of fraud these advertisers are perpetrating... not Microsoft... not directly. It does seem to weaken Microsoft's reputation for security and stability a bit, but no more than they do to themselves.

    I hope Microsoft takes the "antibiotic" approach to the problem and kills them ALL. If you don't, the survivors will come back stronger and harder to kill. Then we will have "super-lawsuit-resistant-malware-advertisers."

    1. Re:Malicious Advertising? by Anonymous Coward · · Score: 0

      Oh, you mean like the way we did with spam? Congress passes a bill that declares spam legal, then details what spam is illegal... Sort of a "How To Spam People Legally" for the spammers to follow. I HOPE that is why M$ is doing this, because if Joe Wilson et al. attempt this it is going to fuck everyone connected to this version of the internet.

  47. Re:Brain... locking... up... by ClosedSource · · Score: 1

    "superfluous bullshit"

    Yes, because if they eliminated malware it would make Windows' vulnerabilities irrelevant and give users one less reason to switch to another OS. It's not really as if anyone cares about the users as long as they use the politically correct OS.

  48. Re:Brain... locking... up... by whoever57 · · Score: 1

    You get modded down for trash talking MS? On which web forums? Certainly not slashdot.

    Yes, you may get modded down on /. for trash talking MS. It's happened to me multiple times. It depends on the topic -- in some topics, one can trash talk MS with impunity, in others the MS supporters will use their mod points against you.

    --
    The real "Libtards" are the Libertarians!
  49. Re:Brain... locking... up... by ClosedSource · · Score: 1

    "We know that Microsoft is harmful and has been convicted of an illegal monopoly"

    Well, now we know that you don't know the difference between criminal and civil law in the US.

  50. Re:Brain... locking... up... by Sulphur · · Score: 1

    Computer doesn't compute.
    Generator doesn't gen.
    Battery doesn't bat.
    Pistons don't work either.

    --

    We do not repeat gossip, so listen carefully.

  51. Re:Brain... locking... up... by ClosedSource · · Score: 2, Funny

    "since microsoft can not (or will not) build secure operating systems"

    MS could build a more secure OS than Windows but nobody would buy it because they want to run Windows apps.

  52. Re:Brain... locking... up... by tftp · · Score: 1

    But, it seems to me that if MS stopped working on superfluous bullshit, and concentrated on improving security, they might beat the malware people without ever going to court.

    I think Microsoft can afford to do both. Besides, perfect security may be achievable only if the end user is not physically allowed to install or run *anything* that MS haven't signed. Obviously that isn't going to work - and if MS allows users to install 3rd party apps that's where malware people come into play. Scare the user, offer a free remedy, and have him install and run your zombie!

  53. Irony by Anonymous Coward · · Score: 0

    The really odd thing here is the thought of cloud computing 'helping' Linux while at the same time hurting the FSF/RMS.

  54. Re:Brain... locking... up... by b4upoo · · Score: 1

    Microsoft doesn't need any help at all in looking bad.

  55. Warning: unwarrented personal attack by ClosedSource · · Score: 1

    True, but they could still get the clap from RMS.

  56. Re:Brain... locking... up... by QuoteMstr · · Score: 2, Informative
  57. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    by sqrt(2)
    "The most secure OS in the world, not even Linux nor OSX, isn't going to be able to protect you when you decide to authorize and run an .exe file you downloaded."

    Question. Since I've never had one single flying lesson in my life, would you say I was stupid if I got into a Learjet, only to crash and burn? Or, if someone who had never been in a tractor trailer decided to jump in and drive one - would he be stupid when he drove it off the side of a mountain?

    I say, operating something that you are not qualified to operate is indeed a sign of stupidity. As sqrt points out, no amount of security will protect the clueless.

    Malware has been talked about in every major news outlet in the world. Only the braindead can be unaware of the risks of downloading executables from untrusted sites.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  58. Re:Brain... locking... up... by MobileTatsu-NJG · · Score: 1

    What I see microsoft really doing is...

    since microsoft can not (or will not) build secure operating systems and the operating systems ... so it all boils down to the greedy protecting the stupid so the greedy can keep selling them poorly designed products...

    Personally I could see Microsoft just doing this so nobody notices that they're drowning baby kittens for fun. I mean it's easy to picture, right?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  59. I hope MS wins. by aussersterne · · Score: 2, Funny

    I could not be more tired of phone calls from family, friends, and even colleagues that begin with a breathless version of "Hey I need your help I think my computer is totally virus infected I got this warning the other day that I had 2342384 viruses in all these folders and did I want to install a free tool to clean them up and I said okay and it installed but I think I was too slow because now my computer is really slow and keeps doing strange things and I get all of these porn popups?!?! I wish I had clicked yes to automatically download and install it faster, but I clicked yes as fast as I could what should I do now nothing is working and these naked lady popups just keep coming!!!!!?"

    --
    STOP . AMERICA . NOW
    1. Re:I hope MS wins. by Esc7 · · Score: 1

      That is too real to be funny to me :(

    2. Re:I hope MS wins. by Minimalist360 · · Score: 1

      I got one of these phone calls in my inbox literally as I was reading this. It's from someone that got the popup on nytimes.com, covered on slashdot earlier.

      The person's claim is that they knew better, but it looked a LOT like Vista UAC etc, and that he was using Firefox and the way it was scripted it was very hard not to run it. He said he actually brought up task manager, killed Firefox, and when he re-ran Firefox, the same exact thing happened so he thought it was some crazy new MS security thing and that he had some kind of infected Firefox, so he clicked ok on a dialog, was expecting it to allow him to save the EXE, but instead it downloaded it and ran it.

      Not sure I believe that very last part, but I personally just verified the rest of it on another site installing the same malware, and wow yeah, it's really hard to just make this thing go away. Try closing the Firefox tab, it brings up a popup that makes it hard to make a decision about what to do because of the way it's worded, then I finally killed Firefox, and when I ran it next time, sure enough it brought the same page back up (I guess this is a feature of Firefox in case it crashed you can get right back to where you were) and I had to download the exe to get out of it without going into configuration files.

  60. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    Suppose that they can afford to do both. Why haven't they done the latter?

    Choices include, 1: don't want to 2: don't know how 3: don't understand the need to do so 4: no amount of money would be enough 5: it's more lucrative to sell unsecure systems

    Add more choices, as you see fit. Maybe Ballmer will sign in here, to explain which if any choice is right.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  61. Re:Brain... locking... up... by countertrolling · · Score: 1

    Which one?

    --
    For justice, we must go to Don Corleone
  62. Notice to /. of Intellectual Property Infringement by srobert · · Score: 1, Funny

    The words "malvertise", "malvertisement", "malvertising", and similar variants are registered trademarks of Microsoft Corporation. Slashdot's use of these words in this posting and accompanying comments is an infringement of Microsoft's intellectual property. Please remove all references to these words from this website, pending consideration for further action by our legal department.
    Thank You.
    Chairman, Bill Gates
      and "Flying Chair Man", Steve Ballmer

  63. Re:Brain... locking... up... by Kamokazi · · Score: 3, Insightful

    Actually the Conficker hole was patched nearly a year ago. Microsoft has gotten their shit together with security so much recently that you can legitimately argue that it may be comparable to your average Linux distro...I'm not saying that is the case, I REALLY do not want to go down that path, my overall point is that 5 years ago, anyone who made the statement I just did would have been ridiculed as a moron, and rightly so.

    But you hit very good points...no matter how secure an OS is, it has to listen to its dumbfuck user. The only way to protect against stupid users is to limit rights to oblivion, but then you limit the usefulness of the system. In most cases, the OS cannot determine what is desired behavior of a program or not.

    --
    As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
  64. Re:Brain... locking... up... by AliasMarlowe · · Score: 3, Funny

    if MS stopped working on superfluous bullshit

    Bullshit is not superfluous to MS.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  65. Re:Brain... locking... up... by OwnedByTwoCats · · Score: 1, Offtopic

    No, the voters chose Gore over Bush. Even in Florida. Somehow, the greater evil took power anyway.

  66. Lawsuits are not enough by macdaddy357 · · Score: 1

    Microsoft should hire some hitmen and have them whacked.

    --
    How ya like dat?
  67. Re:Brain... locking... up... by h.ross.perot · · Score: 1

    Choose the lesser evil.

    Isn't that how Bush and Obama got to be Presidents?

    You're not just whistling Dixie, there..

    --
    ... I'll have a Pan Galactic Gargle Blaster with a side of Plutonium Nyborg ...
  68. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Choose the lesser evil.

    Isn't that how Bush and Obama got to be Presidents?

    You're right. Choice can only lead to disaster. Dictatorship is the way to go.

  69. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    - These malware work just as well on user account, you do not need admin/root access.

    I believe that is mostly, if not entirely correct. Obviously, there is a design flaw in security; a user account should never be capable of screwing up system files and system settings. Period.

    - Malware goes where the user is. If linux had ~95% marketshare on desktops, majority of malware would be there because that's where the users are.
    - There's nothing on Linux that does anything to prevent this kind of malware - you only get more security because there's not many users. If you suggest everyone moving to it, what happens?

    That is speculation, opinion, and FUD. Unix like systems are simply not prone to the types of exploits that Windows has always been wide open to. (ActiveX for example) It's easy to imagine that malware writers would shift to Linux, but Linux' response would be to write patches after patches, and shut each exploit down as it was exposed.

    - Conficker excluded, there's not really exploits in the Windows itself nowadays. They're mostly from third party software like Flash and PDF reader.

    If that were entirely true, then the same exploits would work on Linux. I don't see that - can you provide any citations?

    - Locking up the whole OS so that user is in 100% controlled environment is a no go, as seeing here on slashdot about iphone and other systems that do it.

    Unix like OS's have set the example. Establish trusted repositories for software. TRUSTED repositories, not a bazaar type place where just everyone can put software. Publish everywhere possible all the information about those trusted repositories, and how to use them. Make it unequivocally clear that software from sources outside of those repositories is VERY HIGH RISK!!!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  70. Re:Brain... locking... up... by dgatwood · · Score: 1

    It's actually pretty simple to get most of the way there:

    • The entire OS is write protected.
    • No code allowed in the kernel unless signed by a key from a company whose key is signed by the OS vendor, with a command-line software switch to disable the check for geeks who want to tinker, confident in the knowledge that people are more terrified of the command line than they are of anything else, including malware.
    • All applications and plug-ins must be self-contained bundles of files. No outside helpers may be installed anywhere.
    • Code outside an application or plug-in bundle is not executable except while the "I'm a geek/coder" switch mentioned above is set.
    • All applications and plug-ins must be signed unless the "I'm a geek flag" is set.
    • All applications and plug-ins immediately become write protected upon drop. The kernel must ensure that the drop operation is atomic from the perspective of applications.
    • Applications and plug-ins must use a system-provided service for self-updating, and must include a list of valid source domains in a property list within the app or plug-in bundle to prevent plug-ins from being able to masquerade as the app and overwrite it.
    • A central plug-in manager UI should show each application and what plug-ins are installed, allowing you to enable and disable them at will.
    • The plug-in manager must not use any APIs whose behavior can be altered by any system-level plug-in.
    • All applications that support plug-ins must provide a matching dictionary to indicate the type of plug-ins it supports. Plug-ins must provide a matching dictionary to indicate the services they vend. An OS-provided service then provides a list of matching plug-ins to the application upon request, and tells the application which plug-ins the user has enabled/disabled.
    • A plug-in shall be disabled until explicitly enabled by the user in the plug-in manager. The application may, however, open a URI that brings up the correct pane in the PIM to simplify the user experience.
    • All background daemons and cron jobs must be manually enabled by the user.
    • All reads and writes to user files (all files outside of the preferences or caches folders) can only occur after the file is opened through a standard file dialog, and only until the application closes the file.
    • All applications must provide a list of exported symbols against which a plug-in can link. Access to other symbols will fail.
    • All plug-ins should be run out of process by marshaling the exported function calls across IPC. Attempts to read arbitrary pointers will fail. The OS should provide an mallocForPlugIn() function to allocate a memory region shared with plug-ins.

    With those relatively minor changes, arbitrary code execution bugs (unless you can find a vulnerability in a system service that runs as root) can only succeed in destroying any currently open user file, and can neither permanently inflict harm on the OS or apps, nor persist after the app quits in any significant form. And to the extent that malware could cause harm by tricking the user into installing a system-level plug-in that causes bad behavior, removing such malware would require at most one click in the plug-in manager. At that point, 99.999% of the malware problem goes away. Sadly, these ideas are pretty similar to the ones I came up with when I was still in elementary school. They're beyond obvious....

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  71. Re:Brain... locking... up... by OwnedByTwoCats · · Score: 2, Informative

    I don't believe you can run an .exe file on Linux or MacOSX. You can only do that in Windows.

    MacOSX tells me whenever I ask it to run a file downloaded from the net for the first time. The OS needs to get in the user's face a little, because downloaded executables carry risks that executables installed from local media do not.

  72. Re:Brain... locking... up... by tftp · · Score: 2, Insightful
    1. "don't want to" - this is not so, they made commitment to security several years ago and they removed all the insecure (and unsecurable) API calls from their software. For example, see this. Unfortunately strcpy is still alive and well in 3rd party products, and MS can't do much about that.
    2. "don't know how to" - may be true sometimes, Windows is complex and nobody actually understands all the interactions.
    3. "don't understand the need to do so" - this lawsuit clearly shows that at least now MS understands that their lack of security hurts them.
    4. "no amount of money would be enough" - recent releases of Windows were kind of OK, so I guess they already spent most of the needed money and achieved most of achievable results.
    5. "it's more lucrative to sell insecure systems" - MS doesn't sell systems, but it handles security incidents, often on its own dime.

    I think the #2 is most important here. Windows is just too big to be fully understood. I'm sure there are tons of security-critical bugs in the code that is rarely used. It is very difficult to review and sanitize that code, especially if it "just works" and changes are likely to add bugs, not to reduce them. Additionally, more and more (percentage-wise) malware is distributed through social engineering, running .scr attachments, etc. - and that path is hard to close without going iPhone all the way.

    In any case, the technical side of things is handled by one department and the legal side of things is handled by another department. I see no reason to pit them against each other. There are complaints about technical faults of the OS, but they should be addressed only to the development side of the house.

  73. Re:Brain... locking... up... by Locutus · · Score: 1

    The problem here is that Microsoft's best customers, those clueless fools who fall for these malvertisements, are the same people who will get sick of paying over $200 a shot to have someone fix their computer and after 2 or 3 times will jump ship to the Mac. I've already seen this so I can see why this has Microsoft concerned.

    These computer illiterates are the same people who just keep using what is preloaded and what's on retail store shelves because they are already afraid of the computer and their only comfort is that they know what a few icons look like on Windows so they don't want to look at anything else. But when their computers keep falling to pieces and they keep hearing more and more about Apple and even hear things about this stuff called Linux, they find that cutting their losses and getting a Mac isn't so scary because they already have an iPod and others around them might have a Mac too. Linux might be around them but it's more likely buried so they don't know it or the geeks running it are not hanging out or talking about it to these neophytes.

    I also wonder if the problem doesn't have something to do with selling advertising on BING and Microsoft's inability to figure out a way to block the bad stuff. Microsoft wants to use multimedia based ads while Google sticks to the simple text-based ads which are tough to use to scare people with.

    Whatever happens it doesn't really bother me since those getting suckered into getting their systems whacked need an education one way or another so I could care less if Microsoft succeeds at this. Just as long as bandwidth stays high enough to still get stuff done.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  74. Malvertisements! by Nerdposeur · · Score: 1

    ...used malvertisements ...that peddled scareware...

    I'm sick of these malvertisements peddling scareware, crapulizing the comfuser's failurating system. It's just not cromulent.

  75. M.A.D. by mcamino · · Score: 1

    Microsoft Vs Malware writers is like Megashark vs Octopus. In the end they both will destroy each other so let's rejoice at this battle both sides will not win.

  76. No, this is easy by Anonymous Coward · · Score: 0
    Support both in such a way as to make them equally powerful.

    This increases the chances that they will destroy each other mutually.

  77. Re:Brain... locking... up... by Sloppy · · Score: 1

    Microsoft products are lame compared to industry averages, and they use network effects to cause their lack of quality to not harm their marketshare. In other words, they're evil -- but it's a limited sort of evil. It's not like they're shredding puppies. All they have done is retard progress in the computer industry, and perhaps (though unlikely) the computer state of the art.

    Whenever Microsoft is in court, though, I almost always root for them. Microsoft fucks with (or more often: gets fucked by) companies that are even more evil than them.

    Now I just have to figure out why Microsoft thinks they have any standing to go after malware. But then I guess they have an office full of computers and unfortunately for them, they do eat their own dog food, so maybe all their computers got infected or something.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  78. Re:Brain... locking... up... by 10101001+10101001 · · Score: 1

    There's nothing on Linux that does anything to prevent this kind of malware - you only get more security because there's not many users.

    "This kind of malware" is scareware. Scareware is software that claims you've been infected, probably through a software exploit, and that you need to install their software to fix the problem. It's social engineering. To that end, if Linux had significant market share, 99.999%* of installed software would come through a distribution's package management system. Ie, virtually all software installed would be vetted by a distribution.

    Microsoft's problem, as it were, is that they don't vet software. This includes not only run of the mill software but also anti-malware software. As a result, people in the Windows world are left to fend for themselves when it comes to finding and installing anti-malware software. If Linux had significant market share, it's quite possible that there'd be more malware released for Linux. However, anti-malware would be vetted and be a part of most Linux distributions as well.

    Ie, scareware websites couldn't work except on true idiots because people would know that on a Linux platform, downloading and installing programs off websites is dangerous and unnecessary. Windows users probably will never be able to have the same sentiment because there's no one in the Windows world that can be trusted to vet software. Microsoft has too much of a vested interest in their own software, and virtually no other company is in a position to withstand lawsuits when malware gets through. I'm not sure how immune Linux distributions would be in the same circumstance, but I think they'd be legally safer giving away the software for free.

    *The number would be 100% for almost everyone, but people who still compiled things (and idiots) would drag down the average.

    --
    Eurohacker European paranoia, gun rights, and h
  79. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    All reads and writes to user files (all files outside of the preferences or caches folders) can only occur after the file is opened through a standard file dialog, and only until the application closes the file.

    This would stop command line programs that work on files - unless you also allow any file listed on the command line (either directly or globbed) to also be opened by the application.

    Personally I think the system that NetBSD offers of allowing the kernel to refuse to run any application that doesn't have a matching hash in a secure list to be a better bet.

  80. Re:Brain... locking... up... by mcgrew · · Score: 1

    Getting excellent karma is assured by being insightful and informative, as well as getting stories posted to the front page. If you have excellent karma you don't have to worry about the occasional downmod.

    Hell, I've been modded down for dissing Sony, of all people.

  81. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    This is one of those times you hope for mutually assured destruction, men.

  82. Re:Brain... locking... up... by FatdogHaiku · · Score: 1

    I need a shower after reading that... I don't think I will ever truly be clean again.

    format, rinse, repeat.

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  83. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    There is no such thing as an illegal monopoly or a legal monopoly. Period. What is not allowed is using a monopoly position (or near monopoly) in one sector to squelch competition in another. MS used their near monopoly position in the OS sector to squelch competition in the browser sector. The fact that they have a near monopoly on the desktop is perfectly legal. Monopolies exist. Sometimes they exist because they are granted by law (such as when a cable company is given a monopoly on service provision in an area to compensate for the actual cost of laying the cable. We won't argue on if it should be that way or not. It is.) Sometimes monopolies exist because they provide a better product, sometimes it is from smart marketing. MS is even perfectly allowed to use its near monopoly position to its advantage to keep hardware manufacturers from selling systems with other OSes on them. Using marketing power to increase one's share further is legal. It's not legal to use it for peripheral markets.

  84. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    Wow. I'm impressed. The list looks pretty darned comprehensive. What's more, some of those ideas Linux to improve security. The plugins thing, and the "authorized" repository for instance. My browsers are actually rather sloppy about that, now that you point it out.

    You should get onto one of the major Linux development teams, and sell them on the idea. You know how Linux is - get great ideas incorporated in one distro, and the rest tend to pick them up. ;^)

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  85. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    Well - I don't have the most_secure_configuration in the world. I can download and click a .exe on my Linux desktops, and since they are associated with Wine, they run. Of course, the random .exe will fail to install itself, because the malware writer wasn't targeting Linux or Wine.

    If I'm ever bitten by this little bit of carelessness, I will do things differently.

    BUT, we are right back to the idea that a user with a clue won't download and run that random .exe.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  86. Re:Brain... locking... up... by RiotingPacifist · · Score: 1

    A secure OS would make sure that all code downloaded from the net is identified to the user as code downloaded from the net and its source/publisher, and a secure OS does not allow the downloaded code to execute until after the user has acknowledged that it is a downloaded program and given explicit permission.

    By that standard, are there any secure OSs? I know it can be done with Linux and apparmor+policykit; however, I've never actually seen it done.

    --
    IranAir Flight 655 never forget!
  87. Re:Notice to /. of Intellectual Property Infringem by rwv · · Score: 1

    The words "malvertise", "malvertisement", "malvertising", and similar variants are registered trademarks of Microsoft Corporation.

    No. I looked it up just cause your post hadn't been modded Funny yet. But I did find that "MalwareBytes" is a registered trademark of the MalwareBytes Corp. of Bensenville, Illinois 60106.

  88. Ideas on "making it better"? Absolutely by Anonymous Coward · · Score: 0

    "You can blame "insecurity" of Windows all you want, but do you actually have an answer to how to make it better then?" - by sopssa (1498795) * on Friday September 18, @02:37PM (#29469609)

    First - See my subject-line above, & my response now to your quoted words:

    Like MANY things? Hey - it starts (like ANY changes do, good ones included) with YOU!

    E.G.-> AND, folks like those @ SANS are only apparently JUST NOW, "hitting upon" ->

    SANS Report Says Organizations Focusing On the Wrong Security Threats

    http://tech.slashdot.org/article.pl?sid=09/09/15/1621258

    AND, that's a large part of what I alluded to in this guide I wrote up for securing Windows-NT based OS' (& more) back @ the end of 2007 (& years before in 1998 onwards @ NTCompatible.com + Neowin.com online via earlier (older & less effective security & speed guides I authored over the past decade & 1/2++ for others - like anyone, I learn more as I go)):

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "Fun-To-Do", via CIS Tool Guidance (& beyond):

    -----

    http://www.tcmagazine.com/forums/index.php?s=ece4b55a7490f8a09729caf1fea4b743&showtopic=2662

    -----

    TESTIMONIAL OF ITS EFFECTIVENESS FOR AN END-USER TECH & HIS CLIENTS:

    ----

    http://www.xtremepccentral.com/forums/showthread.php?s=feead501552d2d549fc607f5ccb524fd&t=28430&page=3 [xtremepccentral.com]

    "It's 2009 - still trouble free! I was told last week by a coworker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local." THRONKA, user @ xtremepccentral.com

    ----

    (He's one of many like that, because it REALLY works - most techs know this I figure, but, they also stand to "profit by others' misfortunes" because I had done my time on jobs of that nature & 90% of your day is clearing malware infestations up, & many "Mom & Pop" shop techs will tell you the same - for them? MALWARE IS MONEY IN THEIR POCKETS, albeit, @ the victim's expense (& it's NOT CHEAP to undo, if you do not know how that's done yourself (my guide has steps for that too, that I never once failed on in fact (only memory resident rootkits "stymie" me, & then it's repave time (thank goodness you rarely see those though)))

    So far?

    As you can see? It really does work for better security AND a F A S T E R online experience as well...

    In fact??

    This guide I put out to others in late 2007/early 2008 (extending ones I had done a decade before @ NTCompatible.com + Neowin.com (where it is STILL featured & rated well)) was my "personal effort" to help others, & in this very capacity (& it was my New Year's Resolution in 2008 to do so in fact) that this article speaks of - educate users? They cannot be suckered (or, @ least as easily)...

    E.G.-> On 15/20 forums it has been featured on, it has been rated "5/5 star" or made an "Essent

  89. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    I'd probably say well done for managing to take off...

  90. Re:Brain... locking... up... by shutdown+-p+now · · Score: 3, Informative

    Except that IIS has fewer. Let's see:

    IIS7, first released in a server OS (Win2K8 - it was actually present in Vista before that, but no-one would run a server using it, so we don't consider that period) in January 2008, has 2 vulnerabilities in its entire lifetime, and only one of those is remote. That makes it 1 vulnerability per 10 months, or 1 remote vulnerability (which is usually what you care about for servers exposed on the Net) per 20 months.

    Apache 2.2, first released in December 2005, has 16 vulnerabilities in its entire lifetime, 15 out of which are remote. That's roughly 1 remote vulnerability every 3 months.

    "Oh, but no-one uses Win2K8 and IIS7", I hear people saying. Very well, let's look at the generation before that - IIS6 vs Apache 2.0. IIS6 was released with Win2K3 in April 2003; Apache 2.0 was released in April 2002, a year before that. Let's see:

    IIS6 - 8 vulnerabilities to date
    Apache 2.0 - 38 vulnerabilities to date

    In the interests of fairness it should be noted that a larger percentage - twice as many - of IIS6 vulnerabilities would give the attacker system access (i.e. provide an infection vector), compared to Apache. Even so, in absolute numbers, it's 3 system access vulnerabilities for IIS6 vs 7 such vulnerabilities for Apache. So, even accounting for that extra year, Apache still has worse security record overall for the last two major releases (or the last 6 years).

    A secure OS would make sure that all code downloaded from the net is identified to the user as code downloaded from the net and its source/publisher, and a secure OS does not allow the downloaded code to execute until after the user has acknowledged that it is a downloaded program and given explicit permission.

    This is precisely what Vista and Win7 do. If you download an executable, it will have a flag set in file meta-information that basically indicates that the source was network... when you run it, the OS will warn you and ask to confirm.

    The problem is that this is not fool-proof. Consider this: how is the OS supposed to know that file comes from the network? From OS point of view, files don't "come" from anywhere - it's just that some application opens a file and starts writing data into it. The fact that said data was received from an open socket to a remote server a few milliseconds ago is not something an OS can reasonably detect. Thus, it really is all up to application to set the flag correctly. IE does that, and so does Firefox; other browsers might, or they might not.

    Meanwhile, no other desktop OS that I know of does anything similar, and it's certainly quite possible for a Linux browser to download an executable file and chmod+x it - the OS won't stop it, because how could it possibly know that it's a bad thing, or even distinguish such a syscall from another one originating from user explicitly running chmod in the shell?
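
The download flag described in the comment above, as an added example that is not part of the original post: on Windows/NTFS the flag is stored in an alternate data stream named `Zone.Identifier` that the downloading application writes, so a file saved by an application that skips this step looks local. The launch policy, the extension list and the sample stream contents below are assumptions constructed for illustration.

```python
"""Added example: the "came from the network" flag is metadata written by the
downloading application. Sample stream contents below are constructed."""
import configparser
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows URL security zones as stored in the ZoneId key of the stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Hypothetical list of extensions this audit treats as directly runnable.
RUNNABLE = (".exe", ".msi", ".bat", ".cmd", ".js", ".vbs", ".scr")


@dataclass
class OriginMark:
    zone_id: int
    host_url: Optional[str] = None
    referrer_url: Optional[str] = None


def read_mark_text(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream for path, or None if absent.
    Only meaningful on NTFS; on other filesystems the open() normally fails."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_mark(text: str) -> Optional[OriginMark]:
    """Parse stream contents. None means the mark is present but malformed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the key case as written (ZoneId, HostUrl)
    try:
        cp.read_string(text)
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    if zone_id not in ZONES:
        return None
    return OriginMark(zone_id, section.get("HostUrl"),
                      section.get("ReferrerUrl"))


def launch_decision(mark_text: Optional[str]) -> str:
    """Simplified launch policy for illustration, not Windows' exact behaviour."""
    if mark_text is None:
        # No mark at all: nothing distinguishes this file from a local one.
        return "run-silently"
    mark = parse_mark(mark_text)
    if mark is None:
        return "prompt"        # malformed mark: fail closed
    if mark.zone_id == 4:
        return "block"
    if mark.zone_id == 3:
        return "prompt"
    return "run-silently"


def audit_downloads(entries: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Return runnable files in a download folder that carry no origin mark,
    i.e. files that some application wrote without tagging them."""
    return [name for name, text in entries
            if name.lower().endswith(RUNNABLE) and text is None]


# Constructed samples: (file name, Zone.Identifier contents or None if absent).
SAMPLE_DOWNLOADS = [
    ("setup.exe", "[ZoneTransfer]\r\nZoneId=3\r\n"
                  "HostUrl=https://downloads.example/setup.exe\r\n"),
    ("tool.exe", None),        # saved by an application that does not tag
    ("notes.txt", None),       # untagged, but not runnable
    ("report.js", "[ZoneTransfer]\nZoneId=banana\n"),  # malformed mark
]

if __name__ == "__main__":
    for name, text in SAMPLE_DOWNLOADS:
        print(f"{name:10} -> {launch_decision(text)}")
    print("untagged runnable files:", audit_downloads(SAMPLE_DOWNLOADS))
```

On an NTFS volume, `read_mark_text` can supply the second element of each entry for real files in a download folder.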

  91. Re:Brain... locking... up... by node+3 · · Score: 1

    Wasn't this in The Fountainhead?

  92. Re:Brain... locking... up... by RiotingPacifist · · Score: 1

    This would stop command line programs that work on files

    Prompt, java-applet style if you're in GUI, text prompt if you are on the CLI.

    --
    IranAir Flight 655 never forget!
  93. Re:Brain... locking... up... by node+3 · · Score: 1

    He must mean Jobs. Ballmer wouldn't have any problem with supporting the malware vendors...

  94. Re:Brain... locking... up... by gad_zuki! · · Score: 1

    >Locking up the whole OS so that user is in 100% controlled environment is a no go, as seeing here on slashdot about iphone and other systems that do it.

    Or a balance like running as limited user and upping your privs via the UAC, but people here complain about that too. Look, the slashdot mob isn't rational, it's just people airing their frustrations in a two minute hate that never ends. Luckily, in the real world the slashdot mob doesn't exist. People deal with the UAC, run AV, and get on with their lives. Turns out Jane Computer User just wants the thing to work, not get into philosophical arguments over the UAC and MS's business practices.

  95. Re:Brain... locking... up... by shutdown+-p+now · · Score: 2, Informative

    MacOSX tells me whenever I ask it to run a file downloaded from the net for the first time.

    So does Vista - in fact, if you have antivirus installed (and it properly integrates with OS by using the corresponding APIs), it will even make it scan the file before starting it for the first time.

  96. Re:Brain... locking... up... by Asclepius99 · · Score: 1

    And they can get Kobe to be their celebrity spokesman!

  97. Re:Brain... locking... up... by Sloppy · · Score: 1

    You can blame "insecurity" of Windows all you want, but do you actually have an answer to how to make it better then?

    Sure!

    First, the easy one: switch to a Unix-like OS. Currently, I suggest Linux. If everyone switched to Linux, then everyone would be typing "chmod u+x malware.sh" prior to installing their malware. Keyboards would wear out and then people would lose the ability to install malware. Problem solved. But seriously: executable files is something that Windows gets just plain wrong, and we all know that now. Executable should not be a property of the contents of the file (e.g. a magic number like on my beloved AmigaOS) or file name (Windows). It should be something extra, that can't exist out of context, that a user adds. This is something Unix gets right.

    (Well, Unix used to get it right, until Apple came along and fucked it up, by making a file type that a user can click and becomes an instantly mounted filesystem that isn't mounted noexec. Bad apple. And I'm sure someone can find some stupid Unix desktop that does something similarly stupid with tarballs. Bad desktop!)

    Second, you mentioned Flash. Great example. Run plugins as nobody, not the current user. Arguably, most of the browser should be nobody, but I guess sometimes a user needs to load or save, so allow a pipe between the user's process and the nobody processes for that kind of thing. This isn't so much a Windows-Linux thing, as a shitty browsers thing. And I think Google may be moving us in a direction of finally making our browsers suck less in this regard.

    Yes, things could be better, and people know how to make them better.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  98. Re:Brain... locking... up... by Real1tyCzech · · Score: 1

    OpenSSH.

    Ever heard of it? Vulnerable for *years*...

    Of course, it wasn't the OS, but a 3rd party app...installed on almost *every* Linux PC in the world.

  99. "don't understand the need to do so" by gd2shoe · · Score: 1

    "don't understand the need to do so" - this lawsuit clearly shows that at least now MS understands that their lack of security hurts them.

    Close. This lawsuit shows that they understand that the existence of malware hurts them. It does not show that they see themselves as culpable in any way.

    While I don't think this is the explanation you seek, I think you dismiss it too quickly. Surely there are many people at Microsoft who don't understand the need. It's a question of: "how many, and who?"

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  100. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    > Theres nothing on Linux that does anything to prevent this kind of malware

    There is nothing in Linux to _allow_ this kind of malware.

    Your arguments are the usual FUD and astroturfing direct from MS marketing.

    Windows was never designed to be a networking system. MS were late to the internet and even then tried to carve off a separate corner, the original MSN, that did not talk to the rest. As a consequence the fundamental design never catered to any security needs, all this was added on top as extra layers. Unix/Linux started as multiuser systems and the security was in the base where it should be.

    MS has added features to 'enrich the user experience', which create the malware problems that simply do not exist in Linux.

    For example autorun on CDs and USBs. Put in a CD or USB and whatever is on it will execute. This does not happen in Linux.

    For example Outlook will (or used to) execute attachments if they were .exe, and it would hide the fact that it was an .exe. No Linux email will do that.

    For example MS Office will execute macros that can write to disk if an email attachment is opened just by clicking it. Linux does not do that.

    For example a downloaded file or saved attachment can be executable merely by having a (hidden) .exe 'type'. Linux does not do that.

    Taking your "anything to prevent this kind of malware" shows that you _expect_ layers of code, anti-virus, scans of emails, popups, and other cruft that has been added layer upon layer to Windows to be needed by Linux.

    Linux does not have this so called 'protection' because the security is underneath and in the fundamental design and not layered over all the cracks in Windows.

  101. - Troll - by gd2shoe · · Score: 1

    Don't feed the troll. He's intentionally, mostly right.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  102. Re:Brain... locking... up... by Jeremy+Erwin · · Score: 1

    My guess is that Microsoft will have to worry about whiney users complaining about "The new DRM Microsoft wants us to use." And it will break things.

  103. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    All applications and plug-ins must be self-contained bundles of files. No outside helpers may be installed anywhere.

    I have a question about this type of approach. Is hello.py (a script that deletes all my files instead of just saying hello) a "helper" for /usr/bin/python?

  104. having by nimbius · · Score: 1

    exhausted all technical options from some of the brightest and best engineers at redmond, Microsoft resorts to the time tested, tried and true method of problem solving: Throw money at it, and bleed it dry with lawyers.

    --
    Good people go to bed earlier.
  105. pot meet kettle by franksands · · Score: 1

    I think it's ironic for MS to complain about "malvertisement" when they just confirmed to do it themselves at Best Buy stores.

  106. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Um... no. That didn't happen. How the hell did you get modded up?

    But don't take my word for it - take PBS's word for it: Media Recount: Bush Won the 2000 Election

    Given that PBS in general and News Hour in particular are notoriously liberal, if they say Bush won, Bush won.

  107. Re:Brain... locking... up... by wumpus188 · · Score: 0, Troll

    WTF are you talking about, since when javascript is a third-party plugin? I think you need to switch to decaf and learn a little...

  108. Re:Brain... locking... up... by drsmithy · · Score: 2, Insightful

    A secure OS would make sure that all code downloaded from the net is identified to the user as code downloaded from the net and its source/publisher, and a secure OS does not allow the downloaded code to execute until after the user has acknowledged that it is a downloaded program and given explicit permission.

    Pointless. The user will give permission regardless of how many times you ask them if they're sure.

  109. Re:Brain... locking... up... by Anonymous Coward · · Score: 1, Insightful

    M$... how old are you? I thought most Slashdotters had left behind using this childish notation to refer to Microsoft.

  110. Re:Brain... locking... up... by causality · · Score: 1

    There is simply no excuse for going after the worst of these weasels, and expanding the fight overseas when they flee to supposed safe havens. I wish Microsoft good hunting on this one.

    Rather than support an international cat-and-mouse style manhunt for multiple unknown individuals and all of the tax dollars that would require ... I'd rather just use a more secure OS and let the people who run Windows deal with Windows problems. Simple.

    Let's get after them to patch XP's TCP stack also, but at least DO SOMETHING, someone, please?

    Beware of politician's logic. Politician's logic goes like this: "we must do SOMETHING!" ... "this is something, so it must be done!"

    Me? I'm no good at suits.

    Nor am I. However, I do have a skill that's useful, and that's careful decision-making. My choices are something like this:

    • Insist on using a device like a computer while having no understanding of how this device works or how it is correctly used and maintained. Gravitate towards an operating system that is designed to accommodate users who want to use what they don't really understand, and then accept all of the disadvantages and problems that naturally come with this choice, such as malware and other security issues. Accept as a natural matter of cause-and-effect that a user who chooses not to learn more about the device they use is much more susceptible to misleading advertisements and other social engineering type of attacks that would not fool a more knowledgeable user.
    • Expect that a computer is a complex general-purpose device and that therefore, some degree of understanding is necessary in order to confidently and properly use and maintain it. Gravitate towards an operating system that assumes I want to be actively involved in the administration and security of the system, the functioning of which is as transparent and user-accessible as possible. Accept as a natural matter of cause-and-effect that this choice means I will have to go to some effort to learn and understand (usually this means reading) before I can effectively use this system, but that this means both my system is more secure (and more securable) and I as a user am much less likely to fall for advertisements designed to fool me into installing malware even if they did target my OS/platform of choice.

    For me, that second option was the clear choice because I am more than willing to put some effort towards having a better experience. If other users don't consider that a worthwhile trade-off, then they too are making their choices. There is always a certain mindlessness going on whenever people make a choice like this without realizing that they are choosing something. So they just use whatever the computer came with and don't even investigate whether other options are available, don't even evaluate what those other options would entail. Then they often get screwed and typically by malware of some kind. Thus, when users engage in this mindless, rather careless, and haphazard style of decision-making they leave themselves open to these kinds of problems, and all because they have convinced themselves that basic competence is "too hard." Sorry, but I don't see any injustice in this and frankly I don't want to hear them complain when they have to lie in the bed they have made.

    Only a person who really wants to be a victim denies their own active involvement in the foreseeable things that happen to them. What sane person wants to complain about a thing and then disown the steps they are capable of taking that would reduce or eliminate that thing? Sure, go after the malware authors if it makes you feel better, but go after them with the understanding that they are symptoms. The reason why so many problems never seem to go away is that we focus entirely on symptoms.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  111. Re:Brain... locking... up... by pwfffff · · Score: 1

    Why? All you have to do is hold up on the joystick until you reach a certain speed. I've done it in Battlefield 2, easy stuff.

  112. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    The most secure OS in the world, not even Linux nor OSX, isn't going to be able to protect you when you decide to authorize and run an .exe file you downloaded.

    What linux* does do however, is provide tested versions of all the applications you might need. So if you want an FPS shooter, or an image viewer, or a packet-sniffer, or a vector-graphics program, or a 3D graphics program, or a word-processor, or a webserver, or a screensaver, then just type some keywords into apt-cache search or kpackagekit and anything you install will be trustworthy.

    It makes a lot more sense than trusting the top google search for 'free graphics program'

  113. Re:Brain... locking... up... by david_thornley · · Score: 1

    6. have a tradition of single-user systems and a blazing stream of past bad security decisions that lots of legitimate apps take advantage of, so they can't do security right without breaking a lot of malformed but useful apps
    7. can't really stop somebody from installing software
    8. work in a culture of running with maximum privileges, resulting in many apps being written by developers with elevated privileges and tested as such
    9. work in a culture where people typically have access to one account, rather than a lower-privilege one to see if what they write will work without high privileges

    Basically, Microsoft is in a very bad place between security and backwards compatibility. Granted that a lot of the problems are hangovers from bad decisions Microsoft made, it still hinders MS in developing a secure OS. Similarly, the extreme delay in even trying to close some of the traditional holes.

    I see nothing coming out of Redmond that's inconsistent with security consciousness. They're just going to have a lot of trouble digging out from various holes, and the fact that they dug many of them themselves doesn't matter for their future actions.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  114. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Microsoft isn't legal, it just holds the law at bay with its army of shyster lawyers and billions of dollars of ill-gotten gains.

  115. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    The fact that a .exe is not executable on non-Windows systems isn't the point; it's that you can run executable code.

    As for prompting when running a file from the net, Windows actually does that (unless it was downloaded using an old version of Safari for Windows, which stripped that information out and led to the "blended threat" attack a while back where Safari spews local data on your desktop which is then earlier in the environment path lookup for applications launched from the desktop).

  116. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Whoever wins.... we lose.

  117. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    > Yeah, but I still have a hard time supporting the malware vendors.

    Yeah, it's hard to support Microsoft, isn't it?

  118. From a certain point of view by AnalPerfume · · Score: 1

    This part could also describe MS's very own "Get The Facts" site.

    'used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.'

    Their site does not distribute MS software, but it is nothing but lies and deception aimed at pulling the wool over unsuspecting internet users by scaring them into using Windows which leave them and their private more prone to every piece of malware going today, and the millions created from today onwards.

  119. Re:Brain... locking... up... by Animats · · Score: 1

    The most secure OS in the world, not even Linux nor OSX, isn't going to be able to protect you when you decide to authorize and run an .exe file you downloaded.

    Actually, no. It's quite possible to have a system where the downloaded .exe file is in an untrusted security compartment of a mandatory security system, such as SELinux provides. You can then run it, but it can only work on other untrusted data. That's good enough for a game.

    For historical reasons, UNIX, Linux, and Windows tend to give applications the access privileges of the user using them. This is the real problem.

  120. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    That did happen you moron, Al Gore had more votes than Bush in the 2000 elections. Bush had more electoral votes, though.

  121. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Oh My Dear Stallman!

    Who should I go against now?

  122. Could i file suit... by TDyl · · Score: 1

    ...against Microsoft for selling bloatware, which in my humble opinion is equally as bad as malware or even "malvertisements"? That is a company in serious need of being split up and diversified. TD

    --
    Todd: I hope it proves as delicious as the farmers that grew them
  123. Re:Brain... locking... up... by shutdown+-p+now · · Score: 1

    Meanwhile, no other desktop OS that I know of does anything similar

    I stand corrected - OS X actually does the same thing. Anyone knows of any Linux DE or distro that does that? I certainly didn't ever see it in Ubuntu; though I guess the need to explicitly add executable bit for downloaded files before you can run them makes it kinda pointless there anyway.

  124. Man, that's "B.S." bro, plain & simple... apk by Anonymous Coward · · Score: 0

    I'm surprised someone didn't mod you up as "funny", because, what you said IS quite funny, & here is why, point-by-point:

    "There is nothing in Linux to _allow_ this kind of malware." - by Anonymous Coward on Friday September 18, @04:56PM (#29471435)

    Oh, really? SO, are you trying to tell us that javascript (which IS 'multiplatform' via webbrowsers, more-or-less) can't attack a Linux rig, if it was scripted to do so? Are you also telling us that Linux NEVER sees attacks, viruses, or being made part of a botnet?? The last one might be a surprise to you, but it wasn't to folks that come here regularly, per this article this week no less:

    First Botnet of Linux Web Servers Discovered

    http://linux.slashdot.org/article.pl?sid=09/09/12/1413246

    Would you like examples of the rest of what I stated also? I can provide them in minutes (probably UNDER a minute, as I have an entire bookmark/favorites folder chock full of that, for nearly every OS under the sun (call it a "personal study" of mine I suppose)).

    ----

    "Your arguments are the usual FUD and astroturfing direct from MS marketing." - by Anonymous Coward on Friday September 18, @04:56PM (#29471435)

    Well, in response, one could say yours is just the "typical FUD & astroturfing" that the "*NIX UBER ALLES" Pro-*NIX crowd, especially around here, tends to 'rant & rave' about... that sword of yours? It cuts BOTH ways...

    Anyhow/anyways...

    ----

    "Windows was never designed to be a networking system" - by Anonymous Coward on Friday September 18, @04:56PM (#29471435)

    Initially? No, not in the pre Win9x days, but it still was networkable (there were 3rd party IP stacks you could 'tack on', like Chameleon &/or Trumpet Winsock, & they worked "ok" enough (not as good as the current ones, they're excellent for the MOST part, based off BSD stuff, best there is & the 'reference model' for most all OS' out there today in fact, iirc))... but, Windows does the job here, from end users online, up to mission critical servers online (exchange, sqlserver, or other 3rd party ones that run on Windows ring a bell here?)

    ----

    "MS has added features to 'enrich the user experience', which create the malware problems that simply do not exist in Linux" - by Anonymous Coward on Friday September 18, @04:56PM (#29471435)

    Are you trying to say there is no malware for Linux? If you are, say so, & I will come up with a slew of evidences above & beyond what I posted above, by the droves (not as much as exists for MacOS X or Windows, but then, they are MORE USED... security by obscurity is what protects Linux the most - Witness the fact that MacOS/Apple had to admit that they are "not bulletproof" after their "I'm a PC, I'm a Mac & the latter is more secure" P.R. work, because when Macs got more user/market share? More exploits popped up for MacOS X like mad!)

    Plus, consider online criminals? They're like any other criminals - They go after where they can exploit the MOST folks online, & where do most folks "gather"? That's right - Windows!

    They probably figure "I'll write my malware for profit to exploit the biggest target from a SINGLE codebase/shot - Windows", which only makes sense. Sure, Linux has some good things going for it, but it too can be hardened FAR MORE than the 'stock edition' via SeLinux kernel mode hooking addons (which add things Windows has, such as ACL's (MACs on Linux) which are for filesystem security... Linux needs bolted on addons for it. In fact, CIS Tool (a multiplatform security test that is quite respected in the security community in fact) can show ANYONE that a stock Linux setup straight from the OEM, needs to be security hardened (it, like Windows stock/oem setup, will only "bat" around a 46/100 on the CIS Tool test)).

    Don't fool yourse

  125. Re:Brain... locking... up... by bigngamer92 · · Score: 1
    "...without going iPhone all the way."

    iPhone: v, to make a system so locked down as to call upon the wrath of federal regulators

    n, a phone produced by Apple Inc.

    also see: iPhone killer: a phone that has a touch screen and a brand name OS that *Might* take away some of Apple's marketshare.

  126. Re:Brain... locking... up... by Blakey+Rat · · Score: 0, Flamebait

    I believe that is mostly, if not entirely correct. Obviously, there is a design flaw in security; a user account should never be capable of screwing up system files and system settings. Period.

    Name a current Windows exploit that allows a user, with the default "User" permissions, to screw up system files and system settings. Name one.

    The current version of Windows is Vista Service Pack 2.

    That is speculation, opinion, and FUD. Unix like systems are simply not prone to the types of exploits that Windows has always been wide open to. (ActiveX for example)

    Name an ActiveX exploit that works for the current version of Windows and IE with the default settings. (Obviously, if the user goes out of their way to disable security features, all bets are off.)

    The current IE version is 8.

    It's easy to imagine that malware writers would shift to Linux, but Linux' response would be to write patches after patches, and shut each exploit down as it was exposed.

    As opposed to Microsoft's response, which is to... what? Hire belly dancers and throw a 1001 Arabian Nights theme party?

    Seriously, WTF is going through your head when you write things like this. I simply can't imagine.

    If that were entirely true, then the same exploits would work on Linux. I don't see that - can you provide any citations?

    How about you prove your assertions first? You've made two big ones.

    Unix like OS's have set the example. Establish trusted repositories for software. TRUSTED repositories, not a bazaar type place where just everyone can put software.

    Yes, but you're breaking the rules of the original scenario: you can't turn Windows into an "iPhone App Store" for a half-dozen reasons, not least of which is it would be anti-competitive. Windows doesn't have the luxury of being able to completely shut-out commercial software development like Linux has.

  127. Re:Brain... locking... up... by rickb928 · · Score: 1

    "Rather than support an international cat-and-mouse style manhunt for multiple unknown individuals and all of the tax dollars that would require ... I'd rather just use a more secure OS and let the people who run Windows deal with Windows problems. Simple."

    Obviously simple. In fact, so obvious that you could be asking yourself "Well, why haven't we gotten a secure OS yet?" Well, why not? Ask some security professionals. It's not just the OS, it's also the application. Case in point - Email users that click on attractive attachments can easily execute a program that is indistinguishable from any other user-accepted application, but of course is malware. An OS that is secure might be able to limit the harm, but the real issue is the user chose to run it. How do we keep users from running these apps? I dunno. But more later on how to choose the target.

    "Beware of politician's logic. Politicians logic goes like this: "we must do SOMETHING!" ... "this is something, so it must be done!""

    My point was that Microsoft is avoiding a significant patch to the TCP stack for Xp - the one that can permit remote access and control, you know of it. Similar problem with DNS recently, and still we avoid signing root servers. Perhaps I should rephrase, to do what 'we know needs to be done', instead of just 'something'...?

    Your comments on people who use tools they don't understand and then complain about the harm caused by predictable problems remind me of the table saw industry. SawStop is an insanely clever solution to the problem of users dismembering themselves while using table saws. Not cheap, but how much is a finger worth nowadays? The industry in general seems both unwilling to offer this technology on their brands, and equally unwilling to even admit it works. Possibly cost is a factor, but more likely they need to deny the effectiveness to give them plausible deniability for injury suits. Suing isn't the answer, as I know of only one lawyer who can reattach a severed finger, and he has to do that before he files suit... But there it is, a good solution to the safety issue, and unused. I have a feeling I just made your point, somehow... Darn.

    The reality is that Windows is the dominant OS, that it is not likely to get more secure in a hurry due to market resistance to the massive changes necessary, that there are any number of security solutions that cannot be relied upon for 100% protection, and users will continue to be both the primary source of security lapses and generally unskilled in proper security actions.

    And since the weasels are in fact doing things that are or should be illegal or at least unethical, why shouldn't we go after them? If they are accessible, can be brought to trial, and we have good reason to believe they are doing something illegal, to not ALSO do this makes less sense to me.

    And yes, I am proposing something that might not work. Doing nothing, again, is pretty much certain to have no effect.

    I'm worried, of course, that pursuit by the legal system may only drive them offshore, to places less antagonistic.

    Perhaps, we need to recognize something else - That the proper place for Internet security is on the Internet. I'm ready for my ISP to shut off obviously infected hosts for 24 hours a week, with 24 or more hours notice. And no, I don't work for Geek Squad. At least this would wake up users who, as you point out, are not even aware of their predicament. But there are smarter people than me out there who may have better ideas.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  128. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Meanwhile, no other desktop OS that I know of does anything similar

    Safari On Mac OS X at least (I don't know if any other browser) does the same "flagging" of downloaded files

  129. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Read the original post. The voters chose Bush. Period.

    In Florida, a majority of voters even elected Bush. Period.

    That's what happened, no matter how many people want to pretend otherwise.

    Obama really didn't win the Democratic nomination by a majority vote, though. Hillary had more delegates, but... for some reason, they weren't allowed to vote.

  130. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Even today nobody really uses Apache 2 though, most production sites are still using 1.x. Apache 2 is basically a beta product so that comparison doesn't really stack up.

  131. Re:Brain... locking... up... by internettoughguy · · Score: 1

    You're right, but the results don't reflect the popular vote because of the system of zoning. For instance when I was watching the McCain-Obama race, I wondered what the "Electoral College" meant (I'm Antipodean:)), and it's basically the voting power of a state. It's supposed to be based roughly around the population of that state, but in reality it doesn't work like that. One big factor is the prison population of the state, they don't get to vote but they still count towards the total population, and hence the electoral college of that state. Anyway what it amounts to is that a vote in one state can be worth considerably more than a vote in another. I noticed this in the McCain-Obama race, Obama had only a small percentage greater vote than McCain, yet he won by a landslide because these votes happened to be worth more electoral college. A similar thing occurred in the Gore-Bush race, Gore actually got the popular vote by a slim margin, but Bush achieved a higher electoral college.

    FYI, Gore actually won the popular vote by 500,000 votes nationwide, not even taking into account the dodginess that occurred in Florida.

    Obama won the popular vote by ~9,000,000

  132. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    "Name a current Windows exploit"

    The vast majority of CURRENT Windows users are on XP. If you can't find an exploit all on your own, you most likely don't know how to turn your machine off and on. No, you DO NOT get to pick your favorite flavor of Windows, and hold that up for a "standard". You certainly don't pick the OS that almost no one is adopting - huge numbers of people waited for 7 to avoid Vista! (Especially since MS isn't all that concerned about "standards")

    As for today's most up-to-date version of Windows - Win7 will most likely be broken real soon. Personally, I'm waiting for the timebomb crack. (What, you didn't think I was going to PAY for it, did you?)

    What goes through my head when I write stuff like this? http://blogs.zdnet.com/security/?p=3207 Sometimes I think about other things: http://windows7center.com/news/prepared-for-conficker/
    Have they fixed this one yet? http://www.neowin.net/news/main/09/04/24/unfixable-windows-7-exploit-created-by-security-experts

    What goes through YOUR head when YOU make posts like that?

    Oh, how 'bout that IIS? Is Win 7 / Vista secure from IIS?

    Don't worry, we'll be seeing more exploits in coming months. ;^)

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  133. Re:Brain... locking... up... by petermgreen · · Score: 1

    While some malware does rely on security holes and/or bad design decisions in Windows, a significant proportion of malware is spread through social engineering/user stupidity (see for example the fake virus scan adverts). Short of forcing all software to be approved (see the iPhone/iPod touch app store for the downsides of that approach) there isn't a lot that can be done about this. Some malware does both of course.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  134. Electoral College explanation by KingAlanI · · Score: 1

    The Electoral College gives each state 2 votes *plus* the population apportionment. That's what skews it so much.
    It's a small-state/large-state compromise that's been around since this country's Day 1.

    http://en.wikipedia.org/wiki/File:ElectoralCollege2000.svg
    It looks like most of the states Gore won were big ones and vice versa. Hence, Bush got more of a boost from the votes-per-state floor.

    Similar patterns can be seen in other recent maps, but it seems especially pronounced here.

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    1. Re:Electoral College explanation by internettoughguy · · Score: 1

      That makes more sense (what you are saying, not the system:)), anyway I think the prison situation still holds as well: More than 1 in 100 American adults were incarcerated at the start of 2008 according to Wikipedia, still not to the extent I believed, otherwise your country would have more serious political issues than red vs blue :).

    2. Re:Electoral College explanation by KingAlanI · · Score: 1

      I hadn't thought about the skew from prison population, but I figure the 2-votes-per-state floor would have a much bigger effect.

      I figure prison population skew would have more of an effect on the local political level.

      http://en.wikipedia.org/wiki/Incarceration_in_the_United_States#incareration_rate
      Certain states do have more people in prison, and I'd presume that *would* skew the population-based count to some extent, but that seems harder to assess.

      1 out of 31 US adults in prison - 3% seems large on its own face, but it's got to be less of an effect than the 2-vote floor (102 out of 538, or 18.96%)

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
  135. Re:Brain... locking... up... by steveha · · Score: 1

    [IIS7] has 2 vulnerabilities in its entire lifetime, and only one of those is remote.

    Well, 2 vulnerabilities that MS has acknowledged. IIS is still a closed-source app, so third-party security researchers can't audit it and announce vulnerabilities as they can with Apache. Meanwhile, the black hats don't share the ones they find.

    IIS7 is no doubt better than IIS6 and perhaps is decent. But if I wanted to run a web server, I'd run Apache 1.x on Debian Stable; I don't trust the combination of Windows+IIS as much as I trust Linux+Apache. And it looks like actual web sysadmins agree with me, because according to Netcraft, in August 2009, Apache had twice the server share as Microsoft (46% vs. 23% if I read that chart correctly; it looks like the ruled lines represent 8% increments, which seems strange).

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  136. Re:Brain... locking... up... by shutdown+-p+now · · Score: 1

    Well, 2 vulnerabilities that MS has acknowledged. IIS is still a closed-source app, so third-party security researchers can't audit it and announce vulnerabilities as they can with Apache. Meanwhile, the black hats don't share the ones they find.

    This could be turned around, of course: black hats can find vulnerabilities in Apache much easier because the source code is available for analysis, and they still won't share the ones they find.

    Also, did anyone actually do a full security audit of Apache 2.x? I know that OpenBSD guys did one for 1.x, and even then only for their own fork of it.

    I don't trust the combination of Windows+IIS as much as I trust Linux+Apache. And it looks like actual web sysadmins agree with me, because according to Netcraft [netcraft.com], in August 2009, Apache had twice the server share as Microsoft (46% vs. 23% if I read that chart correctly; it looks like the ruled lines represent 8% increments, which seems strange).

    I dare say that discrepancy between IIS/Win and Apache/Linux might have more to do with the fact that the latter is free, while the former costs quite a bit. Furthermore, Apache was a stable solution for much longer than IIS - IIS5 was bad in terms of security, among other things - so there are many more experienced admins out there who are proficient with Apache. And, of course, bad reputation sticks around, too.

    If you ask me, the only combo I would really trust is OpenBSD, and the Apache 1.x fork that comes in the base system for that. But aside from that, I do not think that there are any security reasons to prefer IIS7 to Apache nowadays. Numerous companies running IIS6/7 servers with uptime of 3+ years is a testament to that.

  137. Re:Brain... locking... up... by thejynxed · · Score: 1

    Correction: The only way to protect against stupid users is to not let them within twenty feet of a computer to start with. Outside of this, there is no stopping them, no matter if you set their rights into oblivion or not. They always find a way to fsck something up.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  138. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    I see what you did there. You did the old double turn-erino on us. We thought that Microsoft was... but then you switched it and... hilarious!

  139. Re:Brain... locking... up... by ajlisows · · Score: 1

    MacOSX tells me whenever I ask it to run a file downloaded from the net for the first time.

    So does Vista - in fact, if you have antivirus installed (and it properly integrates with OS by using the corresponding APIs), it will even make it scan the file before starting it for the first time.

    Of course, one of the big complaints with Vista was that the OS got in your face every time you tried to do something that could cause problems, simply because Windows users became acclimated to being logged in as Administrator and being able to do whatever the heck they wanted without question. Granted, Windows Vista was a little extreme with the amount of times that they asked if you wanted to allow something to run. I don't know for sure, but I do not think that you could adjust the alert levels in Vista. They changed this in Windows 7 so you can make your User Account Control get in your face some of the time, all of the time, or none of the time.

  140. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Ummm...you just finished arguing that market share is unimportant to security. So clearly it is valid, in YOUR stated opinion, to consider the security of Vista SP2.

    Considering desktop/laptop OS's, Vista's deployment is second only to XP, so if you can't compare against Vista because its marketshare is too low, then you can't compare the security of anything to anything else.

    You need to pick a consistent position.

  141. Re:Brain... locking... up... by sqrt(2) · · Score: 1

    It's no more extreme than Ubuntu, and easier to handle because you don't have to type a password (this isn't necessarily more secure, however). Actually, I run into more privilege escalation screens when I am first setting up Ubuntu than I do after I install Vista or Windows 7. I've done each probably hundreds of times now with various configurations.

    --
    If you build it, nerds will come. Soylentnews.org
  142. Re:Brain... locking... up... by FrankieBaby1986 · · Score: 1

    But WHY WOULD firefox download the file and then chmod +x it? That wouldn't make any sense.

    However, your point does hold for .deb files, sort of. Ubuntu requires me to enter my password when I attempt to install a .deb file.

    As far as I'm concerned, every OS will have one vulnerability. Its user(s).

    --
    ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
  143. I'm not the biggest Microsoft fan, but... by merc · · Score: 1

    I have to say that one thing I've always admired about Microsoft is how aggressive they are at going after spammers, malware creators, etc. It's easy to know who to root for in these cases.

    --
    It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
  144. Re:Brain... locking... up... by rtb61 · · Score: 1

    Gees, get over it already, absolutely everyone recognises M$ whereas MS can be mistaken for many other institutions and, seriously the only people that complain are M$'s micro trolls, the softies of their various marketing department. Childish is the M$ marketing department reaction to it, oh no, it hurts us, my precious logo, it burns our public image. Insults, offtopic attacks, slurs and it cycles on and off, typical of a professional marketing tactic, try it on for a while see how it works, not working back off for a while and try again and, again and, again and ad nauseam. M$, M$, M$, if you hadn't been so naughty quite so many times it wouldn't be taken in such a bad light ;).

    Now back to this article my main thought on this, why is M$ tackling it, where are the various government funded consumer protection agencies, are they all asleep and not paying much attention. In light of M$'s public pursuit of this case, perhaps they should consider contacting M$, obtaining the evidence and pursuing it themselves.

    Then again M$ might not want the various consumer protection agencies to pay too much attention to M$'s own questionable behaviour (there 12 M$s, ooww, does it burn).

    --
    Chaos - everything, everywhere, everywhen
  145. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    Javascript is not required to view the web, therefore it is a third-party piece of crap to me.

    THE WEB IS HTML. Anything else is third-party, I don't give a fuck what you say.

  146. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    iPhone killer: a phone that has a touch screen and a brand name OS that *Might* take away some of Apple's marketshare.

    2. A phone with said interface that doesn't operate in remotely the same market. "This cool CDMA Palm phone is totally an iPhone killer"

  147. Re:Brain... locking... up... by agnosticnixie · · Score: 1

    The Electors, nuance

  148. Re:Brain... locking... up... by agnosticnixie · · Score: 1

    That was only one of Debian's dumbass in-house patches that never made in the upstream - so only one of, what, 4 families of Linux distros affected by the bad decisions of the debianites? Not my fault if people like script packs and nih syndrome.

  149. Re:Brain... locking... up... by agnosticnixie · · Score: 1

    LOL, who are the morons who modded it insightful :p - true though, I can run some malware in wine and watch the fireworks with amusement :p

  150. Re:Brain... locking... up... by petermgreen · · Score: 1

    Question. Since I've never had one single flying lesson in my life, would you say I was stupid if I got into a Learjet, only to crash and burn? Or, if someone who had never been in a tractor trailer decided to jump in and drive one - would he be stupid when he drove it off the side of a mountain?
    Yeah but then I'd expect it to be obvious to most people that planes and road vehicles are dangerous and that most people will have been told that it is illegal to drive them without proper licensing.

    Only the braindead can be unaware of the risks of downloading executables from untrusted sites.
    The problem is that even when they hear that they lack the knowledge/experience to understand that clicking yes to those warning dialog boxes is equivalent to downloading and running an executable (or even what it means to download and run an executable), that adverts even from "trusted" sites are not to be trusted (thanks to the wide use of advertising networks who don't check up on their advertisers) or that the pop-up that claims to be a virus scan isn't really one. Afaict at least around here the education system does not (or at least didn't when I went through it) teach the stuff you need to stay safe on the internet.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  151. Re:Brain... locking... up... by someone1234 · · Score: 1

    Yeah, I go defend M$, and see what I got for it. Fuck them, astroturfers.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  152. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    First of all, it's "Sun Microsystems", not "Sun Systems". Second, JavaScript (despite the name) is not related to Java and not made by Sun Microsystems.

  153. Microsoft Good USA Government Missing by nicholdraper · · Score: 1

    Why is Microsoft able to find these scumbags and the US government can't? Right before I read this I sent a phony phishing scam to the IRS because it purported to come from our government. If our government would go after these scams like it goes after legitimate tax-payers who are a little behind, the world would be a better place. Good for Microsoft.

  154. Re:Brain... locking... up... by baristabrian · · Score: 1

    Brain...*already* locked up. Isn't the Market Share Myth getting old? Does anybody [I mean, besides MicroSoft apologists] *really* believe it? I mean, really, the argument is bogus. "If Linux had ... 95%" Well, Mr. Rocket Scientist, what share of *its* respective market does *Apache* have? You know, on servers? Compared to IIS? I thought so. You don't want to talk about it do you? Your own logic paints you into a corner and leaves you feeling kind of foolish. So, what is it? Market Share significant or not? Code is King. Code is, in the end, all that matters. Software either works, or it doesn't. People who cite "user stupidity" frequently and ad nauseam are almost invariably MCSE Monkeys and MS Shills who can't seem to face the reality that *some* programmers are doing their job better than others. You can cite Market Share all you want to. It's not going to make it the truth. Apache is just one inconvenient Truth you'll have to deal with and be embarrassed by. Go run and hide, now.

    --
    -- "I'm not in a hurry; I'm in Hawaii." The Homeless Guy
  155. An interesting statement from MS by archmedes5 · · Score: 1

    Why is this in YRO? This is a GOOD thing. Granted, Microsoft could do well to make it harder for these entities to survive by virtue of changes to their OS, but there's only so much you can do to curb the naivety of the average user. Not that there's a whole lot that will come out of something like this, I suspect that most of these ads come from a jurisdiction that cares little for American jurisprudence.

  156. Filter out ads with scripting by yuna49 · · Score: 1

    The problem is that "malvertising" contains scripts. From the blog by Microsoft's attorney:

    "Our filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements. These ads then lead to harmful or deceptive content. For example, ads may redirect users to a website that advertises rogue security software, also known as scareware, that falsely claims to detect or prevent threats on the computer. Malvertising may also directly infect a victim's computer with malicious software like Trojans - programs that can damage data, steal personal information or even bring the users' computer under the control of a remote operator."

    Last weekend the New York Times distributed an ad like the one described which redirected browsers to a "scareware" site. The Times reported later that an apparently legitimate advertiser bought availabilities on its site, distributed legitimate advertising for a few days, then switched to distributing the ad containing malware over the weekend.

    Advertising distributors should automatically scan all advertising for embedded scripts and refuse to distribute them. Suing fly-by-night operators isn't going to solve this problem. The advertising syndicators and their clients like the Times need to step up and start filtering the content they distribute.
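
As an added illustration of the scanning proposed in the comment above (not code from the thread or from any ad network): a Python sketch that rejects ad creatives containing script, and re-scans whenever an already approved creative changes, which is the swap described in the Times incident. The function and class names, the tag and attribute lists and the sample creatives are assumptions constructed for this example.

```python
import hashlib
from html.parser import HTMLParser

# Elements that run code or pull in active third-party content (assumed policy).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))


def url_scheme(value):
    """Return the lower-cased URL scheme roughly as a browser sees it, or ''.

    Browsers drop tab/CR/LF anywhere in a URL and leading control characters,
    so "java<TAB>script:" must be treated as "javascript:".
    """
    cleaned = value.translate({9: None, 10: None, 13: None}).lstrip(C0_AND_SPACE)
    head, sep, _ = cleaned.partition(":")
    if sep and head and all(c.isalnum() or c in "+-." for c in head):
        return head.lower()
    return ""


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names and decodes entities in attribute values.
        attrs = [(name, value or "") for name, value in attrs]
        lookup = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag))
        if tag == "meta" and lookup.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", lookup.get("content", "")))
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS:
                scheme = url_scheme(value)
                inline_doc = scheme == "data" and tag != "img"
                if scheme in ("javascript", "vbscript") or inline_doc:
                    self.findings.append(("script-url", f"{tag}[{name}]"))


def scan_creative(html):
    """Return a list of (kind, detail) findings; an empty list means static markup."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


class CreativeGate:
    """Approve a creative by content hash so a later swap forces a new scan."""

    def __init__(self):
        self._approved = {}  # creative_id -> SHA-256 of the approved markup

    @staticmethod
    def _digest(html):
        return hashlib.sha256(html.encode("utf-8")).hexdigest()

    def submit(self, creative_id, html):
        if scan_creative(html):
            self._approved.pop(creative_id, None)  # revoke any earlier approval
            return False
        self._approved[creative_id] = self._digest(html)
        return True

    def may_serve(self, creative_id, html):
        if self._approved.get(creative_id) == self._digest(html):
            return True
        # Unknown or changed since approval: treat it as a new submission.
        return self.submit(creative_id, html)


# Constructed sample creatives (placeholder domains, not taken from the filings).
CLEAN = ('<a href="https://advertiser.example/landing">'
         '<img src="https://cdn.advertiser.example/banner.png" alt="Sale"></a>')
SWAPPED = CLEAN + ('<script>top.location = '
                   '"https://scareware.example.invalid/scan";</script>')
OBFUSCATED = '<a href="java&#9;script:void(0)" onclick="return false">x</a>'

if __name__ == "__main__":
    gate = CreativeGate()
    print("initial submit:", gate.submit("ad-1", CLEAN))
    print("serve unchanged:", gate.may_serve("ad-1", CLEAN))
    print("serve after swap:", gate.may_serve("ad-1", SWAPPED))
    print("findings:", scan_creative(SWAPPED) + scan_creative(OBFUSCATED))
```

The hash check only helps if the distributor hosts the approved bytes itself; a creative that is merely a pointer to the advertiser's server can change without the hash changing.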

  157. Re:Brain... locking... up... by Super_Z · · Score: 1

    Apache was a stable solution for much longer than IIS - IIS5 was bad in terms of security, among other things

    IIS5 and IIS6 still are bad in terms of security. As an aside - Secunia explicitly warns that comparing vulnerability counts will lead to misrepresentation. As I am sure you are aware of.

  158. Re:Brain... locking... up... by Anonymous Coward · · Score: 0

    He asked for a citation, I provided one.

    You can make all the excuses for it you want, but it stands as an example, regardless.

  159. Re:Brain... locking... up... by agnosticnixie · · Score: 1

    Which has nothing to do with OpenSSH but boneheaded Debianoids. The fact that it could be missed had nothing to do with OpenSSH's dev model and everything to do with the fact that they tried to work around but were too lazy to fork it outright.

  160. Re:Brain... locking... up... by Khyber · · Score: 1

    Java is just as bad with some update or another required almost weekly.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  161. Re:Brain... locking... up... by Cstryon · · Score: 1

    I have my license, so I am qualified to operate a vehicle. If I follow the sign that says "Stay Left" and it leads me into a ditch, was that MY fault for trusting a sign that should be protecting me?

    You might say "You should know when to trust the software or not, if you don't know who made it, don't trust it." Well, there is Bob's signs, there is Lyle's signs, Anchor inc. etc... All make road signs. There may be some I don't know, but what I do know is that sign has been able to protect me before, even from threats I have still not seen.

    When I get a message from AVG that says there was some kind of threat found, I trust it, and it delivers a solution, and fixes the issue. If I were to get a message from something that looked exactly like AVG, it may fool me, I trust it, I'm screwed. Whose fault was that?

    I don't doubt I'll be modded down for this, because everyone loves to jump on and be upset at Microsoft on Slashdot. But think about this, Windows is popular, not everyone uses it just because it's the only option. I installed Ubuntu less than a month ago, and had the worst experience in getting support, or help from this "Community" that claims to have a great alternative. TO something that already is working!
    Needless to say, I need to reinstall anyway because now all I get is some screwing static, instead of my desktop.

    As long as Windows is the most popular OS, it will be the most insecure, just by the sheer number of people attacking it. Regardless of how secure they try to make it, someone will find a vulnerability. I see Microsoft's solution to going after (at least some) of the people responsible for the attacks that the average user has to deal with, is admirable. Regardless if Microsoft makes any money off of it, at least they are also trying to solve the issue.

    If a cobbler makes me a shoe, and that shoe is a good shoe, and I can walk/run/hike in it, this is good. If I unsuspectingly step on a nail, that goes clear through the sole, whose fault was that? The cobbler's? I'd shake his hand if he went after the Bastard that dropped that nail.

    --
    Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
  162. Re:Brain... locking... up... by ConceptJunkie · · Score: 1

    Welcome to $lashdot.

    --
    You are in a maze of twisty little passages, all alike.
  163. Apple believes it per this article vs. their TV ad by Anonymous Coward · · Score: 0

    "Brain...*already* locked up. Isn't the Market Share Myth getting old? Does anybody [I mean, besides MicroSoft apologists] *really* believe it? - by baristabrian (1635747) on Saturday September 19, @07:37AM (#29475607)

    See my subject-line above, because Apple computers has been forced to believe it & concede the whole "MacOS X is more secure than Windows" was a sham... per this article:

    ----

    Mac OS X's Reputation for Security Wearing Thin:

    http://www.eweek.com/c/a/Security/Mac-OS-Xs-Reputation-for-Security-Wearing-Thin-845683/?kc=EWKNLSTE08112009STR4

    ----

    Once Apple's MacOS X started gaining more marketshare & user's "mindshare"? They started getting attacked more & more... disproving the entire line of b.s. you heard around here and elsewhere that "% of market doesn't matter" etc. et al, because it does & the facts tend to bear that much out on Windows vs. Mac @ least.

    Now, as I said here in this very exchange -> http://yro.slashdot.org/comments.pl?sid=1373959&threshold=-1&commentsort=0&mode=thread&pid=29471435#29472419

    ?

    Well, again: IF Linux ever suddenly "took the planet by storm" & displaced Windows NT-based OS as the "King of the Hill", marketshare-wise? I think most of you guys on Linux would start seeing EXACTLY what I am talking about, as the folks @ Apple have had to. It is, how it is. Period.

    The more folks gather on a particular OS, the more criminals will show up to take advantage of them. That is the way it works, and the way it has always worked, period. This is just human nature's bad side is all.

    APK

  164. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    "I have my license, so I am qualified to operate a vehicle. If I follow the sign that says "Stay Left" and it leads me into a ditch, was that MY fault for trusting a sign that should be protecting me?"

    Unequivocally, YES!! You see the sign, the FIRST thing you should do is, not "keep left", but "slow down". Then "look", then "think". That is all part of driver's education. Mindlessly obeying a sign doesn't get you off the hook with Charles Darwin.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  165. Re:Brain... locking... up... by Cstryon · · Score: 1

    Oh of course, mindlessly obeying would be a stupid thing to do. But you did miss my point, did you even read my whole post?

    Assuming my analogy has me ignoring all the obvious things you should do while driving, gets you no points, anywhere.

    But I'll humor you, let's say I did slow down, I looked, assessed the situation, the sign says "keep left", and the left seems to be a safe route (for more reasons than the sign, because we slowed, and did all those obvious things that our driver's education taught us), and yet there is a ditch that can't be seen till you are in it. I mean, should I get out of my car and look?

    I may not have said it, but a driver should know not to mindlessly follow the sign. This should be obvious. But go ahead and read the rest of my original post, so you can get my point. After that, you can tell me what you disagree with, rather than nitpicking my imperfect analogy.

    --
    Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
  166. Re:Brain... locking... up... by Runaway1956 · · Score: 1

    *sigh* Yes, I did read your entire post. Since you started out with that flawed analogy, without considering the obvious answers to it, I kinda figured you might realize there are equally obvious answers to the rest of the post.

    To date, I've not seen one of those warnings that look just like a genuine alert from any of my AV's. But, let's say they are out there - someone has tailored their warning to look just like AVG. Since I run Avast, I'm immediately going to scratch my head. "Something isn't right, here." Alright - a few days later I get one that looks just like Avast. Well - Avast doesn't ask me to click anything. The pop-up slides up from the toolbar to inform me that it has found and quarantined something nasty. In a few seconds, it slides away out of sight.

    But - first, how did I get to such a site? In all likelihood, I've ignored some warning or other offered by Google safe search, I've turned off phishing protection in my browser, I have Javascript enabled for all sites - in short, I've disabled or ignored several protections.

    Navigating the web with all protections turned off implies that I'm either accepting the risk, or I'm too ignorant to assess the risk. Those who are too ignorant to assess the risk shouldn't be on the web. And, THAT is the core of my argument.

    Now, the fact is, I DO browse the internet almost naked. All of my Windows machines are inside of VirtualBox. Windows isn't installed on hardware anywhere in my house, except the son's laptop. (no version of Linux that we've tried will install on the blasted thing!) If I run into something really nasty, all I have to do is roll the machine back to a recent snapshot. It never fails.

    Outside of the VM's, I don't even trust Linux to protect me entirely. I turn off Javascript, and turn on AdBlock Plus, with all subscriptions. I don't use any Phishing alert services - but before browsing to something like a banking site, I open a new instance of a different browser, where I use a bookmark to navigate to the bank site.

    So - I still say that it's stupid to operate a piece of equipment which you are untrained and/or improperly trained to use.

    And, yes, ultimately, if you drive into the ditch, you are responsible. Tough luck that some kids from the 'hood came out, and moved that sign to the wrong side of the road.

    And, finally - it seems that you think I'm bashing Microsoft? Not sure - it's just the feeling I get. Actually, my original post up at the top is bashing the USERS of Microsoft. Yeah, I most certainly feel that MS products are less secure than they could be, and I've witnessed some pretty crazy exploits being taken advantage of. But, ultimately, at LEAST 75% of all infections and exploits that I've ever seen were the result of operator stupidity. That loose nut on the keyboard screws things up more often than anything else.

    Remove the loose nuts.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  167. Re:Brain... locking... up... by ajlisows · · Score: 1

    This may make me sound like a complete n00b idiot but I'll ask anyway..... Since UAC doesn't use something like SUDO in Linux where a password is needed, couldn't a piece of malicious software from a website simply run a little bit of Javascript to send an "Enter" keystroke in order to approve whatever UAC is asking for? Heck, even VBScript Sendkeys would seem to work for this. UAC can't possibly ask you every time a web site runs any type of script. Or when the UAC box is up is the Operating System more or less locked out for anything other than local input somehow?

  168. Re:Brain... locking... up... by shutdown+-p+now · · Score: 1

    IIS5 and IIS6 still are bad in terms of security

    IIS5 and IIS6 are two very different products.

    Yes, you give a link for one vulnerability. That's a single data point. What is it supposed to show? That IIS has vulnerabilities? I did not claim otherwise.

    As an aside - Secunia explicitly warns that comparing vulnerability counts will lead to misrepresentation. As I am sure you are aware of.

    It's good that I also compared how critical vulnerabilities are, and where they can be used from, then. Do you have any specific objections to the numbers quoted in my previous post (and also those on the pages I've linked), or my analysis of them? If so, then please write your own, to demonstrate where I am wrong.

  169. Re:Brain... locking... up... by Super_Z · · Score: 1

    Yes, you give a link for one vulnerability. That's a single data point. What is it supposed to show? That IIS has vulnerabilities? I did not claim otherwise.

    Your claim was that IIS5 used to be unsafe. With IIS5 having an unpatched DOS exploit currently under attack, I'm trying to point out that your statement is rather inaccurate.

    It's good that I also compared how critical vulnerabilities are, and where they can be used from, then. Do you have any specific objections to the numbers quoted in my previous post (and also those on the pages I've linked), or my analysis of them? If so, then please write your own, to demonstrate where I am wrong.

    Vendors rate the criticality themselves - don't they? Additionally - Microsoft seems highly reluctant to acknowledge and patch flaws. Comparing the flaws that leak out this regime to an open source project which hides nothing yields a result that will invariably favour the secretive part. Your "analysis" is deeply flawed.

  170. Re:Brain... locking... up... by shutdown+-p+now · · Score: 1

    Your claim was that IIS5 used to be unsafe. With IIS5 having an unpatched DOS exploit currently under attack, I'm trying to point out that your statement is rather inaccurate.

    It is a misunderstanding, then - I refer to IIS5 in past tense because it hasn't been updated in a long time, and is not supported anymore (it's a part of Win2K Server, which is itself an unsupported OS). Discussing its vulnerabilities is about as useful as discussing those of NT 4.0 or SQL Server 6 at this point.

    Vendors rate the criticality themselves - don't they

    Criticality isn't so interesting to look at, more important is where the attack can come from (remote/local), and what it can achieve (DoS / privilege escalation / system access). Those aren't set by vendors, and those are what I looked at.

    Microsoft seems highly reluctant to acknowledge and patch flaws. Comparing the flaws that leak out this regime to an open source project which hides nothing yields a result that will invariably favour the secretive part.

    Even assuming an average delay of 2 years in vulnerability reporting from the vendor (which is pretty insane - I have reported critical security vulnerabilities to MS myself, and disclosure didn't take anywhere that long), and assuming that vendor is the sole source of such reports, and extrapolating the rate of discovery, IIS would still have less flaws than Apache.

    Your "analysis" is deeply flawed.

    Go ahead, make your own, non-flawed one, to prove your point - that would show me.

    By the way, in case you didn't notice, I was merely replying to a poster who claimed that "IIS has more vulnerabilities than Apache", with no sources. So far not a single person replying to my post has given any numbers to back up that claim. Why not start there?

  171. Re:Brain... locking... up... by ivucica · · Score: 1

    This is precisely what Vista and Win7 do. If you download an executable, it will have a flag set in file meta-information that basically indicates that the source was network... when you run it, the OS will warn you and ask to confirm.

    ....snip.....

    Meanwhile, no other desktop OS that I know of does anything similar, .....snip.....

    MacOS X, at least when you use Safari, is also flagging content downloaded from the network.
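
The download flag discussed in the comment above can be read back for triage. This is an added example, not part of the thread: it parses the content of the Windows `Zone.Identifier` alternate data stream and the macOS `com.apple.quarantine` extended attribute, two names the thread does not mention, and every sample value in it is constructed.

```python
import configparser
from datetime import datetime, timezone

# Windows URL security zones as stored in the ZoneId key.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Parse the INI-style content of a Zone.Identifier stream; None if unusable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None  # missing or malformed marker: treat the file as unmarked
    return {"zone": ZONES.get(zone_id, "Unknown"),
            "host_url": section.get("HostUrl"),  # optional key, may be absent
            "untrusted_zone": zone_id >= 3}

def parse_quarantine(value):
    """Parse a com.apple.quarantine value: hexflags;hextime;agent[;uuid]."""
    parts = value.strip().split(";")
    try:
        flags = int(parts[0], 16)
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
        agent = parts[2]
    except (IndexError, ValueError):
        return None
    return {"flags": flags, "downloaded_utc": when.isoformat(), "agent": agent}

# Constructed sample values, not taken from a real download.
SAMPLE_ZONE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "HostUrl=https://downloads.example.test/setup.exe\r\n")
SAMPLE_QUARANTINE = "0002;4ab16a00;Safari;11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE))
    print(parse_quarantine(SAMPLE_QUARANTINE))
    print(parse_zone_identifier("ZoneId=3"))  # no section header, so None
```

A file whose marker is missing or malformed parses to `None`, which a triage script should report separately from "marked as local", since the marker is lost when a file is copied through a filesystem or archive tool that does not preserve it.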

  172. Re:Brain... locking... up... by Hurricane78 · · Score: 1

    Or? There is no or.

    Neither. ^^

    (I root for me. No exceptions.)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  173. Re:Brain... locking... up... by steveha · · Score: 1

    This could be turned around, of course: black hats can find vulnerabilities in Apache much easier because the source code is available for analysis, and they still won't share the ones they find.

    On balance, though, the security consequences are a win for open source. If it's easier for white hats to find and close holes, the product can be more secure.

    But you can't be more secure than 100%, and in theory a closed-source system could be 100% secure, so in theory both open and closed source could be equally secure. But I still view the open development of Apache and Linux as an advantage.

    Also, did anyone actually do a full security audit of Apache 2.x? I know that OpenBSD guys did one for 1.x, and even then only for their own fork of it.

    I'm not sure. I'm not any kind of security expert, just an opinionated guy.

    I dare say that discrepancy between IIS/Win and Apache/Linux might have more to do with the fact that the latter is free, while the former costs quite a bit.

    Well, of course. But the cost of your site being 0wned would exceed the savings, so I doubt anyone would deploy Apache if it were insecure.

    If you ask me, the only combo I would really trust is OpenBSD, and the Apache 1.x fork that comes in the base system for that.

    No doubt about it, if you want the most secure system you can possibly get, use OpenBSD. But Linux is secure enough for me, just as IIS 7 seems to be secure enough for you.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely