Slashdot Mirror


Microsoft a Weak Link In Possible Cyber War

climenole writes 'Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods,' says former White House advisor Richard Clarke in a recent book. Microsoft makes the list of risks because so many people have installed its software for critical systems.

69 of 371 comments

  1. He said what? by siloko · · Score: 3, Insightful

    Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods.

    If he really said that I bet Microsoft execs are spewing their cornflakes as we speak!

    1. Re:He said what? by decipher_saint · · Score: 5, Funny

      *in deep trailer-guy voice*

      "In 2010; Chairs WILL be Thrown"

      --
      crazy dynamite monkey
    2. Re:He said what? by StuartHankins · · Score: 4, Insightful

      If Microsoft execs aren't already aware of that, they should be fired. Part of managing a company is knowing your weaknesses.

    3. Re:He said what? by siloko · · Score: 5, Insightful

      Part of managing a company is knowing your weaknesses.

      Knowing your weaknesses is not the same as having them advertised to the world by a White House advisor!

    4. Re:He said what? by StuartHankins · · Score: 3, Informative

      It's not as if people didn't already know about Microsoft's abysmal security record. Just a simple query such as http://www.google.com/search?hl=en&safe=off&client=firefox-a&hs=kKP&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3A*.gov+microsoft+advisory&aq=f&aqi=&aql=&oq=&gs_rfai= shows tens of thousands of hits. Maybe Microsoft will be shamed enough to take action and improve their products.

      I guess the point of it is "Is Microsoft the weak link when it comes to security?" to which the only answer can be "Yes." Kudos to the White House team for telling it like it is!

    5. Re:He said what? by gstoddart · · Score: 2, Insightful

      If Microsoft execs aren't already aware of that, they should be fired. Part of managing a company is knowing your weaknesses.

      I think by the time you get to the C-level execs, it's more about leveraging your synergies and maximizing your returns.

      They don't likely know much about the technology, and believing in the company and drinking the Kool-Aid is mandatory.

      In their mind, they produce high quality goods. The best there is.

      --
      Lost at C:>. Found at C.
    6. Re:He said what? by M. Baranczak · · Score: 5, Informative

      Clarke is not on the "White House team". He retired a few years ago. Come on, people, would it hurt you to at least read the summary?

    7. Re:He said what? by Foofoobar · · Score: 2, Insightful

      Oh give me a break! If the entire tech community doesn't realize that Microsoft's security is a wet paper sack and a sign that says 'do not lean against' then they've been in a coma since before Robin Williams was funny.

      --
      This is my sig. There are many like it but this one is mine.
    8. Re:He said what? by causality · · Score: 4, Insightful

      No, there's a big difference. If he was a current government official, then the statement would represent a government policy.

      "This company dominated the market with low-quality products" is not a policy. It is an observation. It's true or it's false no matter who says it or how "official" they are. Try thinking for yourself and being less impressed with authority.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    9. Re:He said what? by ackthpt · · Score: 2, Funny

      Part of managing a company is knowing your weaknesses.

      Knowing your weaknesses is not the same as having them advertised to the world by a White House advisor!

      There was something in Hamlet about a ghost not needing to appear to tell us this.

      --

      A feeling of having made the same mistake before: Deja Foobar
    10. Re:He said what? by erroneus · · Score: 4, Insightful

      Could it be that someone "out of office" is the only one with the freedom to say such things in public? Anyone in office would fear for his job. It would be my guess that this statement was desired and even requested by people in office. Who better than someone who once held the seat (read: an expert on the topic) and someone who has nothing to lose (read: already out of office).

  2. Microsoft Weak Link ... by gstoddart · · Score: 2, Insightful

    Film at 11.

    I mean, seriously, it's the most widely used OS on the planet. It's also the most likely target.

    --
    Lost at C:>. Found at C.
    1. Re:Microsoft Weak Link ... by Anonymous Coward · · Score: 2, Insightful

      False.

      It may be the most widely used desktop OS, but once you include servers and small devices, Linux beats it easily.

    2. Re:Microsoft Weak Link ... by UnknowingFool · · Score: 2, Insightful

      And Apache is the most widely used Web Server but its security record is far better than IIS. So what does that say? Also Unix/Linux far outnumber Windows Server in terms of presence on the Internet; however, they are more on the yet their track record is far better than Windows server.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Microsoft Weak Link ... by 1s44c · · Score: 4, Insightful

      Film at 11.

      I mean, seriously, it's the most widely used OS on the planet. It's also the most likely target.

      That's a flawed argument. It isn't bad because lots of people use it, it's bad because it's bad.

  3. Microsoft's Business by HeX314 · · Score: 5, Insightful

    One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

    On a related note, if they were in business to make a quality operating system, they would have a tough time selling "upgrades."

    1. Re:Microsoft's Business by Lunix Nutcase · · Score: 3, Insightful

      One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

      What a stupid statement that is complete tautology. The entire point of starting a business is to make money. Otherwise the business *ahem* goes out of business.

    2. Re:Microsoft's Business by Em Emalb · · Score: 4, Insightful

      The entire point of starting a business is to make money.

      This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist. And I thought I was jaded.

      --
      Sent from your iPad.
    3. Re:Microsoft's Business by Lunix Nutcase · · Score: 3, Insightful

      The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

    4. Re:Microsoft's Business by snowraver1 · · Score: 2, Insightful

      One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.
      On a related note, if they were in business to make a quality operating system, they would have a tough time selling "upgrades."

      That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware. OSX doesn't have enterprise level support/management, and it's arguable that the only reason that OSX is more "secure" is simply because they are less of a target.

      Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark. Sure windows had bugs, but many of those aren't MS's fault, but rather vendors that write crap drivers.

      P.S. MS is having problems selling upgrades. Why do you think ~90% of businesses are still on XP? Because it was/is a useable, relatively stable OS that did what people wanted. You can say what you want about MS, but the fact is, they are the best OS for Businesses, and most consumers. When OSX works for more than a handful of hardware configs, I'll take it seriously. When Linux is usable by joe user, I'll take it seriously. Until then, we have MS.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    5. Re:Microsoft's Business by Narpak · · Score: 3, Insightful

      This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist.

      Agreed. Though a more important question, as far as I am concerned, is whether or not something as important, and voluntarily, as computer/network/internet infrastructure should be run for profit (specifically government/utility system software/hardware). One could argue that there is a financial incentive for companies to make a good product, but time and time again it seems that companies are happy sacrificing the long term for short term profit. Even when that means taking short cuts that risk creating significant problems down the road. Thankfully my country, Norway, has decided to start shifting all software used by the state over to Open Standard alternatives.

    6. Re: Microsoft's Business by Black Parrot · · Score: 4, Insightful

      Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

      The same can be said of Windows. People ask me for help with their Windows computers all the time, but I can rarely help because I don't often use anything besides Linux, and contrary to what you'd like to believe, there's nothing inherently intuitive about the way Windows works.

      --
      Sheesh, evil *and* a jerk. -- Jade
    7. Re:Microsoft's Business by TheRaven64 · · Score: 4, Insightful

      The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware

      Yup, OS X only runs on three hardware platforms; ARM, PowerPC, and x86. Five if you count the 64-bit variants of PPC and x86 as different. Windows runs on x86, x86-64, and PowerPC (XBox). It used to run on MIPS and Alpha as well, but hasn't since NT 4.

      Or are you talking about device drivers? Because I hope that you realise that most of these are provided by the hardware manufacturers, rather than by Microsoft. So, your argument for Windows' superiority is that more third parties support it? That's certainly a valid reason for using it, but not really an indication of its intrinsic quality.

      --
      I am TheRaven on Soylent News
    8. Re:Microsoft's Business by Captain Splendid · · Score: 4, Insightful

      The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

      No, the real world's not binary like that. Plenty of people running businesses not just (or not at all) for the money. Yes, the balance sheet at the end of every month needs to be right, but there's a huge difference between lots of profit, and enough to get by.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    9. Re:Microsoft's Business by Captain Splendid · · Score: 2, Insightful

      I'm saying that supporting millions of different hardware configurations does

      And a large portion of that hardware is nominally standards-compliant. Not saying you're wrong, but it's a monitor lizard, not Godzilla.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    10. Re:Microsoft's Business by slick7 · · Score: 2, Interesting

      You can't really call it a competitive price when the competition is free. It's good enough for a premium, at best.

      Prof. Lester C. Thurow said in his book "Head To Head" that it isn't about price or quality, but market share. Once you achieve the greatest share, you can control the market. Whether the product improves or not, only time will tell. Anyone who tries to enter the market has to have a better product at a lower cost than the holder of the market share. Although this is no guarantee of acceptance. This is how the Japanese got a foothold in the American auto industry, (but not in Europe) with cheap, crap automobiles. Over time, they improved in quality and the price went up. But then again, look at all the recalls. Market share can control the price. The product, quality, price don't really matter.

      --
      The mind conceives, the body achieves, the spirit manifests.
    11. Re:Microsoft's Business by tepples · · Score: 3, Insightful

      You praise Microsoft for "running on any hardware" while that is the vendors' drivers responsibility (and open standards such as SATA, PCI, USB).

      The praise directed at Microsoft is for managing to convince hardware vendors to put a Windows driver on the included CD and not include a Linux driver.

    12. Re:Microsoft's Business by DrgnDancer · · Score: 2, Interesting

      A great deal of what you say is true, but is true mainly for circuitous reasons. Some of it is false. The level of complexity between OSX and Windows is perfectly comparable. One of the reasons that OSX has had such a relatively good reputation for stability is the fact that they limit configurations and (here's the key) write or modify the drivers that they use for those configurations. If Apple were willing to allow OSX to be put on non-Apple hardware, it would simply be a matter of producing drivers. Microsoft doesn't produce drivers, at least not for the vast majority of the hardware they run on. They foist that job on the hardware vendors and they get away with it because they are so dominant that no vendor wants to not have their hardware work in Windows. Essentially, Windows works on more stuff for two reasons: 1) They allow vendors to produce drivers, and 2) Their dominance essentially forces vendors to produce drivers. One of the major reasons for the vastly improved stability of Windows in recent years is that Microsoft has been insisting on quality drivers (there are other reasons, but this is a big contributor).

      Linux is seriously no more complicated to administer than Windows now, at least not at the individual user level. I've been staggered recently by my latest Ubuntu install. While I use the command line because I'm comfortable with it and can accomplish many tasks more quickly with it, it has become largely unnecessary. There are three major reasons that Linux is unsuitable for "Joe User" at this point.

      First, it has driver support problems. Since it's not hugely dominant in the OS field, it can't force vendors to provide drivers in a timely manner or at all. Second, application support. This is similar to the driver problem. Third, lack of preinstallation by OEMs. As has often been said, installing Windows from scratch is not really any harder or easier than installing Linux from scratch. It's just that most people never do either. They simply buy a preinstalled machine (with Windows). All three of these problems relate to Microsoft's dominance of the market and have little to do with the quality of Linux or its configuration and administration tools. Since you forgive Microsoft for vendor problems that "aren't [its] fault" I assume you'll do the same for Linux.

      There was a substantial discussion of the "Enterprise Readiness" of Mac and Unix machines in another thread yesterday. This is largely a Red Herring. Capable admins can manage all the things that Active Directory does in a Mac, Unix, or heterogeneous Mac/Unix environments. The only things that create some problems are an equivalent to Group Policy Editor, which can be worked around, and the fact that while all the Mac and Unix machines will happily share directory data and files with each other Microsoft refuses to play ball. So anytime you have an environment that includes Macs, Unix machines, and Windows machines you usually wind up with the "Windows Domain" and the "Everybody else Domain." Of course other vendors can't be blamed for Microsoft both refusing to use standards and refusing to publish how their own system works.

      Essentially, nearly all the problems with migrating off of Windows in the Enterprise or the home boil down to: "Microsoft is so dominant in the market that we can't really change off of them." We can't get drivers... Why? Because once you've made one driver that works on 90% of the computers in the world, why bother to make another two or three to placate the other 10%? We can't get apps... Why? Because again, if you wrote one piece of software and it works on 90% of the computer in the world, why bother to port it three or four times to get a pittance more systems? These systems won't integrate into our enterprise IT environment... Why? Because the vendor that sold them is so dominant that it doesn't need to make sure it's compatible with anyone else. You aren't *supposed* to have a heterogeneous environment silly. We provide everything you need.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    13. Re:Microsoft's Business by Bert64 · · Score: 2, Insightful

      There is only financial incentive to make a good product if you are in a highly competitive market and your product needs to be better than the competitors...
      Otherwise, the financial incentive is to actually make a poor product so that you can sell upgrades more easily.

      In the case of MS, lock-in ensures that competition is kept at bay enabling them to produce extremely poor quality products. Keeping customers locked in is also far more profitable for them than offering an open product and then having to face competition. This situation *ONLY* benefits MS, and is to the absolute detriment of everyone else, and so considering the importance of computers in today's society something should most definitely be done about it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Microsoft's Business by ArcherB · · Score: 3, Informative

      That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware.

      Uh, no. Windows runs on one, and only one platform, the x86 (x86-64 is still x86). OSX used to only run on RISC (PowerPC) but recently made the switch to x86 as well. It should be noted that Apple did a pretty good job making the old stuff written for RISC run on x86 for a time in order to complete the transition. The core of OSX also runs on a few different mobile platforms as well for i-phone/pod/pad devices.

      Linux will run on just about anything. Sure, you can't download the latest Ubuntu and install it on an Alpha based machine, but you can find Linux distros designed for just about any platform.

      Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

      Linux is easier to set up or operate than either Windows or OSX. The problem is that 99% of all computers sold come with either Windows or MacOS installed, so it's what people learn. Once you learn a system, it is easy to you, even if it's some antiquated, console driven, remote accessible Unix app.

      MS is having problems selling upgrades. Why do you think ~90% of businesses are still on XP? Because it was/is a useable, relatively stable OS that did what people wanted.

      People are not upgrading because XP is good enough and it's cheaper to keep running XP than it is to upgrade. Even if the OS itself was free, you still have to pay your IT guys to create an image for every machine config in the office, install it, train your employees to use it, and pay for the downtime they experience backing up their old stuff and learning the new OS.

      You can say what you want about MS, but the fact is, they are the best OS for Businesses, and most consumers

      No. MS produces the OS used by most businesses and consumers, therefore, it is what most businesses and consumers choose when they upgrade. It's easier to make the upgrade from XP to 7 than it is to upgrade from XP to Ubuntu 10.4, just as it's easier to make the move from Ubuntu 9.10 to 10.04. When you upgrade to a newer version of your current OS, odds are that you lose nothing. If you switch OS's entirely, you have to find replacements for every application you currently depend on and still convert all your files to the new format.

      When Linux is usable by joe user, I'll take it seriously.

      My three year old daughter runs Linux and she can't even read yet. Hopefully Joe User is more savvy than an illiterate three-year-old.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    15. Re:Microsoft's Business by burnin1965 · · Score: 3, Insightful

      Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money

      I see you are getting hammered with comments that I believe misunderstand your professor's statement. Of course businesses are in business to make money, what people don't seem to get is that Microsoft's core competency, main objective, mission statement, sole purpose, etc. is to make money.

      I could be wrong but I don't believe that Microsoft developers intentionally make bad products with the intention of getting customers hooked and then forced to upgrade. I believe this is just the end result of a business strategy that permeates virtually all of business management in the United States today. I would describe the U.S. business models as, greed is good slash and burn, hookers and extortion profit margin goals, end times are near hoarding and investment (or lack thereof), and disaster focused management.

      Greed is good slash and burn: There is an entire generation, perhaps more, of MBAs who watched Wall Street and fell for Gekko's speech about greed as a driving factor for all human pursuits but either failed to watch the entire movie or did not make the connection to the plot where greed did not result in excellence in business pursuits but instead led to cheating, destruction of other people's livelihoods to transfer wealth from a group of people to an individual, and outright criminal activity. And we don't need a movie to tell us that greed is not good, we have real life events that occur over and over and over that show us how greed left unchecked simply leads to crime not excellence.

      Hookers and extortion profit margin goals: Profit margins are important for the viability of a business and its ability to expand and invest into future business opportunities, however, the greed mentality has created a deranged market concept that becomes detached from the real market and real viability of a product. I have seen this mentality at work at a hardware manufacturer during management and engineering meetings where Part B had a lower profit margin than Part A and it was repeatedly suggested that Part B should no longer be manufactured and Part A should be ramped up using the manufacturing capacity of Part B. Unfortunately the MBAs and engineers refused to listen to sanity, the bulk of the market wanted to buy Part B not Part A and the final products that used Part A also required Part B. Without the low margin Part B there was no market for Part A! Once logic failed I gave in to the greedy profit margin goal and suggested we replace all the engineers and manufacturing employees with hookers and thugs as the profit margin in the Hookers and Extortion business was probably better than making parts. As an engineer I would not be needed so I left.

      End times are near hoarding and investment (or lack thereof): Again driven by greed, rather than having long term multiple year future plans many U.S. corporations are more concerned with 3 month business plans as if there will be no future for the planet or business beyond the next 3 months. If your engineering project does not have an acceptable ROI within 3 months then it stays on the back burner. Even after presenting the same 3 year plan after 3 years on an annual basis and explaining that 3 years ago if it had been implemented the benefits would have been rolling in the project is perpetually placed on the back burner while the funds that could have financed the project are hoarded until upper management bonus time rolls around.

      Disaster focused management: And as a result of the previous management techniques the focus of U.S. business management becomes continually locked in disaster recovery mode. With everything focused on greed the little things like safety, sustainability, future capability, etc. are all left to the wayside until they becom

    16. Re:Microsoft's Business by Captain Splendid · · Score: 2, Interesting

      Not many companies tell their shareholders that they `just want enough to get by`.

      Correct, but that's not the point.

      Do you have some examples?

      Yep. My small business.

      The point, in general, is this: There are many ways to run a business. Just because 99% do it a very specific way doesn't mean it's the only way.

      --
      Linux, you magnificent bastard, I read the fucking manual!
  4. It is simple Darwinism by filesiteguy · · Score: 4, Interesting

    If you look at any ecosystem, you'll find that there are pests trying to gain a foothold into that system by exploiting a weakness. If there is only one type of organism, the pests will adapt and exploit the weakness of that organism. This is why you need ever more powerful pesticides when cultivating monoculture crops such as corn, wheat or even soybeans.

    Same goes for ecosystems of computers. Given 90% are running Wintendo, you find that the pests (virus and other exploit authors) take advantage of that monoculture. The weaknesses are then exploited and have to be "patched" in order to ensure survival of data and/or systems.

    Given an ecosystem with multiple operating systems - Windows, Linux, Unix/OSX, zOS - you'll find a greater ability to defend against continual threats.

    1. Re:It is simple Darwinism by betterunixthanunix · · Score: 4, Insightful

      There is more to it than that. A very carefully managed Windows system can certainly withstand a number of attacks, just like a carefully managed *nix system. The problem is that most Windows systems are not carefully managed, and a carelessly managed Windows system is much more vulnerable than a carelessly managed *nix system. Windows started out as a single user OS, and even though the NT kernel has everything necessary to support multiuser setups, it is very difficult for Microsoft to push better security as the default in Windows -- there are just too many people who have a habit of doing everything as "Administrator," and too much software that relies on that sort of behavior. Things have started to change, but Windows XP is still widely deployed.

      Really, if Microsoft wanted to, they could start marketing an OS designed for security sensitive environments (perhaps with a compatibility mode that allows Windows software to run in some kind of VM), and leave Windows as a "home PC" operating system. The fact that they are not doing anything like that, despite the fact that MSR developed such an OS, speaks volumes about Microsoft's priorities.

      --
      Palm trees and 8
    2. Re:It is simple Darwinism by vcgodinich · · Score: 3, Interesting

      The fact that at the recent history of security conferences, Windows did just as well out of the box as *nix did, and OSX was breached with ease speaks volumes as well.

      No matter WHAT MS does, it isn't going to be able to secure home PCs against "cyber warfare" from China. End of story. MS's security isn't bad at all, in fact it's years ahead of its nearest competitor (OSX).

    3. Re:It is simple Darwinism by TheCarp · · Score: 5, Insightful

      I would submit that most non-windows systems are also poorly managed.

      The difference is monoculture vs diversity. Look at windows users, and you will find lots of people using the same tools. Outlook, as soon as a company installs exchange you can be sure that the vast majority will be using outlook to connect to it. You find a vulnerability in outlook, or word, or a system service, and you can suddenly hit huge swaths of machines.

      Now, Unix? You have multiple hardware architectures, distributions of even similar systems like Redhat and Debian Linux have made different choices for default daemons for various services. A hole in pine or mutt may not affect evolution users, or thunderbird users.

      So in addition to a smaller audience, you get a smaller percentage of that audience.

      To put it in business terms, the ROI of windows vulnerability exploits is just higher. That is, unless you are targeting a specific system, in which case, well, I know that where I work, many more windows servers exist than the entire unix environment, but, the Unix environment has a higher percentage of the mission critical (or more to the point, patient care critical) servers.

      So that's not to say there isn't definite ROI on such attacks, it can even be higher. However, I don't think that such attacks really factor into this discussion since specific attacks on specific machines for their content is the exception rather than the rule for most systems/users.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  5. Summary misdirected by ATestR · · Score: 4, Insightful

    For once, I RTFA. The summary seemed interesting. However, the FA was even more interesting, although it had little to do with all the money that Microsoft had in its back pocket, and how its market dominance was based on low cost products.

    The main thrust of the FA, for those of you who don't want to click the link, is that because the Windows OS is so prevalent in civilian and corporate usage, a Cyberattack could devastate the economy (and western civilization).

    --
    "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
    1. Re:Summary misdirected by vcgodinich · · Score: 2, Insightful

      Implying the Microsoft products are prevalent because they are "low cost" is absurd.

      Granted, OSX in use is a bit pricier, but not -that- much, and Unix/Linux is as close to free as you can get.

      Microsoft isn't low cost at all, if anything, it is high cost in a great many areas.

    2. Re:Summary misdirected by Anonymous Coward · · Score: 2, Interesting

      Cost is not just the cost of the box.
      Let us say, as a business, I want to run some servers.
      A quick look over at a job site: Windows Admins - £25-30k, Unix - £30-45k.

    3. Re:Summary misdirected by Bert64 · · Score: 4, Informative

      While true, by the time MS became an expensive option it no longer mattered - millions of people were already locked in.

      Back in the days, MS (and the cheap hardware they ran on) were a cheap option compared to Novell, Sun, DEC, SGI, IBM, Apple and all the other high-end vendors... MS and x86 were massively inferior to everything else on the market, but with such a huge price differential they were able to make it up on volume...

      Ford cars are clearly inferior to Rolls Royce or Ferrari, however you see a lot more Fords on the roads for the same reason. However, cars are standardised enough that it's impossible to lock someone in, thus ensuring there is a healthy level of competition in the industry.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. I disagree by 2names · · Score: 5, Insightful

    I am not a Microsoft fan, but I believe the weak link has much more to do with the meat sitting in front of the computer than the software on the computer.

    --
    "I'm just here to regulate funkiness."
    1. Re:I disagree by axl917 · · Score: 2, Interesting

      I am not a Microsoft fan, but I believe the weak link has much more to do with the meat sitting in front of the computer than the software on the computer.

      Well, that gets to the issue of who bears the responsibility; that which sells a poor but patchable/fixable product, or the buyer who is ignorant of the necessary fixes?

      Is this more like owning a house, where the owner is responsible for regularly checking the foundations for cracks, the locks for security, etc... Or more like owning a car, where the owner is still responsible, but the manufacturer builds in many, many indicators and warnings when things need attention?

    2. Re:I disagree by mlts · · Score: 2, Interesting

      This is why I think and greatly fear that closed systems may end up in our future on mainstream computing just due to the dancing bunny problem.

      Device operating systems are moving that way where if one wants to run stuff on a smartphone, it must pass a gatekeeper, either always like in the case of Windows Phone 7 or iOS, or a reactive system with an after the fact kill switch like Android has.

      Because Joe Sixpack doesn't care about security, it really doesn't matter what OS he uses. He will su to root, log on as Administrator, turn the key and logon as SECOFR on AS/400, or whatever superuser access requires for the website that has the pr0n viewer to be installed. It doesn't matter what the OS is, the dancing bunnies "security hole" is going to kick any OS in the ass. This is one reason why closed environments such as on phones have a lot fewer security issues -- unless Joe Sixpack roots/jailbreaks the device (which will be past his competency and too much trouble in most cases), he most likely isn't going to get a Trojan because the Trojaned app would have had to pass some type of vetting first.

      Yes, there are issues where one can get affected through a hole in a browser or add-ons. However, the advantage of a closed system is that if done right (where the OS has DEP, ASLR, and other base level ways to prevent code injection), sneaking executable code on a device is not going to work.

      Maybe the compromise in the PC world will be going to a hypervisor-based system where admin access is available, but it takes some deliberate doing to get a superuser prompt, and applications are installed in VMs, where the compatible OS files are stored as an image. With decent deduplication, the OS files only need to be stored once, so installing a program into its own VM where it can only see what is present there, and perhaps files in a shared directory may end up being what is done. This way, a user ends up never needing admin access, and a Trojan is only limited to that VM.

  7. Clarke is all right by Rogerborg · · Score: 4, Informative

    Remember, he was the guy who warned Rice and President Cheney about an imminent Al Qaeda attack. Or depending how you view it, failed to convince them of it. Still, as ass covering goes, his was iron clad.

    --
    If you were blocking sigs, you wouldn't have to read this.
  8. Microsoft created this problem by bugs2squash · · Score: 3, Insightful

    But then, to a large extent they helped popularize the PC which became ubiquitous and hence became worthy of attack. The PC also became a reasonably standard platform upon which Linux etc. could be developed and cheap enough that we can all afford to own one and join in the fun. It is by no means certain that this would have happened otherwise because I don't believe security is the enemy of profit, in fact I think we'll see a future where security tightens to the point where hardware will be locked to only run a certain OS - where will Linux be then?

    --
    Nullius in verba
  9. Interesting by DaMattster · · Score: 4, Insightful

    All of the money spent on lobbying the government against using Linux would have been much better spent on developing a reliable, secure operating system. The shortsightedness of large corporations never ceases to amaze me. Since they spent all of this money on lobbying, which ultimately was unsuccessful, they had to spend money on securing Windows anyway. So, Microsoft spent a large sum of money in total, when they could have just made a better product to begin with.

  10. Re:one sided by Anonymous Coward · · Score: 3, Insightful

    Why do you people always say this? Windows is the Single-User system botched into a multi-user environment, not Unix.

  11. Weak links by DaMattster · · Score: 2, Insightful

    I might argue that many operating systems would be weak links in the cyber warfare scheme. The most notable exception would be OpenBSD. If I were in a decision-making capacity, I would reach out to Theo de Raadt, apologize for the way we previously treated him, and get him started immediately in developing a secure network. He and his team seem to have the understanding of security from the lowest level possible. The current en-vogue trend, end-point security, is useless if your web application leaks memory. Ostensibly, you would need a hole in the end-point to reach the application and that gets exploited opening the network wide open.

  12. The weak link is old Software by Toreo+asesino · · Score: 3, Insightful

    There's nothing wrong with the newer rounds of MS software; the problem is the older stuff, which as time goes further back, tends to get less & less secure (all the way to Win98/95 which actually had no security at all).

    Even now I occasionally run into boxen running thoroughly rooted Windows.....98. That's your problem.

    --
    throw new NoSignatureException();
  13. Microsoft is the market leader. by miffo.swe · · Score: 3, Insightful

    As such you would expect them to excel at security nowadays since it seems a very big concern amongst most users. Still their security efforts are pretty laid back and half assed. Microsoft don't take security seriously, it's a PR problem for them at the most.

    As a market leader one would expect Windows spanking Linux, BSD and Apple's behinds but in reality Windows security sucks. Not because it's more prevalent but because it's a sitting duck. At Microsoft, features and ease of development has always stood higher than security on the priority lists. The only thing that can change that is monetary pressure like demand for accountability of their products. Until then, Microsoft security is a game of statistics, lies and damn statistics.

    --
    HTTP/1.1 400
  14. Windows is widely used where it matters by tepples · · Score: 3, Insightful

    [Windows] may be the most widely used desktop OS, but once you include servers and small devices, Linux beats it easily.

    Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system. Small mobile devices have only a sporadic connection to the Internet, much like home PCs in the dial-up era, and many use an executable whitelist managed by the device maker. So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

    1. Re:Windows is widely used where it matters by causality · · Score: 4, Insightful

      Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system.

      Most of whom choose a non-Windows OS. When people with a clue avoid something and people who don't know better flock to something, it says a lot about that something.

      To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

      So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

      Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Windows is widely used where it matters by Amouth · · Score: 3, Insightful

      Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

      I'd tend to disagree with that comment - look what bot nets are used for?? very rarely are they used for mass processing power or for anything more than a spamming and dos'ing..

      - A personal computer on a basic always on connection which tend to keep a dynamic ip for several days then move (some providers it is longer) VS a server that doesn't..

      - a Home computer with a user none the wiser that doesn't even bother to see what is running VS a server that would have an Admin responsible for it and regularly checking up on things

      - a home computer on a dynamic ip block owned by a large telecom who doesn't give a shit about crap on that part of the network that won't cut it off or relay infection details or won't respond to your calls VS a server on a company owned block that will checkup on reports and will respond.

      In my experience when we are getting spam or bot attacks - if the source is coming from a private company's network or anyone's owned IP block (not blocks for residential service) they always respond to inquiry and normally say thank you. I've NEVER had one blow me off - Now when it's coming from some dynamic block I've been blown off so many times that I don't even bother calling them.

      Take it how you will but I think you are confusing what you personally would want to have with what is sufficient and functional for bot nets.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    3. Re:Windows is widely used where it matters by Amouth · · Score: 2, Informative

      http://news.cnet.com/8301-1009_3-10413951-83.html

      they already have - seems like they did exactly what they did with other setups..

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    4. Re:Windows is widely used where it matters by causality · · Score: 2, Interesting

      I'd tend to disagree with that comment - look what bot nets are used for?? very rarely are they used for mass processing power or for anything more than a spamming and dos'ing..

      Things that require little processing power but do require lots of (aggregated) bandwidth. This is where it's easier for botnet owners to compromise a thousand Windows PCs connected via cable modems than one or two high-end multi-homed Unix servers that could handle the same load.

      Botnet owners also have a disadvantage: they don't want their malware to be easily detected. Thus the less it burdens the host PC, the less likely that it will be detected and removed. Massive processing power certainly does have applications. It's that botnets are working with what is available and readily feasible and this naturally places limits on their uses, the same way a lack of money would prevent you from purchasing a private jet.

      Take it how you will but I think you are confusing what you personally would want to have with what is sufficient and functional for bot nets.

      Actually I sought to explain why the low-hanging fruit is even more desirable than the "juiciest" targets available. That doesn't mean the juicy targets are less juicy or that the low-hanging fruit isn't low-hanging. It means botnet owners want maximum return for the least possible effort and big-iron Unix systems run by competent admins don't accomplish that goal like expendable Windows machines that are a dime a dozen though individually far less capable. What I personally like or don't like has nothing to do with this.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:Windows is widely used where it matters by eth1 · · Score: 4, Insightful

      To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

      OK, I'll bite :)

      Most people that are competent couldn't answer the question "Do you prefer Linux (etc.) or Windows?" (unless the answer is "both"). It begs the question, prefer it for *what* exactly? At work, I have both Windows 7 and Ubuntu systems at my desk running Synergy. I use whichever one happens to be best suited for my current task. Same at home, except that the Linux box has been decapitated and shoved in a closet. I prefer windows (7) on the computer I sit at at home, because in my experience, I spend far less time screwing with it trying to get stuff to work (Mac might be an option, if it wasn't for games).

  15. i'm still waiting for the warhol worm by circletimessquare · · Score: 2, Interesting

    http://en.wikipedia.org/wiki/Warhol_worm

    one of these days, some genius asshole is going to, just for the lulz, shut down the whole goddamn internet in 15 minutes. he or she is going to do it with a worm that, of course, will be based on something in the microsoft constellation of oses/ products/ third party software. perhaps from our other security averse friend, adobe

    i thought it was going to be code red or sql slammer, but no, these infections were content to zombify, not zombify and enslave the nonzombies (see below):

    http://en.wikipedia.org/wiki/Code_Red_(computer_worm)

    http://en.wikipedia.org/wiki/SQL_Slammer

    enslave the nonzombies: of course there are other oses out there, but they are in the minority. so listen up genius asshole: whoever writes this worm will cleverly make sure that all compromised systems DDOS non-microsoft os ip addresses on purpose. sql slammer and code red just blindly reached out to all ips and latched on to any promiscuous microsoft bitches that proved to be receptive to getting fucked. but you, oh genius asshole, will take note of those ips which defy you and share this list dynamically and automatically in real time between your other pwn3d machines

    if a machine does not respond to your rude advances to be fucked, or can otherwise be quickly and reliably sniffed out as a non-microsoft os ip, punish the defiant, hard and cruel

    you leveraging your growing zombie horde of microsoft os monoculturalism to mount a directed attack on nonmicrosoft machines. DDOS the responsible and the vigilant. leverage the power of the insecure to take down the secure. if the bitch won't fuck you, slap that bitch. if they will not be defeated, then they will be enslaved in a deluge of requests until they succumb. none shall survive, all shall be zombified or enslaved

    and therefore completely wipe out the whole goddamn internet. for the lulz, you see

    i'm still waiting, and when it happens, even though my means of livelihood is based on the internet, i'll be clapping and eating popcorn, reveling in the sheer armageddon horror of it all. awesome dude!

    so where are you, genius asshole? make it happen

    please don't let it happen for some insipid mundane making-up-for-my-small-penis-through-nationalism reason like cyberwarfare between usa/ russia/ china/ iran. that would be boring. nationalism is fucking retarded

    get it done FOR THE LULZ my genius asshole friend, where ever you are. i'm waiting to be adequately entertained by global internet meltdown. MAKE IT HAPPEN

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  16. You can't have secure AND popular by petes_PoV · · Score: 3, Interesting

    For software to be used by "everyone" it must put as few complications as possible between its users and their objectives. Since most people's objectives are focussed on results, not security, if you try to make an operating system or application suite secure, people will find a simpler, more direct way of achieving their goals. One where their perceived balance of speediness and security (i.e. as fast as possible and damn the consequences) is met.

    Once you get away from using popular applications and O/S's, the price rises incredibly quickly. Instead of spreading (say) a billion dollar development costs across 100 million product sales, you have maybe 10,000 customers who can be persuaded to pay for a product. This immediately means no-one will buy it unless forced to by law, or unless they can in turn, pass on the costs to their customers. The smaller market also means there will be fewer suppliers - probably just one. Which in turn will drive up costs due to lack of competition and decrease any incentives to fix problems or develop new wares in a timely fashion.

    We know what a secure operating system for the year 2010 will look like. It will look like VMS from 1995, for all the reasons discussed above. Now, which are we prepared to pay for: Microsoft products on every store shelf, running the country or critical systems with the security, features, lack of connectivity from the mid-90s?

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  17. Apologist much? by HiggsBison · · Score: 3, Insightful

    That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. ... while windows will run on pretty much any hardware.

    Set the koolade down and step back. Microsoft Windows works on a much wider range of hardware than OSX, but it's still quite limited. I will concede that only Microsoft Windows excels at making use of a proprietary piece of crap like a Win-modem or a Win-printer.

    Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

    My experience is that the average XP user is more baffled by Windows 7 than by Ubuntu. And don't even think of suggesting that Ubuntu can't be set up by someone knowledgeable.

    Sure windows had bugs, but many of those aren't MS's fault, but rather vendors that write crap drivers.

    Microsoft provides an ever-changing foundation of thick muck. And like you, they are quick to blame others for any problems.

    --
    My other car is a 1984 Nark Avenger.
  18. Re:The weak link is old^H^H^H NEW Software by petes_PoV · · Score: 3, Insightful

    The other weak link is new software that is rushed to market without being tested properly Adobe Since the market pressures require as short a development time (and preferably no testing - since you might find bugs that have to be fixed: more delays) in order to keep the cash-flow flowing.

    Only government agencies can afford to spend a year designing a bullet-proof system, then another year writing the software and a year or two more making sure that no-one can ever break in to it. Are you prepared to slow down software development by a factor of 8, from 6-monthly release cycles to a new version every 4 years? It would be commercial suicide and far too expensive.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  19. Re:Windows, vs. LINUX, vs. MacOS X (security vulns by oakgrove · · Score: 4, Insightful

    Linux 2.6x KERNEL SECURITY VULNERABILITIES

    It doesn't make sense to compare a line of kernels dating back to 2003 to an operating system that came out last year. The 7 kernel is just a derivative of the Vista kernel, for example. And in '03, XP was still going strong. Furthermore, 2.6 or whatever is just a name. I am running 2.6.32. How does the NT 6.1 you are presumably running compare to that?

    --
    The soylentnews experiment has been a dismal failure.
  20. Do you have any support facts? by Anonymous Coward · · Score: 2, Insightful

    And Apache is the most widely used Web Server but its security record is far better than IIS. So what does that say. Also Unix/Linux far outnumber Windows Server in terms of presence on the Internet; however, they are more on the yet their track record is far better than Windows server.

    I often see this wives' tale but have yet to see any supporting data.

  21. Re:Windows, vs. LINUX, vs. MacOS X (security vulns by quickOnTheUptake · · Score: 2, Informative

    Right. Let's feed the troll, and spin it another way:
    Look at the severity of the advisories (They are rated from 1-5). Neither Windows nor Linux has any unpatched vulnerability rated higher than "less critical" (i.e., neither has anything unpatched that is 3 or higher). So for vulnerabilities >2/5, they both have a 100% patch rate. The difference is in "less critical" advisories, (1 or 2).
    Windows 7, in its short life, has had 8 advisories rated "less critical" or lower. Of these 2 are unpatched. That means the patch rate for less pressing vulnerabilities is 75% (a full 25% are unpatched).
    Linux (if I counted right) has had 191 advisories that were rated 1 or 2, since 2003, of these 11 remain unpatched, or ~5.8%.
    The difference in the overall patch rate is due to the fact that far more of Windows' vulnerabilities have been critical, >3/5, (specifically 12 of the 20) than Linux's (26 of 217).
    Also note that Linux has never had a vulnerability rated 4 or 5, its highest vulnerability has been a 3. But eight of Windows' 20 advisories have been 4's and one was a 5.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  22. Difficult to assess impact of the strategy by daboochmeister · · Score: 2, Interesting

    Not sure I agree their attempts via lobbying were unsuccessful. Linux is used in a significant way in government/DoD systems, as noted in the article, Mr. Clarke surprised many by insisting on an evaluation of Linux in 2004 - and I remember how that study and its results ran into resistance across the boards, before the electronic ink was dry. Without lobbying efforts having tipped the playing field, Linux could very well have significantly more penetration in government infrastructure than it does today.

    And note that on the desktop front, Microsoft's strategy arguably has worked bizarrely well ... the irrational resistance in federal circles to Linux desktops that prevails to this day is amazing.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  23. Re:Windows, vs. LINUX, vs. MacOS X (security vulns by erroneus · · Score: 4, Informative

    It's a frequently used troll post. It has been completely debunked in the past several times. All of the critical bugs listed for the Linux kernel, for example, were local exploits only -- NONE were remote. In contrast, Microsoft's exploitable bugs are famously remote exploits meaning they can be done over a network connection. Mac OS X is another bag of worms... but thankfully, Apple controls and limits its users such that it will never be big or ubiquitous enough for large scale general use like Windows and will never likely get used in critical government or business operations.

  24. Re:That's LINUX 2.6x current info. @ SECUNIA... ap by oakgrove · · Score: 2, Interesting

    I was comparing the "latest/greatest" from Apple, Microsoft, & the LINUX camp

    If you're including linux from 2003, you have an odd and erroneous definition of "latest/greatest". Not only that, Windows 7 is an OS, Linux is not. And, furthermore, if you are comparing kernels, you have to include the Vista kernel to the 7 kernel which you did not.

    I'm not going to bother refuting the rest of your drivel since it all rests on this one blatant fabrication. If you want to attack Linux's security record, at least do it in good faith then people might be willing to listen to your arguments. Your original post is little more than noise and it just sets you up for ad hominems and derision as no one can really take you seriously.

    --
    The soylentnews experiment has been a dismal failure.
  25. Re:Windows, vs. LINUX, vs. MacOS X (security vulns by oakgrove · · Score: 2, Informative

    That's not a troll post.

    Even if his post is false,

    It's a troll for one very simple reason. He's including 2.6 kernels from 2003 and comparing them to Windows 7 which uses the NT 6.1 kernel which is a derivative of the NT 6 kernel used in Vista. Intentionally distorting facts to support your argument is trolling. Furthermore, he's bringing up secunia stats as if that is the whole story without mentioning the relative severities. Of course, it's a red herring anyway as I've already pointed out.

    --
    The soylentnews experiment has been a dismal failure.
  26. i am internet final boss by circletimessquare · · Score: 2, Funny

    if you defeat me, you get a live-action cutscene of me doing your mom

    unless you won teh internets by traversing the far more difficult /b/tard PvP realm in the Retards and Trolls Comment Board (tm) expansion pack (beta)

    in which case you get a hentai animated cutscene of rule 34 THAT NEVER ENDS AN ETERNAL HELL OF FURRIES GROUP SEX OH MY GOD MY EYES

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  27. Re:Debunked? Then do so now... lol, good luck! by erroneus · · Score: 2, Informative

    I have checked various registries of accreditation and do not find Anonymous Coward in any of them. Perhaps you should start by revealing your identity and proving your assertions of credentials. Next, don't assume I have less experience and no accreditation. I have a degree. I have certifications and I have been in the industry since I was 16... I am 42 now. I have experience with everything from mainframes to the most obscure PCs and just about everything in between. I know the lay of the land. I know it too well. I was there for the birth of Unix (sort of... it coincides with my own birthday) and have followed the tech since then. It has been my life and obsession. Do not begin to believe that degrees and certifications even BEGIN to make someone qualified to understand what is really going on.

    What you have is "product training" and little more.