Slashdot Mirror
Microsoft Says Two Basic Security Steps Might Have Stopped Conficker
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".
Me Ballmer! Me blame users for our security holes! Ooh ooh ohh ooh! *hurls chairs* Get out now! Me angry!
So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?
Nice to see MS on the cutting edge of security research.
I want to delete my account but Slashdot doesn't allow it.
We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?
Palm trees and 8
It's not my fault!
Revised: Step 1) Stop using computers
biometrics are not that much better and don't to well for say a sheared admin or other maintenance password.
Is that like locking your doors? But what if I need to run into my house in order to escape a horde of Zombies? What if I need to run into somebody else's house? What if my wacky neighbor needs to come in and deliver a punchline?
People just don't think!
True, but there are targeted attacks even in the Unix world, and if you don't keep it up-to-date, you could be owned by one of them
The software had a poor security model that allowed poor passwords, did not educate the customer with what a 'good' password choice is, and did not have a convenient update system easily understood by the customer.
And it's your friggin customers -- understanding how they work with your software is your core business. This is an interface failure.
It does on any reasonably well managed corporate machine.
Why can't that be the default in the consumer OEM copy?
Although the service in question likely has no business being anywhere it can be exploited anyways.
A Pirate and a Puritan look the same on a balance sheet.
there are targeted attacks even in the Unix world, and, if you don't keep it up-to-date, you will be owned by one of them.
FTFY
Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conflicker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.
If possible and if the systems in question allow for it, you could still authenticate the admin with RADIUS+, and have the access to the RADIUS+ server done with two factor authentication or biometrics.
We had the conficker worm run wild at my work not long ago. Even systems that were well secured by passwords ended up falling victim to the worm due to unpatched vulnerabilities. Yes, bad passwords don't help, but Microsoft needs to own up to the fact that a worm such as conficker is perfectly capable of infecting well-secured (password-wise) machines if they are not patched for the vulnerabilities that Microsoft left behind.
And being as some patches and updated break compatibility with critical software, patching is not always a trivial matter. Some systems need to stay essentially frozen in time with regards to updates, while still being on the network. Of course then an infected system is added to the network and away we go again.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
If everyone stops using Windows then there will be no Windows worms, and the next popular OS will be targeted. That's economics. It's been shown repeatedly that Windows is more secure than Mac OS, just for example. Let's not argue about Linux. In fact, let's not argue about the fact that people should stop being stupid about security. The platform is really not as relevant.
If only:
1. Everyone were meticulous in following the guidelines which require passwords being more shift+number than letters, and capable of memorizing new ones on a regular schedule.
2. Everyone kept better care of their computers (regular updates) than they do for their own bodies (regular physicals, anyone?).
Then we could have prevented this whole thing!
Real world implications of having to remember numerous non-dictionary passwords, and expecting those who see the computer as a magic box to the interwebs to treat it better than many of them probably do their cars as far as maintenance goes, is far beyond simple.
They might as well be saying that mentally wiring humanity differently is simple. And that's just silly for Microsoft to say (because that's Apple's mindset!).
Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.
To be fair...
If Windows had a halfway decent package manager, most people would actually keep their stuff up to date instead of updating when they feel like it...
I think the joke is, for once, Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.
So of course they're going to get every last inch out of that little sound bite. Of course anyone at Microsoft condemning people for not, "sticking to security basics" is laughable.
Please name a Unix based attack that is equivalent to the malware being discussed.
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
1) Get rid of Windows
2) Never use it again
Because if we get rid of Windows, all the malware writers in the world will give up and stop trying to steal money from people who don't update software and use "pa55word" as their password...
Just two attack methods:
1. weak passwords
2. stolen passwords
3. software vulnerabilities
'nuff said
what about local admin / laptops that may not be linked to the sever?
What percentage of infected machines had pirated copies of Windows XP and couldn't get patches because of âGenuine Advantageâ validation?
If Microsoft really wants to help the security situation, when XP is officially EOLed remove the restriction on herring all the updates.
Learning HOW to think is more important than learning WHAT to think.
having to change passwords all the time leads to weak ones or the password being put on a post it note.
Seeing as Microsoft wrote it in the first place, I think it's fair for them to share some of the blame.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.
It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"
Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.
For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, anf 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.
Then there are idiotic Paychex which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?
Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. May be even a third level password to send cash out of that institution to outside.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
I just got caught up on some of my reading. One of those articles was about how people who 'foolishly' applied their black Tuesday patches were unable to print out their tax forms. I think that might just explain why so many systems are so far out of date.
Even if you do keep it up to date, you could get potentially "owned" by someone. That's why it's a better idea to be more proactive and keep track of likely attacks and black list the attackers.
It also helps not to leave things in a state where they can be exploited to begin with.
A Pirate and a Puritan look the same on a balance sheet.
What's wrong with a password of "123456"?
It's 20% better than the combination on my luggage.
The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.
I am Bennett Haselton! I am Bennett Haselton!
At least it's once a month instead of every day *cough cough* ubuntu.
The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.
A C library update is pretty noticeable too; you might be able to keep the kernel up, but there's not a lot of point given that virtually every user process is entangled with the library being updated. OTOH, if you're having to update the C library on a regular basis, you've got pretty serious problems anyway...
"Little does he know, but there is no 'I' in 'Idiot'!"
It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.
1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though. 2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatically downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there's also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7's a lot better with that.
having to make up your own passwords, then having to change them all the time leads to weak ones or the password being put on a post it note.
FTFY.
I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.
Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case letter, and 1 number, still changes every quarter.
With a faculty of about 150 users, we cracked approximately half of the user-defined passwords within 5 minutes of firing up JtR. My personal favorite was cracked in less than half a second:
Dolphin1
My experience is, it's less about how often the passwords change, and more an issue of users not having a good sense of what it takes to secure their data.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.
It's actually not an unusual position for them to be in at all. The vast majority of major Windows worms exploited vulnerabilities that had long been patched.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:
You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!
And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?
Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).
With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?
Windows more secure than OS X? HAHAHAHAHA! Good one. Got any more funny jokes?
For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?
What bugs me about Windows is that there is very often no way to do an unattended update at a certain time for many "packages". Windows being the notable exception. The average Windows day for the average customer runs a bit like this:
"Ok, I'd like to play a game. Let's double cli... huh? Oh, Acrobat update. Ok.... yes, accept license... wait ... download patch, watch download bar move... installing... watching bar move ... ok, we're set. Now lemme... huh? Oh, virus killer. Ok, 'tis important, go ahead and update yourself. Yes, license agreement... waiting for download (because experience taught us that you better NOT try to do anything as system critical as starting a game while something is being patched. Could upset the copy protection trojan). Huh? Failed? Oh, because the Acrobat update didn't finish yet. Ok, it's finished now insta... restart."
"And we're back after the break. Now, for the antivirus. download ... update... huh? New version? Ok, install it. Yes, I agree with the license... installing... reboot."
"Finally! Ok, first of all, let's take a look at some porn. Open Browser... oh, new version? *sigh* Ok, download and install it. ...waiting... Ok, now... huh? What happened to my plug... oh. Of course. Incompatible. Fine, but I'm not going to visit any porn pages without a decent ad blocker, so first of all, update the plugins."
(half an hour of browsing, finding them, or not finding them and searching for a replacement later ... And another few minutes later including washing your hands...)
So. Game time! Fire up Steam... updating... Ok, restart steam... While it's doing that, let's start Teamspeak... Oh. Updating... must be patch day all over the world...
Finally a good game of $whateverfps. Huh? Patch? I don't wanna, not again! Oh, no multiplayer without, huh? Ah, anti cheat stuff. Ok, make it so...
And so on, and so forth. THIS is what actually bugs me about Windows. The piecemeal updating process. You can't just keep your machine running to have it update its stuff and actually, you know, USE it when you are sitting in front of it. It seems to be critical to steal the user's time and show him that they actually patch their half baked software.
And it's not like the software (and its patchers, launchers and oh-so-important taskbar tools) wouldn't run anyways and could technically do a daily check for updates. Dear Adobe, care to inform me why you insist that your launcher is running (and turning it off only means it gets reinserted into the Run key as soon as I dare to open an Acrobat document) and steals my ram for zero return, yet STILL require me to be present for every damn update you might want to run? Why is there no option in Steam to automatically patch and restart Steam if I'm not currently playing a game?
Rolling that all into a single package handling goodie would be a blessing. And MS actually manages to do just that with their updates, the kicker is that of all the various companies that have their fingers in my system, MS bugs me the least!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Linux doesn't really need to be updated as a response to Windows viruses either.
Sure, you can choose to update at your leisure (as you can on a Windows box, btw), and that includes not updating, which is the condition the article describes, and then your Linux system is in a better position.. how?
And MS knew that.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
Not only is it possible to overcome the rebooting issue, there are tools for Linux that all you to update the kernel while it is in use. Essentially it is possible to update an entire Linux system while it is in use. Had Microsoft implimented a similar feature in Windows and made updating less of an "in your face" process and combined that with some built in password management that's similar to keepass but more simple and integrated then the users would have more updated systems and stronger passwords.
Severed and sheared? Your workplace sounds way too violent.
It doesn't mean much now, it's built for the future.
The problem is that an update might involve any part of the system. What if it's the web browser? What if it's in the C standard library? What if it's in a library that is used pervasively but there's no good way to tell who's using it, like an encryption or compression library? How do you determine what needs to be restarted and what doesn't? What happens when something like an X server needs to be restarted (where restarting it means that all of its clients also need to be restarted)?
Making sure that all the running processes in your system are completely patched without simply rebooting is a non-trivial task. Generally you end up with one of the two extremes: Windows, where you usually just reboot; and Linux, where you usually don't restart everything that was patched so you have vulnerable processes still running.
dom
It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.
The key to the whole issue is the Dancing pigs problem. In a nutshell:
"Given a choice between dancing pigs and security, users will pick dancing pigs every time."
People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. They lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?
What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!
Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.
Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.
"The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"
In short, let me install my rootkit and hook up a connection to my bot herder server.
What will Mr. Moron read in this sentence. He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:
"The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)
He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.
It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Updates are worse than just the hassle of them. Many of the updates take away, or fundamentally change, the way the underlying software works. IIRC, iTunes had a great example of this early in their release schedule... At some point, Apple wanted to stop people from doing something with their files...like being able to turn them into MP3's or something like that. They released an "Update" that stopped that ability. (I may be remembering some other similar functionality)... Anyway, I remember consciously NOT upgrading, even though it nagged every time it started up, so that I wouldn't have this functionality removed. At some point, one of my kids clicked "Yes" and the functionality I was trying to preserve disappeared. I abandoned iTunes at that point because Amazon had finally come up with a viable music store that sold MP3's directly. About a year later, after Amazon started eating their lunch, Apple allowed "unprotected" files, but they were still AAC files, not MP3... Like I said, I never went back.
The point is that as long as companies use updates to make things that used to be free cost something now, or otherwise preclude you from doing certain things, the "safe" thing to do from a users point of view is adopt the "If it ain't broke, don't fix it" mentality, thus opening their systems to unpatched and potentially dangerously out of date software. My main point is that this isn't all the user's fault.
Brawndo: It's what plants crave!
Thats a false argument. You give me equal amounts of clueless users using Linux as they are with Windows and I'll name one.
The vast vast vast majority (I'd say 90+%) of Linux PCs are (1) servers that are administered professionally or (2) locked down cell phone OS or (3) desktops that geeks use. There is no way you're going to be in the same situation as Windows is with that kind of demographics.
ELF, ld.so, and dynamic library versioning pretty much eliminated that. Or are you one of the few that actually manually removes an old C library version and then rebuilds every single executable that complains it can't find the old version?
>>>shown repeatedly that Windows is more secure than Mac OS
I've never heard that before. Where has it been shown? Where does Linux fall? More or less secure than Mac?
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
You forgot to finish that last sentence:
It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.
No possible way to construe that as a troll, it is a fact. About Windows. The worst operating system ever forced on the world by illegal means.
When all you have is a hammer, every problem starts to look like a thumb.
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
I use Windows maybe twice a year and I am not going spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.
When all you have is a hammer, every problem starts to look like a thumb.
Part of the problem is also running unlicensed Windows, since those people that do -- don't get the security updates (or they may just turn off updates because they don't want to be tracked, or have some of their functionality remotely shut down). At least with Linux, there isn't much of an issue there. If someone wants to stop paying RedHat/Fedora, they can just switch to Cent OS. That's it.
And really, this wouldn't be a problem for the rest of us, except that those zombie PCs can affect the rest of us, even those of us that run legitimate copies of everything. This is just like when some parents decide to not vaccinate their children, or decide to use antibiotics for every little cold (without finishing the prescription). This is technically their decision, but then again, their decision can adversely affect the rest of us.
Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs. And if it had any data, it would be schoolwork, work not regarded as super-secret.
OTOH, if it actually was important to them, say, it held the meal plan credit or something, they'd pick more secure passwords (if someone breaks in, I could starve).
Ditto grades and transcript - for a lot of people ,they don't care if a determined hacker sees their grades - big whoop.
You'll find the same thing applies to corporate users as well - they feel the stuff they do isn't as important as the company makes it out to be, and thus end up going "why bother - what can a hacker do with my data?".
One of IT's jobs is to stress how important the data is, and why. The HR person may not care about the data (it's not THEIR data), but they should because all the employee information is in there. What IT needs to stress is that aspect - that so few people have access to that information, should it get out, suspicion would fall on them
Insightful? Give me a break. Ditto for this troll's other posts.
Microsoft up to its usual tricks.
When all you have is a hammer, every problem starts to look like a thumb.
Show me the apache worms. And no, trotting out statistics that show lots of apache boxes getting owned enmasse because a stupid admin loaded front rage extensions on it does not count.
It's a known thing, actually. Criminals in general are looking for the quick buck. Rule #1 of home security, you don't need to live in Fort Knox, your house just needs to be more difficult to break into than Tommy's down the street. If every Microsoft user would keep their computer up-to-date, and stop clicking on stupid links in their email (We can dream, can't we?), then the hackers would look towards more easily exploitable sources, and if it came to light that the average Windows box was 5 times harder to break into than a Mac, we'd see the viruses and malware move over to the OS X platform, or the Android platform (which is beginning to happen). Unfortunately, right now it is harder to rip a wet piece of toilet paper than it is to break into the average (not all) Windows machines. This is the problem. Sure, Microsoft should take part of the blame (if they had more peer review over the code, maybe some obvious security flaws would have never made it into production), but in the end, as anyone who has worked a help desk job or on-call tech support job can tell you, the worst enemy is the user.
As someone who has worked several On-call Tech jobs, I've seen it all. From people putting a USB key in the CD Drive, plants being watered on top of towers (and dripping water down the vent hole covers onto the motherboard/processor, and what looked like hot chocolate poured all over the CD tray (I seriously hope that user didn't think the CD drive was a cup holder, but I was too confounded to ask at the time). We can't blame Dell or HP or Acer for these users stupidity, so when Tommy clicks on that "OMG YOU WON'T BELIEVE THIS WEBCAM VIDEO!" link, why do we blame Microsoft? This being said, I am not a Microsoft fan, and the only computer in my house that runs windows is one I use to play games (and nothing else). I'd prefer to run only Linux in my house, but until game developers start creating games for Linux, I'm stuck.
Unless you jerkoff to the output of the uptime command, does it really matter?
OS X also reboots for user-space updates ... takes about 20 seconds ... since you have to kill the user session and restart everything, why not just let the init scripts handle it?
Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs.
Faculty and staff network access; pretty major stuff.
If I'm not mistaken, it was someone in the financial office (which handles not only student accounts, but payroll as well) who had the wonderfully secure password 'Dolphin1'
I wish it had been something as benign as lab computer access, would have made my job of patching up the holes created by user generated passwords a hell of a lot easier.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Instead of blaming the user, perhaps the *biggest and most successful software company in the world* can do something to help.
1) Bake-in a password-generator tool into IE (along the lines of 1Password).
2) Don't make the software update system suck balls so people want to turn it off.
On the former point, I know this isn't a magic bullet solution. You still need to remember a password. But it's one password, not 37. It at least makes it easier.
On the latter point, I have automatic updates turned on. Two things happen: the updates don't always download and install automatically (I am often bugged by security center telling me there are critical updates available - sometimes they just don't install automatically) and I often have to wait at log off and logon while updates are configured. That's beyond annoying.
I know 1 & 2 above won't solve the issue for everyone, but. The biggest software company in the world. C'mon. You can do better. Try harder. If we still suck at computers after that then fine, blame the user.
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
You are completely wrong about that. Reflecting your vast Windows experience perhaps?
Library versioning generally takes care of of libc updates. Various daemons have to be restarted to re-open nscd sockets which is a minor blemish, but it usually just works.
When all you have is a hammer, every problem starts to look like a thumb.
Cue the app store.
does it really matter?
Yes. Or perhaps you are the sort who enjoys getting out of your care and running around it at every stop light. While perhaps emptying out all your luggage on the street and repacking it for good measure.
When all you have is a hammer, every problem starts to look like a thumb.
Microsoft were the ones who restricted updates to those who are running Genuine Windows via various measures...
It's Microsoft's harm they are inflicting on the net - licensed systems that are easy to pirate, with features that encourage users to disable the updates. They decided to generate revenue through annoyance. The end result is zombie systems that will never get updates.
It's all Microsoft's fault. There is not even an iota of blame that falls on the pirate, as the existence of same is only human and entirely predictable.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
The assumption here is that an attacker choosing the easiest way has no other route
No. That is YOUR assumption. Nobody has ever claimed that.
Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.
Where do they say that? Other than the thoughts rattling inside your mind, noone inside microsoft has ever said that or anything even close to that.
I know this is slashdot and facts are only slightly relevant to make way for MS bashing, but what they said can be factually tested.
Patch to fix bug used by Conficker. October 23 2008
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
Conficker started spreading in Late November. Gee.. its almost like they reverse engineered the patch to see what bug was patched and then created an exploit for it.
http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/
20 seconds, plus waiting for your email to load back up, may as well update your local source code for the project you are working on since you have to recompile and relaunch your local dev environment in debug mode, plus waiting for your local test environment to compile and fire back up so you can continue dev-ing, plus having to log back into all your services, re-open any documents that explain what X interface is supposed to do ... it's a pain in the ass, not just 20 seconds. That popup dialog telling me to postpone for (arbitrary time) or "Reboot now!" is probably the most annoying dialog I can think of right now (thanks to the subject matter at hand.)
I've never had to kill my sessions or restart anything on my Debian machine unless it was a kernel update.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Steam is pretty much this for games. Does it look like it works?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
WordPress worms
Whatever it is that probes every *nix system for weak SSH passwords
"People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? "
Because Microsoft has desensitised every one with stupid window pop-ups for stupid reasons, Why? to make a false security industry, which is there is just so the user thinks they have to go out buy security software which still dose nothing to secure their systems.
1) Start.
2) Run.
3) sc stop wuauserv
4) And now Windows stops bugging me to restart my computer when I'm trying to read my webcomics.
(Of course, I install the update at a later time, but some of the "idiot-proofing" has made things a major pain in the ass for people who know what they're doing sometimes, such as the lack of easy customization in certain programs.)
Random Thoughts From A Diseased Mind (Not For Dummies)
Again. Just in case I didn't make my point clear.
The user hands over the password.
It's not a trojan reading the file where the password is stored. It's not a hacker getting in from the outside using some supersecret backdoor account. It's not any kind of hack whatsoever. How the heck do you want to keep a password secure from its rightful owner and user?
The USER is the problem. Not the system. And unless Linux has some magical ability that I didn't notice yet, namely the ability to know what the user WANTS, instead of just what he DOES, there is exactly zero chance to protect the password. No matter the system.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, believe it or not, there is actually a valid reason for the reboot. Any executable code running in memory is typically not patched by most operating systems. They will update the file stored in the filesystem but not the executable code already loaded in memory. For e.g. Shared libraries loaded in memory with ASLR and other OS protections will be untouched. (And no, KSplice is not even remotely relevant here). This means that you are at a risk of running a vulnerable piece of code. Real bad news if you're a server process that has to handle a ton of potentially unsafe external data.
Even otherwise, I wish MS would create some general infrastructure that software developers could plug into to update their software. They already have an OS component that is capable of dependency checks and other stuff, but they only use it for their OS updates and service packs. It will be used by small dev shops that will find it easy to let someone else manage updates, but a lot of big companies would not use it. So many of them use their shitty updaters to show advertisements for new products and as a way to bundle some toolbar or other unwanted crap. Oh .. and thats not even taking into account the shit tray apps and other BS they install during the first install. Sigh.. the windows world is a mess, its too late to fix it now IMO.
not rebooting leads to memory leaks and stuck software.
Even with a system to update stuff with out a full reboot what happens when it hits some thing stuck in the background or updates some thing that is leaking ram?
MS is in a bind here. They are very much aware of this problem, but there is very little they can actively do against it.
It's not even MS that is the problem here, it's the way some companies (notably game companies) abuse the system and don't write to spec. In Linux, you get ravaged (to avoid a less pleasant word) if your software required more privileges than it absolutely minimally needs, and you better have a GOOD reason to ask to run as root. Hell, most packages say explicitly that you should NOT run this as root.
It's exactly the other way 'round for MS Windows. With both, old legacy reason and newer, at least as bad reasons.
The legacy reasons come from the times of the Win9x systems who arguably had zero real protection. Likewise, it didn't matter just what Registry tree you cluttered with your keys. And because it's easier and works for all users to simply slap it into the HKLM tree instead of the HKCU (aside of other, more serious, problems that you have to take into account when using HKCU), software creators didn't even think twice before sprinkling the Registry liberally with their crap. Of course, this flies right in the face of anything resembling security where HKLM or even HKCR are off limits for "user" privileged accounts. So every time this legacy junk was supposed to run, UAC throws a hissy fit.
The less acceptable reason and the one that irks me way more is that the various DRM schemes and anti-cheat crap make games require administrative privileges, not only for installation (where I could at least accept that, due to installing a device driver, these privileges are required) but also to run them. Again: To run a stupid, insignificant game, you have to bring out the big admin guns. And this is simply NOT ok.
But there is very little MS can actively do against that. As long as people buy those games despite the need for admin privs, companies will continue using DRM schemes that don't give half a crap about the system's security. And as long as this is the case, MS cannot do anything about it. What should they do?
As soon as a program requests permissions that can somehow harm the system, a sensible security watchdog function should report that something is happening that could be damaging. Else, what is it good for? The security of the system is the security of the weakest link. One link broken, the security breaks down. You can't simply "not ask just this one time". If you do that, disable it altogether. But if it really asks every time something could possibly be amiss, you get what UAC is today, along with its "allow and deny" jokes.
So please tell us, what should MS do?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
that's the most annoying thing ever! have steam download a game and updates..
then you go start it. AND IT UPDATES SOME MORE "PREPARING TO..".
world was created 5 seconds before this post as it is.
>>>shown repeatedly that Windows is more secure than Mac OS
I've never heard that before. Where has it been shown?
Pwn2Own, among other places. The Macs get hacked fastest. They simply have the least in terms of designed security.
Where does Linux fall? More or less secure than Mac?
It varies a lot on setup, distro, et cetera, but it's usually around Windows. Which is to say, exploits against the base OS distro are generally numerous vulnerabilities chained together to get one working one, and usually that doesn't matter much compared to the gaping holes existing in the third-party software that lets the malware right in...
Sure, sure, blame the users again, Microsoft.
How about educating them for once? You own, according to some metrics, 90 percent of the desktop market. Your operating systems in retail boxes don't even come with quickstart guides to basic security. No, you just leave your users to flounder about without any guidance at all, and if they want it, they have to pay extra for it.
At least when I was paying for boxed sets of SuSE Linux, it came with two well-written manuals, a user's manual, and an administrator's manual. I suspect that boxed sets still include these. It was in the grand old tradition of "when you get this software, we'll give you the manual too" like what you got when you bought DOS or CP/M.
But these days, I guess that user education is viewed as "intimidating" to users, because *shock* *horror* computers might be revealed as the complicated, useful, and powerful devices they actually are and heaven forfend users get any ideas beyond clicking on the pretty pictures. Microsoft does its damnedest to not give the user *anything* that might resemble common sense lessons in security.
There is a lot of energy pointed at the education of developers, but none that I can see at day-to-day users from Microsoft.
I just dealt with a user who has become so paranoid, she considers technet.microsof.com "foreign" because she's been so abused by the utter lack of guidance in the past with computers that she can no longer tell what's legitimate or not, wrt software. I was merely pointing out a sysinternals tool. This makes me a sad panda, and I don't blame her. I can't. Because I've seen it too many times to think it's just "dumb users" anymore.
Microsoft's blaming of the user is utter bollocks. It is entirely their fault now.
Yes, this makes me mad. Deal with it.
--
BMO
Where do you think the term "Root"kit came from?
Before NT Unix was the laughing stock off security seriously. Like Windows it is also written in C and uses the same apis for buffer overflows, stack over runs, and other crack attacks.
My old World Almanac from 1990 had an editorial on the first ever Worm which nearly took down the internet. Hint ... it was all Unix based.
This works the other way as well. Every day in class I had to cancel a Java Update notification that I neither wanted nor could do anything about, because I didn't have the privileges necessary to install the update on the classroom machines. This wasn't a "dancing pigs" problem, it was a "security update stupidity" problem. If I could have fixed the problem, I would have, but the OS was "secured from the user". Instead, the machine lays there as vulnerable as ever because those oh-so-important updates never got installed, and IT never bothered to walk in there and say "Yes, install it now" while logged into an administrative account. The good security intentions may have been there, but the implementation was rather annoying and completely ineffective.
Was a lot better than that, somehow that always seems to water down with Windows. With Ubuntu, I can at least keep my computer on (or, most of the time, sleeping or hibernating) more often than with Windows.
You did not get my meaning, or you intentionally denied it. Linux/Unux have a user culture that understands strong passwords and much infrastructure to support that. Windows has the opposite.
When all you have is a hammer, every problem starts to look like a thumb.
Save this article and email it to the idiot bean counters at work who say IE 6 is perfectly fine and so is XP so why upgrade until 2014?
I thought Conflicker came out in like 2004? It should not be infected machines today and this is stupid.
The problem is not IE and Windows. Windows 7 and IE 9 have been secure for awhile with ASLR, DEP, and sandboxing. The idiots are not the users (well most are not), but IT and CIOs and CEOs who refuse to look at things like computers as anything but cost centers. It is gray and not black and white like the CPA rules on GAAP are the golden rules for any business decision.
Use Windows Update and stop worrying if software will break. I have never heard of a piece of software not working with Windows Update for home users. If IT is looked up as tools and investments and people ran Windows Update, had proper staffing levels, and ran Windows 7 the problem wouldn't exist and it is purely preventable.
http://saveie6.com/
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
I use Windows maybe twice a year and I am not going spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.
That comment could only be a troll in the mind of a Microsoft Spinbot.
When all you have is a hammer, every problem starts to look like a thumb.
In one company I worked for, local admin laptops were not used for networking gear once it was up and running. Only if something failed, then there was the occasional factory reset and reuploading the last known good config.
Really?
What platform was the first worm written for? What platform for the first "Root"kit written on? Infact, I wonder how the word Root got in rootkit? Hmm
So if you run your Unix boxens with 10 year old, unpatched versions of Redhat 6.2 with passwords that are mediocre then it would be perfectly secure right?
Such a system would be hacked within 30 minutes if not behind a firewall. Maybe a few hours if it ran PHP or Mysql versions from 10 years ago unpatched. Why am I making this bizaare scanario? It is because all the mahcines infected ran XP (10 years old), IT failed to keep them updated, all used ancient versions of IE (like PHP/Mysql from 2002 are vectors), and users had some weak passwords. The culture is the same in corporate America today in unix platforms as good admins are let go because they are expensive cost centers that can be replaced by help desk interns for cheap.
If your network has great management that ran Windows 7, IE 8/9, and kept Windows up to date with the newest patches you were fine. Some of the passwords would be an issue but you would be fine overall from Conflicker.
Windows and IE have both come a long way as unpopular as they are on slashdot in 10 years. If you have not ran these pieces of software in many years your bias is outdated. I am not saying its supurb but top security and performance are great reasons to leave XP and ancient IE behind. Not to mention the webmasters can celebrate with a bottle of champaign.
http://saveie6.com/
Well, you can't avoid the need to reboot when things crash. Nothing new there. But people have a need to apply updates far more often than they encounter stuck software and memory leaks crippling things, right?
With a seamless update process like I was suggesting, the need to *eventually* reboot probably doesn't go away. But uptimes would certainly improve over what you'd have if you applied, say, every Microsoft update on the day it was released. My experience with those is you get at least 3-5 of them every single week, and the vast majority of times, at least one in each set requires a system reboot to complete.
More than peddling your hippie liberal OSS non-sense.
Microsoft could create an API, that applications (during install) can register with (requiring an ActiveX, or .Net control, with an interface implemented). The windows API simply calls the application, which then self-checks for updates, and notifies the update manager that it, does/doesn't have updates... and upon user selection, or classification runs the updates via the update manager.
It doesn't need to be tight integration, just an API with rules for the various apps to follow. MS *COULD* have done that back in the mid-late 90's.
Michael J. Ryan - tracker1.info
Or you can just run Debian....
It's the Stay-Puft Marshmallow Man.
They arleady solved it with Windows 7. RTFA as if you ran that and were up to date you were secure and immune.
Yes some XP software is incompatible because of the reasons you cited. I hate being admin to run Star Wars The Old Republic and even had a hack to run a standard user that Bioware disabled. But that is a good thing for the security of the OS with that annoying UAC as it is unacceptable in the enterprise.
Sadly some accountants have become CIOs and the reason conflicker rained was because of using unpatched versions of XP and IE 6 and 7. It is because such crappy and terrible insecure architecture was needed for their old apps.
DRM has nothing to do with security but the UAC prompt is there because MS is trying to limit the damage apps can do by limiting access to it. That is a good thing.
Couldn't resist patting yourself on the back long enough to read the rest of the comment?
what about in the field or where you may not have a good remote link.
I just set my sudo password in Ubuntu to 'password' without so much as a warning. Seems to me like such malware would be trivial.
lol.
"Show me the examples! And no, the examples that I can think of don't count!!"
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Maybe if the IT departmentd did just that they wouldn't get infected.
Stay with XP and IE 6 and obsolete versions of Symantic to save money and you are asking for trouble. CIOs and accountants forget this at work and only look at GAAP rules for what is a cost center and a profit center and what looks nice in Excel to show a cost. This article shows the hidden costs. Most businesses are moving to Windows 7 this year thank God.
http://saveie6.com/
You hit the nail there.
ASLR and the other OS protections are untouched because most corporations still use XP and a 10 year old kernel. The reason most software doesn't use these things and tap into them is because they wont run on XP. Corporations wont leave XP because software doesn't use things and tap into them. Cost savings are on top of this.
This is a great reason to upgrade to Windows 7 and keep your systems patched. This was totaly preventable and IT departments got what they deserved for their short sightedness on only cost savings.
http://saveie6.com/
Isn't Conficker a Windows-only issue?
If so, wouldn't the obvious one basic security step be to stop using Windows?
Just sayin'...
It must have been something you assimilated. . . .
http://it.slashdot.org/comments.pl?sid=1159209&cid=27178753
Not that what MS says wouldn't!
It helps too.
(It ALL helps: "Layered-Security"-"Defense-In-Depth" is the best thing we've got going today vs. this nuttiness of outbreaks of malware-in-general galore...)
APK
P.S.=> At home especially, if you're not connected to a LAN/WAN? Hey: Then you've "got it made" & especially vs. CONFICKER!
(That's possible since cutting the server service does the job almost ALL by itself (along with cutting javascript & ACL + write protecting autorun.inf files))... apk
It doesn't even need a reboot for that. I have been using ksplice on my CentoOS servers for awhile now.
This, this, a thousand times this. If only I wasn't at work and unable to log in so I could mod you up.
It's like security companies see something happening, patch it, and go "yup, problem solved. Now I can go back to playing Minecraft for the rest of the day".
No. You just patched the lowest of the low hanging fruit. There's still plenty more kicking around up there... and odds are a lot of it is probably just as low, or lower but unnoticed earlier.
If your views are far right, or far left, the people in the centre tend to think you're opinions are far removed from reality. On a daily basis I work on mac, linux, ios, droid, PS3, Wii, 360, and yes, windows (and have worked on many by-gone platforms of old too). Some of those platforms are truly awful, but there is not a single one that I consider to be perfect. As a developer I don't really care which I work on. Some days I use windows, some days I use linux, some days I use a mac. I really couldn't give a shit to be honest. I'm competent enough to avoid idiotic user errors. All my OSes are kept patched and up to date, I don't go installing any old shite off the internet, and as a result, I haven't been affected by a virus on any platform, for many many years.
The problems you attribute to windows are ridiculous frankly. If you want to experience the truly terrible, go get a lung full of the smell emanating from android. Go drown in the pit of despair that is the PS3 devkit. Go bang your head against the rather obtuse tools that come with the Wii. Once you've started to appreciate how computing on the other side of the fence looks, you'll realise that windows isn't the worst thing out there.
I modded you as a troll. Your opinions are pure superstition. Your opinions do not match the reality I see on a daily basis. You are a jumped up IT technician, working in a university, and your opinions have been coloured by cleaning the laptops of clueless students every day for the last 10 years.
That last part is a guess, but the only people I've ever met that share your opinions, tend to be people who are forced to support a myriad of porn watching clueless idiots (aka students). If you moved all those users to linux, I can assure you nothing would change. It's remarkable how many people will hand over their root password in exchange for a picture of lady gaga's snatch, and strangely enough, that was the point of the article.....
I just use a spectrum 48K. I haven't had a virus for almost 20 years now.
So how in the hell do you explain updates that require 2 or 3 reboots in succession? What the fuck is with that?!? I'm sorry, here I am doing shit, and some update happens in the background and asks me to reboot. Fine, whatever, I quickly finish what I was doing, and reboot. God help that program if it's one of the ones that automatically shuts down and reboots. Unless it's absolutely vital, it will find itself quickly uninstalled and boycotted from that point on.
So I shut down the computer and wait for it to boot up. On a somewhat older machine, this is not a particularly fast process. Sure, it's only 5 minutes or so, but that 5 minutes is really fricking annoying when I'm in a rush, need to do things, and am stuck staring at the wall while the computer ever so slowly loads itself to the desktop (and this is AFTER I've gutted all that I can from msconfig).
After it boots up, it immediately says it's updating AGAIN... because clearly that update needed an update... which takes god knows how long, and reboots AGAIN! And I've encountered one time where it decided to go for a round 3 after that.
Please explain to me why this is necessary. Why it's infeasible or impossible to just do all the fucking core system updates needed and THEN reboot to have them running.
The alternative explanation: You use an OS twice a year, attempt to speak with authority about it, and yet my 73 year old mother solved the problem in less than five minutes? (I was actually quite proud that she finally learnt how to use google!). Hand in your geek card, my mother has taken your place at the table.....
I use Linux, but you sound like a troll to me too. You claim you only use Windows twice a year, and yet you complain about the number of updates that are supposedly forced on you?
We hope your rules and wisdom choke you / Now we are one in everlasting peace
Do you not sleep, or do you just like wasting electricity? Turn off windows updates, and you can keep it running for as long as you like.
Keeping your computer on 24/7 is not a badge of honour my friend....
That's why the correct question is, "Why is it that things are always in the last place I *think* of to look?" Critical difference. ;-)
Wow. Having read your continued bullshit over the last few minutes, each reply from you features a different dick in your ass. You've moved the goalposts three times in this chain alone.
How long ago was that? I just installed Ubuntu for the first time in years (Normally use Debian) and it told me my password strength.
Right. Windows updates and reboots every time I use it, because I use it rarely. And with that kind of crap I am highly unlikely to increase my Windows usage. I feel genuinely sorry for the unlucky folks who do not have the option.
When all you have is a hammer, every problem starts to look like a thumb.
The 6 rules of enlightenment on the way to an informative-mod:
...
1. Always refer to microsoft as M$ - It makes you look witty and clever!
2. Try removing vowels, punctuation, and grammar from your posts - they only serve to confuse your message!
3. ALWAYS SPEAK IN CAPITAL LETTERS - it imbues your posts with an air of informed wisdom.
4. Always end numerical lists with:
5.
6. PROFIT!
I have to use Windows regularly and I can tell you I don't have the problem you do. Disabling automatic updates is trivial, in fact I'm pretty sure the option is stuck right in your face when you first setup windows so you can't miss it. It's really your own fault if you left it on.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
"For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?
Ubuntu manages to do this through Synaptic and Update Manager
AccountKiller
If you haven't restarted your session, you haven't fixed the vulnerability. Your false sense of security is probably exactly why MS & Apple force a reboot.
Yes, monolithic LAMP servers are nice and simple: update Apache, restart, done. However, there's no *nix magic which saves you with complex library dependancies, background tasks, etc.
There are perfectly legitimate, but poorly designed, applications that do this too.
You do see some people, usually sysadmins on larger systems, that will flat out refuse to install anything that does this. However that requires training, discipline, and backbone. Not to mention a managerial structure that will not override such people.
As you say, there are millions of people who do not have any kind of functional radar warning system for dangerous activities.
I had a manager once who set his password to ch0pper... that's wood-related brit slang.
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
I use Windows maybe twice a year and I am not going spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.
That comment could only be a troll in the mind of a Microsoft Spinbot.
Forget the instructions at the link. If it takes him hours for four clicks, make a selection, and then one final click I don't think being considered a troll is his biggest problem.
1) Start.
2) Run.
3) sc stop wuauserv
4) And now Windows stops bugging me to restart my computer when I'm trying to read my webcomics.
(Of course, I install the update at a later time, but some of the "idiot-proofing" has made things a major pain in the ass for people who know what they're doing sometimes, such as the lack of easy customization in certain programs.)
1. Click Start
2. Click Control Panel
3. Click System and Security
4. Click Turn Automatic Updating On or Off
5. Select "Never Check for Updates (not recommended)
6. Click OK
I thought mine was going to be easier, but seeing the two together I like yours better.
getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.
Linux/Unix have a well established culture and plenty of infrastructure to support the concept of strong password protection. Unlike Windows.
u mad? I agree my mom (and probably most of the people at Costco buying PCs) don't have a concept of strong password protection. If I put her on Linux/Unix how does that change?
Easy. Refuse to write anything to the system areas while not in some sort of maintenance mode. Stupid games will fail. There will be much wailing and gnashing of teeth... but my god, it should have been that way since day one (of ANY operating system). Seriously folks, this is a basic step in trustworthy (not trusted (TM)) computing.
strike
If you haven't restarted your session, you haven't fixed the vulnerability.
True. You will be fixed when you restart, though. I do the updates, and then, periodically, when it is safe to do so, restart daemons that have been updated. That is the point where I'm running with the fix, not merely updating the code. It's not instantly, but it does allow me to update the code even under load and defer the outage to a less sensitive time.
Reloading the desktop? That's more work as then I have to close down everything except the daemons. More of a headache. But still no reboot.
Your false sense of security is probably exactly why MS & Apple force a reboot.
No. MS forces a reboot for historical (hysterical?) reasons: they could not update files that are "in-use" because FAT, FAT32, and early versions of NTFS couldn't handle hardlinks the way that unix filesystems do. (NTFS probably could, but NT didn't use it.) Files that were "in-use" could only be updated during the reboot before they were first loaded. There was no way to get the updated code without the reboot.
Apple probably forces a reboot because their users used to use Windows where it was expected, and because it's far easier to document "reboot" than how to figure out which processes need restarting and how to restart them (safely).
This might have been true at one time, but it's not anymore. You can download a Windows 7 ISO and install it and it'll activate and be indistinguishable from a boxed copy with a legitimate license.
If you build it, nerds will come. Soylentnews.org
Those are all flaws in 3rd party add-ons, or the default browser, Safari. Pwn2Own just proves that using the default browser on a platform with scripting enabled is unsafe regardless of platform. You shouldn't use IE on Windows, you shouldn't use Safari on OS X (at least without scripting disabled). So don't do that, and all the tricks used at Pwn2Own on the Macs will be rendered ineffective.
If you build it, nerds will come. Soylentnews.org
There were certainly some that were worse. SGI shipping all boxes with hosts.equiv set to '+' for a while. There was a period in the 90's when an awful lot of the big name Unices (IRIX/Solaris/HP-UX) had some huge gaping holes that shouldn't never been there (passwordless accounts like lp, broken uucp installations). There were also numerous services like rpc.mountd that were perennial favorites for zero day buffer overruns.
Granted that was a long time ago and modern BSD/Linux distros are much more secure by default and even more secure through proper installation but the argument then was it was no big deal, just fix them at install time unless you were a clueless git. For windows it's the same deal just a much larger set of gits.
I'd consider technet.microsof.com to be untrusted. Hackers love to take advantage of URL typos to post fake sites. This is just one more thing that users need to be aware of. Some DNS servers will auto-correct a mis-typed URL (by redirecting to the correct one), but until this practice is standardized, this will be a problem.
for say a sheared admin...
Is that what you get when you shave off his beard?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
The system is still at fault (particularly badly with Windows, but still a long way from the optimum with Unix). It shouldn't say "This application is requesting administrator privileges.". It should say "This application wants to be runnable by all people who use this computer." or "This application wants to steal your banking password and send it to Nigeria.", depending on what the application is trying to do.
Mobile phone OSes are actually doing better at this than desktop OSes: they tell you whether the application is going to use your GPS, access your contact list, etc. Though they still need a "deny" option (or, rather, "allow access to a fake contact list so the application will run normally without harvesting my info").
i made a typo and you're a fuckwad.
Have a nice day.
--
BMO
Your story is a pile of bullshit. Windows' auto update software has always asked you to click a button before rebooting. If you don't click the button, you don't reboot and you continue on with what you're doing.
Not to mention that they allege this was the case six months ago. Curious--albeit not enough to RTFA--as to why they sat on such a golden nugget of PR for so long. My inner cynic is tempted to envision this:
Hrm... Okay, next security vulnerability. This one was submitted 2011/09/29.
(several minutes of analysis pass)
Hey! We fixed this one already. Hey boss! Come here! I GOT ONE!!!
Mom says my
> True. You will be fixed when you restart, though.
Do Linux users generally understand this? nschubach didn't seem to. He just brags that Linux doesn't bother him about restarting his (vulnerable) software.
> Apple probably forces a reboot because ... it's far easier to document "reboot" than how to figure out which processes need restarting and how to restart them
Exactly my point! :) It's far easier to let the init scripts do this job than invent some other mechanism. In fact, with complex desktop software it is nearly impossible to figure out the dependency chains and restart mechanisms. Maybe Apple isn't stupider than Debian after all.
But on some level I think Linux users just love to generalize their simpleton LAMP server and pretend those experiences apply to the desktop.
Uhhuh. Great idea, if you want to have a "new coke" OS. Let's play the scenario, shall we?
Let's imagine for a moment that MS pushes Win8 with these ideas in place. You can only make changes to the system in some kind of "safe mode" where you can't run any consumer software.
Cue the reviews that talk about incompatibilities and how 90% of legacy software won't run. People who care not about security but about a system that "works the way they want" (read: 99.9% of the customer base of MS) will avoid the system like the plague. The blame will not fall on the makers of games that broke standards, MS will be blamed because hey, it worked in Win7, so it has to be MS' fault that it doesn't in Win8.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm not aware of the way phone apps work, but I don't really see a sensible way to identify the plans of a PE file just by looking at it without running it. There is simply no telling what is going to happen before the system requests the rights by calling the relevant API functions. The way this could be done is by blocking the program when it tries to access some sensitive system areas (install a driver, launch another program, write to sensitive parts of the registry...), but that opens a completely different can of worms, especially with legacy programs that don't really expect to be blocked.
To be fair, it is easier for phone OSs to do that. They were developed after security became an issue.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes, yes they do.
But your original request to get rid of Windows will move these users over to Linux (provided you can "force" them to abandon Windows, which is highly unlikely to succeed since they do NOT have "the Linux culture", and hence the understanding of the importance of security and how it is more important than ease of operation). And then you have the user problem over in Linux.
Changing the system does not change anything. People would have to change.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yeah, because if I don't reboot on Tuesday at the exact moment the updates are complete instead of Friday the world will collapse in on my system and it will all come to an end!
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
And not following any of my recomendations. It keeps me employed.
Apparently, someone has no idea how to use Windows. (And you guys want everyone to *learn* Linux?)
Oblivion Awaits
If a scheduled restart causes you any problems, your system architecture is broken.
educating you is no one elses job. it is not microsofts job to make sure you dont ruin your fucking data through failure to understand the tools you're using.
take some personal responsibility for your actions or put yourself out of our misery.
To me this Conflickr virus was the new blaster. Microsoft patched this vulnerability long before the virus hit the problem is a lot of IT professionals and home users do not realize the important of patching and a good anti-virus.
http://thetechnologygeek.org/
This is just a temp fix - it kills the Update service for just that session. (You can restart it, stop it, change settings, etc. via Control Panel > Administrative Tools > Services). If you want to kill the service permanently you would do it via this menu.
Random Thoughts From A Diseased Mind (Not For Dummies)
... you don't have to care about users getting upset when you blame THEM!
Currently re-reading Alan Cooper's The Inmates Are Running The Asylum, so the blame the users apologist stance seems especially unsteady right now.
getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.
Linux/Unix have a well established culture and plenty of infrastructure to support the concept of strong password protection. Unlike Windows.
Does that mean members of the Linux/Unix community use stupid and easy to guess passwords on websites? We've seen that most people do, so I'm just trying to determine if the strong password protection is due to the operating system or due to the actual user.
The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.
Rebooting is obsolete.
http://www.ksplice.com/
Are you trying to prove his point here? :)
>didn't read a goddamned thing I wrote
>put myself out of your misery
Get fucked. Don't like me? Login, set your foes setting to -6 and never see me again. It's that simple. It seems to me that your inability to perform this simple operation means that you are mentally deficient.
--
BMO
Look up the Pwn2Own contests. They're specifically designed to remove both the economic advantage of targeting the widely-used platform, and the issues of patching frequency and amount of vulnerable third-party software.
Apple typically does worse than Microsoft, who in turn are behind "Linux" (typically Ubuntu, which consists of software written by a wide range of groups).
There's no place I could be, since I've found Serenity...
That's why my passwords are all set to 012345. That's way more secure.
cry more
Yeah, because if I don't reboot on Tuesday at the exact moment the updates are complete instead of Friday the world will collapse in on my system and it will all come to an end!
Well...it's good of you to admit it. ;)
1. Click Start 2. Click Control Panel 3. Click System and Security 4. Click Turn Automatic Updating On or Off 5. Select "Never Check for Updates (not recommended) 6. Click OK
1. Click Start
2. Click Run
3. Type 'cmd'
4. Click OK
5. Type 'ls'
6. Notice error message saying something about an invalid command
7. What the fuck? Who secretly replaced my Linux box with Windows?!?
Do you not sleep, or do you just like wasting electricity? Turn off windows updates, and you can keep it running for as long as you like. Keeping your computer on 24/7 is not a badge of honour my friend....
Yeah--I love it when the internet shuts down in the evening at 8 PM (9 PM Central) when all the engineers go home for the evening and decide to stop 'wasting electricity'.
There's no place like
You claim that popularity is the significant factor for insecurity yet at the same time most popular OS in existence is the secure one? At least keep your incompatible trolling separated by a few posts or something.
""Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism." - http://en.wikipedia.org/wiki/Conficker. Nice try." - by Anonymous Coward on Friday April 27, @05:16PM (#39826583)
Big deal, autorun is disabled by default in Windows from the end of 2009 onwards & MS update makes sure this is so in fact... it's been that way since long ago:
http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123
---
PERTINENT QUOTE/EXCERPT:
"Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections
By Dancho Danchev | February 10, 2011, 6:54am PST
Summary: Microsoft has decided to disable the AutoRun feature on Windows XP. The âoenon-security updateâ doesnâ(TM)t affect shiny mediaâ such as CDs or DVDs that contain Autorun files."
---
(Even Linux does that, and they were 'bitten" by that mistake later too... )
* The new variants may overcome a couple things like autorun.inf, but I covered that too, as well as the service service & shares + more...
Read closer next time fool!
APK
P.S.=> You also must have missed the part where I noted ACL protecting the autorun.inf file as well (dumb of you there too)... apk
http://linux.slashdot.org/story/11/02/07/1742246/USB-Autorun-Attacks-Against-Linux
Thus, you see, even LINUX had hassles with AutoRun, & AFTER Windows fixed them, per the link below...
Also, a slight "amendment" to my initial words per this article:
http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123
Windows has had autorun disabled since before the date of that article (not 2009 as I stated, my bad, but correcting NOW vs. nitpicker "Cardinal Richelieu" AC stalker harasser trolls I have here on /.)
APK
P.S.=> Plus, of course, my points on what to do with the server service, shares, OR autorun.inf itself... apk