MS fixes many of its flaws for free (you cannot deny this).
I never denied it, but I also do not applaud them for it anymore than I would applaud an auto manufacturer for recalling faulty cars. It is just what you are supposed to do, it is expected.
In fact any known security holes it works on and releases. Maybe not as fast as some would hope, but it does it.
Possibly, I am still waiting on a few from 3 years ago, but whatever. I'd also be impressed if they could stop introducing new ones. Perhaps with some actual testing that emphasises security rather than marketing priorities. Some of the brightest people in computing work at MS, but I'll bet it was not them who made such decisions as Outlook Express executing email attachments without any user action required a few years back, or an RPC listener that could not be turned off and had to listen on every interface. Let us not forget who invented the concept of executable email, word processor documents, and spreadsheets. And don't get me started on ActiveX.
So no, they did not actually write the viruses, but they sure created a nice environment for viruses and other exploit code to run easily. I would be more tickled if they abandoned the idea of marketing antivirus and antispyware tools and instead tried making their OS more secure. I seem to remember that was supposed to be their priority a year or so ago and frankly it has not been all that impressive.
And I am frankly a bit concerned with the idea of MS profiting from these vulnerabilities. I would hope that this would not impact their zeal for making security a number one priority, but then we are not dealing with a company that has the best ethical track record either.
Finkployd
So when there was a vulnerability in the RPC endpoint mapper on port 135, what did you do? Did you use your reading skillz to learn how to shut off that listener? (hint: you could not) Or did you just apply the standard windows fix of putting it behind a firewall running a real OS until MS got around to fixing it. Are you aware of a service on any other OS that has to be running, and has to be listening on every interface or the machine will automatically reboot? No, because that is a royally stupid idea and leads to a potential security problem that you (the administrator) cannot fix.
Face it, there have been cases where no matter how much mad reading skillz you have, you could not completely secure windows. Only recently have they shipped the OS (2003) so that it did not have every service running by default upon installing it.
Finkployd
It sucks because it is inaccurate? or it sucks because you cannot defend against the point it makes?
I'm thinking the latter, but feel free to come up with a different analogy.
I'm sure there are plenty that deal with the basic concept of Company A selling a shoddy product to Customer B that Bad Guy C takes advantage of. Then Company A tries to sell Customer B something additional to protect against the flaws in what they originally sold.
Finkployd
While what you have said is correct, one thing that you have not addressed is that, for some virus writers, getting their spooge to spread as far and as wide as possible is the goal.
I'd venture to guess this is the goal of most virus writers. My only point is that it is certainly possible for an OS to be both popular and secure, even with the added scrutiny. Totally secure? Of course not but proper response to security vulnerabilities would help the situation as well. Microsoft is practically a case study on how NOT to deal with vulnerabilities given their history of patches that break things, introduce additional vulnerabilities, fail to actually fix the problem in the first place, require registry editing to install (SQL Slammer), etc. Not to mention the fact that there are nearly 20 known unresolved vulnerabilities in IE alone, some from back in 2003.
It wouldn't take much for ANY OS to do better than this, even given added market share. Perhaps someday we will get to find out.
Finkployd
You are right, if I build a house for you that has a ton of literal backdoors and vulnerabilities, and someone robs you blind, it is still the fault of the robber.
I'm willing to bet you would be mad at me though. And offering to fix the problem by selling you an expensive security system would probably not make you feel any better.
Finkployd
One of the recent successful viruses (I refuse to use the term virii)
Thank you
required the user to extract the virus from the attached password protected zip file using the password supplied in the email, and run it.
Wouldn't that be a trojan then? I don't blame MS for its users doing dumb stuff like that (although they sure do make it easy for users to do stupid things), they have enough security problems that do not require the user to actively cause the problem.
Finkployd
You're right. After all, Linux has had more security problems in the past few years than Windows, so obviously that can't be the case.
Who asked you to bring Linux into this discussion? What does this have to do with a Unix clone?
And Linux most certainly has not had more security vulnerabilities in the past few years than Windows, unless you are lumping every single piece of OSS software that is distributed with some distributions as "Linux".
Sendmail, gaim, awstats, bind, and tuxracer are not Linux.
Let's see you protect clueless users from themselves.
Since we are bringing up irrelevant OSes into this conversation, OSX does a pretty good job of this.
Finkployd
If MS Windows were not the dominant OS on desktop PCs, would it be as big of a target for virus writers?
Absolutely not, your logic holds up just fine so far...
Let's suppose that the Mac had made it big and held 70% of the market (work with me, here). It stands to reason that there would be a whole lot more Mac exploits, as it would be a bigger target and under the microscope a lot more.
And here it fails. It most certainly does NOT stand to reason. The only way this would be logically true is if all things other than popularity were equal. If OSX is less secure and even more poorly designed than Windows, it would have even more exploits than Windows at the same popularity level. If it is more secure and better designed then it will have less, even at that same popularity level.
Popularity is not the cause of security vulnerabilities, shoddy programming is. If software is not popular, you can get away with it not causing many problems because it is a small target (literally security by obscurity). But if it is popular, then poor programming will become evident and it will be a security problem.
It is entirely possible (likely, from what I have seen) that if OSX were put under the microscope with 70% market share, it would still perform much better than Windows.
And of course, Apache has vastly more market share than IIS (and always has), yet IIS is the security nightmare.
Finkployd
Have you ever actually looked into TCPA? What about it makes you think you cannot run any code you want?
Finkployd
Popularity does not lead to viruses, shoddy programming does. It is an Achilles heel they created themselves. Now there is even LESS incentive for them to clean up their abysmal security, since they are making money off of it.
Finkployd
Well then jackass perhaps you shoudl expect the saem from others.
or wait, since it is MS are they held to an unachievable standerd.
You are a joke.
And your spelling sucks.
You know what, NOTHING is inherently secure. However when you are making software for the masses (you know, like Microsoft does) it is inexcusable to HAVE a way to make it secure, but not ship it that way. There is no such operating system as Linux, that is a kernel. Perhaps you are talking about Fedora, or Ubuntu, or something like that.
A default install of Fedora Linux, OSX, or Ubuntu is much more secure than a default install of Windows (perhaps not XP SP 2, they did finally do some things right with that one). They are basically locked down by default. However, comparing operating systems to web browsers is kind of silly anyway. So compare Opera or Firefox against IE. What is more secure by default? THAT is my point.
Finkployd
Obtuse, well you sir are a festisio. See I can make up words too :P
My point is that from a user's perspective, it is completely irrelevant when Microsoft claims to have fixed the problem, all that matters is when they release the fix. They can claim they fixed it quickly and had to wait for the arbitrary release date, or they can claim they fixed it a year ago. None of that matters one bit. For whatever reason, their history of timely releases simply sucks. They can excuse it however they want.
Finkployd
The limiting factor in this technology is battery power. I have vastly different levels of concern for battery life on my cell phone vs my music player. Keeping them separate means I will use my music player a lot more, if I kill the battery, no big deal. If it is tied to my cell phone I will be much less eager to use it and risk killing the battery of something important.
Finkployd
Jesus fucking christ, what more do you want?
Perhaps for it to come this way by default? Should every computer user assume that every piece of software they touch is insecure by default and needs to be investigated and tweaked to be secure? Would it not make more sense to ship it with this setting?
And yes jackass, mucking about with the control panel is obscure to many computer users. I'm sure you wrote your own OS and applications with nothing more than a magnet and some hard disk platters, but not everyone is as smart as you. You would think Microsoft would have figured that out by now.
Finkployd
Some twit just wrote a blurb at apple. If it was anyone with any technical sense, they'd know that it was Objective C. C++ IS an objective language. Objective C is the abortion of a language that Apple uses all over the place.
C++ IS an objective language, and Objective C is the abortion?
Can I buy some pot from you?
Finkployd
To reinstall it's put the restore CD in the drive and boot. Normally that will load up the correct 3rd party drivers as the PC manufacturer has put those into the restore process.
Yeesh, not with Dell laptops. Installing the Windows XP I got with mine still required I load a separate driver disk and manually install about 10 different drivers. Granted it was still pretty simple, but it required about 6 reboots, not counting the Windows Update reboots.
In contrast, I tossed an Ubuntu Linux CD in and it installed itself, all necessary drivers, and configured all the hardware without my help. There is no reason why this cannot become the standard for Linux installs, and to an extent, it has. It has been a while that I have had any problems with Redhat or Fedora not recognising everything I have and setting the machine up accordingly.
Finkployd
Love or hate Microsoft, it's not going away.
If there is only one thing to learn from corporate, no, world history it is this: Nobody stays on top forever.
Is Linux going to wipe Windows off the desktop, probably not in the next few years but who knows. I never thought Firefox would do what it did either. And who predicted Apple making their comeback? Little chips off of the Microsoft stranglehold on the PC industry, but with enough they will fall.
Finkployd
Bullshit. Microsoft fixes a lot of problems quickly but the monthly release schedule that they have moved to means that you'll only get those patches every four weeks unless it's critical.
Oh yeah, well Firefox fixes problems BEFORE THEY EVEN HAPPEN. Of course, due to their policy of not violating the flow of space time they are forced to wait a few days to release the fixes.
See how convincing that argument sounds?
Finkployd
All I had to do was set ActiveX to always prompt, set the security and privacy to high, refuse cookies (not needed but I hate them) and I have never had a piece of spyware on my system.
That's all you had to do? It sounds so easy, intuitive even. I mean the first thing anyone using a computer instinctively knows is that they have to master every obscure setting and learn which ones to change.
All this "IE is the Sux04rz" talk makes it very apparent that the people getting infected either have no clue about how to configure a secure computer, or have no scruples on what they click "OK" to.
Or perhaps they are in the 99% of computer users who do not dig through every config option and research the implications of each to tune their system so that it is usable to browse the web. (I am, but most aren't).
I agree many computer users are frighteningly stupid, but not in this way. I get irritated when things like common sense go out the door when a computer is involved (people who fall for too good to be true email scams and such). However what you described is not by any stretch of the imagination common sense.
Rather than go through all the trouble you described, it is much easier for me to install firefox on friend's and family's PCs and alert them when to update it. Heck, most of them are thrilled with the features like pop up blocking and tabs anyway so for them it is a win win situation.
Finkployd
Riders in the Senate happen all the time. This is neither novel nor shocking.
The fact that you do not find this shocking shows just how perverted the lawmaking process has become. We not only accept it, we expect it.
Finkployd
What makes you think building such devices is at all difficult? :)
Finkployd
Seems to me (in the two episodes I have seen) they primarily just used complex equations to develop probabilities. I didn't see much in the way of specific predictions. We do the same thing in wilderness search and rescue to calculate which areas are most likely to have the lost subject by taking into account the subject's profile, terrain, and about 20 other variables and then search based on those probabilities.
Finkployd
So Sun claimed it would ship in July, it is currently May. Where is this secrecy you speak of?
Finkployd
Ok, that makes sense. I wonder where the anecdotal evidence of people getting pushed backwards comes from though? Possibly the shock of being shot causes them to spring backwards I guess.
Finkployd
All that may be true, but at least I'm not a dick. Hope you enjoy it.
Finkployd