Being a security specialist, I can see how this would alarm you, but I think it's not so bad. There have been numerous 0-day IE exploits before and the world hasn't ended.
First of all, this worm requires SOME form of user interaction...they either must go to a website that uses it, or be chatting on a specific IM app and get a malicious message. Second of all, due to the fact that 95% (yes, I pulled that stat out of my ass but I'm sure it's close) of Windows users run as admin, these exploits all assume admin privs and thus fall flat on their face if run by a non-admin user.
In a corporate setting users will normally (I HOPE) not be running as admin, which would effectively kill most if not all of the worms due to the fact that they assume admin rights, and AV apps are fully capable of detecting and blocking the actions of this exploit if they do get through.
There will be a patch soon, we will all apply it to our corporate networks and the world will continue to spin.
"Take out IE and crap from the kernel. There is no excuse for a virus running as an image with SYSTEM authority. None."
Not sure what propaganda you are reading, but IE is not in the kernel and the vulnerability in this story does not lead to an escalation of privileges. If a regular user gets hit with this exploit, the exploit code only gets the rights of the user.
"Default user setting is very limited. Right now windows doesn't even warn you (SP2) if you put a blank password as administrator. W-T-F?"
I agree, but by default, accounts in XP with blank passwords cannot be used to connect to the machine remotely. This doesn't solve the problem of exploit code listing the local users and trying to log on as them with blank passwords, and therefore escalating privileges. But IMO, even if everyone ran as a regular user, the malware problems in Windows would not decrease one bit, because malware authors simply would write their wares to install and run in the local user's space.
Just wait. Vista will ship soon with all accounts being restricted by default and everyone will think it's going to solve the virus problem. The only thing it will do is make the viruses easier to clean up.
"It requires write permissions to a CD burner drive, or a set[ug]id cdrecord to a user or group with write permissions to a CD burner drive."
I know full well what is required to burn CDs in UNIX. I've gone through the hair-pulling getting it working in FreeBSD. In my experience, you have to do both - set suid on cdrecord and the other utilities and set the permissions on the cd devices. And you can paint it any way you want, but set[ug]id is the equivalent of root, when it comes to the binary in question.
I don't use Linux, but Google tells me the same is required for it.
Technically, full Administrator rights are not required to burn CDs in Windows either. The proper permissions can be handed down to regular users. I just haven't bothered to do it in Windows, because I do most of my burning from BSD.
"Internet Explorer runs active X which runs with system wide permissions."
You are confused. In order to install ActiveX controls you must have admin privileges. So, if you can install an ActiveX control, then that ActiveX control will naturally run for the first time with...admin privileges. All of the ActiveX exploits for IE in the past have not worked unless the victim was running as admin.
"Using Firefox/Opera and a third party firewall can stop ~60% of Windows security issues. Just by killing ActiveX."
Or you could just not run as an admin and accomplish the same thing.
"That's the truth behind MSFT security. As for market share, Apache doesn't run well on windows and has more than 60% of the server marketshare. Yet IIS is the most attacked and most flawed server."
According to the one website which records website defacement statistics, you are wrong.
But, hey...let's not let facts get in the way of good propaganda!
"Most Windows users run with the permissions of "Administrator". Otherwise their programs don't work."
Not really. I've been running as a regular user on my Windows machines for a long time. Right now, there are only two programs I have installed that didn't run as a regular user properly when installed. One of them is CD burning (which by the way requires root privs on UNIX too), and the other is a badly programmed game which keeps its settings in the Program Files folder.
"Well if you run a real OS, then the browser runs only with the permissions of a particular user"
Internet Explorer does run with the permissions of the user.
"Windows which has some security is designed to bypass that security to give users an edge."
WTF are you talking about?
"Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of windows viruses that showed up in the past 2 years alone."
That would prove nothing as Unix OSes don't have near the desktop marketshare of Windows, nor do they have the same type of userbase.
Your example reminds me of an experience I had about six years ago. I had just started my current job as a sysadmin and we had an entirely Windows network. The network had recently been converted over from Novell to NT4. Our "head sysadmin", who had already been there for two years and had certifications (MCSE, CNA, A+) coming out of his ass, was the only one of us with certs, and so he was the only one who had domain admin privileges. The rest of us had to get by calling him five times a day to have him do trivial things like join a machine to the domain. The problem was, "Mr. MCSE" really didn't know jack about how a Windows domain worked.
So one day, out of the blue, we start getting *TONS* of phone calls from people all over saying they can't log on to their computers. As I'm answering my phone assuring people that we were looking into the problem, I notice that I can't log in either. The department head comes in and says she can't log in either. So I log on my machine with a local account and verify that all of the servers are up and the network is working. It is. So I start poking around some more. I open up the "Network Neighborhood" and find that instead of eighty-plus computers, there are about ten. The ten computers were all of the servers, plus "Mr. MCSE's" workstation.
It turns out "Mr. MCSE" thought the Network Neighborhood was "cluttered" (he didn't like having to sort through all of the computers when browsing for the servers) so he decided to do some "housecleaning" - by deleting every computer account in the domain, except of course for the servers and his workstation.
We had to go out to every workstation and rejoin it to the domain.
I had read about Taiyo Yuden media and how great it was for a couple of years, but never saw any in the store so never bought any. After getting a DVD burner, and being repeatedly frustrated with store-bought media (all the brands sucked), I googled and bought some Taiyo Yuden DVD media online.
"What Express does not include when compared to SQL Server SE and above is Analysis Services, Reporting Services, Data Transformation Services, and Notification Services but some users would argue that these features are crippleware anyway."
Crippleware? What are the "some users" that argue this? The users that hate Microsoft? Also, DTS has been discontinued, and is not in any version of SQL Server 2005, so these guys obviously did not do their homework.
"There is no denying that SQL Server Express is the weakest of the databases in this group but..."
How exactly is there "no denying it"? Based on what is this claim made? Express isn't even designed for production use anyway...it's aimed at developers and enthusiasts/students who want to learn their products.
I'm using a postfix/Amavisd-new/SpamAssassin setup at work, which works well enough, and will be moving over to a new box soon. I was going to set it up from scratch because I want to move it from OpenBSD to FreeBSD. I'll have to give Exim a look. :)
"Problem is that infection after infection after infection seems to keep happening to the Windows users and they just put up with it. If they started switching to Mac or Linux - or even if some of them wanted to give other alternatives like OS/2 or something a try, or whatever. . . then MS would lose its marketshare and clean up its act"
Rule #1: Functionality trumps everything else.
Windows offers the most functionality. Not because it's designed better, but just because of how many people use it. As I said, people are naturally inclined to form monocultures. Perhaps that is an effect of humans' tendency to imitate each other? I have no doubt that if it wasn't Windows, it would be some other OS, and we'd all be discussing the virus problems with it today instead.
Occasionally I do side work on people's computers, and for the "problem people", the types who ALWAYS seem to screw up their computers, I always suggest they consider buying an Apple instead of a PC. I managed to convince one person, so don't accuse me of not trying to help! :)
Microsoft never claimed any of the Win9x series of OSes to be secure. They specifically said that if you wanted security in their products to use NT. There was no security model at all in the 9x series of OSes, so 'security' as we know it today was not possible.
It would be nice if everyone was so forward thinking, but hardly anyone is. With Windows 95, Microsoft got caught with their pants down in regards to the internet and security, as right around the time Windows 95 was released, internet usage started to explode. The first ever computer worm, "Morris", affected unix machines running sendmail, and it took down virtually every unix machine on the 'internet' back when it was accidentally released. The scenario that led to Morris was very similar to the one that led to all of the security problems with Windows. People just weren't very concerned about security back then and didn't see the potential security pitfalls that connecting a bunch of computers together could bring.
The comparison of the age of Windows and the age of Linux isn't very fair. Linux has been a 32 bit operating system since its birth in 1991 and its overall design (a unix type OS) has not changed. Windows started being a true 32 bit OS with NT 4.0 which was released around 94 I believe, and has absolutely nothing to do, in regards to its core design, with any of the Windows 9x versions. All of your experience with Windows is with the 9x series, whose sole purpose was to transition customers over from DOS-based OSes to NT-based OSes without breaking compatibility with legacy DOS programs. Obviously the transition was a rough one for many, for history has shown (read: Apple's transition from the Apple IIe to the Macintosh) that completely abandoning legacy technology and trying to force your customers straight into a new and improved technology without providing any legacy support is market suicide.
The reason XP was shipped making users admin by default was not because Microsoft didn't understand the security implications of it. It was a backwards compatibility issue. Windows had a massive amount of old software written for Windows 95 and 98 and breaking compatibility with them would be very very bad. Windows XP fully supports the installation of programs by regular users...*IF* the program is written with that in mind. When Microsoft shipped Windows 2000 and then XP, they tried to get Windows developers to start coding their programs with the security model in mind, but for the most part programmers ignored Microsoft's advice and continued to code their programs assuming that the end users would have admin rights.
"It wouldn't be too hard to make the OS tell you if the program's trying to change important system files, would it? "
No it's not hard at all. Windows has done it for ages by saying "access denied". All joking aside, Windows has had the capability of prompting you for admin rights when a properly written installer is launched under a non-admin account. The problem is developers don't write their installers properly to take advantage of this feature. I have the distinct feeling you're thinking of Mac OS X's ability to prompt for the admin password when users try to install something. The reason this works so well in Mac OS X is that it has a tiny amount of software available for it compared to Windows, and thus a much smaller pool of developers. Getting a group of developers to all do something is akin to herding cats. Apple's "herd" is a hundred times smaller than Microsoft's "herd".
"Sorry, but Google says otherwise. First item on the page - New Version of MyDoom Worm in Zero-Day Attack."
This is not what I was talking about when I said "worm". I'm talking about things that replicate without user input. Something that spreads via an Internet Explorer exploit requires the user to go to a specially crafted web page to get infected. It's still bad, but IE has a very long history of being repeatedly exploited, much like sendmail in the 80's.
There are a lot of banks that support multiple browsers. I know it's a PITA to switch banks, but if you feel compelled to do so, then at least you will have choices.
Unfortunately your scenario is the more likely one. Big banks are like that. Individual customers mean almost nothing to them. If a large bank lost every single customer that used a Mac, it would make no difference to them financially.
It sounds like the last Windows you ran was the Win9x series. To base all your arguments against Windows on a 7 year old version which didn't even *have* security is silly. That's like me saying desktop Linux sucks because when I tried Slackware 96 it took me an hour just to get my serial mouse to work, and even longer just to get the vesa driver to work with XFree86.
"Kinda made me mad that I had paid quite a bit of money for something that crashed more. The only thing I missed was the games."
Well now there are a few games that run on Linux. ;) Not exactly a huge selection, but they do exist.
"And if software can't protect you from viruses, then why do Windows users run antivirus suites? Surely securely-designed software must be useful for some level of protection."
Because all of the computer viruses target Windows. In a good security plan, anti-virus is a last line of defense. If you practice other more important security practices (good ole' common sense goes a long way) then your AV should never detect anything. Mine hasn't in years. If some other OS had the marketshare that Windows did, all of the computer viruses would be written for that OS, and everyone would still be running AV. Back when Macs had a 15% marketshare there were viruses for Mac and lots of Mac users ran antivirus. That's the only real comparison I can give you because in the history of home computing, those are the only two platforms that have ever had a sizeable amount of marketshare.
"Because Windows is meant so that even an idiot could use it, Therefore MS must expect that idiots WILL use it. Idiots don't know how to set up auto updates or that they should often check up on the latest security alerts. Microsoft should have it do their patches automagically."
There is a catch-22 here. I agree 100% that Windows should automatically update itself out of the box, but if it did, millions of people would bitch and moan about it. People want to have their cake and eat it too. They want their computer to be secure, but they want total control over their computer too. That means being able to choose whether or not they update it, and being able to run any untrusted code they want. Microsoft has found a middle ground by adding the 'security center' in XP that bugs you constantly if your auto updates is turned off, but you'll find that people even complain about *that*. You can't please EVERYBODY, but that's the thing Microsoft is forced to TRY to do...because EVERYBODY uses their operating system.
"But if it doesn't play without the rootkit, then how do you listen to it without installing the rootkit?"
I would return the CD to the store, and if they wouldn't give my money back I would sue Sony. If you read around I'm sure you've noticed that there are multiple lawsuits against Sony regarding this matter. The fact is tons of people run as admin in Windows because that's how Microsoft made it by default. Sony is evil for doing what they did and the blame lies on them, not the operating system that their "DRM" installs on. Let's say that Microsoft shipped XP back in 2001 and it created limited user accounts by default instead of admin accounts. Sony's CD would simply say "You must enter your administrator password to view the special feature on this CD", and you can bet that most people would blindly do it, not realizing (or caring about) the potential consequences.
"No vulnerabilities were exploited the day they were found out. Whoop de doo. Great. So they attacked an unfixed vulnerability from earlier. That's what you're saying. So what if they're attacked after the hole has been known a while? If that means no patch was released all this time, who cares?
Also, a simple Google search begs to differ. Right on the first page, what do I see? "Zero-day Microsoft Excel flaw for sale on eBay", "Zero-Day Exploit Targets IE", "Microsoft Promises to Quickly Solve a Zero-Day Vulnerability". . .
"So if malware authors are in it for the money, why don't they aim at the corporations with the big money?"
They do, and they succeed sometimes. Did you ever think that perhaps people target home Windows users because they are naive and are apt to fall for social engineering tricks?
"Contrary to what many seem to think here on/., I don't just pull things out of my ass. I do use actual statistics that I've heard of elsewhere. Windows does have more security holes, and hackers don't just hack Windows because of the money but also because there are plenty of tools on the 'Net for "script kiddies" to use."
No, you don't pull things out of your ass - You regurgitate propaganda that's been fed to you. That's even worse, because propaganda always has a partial truth to it and thus can easily be mistaken for fact. Just because some dude at linuxismygod.com told you so, doesn't make it so. Here's an exercise for you. Go to securityfocus.com or some other security site and compare the amount of vulnerabilities found in IIS6 vs the amount of vulnerabilities found in apache (version 1 or 2, take your pick) in the last two years. Then come back and tell me "Windows has more security holes". Or are you trying to compare just the Linux kernel with the entire Windows operating system?
"Right. Because I'm sure Grandma uses XML-RPC for her PHP server, AWStats, and Webhints on her DESKTOP Linux PC like all the other DESKTOP Linux users."
But they would use apps like Firefox and GAIM which from time to time have security flaws. You really missed the point when I made that comparison.
"When I used Windows, I ALWAYS installed all my patches, updated my software, ran regular spyware and virus checks. . . everything. And I still got spyware and viruses."
I'm sorry to hear that. That says more about you than it does about Windows. If Linux was the dominant OS, my bet is you would still get spyware and viruses. Operating systems can't protect you. They can only give you the tools to protect yourself. Right now, the obscurity of desktop Linux is protecting you. Since Linux will probably never gain much marketshare on the desktop, you should continue to be safe, so enjoy it.
"I've been using Linux for about 5 or 6 years now"
And judging by our conversation, you haven't learned a goddamn thing in all that time.
"(for a while I kept Windows just for games but now I'm all Linux)"
Yay for you! Would you like a medal? I used FreeBSD as my desktop for about eight months, but I got a TV tuner card that didn't work with it, so I switched back to Windows. *nix is now relegated to web serving and routing in my house. I don't carry an emotional attachment to operating systems, like some others. They are tools, some more useful for certain applications than others.
"and have been sitting back laughing when everyone else was worried about "Code Red""
Ahh yes, Code Red. That's that IIS worm that exploited a two-month-old vulnerability. FYI, there has NEVER been a Windows worm that exploited a zero day vulnerability. Every single one has exploited vulnerabilities that have already been patched. The worst was SQL Slammer. It exploited an eight-month-old vulnerability. How exactly is the success of these worms Windows' fault?
"And yet Windows users can't even listen to a music CD without worrying about root kits anymore."
Sure they can. They can use a non-admin account to listen to CDs.
Your posts perfectly illustrate your lack of understanding of exactly what computer security is. You think security is running software package (A) instead of software package (B) because software package (A) is better at protecting you. As I said above, software can't protect you.
"You're right, but any program that is run by a non-privileged user (without running su or sudo) can only affect the files and folders that can be modified by that user. Running a virus program as an unprivileged user will only infect that user's files - just delete the user's files, delete the account, create a new account, copy a backup of the user's files, and you're good to go. It might still be a pain in the ass, but it beats completely reformatting and then copying the backups to the user's folder."
So what? Malware nowadays doesn't try to delete data, it tries to steal information (hint: a user's files!) or use the computer's resources for things like DoS attacks or spam. root is not required for any of these things.
"If the program is not executed, then how can it take advantage of the buffer overflow vulnerabilities? The virus has to be executed before it can start messing things up."
I suggest you go and look up what a buffer overflow is and how they can lead to security breaches.
"Sure, if you're stupid enough to install a program from just anyone who e-mails you.
People this stupid are rare nowadays, even in the Windows crowd."
With all of the major publicity email worms have gotten over the past five or so years, you would think so wouldn't you? The unfortunate fact is, people this stupid are still in very high supply. Look at all of the successful email worms today for Windows like "Sober", and read up on how they propagate.
"Linux chat clients/e-mail clients/etc. don't have stupid "features" like MS' VBScript (which is what makes Outlook/Outlook Express so vulnerable) that makes them auto-execute code. And, like I said, a user-space infection is a fairly easy fix since it only affects that user's files - yeah, you still better hope you've got a backup"
You are living in the 90's dude. Outlook and Outlook Express are actually very secure email clients nowadays, and won't do shit by default. Outlook won't even render regular html email by default.
Regardless, features like these aren't needed. If the program accepts user input, it has the potential to be exploited. Again, go look up what a buffer overflow is and what they can do.
"but you don't have to reinstall like you do in Windows."
You also don't have to run as an administrator in Windows. I don't. Right now, I could download all of the viruses in the world and run them and they couldn't do shit to my Windows installation because the account I'm logged on as right now doesn't have the rights.
"Say I'm a hacker, right? And I notice a bug in some open-source code and I notice a bug in MS' new version of IE."
Okaaay.
"Now I'm a good person, but I don't have access to the IE code."
So, why don't you just *report* it to them?
"So I can fix the open-source code, but all I can do about IE (or any other MS product) is tell them and hope they'll fix it but many don't since MS doesn't see them as a problem."
So quit bitching and just tell them about it. If they sit on it, release a POC on the net after 45 days or so. This is a rather flawed argument anyway because it is based on the presumption that A) an open source project would WANT your fix, and B) open source dev teams never downplay vulnerabilities, and C) big corporations always downplay vulnerabilities. The same ego that leads big corporations like Microsoft and Oracle to downplay vulnerabilities leads OS developers to do the same thing. The Mozilla dev team has done it multiple times since the release of Firefox 1.0.
"The only way to get them to fix it would be to prove to them that it IS a problem. "
Then like I said, be nice and report it. If they ignore you, force them to act by releasing a POC on the net.
"Why?" [would linux become a target if everyone used it on the desktop]
Because malware authors today are in it for the money. There is a ton of money to be made on owned machines, and people's identities. Whether the dominant platform has a Window, a Penguin or an Apple for a mascot means nothing to the people who are out to make money.
"Do you really think that if "a bunch of ignorant people used Linux" we nerds would switch over to something else, just because the average user is now using Linux?"
Perhaps. If everyone's grandma started using Linux, it would become a haven for malware, and thus not as appealing as other good free OSs like FreeBSD or Solaris.
"There'd still be the same number (if not more) of contributors to Linux, so we'd still get problems fixed at the same speed or faster."
The speed at which problems get fixed is irrelevant when you throw ignorant users into the mix. Look at some weblogs, and you'll notice that a large percentage of Firefox users are still using version 1.05 or earlier, a version for which remote code execution exploit code was released a few days ago. What do you think would happen if 70-90% of web users used Firefox? Do you think adware distributors who are out to make money on ad revenue would not target Firefox users because it's an open source app? There are remote code execution exploits for earlier versions of Firefox too, and many users are still using 1.0. Firefox users are supposedly 'savvy' web users yet they continue to click around the net using extremely vulnerable versions. The fact is, many people don't update their software like they should because they simply don't know any better. A recent Linux worm is still out in the wild despite the fact that it exploits a couple of fairly old vulnerabilities and the worm itself is over a month old. I run awstats on one of my webservers and updated it at least a month before the worm came out, but it's pretty obvious that many other people didn't.
"And Windows is "in the crosshairs" (so to speak) because of its gaping security holes."
What "gaping security holes" are you speaking of? Do you mean the vulnerability, patched two months ago, that the newest Windows worm exploits? How exactly are worms like this for Linux any different? Windows is in the crosshairs because that's where the money is at.
"it seeks out random address and installs its self on unprotected systems, this could not happen on a *nix system, unless the person was running as root, on the Internet, reading email, randomly clicks ok to a package manager (even if they are not running it), or misses the big slowdown as software is compiled. So While you could make a keylogger for Linux... it would be really hard to get anyone to install it... even if it did say it could grab porn from the net.. too may steps for most to bother.."
Huh? Root is not required on Linux to run executables or connect out to the Internet, and software does not have to be compiled to run in Linux. If all of that was true, Linux wouldn't be a very appealing choice for a desktop system. A standard ELF binary that relies on vanilla, or no, libraries, or a simple shell script, will run on 99% of Linux systems (and a large chunk of BSD systems) out there. All that is required is a large number of users and a vulnerability in a common application or daemon. Buffer overflow vulnerabilities take care of the 'files not executing by default' problem in Linux. Once a buffer overflow vulnerability is exploited, a binary can be dropped onto the system and it can set itself to run, in the user's crontab, in the ~/.kde/start folder, or wherever. Also, you should never underestimate the stupidity of computer newbies. If Linux had the same number of naive users as Windows, mass email worms where executables are contained inside of archives would be able to propagate.
The malware could easily run under the user's permissions and connect out to random addresses trying to infect other hosts, connect to IRC servers and be a bot, or act as a file server. The possibilities for malware on Linux are endless.
"The more people use it, the better it gets?" I don't get that train of thought. There are only so many people that can hack on Linux code, and most vulnerabilities in any platform are completely unrelated to the kernel anyway. If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it.
Yeah! Let's drive all of the ignorant/apathetic users of Windows over to Linux. Then we can read about Linux worms that infect the millions of unpatched linux boxes.
"And once its taken away the adminstrator user cannot grant the privlege back to itself? Or would this require reinstalling the OS?"
Interesting. I've never thought about making Windows security settings that insane, but...
The security policies in Windows are stored in a file called "secedit.sdb" in %windows%\security\database folder. Theoretically, you could make a backup copy of the secedit.sdb file, and then deny everybody, including the system, the right to modify the file. Then you would have to change the owner of the secedit file to a user other than the administrator...and then *delete* that user from the system. After that, the security policies would be pretty much set in stone. The only way to change policies on the machine would be to start the machine in the recovery console and restore the backup secedit.sdb file. This of course would require physical access to the machine.
I don't think the makers of Windows NT had this in mind when designing the security model, but that doesn't mean it couldn't work. ;)
You can batch create users in AD using WMI scripts. No command line is necessary. I prefer the alternate method of delegating the authority to the HR staff and letting them create the accounts. They are given the right to create new accounts in a specific AD OU. The accounts are disabled via policies applied to the OU. Once they create them, we check them over and place them in the appropriate OU, which activates them. We also give them the right to change certain attributes of all users, like Title, Department, Location, etc. They have to keep track of this crap anyway, and in my organization it is not uncommon for people to change departments or locations multiple times over their time of employment.
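The two-stage delegation workflow described in that comment (HR creates accounts disabled in a staging OU, admins review and move them to their final OU), as an added PowerShell example that is not the poster's script; it uses the ActiveDirectory module rather than the WMI scripts the poster mentions, and the OU paths, domain name and CSV rows are constructed placeholders.

```powershell
# Added example: delegated account creation in two steps.
# Assumes the ActiveDirectory module (RSAT) and that the caller holds the
# delegated rights described in the comment. All OU paths are placeholders.
Import-Module ActiveDirectory

$Domain    = 'example.com'                                   # placeholder
$StagingOU = 'OU=NewHires,OU=Staging,DC=example,DC=com'      # placeholder
$TargetOUs = @{                                              # placeholder map
    'Finance' = 'OU=Finance,OU=Users,DC=example,DC=com'
    'IT'      = 'OU=IT,OU=Users,DC=example,DC=com'
}

# Constructed sample input in the shape HR would export; a real run would
# use Import-Csv -Path .\newhires.csv instead.
$NewHires = @'
GivenName,Surname,SamAccountName,Title,Department
Ada,Lovelace,alovelace,Analyst,Finance
Linus,Torvalds,ltorvalds,Engineer,IT
'@ | ConvertFrom-Csv

# Random initial password; the account is created disabled and the user must
# change it at first logon, so it only has to be unguessable, not memorable.
function New-RandomPassword([int] $Length = 16) {
    $chars = [char[]](33..126)                 # printable ASCII
    $plain = -join ($chars | Get-Random -Count $Length)
    ConvertTo-SecureString -String $plain -AsPlainText -Force
}

# Step 1 (HR): create each account disabled, in the staging OU only.
function New-StagedUser {
    param([Parameter(Mandatory)] $Row)
    $sam = $Row.SamAccountName
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; skipping"
        return
    }
    New-ADUser -Name "$($Row.GivenName) $($Row.Surname)" `
        -GivenName $Row.GivenName -Surname $Row.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$Domain" `
        -Title $Row.Title -Department $Row.Department `
        -Path $StagingOU -Enabled $false `
        -AccountPassword (New-RandomPassword) -ChangePasswordAtLogon $true
}

# Step 2 (admins): after review, move the account to the OU for its
# department and enable it. Refuses anything not sitting in the staging OU
# so that the function cannot be used to enable arbitrary accounts.
function Approve-StagedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties Department
    if ($u.DistinguishedName -notlike "*,$StagingOU") {
        throw "$SamAccountName is not in the staging OU; refusing to approve"
    }
    $dest = $TargetOUs[$u.Department]
    if (-not $dest) { throw "No target OU mapped for department '$($u.Department)'" }
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $dest
    Enable-ADAccount -Identity $SamAccountName
}

$NewHires | ForEach-Object { New-StagedUser -Row $_ }
# Approve-StagedUser -SamAccountName alovelace   # run by an admin after review
```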
"It requires write permissions to a CD burner drive, or a set[ug]id cdrecord to a user or group with write permissions to a CD burner drive."
I know full well what is required to burn CDs in UNIX. I've gone through the hair pulling getting it working in FreeBSD. In my experience, you have to do both - set suid on cdrecord and the other utilities and set the permissions on the cd devices. And you can paint it any way you want, but set[ug]id is the equivalent of root, when it comes to the binary in question.
I don't use Linux, but Google tells me the same is required for it.
Technically, full Administrator rights are not required to burn CDs in Windows either. The proper permissions can be handed down to regular users. I just haven't bothered to do it in Windows, because I do most of my burning from BSD.
"Internet Explorer runs active X which runs with system wide permissions."
You are confused. In order to install ActiveX controls you must have admin privileges. So, if you can install an ActiveX control, then that ActiveX control will naturally run for the first time with...admin privileges. All of the ActiveX exploits for IE in the past have not worked unless the victim was running as admin.
Using Firefox/Opera and a third party firewall can stop ~60% of Windows security issues. Just by killing ActiveX.
Or you could just not run as an admin and accomplish the same thing.
"That's the truth behind MSFT security. As for market share, Apache doesn't run well on windows and has more than 60% of the server marketshare. Yet IIS is the most attacked and most flawed server."
According to the one website which records website defacement statistics, you are wrong.
But, hey...let's not let facts get in the way of good propaganda!
"Most Windows users run with the permissions of "Administrator". Otherwise their programs don't work."
Not really. I've been running as a regular user on my Windows machines for a long time. Right now, there are only two programs I have installed that didn't run as a regular user properly when installed. One of them is CD Burning (which by the way requires root privs on UNIX too), and the other is a badly programmed game which keeps its settings in the program files folder.
"Well if you run a real OS, then the browser runs only with the permissions of a particular user"
Internet Explorer does run with the permissions of the user.
"Windows which has some security is designed to bypass that security to give users an edge. "
WTF are you talking about?
"Take the number of *Nix viruses (included, BSD's, Linux, Unix, etc) and compare that to the number of windows viruses that showed up in the past 2 years alone."
That would prove nothing as Unix OSes don't have near the Desktop marketshare of Windows, nor do they have the same type of userbase.
Your example reminds me of an experience I had about six years ago. I had just started my current job as a sysadmin and we had an entirely Windows network. The network had recently been converted over from Novell to NT4. Our "head sysadmin", who had already been there for two years, and had certifications (MCSE, CNA, A+) coming out of his ass, was the only one of us with certs, so he was the only one who had domain admin privileges. The rest of us had to get by calling him five times a day to have him do trivial things like join a machine to the domain. The problem was, "Mr. MCSE" really didn't know jack about how a Windows domain worked.
So one day, out of the blue, we start getting *TONS* of phone calls from people all over saying they can't log on to their computers. As I'm answering my phone assuring people that we were looking into the problem, I notice that I can't log in either. The department head comes in and says she can't log in either. So I log on my machine with a local account and verify that all of the servers are up and the network is working. It is. So I start poking around some more. I open up the "Network Neighborhood" and find that instead of eighty-plus computers, there are about ten. The ten computers were all of the servers, plus "Mr. MCSE's" workstation.
It turns out "Mr. MCSE" thought the Network Neighborhood was "cluttered" (he didn't like having to sort through all of the computers when browsing for the servers) so he decided to do some "housecleaning" - by deleting every computer account in the domain, except of course for the servers and his workstation.
We had to go out to every workstation and rejoin it to the domain.
I had read about Taiyo Yuden media and how great it was for a couple of years, but never saw any in the store so never bought any. After getting a DVD burner, and being repeatedly frustrated with store bought media (all the brands sucked), I googled and bought some Taiyo Yuden DVD media online.
It absolutely rocks!
I'll never use another brand.
I loved these zingers:
"What Express does not include when compared to SQL Server SE and above is Analysis Services, Reporting Services, Data Transformation Services, and Notification Services but some users would argue that these features are crippleware anyway."
Crippleware? What are the "some users" that argue this? The users that hate Microsoft? Also, DTS has been discontinued, and is not in any version of SQL Server 2005, so these guys obviously did not do their homework.
"There is no denying that SQL Server Express is the weakest of the databases in this group but..."
How exactly is there "no denying it"? Based on what is this claim made? Express isn't even designed for production use anyway...it's aimed at developers and enthusiasts/students who want to learn their products.
I'm using a postfix/Amavisd-new/SpamAssassin setup at work, which works well enough, and will be moving over to a new box soon. I was going to set it up from scratch because I want to move it from OpenBSD to FreeBSD. I'll have to give Exim a look. :)
"Oh wait, that wasn't really theirs was it..."
No, it was theirs. They have the receipt to prove it.
"Problem is that infection after infection after infection seems to keep happening to the Windows users and they just put up with it. If they started switching to Mac or Linux - or even if some of them wanted to give other alternatives like OS/2 or something a try, or whatever. . . then MS would lose its marketshare and clean up its act"
:)
Rule #1: Functionality trumps everything else.
Windows offers the most functionality. Not because it's designed better, but just because of how many people use it. As I said, people are naturally inclined to form monocultures. Perhaps that is an effect of humans' tendency to imitate each other? I have no doubt that if it wasn't Windows, it would be some other OS, and we'd all be discussing the virus problems with it today instead.
Occasionally I do side work on people's computers, and for the "problem people", the types who ALWAYS seem to screw up their computers, I always suggest they consider buying an Apple instead of a PC. I managed to convince one person, so don't accuse me of not trying to help!
And all banks are just like your bank right?
A few points....
Microsoft never claimed any of the Win9x series of OSes to be secure. They specifically said that if you wanted security in their products to use NT. There was no security model at all in the 9x series of OSes, so 'security' as we know it today was not possible.
It would be nice if everyone was so forward thinking, but hardly anyone is. With Windows 95, Microsoft got caught with their pants down in regards to the internet and security, as right around the time Windows 95 was released, internet usage started to explode. The first ever computer worm, "Morris", affected unix machines running sendmail, and it took down virtually every unix machine on the 'internet' back when it was accidentally released. The scenario that led to Morris was very similar to the one that led to all of the security problems with Windows. People just weren't very concerned about security back then and didn't see the potential security pitfalls that connecting a bunch of computers together could bring.
The comparison of the age of Windows to the age of Linux isn't very fair. Linux has been a 32 bit operating system since its birth in 1991 and its overall design (a unix type OS) has not changed. Windows started being a true 32 bit OS with NT 4.0 which was released around 94 I believe, and has absolutely nothing to do, in regards to its core design, with any of the Windows 9x versions. All of your experience with Windows is with the 9x series, whose sole purpose was to transition customers over from DOS based OSes to NT based OSes without breaking compatibility with legacy DOS programs. Obviously the transition was a rough one for many, for history has shown (read: Apple's transition from the Apple IIe to the Macintosh) that completely abandoning legacy technology and trying to force your customers straight into a new and improved technology without providing any legacy support is market suicide.
The reason XP was shipped making users admin by default was not because Microsoft didn't understand the security implications of it. It was a backwards compatibility issue. Windows had a massive amount of old software written for Windows 95 and 98 and breaking compatibility with them would be very very bad. Windows XP fully supports the installation of programs by regular users...*IF* the program is written with that in mind. When Microsoft shipped Windows 2000 and then XP, they tried to get Windows developers to start coding their programs with the security model in mind, but for the most part programmers ignored Microsoft's advice and continued to code their programs assuming that the end users would have admin rights.
"It wouldn't be too hard to make the OS tell you if the program's trying to change important system files, would it? "
No it's not hard at all. Windows has done it for ages by saying "access denied". All joking aside, Windows has had the capability of prompting you for admin rights when a properly written installer is launched under a non admin account. The problem is developers don't write their installers properly to take advantage of this feature. I have the distinct feeling you're thinking of Mac OSX's ability to prompt for the admin password when users try to install something. The reason this works so well in Mac OSX is that it has a tiny amount of software available for it compared to Windows, and thus a much smaller pool of developers. Getting a group of developers to all do something is akin to herding cats. Apple's "herd" is a hundred times smaller than Microsoft's "herd".
"Sorry, but Google says otherwise. First item on the page - New Version of MyDoom Worm in Zero-Day Attack."
This is not what I was talking about when I said "worm". I'm talking about things that replicate without user input. Something that spreads via an Internet Explorer exploit requires the user to go to a specially crafted web page to get infected. It's still bad, but IE has a very long history of being repeatedly exploited, much like sendmail in the 80s.
There are a lot of banks that support multiple browsers. I know it's a PITA to switch banks, but if you feel compelled to do so, then at least you will have choices.
Unfortunately your scenario is the more likely one. Big banks are like that. Individual customers mean almost nothing to them. If a large bank lost every single customer that used a Mac, it would make no difference to them financially.
It sounds like the last Windows you ran was Win9x series. To base all your arguments against windows based on a 7 year old version which didn't even *have* security is silly. That's like me saying desktop linux sucks because when I tried slackware 96 it took me an hour just to get my serial mouse to work, and even longer just to get the vesa driver to work with XFree86.
;) Not exactly a huge selection, but they do exist.
"Kinda made me mad that I had paid quite a bit of money for something that crashed more. The only thing I missed was the games."
Well now there are a few games that run on Linux.
"And if software can't protect you from viruses, then why do Windows users run antivirus suites? Surely securely-designed software must be useful for some level of protection."
Because all of the computer viruses target Windows. In a good security plan, anti-virus is a last line of defense. If you practice other more important security practices (good ole' common sense goes a long way) then your AV should never detect anything. Mine hasn't in years. If some other OS had the marketshare that Windows did, all of the computer viruses would be written for that OS, and everyone would still be running AV. Back when Macs had a 15% marketshare there were viruses for Mac and lots of Mac users ran antivirus. That's the only real comparison I can give you because in the history of home computing, those are the only two platforms that have ever had a sizeable amount of marketshare.
"Because Windows is meant so that even an idiot could use it, Therefore MS must expect that idiots WILL use it. Idiots don't know how to set up auto updates or that they should often check up on the latest security alerts. Microsoft should have it do their patches automagically."
There is a catch-22 here. I agree 100% that Windows should automatically update itself out of the box, but if it did, millions of people would bitch and moan about it. People want to have their cake and eat it too. They want their computer to be secure, but they want total control over their computer too. That means being able to choose whether or not they update it, and being able to run any untrusted code they want. Microsoft has found a middle ground by adding the 'security center' in XP that bugs you constantly if your auto updates is turned off, but you'll find that people even complain about *that*. You can't please EVERYBODY, but that's the thing Microsoft is forced to TRY to do...because EVERYBODY uses their operating system.
"But if it doesn't play without the rootkit, then how do you listen to it without installing the rootkit?"
I would return the CD to the store, and if they wouldn't give my money back I would sue Sony. If you read around I'm sure you've noticed that there are multiple lawsuits against Sony regarding this matter. The fact is tons of people run as admin in Windows because that's how Microsoft made it by default. Sony is evil for doing what they did and the blame lies on them, not the operating system that their "DRM" installs on. Let's say that Microsoft shipped XP back in 2001 and it created limited user accounts by default instead of admin accounts. Sony's CD would simply say "You must enter your administrator password to view the special feature on this CD", and you can bet that most people would blindly do it, not realizing (or caring about) the potential consequences.
"No vulnerabilities were exploited the day they were found out. Whoop de doo. Great. So they attacked an unfixed vulnerability from earlier. That's what you're saying. So what if they're attacked after the hole has been known a while? If that means no patch was released all this time, who cares?
Also, a simple Google search begs to differ. Right on the first page, what do I see? "Zero-day Microsoft Excel flaw for sale on eBay", "Zero-Day Exploit Targets IE", "Microsoft Promises to Quickly Solve a Zero-Day Vulnerability". . .
"So if malware authors are in it for the money, why don't they aim at the corporations with the big money?"
They do, and they succeed sometimes. Did you ever think that perhaps people target home Windows users because they are naive and are apt to fall for social engineering tricks?
"Contrary to what many seem to think here on /., I don't just pull things out of my ass. I do use actual statistics that I've heard of elsewhere. Windows does have more security holes, and hackers don't just hack Windows because of the money but also because there are plenty of tools on the 'Net for "script kiddies" to use."
No, you don't pull things out of your ass - You regurgitate propaganda that's been fed to you. That's even worse, because propaganda always has a partial truth to it and thus can easily be mistaken for fact. Just because some dude at linuxismygod.com told you so, doesn't make it so. Here's an exercise for you. Go to securityfocus.com or some other security site and compare the amount of vulnerabilities found in IIS6 vs the amount of vulnerabilities found in Apache (version 1 or 2, take your pick) in the last two years. Then come back and tell me "Windows has more security holes". Or are you trying to compare just the Linux kernel with the entire Windows operating system?
"Right. Because I'm sure Grandma uses XML-RPC for her PHP server, AWStats, and Webhints on her DESKTOP Linux PC like all the other DESKTOP Linux users."
But they would use apps like Firefox and GAIM which from time to time have security flaws. You really missed the point when I made that comparison.
"When I used Windows, I ALWAYS installed all my patches, updated my software, ran regular spyware and virus checks. . . everything. And I still got spyware and viruses."
I'm sorry to hear that. That says more about you than it does about windows. If linux was the dominant OS, my bet is you would still get spyware and viruses. Operating systems can't protect you. They can only give you the tools to protect yourself. Right now, the obscurity of desktop linux is protecting you. Since linux will probably never gain much marketshare on the desktop, you should continue to be safe, so enjoy it.
"I've been using Linux for about 5 or 6 years now"
And judging by our conversation, you haven't learned a goddamn thing in all that time.
"(for a while I kept Windows just for games but now I'm all Linux)"
Yay for you! Would you like a medal? I used FreeBSD as my desktop for about eight months, but I got a TV tuner card that didn't work with it, so I switched back to Windows. *nix is now relegated to web serving and routing in my house. I don't carry an emotional attachment to operating systems, like some others. They are tools, some more useful for certain applications than others.
"and have been sitting back laughing when everyone else was worried about "Code Red""
Ahh yes, Code Red. That's that IIS worm that exploited a two month old vulnerability. FYI, there has NEVER been a Windows worm that exploited a zero day vulnerability. Every single one has exploited vulnerabilities that have already been patched. The worst was SQL Slammer. It exploited an eight month old vulnerability. How exactly is the success of these worms Windows' fault?
"And yet Windows users can't even listen to a music CD without worrying about root kits anymore."
Sure they can. They can use a non-admin account to listen to CDs.
Your posts perfectly illustrate your lack of understanding of exactly what computer security is. You think security is running software package (A) instead of software package (B) because software package (A) is better at protecting you. As I said above, software can't protect you.
"You're right, but any program that is run by a non-privileged user (without running su or sudo) can only affect the files and folders that can be modified by that user. Running a virus program as an unprivileged user will only infect that user's files - just delete the user's files, delete the account, create a new account, copy a backup of the user's files, and you're good to go. It might still be a pain in the ass, but it beats completely reformatting and then copying the backups to the user's folder."
So what? Malware nowadays doesn't try to delete data, it tries to steal information (hint: a user's files!) or use the computer's resources for things like DoS attacks or spam. root is not required for any of these things.
"If the program is not executed, then how can it take advantage of the buffer overflow vulnerabilities? The virus has to be executed before it can start messing things up."
I suggest you go and look up what a buffer overflow is and how they can lead to security breaches.
"Sure, if you're stupid enough to install a program from just anyone who e-mails you.
People this stupid are rare nowadays, even in the Windows crowd."
With all of the major pub that email worms have gotten over the past five or so years, you would think so, wouldn't you? The unfortunate fact is, people this stupid are still in very high supply. Look at all of the successful email worms today for Windows like "Sober", and read up on how they propagate.
"Linux chat clients/e-mail clients/etc. don't have stupid "features" like MS' VBScript (which is what makes Outlook/Outlook Express so vulnerable) that makes them auto-execute code. And, like I said, a user-space infection is a fairly easy fix since it only affects that user's files - yeah, you still better hope you've got a backup"
You are living in the 90's dude. Outlook and Outlook express are actually very secure email clients nowadays, and won't do shit by default. Outlook won't even render regular html email by default.
Regardless, features like these aren't needed. If the program accepts user input, it has the potential to be exploited. Again, go look up what a buffer overflow is and what they can do.
"but you don't have to reinstall like you do in Windows."
You also don't have to run as an administrator in Windows. I don't. Right now, I could download all of the viruses in the world and run them and they couldn't do shit to my Windows installation because the account I'm logged on as right now doesn't have the rights.
"Say I'm a hacker, right? And I notice a bug in some open-source code and I notice a bug in MS' new version of IE.
Okaaay.
"Now I'm a good person, but I don't have access to the IE code."
So, why don't you just *report* it to them?
"So I can fix the open-source code, but all I can do about IE (or any other MS product) is tell them and hope they'll fix it but many don't since MS doesn't see them as a problem.
So quit bitching and just tell them about it. If they sit on it, release a POC on the net after 45 days or so. This is a rather flawed argument anyway because it is based on the presumption that A) an open source project would WANT your fix, and B) Open source dev teams never downplay vulnerabilities, and C) Big corporations always downplay vulnerabilities. The same ego that leads big corporations like Microsoft and Oracle to downplay vulnerabilities leads OS developers to do the same thing. The Mozilla dev team has done it multiple times since the release of Firefox 1.0.
"The only way to get them to fix it would be to prove to them that it IS a problem. "
Then like I said, be nice and report it. If they ignore you, force them to act by releasing a POC on the net.
"Why?" [would linux become a target if everyone used it on the desktop]
Because malware authors today are in it for the money. There is a ton of money to be made on owned machines, and peoples' identities. Whether the dominant platform has a Window, a Penguin or an Apple for a mascot means nothing to the people who are out to make money.
"Do you really think that if "a bunch of ignorant people used Linux" we nerds would switch over to something else, just because the average user is now using Linux?
Perhaps. If everyone's grandma started using Linux, it would become a haven for malware, and thus not as appealing as other good free OSs like FreeBSD or Solaris.
"There'd still be the same number (if not more) of contributors to Linux, so we'd still get problems fixed at the same speed or faster."
The speed at which problems get fixed is irrelevant when you throw ignorant users into the mix. Look at some weblogs, and you'll notice that a large percentage of Firefox users are still using version 1.05 or earlier, a version for which remote code execution exploit code was released a few days ago. What do you think would happen if 70-90% of web users used Firefox? Do you think adware distributors who are out to make money on ad revenue would not target Firefox users because it's an open source app? There are remote code execution exploits for earlier versions of Firefox too, and many users are still using 1.0. Firefox users are supposedly 'savvy' web users yet they continue to click around the net using extremely vulnerable versions. The fact is, many people don't update their software like they should because they simply don't know any better. A recent Linux worm is still out in the wild despite the fact that it exploits a couple of fairly old vulnerabilities and the worm itself is over a month old. I run awstats on one of my webservers and updated it at least a month before the worm came out, but it's pretty obvious that many other people didn't.
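The weblog check described above, written out as an added example that is not part of the original comment: it scans constructed Apache combined-log lines for Firefox User-Agent strings and tallies how many hits come from builds below an assumed minimum safe version (1.0.6 here, taken from the comment's "1.05 or earlier" being vulnerable; adjust `min_safe` to whatever your own advisory says).

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [20/Dec/2005:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
10.0.0.2 - - [20/Dec/2005:10:00:02 +0000] "GET /about HTTP/1.1" 200 640 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Firefox/1.0.7"
10.0.0.3 - - [20/Dec/2005:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.4 - - [20/Dec/2005:10:00:04 +0000] "GET /news HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
10.0.0.5 - - [20/Dec/2005:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
10.0.0.6 - - [20/Dec/2005:10:00:06 +0000] "GET /rss HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
"""

# In the combined format the User-Agent is the last double-quoted field on the line.
UA_RE = re.compile(r'"([^"]*)"\s*$')
# Firefox advertises its build as "Firefox/<dotted version>" inside the User-Agent.
FIREFOX_RE = re.compile(r'Firefox/(\d+(?:\.\d+)*)')


def parse_version(text: str) -> Version:
    """'1.0.6' -> (1, 0, 6); comparing tuples avoids the '1.10' < '1.9' string trap."""
    return tuple(int(part) for part in text.split('.'))


def firefox_version(line: str) -> Optional[Version]:
    """Return the Firefox version advertised in a log line, or None for other browsers."""
    ua = UA_RE.search(line)
    if ua is None:
        return None
    hit = FIREFOX_RE.search(ua.group(1))
    return parse_version(hit.group(1)) if hit else None


def version_at_least(version: Version, minimum: Version) -> bool:
    """Compare versions of unequal length by zero-padding, so 1.5 == 1.5.0 > 1.0.6."""
    width = max(len(version), len(minimum))
    padded = version + (0,) * (width - len(version))
    floor = minimum + (0,) * (width - len(minimum))
    return padded >= floor


def audit_firefox_versions(lines: Iterable[str], min_safe: Version = (1, 0, 6)) -> Dict[str, object]:
    """Count Firefox hits per version and split them into current vs outdated.

    min_safe is an assumption for this example: the first build not affected
    by the exploit the comment refers to. Non-Firefox hits are ignored.
    """
    outdated: Counter = Counter()
    current: Counter = Counter()
    for line in lines:
        version = firefox_version(line)
        if version is None:
            continue
        label = '.'.join(str(n) for n in version)
        bucket = current if version_at_least(version, min_safe) else outdated
        bucket[label] += 1
    total = sum(outdated.values()) + sum(current.values())
    return {
        "firefox_hits": total,
        "outdated": dict(outdated),
        "current": dict(current),
        "outdated_share": (sum(outdated.values()) / total) if total else 0.0,
    }


if __name__ == "__main__":
    report = audit_firefox_versions(SAMPLE_LOG.splitlines())
    print(f"Firefox hits: {report['firefox_hits']}, outdated share: {report['outdated_share']:.0%}")
    for label, count in sorted(report["outdated"].items()):
        print(f"  outdated Firefox/{label}: {count}")
```

On the constructed sample, two of the five Firefox hits (1.0.4 and 1.0) fall below the assumed floor; pointing the same function at a real access log gives the percentage the comment talks about.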
"And Windows is "in the crosshairs" (so to speak) because of its gaping security holes."
What "gaping security holes" are you speaking of? Do you mean the two months patched vulnerability that the newest windows worm exploits? How exactly are worms like this for linux any different? Windows is in the crosshairs because that's where the money is at.
"it seeks out random addresses and installs itself on unprotected systems, this could not happen on a *nix system, unless the person was running as root, on the Internet, reading email, randomly clicks ok to a package manager (even if they are not running it), or misses the big slowdown as software is compiled. So while you could make a keylogger for Linux... it would be really hard to get anyone to install it... even if it did say it could grab porn from the net.. too many steps for most to bother .."
Huh? Root is not required on Linux to run executables or connect out to the Internet, and software does not have to be compiled to run in Linux. If all of that was true, Linux wouldn't be a very appealing choice for a desktop system. A standard elf binary that relies on vanilla, or no, libraries, or a simple shell script, will run on 99% of Linux systems (and a large chunk of BSD systems) out there. All that is required is a large number of users and a vulnerability in a common application or daemon. Buffer overflow vulnerabilities take care of the 'files not executing by default' problem in Linux. Once a buffer overflow vulnerability is exploited, a binary can be dropped onto the system and it can set itself to run, in the user's crontab, in the ~/.kde/start folder, or wherever. Also, you should never underestimate the stupidity of computer newbies. If Linux had the same number of naive users as Windows, mass email worms where executables are contained inside of archives would be able to propagate.
The malware could easily run under the user's permissions and connect out to random addresses trying to infect other hosts, connect to IRC servers and be a bot, or act as a file server. The possibilities for malware on Linux are endless.
"The more people use it, the better it gets?" I don't get that train of thought. There are only so many people that can hack on Linux code, and most vulnerabilities in any platform are completely unrelated to the kernel anyway. If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it.
Yeah! Let's drive all of the ignorant/apathetic users of Windows over to Linux. Then we can read about Linux worms that infect the millions of unpatched linux boxes.
"And once it's taken away the administrator user cannot grant the privilege back to itself? Or would this require reinstalling the OS?"
;)
Interesting. I've never thought about Windows security settings that insane, but...
The security policies in Windows are stored in a file called "secedit.sdb" in %windows%\security\database folder. Theoretically, you could make a backup copy of the secedit.sdb file, and then deny everybody, including the system, the right to modify the file. Then you would have to change the owner of the secedit file to a user other than the administrator...and then *delete* that user from the system. After that, the security policies would be pretty much set in stone. The only way to change policies on the machine would be to start the machine in the recovery console and restore the backup secedit.sdb file. This of course would require physical access to the machine.
I don't think the makers of Windows NT had this in mind when designing the security model, but that doesn't mean it couldn't work.
You can batch create users in AD using WMI scripts. No command line is necessary. I prefer the alternate method of delegating the authority to the HR staff and letting them create the accounts. They are given the right to create new accounts in a specific AD OU. The accounts are disabled via policies applied to the OU. Once they create them, we check them over and place them in the appropriate OU, which activates them. We also give them the right to change certain attributes of all users, like Title, Department, Location, etc. They have to keep track of this crap anyway, and in my organization it is not uncommon for people to change departments or locations multiple times over their time of employment.