They replaced a bunch of firewalls running on Windows with a firewall running on OpenBSD. So? It sounds like Captain Obvious finally paid them a visit. Windows works great for a ton of things, but being a network device is not one of them.
If Linux had 95% marketshare, I think the repository/package management paradigm would still work, because most people would still use the Free Software.
We're both thinking of two different realities here, both of which exist only in our heads. I'm placing Linux in the current reality of a software world where most of the apps built for the desktop market leader are proprietary. You are placing it in a world where the world has transitioned from a consumer software market dominated by proprietary applications to one dominated by open source ones.
But neither reality is here. Linux doesn't have the desktop market share, and the consumer software world is dominated by proprietary apps.
I didn't even think of the open source/closed source factor. My thoughts were focused on who would pay to maintain and oversee such a massive repository used by so many people.
But when an OS has a 95% marketshare, centralized package management for all software simply isn't feasible. I think the point of the parent (with which I agree) is that if Linux had the same market conditions as Windows, the malware situation would not be much different.
...when people don't bother to install the updates.
Look at any website's detailed statistics and I guarantee you you would find a sizable portion of the Firefox visitors are not running the latest version of Firefox.
Heck, I still get hits from "Firebird" on my site!
..to Microsoft in the security department.**
;)
**This is a serious post.
What's the matter with *BSD?
My Sandisk 16MB compact flash card that I bought in 1999 along with a digital camera still works fine.
Hilarious! My new sig has arrived!
Semantics Shematics! By your narrow definition, there are no viruses on Windows machines today....only *worms* and *trojans*.
;)
How about we just use the term "malware" from now on.
"Question - is it Intel that makes worms, bugs, trojans, etc. so easy to exploit a machine or is it the Operating System?"
Neither. It's the massive amount of gullible people that own computers.
You are right that Apple moving to Intel means nothing in terms of security.
Heck, even Windows users will run any program they receive in their email. That's how 99% of email viruses spread nowadays.
Voyager was my favorite by far. TNG was cool, until I saw Voyager. I never liked any of the other ones.
First of all you'll need a server equipped with tiny C4 charges embedded in each of the hard drives. This is a handy way of deleting data on your hard drives very quickly. I hear HP can furnish these.
Second, you will need to hire a troupe of security guards to watch over the computer. Equip them with M16s, and have them work in shifts, escorting users to and from the computers. If you can't afford humans, several dozen trained monkeys will do the job. Just make sure and keep at least three extra monkeys on hand so you can replace the dead ones. You'll need at least two monkey handlers if you go the monkey route - one to watch over the monkeys and one to fill in when the first one gets shot.
For a bit of extra security, you can purchase a used electric chair from one of the states that have switched to lethal injection and use it as the chair for the workstation. One armed guard can stand holding the red button, ready to fry the operator in case (s)he mishandles any data, or looks at the guards funny, while another guard stands ready to kill the other in case they refuse to press the red button.
If you can't afford or find an electric chair on the retail market, submit an "ask slashdot" article and I'm sure you'll get plenty of tips on how to build one yourself.
Or if you want to save money you could just install the super secure Gentoo Linux operating system and set it to update itself via emerge automatically every hour.
It's your choice.
I replied before browsing all of the posts in this thread. After posting I thought "Doh, this is slashdot. I bet someone here already mentioned IPSEC". To my dismay not one fucking person even mentioned the possibility of using IPSEC.
What the fuck? Doesn't ANYONE know ANYTHING about Windows? I thought this was a site for nerds? Aren't nerds that partake in computer security discussions supposed to know about things like IPSEC? Hell, Windows has come with IPSEC built into it since Win2k. That's FIVE YEARS Windows has had this capability. I learned about it...FIVE YEARS AGO when I first got a copy of Win2k at work.
I watch idiots post all day on this site about how much Windows sucks, and how it can't be secured, yet they don't know one fucking thing about how Windows works, or about the methods available to secure it.
Jesus Christ people, get a fucking clue!
Oh, and excuse my foul language, I hope I didn't permanently damage the psyche of the numerous 12 year old Linux d00dz that are sure to be reading this.
"Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing."
You can't block the port outright, but you can block it from computers that are foreign to your domain. You can enforce IPSEC policies across your domain which require authentication and/or encryption for network traffic. A domain wide IPSEC policy that requires IPSEC authentication to communicate over the standard MS networking ports (139,445, 1025, etc) would keep outside machines from infecting your domain computers/servers.
Windows 2000/XP/2k3 all have IPSEC built into them.
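A sketch of the policy described in the comment above, added here as an example and not taken from the original post: a local IPsec policy that refuses inbound TCP 139/445 unless the peer completes Kerberos-authenticated IPsec, which only domain members can do. It assumes the `netsh ipsec static` context of Windows Server 2003 on a domain-joined machine; the policy, filter list and filter action names are made up.

```bat
@echo off
rem Added example: require authenticated IPsec for inbound MS networking ports.
rem Assumptions: Windows Server 2003 (netsh ipsec context), domain member,
rem run from an administrative command prompt. All names below are invented.
set POLICY=Require-IPsec-MS-Networking
set FLIST=Inbound-MS-Networking
set FACTION=Require-Authenticated

rem 1. Create the policy unassigned so it can be reviewed before it takes effect.
netsh ipsec static add policy name="%POLICY%" description="Authenticated IPsec for TCP 139/445" assign=no

rem 2. Filter list: any host -> this machine on the ports named in the post.
rem    mirrored=yes also matches the reply direction of each connection.
netsh ipsec static add filterlist name="%FLIST%"
for %%P in (139 445) do netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes description="Inbound TCP %%P"

rem 3. Filter action: negotiate security, never fall back to clear text.
rem    inpass=no -> drop unsecured inbound packets instead of answering them
rem    soft=no   -> no unsecured fallback with peers that cannot do IPsec
rem    ESP[None,SHA1] authenticates without encrypting; use ESP[3DES,SHA1] to encrypt too.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"

rem 4. Rule tying the pieces together. kerberos=yes means the peer must hold a
rem    computer account in a trusted domain, so a foreign laptop cannot authenticate.
netsh ipsec static add rule name="MS-Networking-Requires-Auth" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Review the result, then assign it.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

For the domain-wide enforcement the post describes, the same policy would be distributed through Group Policy rather than assigned machine by machine, and traffic to the domain controllers is normally exempted with a permit rule because Kerberos authentication has to reach a DC before IPsec can be negotiated.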
"You're saying that a patched Windows XP machine is more stable than an unpatched Windows 2000 machine."
No, I did not say that.
I said a fully patched Windows XP machine is less vulnerable to this exploit than a fully patched Win2k machine.
I take it slashdot is handing out mod-points to the baboons today?
"I read it. I took particular interest in the fact that Windows XP was on the vulnerable list. So you still get owned, only slightly less owned."
More like, "slightly *not* owned". You must not have read it very carefully.
In order to remotely exploit XPSP2 or 2k3 with this vulnerability the attacker must have administrative credentials on the machine. Correct me if I'm wrong, but if someone has an admin account on your Windows box, are not you already owned?
"There are many other examples of exploits that affect WinXP, and either don't work or don't work as well on 2000. I'll provide examples when you do."
Many of the examples I'm referring to are recent IE exploits I've seen which don't affect XPSP2. No, I won't look up examples for you, as you already seem to have made up your mind.
"Care to elaborate on this one? Because I'm going to call bullshit. Windows XP and 2000 are prone to pretty much the exact same vulnerabilities and exploits. XP has some 2000 doesn't, and vice versa."
You can call bullshit all you want, but you are wrong. Windows XP does have more security features than Windows 2000. If you had bothered to read Microsoft's bulletin on the PnP vulnerability discussed in this article you would know that. There are many other examples of exploits that affect Win2k, and either don't work or don't work as well on XP - especially XP with SP2 installed.
With XPSP2, and Win2k3, the plug and play exploit requires the attacker to be able to initiate connections to TCP ports 139 and 445, and have an *ADMINISTRATIVE ACCOUNT* on the machine.
If the attacker has an administrative account on the machine, why the $#@! bother to exploit this vulnerability when they already have carte blanche access?
For WinXPSP1, and WIN2k it's more serious. For WinXPSP1 the attacker only needs a regular user account, and for Win2k, the exploit can be done anonymously.
The second exploit code affects Internut Exploder. For desktop users stupid enough to use IE as their browser, this is an issue, but it's not much of an issue for windows servers, and non IE users.
You were probably just missing Option "RenderAccel" "true" in your X config file.
"Why in the world do you need to scare someone about "improper settings can cause data loss". It's a given fact that anything you do can and will lead to data loss, but you don't see that the minute you pop in a Windows XP or MacOS X CD!"
There are plenty of warnings in the Win2k/XP installers.
Warning - another version of Windows was detected!
Warning - are you sure you want to delete this partition?
Warning - your hard drive is blank (yes it really does "WARN" you of this)
I agree. My desktop is FreeBSD. I don't see this "sluggishness" mentioned.
I even benchmarked a couple of games in FreeBSD and Windows...and FreeBSD ran some of them *faster*.
http://toadlife.kicks-ass.net/bsdvswindows/
...and they are all things I enjoy about FreeBSD, but the thing that really got me stuck on FreeBSD is the documentation.
Ditto.
I'm not an expert programmer (I know a little php, vbscript, SQL, DOS Batch), but the "False Detector" made me 'lol' - literally.