That article is pretty down on Windows. I don't usually defend MSFT, but when you're a target that big, everybody is gunning for you--the spammers, the spyware pimps, the skript kiddies, the crackers, and the phishers. If there were that many Macs, I'm sure they'd not enjoy their false sense of safety.
shhh...quiet, dude! or you'll hear jackboots outside YOUR door!
I'm looking forward to a post-nuclear winter as a nice seasonal change from global warming.
Martin:
One frustrating aspect to running Windows desktops is its vulnerability to "malware" (worms, trojans, spyware, etc.). Linux is not without its vulnerabilities; however, the Linux kernel developers and the distribution companies do not require the end user to purchase or procure third party solutions to their security vulnerabilities.
My question is, why does Microsoft, with all of its resources, not correct their fundamental vulnerabilities to unwanted executables? Why does MS purchase Antivirus and Anti-Spyware companies and threaten to charge extra for fixing the problems that should be addressed at the root cause?
With Linux, though far from perfect, there has been tremendous effort to avoid white-washing over problems. I don't know of any viruses or trojans for Linux that are so easily executed. Though it's sometimes troublesome to manage each modular package that may be installed, there are no hidden costs and much effort has been made to simplify updating (up2date, apt-get, etc.). While Windows update addresses some of these vulnerabilities, it seems to never be enough and without 3rd party anti-virus software, it surely isn't.
How is Microsoft supposed to expect its user base to respect and/or trust its secure computing initiative if the users have to spend extra money to plug the holes that shouldn't be there in the first place? It isn't as if these problems are new.
If the answer is Longhorn, I think the MS user community deserves better than a promise this time.
The last thing she heard from the board was:
....be off! Before someone drops a house on you....
It could be worse, Carly--you could be in Jail with Martha and Lea Fastow. The golden parachute you're getting should buy you a small country somewhere.
If I had mod points today, I'd mod you as "insightful" because this is, indeed, wisdom. It's funny because of the irony.
I genuflect in the general direction of your geekitude....
Selectively editing your logs to omit/obscure nefarious activity doesn't require any special tools--that only requires poor ethics.
Isn't it awesome to see a large corporation gobble up smaller companies? On the upshot, all the people who started the smaller companies are now pretty well-off AND they don't have to worry about maintaining their software because they know, deep in their little hearts, that Microsoft will make their product better than it's ever been before!
And, think of the irony! The virus problem, if you really think about it, is really MSFT's fault because of fundamental design flaws in their OS. Rather than fixing the root cause of the problem, they buy someone else's solution. And then, they plan on CHARGING for the service! How f**ked up is that?
It's like a legalized Mafia!
Ok...just observing the comments, I can tell that most people either loved her or hated her. That's got to mean something. I'd rather be loved or hated than just there all lukewarm like a glass of milk at room temperature. (yuck).
She must have done some things right to make her company some money and she must have pissed some people off, too.
No matter what you feel about her, she has more money than any of us and she's gone. She wins.
I was just wondering about that title "Penetration Tester." Somehow, it seems to garner immediate respect.
Attention All Slashdot Readers:
Maybe it would be a better idea not to name the specific places one cracks--esp. if you're doing the "journalism" to provide some sort of unrequested pro bono security audit to publish on the internet. If anywhere, your findings should first and primarily be reported to the parties responsible for a given system's upkeep and security. Publishing weaknesses is like putting an ad in the paper or signs in your neighborhood that indicate the addresses where all the broken door locks are. What about your first amendment rights? Well, my axiom is: just because you can doesn't mean you should. And I think this is on the same level of irresponsibility as yelling fire in a theater.
I think to do otherwise is simply exploiting a chance to grand-stand one's technical savvy at the expense of someone else. I think we see quite enough of that here at /.
IMHO
I did have just this thing happen to one of my users' machines. It had a trivial dictionary password and SSH was enabled. You're quite right about root--but if you've learned the password for a user account who has sudo privileges, you don't need root. The machine was used to launch attacks against other computers.
The problem is that some Mac users sometimes don't understand what all the check boxes mean when they're just trying to turn on file sharing--so they turn them all on. Their false sense of security makes them feel that nothing is going to hurt them.
But, this sort of thing is VERY rare. But it does happen.
But, you can see by my list for Windows basic security and maintenance (totally intended to be ironically long and tedious) that out of the box, Windows is pretty sucky. I mean, who in their right minds would want to live with an OS like that?
Well...I totally agree.
I've said it before, and I'll say it again: my post was meant to be quite ironic. I mean, what kind of "non-sucky" OS has a list of maintenance procedures like that? (notice the MacOS and Linux lists were rather small?). But, I didn't want to give the impression that OS X and Linux are not without their weaknesses, too. But, they're not as easily exploitable. The point of my list was to illustrate that.
First, let me say you make excellent points that I totally agree with. But, dude. I've had several MacOS X users who were running SSH broken into. I'm not just pulling that out of my ass.
Root was not enabled but the user passwords were stupid--like "orange." A dictionary attack takes little time. Shell access to an account with 'admin' privs (not root but can sudo) is pretty damn dangerous. In fact, our security people alerted me to the MacOS X box because it was in the middle of a DDoS attack against some host in China.
Now, before you call "BS" on me, think about people who use the Mac. Ok, now think about that false sense of security I was talking about--"It's OK, it's a Mac."
Now, you're right! Password security and complexity is always an excellent layer of security! But, if you're some secretary or professor on a university campus (like where I work), and you keep hearing people talk crap about Windows and praise the Mac for being bullet-proof, a secure password doesn't cross your mind so you use something easy to remember like your favorite color. Or maybe you just use the same password you use for say, oh, your POP account [which you didn't bother to setup with SSL because you didn't know what it means]. So, you're sending CLEAR TEXT passwords and USERIDS over your network. And now, thanks to the cracked windows boxes on your network, even your secure password has been sniffed.
Think it doesn't happen? Think again.
But, it certainly isn't often or as widespread as Windows. I purposely created a long ridiculous list of real maintenance issues with Windows to illustrate the point that Windows does still suck. :)
First off, there's a great deal of irony in my post--it's subtle, but it's totally intended. Notice the sections on Linux and MacOS are small? Notice that the list for windows is rather a ridiculous amount of maintenance?
And, just for the record, I work in technical support at a University. I have had several instances of Linux installations "secure out of the box" being broken into. I've also had MacOS X boxes cracked into with dictionary attacks because someone turned on SSH. Linux is not as safe as you seem to think it is. In the hands of a non-technical user, it can be just as dangerous as Windows on your network and patches need to be applied with just as much vigilance--but not nearly as many or as severe! Of course, they would have to turn on services, but if they do, they suddenly become just as vulnerable. In fact, some people use Linux AND MacOS X with the intention of running those services (gasp!). What now, Kemosabe? Patch. Patch often.
Re-read my post. If you can't tell that I think it sucks to run Windows, then maybe you just take everything way too seriously.
Well, I didn't want to go back too far and I never really used the original Windows much (trying to stick to what I know--otherwise it wouldn't be completely honest). I could talk about Apple ][, Commodore, and the original Mac, but I thought more recent comparisons were relevant if I was going to include Linux. (Which wasn't quite ready to compare even in 1996 when I first installed it).
You hit the nail on the head--they're only as good as the programmers are. They're all tools. Arguing about the "best" is like arguing about Ford vs Chevy.
Windows 98? Sucked. No arguments from anyone about that. Windows ME? Sucked. Again, little defense even from MS. Windows 2000? Not as sucky--marked improvement in stability. Windows XP? Much better. Not perfect, but glad to see it's better.
If you're going to run Windows the simple fact of life you're going to have to get used to is this: high maintenance. Well, maybe it's not all that bad...
- Patch and then patch again.
- Before you even think about plugging into the network, patch it from CDs after you re-install the OS (don't trust what comes from the factory)
- install your anti-virus and your adware prophylactics before you think about going on-line, too.
- Install Firefox and turn off that damned built-in firewall on XP2 after you install a 3rd party firewall package like ZoneAlarm.
- Don't log-in as Administrator ever and make sure you're using a 15 character password with a few unicode characters in it for all accounts.
- Install a firewall router on your LAN and work from behind it.
- Don't use the same password on any other computer.
- Update your virus DAT files daily--maybe twice a day
- Run RKDetector every now and then just to make sure.
- Boot from a Knoppix CD once in a while to make sure you're not owned.
- If you enabled any kind of services, turn them off.
If you're running Linux, you'll need to practice the same kind of vigilance. Those boxes are 0wn3d more often by "real" people instead of zombie processor or worms. In fact, crackers like Linux boxes much more than Windows because they're more fun and harder to 0wn.
Macs are easily knocked over too if you're running services like SSH. A dictionary attack is trivial.
They all still suck :(
I'm surprised the RIAA didn't dig her up and piss on her corpse. I mean, why should the bitch rest in peace when she's responsible for all that lost corporate revenue with all the Snoop Dogg, Avril Lavigne, Dr. Dre, and Eminem files she shared with her punk-ass octogenarian miscreant fileswapping felonious scumbag friends? Right?
I'm sorry...was I on a sarcastic rant? he he
If OS/2 had the marketshare that Windows enjoys, perhaps there might not have been such interest in an OS "Messiah" like Linux which would not have led to its growth. But, maybe the user community might have resented OS/2 and sought MS as an alternative? Wouldn't that be ironic?
But, things are as they are. It's difficult to speculate how things would have been different. It's kinda fun having MS as the bad guy. They're so easy to loathe. Penguins are so cute, though. La la la. :)
Dude--EXACTLY! That's going to be their strategy.
But, just as people are tired of MSIE and going with Firefox, I think the same will happen with users pointing back to Google. Those "drone users" will eventually get tired of crappy search results. Google will have to take the hit--competition just does that. But unless their quality goes down the toilet (like Netscape), then they'll retain their dominant position--just with a little smaller numbers.
But, complacent users don't care about complacent technology or they wouldn't be using Windows to begin with [IMHO].
I think underestimating MSFT's audacity is a deadly business mistake. If they simply change the defaults to their own technologies, the millions of "drone users" out there won't know the difference--quality or not.
But, you're right! If the MS product/service sucks, people will get tired of it and install what they want. That's why Firefox is growing and why Google will probably survive unscathed.
Maybe I'm just pointing out the obvious, but I was only predicting MS's probable strategy not their success!
Let's see what Cringely will say! (heh!)
True about Netscape (hence my comments on their quality control issues). It will be interesting to see how MS tries to push its weight around. I suspect that this new search engine is another attempt at market dominance and control. But, like you said, Firefox is a new player and it's gaining ground.
I think it's important for web coders to adhere to W3C standards and not be sucked into IE-proprietary features. Once they've got you into their proprietary universe, you're M$ 0wn3d and they'll lock everyone else out.
I still think MS will try their same old tricks, but I agree that things are different this time.
Excellent point! The browser game has, indeed, changed. Thanks to Firefox, MSIE has real competition this time and there isn't the same margin of complacency they enjoyed against Netscape.
I think MS will try their same old brute-force tactics but they won't be as effective as long as Google keeps working towards excellence. MS just can't compete there.
Let's take a look into the recent past:
How did MS's IE beat Netscape? By integrating it into Windows. Don't you think that MS plans to make this search technology 'hard wired' into future (or even current) Windows releases to circumvent users' access or choice in using Google?
Netscape also had some serious quality control issues which was the final nail into its coffin. I suspect, however, that Google is in a much better position to compete than Netscape ever was. But, they're going to have a serious fight on their hands--it's not about quality, it's all about quantity to Microsoft. The more drones out there who start using MS's search engines because the next Windows iteration pushes Google aside will start to erode at Google's profitability and they will play a long hard war of attrition.
I'm an exempt employee on salary--however, I have standard office hours--8:30 to 5 Monday through Friday. I also have access to my employer's computers and network. I don't think it's right for me to use those resources during those times to bad mouth my company on a blog. In fact, that's not just ignorant, it's arrogant to think that I would be entitled to do so.
If you don't believe in "company time" then by your arguments you are either always on personal time or you're always on company time. You have to learn to set and respect your own boundaries or other people (or your company) won't respect them either. You can't blame your company for being a slave driver if you tacitly give them permission to do so by your lack of clear boundaries.