Just because I fail to convince you of any Windows design flaws does not alter reality.
Certainly not due to stubbornness on my part -- I'm just asking you to specify a design/architectural flaw instead of using dubious links (rants actually) from people who know nothing.
You can call basic Windows security whatever you want -- "The best in the business!"
See -- this is a key difference. I'm not bad-mouthing any OS, or promoting any OS, or any agenda. I'm just debunking a very outdated myth.
if a fully patched Windows 7 machine without a firewall or AV software cannot last long before it is compromised
Who said it cannot last long? I merely said that you shouldn't even try this. Just be a little less stubborn and run AV. The outcome of this experiment is meaningless. Even if the OS is secure, you might be running a service that is not. You can contract a virus through ignorant user interactions. There are many ways of getting viruses that do not require compromising a security flaw in the OS. How do you not get this basic point??
then it sounds to me like you are either kidding yourself, or doing your best to sell a product.
Sure -- anybody defending Windows must have an agenda. Guys that writes articles title "Why windows security is awful" or "Why I hate Microsoft" are neutral third-party observers on the other hand.
The last time I asked you how long a fully patched Windows 7 machine without a firewall or AV software would last before it was compromised, you said that was immaterial -- but that is my whole point. To me, if Windows can never last long like that, that would be what I call intrinsically insecure.
My idea of an intrinsically secure OS is one that, under the same circumstances, can almost always be relied upon to survive uncompromised up to the next security update. An OS like that has to be designed from the ground up with security in mind. Somehow, though, I don't think it would be accurate to describe Windows that way.
You're effectively adjusting your definition for your own convenience -- you still cannot point out a design flaw. You need to point out a design flaw/architectural flaw to say that it's intrinsically insecure.
This is just a random list, compiled by someone on Wikipedia. From the article itself: In our context, "Security-focused" means that the project is devoted to increasing the security as a major goal. As such, something can be secure without being "security-focused." For example, almost all of the operating systems mentioned here are faced with security bug fixes in their lifetime. Regarding the highlighted part above: In who's content?
And this is an example of the blind leading the blind. You're willfully misinforming yourself by listening to people who know nothing. The guy calls DLLs insecure. Are you familiar with a.so in unix? Do you know the difference between a.so and a.dll? Answer -- there is none. The guy calls Active-X insecure -- (this is repeated ad-infinitum by people who basically know nothing about security). First -- Active-X itself was not the problem -- the problem was that it was enabled by default, which enabled sites use it to load malicious plugins. Problem fixed a very long time ago. In addition there are active-x killbits updates pushed out regularly (no other browser's gets these updates for their respective plugin technology, fyi). There is no material difference between active-x and any plugin technology for any other browser (for example look up mozilla's npapi -- they are equivalent, and do the same thing, and you can write malicious plugins using either one). Lastly, there are even more nasty things in the pipeline (look up NACL from Google) -- if you don't fear that one, and you fear Active-X, you've really outsourced all your thinking to slashdot, and decided not to do any of it yourself. Not to mention sandboxing for active-x again -- so again, your link is outdated and wrong, and your objection is outdated.
Next, the guy objects to OLE. Again -- do you think the equivalent technology does not exist in unix? The guy complains about macros -- yes, any time you have a parser, it is a security risk. This is well-known. This is one of the reasons browsers are such a huge target -- because they are parsers first and foremost, and what they parse is untrusted. Do you still never use a browser?? It goes back to what I told you earlier -- the only way to stay 100% uncompromised is to never use a computer at all. Is your goal to actually get some work done? If yes -- select the best tool for the job, and then secure the tool as best you can. That tool could very well be os-x, unix, linux, whatever. But you're fooling yourself if you think that
Just because I'm critical of Windows doesn't mean I'm spreading FUD. After all, if my opinion (and/or that list at vanwensveen.nl) was so terribly off, then why is Windows security still so dependent on firewalls and AV software? As I said, the individual applications that make up those systems are still not configured to be safe by default (I suspect because M$ think it's more user-friendly that way), which is what I mean by intrinsic insecurity. Windows doesn't have to be that way, you know.
Being critical when your criticism is based on facts is not FUD. Being critical (woeful intrinsic insecurity -- remember) without a single piece of evidence to back it up and just mere conjecture remaining (why is Windows security "still so dependant" on firewalls and AV software) -- that's FUD.
I understand your reasons for using Linux. Even without those reasons, it's entirely possible that Linux is the best tool for whatever task you might have. And even without those reasons, and even if Linux is not the best tool for the job, you can still use Linux just because you feel like it, and nobody can/should be able to tell you to do otherwise. My point is merely this -- you said Windows had woeful intrinsic insecurity, and I contend that your view is incorrect and outdated. FUD is FUD no matter who is spreading it.
I'm familiar / comfortable with every OS there is.. I use Windows and Linux a lot more than OS-X though..
But, if what you say about the current state of Windows security is true, then IMO it should no longer be necessary for Windows machines to rely so heavily on their own individual firewalls and AV software for security.
You're making a case that either Windows has "woeful intrinsic insecurity" or it is impenetrable. You don't see that there can be some shades of grey between those two stances? All OSes lie within those shades of grey. Show me an impenetrable OS, and I'll show you an OS with no external interfaces. You're also overlooking the fact that not all malware requires a security hole -- sometimes it just takes an uninformed user. So no -- at no point did I suggest that Windows should not require AV, and I don't understand how you can derive that from what I said.
So, how long do you think your own fully patched Windows 7 workstation, connected to the Internet, used normally but without running its own firewall or AV software, would last without being compromised in some way? A day, a week, a month...?
Immaterial -- even if the machine got compromised eventually it would not prove your claim about "woeful intrinsic insecurity". Like I said -- many shades of grey between zero security and complete impenetrability. The world is not black and white like that.
That article doesn't say anything except that Apple have been caught producing sloppy code (mostly for Safari) after resting on their laurels (the reputation of their BSD-derived Darwin OS) for too long. If Dr. Miller currently finds it harder to find *new* vulnerabilities in Windows than in OS X, that doesn't mean Windows is now inherently more secure: it still has many other vulnerabilities that take too long to get fixed, and sometimes never do. Which is why the vast majority of all worms, viruses, etc. are still for Windows (and not just because of their market share).
The above applies for all OSes, bar none. Your comment about "woeful intrinsic insecurity" is simply outdated in the days of DEP, ASLR, LUA, sandboxing, user mode drivers, etc. (i.e. in the post-Vista world). If you disagree, please mention the instrinsic insecurity you're refering to. We can have a reasonable conversation about this if we cite specifics.
Furthermore, all versions of M$ Windows have a number of fundamental design flaws. Here's a nice list: A brief overview of Windows' most serious design flaws [vanwensveen.nl] Although this document appears to be four years old, I kind of doubt that many of these issues have been addressed in the mean time.
Was that piece titled "why I hate Microsoft"? It's objectivity is already in question for that title. It also looks incredibly stale to the point that it's disingenuous of you to post it! In any case:
1. Limited memory protection and memory management. He himself admits this was solved in Windows 2000. See what I mean about your views being outdated? It was actually never an issue in any NT-based Windows.
2. Insufficient process management. The OS relies heavily upon the application to release allocated resources. Wow! This goes back to the Win3.x/95/98 days (DOS kernel, before pre-emptive multitasking). It never applied to the NT kernel. Outdated view.
3. No adequate separation between user-level and kernel-level code. An outdated view again -- see what I wrote above about user-mode drivers. That especially applies to graphics drivers, which is the precise example taken in this blog. That change was also one of the main 'growing pains' with all the graphics drivers issues people experienced with Vista (due to OEMs being slow to update their drivers). His complaint about drivers signing shows a lack of understanding about the purpose of code-signing. It doesn't do anything to improve 'stability'. It protects your system by validating that the module you're about to load has not been tampered with, and by making the vendor of that module traceable (and therefore culpable for their actions).
4. No adequate separation of different kernel-level code types. Outdated. Read up on the modularization work that was done leading to the MinWin kernel.
5. Lack of meaningful error messages. Forget outdated -- this is subjective, and it is not a security issue, let alone "woeful intrinsic insecurity"
6. No maintenance mode. What does this even have to do with security? Never mind that there *is* a maintenance mode, and its better implemented than any other OS.
7. No code sharing. Only DLL code can be shared. WTF does this even mean? And how is it related to security?
8. No version control whatsoever on DLL code. Outdated again. Read up on WinSxS, shadowcopy, etc.
9. A very rudimentary and weak security model. Microsoft products have the worst security rating (and track record) in the industry. Their developers seem to have been completely unaware of even basic security issues. Outdated view again. And while the guy who wrote that felt free to write any thing that came to his mind, and provide no proof or references, I will provide some:
http://www.zdnet.com/blog/bott/windows-security-wrap-up-praise-for-vista-and-a-historic-first/375
This would be such a gigantic win for MS *and* consumers -- if govts prohibit this action it would be proof positive that antitrust law is for sale to the highest bidder..
Gigantic win:
1) Customers no longer need to spend money on alternative AVs unless they absolutely want to (most will not, some companies might).
2) Customers who don't know squat are automatically protected
3) As customers get more accustomed to not having to worry about antivirus, they will become less likely to fall prey to AV email spam and popup 'AV' tojan installers, etc.
4) MSE is one of the lower footprint AV engines out there -- again less hassle for users
5) MSE is also one of the better AV engines when it comes to just keeping itself up to date without hassling the user -- again users win.
6) The experience of booting a new computer the first time will be a lot less frightening for novice users (who usually get assaulted by a zillion notices about their AV being outdated)
One key piece of this puzzle is MS working with their OEMs. On paper all this is good and dandy. But if the Dells and HPs of the world still get $3 (I took that out of thin air) from Symantec for each trial copy of AV installed, complete with nag-screens and all, then they will not change their behaviour, and the end result is zero improvement for the user. MS needs to work with their OEMs and convince them that they will serve their customers better by not installing that crap aka scareware.. Remains to be seen if it will actually happen..
If there's any cases at all remaining, then there's a fundamental problem in the architecture. Why would there only be a few cases if the vulnerability still exists?
In the architecture of what? You're citing flaws from 10 years ago, and hanging your hat on one very tiny point, and behaving like an indolent child, all at the same time. Add some specifics, and let's talk.
Bullshit. If you can just click on an email and this leads to your system being rooted, there's something fundamentally wrong with the software architecture. Same goes for ads on websites. There should never be any way of executing arbitrary code from an email or web site.
So Microsoft should leave the Kelihos botnet running? I don't follow your point.
They're certainly being a bit hostile towards their users. To hide information from users is to disempower them.
Having settled on their policy to only support the latest version, why can't they just stand by that policy. Why do they need to hide information from users?
The mom-and-pop book stores you long for were dying out harder and faster than Borders did, and the ones that survive do so because they've found things beyond the collections of books you mention to sell...
The mom & pops were dying out because Borders undercut them on best sellers and the more popular specialized books. They would come to town, hoover (vacuum, for our American friends) up the customer base with "20% off all best sellers!" and also offering a wider selection of specialized books in knitting, cooking, history, science, etc. Very often, a best selling computer book would suddenly get "30% off!".
True enough -- and its the natural order of things. GP was dancing on their grave, and that's not cool. There was a time when groceries were always done at a local store -- supermarkets killed most local grocers. Once companies figure out how to sell groceries online, supermarkets will be in jeopardy as well. Technology and economies of scale constantly bring about the death of one model and replace it with another. We mourned the passing of mom & pop stores (quite rightly) and there's no need to celebrate Borders' demise. Whatever you choose to do, his point is correct that GP was talking out of ass when saying that Borders could have survived as a mon & pop.
Honestly they were overpriced on everything. I have not set foot in a borders or a Barnes and Noble for 3 years now because of their price gouging.
It might look that way but its just a case of their costs being higher. If you compare with Amazon, Borders has to transport books to stores, maintain a perpetual inventory of perhaps 1 million books at each store, still have a lower selection that whats available online, pay rent on the stores, payroll costs, etc. Their business model got outmoded by online booksellers and they got priced out of the market.
No I'm not a trendy yuppie who wants a $4.00 coffee while I browse your store trying to look trendy.
And that's alright.. you don't have to buy coffee, or look trendy.. you were always welcome to settle down in a chair and read as long as you wanted to or browse as long as you wanted to, and dress however you wanted to. The warmth and serenity in a bookstore is a wonderful thing.
Honestly they went for "upscale" instead of a model that would have survived..
At some point, changing your model means changing who or what you are. See the cost factor I mentioned above. The only way to get on par with Amazon's costs would have been to become like Amazon. That would transform them from a bookstore chain to a technology + logistics / fulfillment company.
If they would have stuck as a "mom and pop" ish look and had a big old book or used book section they would still be thriving today.
You don't seem to know anything about Borders. Borders Group Inc. has the large format Borders stores, the much smaller Waldenbooks stores that you see in malls / airports etc., and they sell online (relatively recent), they sell used books, etc. They were the second largest boostore chain in the US (perhaps in the world) with a presence in multiple countries (Australia, Singapore, UK etc.). You can't do that, and be a mom and pop store. You haven't run any numbers and don't seem to know anything about the book business -- on what basis do you think they would have survived if they emulated a mom and pop model / look?
Instead they took the "snobby U of M rich guy in a turtleneck" direction instead.....
This is just some silly preconceived notion you have about it.
I've seen lots of digital cameras (portable devices) that changed from portrait to landscape orientation using accelerometers. And they did that for at least 5 years before the iphone.
you'd think Microsoft Patch Tuesdays cause nuclear apocalypses every month
The security fixes in patch Tuesday don't contain new features. The assumption is generally made that when you run your monthly tests, the tests will pass, and then you will deploy the patches. That assumption fails when security patches are mixed with new features, mixed with ambiguous roadmap a mere 6+ months down the road.
We will test it in a lab environment and then push out the new version with our deployment software to all machines at once.
But if your testing fails, what is your recourse? Your scenario assumes your tests will always pass!
The app / plugin that broke could be authored in-house or externally -- fixing it (and deploying its fix) could take time. Do you run with an unpatched browser while waiting on that fix, or do you patch the browser (to stay secure) but break the app?
And what about having to do that all over again in 3 months.
This is why security fixes aren't co-mingled with features. Your above assumption of "tests will always pass" becomes a reasonable assumption when that's the case. That's what Mozilla / you / Peter Bright aren't getting. Mozilla in particular aren't just saying they'll mix features with security fixes -- they're saying it'll happen every 3 months. Is there even a roadmap for what your browser will have evolved into, a mere 1.25 years from now (i.e. 5 releases from now)?
He pulls Ballmer's strings? Since when has anyone pulled Ballmer's strings? The CEO of Google was on Apple's board, did he pull Job's strings? If you think that, you are delusional.
October 2010 -- The Microsoft board of directors cut Ballmer's bonus in half citing his performance. Link.
Pushed, as in Microsoft had an inside man who had a conflict of interest
You're still not getting the way this relationship works. The conflict of interest goes the other way. Suggest looking up how board of directors renumeration works. Netflix CEO gains (and has a conflict) in coaxing MS Execs to move towards Netflix. Reason: MS integrating Netflix into services gets Netflix more income so Netflix CEO's stock value increases, bonuses increase, salary increases. Netflix CEO gains nil when coaxing Netflix to move to MS technologies. Prove that statement wrong, and you have a case. In your analogy, btw, you're suggesting that Jobs had influence over Google because of Eric Smith being on Apple's board. How did that even parse?
The CEO made a choice that was against that of his customers (you can call it rambling, but when thousands of customers are simultaneously "rambling" it is usually a bad sign.
That is truly an orthogonal issue. You said Microsoft 'pushed' Netflix. This is your evidence?
You ignored, completely, the meaning of eat their own dog food. I pointed out, very clearly, that technical support is NOT (repeat: NOT) what I meant.
1. Maybe you should look up the term dogfood -- it refers to internal betas. Nevermind -- that's splitting hairs. I get your larger point.
2. Maybe you shouldn't have used the word 'stopped supporting' in your previous post, and then watered-down your claim to 'stopped dogfooding'.
3. They stopped using it on one site. From this you conclude 'stopped using'?
4. Support lifecycle is infinitely more important than 'oh, MS stopped using SL on skydrive'.
5. If you're not prepared to defend your inflammatory posts, maybe you shouldn't make them in the first place, instead of watering down your claim and then claiming that I'm ignoring your content.
That makes you either ignorant, or a troll. I quite honestly would respect you more if it were the latter.
See your original post in this thread. Evaluate it for inflammatory content, factual correctness, etc. Then call me a troll. I'll merely say this -- if my responses sound terse, it's not because i'm trying to be rude or anything.. just at work with limited time..
They share a board member, if I remember correctly.
You remember wrong. Reed Hastings is the Netflix CEO (not board member -- big difference) -- and he serves on Microsoft's Board. In short he gets to pull Ballmer's strings, but not vice versa.
They also did so to the ire of most users. Silverlight was initially not available on all platforms, such as linux. As a linux user myself, that meant the console I built for my TV no longer worked with Netflix. That support has been added, but is still not up to par (in my opinion) to Flash for in browser viewing. It was "pushed" because the it was NOT a user driven feature. In fact, the forums were filled with anger and hate. Whether it was DRM or not, MS pushed itself as a solution.
Orthogonal issue + rambling. You claimed Microsoft *pushed* Netflix to use Silverlight. How?
When they stop using it. A better term may have been to say that they stopped eating their own dog food. They don't support it in the sense of lending it credibility, not in terms of "customer support", but more in the sense of moral support. If Google employees stopped using Gmail and instead switched to Exchange, I'd consider that dropping internal support. They would no longer support Gmail as the best option, in that case.
http://support.microsoft.com/gp/lifean45
In short, you'll hear about it from Microsoft when they decide to discontinue support. And when you hear about it, you'll have 1 year to act, from that point. And you'll have paid support options past that date if you choose to use it. Suggest you stop spreading disinformation.
Man.. what kind of fact-free rant is that.. do you actually believe some of that nonsense?
I just don't have the patience to get into one of those "my platform is better than your platform" garbage discussions (and I really don't intend to diss your platform) so let me just ask you a couple of questions:
1. Where did you get the number (few hundreds) from?
2. Regarding the "only reason" -- you don't think an unsafe default setting (to run 'safe' files) combined with a murky definition of 'safe' files are contributing factors?
3. Why do you need to bring Windows into the conversation? I fail to see how its relevant to this topic. (not to mention that your comparison of registry vs. p-list is pure garbage!)
4. What's with using so much capitalization? I can see you're trying to be forceful about making your point, but don't you think you should know what you're talking about before you yell?
All this really 'proves' is that 95% of the people who are smart enough to download a free AV program....
This is a malware removal tool for people who already think they have a virus. See the Microsoft Safety Scanner main page. The very first words on that page are Do you think your PC has a virus? Not to mention it expires 10 days after download. Clearly not an AV for 'smart' people.
....except it probably can't possibly be LESS than 5%
Considering MSS is for people who think they already have a virus, I think the only conclusion you can draw is that slashdot headlines are some of the most worthless pieces of shit on the internet (and that's saying soemthing)
Can you help me observe this behavior? I don't know what to search for to make it happen.
I don't know what to search for either -- but that's what I gathered from what I've read about Mac Defender so far (seriously -- the lack of details is fucking apalling -- and the fan boy wars make it even harder to sift out details from among the rubble).
I read somewhere that Mac Defender relies on SEO poisoning to get users to get users to download the installer -- so putting on my thinking hat (a black hat obviously), my dream SEO poisoning exploit would try to present relevant images as the thumbnail in the result, but the link that the result points to is actually the installer (not a webpage). The user presented with a bunch of search results would have no way of knowing which results are benign and which ones are malicious. On clicking a malicious result, since that link points to an installer (i.e. a type of file that is to be automatically downloaded, and run, rather than a webpage), Safari will download the file, and run it.
Above paragraph is my conjecture, based on reading the words "SEO poising". I can't test it as I don't have a Mac. And I would rather kill myself than parse through a million fanboy comments hoping someone has provided pertinent details. Looking for a poisoned result on my Win7 machine would be rather brave (I mean, what if I find something?:P).. And I'm at work right now (late, I know) and my Narwhal laptop is at home so I can't use that either.
Slashdot Mirror
Just because I fail to convince you of any Windows design flaws does not alter reality.
Certainly not due to stubbornness on my part -- I'm just asking you to specify a design/architectural flaw instead of using dubious links (rants actually) from people who know nothing.
You can call basic Windows security whatever you want -- "The best in the business!"
See -- this is a key difference. I'm not bad-mouthing any OS, or promoting any OS, or any agenda. I'm just debunking a very outdated myth.
if a fully patched Windows 7 machine without a firewall or AV software cannot last long before it is compromised
Who said it cannot last long? I merely said that you shouldn't even try this. Just be a little less stubborn and run AV. The outcome of this experiment is meaningless. Even if the OS is secure, you might be running a service that is not. You can contract a virus through ignorant user interactions. There are many ways of getting viruses that do not require compromising a security flaw in the OS. How do you not get this basic point??
then it sounds to me like you are either kidding yourself, or doing your best to sell a product.
Sure -- anybody defending Windows must have an agenda. Guys that writes articles title "Why windows security is awful" or "Why I hate Microsoft" are neutral third-party observers on the other hand.
The last time I asked you how long a fully patched Windows 7 machine without a firewall or AV software would last before it was compromised, you said that was immaterial -- but that is my whole point. To me, if Windows can never last long like that, that would be what I call intrinsically insecure. My idea of an intrinsically secure OS is one that, under the same circumstances, can almost always be relied upon to survive uncompromised up to the next security update. An OS like that has to be designed from the ground up with security in mind. Somehow, though, I don't think it would be accurate to describe Windows that way.
You're effectively adjusting your definition for your own convenience -- you still cannot point out a design flaw. You need to point out a design flaw/architectural flaw to say that it's intrinsically insecure.
Regarding your links:
Security-focused operating system
This is just a random list, compiled by someone on Wikipedia. From the article itself: In our context , "Security-focused" means that the project is devoted to increasing the security as a major goal. As such, something can be secure without being "security-focused." For example, almost all of the operating systems mentioned here are faced with security bug fixes in their lifetime. Regarding the highlighted part above: In who's content?
Security-evaluated operating system
Again -- just a random list of OSes with certain certifications. What random criteria are you using when selecting these silly links??
Why Windows security is awful
And this is an example of the blind leading the blind. You're willfully misinforming yourself by listening to people who know nothing. The guy calls DLLs insecure. Are you familiar with a .so in unix? Do you know the difference between a .so and a .dll? Answer -- there is none. The guy calls Active-X insecure -- (this is repeated ad-infinitum by people who basically know nothing about security). First -- Active-X itself was not the problem -- the problem was that it was enabled by default, which enabled sites use it to load malicious plugins. Problem fixed a very long time ago. In addition there are active-x killbits updates pushed out regularly (no other browser's gets these updates for their respective plugin technology, fyi). There is no material difference between active-x and any plugin technology for any other browser (for example look up mozilla's npapi -- they are equivalent, and do the same thing, and you can write malicious plugins using either one). Lastly, there are even more nasty things in the pipeline (look up NACL from Google) -- if you don't fear that one, and you fear Active-X, you've really outsourced all your thinking to slashdot, and decided not to do any of it yourself. Not to mention sandboxing for active-x again -- so again, your link is outdated and wrong, and your objection is outdated.
Next, the guy objects to OLE. Again -- do you think the equivalent technology does not exist in unix? The guy complains about macros -- yes, any time you have a parser, it is a security risk. This is well-known. This is one of the reasons browsers are such a huge target -- because they are parsers first and foremost, and what they parse is untrusted. Do you still never use a browser?? It goes back to what I told you earlier -- the only way to stay 100% uncompromised is to never use a computer at all. Is your goal to actually get some work done? If yes -- select the best tool for the job, and then secure the tool as best you can. That tool could very well be os-x, unix, linux, whatever. But you're fooling yourself if you think that
Just because I'm critical of Windows doesn't mean I'm spreading FUD. After all, if my opinion (and/or that list at vanwensveen.nl) was so terribly off, then why is Windows security still so dependent on firewalls and AV software? As I said, the individual applications that make up those systems are still not configured to be safe by default (I suspect because M$ think it's more user-friendly that way), which is what I mean by intrinsic insecurity. Windows doesn't have to be that way, you know.
Being critical when your criticism is based on facts is not FUD. Being critical (woeful intrinsic insecurity -- remember) without a single piece of evidence to back it up and just mere conjecture remaining (why is Windows security "still so dependant" on firewalls and AV software) -- that's FUD.
I understand your reasons for using Linux. Even without those reasons, it's entirely possible that Linux is the best tool for whatever task you might have. And even without those reasons, and even if Linux is not the best tool for the job, you can still use Linux just because you feel like it, and nobody can/should be able to tell you to do otherwise. My point is merely this -- you said Windows had woeful intrinsic insecurity, and I contend that your view is incorrect and outdated. FUD is FUD no matter who is spreading it.
But, if what you say about the current state of Windows security is true, then IMO it should no longer be necessary for Windows machines to rely so heavily on their own individual firewalls and AV software for security.
You're making a case that either Windows has "woeful intrinsic insecurity" or it is impenetrable. You don't see that there can be some shades of grey between those two stances? All OSes lie within those shades of grey. Show me an impenetrable OS, and I'll show you an OS with no external interfaces. You're also overlooking the fact that not all malware requires a security hole -- sometimes it just takes an uninformed user. So no -- at no point did I suggest that Windows should not require AV, and I don't understand how you can derive that from what I said.
So, how long do you think your own fully patched Windows 7 workstation, connected to the Internet, used normally but without running its own firewall or AV software, would last without being compromised in some way? A day, a week, a month...?
Immaterial -- even if the machine got compromised eventually it would not prove your claim about "woeful intrinsic insecurity". Like I said -- many shades of grey between zero security and complete impenetrability. The world is not black and white like that.
That article doesn't say anything except that Apple have been caught producing sloppy code (mostly for Safari) after resting on their laurels (the reputation of their BSD-derived Darwin OS) for too long. If Dr. Miller currently finds it harder to find *new* vulnerabilities in Windows than in OS X, that doesn't mean Windows is now inherently more secure: it still has many other vulnerabilities that take too long to get fixed, and sometimes never do. Which is why the vast majority of all worms, viruses, etc. are still for Windows (and not just because of their market share).
The above applies for all OSes, bar none. Your comment about "woeful intrinsic insecurity" is simply outdated in the days of DEP, ASLR, LUA, sandboxing, user mode drivers, etc. (i.e. in the post-Vista world). If you disagree, please mention the instrinsic insecurity you're refering to. We can have a reasonable conversation about this if we cite specifics.
Furthermore, all versions of M$ Windows have a number of fundamental design flaws. Here's a nice list: A brief overview of Windows' most serious design flaws [vanwensveen.nl] Although this document appears to be four years old, I kind of doubt that many of these issues have been addressed in the mean time.
Was that piece titled "why I hate Microsoft"? It's objectivity is already in question for that title. It also looks incredibly stale to the point that it's disingenuous of you to post it! In any case:
1. Limited memory protection and memory management.
He himself admits this was solved in Windows 2000. See what I mean about your views being outdated? It was actually never an issue in any NT-based Windows.
2. Insufficient process management. The OS relies heavily upon the application to release allocated resources.
Wow! This goes back to the Win3.x/95/98 days (DOS kernel, before pre-emptive multitasking). It never applied to the NT kernel. Outdated view.
3. No adequate separation between user-level and kernel-level code.
An outdated view again -- see what I wrote above about user-mode drivers. That especially applies to graphics drivers, which is the precise example taken in this blog. That change was also one of the main 'growing pains' with all the graphics drivers issues people experienced with Vista (due to OEMs being slow to update their drivers). His complaint about drivers signing shows a lack of understanding about the purpose of code-signing. It doesn't do anything to improve 'stability'. It protects your system by validating that the module you're about to load has not been tampered with, and by making the vendor of that module traceable (and therefore culpable for their actions).
4. No adequate separation of different kernel-level code types.
Outdated. Read up on the modularization work that was done leading to the MinWin kernel.
5. Lack of meaningful error messages.
Forget outdated -- this is subjective, and it is not a security issue, let alone "woeful intrinsic insecurity"
6. No maintenance mode.
What does this even have to do with security? Never mind that there *is* a maintenance mode, and its better implemented than any other OS.
7. No code sharing. Only DLL code can be shared.
WTF does this even mean? And how is it related to security?
8. No version control whatsoever on DLL code.
Outdated again. Read up on WinSxS, shadowcopy, etc.
9. A very rudimentary and weak security model. Microsoft products have the worst security rating (and track record) in the industry. Their developers seem to have been completely unaware of even basic security issues.
Outdated view again. And while the guy who wrote that felt free to write any thing that came to his mind, and provide no proof or references, I will provide some:
http://www.zdnet.com/blog/bott/windows-security-wrap-up-praise-for-vista-and-a-historic-first/375
Look at it as a late attempt by M$...
Perhaps they would have done this earlier if Antitrust law did not prevent it?
...to compensate for the woeful intrinsic insecurity of their family of operating systems...
Your information is outdated by almost 5 years (you're talking about pre-Vista days). For example, read here: http://www.engadget.com/2011/11/18/the-engadget-interview-dr-charlie-miller/
That's a very unique and interesting take on the issue. Thanks.
This would be such a gigantic win for MS *and* consumers -- if govts prohibit this action it would be proof positive that antitrust law is for sale to the highest bidder..
Gigantic win:
1) Customers no longer need to spend money on alternative AVs unless they absolutely want to (most will not, some companies might).
2) Customers who don't know squat are automatically protected
3) As customers get more accustomed to not having to worry about antivirus, they will become less likely to fall prey to AV email spam and popup 'AV' tojan installers, etc.
4) MSE is one of the lower footprint AV engines out there -- again less hassle for users
5) MSE is also one of the better AV engines when it comes to just keeping itself up to date without hassling the user -- again users win.
6) The experience of booting a new computer the first time will be a lot less frightening for novice users (who usually get assaulted by a zillion notices about their AV being outdated)
One key piece of this puzzle is MS working with their OEMs. On paper all this is good and dandy. But if the Dells and HPs of the world still get $3 (I took that out of thin air) from Symantec for each trial copy of AV installed, complete with nag-screens and all, then they will not change their behaviour, and the end result is zero improvement for the user. MS needs to work with their OEMs and convince them that they will serve their customers better by not installing that crap aka scareware.. Remains to be seen if it will actually happen..
If there's any cases at all remaining, then there's a fundamental problem in the architecture. Why would there only be a few cases if the vulnerability still exists?
In the architecture of what? You're citing flaws from 10 years ago, and hanging your hat on one very tiny point, and behaving like an indolent child, all at the same time. Add some specifics, and let's talk.
Bullshit. If you can just click on an email and this leads to your system being rooted, there's something fundamentally wrong with the software architecture. Same goes for ads on websites. There should never be any way of executing arbitrary code from an email or web site.
So Microsoft should leave the Kelihos botnet running? I don't follow your point.
They're certainly being a bit hostile towards their users. To hide information from users is to disempower them.
Having settled on their policy to only support the latest version, why can't they just stand by that policy. Why do they need to hide information from users?
The mom-and-pop book stores you long for were dying out harder and faster than Borders did, and the ones that survive do so because they've found things beyond the collections of books you mention to sell ...
The mom & pops were dying out because Borders undercut them on best sellers and the more popular specialized books. They would come to town, hoover (vacuum, for our American friends) up the customer base with "20% off all best sellers!" and also offering a wider selection of specialized books in knitting, cooking, history, science, etc. Very often, a best selling computer book would suddenly get "30% off!".
True enough -- and its the natural order of things. GP was dancing on their grave, and that's not cool. There was a time when groceries were always done at a local store -- supermarkets killed most local grocers. Once companies figure out how to sell groceries online, supermarkets will be in jeopardy as well. Technology and economies of scale constantly bring about the death of one model and replace it with another. We mourned the passing of mom & pop stores (quite rightly) and there's no need to celebrate Borders' demise. Whatever you choose to do, his point is correct that GP was talking out of ass when saying that Borders could have survived as a mon & pop.
Honestly they were overpriced on everything. I have not set foot in a borders or a Barnes and Noble for 3 years now because of their price gouging.
It might look that way but its just a case of their costs being higher. If you compare with Amazon, Borders has to transport books to stores, maintain a perpetual inventory of perhaps 1 million books at each store, still have a lower selection that whats available online, pay rent on the stores, payroll costs, etc. Their business model got outmoded by online booksellers and they got priced out of the market.
No I'm not a trendy yuppie who wants a $4.00 coffee while I browse your store trying to look trendy.
And that's alright.. you don't have to buy coffee, or look trendy.. you were always welcome to settle down in a chair and read as long as you wanted to or browse as long as you wanted to, and dress however you wanted to. The warmth and serenity in a bookstore is a wonderful thing.
Honestly they went for "upscale" instead of a model that would have survived..
At some point, changing your model means changing who or what you are. See the cost factor I mentioned above. The only way to get on par with Amazon's costs would have been to become like Amazon. That would transform them from a bookstore chain to a technology + logistics / fulfillment company.
If they would have stuck as a "mom and pop" ish look and had a big old book or used book section they would still be thriving today.
You don't seem to know anything about Borders. Borders Group Inc. has the large format Borders stores, the much smaller Waldenbooks stores that you see in malls / airports etc., and they sell online (relatively recent), they sell used books, etc. They were the second largest boostore chain in the US (perhaps in the world) with a presence in multiple countries (Australia, Singapore, UK etc.). You can't do that, and be a mom and pop store. You haven't run any numbers and don't seem to know anything about the book business -- on what basis do you think they would have survived if they emulated a mom and pop model / look?
Instead they took the "snobby U of M rich guy in a turtleneck" direction instead.....
This is just some silly preconceived notion you have about it.
I've seen lots of digital cameras (portable devices) that changed from portrait to landscape orientation using accelerometers. And they did that for at least 5 years before the iphone.
Then don't take the shortcut of looking at the number and instead look at the changes.
I can't understand these responses!
What if you look at the changelist and see a major breaking change? Or discover one in your testing?
you'd think Microsoft Patch Tuesdays cause nuclear apocalypses every month
The security fixes in patch Tuesday don't contain new features. The assumption is generally made that when you run your monthly tests, the tests will pass, and then you will deploy the patches. That assumption fails when security patches are mixed with new features, mixed with ambiguous roadmap a mere 6+ months down the road.
We will test it in a lab environment and then push out the new version with our deployment software to all machines at once.
But if your testing fails, what is your recourse? Your scenario assumes your tests will always pass!
The app / plugin that broke could be authored in-house or externally -- fixing it (and deploying its fix) could take time. Do you run with an unpatched browser while waiting on that fix, or do you patch the browser (to stay secure) but break the app?
And what about having to do that all over again in 3 months.
This is why security fixes aren't co-mingled with features. Your above assumption of "tests will always pass" becomes a reasonable assumption when that's the case. That's what Mozilla / you / Peter Bright aren't getting. Mozilla in particular aren't just saying they'll mix features with security fixes -- they're saying it'll happen every 3 months. Is there even a roadmap for what your browser will have evolved into, a mere 1.25 years from now (i.e. 5 releases from now)?
New features in Firefox 5
Security updates don't contain new features. Mozilla themselves would take umbrage at your assertion.
He pulls Ballmer's strings? Since when has anyone pulled Ballmer's strings? The CEO of Google was on Apple's board, did he pull Job's strings? If you think that, you are delusional.
October 2010 -- The Microsoft board of directors cut Ballmer's bonus in half citing his performance. Link.
Pushed, as in Microsoft had an inside man who had a conflict of interest
You're still not getting the way this relationship works. The conflict of interest goes the other way. Suggest looking up how board of directors renumeration works. Netflix CEO gains (and has a conflict) in coaxing MS Execs to move towards Netflix. Reason: MS integrating Netflix into services gets Netflix more income so Netflix CEO's stock value increases, bonuses increase, salary increases. Netflix CEO gains nil when coaxing Netflix to move to MS technologies. Prove that statement wrong, and you have a case. In your analogy, btw, you're suggesting that Jobs had influence over Google because of Eric Smith being on Apple's board. How did that even parse?
The CEO made a choice that was against that of his customers (you can call it rambling, but when thousands of customers are simultaneously "rambling" it is usually a bad sign.
That is truly an orthogonal issue. You said Microsoft 'pushed' Netflix. This is your evidence?
You ignored, completely, the meaning of eat their own dog food. I pointed out, very clearly, that technical support is NOT (repeat: NOT) what I meant.
1. Maybe you should look up the term dogfood -- it refers to internal betas. Nevermind -- that's splitting hairs. I get your larger point. 2. Maybe you shouldn't have used the word 'stopped supporting' in your previous post, and then watered-down your claim to 'stopped dogfooding'. 3. They stopped using it on one site. From this you conclude 'stopped using'? 4. Support lifecycle is infinitely more important than 'oh, MS stopped using SL on skydrive'. 5. If you're not prepared to defend your inflammatory posts, maybe you shouldn't make them in the first place, instead of watering down your claim and then claiming that I'm ignoring your content.
That makes you either ignorant, or a troll. I quite honestly would respect you more if it were the latter.
See your original post in this thread. Evaluate it for inflammatory content, factual correctness, etc. Then call me a troll. I'll merely say this -- if my responses sound terse, it's not because i'm trying to be rude or anything.. just at work with limited time..
They share a board member, if I remember correctly.
You remember wrong. Reed Hastings is the Netflix CEO (not board member -- big difference) -- and he serves on Microsoft's Board. In short he gets to pull Ballmer's strings, but not vice versa.
They also did so to the ire of most users. Silverlight was initially not available on all platforms, such as linux. As a linux user myself, that meant the console I built for my TV no longer worked with Netflix. That support has been added, but is still not up to par (in my opinion) to Flash for in browser viewing. It was "pushed" because the it was NOT a user driven feature. In fact, the forums were filled with anger and hate. Whether it was DRM or not, MS pushed itself as a solution.
Orthogonal issue + rambling. You claimed Microsoft *pushed* Netflix to use Silverlight. How?
When they stop using it. A better term may have been to say that they stopped eating their own dog food. They don't support it in the sense of lending it credibility, not in terms of "customer support", but more in the sense of moral support. If Google employees stopped using Gmail and instead switched to Exchange, I'd consider that dropping internal support. They would no longer support Gmail as the best option, in that case.
http://support.microsoft.com/gp/lifean45 In short, you'll hear about it from Microsoft when they decide to discontinue support. And when you hear about it, you'll have 1 year to act, from that point. And you'll have paid support options past that date if you choose to use it. Suggest you stop spreading disinformation.
Microsoft made Silverlight, pushed a lot of sites to use it at the displeasure of many (Netflix), now they are dropping support?
1. How did Microsoft "push" Netflix?
2. When did Microsoft "drop support" for Silverlight?
Man.. what kind of fact-free rant is that.. do you actually believe some of that nonsense?
I just don't have the patience to get into one of those "my platform is better than your platform" garbage discussions (and I really don't intend to diss your platform) so let me just ask you a couple of questions:
1. Where did you get the number (few hundreds) from?
2. Regarding the "only reason" -- you don't think an unsafe default setting (to run 'safe' files) combined with a murky definition of 'safe' files are contributing factors?
3. Why do you need to bring Windows into the conversation? I fail to see how its relevant to this topic. (not to mention that your comparison of registry vs. p-list is pure garbage!)
4. What's with using so much capitalization? I can see you're trying to be forceful about making your point, but don't you think you should know what you're talking about before you yell?
All this really 'proves' is that 95% of the people who are smart enough to download a free AV program....
This is a malware removal tool for people who already think they have a virus. See the Microsoft Safety Scanner main page. The very first words on that page are Do you think your PC has a virus? Not to mention it expires 10 days after download. Clearly not an AV for 'smart' people.
....except it probably can't possibly be LESS than 5%
Considering MSS is for people who think they already have a virus, I think the only conclusion you can draw is that slashdot headlines are some of the most worthless pieces of shit on the internet (and that's saying soemthing)
Can you help me observe this behavior? I don't know what to search for to make it happen.
I don't know what to search for either -- but that's what I gathered from what I've read about Mac Defender so far (seriously -- the lack of details is fucking apalling -- and the fan boy wars make it even harder to sift out details from among the rubble).
I read somewhere that Mac Defender relies on SEO poisoning to get users to get users to download the installer -- so putting on my thinking hat (a black hat obviously), my dream SEO poisoning exploit would try to present relevant images as the thumbnail in the result, but the link that the result points to is actually the installer (not a webpage). The user presented with a bunch of search results would have no way of knowing which results are benign and which ones are malicious. On clicking a malicious result, since that link points to an installer (i.e. a type of file that is to be automatically downloaded, and run, rather than a webpage), Safari will download the file, and run it.
Above paragraph is my conjecture, based on reading the words "SEO poising". I can't test it as I don't have a Mac. And I would rather kill myself than parse through a million fanboy comments hoping someone has provided pertinent details. Looking for a poisoned result on my Win7 machine would be rather brave (I mean, what if I find something? :P).. And I'm at work right now (late, I know) and my Narwhal laptop is at home so I can't use that either.