Developer PROTIP: Unless you've fixed a huge, critical issue, just silently update your program the next time it's shut down. Don't notify me about regular updates, and don't make me manually check for them
Unless you're Microsoft... or Apple... If you're a major software vendor, don't even think about silently modifying your programs without letting the users know. Doing so would otherwise invoke the scorn and wrath of the /. community and other like minded, control freak zealots who see conspiracies behind every action.
In my experience the issue isn't with the Windows OS, but all of the applications. On my boxes I have Java wanting an update and Adobe products wanting updates. Firefox seems to want an update pretty frequently. The anti-virus starts to cry if it hasn't been updated lately. I think the point the report is making is that just about every application these days has its own update frequency. You can't manage non-Microsoft patches with WSUS. Even a product like SMS (or whatever they are calling it these days) requires someone to stay on top of all the recent releases, and create packages to push out to the workstations. The last time I tried to update Adobe Shockwave (and Flash) because of an update, the .msi installer version that Adobe puts out wasn't even up to date and didn't address the security issue. Adobe makes you jump through hoops to even get the .msi installer files in the first place.
I find it exasperating that my experience is almost always, "apply these patches", and then you can do some work with Windows. The good news (for me), I'm finally migrating EVERYTHING (as in replacing with) Macs and Linux. Time and money, that's all it takes.
Enjoy the brief respite while it lasts. My OSX box seems to want patches to be installed at least every couple of weeks. Even the Ubuntu server that I have in production seems to want an occasional reboot due to patch related processes.
Have you ever actually been to a conference? There are rows upon rows upon rows of chairs in large, or sometimes VERY large rooms. WTF are you talking about, run a CAT6 to every seat?
You bring up some interesting points about software RAID and server cores. You mention the performance benefit of hardware RAID, but you missed battery backed write cache. Now granted most people probably don't care, but again it comes down to the importance of the data. Unless you relish recommitting failed transactions, the BBWC is probably worth a few extra bucks.
Servers do have more cores these days, but the trend I've seen is toward virtualization. The box itself may have more cores, but those cores are being more heavily utilized than ever. What is your opinion of software RAID in that kind of environment? Granted, the question is sort of moot because most virtualized environments are going to SAN for storage, and that's one huge hardware RAID device, or is it a software RAID device? ;)
If you go the tape route make sure that you create two backup sets. That way if one of the tapes goes bad you still have a duplicate. FWIW and YMMV, but in 15 years of dealing with DAT, DLT and LTO tapes, I've never had a single one of them go bad. Like another poster mentioned, it is likely that your drive is going to be obsolete before your media goes bad.
One benefit that tape might have over an archived RAID set is that I know for sure a backup tape doesn't depend on a particular controller. You can inventory and catalog a tape in any drive. Can you plug a bunch of drives that were set up as RAID5 on a Promise controller into an Adaptec controller?
The obvious application that comes to mind for me is situations where data retention / security are an issue. You don't want your IRS agent taking a laptop with information home or on the road. On the other hand, there's no reason not to give the same agent a laptop that they can remotely connect into a secure system with. The same thing goes for HIPAA or any other regulations.
but we're almost being forced to move things Windows-way out of necessity/attrition.
What is the necessity that is driving you onto Windows? I'm curious because I started my professional IT career working on Netware (3.12 and 4.11). I spent the better part of the last decade working with Windows. My boss who ran the consulting firm I was working for had originally been a Netware guy and saw the writing on the wall with regards to Windows and the Microsoft behemoth. It is interesting to me that in this day and age, people are still looking at a switch to Microsoft as a necessity in face of open source solutions.
Just the fact that most users can actually figure out how to set their out-of-office message when they go on vacation is amusing. Doing this in Outlook is laughably difficult.
Laughably difficult? What crack are you smoking? You click Tools > Out of Office Assistant. The only way it could get any easier is to have the application read your mind and prompt you with a dialogue when it recognizes that you are thinking about vacation.
So, it is quite amazing that humanity has effectively wiped out small pox and there are efforts to wipe out polio, yet there's some supreme denial that we could ever hope to have a computer ecosystem that approaches that sort of environment with malware presuming just reasonable efforts.
Small pox and polio were arguably a survival of the species threat. A compromised machine sending out v1gr14 spam doesn't evoke the same, "Oh crap, we're going to DIE if we don't get this taken care of." level of response.
As others have pointed out, the issue with security and OS design comes down to cost. It involves a VERY LARGE number of production systems. Microsoft can't pull an Apple and just yank the plug on their 3% of the market and then release OSX and force everyone to buy their applications over again. Instead the best that we can hope for are incremental upgrades, and in the absence of upgrades, alternatives and better ways of doing things (in the form of Linux or what have you). Take a look at IE8 running on Win7 with DEP and ASLR. Will someone eventually break that combination of technology? Of course they will. But you can see the improvement. TFA this discussion is part of is about IE on XP. We might as well be crying about Netscape on Win95. Stop the presses! "Glitch found in 8 year old OS running legacy, deprecated browser!" It just reinforces my statement about malware targeting. They go for the low hanging fruit. They go for the most widely adopted technologies. There are way more XP and IE6/7 boxes than there are Win7/IE8 boxes.
The last time I personally saw a compromised Windows server in the real world was in 2004. It was an NT 4.0 SP6a machine. A client, despite being told not to, set up an unsecured wireless access point. They were next door to a Starbucks. It lasted a little more than a week before some exploit code blue screened it. On the workstation front, I haven't seen a workstation that I was responsible for compromised in four or five years at this point. However having spoken to friends and colleagues, I know that Windows boxes are getting owned through no real fault of their users. I don't hold users responsible for not being able to cough up the cash for real, external to the box itself, security products.
There are mitigation measures available to address most of the security concerns, and for most people and organizations, those measures are good enough. It is a cost of doing business that Microsoft passes onto their customers. The customers eat the cost because they need the apps. Customers are faced with spending money one way or the other. They either spend on security products and software updates, or they spend on development resources and build their own applications. Microsoft isn't the only vendor that pushes security updates. It seems like my Java VM updates itself once a month or so. Apple is pushing updates. Adobe is pushing updates. My Ubuntu box runs apt on a cron job to get updates. Software needs to be kept up to date.
As I've said before, if I were a developer, I wouldn't be using Microsoft technology because I've seen first hand what happens when you expect a customer to cough up thousands of dollars for Windows Server and SQL licenses ON TOP OF the cost of your application. The hosted in house on a Microsoft server market is rapidly shrinking. There is a reason Microsoft offers SQL Server MSDE. It is hard to compete with free. But this is getting off on a tangent, and flying far afield of the original point about small pox and computer security.
To use the health analogy, there are vaccines available. There are IDS and IPS products. There are proxy security products. There are AV products. If you're a responsible parent, you inoculate your children.
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users are leaving the secured network and hitting compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.
You brought up Linux servers and then jumped sideways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where are you going to focus the limited time that you have?
Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?
It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canonical's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?
Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The
They think malware and other system compromises are an inherent aspect of owning a computer.
They are. In the 1990s, despite "Windows boxes in the internet" (if you had a SLIP connection), all of the exploits that I saw were targeting SunOS and BSD. They were going after Apache. When Aleph One was writing about buffer overflows, do you think he was working with Windows apps?
Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.
At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.
If you want an idea of a secure operating system, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.
That seems to be a popular one these days. What preventative measures did you have in place to mitigate the infection vector? I haven't dealt with malware since I stopped working on people's home computers. My co-worker still does it for cash on the side and he's been dealing with that Internet Security 2010 a lot.
Given that you went to the trouble of rebuilding the whole thing, and I hope that after 10 hours, you really just formatted and reinstalled the apps. Why don't you image it, and have your wife save her files to a NAS? That way if it happens again, you can just load the image.
But I don't know anybody who uses the windows help system on purpose.
The people who use F1 for help are the same people who use WindowsKey+E instead of going to My Computer. F1 for help is standard for as long as Windows has been around and it is also context specific. If you hit F1 in an application, you get help for that application. Some applications take it even further and bring up function specific help depending on what portion of the application your mouse is hovering over, or your cursor is focused on.
Rather than taxing everyone before the fact it would make more sense to have ISPs tax the owners of infected computers. The government can develop a Snort-like product and mandate that ISPs use it. Any users that generate more than X number of alerts in Y period of time get charged. There would need to be some verification and appeal processes to weed out false positives.
If such an implementation is too expensive for a single ISP, move it up the chain. Monitor the peering points. Allow ISPs to tax each other on a quarterly basis. The ISPs that get taxed can figure out a way to pass on the costs to their customers.
Personally I'm against the whole idea. A tax requires some sort of monitoring. I don't like the idea of being monitored. If nothing else it adds latency and degrades the connection.
That sounds like a losing proposition. Most malware developers are looking at alternative vectors into the system because the core OS has been pretty well hardened.
The problem is that anti-virus alone can't handle malware. It does a pretty good job, but all it takes is one zero day Flash exploit, or a website with a compromised iFrame and your compute^H^H^HWindows box is hosed. By the time anti-virus starts throwing warnings, it is generally because the computer is already infected and it is trying to download other components that the AV software actually has signatures for.
That ES6000 is an email security appliance and not a firewall. Sonicwall firewalls are decent devices. I can only comment on them in the typical SMB deployment, but I've seen one handle 500 users on a DS3 connection without a problem. That included full IDS/IPS and gateway anti-virus on the connections.
If you need email security, why aren't you using Postini? They're ridiculously cheap for standard anti-spam / anti-virus filtering on your SMTP streams. We're paying about $4 per user for 125 users.
I just started playing the MW series with MW2. What is the benefit of having servers? The match making component seems to work fine. If you want to play with friends you can all join the same party. If you want to host a private game, you can set up your own match and invite whoever you want. The only lag I've ever dealt with in the game was network lag and not hardware lag. It seems like their P2P model works pretty well. I live in southern California and often times end up playing with other people in my region. During peak hours, it's pretty much 100% people from my region in a server of 12 or 18 people.
This thinking isn't new. It is the exact same thinking that has been prevalent among law enforcement and the government for as long as I've been working with networked computers. In the early to mid-1990s when I was young and cutting my teeth on all of these systems, there weren't any laws in place to punish offenders. The systems were wide open, using default passwords, hosting services that were wide open, etc. The hardest part of hacking a system was getting access to it, either by finding a dial up via wardialing or actually getting physical access to the site (in terms of phone switches and the like).
Two decades ago the government started passing a lot of laws that made it illegal to access systems that you don't own or have permission to audit. They never really locked down the systems. They never passed any laws that made it necessary to develop secure systems. They just implemented some pretty severe punishments for messing with the systems.
Rather than lock down the systems completely, they are going with surveillance and record keeping. Of course systems are way more hardened than they were in the past, but exploits are constantly coming out. Law enforcement online is like law enforcement in the physical world. They just want to clean up after the fact and try to hold some people accountable for illegal actions.
As responsible citizens our only choice seems to be to stop consuming the content that the corporations want to protect, while at the same time standing up for our Constitutional rights as we drag them online. We should be able to speak freely, peacefully assemble and the like. As far as I can tell, ACTA has to do with copyright law and intellectual property. If you aren't swapping warez or pirating movies and music and books, you should be fine.
Unless IT guys get bribed by MS or they are plain stupid/ignorant, there are very very good solutions to access Exchange/MS servers on Blackberry and Symbian. In fact, Symbian ones come free in general.
Don't forget that Apple finally got on the bandwagon and licensed Active Sync from Microsoft. Now the iPhone seamlessly syncs with Exchange mail, calendar and tasks. If I weren't such a purist and attached to the keyboard on my Blackberry, I'd consider an iPhone.
Apple needs more than a price drop to compete in enterprise space. They need a lot of developers and a good number of years to come up with worthwhile application stack that speaks to the business market. I doubt they will ever go there. As Apple fans are fond of saying, "You aren't Apple's target market." Apple's target market seems to be consumers with extra cash to spend, and consumers who want a reliable, consumer based computing experience. They don't care about ERP or CRM or IT.
Executives only care about being reliably connected to their information. The Blackberry is probably the worst device I have ever used, except for one feature: e-mail. It's always on, works well internationally, and their business devices have very type-able keyboards.
You got it mostly right. I'd suggest that a reliable Calendar is of equal importance to email. As soon as you make the jump from "doing things" to "meeting with and giving direction to people who do things", that calendar becomes very important.
I'm glad that someone got a chuckle out of it before it was modded into oblivion. Those OSX users sure are a sensitive bunch.
I want to throttle just about every OSX user I've ever met.
It is used in quite a few large organizations and governments ... like the state of California.
http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure
The last time I personally saw a compromised Windows server in the real world was in 2004. It was a NT 4.0 SP6a machine. A client, despite being told not to, setup an unsecured wireless access point. They were next door to a Starbucks. It lasted a little more than a week before some exploit code blue screened it. On the workstation front, I haven't seen a workstation that I was responsible for compromised in four or five years at this point. However having spoken to friends and colleagues, I know that Windows boxes are getting owned through no real fault of their users. I don't hold users responsible for not being able to cough up the cash for real, external to the box itself, security products.
There are mitigation measures available to address most of the security concerns, and for most people and organizations, those measures are good enough. It is a cost of doing business that Microsoft passes onto their customers. The customers eat the cost because they need the apps. Customers are faced with spending money one way or the other. They either spend on security products and software updates, or they spend on development resources and build their own applications. Microsoft isn't the only vendor that pushes security updates. It seems like my Java VM updates itself once a month or so. Apple is pushing updates. Adobe is pushing updates. My Ubuntu box runs apt on a cron job to get updates. Software needs to be kept up to date.
As I've said before, if I were a developer, I wouldn't be using Microsoft technology because I've seen first hand what happens when you expect a customer to cough up thousands of dollars for Windows Server and SQL licenses ON TOP OF the cost of your application. The hosted in house on a Microsoft server market is rapidly shrinking. There is a reason Microsoft offers SQL Server MSDE. It is hard to compete with free. But this is getting off on a tangent, and flying far afield of the original point about small pox and computer security.
To use the health analogy, there are vaccines available. There are IDS and IPS products. There are proxy security products. There are AV products. If you're a responsible parent, you innoculate your children.
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users are leave the secured network and hitting compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.
You brought up Linux servers and then jumped sidways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be a serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where you are going to focus the limited time that you have?
Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?
It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canonical's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?
Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The
They think malware and other system compromises are an inherent aspect of owning a computer.
They are. In the 1990s, despite "Windows boxes in the internet" (if you had a SLIP connection), all of the exploits that I saw were targeting SunOS and BSD. They were going after Apache. When Aleph One was writing about buffer overflows, do you think he was working with Windows apps?
Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.
At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.
If you want an idea of a secure operating system, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.
That seems to be a popular one these days. What preventative measures did you have in place to mitigate the infection vector? I haven't dealt with malware since I stopped working on people's home computers. My co-worker still does it for cash on the side and he's been dealing with that Internet Security 2010 a lot.
Given that you went to the trouble of rebuilding the whole thing, and I hope that after 10 hours, you really just formatted and reinstalled the apps. Why don't you image it, and have your wife save her files to a NAS? That way if it happens again, you can just load the image.
But I don't know anybody who uses the windows help system on purpose.
The people who use F1 for help are the same people who use WindowsKey+E instead of going to My Computer. F1 for help is standard for as long as Windows has been around and it is also context specific. If you hit F1 in an application, you get help for that application. Some applications take it even further and bring up function specific help depending on what portion of the application your mouse is hovering over, or your cursor is focused on.
Rather than taxing everyone before the fact it would make more sense to have ISPs tax the owners of infected computers. The government can develop a Snort-like product and mandate that ISPs use it. Any users that generate more than X number of alerts in Y period of time get charged. There would need to be some verification and appeal processes to weed out false positives.
If such an implementation is too expensive for a single ISP, move it up the chain. Monitor the peering points. Allow ISPs to tax each other on a quarterly basis. The ISPs that get taxed can figure out a way to pass on the costs to their customers.
Personally I'm against the whole idea. A tax requires some sort of monitoring. I don't like the idea of being monitored. If nothing else it adds latency and degrades the connection.
That sounds like a losing proposition. Most malware developers are looking at alternative vectors into the system because the core OS has been pretty well hardened.
The problem is that anti-virus alone can't handle malware. It does a pretty good job, but all it takes is one zero day Flash exploit, or a website with a compromised iFrame and your compute^H^H^HWindows box is hosed. By the time anti-virus starts throwing warnings, it is generally because the computer is already infected and it is trying to download other components that the AV software actually has signatures for.
That ES6000 is an email security appliance and not a firewall. Sonicwall firewalls are decent devices. I can only comment on them in the typical SMB deployment, but I've seen one handle 500 users on a DS3 connection without a problem. That included full IDS/IPS and gateway anti-virus on the connections.
If you need email security, why aren't you using Postini? They're ridiculously cheap for standard anti-spam / anti-virus filtering on your SMTP streams. We're paying about $4 per user for 125 users.
I just started playing the MW series with MW2. What is the benefit of having servers? The match making component seems to work fine. If you want to play with friends you can all join the same party. If you want to host a private game, you can setup your own match and invite whoever you want. The only lag I've ever dealt with in the game was network lag and not hardware lag. It seems like their P2P model works pretty well. I live in southern California and often times end up playing with other people in my region. During peak hours, it's pretty much 100% people from my region in a server of 12 or 18 people.
This thinking isn't new. It is the exact same thinking that has been prevalent among law enforcement and the government for as long as I've been working with networked computers. In the early to mid-1990s when I was young and cutting my teeth on all of these systems, there weren't any laws in place to punish offenders. The systems were wide open, using default passwords, hosting services that were wide open, etc. The hardest part of hacking a system was getting access to it, either by finding a dial up via wardialing or actually getting physical access to the site (in terms of phone switches and the like).
Two decades ago the government started passing a lot of laws that made it illegal to access systems that you don't own or have permission to audit. They never really locked down the systems. They never passed any laws that made it necessary to develop secure systems. They just implemented some pretty severe punishments for messing with the systems.
Rather than lock down the systems completely, they are going with surveillance and record keeping. Of course systems are way more hardened than they were in the past, but exploits are constantly coming out. Law enforcement online is like law enforcement in the physical world. They just want to clean up after the fact and try to hold some people accountable for illegal actions.
As responsible citizens our only choice seems to be to stop consuming the content that the corporations want to protect, while at the same time standing up for our Constitutional rights as we drag them online. We should be able to speak freely, peacefully assemble and the like. As far as I can tell, ACTA has to do with copyright law and intellectual property. If you aren't swapping warez or pirating movies and music and books, you should be fine.
Unless IT guys get bribed by MS or they are plain stupid/ignorant, there are very very good solutions to access Exchange/MS servers on Blackberry and Symbian. In fact, Symbian ones come free in general.
Don't forget that Apple finally got on the bandwagon and licensed Active Sync from Microsoft. Now the iPhone seamlessly syncs with Exchange mail, calendar and tasks. If I weren't such a purist and attached to the keyboard on my Blackberry, I'd consider an iPhone.
If Apple dropped their prices
Apple needs more than a price drop to compete in enterprise space. They need a lot of developers and a good number of years to come up with a worthwhile application stack that speaks to the business market. I doubt they will ever go there. As Apple fans are fond of saying, "You aren't Apple's target market." Apple's target market seems to be consumers with extra cash to spend, and consumers who want a reliable, consumer based computing experience. They don't care about ERP or CRM or IT.
Executives only care about being reliably connected to their information. The Blackberry is probably the worst device I have ever used, except for one feature: e-mail. It's always on, works well internationally, and their business devices have very type-able keyboards.
You got it mostly right. I'd suggest that a reliable Calendar is of equal importance to email. As soon as you make the jump from "doing things" to "meeting with and giving direction to people who do things", that calendar becomes very important.