Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Microsoft Operating Systems Security Software

Windows Is 'Insecure By Design,' Says Washington Post 1326

Posted by timothy
from the tradeoffs-are-everywhere dept.
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
This discussion has been archived. No new comments can be posted.

Windows Is 'Insecure By Design,' Says Washington Post

Comments Filter:
  • Ummm... (Score:4, Funny)

    by Exitthree (646294) on Sunday August 24, 2003 @06:35PM (#6780013) Homepage
    But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.

    Except the Mac and Linux users in charge of those systems... ;)

    • Re:Ummm... (Score:5, Insightful)

      by Li0n (110271) on Sunday August 24, 2003 @06:46PM (#6780102) Homepage
      indeed...

      I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

      That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me everytime I connect to the Internet... what can it be?..."

      And people wonder why techies are grumpy...
      • Re:Ummm... (Score:5, Funny)

        by Geek of Tech (678002) on Sunday August 24, 2003 @07:35PM (#6780433) Homepage Journal
        And people wonder why techies are grumpy...

        Well, yeah, because you know we all make so much money...

        Yeah.....

      • Re:Ummm... (Score:4, Interesting)

        by Sandor at the Zoo (98013) on Sunday August 24, 2003 @08:20PM (#6780679)
        I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

        That's why I tell my family: If you want help with your computer, buy a Mac. I don't support PCs.

        Just about everyone in my family has a Mac.

        It's a win-win for me, since the amount of support you have to do for a Mac user is virtually nil -- they just work. :-)

      • Re:Ummm... (Score:5, Funny)

        by SillySlashdotName (466702) on Sunday August 24, 2003 @09:03PM (#6780900)
        As well as bashful, sleepy, sneezy, dopey,...

      • Re:Ummm... (Score:5, Interesting)

        by oliphaunt (124016) on Sunday August 24, 2003 @11:02PM (#6781501) Homepage
        why not offer them a choice?

        I'll help you move to linux for free, or I'll charge you $50 to fix your system this time.

        tell them the charge will double each time they need help, for either system.
    • Re:Ummm... (Score:5, Insightful)

      by aussersterne (212916) on Sunday August 24, 2003 @06:50PM (#6780149) Homepage
      Not only for that reason.

      I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.

      So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"

      Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.

      Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?

      The crap Windows security model has certainly affected me, a non-Windows user.
      • Re:Ummm... (Score:5, Funny)

        by theCoder (23772) on Sunday August 24, 2003 @07:08PM (#6780275) Homepage Journal
        "...you have it easy, you run Linux, stop complaining!"

        That's when you snap your suspenders, scratch your beard, and remember why you have that smug look on your face :)

      • Re:Ummm... (Score:5, Insightful)

        by nikal (141824) on Sunday August 24, 2003 @07:39PM (#6780461)
        If you digitally signed all of your electronic communication then you could effectively get rid of this worry. People who trusted your key would know immediately that this was a spoof.
      • Re:Ummm... (Score:5, Insightful)

        by afidel (530433) on Sunday August 24, 2003 @07:46PM (#6780505)
        PGP sign all your email, that way you will be able to prove that an infecting email did not originate from you. Also the very fact that it is a windows worm and you run Linux should indemnify you.
        • Re:Ummm... (Score:5, Insightful)

          by Jerf (17166) on Sunday August 24, 2003 @07:52PM (#6780536) Journal
          To you and nikal, PGP does not prove X did not come from you, it only proves that X did come from you. Even if you are using PGP it is quite easy to send an unsigned message.

          Only somebody else's signiture, establishing that it came from them, could begin to establish that it did not come from you, and you would still need to establish that you aren't that somebody else, since having multiple signitures is trivial. (It would probably be reasonably satisfactory under most normal circumstances, though.)
      • Re:Ummm... (Score:5, Interesting)

        by Deusy (455433) <charlie@vBLUEexi.org minus berry> on Sunday August 24, 2003 @07:54PM (#6780545) Homepage
        On the subject of liability, I wonder why Microsoft is never held liabel for the billions of dollars that these incidents cost the world's economies. A little forethought this would never have happened.

        Imagine if Ford were to sell a car with a fundamental problem. One that potentially cost lives. They did and they had to recall it.

        Now these virus epidemics probably bring down some rather critical computers and potentially cost lives. (Yeah, yeah, mission critical machines should be kept uber patched...)

        Microsoft really comes across as untouchable.
        • Re:Ummm... (Score:5, Insightful)

          by Li0n (110271) on Sunday August 24, 2003 @08:03PM (#6780589) Homepage
          They cease to be liable the moment you click "I Agree"
        • Re:Ummm... (Score:4, Interesting)

          by Durandal64 (658649) on Sunday August 24, 2003 @08:37PM (#6780773)
          As sick as defending Microsoft makes me feel, I'm going to have to point out that your analogy isn't fair. A more apt analogy would be Ford making a car with a radio so defective that the car would explode if it received a signal of a certain frequency. Ford learns of this and initiates a recall. People ignore the recall, and then someone hijacks an antenna two weeks after the recall has been initiated and broadcasts said signal of said frequency. Cars explode.

          Did Ford send the signal out? No, so they are not directly liable. Did they attempt to correct this problem before it was taken advantage of? Yes. Should such a disastrously massive problem have been allowed to make it into the final design? Microsoft do share some liability for the damage done, but not all of it. It was, after all, their incompetence that created the problem in the first place. Is it all their fault? No, sorry.

          The other angle to look at is the cost of installing the patch. Since Windows requires you to reboot after changing all but the most trivial aspects of your system, this makes installing the patch extremely inconvenient for many server administrators. Administrators have no such excuse with a Linux system, which really only requires a reboot after changing the kernel. On Windows boxes, however, such required restarts can end up costing a lot of money, especially if the patch breaks a service that the server is running. So, one thing Microsoft could do would be to reduce the amount of required restarts. Good luck, since the GUI is the operating system, unlike a *nix box, where it's just another process that can be terminated without bringing down the system.

          As I said, I now feel sick for sticking up for the pricks in Redmond.
      • New sig file... (Score:5, Interesting)

        by MasonMcD (104041) <masonmcd@mac . c om> on Sunday August 24, 2003 @08:00PM (#6780570) Homepage
        I now have a new signature on my emails:

        *In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*

        I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.
      • Re:Ummm... (Score:4, Interesting)

        by thx2001r (635969) on Sunday August 24, 2003 @08:36PM (#6780768) Homepage
        Windows security, (don't laugh) on NT 5 and up is not too shabby (when properly done... not to say that it is "secure", no systems plugged into electricity and a network are). The problem is not the security model, it's the default level of security applied out of the box. The default level is so lax, it is WISHING it were swiss cheese!

        There are so many open orifices by default, it's, honestly, frightening to release a Windows system to the wild of being connected to the Internet without extensive preventative measures. Of course, keeping safe in a Windows environment is very possible but almost exclusively for technically savvy people, the rest of the Windows users (almost all of them) are running Windows with it's default pants down, bent over, with a giant neon "Rape Me" sign on them.

        Sigh. Perhaps someday MS will enable some more of their security features BY DEFAULT on Windows (well, lets say, all of them, and then let users drop their computer's drawers if they choose to). Until then, look at it this way... MS's (deliberate?) default swiss cheese security keeps many a person employed plugging the holes.

        If it were secure by default and kept itself in great working order automatically, what use would anyone have paying techies to do that? In a strange way, I owe my continued employment to MS's poor default practices.
    • Re:Ummm... (Score:5, Insightful)

      by cybermace5 (446439) <g.ryan@macetech.com> on Sunday August 24, 2003 @06:53PM (#6780169) Homepage Journal
      Also, don't forget the Mac and Linux users who unfortunately happened to be in the address book of some poor Windows user. I'm about to go nuts from the 50-100 autoreplies from corporate virus scanners, and I know I have it easy.
    • by ScottGant (642590) <scott_gant&sbcglobal,netNOT> on Sunday August 24, 2003 @08:47PM (#6780819) Homepage
      I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.

      Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.

      And this has been the same on the 2 different machines that I've run XP on.

      But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.

      Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.

      And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.

      So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.

      I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.

      I guess your mileage may vary.
      • by naelurec (552384) on Sunday August 24, 2003 @10:27PM (#6781358) Homepage
        Its all a matter of perspective. It seems like Windows NT/2k/XP works pretty good for knowledgable end users (Which you seem to be one ...). I have a W2K box that as a box works pretty good at what it does (though it does have some rather strange memory related problems .. but not nasty enough to justify a re-install...) However, atleast for me, after running Linux, Mac OS X and now FreeBSD as my primary desktop, I have a different perspective on how an operating system should work. I actually find the *nix desktops to be easier to work with. Not only are there a lot more cool features (ie mozilla has lots of neat features over Internet Explorer, same with KDE vs Explorer, etc..) but the entire system seems laid out much more logical. When programs install on my FreeBSD box, I know exactly what files it has installed and where (not to mention it is really easy to remove ALL the related files compared to the add/remove feature in Windows). I can quickly find what applications are running, I have a lot more information available to me as far as what is going on "under the hood" and most importantly, I can access all critical features on a fast SSH connection instead of trying VNC or some other cumbersome GUI interface. So whats my point? Well I suppose when my Windows using buddies, relatives and customers call me with yet_another_windows_problem (sobig, blaster, other viruses, adware, whatever..) I tend to think that "well if they were running *nix, would they have this problem? (usually not)" and "if they were running *nix, I could simply SSH to their box and fix the problem in a few minutes instead of explaining how to setup VNC over the phone and trying to troubleshoot it remotely (with their side being a 28.8k dial up connection)) or hopping in my car and physically sitting in front of the computer and hacking away at it.. Whats my point? I dunno. I guess I have found the *nix systems to be generally better than the Microsoft offerings. Since using *nix, I have different expectations to how my computer should work and at this time, Microsoft does not meet these expectations. Infact, when I am using Windows boxes, I have found that I get frusterated with the machine because it doesn't work like I am use to.
  • There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".

    That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
    1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
    2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.
    • I didn't take that phrase that way until I read your post. The writer isn't stating that Windows engineers designed the OS to be insecure, he's stating that the way Windows was designed lends itself to insecurity. Two different takes on the phrase "by design". Slightly misleading, sure, but he clarifies in the article, so it's cred by me. I particularly like the comparisons he makes with Windows, OS X, and Red Hat's default install.
      • by dhogaza (64507) on Sunday August 24, 2003 @08:20PM (#6780683) Homepage
        Do keep in mind that at major papers like the Post reporters don't write the headlines. Just as they don't decide where their story will run (or if it will run), how big the type used for the head will be, whether or not there will be a subhead, etc.

        So don't ding the reporter for the slightly misleading headline. Sounds like the reporter got it right in the part he or she wrote - the article.
    • The problems with Windows are largely what was pointed out in the article:
      • Users complain they don't trust Microsoft and don't apply Critical Updates
      • XP's firewall is off by default and takes at least five steps to turn on
      • XP leaves five ports open by default--three of them are 137, 138, and 139, the NetBIOS over TCP/IP ports
      I have the following to say on those issues, however:
      • If users don't trust that Microsoft can patch a hole, they shouldn't use Windows and shouldn't buy PCs preconfigured with Windows, no matter how crappy the software availability and quality for the alternatives
      • For the XP Home software, all dialup interfaces should have the firewall on by default. XP can automatically detect broadband connections as well, so on broadband internet connections the firewall should also be on by default
      • Ports 137 through 139 should be disabled by default until file sharing is turned on. And even then, those ports should be specifically closed on all internet-facing interfaces. The port that console messages are sent on should be closed to the internet-facing interfaces as well, and probably just closed period on Home since console messages are supposed to be used by administrators in domain environments
      These are not the only problems with Windows, nor are these solutions I propose going to be 100% fool-proof. But most of the problem comes to users' carelessness or naivete. By turning off all the unimportant messages in XP such as
      • Get a Passport
      • Take a tour of Windows XP
      should wait until after more important, security-related messages such as
      • If you choose to use Windows Automatic Updates, your computer will automatically update itself with the latest security patches. This will ensure fewer problems and enhanced reliability while your computer is connected to the Internet. Click here to learn more.
      • If this computer will be directly attached to the Internet through either a dial-up modem, a cable modem, or a DSL modem, you should enable the Internet Connection Firewall by clicking here and following the instructions. The firewall will help protect your computer from hackers and self-spreading worms on the Internet, keeping your computer working properly much longer.
      It's simple steps like these that, on top of proper security considerations and testing when designing and writing the code, will help protect users and the net in general from what we suffer right now.
      • by PygmySurfer (442860) on Sunday August 24, 2003 @07:35PM (#6780426)
        XP's firewall is off by default and takes at least five steps to turn on

        I seem to recall XP's firewall being turned on during the inital "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (Or something like that).

        That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.

        Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.

        I certainly agree with the rest of your points though (and the majority of the article).
      • by hankaholic (32239) on Sunday August 24, 2003 @08:21PM (#6780684)
        Fair enough, but many people may opt not to download updates because of their rediculous size.

        Under Debian, at least, if a package is found to have a security hole, I have several options.

        I can download only the affected package. Of course, since it's Debian, I can always opt to just bring the whole system up to date. If bandwidth is really a problem, I can even manually rsync an older local copy of the package against the updated version upstream.

        Unfortunately, rsync isn't done by apt-get automatically, but the option to do it manually is there, as many Debian mirrors do support rsync.

        The point is, though, that with Linux and the BSDs, you can find out exactly what you're downloading, and determine exactly what effect the new package will have. With XP, you might have no idea what you're getting. Spending eight hours downloading MS updates when you don't know what you're getting isn't something most people consider worthwhile, especially when it's often the case that after updating Windows, it's found that there have been refinements to the updates that just occurred, and so Windows wants to download yet more stuff, and reboot yet again!

        People want to use their systems, not maintain them. As long as the MS "critical updates" take ages to download and often create the need for further updates, people will continue to ignore the "Windows updates are available" messages.

        Rebooting is a lot to ask. Large downloads are a lot to ask. If I were to install all of the "important" updates available to Windows at the moment, it would require several reboots, especially since many components can't be installed at the same time. Under Debian, not even one reboot would be required, unless the kernel were updated. Under Windows, if I update Media Player, a reboot is required, and Windows won't even let me update other things at the same time!

        I'm just glad I'm behind a firewall.
    • by 1010011010 (53039) on Sunday August 24, 2003 @08:37PM (#6780774) Homepage

      Well, he could have mentioned a true "Insecure by Design" flaw in Windows: the fact that Windows determines that a file is executable based on its *name*. If a file ends in .exe, .vbs, .bat, .scr, or one of lots of other extensions, Windows assumes it's executable and will load and run it when the user clicks on it. Or a "shell" command references it, etc.

      On Unix and unix-like systems, one has to explicitly mark a file as executable before ths OS will try to run it, and it's even possible to deny the "execute" permission to an entire filesystem (for instance, users' read-write home directories).

  • Unless... (Score:5, Funny)

    by Chemical Serenity (1324) on Sunday August 24, 2003 @06:36PM (#6780020) Homepage Journal
    ... you count the *nix administrators who had to scramble to put in antivirus software on the corporate mail server to stem the tide of 50k+ virus mails per day.

    On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!

  • by Anonymous Coward on Sunday August 24, 2003 @06:38PM (#6780031)
    The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much imrpoved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are update will the ability to use real user security settings become practical.
    • by manly_15 (447559) on Sunday August 24, 2003 @07:44PM (#6780491)
      If every software maker followed these Microsoft specifications [microsoft.com] Windows would be a much better operating system. A good example of a broken app is Palm Desktop. First of all, it only works with one user. Second, to install it, you have to give the limited user admin rights, install it, and bring them back down to limited rights. It's the same for Documents To Go. Talk about a PITA - and notice that neither of the apps boxes have the Windows logo on them.
  • by Anonymous Coward on Sunday August 24, 2003 @06:38PM (#6780033)
    To test if your linux box is secure, press alt f2 to open up the run dialog, then type
    yes > /dev/mem
    .

    If nothing happens then you have a reasonably secure linux box.
    • by Negative Response (650136) on Sunday August 24, 2003 @07:19PM (#6780339)
      I just did it and the result is:
      zsh: permission denied: /dev/mem

      You know, being funny aside, you just demonstrated one excellent point: Users should have enough rights to have work done, but not so much to easily screw up the system. Don't use root privilege in vain!

    • by donnz (135658) on Sunday August 24, 2003 @07:59PM (#6780568) Homepage Journal
      Oh, ha, yes, funny.

      Now connect your Windows PC to the internet and wait for someone in Khatmandu to type "format c:".

      The real issue however is that Windows * is still using a lot of code from DOS and Win3.1 for all sorts of shit. Those were the days, remember, when personal computers were just that, personal.

      *nix has a pedigree in networked computers. So whilst mistakes are made in code of each system, always, one paradigm is always going to be more secure than the other. Until MS really, really and truely re-writes its OS. Shame the article misses this point by such a wide mile.
  • by gl4ss (559668) on Sunday August 24, 2003 @06:39PM (#6780038) Homepage Journal
    the author makes nice (partial if you may)rebuttal of this myth, and also points to something to back it up like the number of open ports that create potential possibilities for holes,and that are for services that are default enabled, yet shouldn't be used in hostile environment(and how ms does nothing about it, and how xp was supposed to be more secure in matters like this). and frankly i haven't heard of non-hostile environment involving more than 10 people in a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.

    -
  • Linux users (Score:5, Funny)

    by jabbadabbadoo (599681) on Sunday August 24, 2003 @06:42PM (#6780069)
    "But nobody with a Mac or a Linux PC has had to lose a moment of sleep "

    Like a Linux PC owner sleeps anyway....

  • Good idea (Score:5, Funny)

    by Rosco P. Coltrane (209368) on Sunday August 24, 2003 @06:43PM (#6780076)
    Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.

    Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs ...
  • Nah... (Score:5, Insightful)

    by Faust7 (314817) on Sunday August 24, 2003 @06:44PM (#6780084) Homepage
    Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.

    The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.
  • MS Bashing (Score:5, Insightful)

    by mOoZik (698544) on Sunday August 24, 2003 @06:47PM (#6780120) Homepage
    This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly ever user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!
    • by cduffy (652) <charles+slashdot@dyfis.net> on Sunday August 24, 2003 @07:18PM (#6780330)
      There're two issues:

      1. There's this bug users didn't patch for

      2. The system's default configuration made almost everyone vulnerable being attacked via the bug, even if the user isn't actually making use of the buggy service.

      On item [1], yes, there's a really strong argument that it's the user's fault. On item [2], though, it's pretty damn clearly the vendor's negligence.
  • by jdigriz (676802) on Sunday August 24, 2003 @06:47PM (#6780124)
    Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquantainces, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.
  • quoth Marc Andriesen (Score:5, Informative)

    by Crashmarik (635988) on Sunday August 24, 2003 @07:02PM (#6780226)
    Regarding IE and Active X.

    Its nothing but a virus delivery system.

    That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.

    Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?
  • by leoaugust (665240) <leoaugust AT gmail DOT com> on Sunday August 24, 2003 @07:04PM (#6780241) Journal

    Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....

    This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...

    It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...

    1. I have both the lights from the two computers in my hub flashing - thank god.
    2. I can connect via one computer to the internet - praise the lord.
    3. But I can't get the file/printer sharing done yet ... - Forgiveness is divine.
    4. And as the feed is provided by a cable internet operator, which has a pool of computers of its own, I am not even sure of what is secure and what is not - Ignorance is a bliss.
    5. And I have lost a lot of money and time ... Lord, give me the strength to forgive those who do not know what they are doing ....

  • by MBCook (132727) <foobarsoft@foobarsoft.com> on Sunday August 24, 2003 @07:09PM (#6780283) Homepage
    Everything I've heard on TV and Radio that's been more than just "There is a new virus" that has an attitude that I just can't stand. A thing I heard on NPR put it perfectly. Basically the attitude is that this is the way the computer industry is, and maybe they should do something about it.

    Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.

  • by dwheeler (321049) on Sunday August 24, 2003 @07:18PM (#6780332) Homepage Journal
    GNU/Linux systems can be used to help Windows systems get a little more secure.

    A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.

    My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!

    Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.

  • by cfoster611 (219409) * on Sunday August 24, 2003 @07:37PM (#6780443) Homepage
    In comparison, Mac OS X ships with zero ports open to the Internet.

    Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh,httpd, afp, etc) running.
    Port Scan has started ...

    Port Scanning host: 127.0.0.1

    Open Port: 427
    Open Port: 631
    Open Port: 1033
    1033 is assigned to NetInfo
    427 is "server locator"
    631 is "IPP (Internet Printing Protocol)" ...according to the iana.
  • With write priviledges only to their own sandbox, then, none of this would be happening. Instead, you've got IE and Outlook running as a user's account, so, despite the prevalance of a workable user based access control list based security system in Windows, Microsoft does not use it where it really counts. Dumb dumb dumb.

  • by Ramion (178075) on Sunday August 24, 2003 @08:12PM (#6780641) Journal
    Today I sat down at my computer when I got a MSN message from a friend. That friend is complete noob with computers and now he had a problem.

    This is pretty much what was said:
    Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.

    Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?

    Friend: Patched ? ?

    Me: Yeah. You know downloaded updates for windows.

    Friend: No..

    Me: Oh well. Here is a link to a virus scanner try and run that first. .... After awhile, me trying to explain him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...

    Me: Good now to update your system. .... I, after awhile, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....

    Me: So, Now I suggest you update your system with patches from windows update.

    Friend: Why? What should I waste time download all that? What good does it do me ?

    Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.

    Friend: But how do I do it ? .... I try to explain him how to use windowsupdate but is almost giving up since he just dont get he just gotta press scan for updates and then install updates. Well in the end he gives up and says he dont care ....

    And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.
  • by htmlboy (31265) on Sunday August 24, 2003 @08:22PM (#6780698)
    it's dorm move-in weekend at the university where i work. after looking at a sample of the machines brought to school by students given the privilege of early move-in (ra's, mainly), we found that less than 5% of our students were patched for both blaster/lovesan and welchia/naichi. as such, it was decided that shutting off the entire residence hall network would be easier than shutting off ~95% of the ports once they got infected (typically takes 3-5 seconds in this environment). so our student workers and a few full-timers like me get to make our way to every single student machine (~8,000 students in the dorms) and analyze, clean, patch, and install a current virus scanner.

    overtime is great.
  • Conspiracy theory (Score:5, Interesting)

    by bokmann (323771) on Sunday August 24, 2003 @08:38PM (#6780778) Homepage
    I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.

    Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".

    And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.

    Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.

    Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.

    mark my words.
  • by Animats (122034) on Sunday August 24, 2003 @10:02PM (#6781247) Homepage
    On August 13, 2003, with little publicity, the NSA Secure Linux [nsa.gov] was merged into the mainline Linux kernel. It's in 2.6.0-test3 and later kernels. There's also useful documentation at the sysadmin level [nsa.gov], and the beginnings of a multilevel secure X-windows system.

    It's not a magic bullet, but mandatory security just went mainstream.

    What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.

    The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project [theregister.co.uk] failed.

  • by spoot (104183) on Sunday August 24, 2003 @11:34PM (#6781606) Homepage
    I thought it was amusing when I surfed over to the Post to read the article there was an ad for "Windows 2003 Server" on the page. I had to take a screen shot. If you want it it's here --> http://johnford.net/images/windows_ad01.jpg [johnford.net]
  • by facelessnumber (613859) <drewNO@SPAMpittman.ws> on Sunday August 24, 2003 @11:37PM (#6781618) Homepage
    ...Or, "The Tecn Commandments of Windows Security."

    I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:

    1 - No scripting host. If you don't need it, kill it.

    2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...

    3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...

    4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.

    5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...

    6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.

    7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.

    8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!

    9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.

    10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.

    That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.
  • by inkswamp (233692) on Monday August 25, 2003 @02:47AM (#6782300)
    So Windows is insecure by design, huh?

    It's so nice to see Microsoft finally get something right.

Possessions increase to fill the space available for their storage. -- Ryan

Working...