Microsoft vs. Computer Security 439
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
Security is damn hard.. (Score:5, Informative)
Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM, which is provably impossible to do properly.
The problem comes from many quarters: some theoretical, some practical, some managerial. For example:
I could go on for quite some time.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!
Simon
What can you do to protect yourself? (Score:3, Informative)
I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.
Comment removed (Score:5, Informative)
Re:What can you do to protect yourself? (Score:4, Informative)
Ummm... the recent WMF vulnerability needed no user interaction, other than visiting a web page or getting an e-mail with a "specially crafted" WMF file disguised as a
Your first bit of advice was correct - security is a process, not a product, and as such needs to be maintained and thought out in advance. I'd add "Educate users why people want into their machine and here's how they get in" to the list too.
Soko
The Only Thing... (Score:2, Informative)
Re:It's no secret... (Score:2, Informative)
Re:No Progress? (Score:3, Informative)
It was written to be "OS/2 v3", once Gates poached Cutler's development team.
It was grafted onto the Windows shell as a long-shot, after tensions between MS and IBM began to manifest themselves over the success of Windows 3.0, the failure of Presentation Manager and the differing visions for the future of OS/2.
Drivers for NT were still a lot like drivers for VMS, from the API point-of-view.
Re:It's no secret... (Score:5, Informative)
More recently the DOJ at least accused Microsoft of using secret APIs in support of IE, Messenger, Media Player, and Outlook Express.
I don't necessarily think that you are wrong, but the situation is certainly not as cut-and-dried as you seem to think it is.
-Peter
Re:Slow progress (Score:3, Informative)
I would say that this comes under uneducated users again. You can do exactly as you said in Windows. I run as a limited user, and everything works fine. Sure, sometimes I need to login as admin to install something. Or a game's copy protection won't allow it to run except as admin. But then you just change the shortcut to runas admin, and everything keeps going just fine. I don't really see how this is any different than having to login as root or feed a nag window.
I think Microsoft is to blame for limited user not being the default. But once you have it set up running as a limited user, it's not any harder than running as admin and most of Windows' spyware and virus problems don't affect you.
Re:Unending stream of patches helped MS it seems (Score:1, Informative)
http://www.us-cert.gov/cas/bulletins/SB2005.html [us-cert.gov]
Showed facts that in the year 2005 more bugs and security related issues were found in Unix based or derived operating systems and softwares than in Windows and its wares.
(Contrary to the information often stated by the penguins and unix fans worldwide and very often here at slashdot).
So I must ask - why was the post which I am replying to modded down?
It only showed things as they are from a reputable 3rd party source's findings in us-cert.gov which is a united states government website specializing in security related issues and it is also fairly obvious that the United States government is not partial to Microsoft because of the antitrust suits they have plagued Microsoft with.
The findings on the website used were also not results found by a test sponsored by Microsoft which is another complaint used by the linux people here at slashdot very often.
Shameful and childish modding down the posting that way slashdotters. Is that what unix people are about?
Unix, Linux, and MacOSX users are now the ones with the least secure operating system platforms it appears, not Windows users.
Why OS vendors make LOUSY application vendors (Score:2, Informative)
Want another example?
How about 'priority boosting'? That is where only MS boost the thread level of the actively running application so it 'appears' to run faster to the user. This has created all kinds of fun problems for developers but 'hey' it SELLS upgrades baby.
Here is a fun one for you.
Why is it when I go into my CMD shell I can do a 'NET STAT'? Where did that stuff come from?
That would be when they put it in the NT kernel to compete with Novell. They have just been too busy helping the customer to take it out. All of the NET commands came from MS Lan Manager. I'm sure there isn't a NetBEUI stack that has kernel access either.
And people wonder why Linux runs so much quicker? I mean has anybody bothered to empty the garage lately that we all call the XP kernel? I mean what else is running at ring zero these days? Seriously if MS Basic hadn't been in the EPROM I bet the LOAD command would still work.
You think I'm kidding right?
Has anyone tried to nuke the msmsgs.exe task? That would be MS's Instant Messaging application. This is STUCK in your toolbar and if you TRY to remove it you are told OTHER applications are USING it! Don't we call other programs that do this viruses or trojans? This is a very rich example of why an OS vendor should NOT be allowed to compete in the application space. But hey it allowed them to KILL Netscape even when they had 80% market share. This might have been OK when MS DOS was seen as a HOBBY only used by kids but NOW IT IMPACTS every company's BOTTOM LINE!
Final point. Anyone ever bother to read what the findings of fact were in the MS anti-trust trial? I mean we all paid several million in taxes for that one and it makes GREAT bed time reading.
Are you aware that MS MANAGEMENT STOPPED the release of Windows 98 UNTIL AFTER Christmas so key DLLs could be part of the kernel? Since this statement sounds like I'm on a narcotic I'm going to PROVE IT IS TRUE.
BTW
Not one other company could pull this kind of crap NOT EVEN IBM. MS has created their own monster. The reason their kernel has SOOOO many holes in it is because the product managers HAVE DRILLED them there in the first place. I mean even a blind guy can fall into ring zero and take over your system. Why is it folks can READ the code for the kernel in Linux and it is SAFER but I can blindfold you and you 'might' get admin rights in XP?
MS could never allow you to read their kernel code. You would see how too many of their APPLICATIONS work.
The link for the DOJ trial doc is here: <URL:http://www.usdoj.gov/atr/cases/f3800/msjudge.pdf>
From page 83 of the above link:
Allchin followed up with another message to Maritz on January 2, 1997:
You see browser share as job 1. . . . I do not feel we are going to win on
our current path. We are not leveraging Windows from a marketing perspective
and we are trying to copy Netscape and make IE into a platform. We do not use
our strength -- which is that we have an installed base of Windows and we have a
strong OEM shipment channel for Windows. Pitting browser against browser is
hard since Netscape has 80% marketshare and we have <20%. . . . I am convinced
we have to use Windows -- this
Re:Whomever Geeks and Nerds Find Evil... (Score:5, Informative)
"Robust" is not an adjective I would ascribe to Windows.
If Macs were what Windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games are the biggest and best, not because it is easier, but there are far more people attempting to exploit the system.
Homogeneity is weakness. Stop being so damn homogeneous (x86, Windows, the most popular software, etc.), and start being more diverse (POWER, SPARC; Linux, *BSD; good but not most popular software; etc.); otherwise, you're just bringing this upon yourselves.
I know that the herd mentality still affects humans' decisions, but please do try to balance your cognitive biases out.
Re:Slow progress (Score:2, Informative)
Please stop making it sound like being a limited user is absolutely terrible. Very few applications have required me to run them as Administrator or Power User. Those that do, usually require a few tweaks to their home directory or registry key permissions, and you're good to go. Get with the program, developers. Windows can have more than one user now, and we're not all Administrators.
Re:No Progress? (Score:3, Informative)
Until it's easy (not merely 'possible') to run limited accounts & control permissions, we're going to see major problems.
The use of limited accounts only goes so far. It will prevent a virus from doing damage to some areas of the machine; it will not prevent the creation of "zombie" DDOS networks, infection by spyware, or OS exploits. Correct me if I'm wrong, but the WMF exploit will work regardless of whether or not you're running with full or nil permissions.
Re:No Progress? (Score:2, Informative)
In the field - you know, where the 'rubber hits the road' - it has been incredible progress in dealing with the security issues around MS software.
My background is as an assessment/penetration tester, and a remediation analyst for infosec. My toolset and personal choices are 'Unixy'.
I have yet to see anything as onerous as admin passwords written to logs - and I don't even BELIEVE it can be done. You can pass a hash, not text. No API will give you a plaintext from either AD or the LanMan cached credentials. You need a refresher course.
Re:It's no secret... (Score:3, Informative)
"Microsoft teams identified a few hundred undocumented Windows interfaces or parameters that were used by one or more of the Microsoft Middleware components."
Admin vs. root on OS X (Score:3, Informative)
root has much greater (and usually unnecessary) privileges than an administrator and is locked by default. I have only had to use root twice, in both cases because I had broke