Windows Is 'Insecure By Design,' Says Washington Post 1326
Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"
Ummm... (Score:4, Funny)
Except the Mac and Linux users in charge of those systems... ;)
Re:Ummm... (Score:5, Insightful)
I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family...
That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me everytime I connect to the Internet... what can it be?..."
And people wonder why techies are grumpy...
Re:Ummm... (Score:5, Funny)
Well, yeah, because you know we all make so much money...
Yeah.....
Re:Ummm... (Score:5, Interesting)
buck isn't worth as much as the US buck on the international market,
but that isn't because the Aussie buck won't buy as much, locally,
as the US buck will buy in the US.
An example: the exchange rate between where I live (Galion Ohio)
and lower Manhattan is 1:1 -- one dollar from here is worth exactly
one dollar from there. Yet, an entire family here can live on less
money per month than the rent of a two-room apartment there.
The exchange rates do have an impact on the cost of living, as they
have an impact on the cost of some items, but not everything is
priced proportionally.
Here, $10/hour is a decent wage for a single person in a blue-collar
or entry-level position. I take home about that amount after taxes,
working as an entry-level computer troubleshooter (basically, a
one-man part-time IT department at a place too small to have a
full-time IT department), but a professional programmer would
certainly make more than that (except, I doubt if we have any in
the area). Fourty minutes' drive south of here there's a big
white-collar area (Worthington/Westerville, suburbs of Columbus --
conference complexes, marketing firms, shopping malls, and
three-quarter-million-dollar houses[1] as far as the eye can see)
where someone in a position equivalent to mine would make triple
my wage and struggle to get along. Rent is much higher there;
food costs more; everything costs more. A lot of people live up
this way and commute to work down there.
[1] Nobody would build a house that expensive in Galion, because
it wouldn't have resale value. We have a sparse handful of
houses in town worth two hundred thousand or a little more.
Part of it is that the land here is much cheaper.
Re:Ummm... (Score:4, Interesting)
That's why I tell my family: If you want help with your computer, buy a Mac. I don't support PCs.
Just about everyone in my family has a Mac.
It's a win-win for me, since the amount of support you have to do for a Mac user is virtually nil -- they just work. :-)
Re:Ummm... (Score:5, Informative)
This includes security updates and point-revisions of the OS (which one might presume to have less-critical security updates rolled into them), and excludes application specific updates for the i-App suite, Safari, etc. that were not labelled as "Security" related (one might assert that they were in fact security related, but they included point-upgrades to the applications as well. Those toatlled perhaps 8-10 updates over the span covered). Note that two (Stuffit! and IE) are for 3rd-party bundled apps with labelled "Security" updates.
yes, I'm aware that I haven't installed the latest one to patch the off-by-one bug that impacts the FTP server. I'm waiting until I need to reboot for some other reason.
TOTAL UPDATES OVER THE PAST 10 MONTHS: 5. 7 if you count patches to 3rd party apps, one of which was IE. 10 if you're really liberal and include the point-revisions of the OS too.
Please tell me where these "lot of security updates in the past 6 months" are... I'm not seeing them.
Re:Ummm... (Score:5, Funny)
Re:Ummm... (Score:5, Interesting)
I'll help you move to linux for free, or I'll charge you $50 to fix your system this time.
tell them the charge will double each time they need help, for either system.
Re:Ummm... (Score:5, Insightful)
It's kind of funny, but I didn't have any problems with either of those viruses in any of my three WinXP machines. Maybe it was the common sense (Sobig) or the fact all my machines were updated (MS Blaster)or the common sense that 300 e-mails with the same attachment from people I don't know might, just might be a virus. This is not to mention of course the firewall, pestpatrol, and Norton Antivirus. Now, you might say, "well hey, my linux box had none of that, wasn't patched, no firewall, nothin!" but think for a few seconds. These viruses were programed for windows, not linux/any other os. Of course your non-windows computer was not infected, because the virus/worm was not made for it. So before you get on your high horse, remmember it can happen [wired.com] if someone bothers to write it.
Re:Ummm... (Score:5, Interesting)
and just for reference (as a person who works hell desk (tech support) for linux servers) i have not yet met a single person affected or infected by slapper. unix and unix derivatives are vastly more secure because of the way they were designed. not to mention most distro's dont leave 45 uneccasary things running by default, hence the admin of a unix box has to do less to be decently secured.
i will admit this virus wasnt particularly microsofts fault. but we have been doing this same routine for 8 -10 years now with them. sooner or latter they are going to have to own up to it, and yes microsofts systems are inherintly insecure. and no i dont run anything M$ on anything i own or admin.
i am also very aware that i am having a bad spelling day.
Re:Ummm... (Score:5, Insightful)
>> this virus wasnt particularly microsofts fault
If you're talking Sobig.F then yes, it is definitely Microsoft's fault.
In the early 1990s, people got laughed at (or gently educated) if they suggested 'I got that virus through email'. It just didn't happen.
Then MS turn up with their inherently insecure 'Automatically run stuff that's emailed to you' email client, actually build it into the OS (thus ensuring greater take-up than would otherwise have been achieved) and email viruses became commonplace.
The only way this virus wasn't Microsoft's fault is that they didn't write it themselves. The environment it runs in, that enabled it, is entirely and absolutely due to insecure design by MS.
~Cederic
Re:I have a coworker who kept saying it was hardwa (Score:5, Funny)
"Hey, Dave, make our fundamentally different, colocated e-commerce sites securely share all their data amongst each other and seemlessly integrate it with this new proprietary MRP solution. Upgrade our computers when we're not using them. Find a legal way to install this one copy of Office onto all these computers. Make our computers faster and better. Don't touch my computer. Upgrade our Norton Antivirus server and all our clients. None of us want login passwords, but we do want security. This one mid-90's era server ought to be enough for all our needs. We want video conferencing on all our sites. We don't want to buy anything."
I do almost as much IT support as I do development.
Cars to Computers analogy (Score:5, Insightful)
As for changing fluids out, the computer equivalent would be to a backyard mechanic, who handles oil and antifreeze coolant. Maybe checks the tranny fluid and takes it somehwere if it doesn't look right. Changes out burned out lights, etc. Stuff that is mostly covered in the owner's manual, or at least has stuff like fluid quantities. In computers, I'd equate that with being able to hook up external devices and get them to work, being able to remove stuff from C:\WINDOWS\START MENU\PROGRAMS\STARTUP, configure basic network settings from instructions for something like DSL or Cable. Calls for support or a technician when something out of this range goes wrong.
A+ certified techicians would equivalently handle basics, like replacing alternators, starters, draining transmission fluid, replacing water pumps, checking differential gear oil, lubing the suspension or steering parts, replacing obviously bad water hoses, and the like. Stuff that stands out. By comparison to computers the person would be able to replace hard disk drives and CD-ROMs, install video cards, install the OS from scratch for the default configuration, configure sound support, and the like. Maybe even dig into the registry a smidgeon.
And above that you'd have your power-technicians, who would be up there with not being afraid to remove stuff like engines, axles, transmissions, steering columns, dash boards, interior parts, etc. These people would be able to play with advanced networking, deal with driver and IRQ conflicts, handle tweaking of the OS, dig into the registry a bit, etc.
Beyond that, you find different people who can rebuild engines or transmissions in their sleep, modify sheet metal artistically, handle advanced upgrading of suspension, and the like. They would in computer equivalents be specialized, but very talented. They probably wouldn't even do much of the lower-level work unless they had to, because they would be more valuable higher.
Well, that was quite long enough of a ramble...
Re:Ummm... (Score:5, Insightful)
I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.
So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"
Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.
Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?
The crap Windows security model has certainly affected me, a non-Windows user.
Re:Ummm... (Score:5, Funny)
That's when you snap your suspenders, scratch your beard, and remember why you have that smug look on your face
Re:JRTFA (Score:5, Insightful)
When I started getting Sobig emails on Tuesday, I even took the time to call two of my friends (who subscribe to some of the same lists I do) to warn them not to trust emails with attachments. I had to explain the whole concept to them, but they got it. I got 40 the first day, 20 the second and only a handful since. And I had no desire to open any of them.
The biggest threat that Windows poses is that from users who are totally clueless... they turn on their machine thinking it's some kind of "email machine" and nothing else. Not a clue there are threats or risks out there. And no indication from Windows, or Outlook, or IE that anything they do could be unsafe. Windows update works, at least this time it did. They're not going to get more saavy, so there's no harm in telling people to use windows update.
Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
3. Update early and often
The article is right, Windows is dangerous. MS isn't going to tell the consumer, because that would threaten their (considerable) cash flow.
I'll shut up now.
Re:Ummm... (Score:5, Insightful)
Re:Ummm... (Score:5, Insightful)
Re:Ummm... (Score:5, Insightful)
Only somebody else's signiture, establishing that it came from them, could begin to establish that it did not come from you, and you would still need to establish that you aren't that somebody else, since having multiple signitures is trivial. (It would probably be reasonably satisfactory under most normal circumstances, though.)
Re:Ummm... (Score:5, Interesting)
Imagine if Ford were to sell a car with a fundamental problem. One that potentially cost lives. They did and they had to recall it.
Now these virus epidemics probably bring down some rather critical computers and potentially cost lives. (Yeah, yeah, mission critical machines should be kept uber patched...)
Microsoft really comes across as untouchable.
Re:Ummm... (Score:5, Insightful)
Re:Ummm... (Score:4, Interesting)
Did Ford send the signal out? No, so they are not directly liable. Did they attempt to correct this problem before it was taken advantage of? Yes. Should such a disastrously massive problem have been allowed to make it into the final design? Microsoft do share some liability for the damage done, but not all of it. It was, after all, their incompetence that created the problem in the first place. Is it all their fault? No, sorry.
The other angle to look at is the cost of installing the patch. Since Windows requires you to reboot after changing all but the most trivial aspects of your system, this makes installing the patch extremely inconvenient for many server administrators. Administrators have no such excuse with a Linux system, which really only requires a reboot after changing the kernel. On Windows boxes, however, such required restarts can end up costing a lot of money, especially if the patch breaks a service that the server is running. So, one thing Microsoft could do would be to reduce the amount of required restarts. Good luck, since the GUI is the operating system, unlike a *nix box, where it's just another process that can be terminated without bringing down the system.
As I said, I now feel sick for sticking up for the pricks in Redmond.
New sig file... (Score:5, Interesting)
*In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*
I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.
Re:New sig file... (Score:5, Funny)
From: BillG@ms.org
Subject: I hate you, b1tch!
Text:
It was joke. Ahaha.
Take a look at this. Finest Klatchian
waterbeetle clock, it's really quite
humorous.
*****
ALL MY EMAIL IS FOLLOWED BY THIS NOTICE.
IF IT IS NOT PRESENT, BE AWARE THE MAIL
IS NOT FROM ME AND MAY BE A VIRUS!
*****
Attachment: fkwbc34.vbs
Re:New sig file... (Score:5, Informative)
X-MailScanner: Found to be clean
Not sure what it achieves, but it's there.
Re:Ummm... (Score:4, Interesting)
There are so many open orifices by default, it's, honestly, frightening to release a Windows system to the wild of being connected to the Internet without extensive preventative measures. Of course, keeping safe in a Windows environment is very possible but almost exclusively for technically savvy people, the rest of the Windows users (almost all of them) are running Windows with it's default pants down, bent over, with a giant neon "Rape Me" sign on them.
Sigh. Perhaps someday MS will enable some more of their security features BY DEFAULT on Windows (well, lets say, all of them, and then let users drop their computer's drawers if they choose to). Until then, look at it this way... MS's (deliberate?) default swiss cheese security keeps many a person employed plugging the holes.
If it were secure by default and kept itself in great working order automatically, what use would anyone have paying techies to do that? In a strange way, I owe my continued employment to MS's poor default practices.
Re:If you "trademark" your mail addy... (Score:5, Funny)
Uh, hate to tell you, but unless you're sueing somebody you're not participating in society in normal ways.
Re:Ummm... (Score:5, Insightful)
Re:Ummm... (Score:5, Insightful)
Perhaps I'm doing something wrong... (Score:5, Insightful)
Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.
And this has been the same on the 2 different machines that I've run XP on.
But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.
Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.
And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.
So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.
I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.
I guess your mileage may vary.
Re:Perhaps I'm doing something wrong... (Score:5, Informative)
Re:Ummm... AGAIN, WHY NOT WINDOWS LINUX???? (Score:5, Funny)
Good point, muddled way of expressing it (Score:5, Insightful)
That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.
Re:Good point, muddled way of expressing it (Score:5, Insightful)
Re:Good point, muddled way of expressing it (Score:5, Insightful)
So don't ding the reporter for the slightly misleading headline. Sounds like the reporter got it right in the part he or she wrote - the article.
Re:Good point, muddled way of expressing it (Score:5, Insightful)
Re:Good point, muddled way of expressing it (Score:5, Informative)
I seem to recall XP's firewall being turned on during the inital "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (Or something like that).
That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.
Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.
I certainly agree with the rest of your points though (and the majority of the article).
Re:Good point, muddled way of expressing it (Score:5, Insightful)
Under Debian, at least, if a package is found to have a security hole, I have several options.
I can download only the affected package. Of course, since it's Debian, I can always opt to just bring the whole system up to date. If bandwidth is really a problem, I can even manually rsync an older local copy of the package against the updated version upstream.
Unfortunately, rsync isn't done by apt-get automatically, but the option to do it manually is there, as many Debian mirrors do support rsync.
The point is, though, that with Linux and the BSDs, you can find out exactly what you're downloading, and determine exactly what effect the new package will have. With XP, you might have no idea what you're getting. Spending eight hours downloading MS updates when you don't know what you're getting isn't something most people consider worthwhile, especially when it's often the case that after updating Windows, it's found that there have been refinements to the updates that just occurred, and so Windows wants to download yet more stuff, and reboot yet again!
People want to use their systems, not maintain them. As long as the MS "critical updates" take ages to download and often create the need for further updates, people will continue to ignore the "Windows updates are available" messages.
Rebooting is a lot to ask. Large downloads are a lot to ask. If I were to install all of the "important" updates available to Windows at the moment, it would require several reboots, especially since many components can't be installed at the same time. Under Debian, not even one reboot would be required, unless the kernel were updated. Under Windows, if I update Media Player, a reboot is required, and Windows won't even let me update other things at the same time!
I'm just glad I'm behind a firewall.
Re:Good point, muddled way of expressing it (Score:5, Insightful)
Well, he could have mentioned a true "Insecure by Design" flaw in Windows: the fact that Windows determines that a file is executable based on its *name*. If a file ends in
On Unix and unix-like systems, one has to explicitly mark a file as executable before ths OS will try to run it, and it's even possible to deny the "execute" permission to an entire filesystem (for instance, users' read-write home directories).
Re:MOD PARENT UP, more.. (Score:5, Insightful)
The Washington Post article is not a troll or flamebait, it is a very necessary wake up call to the average Joe Windows users. If more of them had patched their systems and used mail clients other than Outlook or Outlook Express as you have, then these viruses/worms wouldn't be such a big problem. Without the mainstream press letting these people know, they will not get the message.
Worse: insecure ON PURPOSE to allow macros etc (Score:5, Insightful)
True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.
There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.
But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.
The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.
Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)
This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!
Quote from a poster on that story:
Mmm-hmm, and there goes security.
(Story link: Gnumeric Now Supports All Excel Worksheet Functions [slashdot.org])
The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.
Re:MOD PARENT UP, more.. (Score:5, Interesting)
Anyway, as for your requirement for "INTENT." Back when the CodeRed came out, work gave me the responsibility of locking down our IIS servers. Back then I didn't have any experience with IIS so I did the smartest thing I could come up with - started reading and convinced work to send me to a one day SANS seminar. Well, the instructor told a story from an MS employee of how MS figured it was cheaper enable crap like Internet Printing and the like by default than it was to eat the cost of projected support calls they would get from people who wanted the feature but couldn't figure out how to enable it.
IOW, enabling everything in IIS was done because it saved MS a few bucks. That is a design decision. It was intentional and most importantly it was insecure.
You still want to mince words on this?
Just listen please.... (Score:5, Insightful)
Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?
People get in vehicles drunk and run into families of four, killing them all. Do you think that this unintentional side effect was, 'by design' when the engineers created the vehicle? Was it 'by design' when man created beer or wine?
I think I'm being treated VERY unfairly by most responses here.
I give you one more example.
When the hammer was designed, do you think the designer intended it to be used to kill people? Or how about the baseball bat?
This is being over-analyzed by so many techies, that I think the clear facts are being missed. That which is, the article is misleading and doesn't contain a fair wording of facts. Put yourself in the shoes of others. Take a breath and look at my point.
Re:Just listen please.... (Score:5, Insightful)
No, that would be the same as saying "Operating systems are insecure by design." What the article says is, "Windows is insecure by design." This is like saying "the Suzuki Samurai is unsafe by design." Damned thing tips over way too easy.
Here's an example I posted elsewhere about Windows being "insecure by design":
the article is misleading
Not really.
Re:Insecure by Design (Score:4, Informative)
Re:Insecure by Design (Score:5, Interesting)
Unless... (Score:5, Funny)
On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!
In a sense, it's true (Score:5, Insightful)
Re:In a sense, it's true (Score:4, Interesting)
Quick linux security test. (Score:5, Funny)
.
If nothing happens then you have a reasonably secure linux box.
Re:Quick linux security test. (Score:5, Insightful)
You know, being funny aside, you just demonstrated one excellent point: Users should have enough rights to have work done, but not so much to easily screw up the system. Don't use root privilege in vain!
Re:Quick linux security test. (Score:4, Insightful)
Now connect your Windows PC to the internet and wait for someone in Khatmandu to type "format c:".
The real issue however is that Windows * is still using a lot of code from DOS and Win3.1 for all sorts of shit. Those were the days, remember, when personal computers were just that, personal.
*nix has a pedigree in networked computers. So whilst mistakes are made in code of each system, always, one paradigm is always going to be more secure than the other. Until MS really, really and truely re-writes its OS. Shame the article misses this point by such a wide mile.
'windows attacked because popular' (Score:5, Informative)
-
Linux users (Score:5, Funny)
Like a Linux PC owner sleeps anyway....
Re:Linux users (Score:5, Funny)
Good idea (Score:5, Funny)
Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs
Nah... (Score:5, Insightful)
The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.
MS Bashing (Score:5, Insightful)
Re:MS Bashing (Score:5, Funny)
1. There's this bug users didn't patch for
2. The system's default configuration made almost everyone vulnerable being attacked via the bug, even if the user isn't actually making use of the buggy service.
On item [1], yes, there's a really strong argument that it's the user's fault. On item [2], though, it's pretty damn clearly the vendor's negligence.
Actually mac and linux users were affected (Score:5, Interesting)
quoth Marc Andriesen (Score:5, Informative)
Its nothing but a virus delivery system.
That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.
Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?
Bad design 4 Security - Bad 4 Servicing ... (Score:4, Interesting)
Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....
This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...
It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...
Re:Bad design 4 Security - Bad 4 Servicing ... (Score:5, Funny)
Can he give you the strength to forgive yourself?
Someone Who Gets It (Score:5, Insightful)
Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.
Linux needed to help keep Windows secure (Score:5, Interesting)
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
OS X is completely locked up... (Score:4, Informative)
Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh,httpd, afp, etc) running. 1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)"
If IE / Outlook ran in their own account.... (Score:5, Interesting)
The main problem with windows is the users.. (Score:5, Insightful)
This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.
Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?
Friend: Patched ? ?
Me: Yeah. You know downloaded updates for windows.
Friend: No..
Me: Oh well. Here is a link to a virus scanner try and run that first.
Me: Good now to update your system.
Me: So, Now I suggest you update your system with patches from windows update.
Friend: Why? What should I waste time download all that? What good does it do me ?
Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.
Friend: But how do I do it ?
And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.
long week for windows users is right. (Score:4, Informative)
overtime is great.
Conspiracy theory (Score:5, Interesting)
Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".
And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.
Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.
Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.
mark my words.
NSA Secure Linux going into the standard kernel (Score:5, Informative)
It's not a magic bullet, but mandatory security just went mainstream.
What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.
The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project [theregister.co.uk] failed.
Complete with ad for "Windows 2003 Server." (Score:5, Funny)
Windows does not have to be insecure. (Score:5, Interesting)
I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:
1 - No scripting host. If you don't need it, kill it.
2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...
3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...
4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.
5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...
6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.
7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.
8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!
9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.
10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.
That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.
This story is nice (Score:5, Funny)
It's so nice to see Microsoft finally get something right.
Re:Why was this posted? (Score:5, Interesting)
Re:Why was this posted? (Score:4, Interesting)
Comment removed (Score:4, Insightful)
Re:95% a target perhaps? (Score:5, Insightful)
Not exactly... (Score:4, Insightful)
Obligatory Question and (Score:5, Insightful)
The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.
There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).
Re:95% a target perhaps? (Score:5, Insightful)
But it makes a great difference (on Windows) right in a moment after you:
step1) Disable Internet Connection to Explorer and Outlook (almost no one virus can connect to internet to download it's other part or upgrade, because they mostly use ActiveX download object)
step2) Start using Mozilla or Opera or even better Thunderbird and Firebird (in this step you disable IFrame and OCX viruses)
step3) Teach users not to open
Problem with Windows is not 95%, but IE and Outlook are made as centerpart of the system, thus allowed to any action no matter how stupid it is.
Based on that: YES, Windows is insecure in its roots.
Re:95% a target perhaps? (Score:4, Insightful)
I learned about preventing buffer-overruns when I was in high school. This "most computers are running Windows" excuse for viruses is a cop-out, plain and simple.
Re:95% a target perhaps? (Score:4, Insightful)
Furthermore, *NIX has a massive presence in the server closets of the world. A worm that/virus that exploited these systems could be very lucrative for a malicious individual.
- Stealing corporate data (so we could find out who exactly SCO buys the stuff McBride is smoking from)
- DDoS attacks with OC-3 (rather than DSL/Dialup/Cable)
- Spam directly from the mail servers
There are certainly good reasons to write *NIX worms/viruses, but I think a combination of cluefull administration, a well designed OS, and to (a smaller extent) obscurity work together to make them a particularly hard target (when compared with Windows)
Re:95% a target perhaps? (Score:5, Insightful)
The only way to get everyone patched (moreso than the auto-download and ready to install of Windows) is to force everyone to patch. However, there would be several dupes on slashdot about how our rights are being taken away and how Microsoft can look into our computer. A step further, if people started using Linux, you might see the same thing with Linux...
Re:95% a target perhaps? (Score:5, Informative)
Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religously, start targeting Mac and Linux as much and see who is insecure
Actually, virus writers write virii targetting windows machines because windows machines are easy targets, not because there are so many licenses sold.
According to Netcraft's site survey [netcraft.com] only a quarter of active sites run Windows leaving the bulk of the public internet running on *nix.
I suspect much of the 95% of PCs you speak of are safely walled up in institutions, schools and corporations private networks, which are generally out of scope for a worm like blaster to target.
Now koniosis, what you should impress you is that *nix's run the majority of public sites on the internet, (those sites most easily attacked, i might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.
Finally, only a Microsoft employee could think that its justified that the amount of embarrasing code compromises grow proportionally to desktop marketshare.
Re:Choice (Score:5, Insightful)
I'm really not trying to be a troll here, but if a CS department requires a specific type of operating system (and probably the software that runs on said OS) in order to teach, then it's probably not worth the money to attend. Sure, learning to program with Microsoft's code du jour might help in the short term, but nothing beats teaching fundamental computer science principles in the long term.
What happens when the next big thing comes along and all the CS grads are stuck with C# as their sole reference point?
Re:Choice (Score:5, Informative)
In FAQ [vt.edu] they respond to the question "Do I have to use Windows XP Professional on my computer?" The requirement is more of a guideline for people who don't know what to get. And the original poster is probably just a karma whore who doesn't know what he/she is talking about.
Re:Apple and Linux systems are insecure too! (Score:4, Interesting)
Re:Corporate Blinders (Score:5, Interesting)
That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.
Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.
Re:Corporate Blinders (Score:5, Funny)
Re:It's not Windows' fault (Score:5, Informative)
This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.
A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.
If MS has followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may thing, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.
Re:It's not Windows' fault (Score:5, Insightful)
This is something that many take for granted, but it is quite important. RFCs are discussed publicly, and people review protocols independently of specific implementations. This means that the protocols themselves are refined, and implementors only have to worry about correctly coding to a given specification.
Under Windows, the specification is often "whatever works with this code is fine". This invites much less review of the protocols, and since the protocols are ill-defined, it's difficult to determine whether the protocol has been implemented correctly.
Re:It's not Windows' fault (Score:5, Insightful)
Even some Linux default installs have security holes. It's all in how it's done, not what it's done with. Are we supposed to throw out everything written in C now, too?
Only Partially True (Score:4, Insightful)
One of the first rules of design seems to be lost on MS designers. If you don't want users to do something then don't offer it as an option. You can pop up dialog after dialog warning users like this:
Do not click 'yes'. If you click 'yes' will crash the machine. Only click 'no'.
[Yes] [No]
How stupid is it for a user to click "yes"? How stupid was it for the programmer to put the "yes" button there?
Yet in MS program after MS program they tell you something is dangerous and allow you to do it anyway. I guarentee as long as applications allow this some malicious hacker will use a little word play or social engineering to allow them to do something destructive.
I really want to throttle the person at MS who tried to get people to believe computers are as easy to operate as toaster ovens. Computers are complex machines. Hiding the fact from the user is not only dubious but dangerous.
Re:enough with the virus hype (Score:4, Insightful)
Not everyone has the time/expertise/desire to learn that much about computing, and that's OK. If everyone were a geek, you'd have no one to bitch about, would you?
Re:what about Gentoo? (Score:4, Insightful)
emerge -u world how _hard_ is that?"
First off, I'm a Mac user but fairly experienced using Unix/Linux....
The Mac is better than most opertaing systems at easing the drugery of staying on top of patches and bug fixes...
*clicks software update*
Do you really expect newbie users of Linux to understand "emerge -u world" by chance? If so, there is MUCH work to be done to Linux's software update model. Sure the emerge command may seem trivial to most advanced Linux users, but what can be done to expand this simplicity towards the consumer market?
Re:Correct Me If I'm Wrong but.... (Score:5, Insightful)
Uhh, because some of us know our way around well enough to get programs from people that we want to run. Saving to HD and then running doesn't change a thing. To say you shouldn't be attaching executables is silly. People should be safe: know who sent them the mail, know what it is they are running, and run an up to date virus scanner, as well as keep their system patched.
If you are talking about automatic running of attachments, that is a different story, but I want my computer to do what I tell it to do.
Users are forced to run as admin (Score:5, Insightful)
* Old software runs as admin only. Stuff that came out during the DOS/Windows days, much of it pretty recent, simply won't run as anything but admin. This is a nasty legacy thing, and is a vestige of the horrendous design of Win95/98/ME.
* Too much new software runs as admin. For example, if you want to run Microsoft's own Age of Empires, it only installs as admin, and only runs as admin. This is a new application made by the mothership, and clearly, fits into the home scenario as the article. I'd guess that at least 20% of the apps on my Win2k box require admin rights.
* Too many housekeeping functions require admin.
* It is a relative hassle to run a program with admin rights when not admin. The most common way is to -right click on the program's icon, and then select Run As, and then enter the admin password. Ugh.
* Even for the disciplined, quick user switching allows admin to stay logged in, most likely still running OE or some other security nightmare.
The upshot is that if a user even understands the concept of not running as admin, they are forced to, or get lazy and do so.
I've set up several users on Win2k, and taught them about security, and why they really, really don't want to run as admin. Months later, they all are.
This will be a problem if Linux ever becomes widely adopted by home users, and why Lindows runs as root by default.
Didn't Apple get this figured out? Why haven't everyone else copy them as usual?
Jonathan
Re: Windows Is 'Insecure By Design,' ... (Score:5, Insightful)
I wonder how many people read the EULA's? I bet the numbers are related (and small).
Re:Nice to see such a mainstream source getting on (Score:5, Insightful)
Okay, maybe I should have turned on the firewall before connecting to the Intenet. I didn't realize the virii were scanning so relentlessly and quickly. I also thought that the idea of turning on a software firewall on a brand-new install seems a little dumb. All the firewall does is prevent incoming connections to insecure ports. If Microsoft knew when they shipped the OS that the ports would likely be found insecure, why wouldn't they just turn them off by default? I mean it is one thing to buy Norton Firewall on the presumption that they are fixing Microsoft's broken security model but why would I use a "security fix" that comes on the same CD as the program that introduced the security hole in the first place! It seems totally illogical to me.