Windows Is 'Insecure By Design,' Says Washington Post

Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"

Ummm...

[Exitthree]

But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.

Except the Mac and Linux users in charge of those systems... ;)

Re:Ummm...

[Li0n]

indeed...

I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me everytime I connect to the Internet... what can it be?..."

And people wonder why techies are grumpy...

Re:Ummm...

[Geek of Tech]

And people wonder why techies are grumpy...

Well, yeah, because you know we all make so much money...

Yeah.....

Re:Ummm...

[jonadab]

Exchange rates don't mirror cost of living, necessarily. The Aussie
buck isn't worth as much as the US buck on the international market,
but that isn't because the Aussie buck won't buy as much, locally,
as the US buck will buy in the US.

An example: the exchange rate between where I live (Galion Ohio)
and lower Manhattan is 1:1 -- one dollar from here is worth exactly
one dollar from there. Yet, an entire family here can live on less
money per month than the rent of a two-room apartment there.

The exchange rates do have an impact on the cost of living, as they
have an impact on the cost of some items, but not everything is
priced proportionally.

Here, $10/hour is a decent wage for a single person in a blue-collar
or entry-level position. I take home about that amount after taxes,
working as an entry-level computer troubleshooter (basically, a
one-man part-time IT department at a place too small to have a
full-time IT department), but a professional programmer would
certainly make more than that (except, I doubt if we have any in
the area). Fourty minutes' drive south of here there's a big
white-collar area (Worthington/Westerville, suburbs of Columbus --
conference complexes, marketing firms, shopping malls, and
three-quarter-million-dollar houses[1] as far as the eye can see)
where someone in a position equivalent to mine would make triple
my wage and struggle to get along. Rent is much higher there;
food costs more; everything costs more. A lot of people live up
this way and commute to work down there.

[1] Nobody would build a house that expensive in Galion, because
it wouldn't have resale value. We have a sparse handful of
houses in town worth two hundred thousand or a little more.
Part of it is that the land here is much cheaper.

Re:Ummm...

[Sandor at the Zoo]

I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

That's why I tell my family: If you want help with your computer, buy a Mac. I don't support PCs.

Just about everyone in my family has a Mac.

It's a win-win for me, since the amount of support you have to do for a Mac user is virtually nil -- they just work. :-)

Re:Ummm...

[andreMA]

Yes, so very many of them:

• Sunday, October 06, 2002 10:08:43 US/Pacific: Installed "Security Update 2002-09-20" (1.0)
• Sunday, October 06, 2002 10:09:19 US/Pacific: Installed "Internet Explorer 5.2 Security Update" (5.2.2)
• Sunday, October 06, 2002 10:21:30 US/Pacific: Installed "Mac OS X Update" (10.2.1)
• Friday, February 14, 2003 18:31:25 US/Eastern: Installed "Mac OS X Update" (10.2.4)
• Friday, March 07, 2003 17:43:42 US/Eastern: Installed "Security Update 2003-03-03" (1.0)
• Sunday, March 30, 2003 22:10:29 US/Eastern: Installed "Security Update 2003-03-24" (1.0)
• Saturday, April 12, 2003 13:35:20 US/Eastern: Installed "Mac OS X Update" (10.2.5)
• Tuesday, May 13, 2003 14:28:01 US/Eastern: Installed "Mac OS X Update" (10.2.6)
• Tuesday, June 10, 2003 12:52:53 US/Eastern: Installed "Security Update 2003-06-09" (1.0)
• Sunday, June 22, 2003 15:12:53 US/Eastern: Installed "Security Update 2003-06-09" (2.0)
• Thursday, July 24, 2003 15:30:54 US/Eastern: Installed "Security Update 2003-07-14" (1.0)

This includes security updates and point-revisions of the OS (which one might presume to have less-critical security updates rolled into them), and excludes application specific updates for the i-App suite, Safari, etc. that were not labelled as "Security" related (one might assert that they were in fact security related, but they included point-upgrades to the applications as well. Those toatlled perhaps 8-10 updates over the span covered). Note that two (Stuffit! and IE) are for 3rd-party bundled apps with labelled "Security" updates.

yes, I'm aware that I haven't installed the latest one to patch the off-by-one bug that impacts the FTP server. I'm waiting until I need to reboot for some other reason.

TOTAL UPDATES OVER THE PAST 10 MONTHS: 5. 7 if you count patches to 3rd party apps, one of which was IE. 10 if you're really liberal and include the point-revisions of the OS too.

Please tell me where these "lot of security updates in the past 6 months" are... I'm not seeing them.

Re:Ummm...

[SillySlashdotName]

As well as bashful, sleepy, sneezy, dopey,...

Re:Ummm...

[oliphaunt]

why not offer them a choice?

I'll help you move to linux for free, or I'll charge you $50 to fix your system this time.

tell them the charge will double each time they need help, for either system.

Re:Ummm...

[ball-lightning]

MS is at fault, the root of it, to be sure.

It's kind of funny, but I didn't have any problems with either of those viruses in any of my three WinXP machines. Maybe it was the common sense (Sobig) or the fact all my machines were updated (MS Blaster)or the common sense that 300 e-mails with the same attachment from people I don't know might, just might be a virus. This is not to mention of course the firewall, pestpatrol, and Norton Antivirus. Now, you might say, "well hey, my linux box had none of that, wasn't patched, no firewall, nothin!" but think for a few seconds. These viruses were programed for windows, not linux/any other os. Of course your non-windows computer was not infected, because the virus/worm was not made for it. So before you get on your high horse, remmember it can happen [wired.com] if someone bothers to write it.

Re:Ummm...

[1lus10n]

please please please PLEASE do not reference wired if you wish to garner any kind of respect.

and just for reference (as a person who works hell desk (tech support) for linux servers) i have not yet met a single person affected or infected by slapper. unix and unix derivatives are vastly more secure because of the way they were designed. not to mention most distro's dont leave 45 uneccasary things running by default, hence the admin of a unix box has to do less to be decently secured.

i will admit this virus wasnt particularly microsofts fault. but we have been doing this same routine for 8 -10 years now with them. sooner or latter they are going to have to own up to it, and yes microsofts systems are inherintly insecure. and no i dont run anything M$ on anything i own or admin.

i am also very aware that i am having a bad spelling day.

Re:Ummm...

[Cederic]

>> this virus wasnt particularly microsofts fault

If you're talking Sobig.F then yes, it is definitely Microsoft's fault.

In the early 1990s, people got laughed at (or gently educated) if they suggested 'I got that virus through email'. It just didn't happen.

Then MS turn up with their inherently insecure 'Automatically run stuff that's emailed to you' email client, actually build it into the OS (thus ensuring greater take-up than would otherwise have been achieved) and email viruses became commonplace.

The only way this virus wasn't Microsoft's fault is that they didn't write it themselves. The environment it runs in, that enabled it, is entirely and absolutely due to insecure design by MS.

~Cederic

Re:I have a coworker who kept saying it was hardwa

[dtfinch]

Some of us developers working for smaller businesses need to handle EVERYTHING.

"Hey, Dave, make our fundamentally different, colocated e-commerce sites securely share all their data amongst each other and seemlessly integrate it with this new proprietary MRP solution. Upgrade our computers when we're not using them. Find a legal way to install this one copy of Office onto all these computers. Make our computers faster and better. Don't touch my computer. Upgrade our Norton Antivirus server and all our clients. None of us want login passwords, but we do want security. This one mid-90's era server ought to be enough for all our needs. We want video conferencing on all our sites. We don't want to buy anything."

I do almost as much IT support as I do development.

Cars to Computers analogy

[TWX]

Well, checking the oil I'd put more akin to checking free resources. Same for most of the other fluids in the car, short of fuel. fuel's akin to turning the thing on in the first place. Do these people need to know how to operate the turn signals, trunk release, windshield wipers, domelight, etc? I'd rate them as your basic intelligent car owner.

As for changing fluids out, the computer equivalent would be to a backyard mechanic, who handles oil and antifreeze coolant. Maybe checks the tranny fluid and takes it somehwere if it doesn't look right. Changes out burned out lights, etc. Stuff that is mostly covered in the owner's manual, or at least has stuff like fluid quantities. In computers, I'd equate that with being able to hook up external devices and get them to work, being able to remove stuff from C:\WINDOWS\START MENU\PROGRAMS\STARTUP, configure basic network settings from instructions for something like DSL or Cable. Calls for support or a technician when something out of this range goes wrong.

A+ certified techicians would equivalently handle basics, like replacing alternators, starters, draining transmission fluid, replacing water pumps, checking differential gear oil, lubing the suspension or steering parts, replacing obviously bad water hoses, and the like. Stuff that stands out. By comparison to computers the person would be able to replace hard disk drives and CD-ROMs, install video cards, install the OS from scratch for the default configuration, configure sound support, and the like. Maybe even dig into the registry a smidgeon.

And above that you'd have your power-technicians, who would be up there with not being afraid to remove stuff like engines, axles, transmissions, steering columns, dash boards, interior parts, etc. These people would be able to play with advanced networking, deal with driver and IRQ conflicts, handle tweaking of the OS, dig into the registry a bit, etc.

Beyond that, you find different people who can rebuild engines or transmissions in their sleep, modify sheet metal artistically, handle advanced upgrading of suspension, and the like. They would in computer equivalents be specialized, but very talented. They probably wouldn't even do much of the lower-level work unless they had to, because they would be more valuable higher.

Well, that was quite long enough of a ramble...

Re:Ummm...

[aussersterne]

Not only for that reason.

I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.

So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"

Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.

Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?

The crap Windows security model has certainly affected me, a non-Windows user.

Re:Ummm...

[theCoder]

"...you have it easy, you run Linux, stop complaining!"

That's when you snap your suspenders, scratch your beard, and remember why you have that smug look on your face :)

Re:JRTFA

[abirdman]

Right on. My experience was the same. I was immunized from BLASTER on July 17th according to the log from MS Update. It's very hip and au courant to ignore MS Updates, because they're a pain, and their Service Packs don't have a great reputation. But updating early and often has kept me out of trouble.

When I started getting Sobig emails on Tuesday, I even took the time to call two of my friends (who subscribe to some of the same lists I do) to warn them not to trust emails with attachments. I had to explain the whole concept to them, but they got it. I got 40 the first day, 20 the second and only a handful since. And I had no desire to open any of them.

The biggest threat that Windows poses is that from users who are totally clueless... they turn on their machine thinking it's some kind of "email machine" and nothing else. Not a clue there are threats or risks out there. And no indication from Windows, or Outlook, or IE that anything they do could be unsafe. Windows update works, at least this time it did. They're not going to get more saavy, so there's no harm in telling people to use windows update.

Tell your friends:
1. Don't preview email
2. Delete email you don't know or trust
3. Don't open attachments if they're not absolutely known and expected
3. Update early and often

The article is right, Windows is dangerous. MS isn't going to tell the consumer, because that would threaten their (considerable) cash flow.

I'll shut up now.

Re:Ummm...

[nikal]

If you digitally signed all of your electronic communication then you could effectively get rid of this worry. People who trusted your key would know immediately that this was a spoof.

Re:Ummm...

[afidel]

PGP sign all your email, that way you will be able to prove that an infecting email did not originate from you. Also the very fact that it is a windows worm and you run Linux should indemnify you.

Re:Ummm...

[Jerf]

To you and nikal, PGP does not prove X did not come from you, it only proves that X did come from you. Even if you are using PGP it is quite easy to send an unsigned message.

Only somebody else's signiture, establishing that it came from them, could begin to establish that it did not come from you, and you would still need to establish that you aren't that somebody else, since having multiple signitures is trivial. (It would probably be reasonably satisfactory under most normal circumstances, though.)

Re:Ummm...

[Deusy]

On the subject of liability, I wonder why Microsoft is never held liabel for the billions of dollars that these incidents cost the world's economies. A little forethought this would never have happened.

Imagine if Ford were to sell a car with a fundamental problem. One that potentially cost lives. They did and they had to recall it.

Now these virus epidemics probably bring down some rather critical computers and potentially cost lives. (Yeah, yeah, mission critical machines should be kept uber patched...)

Microsoft really comes across as untouchable.

Re:Ummm...

[Li0n]

They cease to be liable the moment you click "I Agree"

Re:Ummm...

[Durandal64]

As sick as defending Microsoft makes me feel, I'm going to have to point out that your analogy isn't fair. A more apt analogy would be Ford making a car with a radio so defective that the car would explode if it received a signal of a certain frequency. Ford learns of this and initiates a recall. People ignore the recall, and then someone hijacks an antenna two weeks after the recall has been initiated and broadcasts said signal of said frequency. Cars explode.

Did Ford send the signal out? No, so they are not directly liable. Did they attempt to correct this problem before it was taken advantage of? Yes. Should such a disastrously massive problem have been allowed to make it into the final design? Microsoft do share some liability for the damage done, but not all of it. It was, after all, their incompetence that created the problem in the first place. Is it all their fault? No, sorry.

The other angle to look at is the cost of installing the patch. Since Windows requires you to reboot after changing all but the most trivial aspects of your system, this makes installing the patch extremely inconvenient for many server administrators. Administrators have no such excuse with a Linux system, which really only requires a reboot after changing the kernel. On Windows boxes, however, such required restarts can end up costing a lot of money, especially if the patch breaks a service that the server is running. So, one thing Microsoft could do would be to reduce the amount of required restarts. Good luck, since the GUI is the operating system, unlike a *nix box, where it's just another process that can be terminated without bringing down the system.

As I said, I now feel sick for sticking up for the pricks in Redmond.

New sig file...

[MasonMcD]

I now have a new signature on my emails:

*In light of the ability of some email viruses (eg SoBig.F) to spoof this address regardless of whether my machine is infected or not (for instance, pulling my address from a Windows user address book to use as a fake return address), if this statement is not included, consider a message from me to be a virus*

I figure that will be good, going out a few dozen times a day. I urge everyone to pen something similar. Cause, ya know, MS can never have too much bad press... erm, room to innovate.

Re:New sig file...

[E_elven]

Of course, the next big trojan (it's supposedly to be called DamnTiny.Bill) will include something like that.

From: BillG@ms.org
Subject: I hate you, b1tch!
Text:
It was joke. Ahaha.
Take a look at this. Finest Klatchian
waterbeetle clock, it's really quite
humorous.

*****
ALL MY EMAIL IS FOLLOWED BY THIS NOTICE.
IF IT IS NOT PRESENT, BE AWARE THE MAIL
IS NOT FROM ME AND MAY BE A VIRUS!
*****

Attachment: fkwbc34.vbs

Re:New sig file...

[dspeyer]

They beat you to it (sorta), Sobig.F contains the line

X-MailScanner: Found to be clean

Not sure what it achieves, but it's there.

Re:Ummm...

[thx2001r]

Windows security, (don't laugh) on NT 5 and up is not too shabby (when properly done... not to say that it is "secure", no systems plugged into electricity and a network are). The problem is not the security model, it's the default level of security applied out of the box. The default level is so lax, it is WISHING it were swiss cheese!

There are so many open orifices by default, it's, honestly, frightening to release a Windows system to the wild of being connected to the Internet without extensive preventative measures. Of course, keeping safe in a Windows environment is very possible but almost exclusively for technically savvy people, the rest of the Windows users (almost all of them) are running Windows with it's default pants down, bent over, with a giant neon "Rape Me" sign on them.

Sigh. Perhaps someday MS will enable some more of their security features BY DEFAULT on Windows (well, lets say, all of them, and then let users drop their computer's drawers if they choose to). Until then, look at it this way... MS's (deliberate?) default swiss cheese security keeps many a person employed plugging the holes.

If it were secure by default and kept itself in great working order automatically, what use would anyone have paying techies to do that? In a strange way, I owe my continued employment to MS's poor default practices.

Re:If you "trademark" your mail addy...

[Geek of Tech]

I am just trying to figure out how to strike a balance between limiting my exposure to liability in this networked world (because everyone is happy to sue these days) and still participating in society in normal ways.

Uh, hate to tell you, but unless you're sueing somebody you're not participating in society in normal ways.

Re:Ummm...

[LinuxGeek]

It dosen't have to be legal liability to cause trouble. A pissed off client, boss or girlfriend can be plenty of liability to have to deal with. If they have trouble understanding the actual causes, then good luck reasoning with them.

Re:Ummm...

[cybermace5]

Also, don't forget the Mac and Linux users who unfortunately happened to be in the address book of some poor Windows user. I'm about to go nuts from the 50-100 autoreplies from corporate virus scanners, and I know I have it easy.

Perhaps I'm doing something wrong...

[ScottGant]

I'm not an XP lover, but it's the OS that's on my computer. It just is. I play games and run Photoshop and other programs...so I use XP because my favorite programs all run on this OS on fairly cheap hardware.

Now, I may be doing something wrong here, but I've NEVER had a virus. I've never had a problem with a worm or anything really. XP hasn't even crashed on me before....ever. I've had programs hang up or crash...but the OS itself hasn't crashed.

And this has been the same on the 2 different machines that I've run XP on.

But yet, I always hear about everyone raking XP and Windows across the coals all the time. Yet I've never ever experienced nor do I know anyone anyone that's ever had major problems with XP. Oh, I know people out there have problems...but it's just that I personally have never known any.

Why is that? Now, as I said, I'm not an XP zealot at all. I could take it or leave it. But after reading here on Slashdot the evils of Windows and XP it would seem that my machine should have burst into flames months ago, yet it's going on day after day, never turned off, always hooked to the net...and chugging right along.

And I'm not really doing anything special. I keep up with all the updates to XP...which takes about 2 minutes out of my week. And I have basic Norton Antivirus running. I have Seti@home running when I'm away from the machine and I do a disk clean up and defragment maybe once a month or so.

So again, I must be doing something wrong (or right) to where XP doesn't give me one iota of problem.

I'm not praising XP...at least I don't mean to be praising it. You only see people bashing Windows, never praising it. To praise it would mean being thrown out of geekdom. So I think if XP or NT is working for you, you keep your mouth shut or just talk about how great Linux is.

I guess your mileage may vary.

Re:Perhaps I'm doing something wrong...

[naelurec]

Its all a matter of perspective. It seems like Windows NT/2k/XP works pretty good for knowledgable end users (Which you seem to be one ...). I have a W2K box that as a box works pretty good at what it does (though it does have some rather strange memory related problems .. but not nasty enough to justify a re-install...) However, atleast for me, after running Linux, Mac OS X and now FreeBSD as my primary desktop, I have a different perspective on how an operating system should work. I actually find the *nix desktops to be easier to work with. Not only are there a lot more cool features (ie mozilla has lots of neat features over Internet Explorer, same with KDE vs Explorer, etc..) but the entire system seems laid out much more logical. When programs install on my FreeBSD box, I know exactly what files it has installed and where (not to mention it is really easy to remove ALL the related files compared to the add/remove feature in Windows). I can quickly find what applications are running, I have a lot more information available to me as far as what is going on "under the hood" and most importantly, I can access all critical features on a fast SSH connection instead of trying VNC or some other cumbersome GUI interface. So whats my point? Well I suppose when my Windows using buddies, relatives and customers call me with yet_another_windows_problem (sobig, blaster, other viruses, adware, whatever..) I tend to think that "well if they were running *nix, would they have this problem? (usually not)" and "if they were running *nix, I could simply SSH to their box and fix the problem in a few minutes instead of explaining how to setup VNC over the phone and trying to troubleshoot it remotely (with their side being a 28.8k dial up connection)) or hopping in my car and physically sitting in front of the computer and hacking away at it.. Whats my point? I dunno. I guess I have found the *nix systems to be generally better than the Microsoft offerings. Since using *nix, I have different expectations to how my computer should work and at this time, Microsoft does not meet these expectations. Infact, when I am using Windows boxes, I have found that I get frusterated with the machine because it doesn't work like I am use to.

Re:Ummm... AGAIN, WHY NOT WINDOWS LINUX????

[croddy]

oh yes. they could call it MSUX.

Good point, muddled way of expressing it

[Raindance]

There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".

That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1). It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, Items central to the functioning of Windows do not lend themselves to good security.

Re:Good point, muddled way of expressing it

[the Man in Black]

I didn't take that phrase that way until I read your post. The writer isn't stating that Windows engineers designed the OS to be insecure, he's stating that the way Windows was designed lends itself to insecurity. Two different takes on the phrase "by design". Slightly misleading, sure, but he clarifies in the article, so it's cred by me. I particularly like the comparisons he makes with Windows, OS X, and Red Hat's default install.

Re:Good point, muddled way of expressing it

[dhogaza]

Do keep in mind that at major papers like the Post reporters don't write the headlines. Just as they don't decide where their story will run (or if it will run), how big the type used for the head will be, whether or not there will be a subhead, etc.

So don't ding the reporter for the slightly misleading headline. Sounds like the reporter got it right in the part he or she wrote - the article.

Re:Good point, muddled way of expressing it

[rekkanoryo]

The problems with Windows are largely what was pointed out in the article:

• Users complain they don't trust Microsoft and don't apply Critical Updates
• XP's firewall is off by default and takes at least five steps to turn on
• XP leaves five ports open by default--three of them are 137, 138, and 139, the NetBIOS over TCP/IP ports

I have the following to say on those issues, however:

• If users don't trust that Microsoft can patch a hole, they shouldn't use Windows and shouldn't buy PCs preconfigured with Windows, no matter how crappy the software availability and quality for the alternatives
• For the XP Home software, all dialup interfaces should have the firewall on by default. XP can automatically detect broadband connections as well, so on broadband internet connections the firewall should also be on by default
• Ports 137 through 139 should be disabled by default until file sharing is turned on. And even then, those ports should be specifically closed on all internet-facing interfaces. The port that console messages are sent on should be closed to the internet-facing interfaces as well, and probably just closed period on Home since console messages are supposed to be used by administrators in domain environments

These are not the only problems with Windows, nor are these solutions I propose going to be 100% fool-proof. But most of the problem comes to users' carelessness or naivete. By turning off all the unimportant messages in XP such as

• Get a Passport
• Take a tour of Windows XP

should wait until after more important, security-related messages such as

• If you choose to use Windows Automatic Updates, your computer will automatically update itself with the latest security patches. This will ensure fewer problems and enhanced reliability while your computer is connected to the Internet. Click here to learn more.
• If this computer will be directly attached to the Internet through either a dial-up modem, a cable modem, or a DSL modem, you should enable the Internet Connection Firewall by clicking here and following the instructions. The firewall will help protect your computer from hackers and self-spreading worms on the Internet, keeping your computer working properly much longer.

It's simple steps like these that, on top of proper security considerations and testing when designing and writing the code, will help protect users and the net in general from what we suffer right now.

Re:Good point, muddled way of expressing it

[PygmySurfer]

XP's firewall is off by default and takes at least five steps to turn on

I seem to recall XP's firewall being turned on during the inital "Welcome to Windows" wizard that pops up after installation, if you choose the option "This machine will be directly connected to the internet" (Or something like that).

That being said, I always turned the firewall OFF, it was too much of a pain to set up additional ports to allow.

Since then, I've moved to a Mac, and OS X's firewall is much easier to configure.

I certainly agree with the rest of your points though (and the majority of the article).

Re:Good point, muddled way of expressing it

[hankaholic]

Fair enough, but many people may opt not to download updates because of their rediculous size.

Under Debian, at least, if a package is found to have a security hole, I have several options.

I can download only the affected package. Of course, since it's Debian, I can always opt to just bring the whole system up to date. If bandwidth is really a problem, I can even manually rsync an older local copy of the package against the updated version upstream.

Unfortunately, rsync isn't done by apt-get automatically, but the option to do it manually is there, as many Debian mirrors do support rsync.

The point is, though, that with Linux and the BSDs, you can find out exactly what you're downloading, and determine exactly what effect the new package will have. With XP, you might have no idea what you're getting. Spending eight hours downloading MS updates when you don't know what you're getting isn't something most people consider worthwhile, especially when it's often the case that after updating Windows, it's found that there have been refinements to the updates that just occurred, and so Windows wants to download yet more stuff, and reboot yet again!

People want to use their systems, not maintain them. As long as the MS "critical updates" take ages to download and often create the need for further updates, people will continue to ignore the "Windows updates are available" messages.

Rebooting is a lot to ask. Large downloads are a lot to ask. If I were to install all of the "important" updates available to Windows at the moment, it would require several reboots, especially since many components can't be installed at the same time. Under Debian, not even one reboot would be required, unless the kernel were updated. Under Windows, if I update Media Player, a reboot is required, and Windows won't even let me update other things at the same time!

I'm just glad I'm behind a firewall.

Re:Good point, muddled way of expressing it

[1010011010]

Well, he could have mentioned a true "Insecure by Design" flaw in Windows: the fact that Windows determines that a file is executable based on its *name*. If a file ends in .exe, .vbs, .bat, .scr, or one of lots of other extensions, Windows assumes it's executable and will load and run it when the user clicks on it. Or a "shell" command references it, etc.

On Unix and unix-like systems, one has to explicitly mark a file as executable before ths OS will try to run it, and it's even possible to deny the "execute" permission to an entire filesystem (for instance, users' read-write home directories).

Re:MOD PARENT UP, more..

[SoftwareJanitor]

Where you are wrong, and the Washington Post is correct is that Windows doesn't have to be intentionally flawed to be 'flawed by design'. Something can be flawed by design as far as security goes just in neglecting to design a proper security model to begin with. Windows is flawed because it wasn't designed to be secure from the beginning, and newer versions, even those written after Microsoft started to become more aware of the need for security, have been hamstrung by their need to retain backwards compatibility with older versions and for software written for older versions which in many cases just won't install and/or run correctly on a properly locked down installation of Windows. Whether Microsoft intentionally designed in security flaws isn't what matters, what matters is Windows, as it is currently designed and implemented has some inherent design flaws which make it less secure than it needs to be. Among them are the fact that so much Windows software relies on being able to write to system directories (to add DLLs, etc) to be installed, which leads most people to allow too many users to be able to access too many files. Another is the fact that Microsoft built in scripting which allows too much access to low-level functionality (in other words, it doesn't run everything in a restricted sandbox) into just about everything, including the email clients and office software most Windows users depend on. Another is the fact that executability is based on file extension and not by permissions, if it wasn't, then people wouldn't be able to accidently execute malicious downloads so easily. This problem is compounded by the fact that by default most Windows facilities and software likes to hide the file extension.

The Washington Post article is not a troll or flamebait, it is a very necessary wake up call to the average Joe Windows users. If more of them had patched their systems and used mail clients other than Outlook or Outlook Express as you have, then these viruses/worms wouldn't be such a big problem. Without the mainstream press letting these people know, they will not get the message.

Worse: insecure ON PURPOSE to allow macros etc

[Doug Merritt]

Windows is flawed because it wasn't designed to be secure from the beginning

True, but far worse: Microsoft quite intentionally continues to make Windows and Office etc insecure on PURPOSE, as a side effect of offering full programmability of email, Excel, etc.

There wouldn't be any email viruses nor spreadsheet viruses nor Word document viruses if these apps were lobotomized -- if they could not be programmed.

But Microsoft continually makes the business decision that adding the power of programmability to every app is much more important than the resulting insecurity.

The vast majority of Linux apps do not allow that kind of programmability -- even when extension languages like Guile/elisp/etc are available in Unix apps, programs aren't automatically and blindly run whenever some hapless user receives email or views a spreadsheet or whatever.

Conversely, whenever that kind of programmability is added to Unix apps, if it is triggerable just by receiving/viewing a file, then Unix viruses will become far more rampant. (A small saving grace is that the Unix viruses mostly, but not always, will run as some user rather than as root, but this is really only a small issue.)

This should be a wake-up call to teams like Gnumeric; just yesterday on Slashdot Gnumeric was criticized for not supporting every single MS Excel feature, and Jody Goldberg replied that hopefully it would include those by next year. But any Unix app that is 100% compatible with a MS app will be virus prone!

Quote from a poster on that story:

Worksheet functions are great, but a lot of Excel's draw comes from its embedded VBA. Companies that rely on workbooks with embedded VBA probably wont be willing to switch to Gnumeric until it has support for VBA, or something very similar.

Mmm-hmm, and there goes security.

(Story link: Gnumeric Now Supports All Excel Worksheet Functions [slashdot.org])

The really sad thing is that the marketplace clearly agrees with Microsoft about this tradeoff: corporate and personal users are far more concerned with having the power of macros/Visual Basic/etc built in to everything than with even basic security.

Re:MOD PARENT UP, more..

[Flower]

MS chose to enable features as default that did not need to be on most installs. That is an insecure design. To be fair, earlier versions of RH did the same stupid thing and got burned by it. Macs also used to suffer from worms though I don't know why things got better - sorry used to keep up with Macs but not anymore.

Anyway, as for your requirement for "INTENT." Back when the CodeRed came out, work gave me the responsibility of locking down our IIS servers. Back then I didn't have any experience with IIS so I did the smartest thing I could come up with - started reading and convinced work to send me to a one day SANS seminar. Well, the instructor told a story from an MS employee of how MS figured it was cheaper enable crap like Internet Printing and the like by default than it was to eat the cost of projected support calls they would get from people who wanted the feature but couldn't figure out how to enable it.

IOW, enabling everything in IIS was done because it saved MS a few bucks. That is a design decision. It was intentional and most importantly it was insecure.

You still want to mince words on this?

Just listen please....

[Genjurosan]

Your reply is the best so far; however, just take a step back and listen to my point.

Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?

People get in vehicles drunk and run into families of four, killing them all. Do you think that this unintentional side effect was, 'by design' when the engineers created the vehicle? Was it 'by design' when man created beer or wine?

I think I'm being treated VERY unfairly by most responses here.

I give you one more example.

When the hammer was designed, do you think the designer intended it to be used to kill people? Or how about the baseball bat?

This is being over-analyzed by so many techies, that I think the clear facts are being missed. That which is, the article is misleading and doesn't contain a fair wording of facts. Put yourself in the shoes of others. Take a breath and look at my point.

Re:Just listen please....

[1010011010]

Do you think we should write an article that claims that Henry Ford invented the automobile as a device to kill people 'by design'?

No, that would be the same as saying "Operating systems are insecure by design." What the article says is, "Windows is insecure by design." This is like saying "the Suzuki Samurai is unsafe by design." Damned thing tips over way too easy.

Here's an example I posted elsewhere about Windows being "insecure by design":

Well, he could have mentioned a true "Insecure by Design" flaw in Windows: the fact that Windows determines that a file is executable based on its *name*. If a file ends in .exe, .vbs, .bat, .scr, or one of lots of other extensions, Windows assumes it's executable and will load and run it when the user clicks on it. Or a "shell" command references it, etc.

On Unix and unix-like systems, one has to explicitly mark a file as executable before ths OS will try to run it, and it's even possible to deny the "execute" permission to an entire filesystem (for instance, users' read-write home directories).

the article is misleading

Not really.

Re:Insecure by Design

[Tony-A]

Fact: File extensions are still hidden by default.

Re:Insecure by Design

[BRTB]

Also fact: System relies on file extensions to differentiate between executable and non-executable files, which in my mind is a bit worse.

Unless...

[Chemical Serenity]

... you count the *nix administrators who had to scramble to put in antivirus software on the corporate mail server to stem the tide of 50k+ virus mails per day.

On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!

In a sense, it's true

[Anonymous Coward]

The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much imrpoved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are update will the ability to use real user security settings become practical.

Re:In a sense, it's true

[manly_15]

If every software maker followed these Microsoft specifications [microsoft.com] Windows would be a much better operating system. A good example of a broken app is Palm Desktop. First of all, it only works with one user. Second, to install it, you have to give the limited user admin rights, install it, and bring them back down to limited rights. It's the same for Documents To Go. Talk about a PITA - and notice that neither of the apps boxes have the Windows logo on them.

Quick linux security test.

[Anonymous Coward]

To test if your linux box is secure, press alt f2 to open up the run dialog, then type

yes > /dev/mem

.

If nothing happens then you have a reasonably secure linux box.

Re:Quick linux security test.

[Negative Response]

I just did it and the result is:

zsh: permission denied: /dev/mem

You know, being funny aside, you just demonstrated one excellent point: Users should have enough rights to have work done, but not so much to easily screw up the system. Don't use root privilege in vain!

Re:Quick linux security test.

[donnz]

Oh, ha, yes, funny.

Now connect your Windows PC to the internet and wait for someone in Khatmandu to type "format c:".

The real issue however is that Windows * is still using a lot of code from DOS and Win3.1 for all sorts of shit. Those were the days, remember, when personal computers were just that, personal.

*nix has a pedigree in networked computers. So whilst mistakes are made in code of each system, always, one paradigm is always going to be more secure than the other. Until MS really, really and truely re-writes its OS. Shame the article misses this point by such a wide mile.

'windows attacked because popular'

[gl4ss]

the author makes nice (partial if you may)rebuttal of this myth, and also points to something to back it up like the number of open ports that create potential possibilities for holes,and that are for services that are default enabled, yet shouldn't be used in hostile environment(and how ms does nothing about it, and how xp was supposed to be more secure in matters like this). and frankly i haven't heard of non-hostile environment involving more than 10 people in a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.

-

Linux users

[jabbadabbadoo]

"But nobody with a Mac or a Linux PC has had to lose a moment of sleep "

Like a Linux PC owner sleeps anyway....

Re:Linux users

[ceejayoz]

They do sleep, they just sleep alone. ;-) joking, joking...

Good idea

[Rosco P. Coltrane]

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.

Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs ...

Nah...

[Faust7]

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.

The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.

MS Bashing

[mOoZik]

This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly ever user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!

Re:MS Bashing

[cduffy]

There're two issues:

1. There's this bug users didn't patch for

2. The system's default configuration made almost everyone vulnerable being attacked via the bug, even if the user isn't actually making use of the buggy service.

On item [1], yes, there's a really strong argument that it's the user's fault. On item [2], though, it's pretty damn clearly the vendor's negligence.

Actually mac and linux users were affected

[jdigriz]

Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquantainces, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.

quoth Marc Andriesen

[Crashmarik]

Regarding IE and Active X.

Its nothing but a virus delivery system.

That was about 8 years ago. Microsoft destroyed netscape and aside from some humorous footage of Bill Gates lying under oath nothing was done about it.

Now someone in the mainstream press has actually done their homework. Are we supposed to be impressed ?

Bad design 4 Security - Bad 4 Servicing ...

[leoaugust]

Not only are the security implications horrendous in the MS products, but servicing them is a nightmare ....

This story just caught me at a bad time ... I have been trying to do a file/printer sharing between 2 computers running Win 2000 Prof and Win XP Prof using a hub. You would think it would be plug and play, and a little bit of configuration - and that is how I set out my cost estimates for a small business that wanted me to do it for them ... big mistake ...

It is 3 days past now. I have read probably 100 + articles to understand the security implications for these windows products .... Used all sorts of keywords in google to get many articles to see how the damn networking is done in the first place. And I am now thoroughly confused, tired, and am spending a lot of unpaid hours getting this damn networking done. FOR GOD's sake I am trying to network two products from the same company ... How could MS screw it up and make it such a nightmare .... and do such dumb stuff as not turning the security features on by default so that I don't even know what I am exposing, all the patches that are being issued faster than I can download ...

1. I have both the lights from the two computers in my hub flashing - thank god.
2. I can connect via one computer to the internet - praise the lord.
3. But I can't get the file/printer sharing done yet ... - Forgiveness is divine.
4. And as the feed is provided by a cable internet operator, which has a pool of computers of its own, I am not even sure of what is secure and what is not - Ignorance is a bliss.
5. And I have lost a lot of money and time ... Lord, give me the strength to forgive those who do not know what they are doing ....

Re:Bad design 4 Security - Bad 4 Servicing ...

[Politburo]

Lord, give me the strength to forgive those who do not know what they are doing ....

Can he give you the strength to forgive yourself?

Someone Who Gets It

[MBCook]

Everything I've heard on TV and Radio that's been more than just "There is a new virus" that has an attitude that I just can't stand. A thing I heard on NPR put it perfectly. Basically the attitude is that this is the way the computer industry is, and maybe they should do something about it.

Computer industry? WHAT COMPUTER INDUSTRY? The VAST majority of these big viruses exploit who's products? All togerther now: MICROSOFT. This isn't Apple's fault, Macromedia's fault, iD's fault, or anyone else. These things are almost all MICROSOFT's. Finally someone in the media seems to get it.

Linux needed to help keep Windows secure

[dwheeler]

GNU/Linux systems can be used to help Windows systems get a little more secure.

A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.

My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!

Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.

OS X is completely locked up...

[cfoster611]

In comparison, Mac OS X ships with zero ports open to the Internet.

Actually, OS X does have (in most systems) some ports/services open by default. Here's a sample portscan with no user-services (ssh,httpd, afp, etc) running.

Port Scan has started ...

Port Scanning host: 127.0.0.1

Open Port: 427
Open Port: 631
Open Port: 1033

1033 is assigned to NetInfo
427 is "server locator"
631 is "IPP (Internet Printing Protocol)" ...according to the iana.

If IE / Outlook ran in their own account....

[tjstork]

With write priviledges only to their own sandbox, then, none of this would be happening. Instead, you've got IE and Outlook running as a user's account, so, despite the prevalance of a workable user based access control list based security system in Windows, Microsoft does not use it where it really counts. Dumb dumb dumb.

The main problem with windows is the users..

[Ramion]

Today I sat down at my computer when I got a MSN message from a friend. That friend is complete noob with computers and now he had a problem.

This is pretty much what was said:
Friend: Hey. I got a problem with my computer. It has shut itself two times today, without me doing something. What do you think is wrong? I heard something about a virus.

Me: Yeah there is a few major virus's flowing around the net right now. Have you patched your system?

Friend: Patched ? ?

Me: Yeah. You know downloaded updates for windows.

Friend: No..

Me: Oh well. Here is a link to a virus scanner try and run that first. .... After awhile, me trying to explain him how to scan for viruses. Yeah! It found a virus named blaster and I THINK he got it removed...

Me: Good now to update your system. .... I, after awhile, get him pointed to the windows update and the patch for blaster. Again I think he got it installed ....

Me: So, Now I suggest you update your system with patches from windows update.

Friend: Why? What should I waste time download all that? What good does it do me ?

Me: Well... It secures your system, give you updates to windows programs and IE and new drivers. You know. Makes it upto date.

Friend: But how do I do it ? .... I try to explain him how to use windowsupdate but is almost giving up since he just dont get he just gotta press scan for updates and then install updates. Well in the end he gives up and says he dont care ....

And there is the entire windows Security problem. Users that just come to their computer to surf abit and download a few programs like kazaa or emule just dont feel the need for updates. And they end up spreding the viruses to the entire net. Oh.. And it dont help that MS dont allow pirate versions of windows to be updated fully. I can see why it would in sense suck for them to give free updates to people that havent payed for the system. But people dont get updates when its all blocked. Which in end leads to viruses like this to run wild.

long week for windows users is right.

[htmlboy]

it's dorm move-in weekend at the university where i work. after looking at a sample of the machines brought to school by students given the privilege of early move-in (ra's, mainly), we found that less than 5% of our students were patched for both blaster/lovesan and welchia/naichi. as such, it was decided that shutting off the entire residence hall network would be easier than shutting off ~95% of the ports once they got infected (typically takes 3-5 seconds in this environment). so our student workers and a few full-timers like me get to make our way to every single student machine (~8,000 students in the dorms) and analyze, clean, patch, and install a current virus scanner.

overtime is great.

Conspiracy theory

[bokmann]

I'm late to the party with this reply, but I'm posting it anyway for posterity. Someday I'll find this message and link back to it.

Windows IS insecure by design. The Virii and worms that are happening now are pissing people off. In the future, Microsoft will bring the 'security' scheme from the XBox to Windows... code will have to be signed by Microsoft in order to run on Windows. the press will love it, and you will see tons of articles saying things like "Microsoft gets Security Right" and "Microsoft Announces the End of Virii".

And in the end, you and I won't be allowed to fire up a compiler and write a trivial little 'Hello World' program without buying a runtime license from Microsoft, which will be embeded in every program you write.

Innovation will be stifled... I doubt Microsoft will be very license-friendly to Sun, or Apache, or Cygwin, etc.

Microsoft's own lax security is a plan to pave the way to their heavy handed takeover of your computer.

mark my words.

NSA Secure Linux going into the standard kernel

[Animats]

On August 13, 2003, with little publicity, the NSA Secure Linux [nsa.gov] was merged into the mainline Linux kernel. It's in 2.6.0-test3 and later kernels. There's also useful documentation at the sysadmin level [nsa.gov], and the beginnings of a multilevel secure X-windows system.

It's not a magic bullet, but mandatory security just went mainstream.

What this all means is the ability to put programs into levels and compartments from which they can't escape. Security breaches in the mail handler or the web server can't propagate to the rest of the system.

The code is open source, GPL, and written by the United States Department of Defense's National Security Agency. It looks like Microsoft's attempt to shut down that project [theregister.co.uk] failed.

Complete with ad for "Windows 2003 Server."

[spoot]

I thought it was amusing when I surfed over to the Post to read the article there was an ad for "Windows 2003 Server" on the page. I had to take a screen shot. If you want it it's here --> http://johnford.net/images/windows_ad01.jpg [johnford.net]

Windows does not have to be insecure.

[facelessnumber]

...Or, "The Tecn Commandments of Windows Security."

I run Linux on my servers, but for compatibility, certain programs I need, etc., etc., my workstations use XP. I haven't patched anything. I don't trust the patches and especially not the Service Packs. They can break things and slow things down. If my box is working, why tempt fate? There are a few, very simple things to do that will keep Windows almost entirely secure:

1 - No scripting host. If you don't need it, kill it.

2 - No Outlook. Outlook is bad. IE is almost as bad. Everyone should know this by now. And if you must use it...

3 - Don't open file attachments from anybody unless you know what the hell they are! Why is this so difficult? Well, it's because people never...

4 - Unhide the file extensions. You wouldn't eat something from a package simply labled "food" without having some clue what's in it, so why double-click an icon without knowing what it will do? Learn what these extensions are, and Google it if you're not sure what a given one means.

5 - Don't use IE if you don't have to. Mozilla's now advanced and stable enough that you should almost never have to use IE to properly view a site. I never have a problem with popups, and I've never had my browser hijacked. Using IE tempts people to break #6...

6 - Read the question before you answer "Yes." Do you walk around at work slackjawed and answering "yes" to every question you're asked without listening? If you weren't specifically looking for what a site wants you to install, chances are you don't need it.

7 - Firewall. Buy a $30 broadband router, build a Linux gateway, enable XP's own, built-in, pre-installed firewall, or get something like Zone Alarm, depending on your needs and/or level of computer literacy.

8 - Don't download software without knowing exactly what it is. Read the license agreement. Sure, I like to check out neat toys on Download.com too, but not if I have to install Gator or GAIN to use them. See #6. Read!

9 - Check your processes. and read what's going on in there. Google each one. This is a pain in the ass the first time, but do it once and then you'll know when something's not supposed to be there.

10 - Watch who gets your email address. Get two. One for ordering/registering things, and one that you only give to real people.

That's it. I run no antivirus software and my system thanks me for it with good performance. I have not loaded a Service Pack, a patch, anything. None of this is difficult. These rules are simple enough for almost anyone to follow, and the major ones are extremely easy.

This story is nice

[inkswamp]

So Windows is insecure by design, huh?

It's so nice to see Microsoft finally get something right.

Re:Why was this posted?

[Audity]

It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.

Re:Why was this posted?

[brokencomputer]

I agree. The Washington Post is a very well known newspaper that many people get. Even my father(who subscribes to WP) read the article this morning and showed it to me because he thought I might find it interesting. He isnt the type to read stuff like slashdot. Just a note..I saw it at news.google.com this morning.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:95% a target perhaps?

[Anonymous Coward]

what about web server worms? apache is much more used than iis, but this didn't help iis...

Not exactly...

[Dimensio]

Apache is more deliberately used than IIS. IIS, however, has a very widespread install base amongst clueless users who don't even realise that they're running it, thanks to Microsoft's boneheaded install procedures.

Obligatory Question and

[Anonymous Coward]

Obligatory Response:

The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.

There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).

Re:95% a target perhaps?

[justsomebody]

Funny, you say that. That excuse is getting to its old age.

But it makes a great difference (on Windows) right in a moment after you:
step1) Disable Internet Connection to Explorer and Outlook (almost no one virus can connect to internet to download it's other part or upgrade, because they mostly use ActiveX download object)
step2) Start using Mozilla or Opera or even better Thunderbird and Firebird (in this step you disable IFrame and OCX viruses)
step3) Teach users not to open .pif and .vbs (Here you stop user interaction for virus to be downloaded)

Problem with Windows is not 95%, but IE and Outlook are made as centerpart of the system, thus allowed to any action no matter how stupid it is.

Based on that: YES, Windows is insecure in its roots.

Re:95% a target perhaps?

[Liselle]

Give me a break. Linux (and Mac) don't have a huge share of desktops, but more and more companies (the kind of companies you want to hack and steal credit card numbers from) are running Linux-based servers. The source code for Linux is on millions of computers, naked to the world.

I learned about preventing buffer-overruns when I was in high school. This "most computers are running Windows" excuse for viruses is a cop-out, plain and simple.

Re:95% a target perhaps?

[evn]

The size of the windows audience has something to with the sheer number of viruses & worms, but that doesn't mean that mean that BSD/Mac OS/Linux are automatically just as insecure as Windows. Microsoft hasn't exactly gone out of it's way to ensure that users are safe and secure (not to the extent that OpenBSD has anyway)

Furthermore, *NIX has a massive presence in the server closets of the world. A worm that/virus that exploited these systems could be very lucrative for a malicious individual.
- Stealing corporate data (so we could find out who exactly SCO buys the stuff McBride is smoking from)
- DDoS attacks with OC-3 (rather than DSL/Dialup/Cable)
- Spam directly from the mail servers

There are certainly good reasons to write *NIX worms/viruses, but I think a combination of cluefull administration, a well designed OS, and to (a smaller extent) obscurity work together to make them a particularly hard target (when compared with Windows)

Re:95% a target perhaps?

[lpret]

I think this has to do more wiht the type of user we are talking about here. Joe Sixpack doesn't know anything about computers and thus uses Windows. Then we blame him when his computer has a worm. Well, if JS used Linux he wouldn't update his system either.

The only way to get everyone patched (moreso than the auto-download and ready to install of Windows) is to force everyone to patch. However, there would be several dupes on slashdot about how our rights are being taken away and how Microsoft can look into our computer. A step further, if people started using Linux, you might see the same thing with Linux...

Re:95% a target perhaps?

[deputydink]

Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religously, start targeting Mac and Linux as much and see who is insecure

Actually, virus writers write virii targetting windows machines because windows machines are easy targets, not because there are so many licenses sold.

According to Netcraft's site survey [netcraft.com] only a quarter of active sites run Windows leaving the bulk of the public internet running on *nix.

I suspect much of the 95% of PCs you speak of are safely walled up in institutions, schools and corporations private networks, which are generally out of scope for a worm like blaster to target.

Now koniosis, what you should impress you is that *nix's run the majority of public sites on the internet, (those sites most easily attacked, i might add) with a marked minority of serious compromises as compared to Windows. More sites, less bugs. Simple.

Finally, only a Microsoft employee could think that its justified that the amount of embarrasing code compromises grow proportionally to desktop marketshare.

Re:Choice

[Exitthree]

I'm really not trying to be a troll here, but if a CS department requires a specific type of operating system (and probably the software that runs on said OS) in order to teach, then it's probably not worth the money to attend. Sure, learning to program with Microsoft's code du jour might help in the short term, but nothing beats teaching fundamental computer science principles in the long term.

What happens when the next big thing comes along and all the CS grads are stuck with C# as their sole reference point?

Re:Choice

[mjmalone]

If you read the computer requirements [vt.edu] for computer science majors you will see that they also require to you be able to run mandrake linux.

In FAQ [vt.edu] they respond to the question "Do I have to use Windows XP Professional on my computer?"

Certain assignments or software in some classes may require the use of Windows which is available in the Computer Science undergraduate labs. If you do not run Windows on your computer, you will miss an educational opportunity to learn Windows administration, which is a marketable skill. The Department will not check that you are, in fact, using Windows XP Professional. However, if you choose to run Windows 95 or 98, you will almost certainly experience increased difficulty in the programming classes.

The requirement is more of a guideline for people who don't know what to get. And the original poster is probably just a karma whore who doesn't know what he/she is talking about.

Re:Apple and Linux systems are insecure too!

[David Gerard]

And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't.

Re:Corporate Blinders

[vacaboca]

"all this evidence for the need for operating system diversity in the corporate realm"...?

That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.

Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.

Re:Corporate Blinders

[mjmalone]

What is it going to take? Ships sinking? Trains being derailed? Satellites dropping out of orbit?

Major power outages in the northeast!? Entire DMV operations being shutdown!? Massive denial of service attacks cripleing the internet!? E-mail viruses bringing hundred thousand dollar mailservers to their knees!?

Re:It's not Windows' fault

[lkaos]

The recent DCE/RPC vunerability exploited MS's DCOM implementation residing on the end point mapper port using raw DCE/RPC over TCP.

This has nothing to do with Unix and certainly isn't a standard (hell, Samba doesn't even support this). This was totally a MS-original.

A lot of the http virii are based on MS-extensions or broken non-standard behavior of the MS clients.

If MS has followed what you refer to as "obscure unix standards", this wouldn't be an issue. Despite what you may thing, Unix systems were designed with security in mind whereas Windows was designed as a user-operating system.

Re:It's not Windows' fault

[hankaholic]

In a response to a recent story, someone mentioned that UNIX standards were generally based upon specifications which had been made publically available for comment.

This is something that many take for granted, but it is quite important. RFCs are discussed publicly, and people review protocols independently of specific implementations. This means that the protocols themselves are refined, and implementors only have to worry about correctly coding to a given specification.

Under Windows, the specification is often "whatever works with this code is fine". This invites much less review of the protocols, and since the protocols are ill-defined, it's difficult to determine whether the protocol has been implemented correctly.

Re:It's not Windows' fault

[Limburgher]

These are not failures of the security of the protocols. These are failures of the MS implementations of these protocols. Both IIS and Apache use http, and yet one is more secure than the other. Both Exchange/Outlook and Sendmail/(insert favorite MUA here) use smtp, and look at which one spreads virii like the clap. To blame these 'obscure' standards is like blaming the wheel for problems with Ford Explorers rolling over. It's not the standard, it's the piss-poor impementation.

Even some Linux default installs have security holes. It's all in how it's done, not what it's done with. Are we supposed to throw out everything written in C now, too?

Only Partially True

[EXTomar]

While it is true that a lot of these things rely on social engineering, the other part is why does the OS allow the user to do these things in the first place? If you don't want users to do something destructive, why offer them the choice?

One of the first rules of design seems to be lost on MS designers. If you don't want users to do something then don't offer it as an option. You can pop up dialog after dialog warning users like this:

Do not click 'yes'. If you click 'yes' will crash the machine. Only click 'no'.

[Yes] [No]

How stupid is it for a user to click "yes"? How stupid was it for the programmer to put the "yes" button there?

Yet in MS program after MS program they tell you something is dangerous and allow you to do it anyway. I guarentee as long as applications allow this some malicious hacker will use a little word play or social engineering to allow them to do something destructive.

I really want to throttle the person at MS who tried to get people to believe computers are as easy to operate as toaster ovens. Computers are complex machines. Hiding the fact from the user is not only dubious but dangerous.

Re:enough with the virus hype

[thedbp]

This is really an awful way to think about a consumer base that doesn't understand some basic tenants of computing. I've known plenty of Windows users that think 3.5" floppies are hard disks because the casing is, well, hard. To expect them to catalog file extensions in their heads as well is ridiculous. Obviously you are a more savvy user as you have Linux based machines and a firewall set up.

Not everyone has the time/expertise/desire to learn that much about computing, and that's OK. If everyone were a geek, you'd have no one to bitch about, would you?

Re:what about Gentoo?

[rampant mac]

"Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes"

emerge -u world how _hard_ is that?"

First off, I'm a Mac user but fairly experienced using Unix/Linux....

The Mac is better than most opertaing systems at easing the drugery of staying on top of patches and bug fixes...

*clicks software update*

Do you really expect newbie users of Linux to understand "emerge -u world" by chance? If so, there is MUCH work to be done to Linux's software update model. Sure the emerge command may seem trivial to most advanced Linux users, but what can be done to expand this simplicity towards the consumer market?

Re:Correct Me If I'm Wrong but....

[Politburo]

Why are attachments allowed to do *anything* on the computer?

Uhh, because some of us know our way around well enough to get programs from people that we want to run. Saving to HD and then running doesn't change a thing. To say you shouldn't be attaching executables is silly. People should be safe: know who sent them the mail, know what it is they are running, and run an up to date virus scanner, as well as keep their system patched.

If you are talking about automatic running of attachments, that is a different story, but I want my computer to do what I tell it to do.

Users are forced to run as admin

[hirschma]

Users running NT based versions of Windows are effectively forced, or annoyed, into running as admin. This happens for a number of reasons:

* Old software runs as admin only. Stuff that came out during the DOS/Windows days, much of it pretty recent, simply won't run as anything but admin. This is a nasty legacy thing, and is a vestige of the horrendous design of Win95/98/ME.

* Too much new software runs as admin. For example, if you want to run Microsoft's own Age of Empires, it only installs as admin, and only runs as admin. This is a new application made by the mothership, and clearly, fits into the home scenario as the article. I'd guess that at least 20% of the apps on my Win2k box require admin rights.

* Too many housekeeping functions require admin.

* It is a relative hassle to run a program with admin rights when not admin. The most common way is to -right click on the program's icon, and then select Run As, and then enter the admin password. Ugh.

* Even for the disciplined, quick user switching allows admin to stay logged in, most likely still running OE or some other security nightmare.

The upshot is that if a user even understands the concept of not running as admin, they are forced to, or get lazy and do so.

I've set up several users on Win2k, and taught them about security, and why they really, really don't want to run as admin. Months later, they all are.

This will be a problem if Linux ever becomes widely adopted by home users, and why Lindows runs as root by default.

Didn't Apple get this figured out? Why haven't everyone else copy them as usual?

Jonathan

Re: Windows Is 'Insecure By Design,' ...

[Little Brother]

I wonder how many people skip the patches because the EULA's are so obnoxious?

I wonder how many people read the EULA's? I bet the numbers are related (and small).

Re:Nice to see such a mainstream source getting on

[smallpaul]

So a friend asks me today to help them install XP. I was reluctant but XP does have some legitimate advantages over Windows 98 and her Windows 98 was crashing. The disk she hands me from the computer store is from 2001. Okay, I'll have to download some patches, I think. She's a modem user. Little did I understand (as a naive Mac/Unix user) that in the time it takes to connect to the Microsoft site I was already infected by TWO virii. Egad! So I downloaded a disinfector and then initalized the firewall. Now I go to see whta it takes to download the patches and update. According to Windows Update, she needs *40* security patches and critical updates...totally over 40MB. Over her freaking dialup modem!

Okay, maybe I should have turned on the firewall before connecting to the Intenet. I didn't realize the virii were scanning so relentlessly and quickly. I also thought that the idea of turning on a software firewall on a brand-new install seems a little dumb. All the firewall does is prevent incoming connections to insecure ports. If Microsoft knew when they shipped the OS that the ports would likely be found insecure, why wouldn't they just turn them off by default? I mean it is one thing to buy Norton Firewall on the presumption that they are fixing Microsoft's broken security model but why would I use a "security fix" that comes on the same CD as the program that introduced the security hole in the first place! It seems totally illogical to me.