Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."

Applying security patches is a good idea?

[Gothmolly]

So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

Nice to see MS on the cutting edge of security research.

Re:

[Cro Magnon]

Which is more than you can say for too many of its customers.

Re:

[PNutts]

So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

Nice to see MS on the cutting edge of security research.

Apparently the owners of 1.7 million PCs need to hear it. And since those machines are throwing malware at mine I support that advice from any source.

Why are we still using passwords?

[betterunixthanunix]

We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?

Re:Why are we still using passwords?

[Lunix Nutcase]

We were waiting on you to implement it since it's so easy of a change to make.

Re:

[betterunixthanunix]

Did I say it was easy? Yes, it will take work, but we are not even trying right now. Does your bank offer anything better than passwords?

Re:

[hackula]

Did I say it was easy? Yes[.]

Sorry, I could not resist.

Re:

[Opportunist]

My bank offers text messages with one time password. After they found out that even printed OTPs can be abused.

Believe it or not, I've analyzed a trojan that got by OTPs myself. Really clever. Relies on the fact that what you see and what gets transmitted isn't necessary the same in the average browser.

Re:Why are we still using passwords?

[arth1]

My European bank used a one-time pad in addition already 13 years ago. They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).

My US bank still uses plain passwords.

It also uses debit and credit cards with just a magnet strip (which European stores won't accept anymore), and offers cheques (which the rest of the world stopped using in the 80s). And forget about having a giro system or SWIFT. It's truly like the dark ages over here.

Re:

[ion++]

They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).

yes, people can "copy" a code that is not generated yet if the method of generating the code is known. Like a pseudo random number generator that given the same input always will return the same output.

Re:

[camperdave]

Like a pseudo random number generator that given the same input always will return the same output.

That's done on purpose. It is used in simulations quite often, for example when you want to compare before and afters. Say you want to know the effect of sprinklers in a building. You simulate a fire using the random number generator and a specific seed. Then you add in the sprinklers, and reset the simulation, and re-burn the fire based on the same sequence of random numbers (produced from the same seed). That eliminates any side effect that might be caused by the particular string of random numbers t

Re:

[JonySuede]

You can also copy the generating function and it's initialization vector unless the generator repose on the recursive measurement of a series of QBit... The injection of the initialization vector might be complicated but it is theoretically doable with entangled QBit. Therefore, unless your bank gave you a quantum cryptpo card, the only way the security is improved is through the added obscurity.

Re:

[operagost]

ACH is the North American equivalent of giro and has been around for decades. Do you think we're still pushing paper around behind the scenes? Heard of Check 21? Please learn about the topic before you start bashing other countries.

biometrics are not that much better and don't to w

[Joe_Dragon]

biometrics are not that much better and don't to well for say a sheared admin or other maintenance password.

Re:

[Sique]

If possible and if the systems in question allow for it, you could still authenticate the admin with RADIUS+, and have the access to the RADIUS+ server done with two factor authentication or biometrics.

Re:

[Joe_Dragon]

what about local admin / laptops that may not be linked to the sever?

Re:biometrics are not that much better and don't t

[Pope]

Severed and sheared? Your workplace sounds way too violent.

Re:

[Sique]

In one company I worked for, local admin laptops were not used for networking gear once it was up and running. Only if something failed, then there was the occasional factory reset and reuploading the last known good config.

Re:

[Joe_Dragon]

what about in the field or where you may not have a good remote link.

Re:Why are we still using passwords?

[DdJ]

We have better authentication methods...

Would you kindly name three?

(Please be specific. Then, we can explain how for a given set of reality-based situations, they're not in fact actually "better".)

Re:

[Siberwulf]

Do you really need three?

Um, how about a simple rewording of "Password" to "Passphrase" and make the minimum required length 20 characters.

If you take the utterly easy passphrase of "My favorite password is the word password.", you're talking about 7.1 x 10^61 years to crack it. A measly 20 character phrase would take 1 sextillion years.

And really, from a development side of the coin, implementation doesn't get much simpler. You should already be storing hashes of the passwords, not the passwords

Re:

[Desler]

I hope you aren't referring to SecurID tokens...

Re:

[a90Tj2P7]

That's a bit extreme for normal users. The more complexity you force on them, the more likely they are to just write the password down. It's generally accepted to force 8 characters minimum, 3 character types (between lower-case letters, capital letters, numbers and symbols) and not allow them to use any of their last 5 passwords or change the password again on the same day. Now admin accounts, 15 characters is reasonable.

Re:

[b0bby]

That's a bit extreme for normal users. The more complexity you force on them, the more likely they are to just write the password down.

I have to say, in a small office environment, I'm less worried about people writing down passwords than having easy passwords which can be brute forced remotely. But I agree that 8 random characters with upper, lower & numbers should be enough for normal stuff.

Re:Why are we still using passwords?

[Anonymous Coward]

That kind of policy is the reason why people use P@ssword0000001 as their password, and then increment it by one every time they're forced to change.

Re:Why are we still using passwords?

[arth1]

Indeed.

And not only that, but by imposing published restrictions on the password, you reduce the number of possible passwords, making brute force attacks easier.

Just by saying "at least one digit", you reduce a brute force attacker's job by at least a factor of 9.5 (given you use ASCII; even more if you allow ISO-8859-x or Unicode). You reduce the time until any random password is cracked by about an order of magnitude. Or, put another way, the cracker can use a partial rainbow table that covers almost ten times as much of the total space.

Re:Why are we still using passwords?

[jedidiah]

That's only necessary if you are forced to change your password frequently.

Then you're stuck with coming up with new passwords all the time and something that you will actually remember. (assuming you don't just start writing them down)

Re:

[Desler]

And when you start doing that the user will then just write their password on a sticky note since it'll be complex to remember. And if other sites have the same policies they will just duplicate that password around. So, you've just made things more insecure.

Re:

[Opportunist]

This is great as long as whoever could hack you cannot get physical access to the machine. People don't easily remember passwords like Q4Rny$u(lZ, and hence write them down on Post-Its.

Seriously, this "security requirement" can backfire very, very easily, depending on what attacks are easier to execute against you. If you're a company where the servers are in a secured and inaccessible place, with no interaction with the outside world, this is probably not the best security system. If I know about that poli

Re:

[Peeteriz]

I have around a hundred places online where I have been requested to "make an account" so I have one there. For almost all of them, "123456" and "password" would be too complex passwords - I'd prefer to use a blank one. I don't care about those accounts - and I don't want to care. I don't even want to have those accounts - they're usually a stupid marketing decision by the site owners to offer personalization (that I don't care about) and fight spam (which is somewhat understandable).

Would it really be appr

Re:

[camperdave]

Requiring a lower case, an upper case, a symbol, disallowing dictionary attack prone words, and a minimum password length of 12 would probably go a long way.

I just have four things to say about that: correct horse battery staple [xkcd.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

I guess you're barking up the wrong tree. The problem isn't that people can find out your passwords. The problem is that people hand them over willingly. They actively aid trojans and bank frauds. Unwittingly, of course, but because they don't know crap about the machines they are using.

The biggest attack vector today isn't even faulty software, it is user action. Opening attachments without wondering why a .pdf file prompts a "you really want to execute this attachment from 'unknown'?" from their system, r

Han Solo said it best

[swm]

It's not my fault!

Re:

[Opportunist]

But he sure would have had every patch installed, for we all know he does not tardy. After all, he shot first!

Patching existing vulnerabilities

[damn_registrars]

We had the conficker worm run wild at my work not long ago. Even systems that were well secured by passwords ended up falling victim to the worm due to unpatched vulnerabilities. Yes, bad passwords don't help, but Microsoft needs to own up to the fact that a worm such as conficker is perfectly capable of infecting well-secured (password-wise) machines if they are not patched for the vulnerabilities that Microsoft left behind.

And being as some patches and updated break compatibility with critical software, patching is not always a trivial matter. Some systems need to stay essentially frozen in time with regards to updates, while still being on the network. Of course then an infected system is added to the network and away we go again.

Two simple steps

[XiaoMing]

If only:
1. Everyone were meticulous in following the guidelines which require passwords being more shift+number than letters, and capable of memorizing new ones on a regular schedule.
2. Everyone kept better care of their computers (regular updates) than they do for their own bodies (regular physicals, anyone?).
Then we could have prevented this whole thing!

Real world implications of having to remember numerous non-dictionary passwords, and expecting those who see the computer as a magic box to the interweb

Like autorun?

[Anonymous Coward]

Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.

having to change passwords all the time leads to w

[Joe_Dragon]

having to change passwords all the time leads to weak ones or the password being put on a post it note.

Re:

[CanHasDIY]

having to make up your own passwords, then having to change them all the time leads to weak ones or the password being put on a post it note.

FTFY.

I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lowe

Re:

[tlhIngan]

I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case

Re:

[CanHasDIY]

Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs.

Faculty and staff network access; pretty major stuff.

If I'm not mistaken, it was someone in the financial office (which handles not only student accounts, but payroll as well) who had the wonderfully secure password 'Dolphin1'

I wish it had been something as benign as lab computer access, would have made my job of patching up the holes created by user generated passwords a hell of a lot easier.

Re:

[clarkn0va]

And MS knew that. [microsoft.com]

Passing the buck?

[Ichijo]

...exploiting software vulnerabilities for which updates existed.

Seeing as Microsoft wrote it in the first place, I think it's fair for them to share some of the blame.

Well, kinda. There is flawed reasoning here.

[shumacher]

The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.

It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"

Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.

Better authentication?

[140Mandak262Jamuna]

Each and every site admin comes up a different idea for more secure authentication. Then clueless management insists on dumbing it down shredding what little remains.

For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, anf 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.

Then there are idiotic Paychex which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?

Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. May be even a third level password to send cash out of that institution to outside.

Re:

[jonwil]

My bank has a second layer of authentication (either one-time-use SMS codes or a second password) that is used any time you want to transfer to someone not on your "approved payees" list.
They also have password entry done (both the main password and this extra password) through an on-screen keyboard where you have to click the letters and the keyboard moves slightly when you click it.

On the minus side, they have a stupid limit of 10 characters for the passwords.

Prompt passing

[sjames]

I just got caught up on some of my reading. One of those articles was about how people who 'foolishly' applied their black Tuesday patches were unable to print out their tax forms. I think that might just explain why so many systems are so far out of date.

Updates are a big part of the problem, really ....

[King_TJ]

It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:

You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!

And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?

Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).

With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?

Re:

[coolmoose25]

Updates are worse than just the hassle of them. Many of the updates take away, or fundamentally change, the way the underlying software works. IIRC, iTunes had a great example of this early in their release schedule... At some point, Apple wanted to stop people from doing something with their files...like being able to turn them into MP3's or something like that. They released an "Update" that stopped that ability. (I may be remembering some other similar functionality)... Anyway, I remember consciously

not rebooting leads to memory leaks and stuck soft

[Joe_Dragon]

not rebooting leads to memory leaks and stuck software.

Even with a system to update stuff with out a full reboot what happens when it hits some thing stuck in the background or updates some thing that is leaking ram?

Re:

[King_TJ]

Well, you can't avoid the need to reboot when things crash. Nothing new there. But people have a need to apply updates far more often than they encounter stuck software and memory leaks crippling things, right?

With a seamless update process like I was suggesting, the need to *eventually* reboot probably doesn't go away. But uptimes would certainly improve over what you'd have if you applied, say, every Microsoft update on the day it was released. My experience with those is you get at least 3-5 of them ev

Blame the user...

[mr_lizard13]

Instead of blaming the user, perhaps the *biggest and most successful software company in the world* can do something to help.

1) Bake-in a password-generator tool into IE (along the lines of 1Password).

2) Don't make the software update system suck balls so people want to turn it off.

On the former point, I know this isn't a magic bullet solution. You still need to remember a password. But it's one password, not 37. It at least makes it easier.

On the latter point, I have automatic updates turned

So like, where is "User.education.microsoft.com"?

[bmo]

Sure, sure, blame the users again, Microsoft.

How about educating them for once? You own, according to some metrics, 90 percent of the desktop market. Your operating systems in retail boxes don't even come with quickstart guides to basic security. No, you just leave your users to flounder about without any guidance at all, and if they want it, they have to pay extra for it.

At least when I was paying for boxed sets of SuSE Linux, it came with two well-written manuals, a user's manual, and an administrator's manual. I suspect that boxed sets still include these. It was in the grand old tradition of "when you get this software, we'll give you the manual too" like what you got when you bought DOS or CP/M.

But these days, I guess that user education is viewed as "intimidating" to users, because *shock* *horror* computers might be revealed as the complicated, useful, and powerful devices they actually are and heaven forfend users get any ideas beyond clicking on the pretty pictures. Microsoft does its damnedest to not give the user *anything* that might resemble common sense lessons in security.

There is a lot of energy pointed at the education of developers, but none that I can see at day-to-day users from Microsoft.

I just dealt with a user who has become so paranoid, she considers technet.microsof.com "foreign" because she's been so abused by the utter lack of guidance in the past with computers that she can no longer tell what's legitimate or not, wrt software. I was merely pointing out a sysinternals tool. This makes me a sad panda, and I don't blame her. I can't. Because I've seen it too many times to think it's just "dumb users" anymore.

Microsoft's blaming of the user is utter bollocks. It is entirely their fault now.

Yes, this makes me mad. Deal with it.

--
BMO

Get rid of IE 6 & XP!

[Billly Gates]

Save this article and email it to the idiot bean counters at work who say IE 6 is perfectly fine and so is XP so why upgrade until 2014?

I thought Conflicker came out in like 2004? It should not be infected machines today and this is stupid.

The problem is not IE and Windows. Windows 7 and IE 9 have been secure for awhile with ASLR, DEP, and sandboxing. The idiots are not the users (well most are not), but IT and CIOs and CEOs who refuse to look at things like computers as anything but cost centers. It is gra

More obvious solution?

[fahrbot-bot]

Isn't Conficker a Windows-only issue?
If so, wouldn't the obvious one basic security step be to stop using Windows?
Just sayin'...

Re:Two basic steps

[hackula]

Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".

Re:

[jedidiah]

It does on any reasonably well managed corporate machine.

Why can't that be the default in the consumer OEM copy?

Although the service in question likely has no business being anywhere it can be exploited anyways.

Re:

[VoidCrow]

I had a manager once who set his password to ch0pper... that's wood-related brit slang.

Re:Two basic steps

[yuhong]

True, but there are targeted attacks even in the Unix world, and if you don't keep it up-to-date, you could be owned by one of them

Re:Two basic steps

[farrellj]

Please name a Unix based attack that is equivalent to the malware being discussed.

Re:

[Anonymous Coward]

Thats a false argument. You give me equal amounts of clueless users using Linux as they are with Windows and I'll name one.

The vast vast vast majority (I'd say 90+%) of Linux PCs are (1) servers that are administered professionally or (2) locked down cell phone OS or (3) desktops that geeks use. There is no way you're going to be in the same situation as Windows is with that kind of demographics.

 

Re:

[Anonymous Coward]

Where do you think the term "Root"kit came from?

Before NT Unix was the laughing stock off security seriously. Like Windows it is also written in C and uses the same apis for buffer overflows, stack over runs, and other crack attacks.

My old World Almanac from 1990 had an editorial on the first ever Worm which nearly took down the internet. Hint ... it was all Unix based.

Re:

[jedidiah]

Even if you do keep it up to date, you could get potentially "owned" by someone. That's why it's a better idea to be more proactive and keep track of likely attacks and black list the attackers.

It also helps not to leave things in a state where they can be exploited to begin with.

Re:Two basic steps

[Anonymous Coward]

Yes, because it's completely impossible to turn that feature off. Oh wait...

http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

Re:Two basic steps

[g0bshiTe]

The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.

Re:

[dkf]

The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.

A C library update is pretty noticeable too; you might be able to keep the kernel up, but there's not a lot of point given that virtually every user process is entangled with the library being updated. OTOH, if you're having to update the C library on a regular basis, you've got pretty serious problems anyway...

Re:

[Anonymous Coward]

A C library update is pretty noticeable too;

ELF, ld.so, and dynamic library versioning pretty much eliminated that. Or are you one of the few that actually manually removes an old C library version and then rebuilds every single executable that complains it can't find the old version?

Re:

[0ld_d0g]

Well, believe it or not, there is actually a valid reason for the reboot. Any executable code running in memory is typically not patched by most operating systems. They will update the file stored in the filesystem but not the executable code already loaded in memory. For e.g. Shared libraries loaded in memory with ASLR and other OS protections will be untouched. (And no, KSplice is not even remotely relevant here). This means that you are at a risk of running a vulnerable piece of code. Real bad news if yo

Re:

[Billly Gates]

You hit the nail there.

ASLR and the other OS protections are untouched because most corporations still use XP and a 10 year old kernel. The reason most software doesn't use these things and tap into them is because they wont run on XP. Corporations wont leave XP because software doesn't use things and tap into them. Cost savings are on top of this.

This is a great reason to upgrade to Windows 7 and keep your systems patched. This was totaly preventable and IT departments got what they deserved for their shor

Re:

[nschubach]

20 seconds, plus waiting for your email to load back up, may as well update your local source code for the project you are working on since you have to recompile and relaunch your local dev environment in debug mode, plus waiting for your local test environment to compile and fire back up so you can continue dev-ing, plus having to log back into all your services, re-open any documents that explain what X interface is supposed to do ... it's a pain in the ass, not just 20 seconds. That popup dialog telling

Re:

[Tanktalus]

If you haven't restarted your session, you haven't fixed the vulnerability.

True. You will be fixed when you restart, though. I do the updates, and then, periodically, when it is safe to do so, restart daemons that have been updated. That is the point where I'm running with the fix, not merely updating the code. It's not instantly, but it does allow me to update the code even under load and defer the outage to a less sensitive time.

Reloading the desktop? That's more work as then I have to close down everything except the daemons. More of a headache. But still no reboot.

Your false sense of security is probably exactly why MS & Apple force a reboot.

No. M

Re:

[Ihmhi]

1) Start.

2) Run.

3) sc stop wuauserv

4) And now Windows stops bugging me to restart my computer when I'm trying to read my webcomics.

(Of course, I install the update at a later time, but some of the "idiot-proofing" has made things a major pain in the ass for people who know what they're doing sometimes, such as the lack of easy customization in certain programs.)

Re:

[amRadioHed]

I use Linux, but you sound like a troll to me too. You claim you only use Windows twice a year, and yet you complain about the number of updates that are supposedly forced on you?

Re:

[amRadioHed]

I have to use Windows regularly and I can tell you I don't have the problem you do. Disabling automatic updates is trivial, in fact I'm pretty sure the option is stuck right in your face when you first setup windows so you can't miss it. It's really your own fault if you left it on.

Re:

[PNutts]

Yes, because it's completely impossible to turn that feature off. Oh wait...

http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

I use Windows maybe twice a year and I am not going spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.

That comment could only be a troll in the mind of a Microsoft Spinbot.

Forget the instructions at the link. If it takes him hours for four clicks, make a selection, and then one final click I don't think being considered a troll is his biggest problem.

Re:Two basic steps

[a90Tj2P7]

It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.

1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though. 2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatically downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there's also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7's a lot better with that.

Re:

[owlstead]

Was a lot better than that, somehow that always seems to water down with Windows. With Ubuntu, I can at least keep my computer on (or, most of the time, sleeping or hibernating) more often than with Windows.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Doctor_Jest]

Or you can just run Debian....

Re:Two basic steps

[hackula]

Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conflicker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.

Re:

[stephanruby]

Part of the problem is also running unlicensed Windows, since those people that do -- don't get the security updates (or they may just turn off updates because they don't want to be tracked, or have some of their functionality remotely shut down). At least with Linux, there isn't much of an issue there. If someone wants to stop paying RedHat/Fedora, they can just switch to Cent OS. That's it.

And really, this wouldn't be a problem for the rest of us, except that those zombie PCs can affect the rest of us, ev

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[cpu6502]

>>>shown repeatedly that Windows is more secure than Mac OS

I've never heard that before. Where has it been shown? Where does Linux fall? More or less secure than Mac?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Two basic steps

[Opportunist]

For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?

What bugs me about Windows is that there is very often no way to do an unattended update at a certain time for many "packages". Windows being the notable exception. The average Windows day for the average customer runs a bit like this:

"Ok, I'd like to play a game. Let's double cli... huh? Oh, Acrobat update. Ok.... yes, accept license... wait ... download patch, watch download bar move... installing... watching bar move ... ok, we're set. Now lemme... huh? Oh, virus killer. Ok, 'tis important, go ahead and update yourself. Yes, license agreement... waiting for download (because experience taught us that you better NOT try to do anything as system critical as starting a game while something is being patched. Could upset the copy protection trojan). Huh? Failed? Oh, because the Acrobat update didn't finish yet. Ok, it's finished now insta... restart."

"And we're back after the break. Now, for the antivirus. download ... update... huh? New version? Ok, install it. Yes, I agree with the license... installing... reboot."

"Finally! Ok, first of all, let's take a look at some porn. Open Browser... oh, new version? *sigh* Ok, download and install it. ...waiting... Ok, now... huh? What happened to my plug... oh. Of course. Incompatible. Fine, but I'm not going to visit any porn pages without a decent ad blocker, so first of all, update the plugins."

(half an hour of browsing, finding them, or not finding them and searching for a replacement later ... And another few minutes later including washing your hands...)

So. Game time! Fire up Steam... updating... Ok, restart steam... While it's doing that, let's start Teamspeak... Oh. Updating... must be patch day all over the world...

Finally a good game of $whateverfps. Huh? Patch? I don't wanna, not again! Oh, no multiplayer without, huh? Ah, anti cheat stuff. Ok, make it so...

And so on, and so forth. THIS is what actually bugs me about Windows. The piecemeal updating process. You can't just keep your machine running to have it update its stuff and actually, you know, USE it when you are sitting in front of it. It seems to be critical to steal the user's time and show him that they actually patch their half baked software.

And it's not like the software (and its patchers, launchers and oh-so-important taskbar tools) wouldn't run anyways and could technically do a daily check for updates. Dear Adobe, care to inform me why you insist that your launcher is running (and turning it off only means it gets reinserted into the Run key as soon as I dare to open an Acrobat document) and steals my ram for zero return, yet STILL require me to be present for every damn update you might want to run? Why is there no option in Steam to automatically patch and restart Steam if I'm not currently playing a game?

Rolling that all into a single package handling goodie would be a blessing. And MS actually manages to do just that with their updates, the kicker is that of all the various companies that have their fingers in my system, MS bugs me the least!

Re:

[aztracker1]

Microsoft could create an API, that applications (during install) can register with (requiring an ActiveX, or .Net control, with an interface implemented). The windows API simply calls the application, which then self-checks for updates, and notifies the update manager that it, does/doesn't have updates... and upon user selection, or classification runs the updates via the update manager. It doesn't need to be tight integration, just an API with rules for the various apps to follow. MS *COULD* have done

Re:

[Opportunist]

Steam is pretty much this for games. Does it look like it works?

Re:

[gl4ss]

that's the most annoying thing ever! have steam download a game and updates..

then you go start it. AND IT UPDATES SOME MORE "PREPARING TO..".

Re:

[Anonymous Coward]

1) Get rid of Windows

2) Never use it again

Because if we get rid of Windows, all the malware writers in the world will give up and stop trying to steal money from people who don't update software and use "pa55word" as their password...

Re:Two basic steps

[Opportunist]

It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.

The key to the whole issue is the Dancing pigs [wikipedia.org] problem. In a nutshell:

"Given a choice between dancing pigs and security, users will pick dancing pigs every time."

People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. They lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?

What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!

Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.

Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.

"The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"

In short, let me install my rootkit and hook up a connection to my bot herder server.

What will Mr. Moron read in this sentence. He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:

"The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)

He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.

It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.

Re:Two basic steps

[Opportunist]

Again. Just in case I didn't make my point clear.

The user hands over the password.

It's not a trojan reading the file where the password is stored. It's not a hacker getting in from the outside using some supersecret backdoor account. It's not any kind of hack whatsoever. How the heck do you want to keep a password secure from its rightful owner and user?

The USER is the problem. Not the system. And unless Linux has some magical ability that I didn't notice yet, namely the ability to know what the user WANTS, instead of just what he DOES, there is exactly zero chance to protect the password. No matter the system.

Re:

[PNutts]

getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.

Linux/Unix have a well established culture and plenty of infrastructure to support the concept of strong password protection. Unlike Windows.

u mad? I agree my mom (and probably most of the people at Costco buying PCs) don't have a concept of strong password protection. If I put her on Linux/Unix how does that change?

Re:Two basic steps

[Opportunist]

MS is in a bind here. They are very much aware of this problem, but there is very little they can actively do against it.

It's not even MS that is the problem here, it's the way some companies (notably game companies) abuse the system and don't write to spec. In Linux, you get ravaged (to avoid a less pleasant word) if your software required more privileges than it absolutely minimally needs, and you better have a GOOD reason to ask to run as root. Hell, most packages say explicitly that you should NOT run this as root.

It's exactly the other way 'round for MS Windows. With both, old legacy reason and newer, at least as bad reasons.

The legacy reasons come from the times of the Win9x systems who arguably had zero real protection. Likewise, it didn't matter just what Registry tree you cluttered with your keys. And because it's easier and works for all users to simply slap it into the HKLM tree instead of the HKCU (aside of other, more serious, problems that you have to take into account when using HKCU), software creators didn't even think twice before sprinkling the Registry liberally with their crap. Of course, this flies right in the face of anything resembling security where HKLM or even HKCR are off limits for "user" privileged accounts. So every time this legacy junk was supposed to run, UAC throws a hissy fit.

The less acceptable reason and the one that irks me way more is that the various DRM schemes and anti-cheat crap make games require administrative privileges, not only for installation (where I could at least accept that, due to installing a device driver, these privileges are required) but also to run them. Again: To run a stupid, insignificant game, you have to bring out the big admin guns. And this is simply NOT ok.

But there is very little MS can actively do against that. As long as people buy those games despite the need for admin privs, companies will continue using DRM schemes that don't give half a crap about the system's security. And as long as this is the case, MS cannot do anything about it. What should they do?

As soon as a program requests permissions that can somehow harm the system, a sensible security watchdog function should report that something is happening that could be damaging. Else, what is it good for? The security of the system is the security of the weakest link. One link broken, the security breaks down. You can't simply "not ask just this one time". If you do that, disable it altogether. But if it really asks every time something could possibly be amiss, you get what UAC is today, along with its "allow and deny" jokes.

So please tell us, what should MS do?

Re:

[Desler]

Because you can't use poor passwords on Linux or any other *nix system? Oh wait, you can. And when I've set my password using anything from Ubuntu to Slackware there was no educational text telling me not to use bad passwords or anything of the sort. But don't let facts get in the way...

Re:

[lister king of smeg]

you generally don't have to tell a nix user because they already know

Re:

[arth1]

Ubuntu and Slackware doesn't use pam_cracklib.so or similar?
That's news to me.

Re:

[Locutus]

so where did the parent say anything about Linux or *nix being better, worst or anything? Since you brought it up, are you now saying that Linux and/or *nix are consumer OS's? Strange because that's not what we usually hear from the Windows lemming crowd.

Besides, I've seen and used *nix systems which wouldn't allow weak passwords so it's doable.

LoB

Re:

[chill]

Herring. Thank you Android auto-correct.

Re:

[CanHasDIY]

Ah, "smart" phone auto(in)correct - making reasonably intelligent people sound like complete morons since 2006. [damnyouautocorrect.com]