|Microsoft OS Viruses and Security Faults Expected to Escalate|
Bleak Outlook for Windows
| 7:26 pm on Jul 9, 2004 (gmt 0)|
|nearly 70 percent of European companies think that the number of viruses and worms they'll face in 2014 will be double that of today. And almost 80 percent believe that the payloads carried by viruses will be even more destructive than they are now. |
The bleak outlook comes at a time when security is the hottest topic in IT, as Microsoft puts the brakes on Longhorn to devote time and money to cleaning up problems in Windows XP, and as one outbreak after another drives security managers up the wall.
|The seemingly endless spate of worm infestations over the last year has left something even more troubling in its wake: armies of zombie PCs that can be used to send spam, attack Web sites, and generally wreak havoc over the Internet. |
Worms such as Sobig, MyDoom, and Bagle have been identified as containing malicious code (malware) that allows remote attackers to take over infected machines--while their victims are blithely oblivious.
| 7:43 pm on Jul 9, 2004 (gmt 0)|
<nearly 70 percent of European companies think that the number of viruses and worms they'll face in 2014 will be double that of today.>
Change "2014" to "2005", then I agree. Otherwise, it sounds like a major underestimate -- unless something significant changes.
| 8:04 pm on Jul 9, 2004 (gmt 0)|
Damn, if it were just possible to do everything with Linux that you can do with XP/IE6, then I would change now.
| 8:25 pm on Jul 9, 2004 (gmt 0)|
Most can be achieved with Linux (I do a bunch with it),
but I do keep a machine with XP Pro and Office,
for all my clients will use XL and I do not know how to open an XL file on RH - unless using Lindows :) - which is not the real thing! - well, I am not really sure about Lindows.
Further, the GIMP is a bit too hermetic.
If we had to jump in and do it I guess we could do it.
| 8:30 pm on Jul 9, 2004 (gmt 0)|
If we all went to a Linux/Firefox platform it would not be long before people were exploiting flaws in the code. The headlines would read "Linux security flaw exposed" etc.
(added: UNIX ROCKS! - okay, time to climb off the soapbox)
| 8:39 pm on Jul 9, 2004 (gmt 0)|
|Damn, if it were just possible to do everything with Linux that you can do with XP/IE6, then I would change now. |
With XP/IE6, you can be hacked by visiting a web page, you can download and auto-install Viruses, trojans, diallers and such like without any intervention. Are these the features you want ported to Linux? There is nothing you can do on Windows that you can't do on an alternative OS such as Linux or Mac OSX. Nothing. Other than the viruses and hopeless security problems, naturally.
Windows suffers because of the monoculture, the closed-source nature of the product and due to Microsoft's misplaced priorities - who cares about security, look at all the fancy features! All programs and OSes have security failings; in the case of Windows, it's insecure by default - or unsafe at any speed. Let's hope that Windows XP Service Pack 2 lives up to the hype, because it's desperately needed. Let's hope that alternative OSes begin to gain market share too, because the monoculture has its part to play too: with several popular operating systems, dozens of different browsers (adhering to open standards), then it is that much harder to hit the infrastructure in the way it has been recently and will continue to be in the next few months and years.
| 8:40 pm on Jul 9, 2004 (gmt 0)|
|Email security today is a global issue which pervades whole organizations. Viruses, spam, pornographic material and other harmful or unwanted content represent a serious risk to your company. To combat these all too real threats, you need a total, proven and effective solution. Only MessageLabs can assure you of complete peace of mind from complete email security. |
From MessageLabs website (hardly an objective source on this issue)
| 9:03 pm on Jul 9, 2004 (gmt 0)|
|There is nothing you can do on Windows that you can't do on an alternative OS such as Linux |
I'd switch soon if this shopping list happened on Linux, which I don't believe it will, but I'd be happy to be proven wrong.
1. Can run Dreamweaver 4, Fireworks 4, or maybe MX. There is no replacement for Dreamweaver in terms of basic site management, nVu isn't usable at all in its alpha state, and I didn't like the direction it was going in last I looked at it. I have to have Fireworks, it's not an option.
2. If Bluefish is as good as Editplus in every way, or some other text editor for Linux, especially when it comes to critical things like multiple line search and replaces and site management (lite), huge number of files open at once etc.
3. I can install Photoshop 6 (not 7, I know WINE or whatever lets you run 7, I think anyway).
4. I can run Office 2000, or at very worst, Office XP. Despite silly claims to the contrary, OpenOffice.org cannot, I repeat cannot, deal with many complex Office files, especially things like text boxes, which it transforms to images last time I tried, making cut and paste of content impossible.
Those are the main ones. I've been checking out the Knoppix CD-ROM version of Debian, I like it a lot, first Linux OS I've experimented with that feels good and makes me want to use it more; for me it's a tossup between Gentoo and Debian unstable.
Re: MS monoculture. The absolute main cause of the problems in Windows is that you basically must run it in administrator mode to be able to do real work; too many programs, like ACT, or Norton AV, simply won't work correctly in user or power user mode. And power user mode is pretty risky too.
Unix/Linux will always have an advantage built in, no matter how many *nix hacks and exploits arise, as long as they keep forcing you to drop into superuser mode to do any real changes, with a password. As long as Windows cannot resolve this problem I don't see any significant change; basically all XP boxes sold are shipped with no password entry: turn on box, start computing, as administrator, with full admin privileges. This is 'user friendly'. User friendly = insecure. It's the battle MS has to fight all the time, and it's the choice they made to get high market share.
[edited by: isitreal at 9:20 pm (utc) on July 9, 2004]
| 9:11 pm on Jul 9, 2004 (gmt 0)|
I may be getting off topic here but I just want to add my 2c worth.
Under linux on my server, if I want to know how many times googlebot has visited today I can use the command:
cat log.file | grep 09/Jul | grep googlebot/2.1 | wc
Is that easy to do in XP?
| 9:23 pm on Jul 9, 2004 (gmt 0)|
Am I the only person who realizes that the reason Windows is constantly attacked is because it's the most widely used OS?
*nix operating systems are just as vulnerable as Windows ones, as we've seen from the NUMEROUS Linux/Unix web server hacks that happen on a regular basis. There are more people using Windows and thus more eyeballs trying to figure out back doors. If the same number of people focused their efforts on other operating systems, including MacOS, they would find just as many holes.
The goal of people who make viri is to screw with as many people as they can (or to sell anti-virus software heh) ... so of course they're going to target the most widely used operating system because they can affect the most people. If Linux was the #1 OS, you would still be hearing all of these stories in the news - any Linux user who says that isn't true is either a novice, doesn't understand security, or is hiding the truth about their OS of choice.
| 9:26 pm on Jul 9, 2004 (gmt 0)|
PhraSEOlogy, yes you are getting way off topic, and yes it is easy to do. ;)
find "09/Jul" log.file | find "googlebot/2.1" /C
is it *AS* off topic if I write it small? ;)
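The two one-liners above (the Unix grep pipeline and the cmd `find` chain) both match their strings anywhere on the log line, so a date or crawler name that happens to appear in a request path or referer is counted as a visit. The script below is an added example, not code from the thread or from any poster; it assumes the Apache combined log format and uses a few constructed sample lines. It parses the timestamp and User-Agent fields and counts only real matches, and keeps the naive pipeline alongside so the difference is visible.

```shell
#!/bin/sh
# Added example (not from the thread): count one crawler's requests on one day by
# reading the timestamp and User-Agent fields of Apache combined-format log lines,
# rather than grepping the whole line. Sample log lines below are constructed.

SAMPLE_LOG="${TMPDIR:-/tmp}/sample_access_$$.log"
cat >"$SAMPLE_LOG" <<'EOF'
66.249.66.1 - - [09/Jul/2004:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.66.1 - - [09/Jul/2004:08:15:09 +0000] "GET /robots.txt HTTP/1.1" 200 73 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.66.2 - - [08/Jul/2004:23:58:41 +0000] "GET /archive/09/Jul/ HTTP/1.1" 200 2048 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.66.2 - - [08/Jul/2004:23:59:58 +0000] "GET / HTTP/1.1" 200 1024 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [09/Jul/2004:10:20:00 +0000] "GET /?ua=Googlebot/2.1 HTTP/1.1" 200 512 "-" "curl/7.0"
192.0.2.7 - - [09/Jul/2004:11:01:33 +0000] "GET /news.html HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (X11; Linux)"
EOF

# count_bot_hits DAY AGENT LOGFILE
#   DAY   : "dd/Mon" as it appears in the timestamp, e.g. 09/Jul
#   AGENT : substring that must occur in the User-Agent field (case-sensitive)
# Only the timestamp field (4th whitespace field) and the last quoted string
# (the User-Agent) are examined, so the same text elsewhere on the line is ignored.
count_bot_hits() {
    day="$1"; agent="$2"; logfile="$3"
    awk -v day="$day" -v agent="$agent" '
        {
            ts = substr($4, 2)              # strip the leading "[" from [09/Jul/2004:...
            n  = split($0, q, "\"")         # quoted strings: request, referer, user agent
            ua = q[n - 1]                   # last quoted string on the line
            if (index(ts, day "/") == 1 && index(ua, agent) > 0) hits++
        }
        END { print hits + 0 }
    ' "$logfile"
}

# The thread's approach, kept for comparison: matches DAY and AGENT anywhere on the line.
count_bot_hits_naive() {
    grep "$1" "$3" | grep "$2" | wc -l
}

echo "field-aware count: $(count_bot_hits 09/Jul Googlebot/2.1 "$SAMPLE_LOG")"
echo "naive count:       $(count_bot_hits_naive 09/Jul Googlebot/2.1 "$SAMPLE_LOG")"
```

On the sample above the field-aware count is 2 (the two Googlebot requests dated 09/Jul), while the naive pipeline reports 4: it also picks up the 08/Jul request whose path contains "09/Jul" and the curl request whose query string contains "Googlebot/2.1". Note that the agent match is case-sensitive, so the lowercase `googlebot/2.1` from the thread would match nothing here; use `grep -i` or `tolower()` in awk if case-insensitive matching is wanted.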
| 9:32 pm on Jul 9, 2004 (gmt 0)|
|Am I the only person who realizes that the reason Windows is constantly attacked is because it's the most widely used OS? |
If you are "in the know" among the slashdotters, you'd refer to this argument as the monoculture.
Google for it if you want more details.
| 9:34 pm on Jul 9, 2004 (gmt 0)|
Thank you for bringing me back to earth. It's Friday and I am ready for the bar. Sometimes all this talk of viruses and trojans just makes me want to go and visit my local honky tonk.
Back to the topic in hand...
| 10:16 pm on Jul 9, 2004 (gmt 0)|
Seeing many Internet security failures end up at MS's doorstep is no great surprise. They are the 800lb software gorilla. Unfortunately most (I am not quite brave enough to be absolute) software is buggy. In MS's case buggy and also deliberately insecure (to ease cross program interaction).
Though their attitude is much better, open source (i.e. Linux, Mozilla) programs are not perfect either.
I see several inter-related "general" problems:
- the underlying Internet transfer protocols (especially mail) were not designed to be secure.
- the basic Domain Name structure is neither robust nor redundant.
- software is usually produced fast with features rather than stable and secure.
- software producers are rarely held accountable.
- business management almost never understand or properly support their IT department.
- server administrators generally do a poor job.
- individual users are frequently ignorant of the basics of computer use, never mind computer security.
- governments act, often inappropriately, years after a need occurs.
I expect there will be some major Internet "disaster" that wakes up the American public (they only notice the world when it kicks them in the ass) and all sorts of lawsuits (the American answer to everything) will provoke new accountability (and bankruptcies), new standards (rather than adherence to existing ones), and massive useless government interference. The American public will then go back to blissful ignorant sleep while a new generation of hackers work to circumvent the new "security" measures.
Note: Other nations may well also react strongly. However, in a world where the US is the 800lb government and economic gorilla any outrage of the American public has greater effect than any ten others.
It would be nice if web standards become universal; networks acquire robust redundancy; server admins secure their sites; IT departments get the support to design, install, maintain, and update secure communication and data systems; software companies put quality in place of quantity; and users learn to do more than press the "on" button. Oh, and governments ...
Yes, I do believe in miracles.
But I am not holding my breath.
| 11:45 pm on Jul 9, 2004 (gmt 0)|
|software is usually produced fast with features rather than stable and secure. |
iamlost, that's a good list. One thing I've noticed on the mozilla project, and I believe many other open source projects, is that there is no release date for the next version. For example, Firefox 1.0 will not be released until a list of current bugs is resolved, and no new features will be introduced. Compare this with the rush to release product x with features z before august in order to ensure that hardware vendors y can have it installed in time for christmas season. That's a significant difference in philosophy, one that I am beginning to suspect is going to have a pretty major impact over time.
I wouldn't claim Linux itself has this quality as a whole, although it's not really correct to speak of linux per se, there is no such thing. There's different distributions, some more safe than others. Debian, for instance, is extremely conservative, and doesn't do a new version until very rigorous standards are met. In other words, Linux is not a monoculture in the same way Windows is, so even if, as digitalv suggests, linux were to become more popular, there would not be a single target like there is with windows, there'd be a wide range of targets. And when you talk about stuff like freeBSD, I don't know, there's a reason unix drives the hardcore stuff.
Digitalv, I'm not sure how much you've actually checked out the install procedures for various distros, but there is absolutely no comparison in terms of startup security between default windows and default linux. This isn't saying the linux kernel is hack proof, that would be a stupid thing to say, but I've seen and used both, installed both, and there is absolutely no comparison between default installations in terms of security. That's assuming even the same degree of inherent bugs and flaws in both.
| 12:23 am on Jul 10, 2004 (gmt 0)|
|1. Dreamweaver and Fireworks |
Replace number 2 by BBEdit, and then buy a Mac. Problem solved. I prefer Linux, but for your requirements, a Mac is clearly a superior choice. Still got reasons to stick with Windows? As I said, there is nothing you can't do on an alternative OS that you can do on Windows.
| 12:24 am on Jul 10, 2004 (gmt 0)|
my 2 cents:
Nix vs. Doze security: While Doze has suffered from the monoculture problem, Nix is, and always has been, more inherently secure. Nix was designed from scratch for a multi-user environment. The original developers had security on their mind for this reason. Doze was initially developed for a 1 user platform, where security wasn't a significant issue, so security was sacrificed for usability. Argue it all you want, the core code is still in there, and the problems persist. There may come a day when Doze is just as secure as Nix; that day has yet to arrive. Part of it is a culture issue. MS believes, in the very heart of its corporate culture, that a large number of applications should be tied directly to the OS, because that improves usability, and in many cases speed (sorry Nix fans, but it's true. Tying certain applications to the OS makes those applications faster). It also opens up the floodgates of bad security. To compromise a Doze box, you don't need to compromise Doze itself, you just need to compromise one of the myriad apps tied directly to the OS.
Go to F-Secure, SecurityFocus, wherever. Start reading the white papers. It's all there.
Nix and Monoculture: Nix can't become a monoculture. The open source nature of it means that there are now, and always will be, a wide variety of significant variations of the same OS. Each one may have its security flaws, but seldom are these flaws "core" to the extent that they'll overlap all versions. This vastly reduces the impact of any one vulnerability.
Nobody codes viruses for Nix: BS and more BS. A virus for Nix is the holy grail. No one's done it yet. The first one to do it will willingly turn themselves in, get the "credit" for it, then make millions selling a book on how they did it. The incentive to write a virus for Nix is also huge because of the large number of backbone servers that are Nix. The incentive is very definitely there, and people are very assuredly working on it.
Server admins are lazy: Get a grip. The average server admin is overworked to the extreme. The reason why they fall behind on their server admin tasks is because Management can't "see" what they're doing, so keep coming up with new ways of wasting the admin's time and doing other things. Often, the server admin is the most tech savvy person in a company, and as a result, they'll get called on to do all kinds of crap that has little or nothing to do with their core task.
Nix Hacks are as common as Doze Hacks: (I separate Hacks from Viruses very deliberately). True. There have been just as many Nix vulnerabilities posted over the years as Doze server vulns. Maybe more. None of them have been of the "self executing" variety that would enable a virus to propagate, but in many ways that's beside the point. What isn't beside the point is the length of time it takes to rectify the vulnerability. With open source, quite often the person who spots the vuln is the same person who patches it, and then releases the patch to the community. Time to correct the vuln: as close to zero as doesn't count. Even if the identifier doesn't patch the vuln, once released to the community, it is rare in the extreme for it to go unpatched for more than a few days. With Doze, it's a different story altogether. I can't remember MS patching a vuln in under a month. The most recent vulns were known about for 6 months to everyone and their dog, and the security community and MS for almost a year. Nice response time guys.
Am I talking out of my butt: No. Without name dropping, a high-school buddy/life-long friend since, is currently a senior analyst/project manager for one of the "Big Three" security companies. I get my info from him, and he's an old enough friend to tell me when the company line is BS.
| 12:54 am on Jul 10, 2004 (gmt 0)|
Encyclo, sorry, I should have been more precise, I was referring to Linux only in that list, I really really hate macs, I hate the whole proprietary architecture, I hate the price, I loathe the interface and the logic, let's just say I hate macs and leave it at that, I like windows 2000, I think it's a very solid operating system, but I don't like XP at all, have it and hate it, so I know this will be my last windows.
I see nothing to gain from jumping from one proprietary model to another, that's kind of pointless, especially when w2k works very well, solid, reliable, almost never crashes, everything works. Security isn't a problem for me because I more or less have some idea what I'm doing; in fact I sometimes wonder why supposed pros on these forums are getting so worked up about their personal system security when it's so easy to not have any problems. I never do, haven't for years, since I last visited a hacker site or was playing around with various toys before I knew better, in fact :)
BBEdit is very weak from what I've seen unless they've massively improved it recently; I can't stand Macs for web work at all [this is not a flame but a personal opinion, if you like Macs that's great, I know that they are very solid though pricey machines].
|Nix was designed from scratch for a multi-user environment. The original developers had security on their mind for this reason. Doze was initially developed for a 1 user platform, where security wasn't a significant issue, so security was sacrificed for usability. |
Grelmar, cool comments, I'm not clear where the myth that windows is only attacked because it's popular comes from, that might actually be a marketing ploy by ms to deflect some of the blame, hard to say.
Can't say I agree about windows server admins, I took classes in that in school, sat in on some linux classes, and the level of knowledge of the average student in the two was absolutely night and day, no comparison, win admin attracts the same types that maybe used to fix your toaster down the street in the '30's, that's what I saw anyway, linux attracts the psychos [and I mean that with the greatest of compliment] who want to know how it all works, get deep into the guts, it's a different quality of person altogether, this isn't an accident, MS did a survey years ago of the heads of IT departments and asked them what their pet gripe was, and it was the unix sys admins, so ms set out to make a plug and play server os, with predictable results. That story, by the way, is also from very high up in the computing world. To pretend that the MS problems are merely due to its popularity has to ignore this entire history.
[edited by: isitreal at 1:03 am (utc) on July 10, 2004]
| 12:59 am on Jul 10, 2004 (gmt 0)|
digitalv: nope, you're not alone. There are at present count TWO of us....
| 2:38 am on Jul 10, 2004 (gmt 0)|
Those who say Windows is only attacked because there are so many more systems out there need to contrast the security records of Apache (with about two thirds of the web server market) and IIS...
There are real Linux viruses out there -- some of my colleagues got bitten by one! -- but they have almost no propagation vectors so they don't go anywhere fast.
| 3:20 am on Jul 10, 2004 (gmt 0)|
|digitalv: nope, you're not alone. There are at present count TWO of us.... |
|Those who say Windows is only attacked because there are so many more systems out there need to contrast the security records of Apache (with about two thirds of the web server market) and IIS... |
Actually I was talking about desktops not web servers, but if you want to talk about web servers let's not forget stuff like Apache-scalp.c. Most of the websites that get hacked and actually make the news are running some version of *nix. The first time Microsoft.com was hacked that I can recall was last May, and even then was only due to a mis-configuration with FrontPage Extensions, not due to a problem with IIS or Windows. Security is a job that goes beyond the operating system or application and it always SHOULD be that way - I don't care what OS I'm running, I will never trust that OS with security. I trust my PIX :)
|There are real Linux viruses out there -- some of my colleagues got bitten by one! -- but they have almost no propagation vectors so they don't go anywhere fast. |
True - but it's not for lack of ability, it's for lack of EFFORT. I guarantee you they would if the virus authors thought it was worth the extra effort to code them. A person running Windows on their home system is equivalent to a Linux user logged in as root 100% of the time. If they install a program that is designed to screw with stuff, the program will do just as much damage on a Linux system logged in as root as it would on a Windows system logged in as administrator. That's why BOTH operating systems have the ability to create users with restricted access - so crap like that doesn't happen. Whether you choose to do it or not is entirely up to you.
If Linux were the most popular desktop OS there would be just as many problems as there is with Windows because:
(a) Most people would be logged in as root all the time
(b) Those same people would download and run programs that damage their system
When you install Linux the only way to get in is to log in as root. It's up to you to make sub-users that have different access levels to protect yourself. Likewise when you install Windows your first account also has administrator access and it's up to you to change this. With Windows 2000 and XP, the system can be configured where the logged in user doesn't have full god-like powers over the system. And since programs always run as either the logged in user or the SYSTEM account, it is extremely easy to restrict the access that third party programs have.
The problem isn't with Windows, it's with the PEOPLE who run Windows that don't know how to secure it. If those same people were running Linux they would have the same problems. Right now there are fewer idiots running Linux.
| 4:32 am on Jul 10, 2004 (gmt 0)|
I just want to say thank you to some very intelligent and informed people discussing this issue. You guys are great. Thanks.
| 8:14 am on Jul 10, 2004 (gmt 0)|
Thanks DigitalV, I stand corrected and I don't mind.
Scalp C flew right under my radar.
2 Years ago.
(Want the source, along with the h@x0r 1337 braggadocio embedded within? Feel free to click here [downloads.securityfocus.com]; the mods needn't worry, it long ago ceased to be a threat.)
And since then, on the Apache virus front there has been.... Ummmm....? Oh, yah, the variant of scalp known as Slapper A [sophos.com], which came out later in the same year. And really, it was a worm, with virus behaviour spread through the local intranet.
That came out a little later in 2002.
And sure, there are some serious concerns about the Consumer Grade *nix PowderKeg [securityfocus.com], when WalMart starts carrying cheap PCs with open source OS (the day will come - and Wally World will drive it, because it will give them a cheaper product than anyone else, and that's what drives Wally World).
But overall, I like the response time in the opensource community. Example? A security hole in my preferred browser, FireFox, fixed in under 24 hours [software.newsforge.com]. Not bad, considering it was really a hole in Doze, that could be exploited through any browser. A hole that the people at MS claimed ceased to exist a few years ago.
Compare that to the frightener of a hole in IE, that took a week *ahem - from exploit, not from discovery, which was earlier* to fix. Err... That's right. The fix didn't really accomplish anything, did it? The vulnerability is still there.
Open source is more secure.
Apache is both more stable, and more secure. Or it wouldn't be running 2/3s of the net servers out there. What, with the zero$ advertising budget they have, versus the Ad Campaigns and High Pressure Salesmen from Redmond.
And the people don't try and hack Apache and code viruses for it argument? I still say hogwash. If I wanted to launch an attack against the web, my method of choice would be the following:
Double Payload Virus: A virus that scans for Apache servers to install itself on. Then sits, quietly scanning for other Apache servers, and waiting for a "hit" from a vulnerable MS machine using IE. Pick a vuln, any vuln, even one that's been genuinely patched. Doesn't matter. Only half the people out there install the patches. Deliver payload to IE machine.
That's essentially what was going on with the IIS attack the other week. Only they went after IIS, not Apache, not because IIS is on more machines, but because they couldn't figure out how to payload Apache. If they had figured out how to deliver through Apache, the outbreak would have been more damaging by an order of magnitude.
If you think for one moment the Russian Hacks behind the most recent attacks aren't aware that this would be a far more damaging attack, well....
| 4:20 pm on Jul 10, 2004 (gmt 0)|
|When you install Linux the only way to get in is to log in as root. It's up to you to make sub-users that have different access levels to protect yourself. |
This is what I suspected, looks like you haven't done this, or haven't done it recently, or haven't paid much attention when you were doing it. When you do the install on say redhat, you have to configure the superuser account, then you get a screen that STRONGLY advises you to create a standard user account, and it tells you exactly WHY you should do that. But that's just the beginning, after that there's a whole bunch of options given, the defaults of which result in a significantly more secure box.
The default windows installation, following the advice on the screen, merely creates a single admin user account, which does not even need to login to boot. As far as I know, there is no default way to install linux without logging in to boot. And this doesn't even get into the other security stuff that is built in.
To act as standard user on Windows, which it sounds like you may not have done much, basically cripples the machine for almost everything but browsing the web, forcing users to log in as admin to do real work. I've tried setting small office networks to restricted privileges but had to back off and give admin rights or I get too many support calls; things fail to work too often.
Logging in as administrator from a standard user account on Windows NT means shutting down everything you are doing, losing or saving all work, then logging off, logging in as admin, doing what you have to do, then logging out, logging back in, restarting all your work. Obviously you haven't done this much. In Linux, you dip into su mode, then dip back into user mode. Period, that's it. That's why it's intrinsically more secure. This intrinsic difference is self evident when you play with this stuff for more than 1/2 an hour.
Again, a properly configured Windows will be more secure than an improperly configured Windows, obviously, as will a properly configured *nix, but the real question is the defaults, which are what most users run with, and are what spread most malware. I recently worked on an office network with the full default w2k server install: insecure password, admin name "administrator", Everyone group had full access to everything, IIS server installed without any security at all. Or incompetent security, a much more frequent problem.
| 6:59 pm on Jul 10, 2004 (gmt 0)|
I'm aware how a RedHat installation goes and I do admit that security concerns are POINTED OUT to the user more, but in either case you're still ignoring the fact that your typical home user doesn't know about security, doesn't care, or doesn't think anyone would want to target them because "I don't keep my banking information on my computer". Combine that with the fact that most people, when they install Linux for the first time because they want to learn how to use it, DO NOT make a sub user because they want to have full god-like powers while they learn a new OS. Do you really think the average Windows user would do any differently?
|To act as standard user on Windows, which it sounds like you may not have done much, basically cripples the machine for almost everything but browsing the web, forcing users to log in as admin to do real work. I've tried setting small office networks to restricted privileges but had to back off and give admin rights or I get too many support calls; things fail to work too often. |
With all due respect, I have to completely disagree with this statement - I have a very secure Windows-based network at my office and everyone has enough access to do their job without being able to screw anything up, and no one has ever NOT been able to. We're not all logging in as administrator and can all do everything required without problems. My network administrator is an experienced MCSE and knows how to configure a Windows network properly. Say what you will about MCSEs, but a good one wouldn't have made the statement you just did about office networks.
In any case, you have to admit that security flaws are more commonly a result of a lack of knowledge or effort on the user's part than the operating system itself. A dumb user is going to have security holes regardless of which OS they use because they're a dumb user. Right now there just happen to be more dumb users using Windows :)
By the way, I don't remember Scalp C affecting WINDOWS versions of Apache :) Either way what does the fact that Scalp C happened two years ago have to do with anything? It was still a vulnerability that had to be patched, and you said yourself that your typical Windows user doesn't download the updates. What makes you think those same "dumb users" would START downloading updates for any other OS? If the typical Windows user became the typical Linux user Scalp C would still be a threat today.
Personally I have never been affected by any Windows exploit or virus. Maybe it's because I'm not logged in as administrator, or maybe it's because I always download the critical updates the day they come out. Or maybe it's just because I know what the F I'm doing. :)
I've found Microsoft's response time to be pretty good on critical issues. I remember hearing about some big new exploit on the news and immediately went to get the latest patch - turns out I had installed it a month ago by doing regular updates. Microsoft had fixed the problem BEFORE it became a problem - the only people who were affected were those who don't do the updates.
Microsoft usually discovers bugs in their software THEMSELVES and fixes them via patches - then people who want to execute exploits read the details of what was fixed and write their virus or worm to exploit those systems that HAVEN'T been patched. If you'll pay attention to the patch release dates and the dates you hear about people starting to get affected by something, you'll notice that the patches were released weeks, sometimes months before the "outbreak". It's your own stupid fault for not downloading them.
| 9:06 pm on Jul 10, 2004 (gmt 0)|
|In any case, you have to admit that security flaws are more commonly a result of a lack of knowledge or effort on the user's part than the operating system itself. |
Yes, no argument there at all. One of the more worrying thing about the push to get Linux on the desktop is exactly what you mention, that they choose to change the defaults to make it more 'user friendly'.
If you have the luxury of having a competent MCSE on staff there's no problem at all, however most small companies don't have that luxury, so when I set them up, I have to set them up in the way that will work for them most of the time, which is sadly full admin privileges, or power user at best. If I were on staff, this would not be the case, but how many small companies can afford this? Even power user causes problems due to the logging in and out procedure I mentioned, which is to me one of the simplest ways to increase security for average users. And, while I'm not that good at networking, I'm better than most of the people I've replaced from what I've seen of their installations, which is a big part of the problem.
If you don't have to logout of your desktop to make admin changes, you would be much more likely to run in user mode, without any question, it's just common sense, it would be easier to sell people on that. I always run in admin mode because of this problem, I wouldn't if I had a realistic and practical su option like we do with Linux. That's why I keep mentioning that problem. That is a windows problem, and it is unique to windows, and it is the main reason windows installations default to admin privileges, and are inherently insecure, it's just too hard to get standard users to do such a silly procedure just to install something or update av or whatever. This was a Microsoft decision, and it's built into the structure of windows. Unix/Linux does not have this built in limitation, and that's a simple fact.
Since MS does not seem to be showing any signs of abandoning this method, I don't have a lot of hope for a secure Windows in the coming years.
|Microsoft usually discovers bugs in their software THEMSELVES and fixes them via patches - then people who want to execute exploits read the details of what was fixed and write their virus or worm to exploit those systems that HAVEN'T been patched. |
Sometimes this is true, and very very often it's not true, in fact, 'security researchers' very often are discovering the holes, alerting ms, then waiting a polite time to publish their findings. You can see this history easily in many security patches, where ms says: 'thanks to security researcher x for alerting us to this issue'.
This is fairly standard practice, and is one of the activities so called 'white hat' hackers engage in.
However, recently there apparently has been a bigger problem with MS not releasing patches when alerted, and security types are beginning to publish the exploits without waiting for a patch because MS is taking too long to release it. Sad but apparently true.
Then there are the cases you mention, which also happen, a lot, since it's so easy at that point. However, it's not just unpatched systems, it's flawed designs, Outlook and Outlook Express had flawed designs, otherwise known as 'extra features' that virtually guaranteed that they would become the conduits for the klez viri of the world. This was bad coding, featuritis, bad planning, all centered around the concept of maximum user friendliness for maximum market penetration. To not blame MS for this is like not blaming Ford for making the Exploding Pinto Gas Tank. Personally, I have no problem with the concept of holding corporations responsible for their actions, seems like somehow the software world has so far managed to avoid being held accountable for their mistakes in the way most other corporate entities have been.
The initial IIS installations, in default, were RADICALLY insecure. As were the default server installations. And securing them was EXTREMELY difficult, especially if they were supposed to run asp, or do more complex stuff, the permissions are a nightmare, and counteract each other at every step, to the degree getting a secure installation was almost impossible. This was bad design and bad implementation, why is MS supposed to not be blamed for this? You're not being very consistent, I know that if you screwed up in your company you wouldn't try to blame somebody else, you'd take responsibility, why does MS get to get a magic 'avoid responsibility card'? Keep in mind at one point the Gartner group released a study that said that IIS was inherently insecure, and could only be made secure by a full recoding. Just like is happening now with IE, oddly enough.
| 12:36 am on Jul 11, 2004 (gmt 0)|
Am I the only person who realizes that the reason Windows is constantly attacked is because it's the most widely used OS?
There are two reasons Windows is constantly attacked: one, as you say it is the widest distributed PC OS (I do agree); two, as many have said (and you appear in denial about) it has some inherently unsafe practices built-in so the attacks work ... easily.
MS made a policy of interacting interoperability without addressing security issues. They went contrary to proposed web standards to give us ActiveX (my pet peeve) among other "features/benefits" and we have been suffering ever since. They talk "security" now when it hurts their image and bottom line - but right up through XP "security" is, if not missing, turned off by default.
I like Win2000, I use it to run my personal home network. But it is "industrial strength" Windows and not something I would suggest for a normal home user. And I still had to do many, many setting changes from default to ensure reasonable security.
Indeed I like the MS dream of interactive interoperability - but it is not really interactive interoperable if it only applies to the behaviour of one company's products. And if the basics of "security" are flouted I have concerns.
IF MS made lousy products it would be easy. They generally make great products with major security holes built in by design. I grieve at such a waste of potential.
When I first read the specs on Longhorn I thought they might finally get their act together and provide something special. Something to go head-to-head with *nix on all counts, including security. Well, apparently the time it would take is too long and the cost ($50-billion in the bank is not available? while they cut staff and perks by $1-billion!) is too great and so all Bill Gates proclaimed "advances" are being dropped one by one. I expect in the end Longhorn will be XP SP3. It is so very sad.
Switch to Server Admins:
As is often said before denigrating a group: "some of my best friends are admins". There are many very good admins: overworked, underpaid, and never appreciated. There are also many very bad admins: without training/upgrading, and even worse, without interest.
Yes, many of them work under even worse IT managers. I listen to my admin friends - they love to vent to someone who understands.
My opinion is that a third of admins know and do their job, a third know their job but are just putting in time, and a third are total disasters who got the job because no one with ability would work for such low pay in such a miserable workplace. I see a burnout rate (for the good ones) similar to social workers.
I have never done a breakdown by server OS - most of my friends work for webhosts that offer both MS and *nix. I do know more of their time is spent on the MS side but not the reason(s).
Many web infestations could have been limited by upgraded/patched server systems that weren't. Many cracked sites would have been secure if the time had been taken to design, implement, and maintain appropriate security. Regardless of OS.
I expect the average user to be ignorant, foolish, and/or dangerous - they are paying for the privilege. I am disappointed the average server admin is mediocre and/or incompetent - they are being paid to do a job.
Apologies to all admins who perform above and beyond - and I know there are lots of you - and I hope you get the support you need and the pay you deserve. Stop laughing/crying ...
| 2:09 am on Jul 11, 2004 (gmt 0)|
Well, guys, all of you have really good points from your particular POVs. I like Windows because it works for me (and I DO MAKE MY MACHINES AS SECURE AS I POSSIBLY CAN! - because I'm a quasi-geeky nerdly sort of middle-aged female....)
However, even I can see the handwriting on the wall in a way. And that's okay - I am NOTHING if not flexible. My question though comes at things from another angle: longhorn is maybe going to be the "WindowsME of XP", and it doesn't appear from what little I can find out that Windows2000 will be "furthered" as an OS. Which should maybe put *nix in the forefront for non-mac systems.
So, given that it may become the "only choice" will *nix programmers simply quit worrying about decent GUI and the sort of functionality (the stuff that WORKS, okay? I KNOW there's a lot that's broken in Windows!) that we're all used to after 15 years or so of Windows?
You see, the reason I gave up on linux several years ago was because I needed an OS that did NOT require hours of blood sweat and tears to configure to WORK like Windows does OOB. Yes, Windows OOB has security holes and eventually needs tweaking (for someone like me, though likely NOT for the normal home user), but I didn't (and sometimes STILL don't) have time to mess about with an OS install - I need it to WORK RIGHT NOW while I finish whatever I was in the middle of, and the major fixes I do over bits and pieces of time as necessary.
I have a funny feeling that the *nix elitists and programmers will look at a "new order" and sneer, "Hah. Told you I did," and just never make anything really usable available (along the lines of the Windows GUI - and PLEASE do not go off into "MS STOLE IT FROM MAC"!)
Of course, "usable" depends entirely on the definition in one's own parlance. Usable to me for the most part is seamless integration like Windows - where all I have to do to use a program, go to a website, send an email is click an icon on the QuickLaunch bar. I'm not sure I'll ever be willing to go back to command-line (I CAN use it, I just don't want to....), and having to use command-line to open various programs just to get to other functions that I use ALL THE TIME certainly does NOT appeal to me....
[Various caveats: I honestly haven't ever had any problems just upgrading from Win version to version (see statements elsewhere about not having bugs in games either....); I DO take all the time necessary to plug security problems as I discover them; at the time I was trying linux, I couldn't find in the sketchy documentation ANYTHING about how to set up an internet connection, and I DID NOT HAVE TIME TO MESS WITH IT - I need a connect instantly at any given time of the 24 hours (or as instant as it gets on dialup....)]
[[Er. Sorry about the length....]]
| 3:52 am on Jul 11, 2004 (gmt 0)|
It's useful to look at a real case study, in this case the white paper on Hotmail's conversion from FreeBSD to Windows servers [securityoffice.net].
|The team was unable to reduce the size of the image below 900MB; Windows contains many complex relationships between pieces[number one cause of security holes like the recent IE/Windows connections], and the team was not able to determine with safety how much could be left out of the image. Although disk space on each server was not an issue, the time taken to image thousands of servers across the internal network was significant. By comparison, the equivalent FreeBSD image size is a few tens of MB[too funny, but amazing]. |
Now it's very obvious that it's going to be a LOT easier to secure a few 10 MB of code than 900 MB. There will be fewer holes, and the holes that exist will be easier to fix, since there are not as many relationships and intertwinings happening. Unix is a modular system as I understand it, while windows is monolithic. There are real reasons windows is less secure fundamentally, and this is one of them.
With Open source you have control of the source code, it's yours to do whatever you want with, dump all the parts you don't need for the application. MS can never achieve this, ever, it's why they have had very little luck with the handheld market, and Linux has. On the desktop, Gentoo Linux [gentoo.org] comes closest to this level of unix performance from what I understand, but is also hardest to install, since there is no default installation at all, it's literally installed onto your specific hardware framework, using only the components you specify.
|Using FreeBSD, such tasks are scheduled by the cron service. Jobs are scheduled by being listed in a file, one line per job. Changing the file is easy to accomplish using the command line (or rdist), and replacing the entire file is a good way to ensure that each server has exactly the schedule of jobs that the administrator intended. Jobs can be scheduled to execute once, or at intervals down to one minute. |
Although the Windows Task Scheduler service is fundamentally able to look after such jobs, the interfaces provided in Windows do not measure up to the task.
The usual interface is the GUI, which is appropriate for setting up jobs on a machine at a time, is labor-intensive and error-prone....
The team met the need by running the cron service provided in Services for UNIX. As described earlier, relying on Services for UNIX (or any other package subject to extra license costs) provides a bad model for other customer deployments[my emphasis, but LOL and roll on the floor, this document reeks of how much the guys hated being forced to dump a fantastically stable, powerful, configurable setup just so MS could claim to use win servers on hotmail].
Note that the unix module was able to be reloaded live, over the network, no reboots required, in real time, since it was a tiny fraction of the size of the minimum windows installation [read: windows is bloatware, from the windows engineers themselves]. This white paper is especially instructive since it was written by the people who did the job, unhappily for the existing unix admins, who must have been absolutely tearing their hair out, like being forced to switch from a Lotus to Chevy, but MS had to switch, eat their own dog food etc.
Shortly after this switch, hotmail began failing routinely, and still does to this day, I stopped using it during the transition because service became so bad, and is still pretty unreliable, going down for up to a day at a time, in other words, the reliability, stability, and simplicity of the unix system was NEVER matched by the Windows server farm, but that server farm, if it had paid for its windows licenses, cost a huge amount more than the FreeBSD system it replaced. There's a reason yahoo, google, amazon etc don't use windows.
Vkaryl: It's getting better, try downloading or ordering the knoppix cd [knoppix.org] rom version, you can play with it without having to do an install, you boot into the cdrom, it runs off the cd rom from ram. This is built on the Debian distro, which is quite well known for its somewhat boring stability.
What's amazing is that with a minuscule fraction of the development budget windows has, linux is getting closer to having a truly usable desktop. In that sense comparisons between windows desktop and linux desktop are not really fair. When I saw w2k the first time, I knew it was probably the best windows ms would ever make, and longhorn only goes to further that belief.
If you play around with the knoppix package, you'll soon see that the only things missing are some of the major apps like photoshop, fireworks, dreamweaver. However, and this is worth keeping in mind, the macromedia/adobe ports to Mac OS X's BSD framework means that it is going to be a relatively trivial task for those companies to eventually release linux versions, and at that point, well... it's linux time.
In Debian, I believe all you have to do to install a program is drop into su mode, type in something like apt-get firefox and you'll have it all installed while you make your coffee, up to all the latest os and package updates. I saw the gentoo version of this, I think it's called emerge or something, and it was very impressive, rpm sucks, I can't figure out why it's still being used, it doesn't work.
Then of course there are things like having the ability to run 4 desktops at once, just set each up, click a button to toggle between them. It's odd how in some ways parts of linux are amazingly sophisticated, and in other parts, basic things like doing simple copy and paste between programs, they just can't get it down.
[edited by: isitreal at 4:30 am (utc) on July 11, 2004]
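The quoted white paper recommends managing cron by listing one job per line and replacing the whole file on every server so each host carries exactly the intended schedule. The script below is an added example, not from the thread or the white paper: it validates a crontab-style file (five time fields in range, then a command) before it is distributed, and prints a checksum an admin can compare across hosts afterwards. The two sample schedules and their paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Hotmail white paper: validate a
# crontab-style schedule before pushing the whole file to every server, then
# digest it so an admin can confirm each host carries the identical file.
set -f   # a literal "*" field must never glob-expand against the filesystem
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
# check_field FIELD MIN MAX: accept "*", "*/step", "n", "n-m" and comma lists.
check_field() {
  min=$2; max=$3; oldifs=$IFS; IFS=,
  for part in $1; do
    IFS=$oldifs
    case $part in
      '*') ;;
      '*/'*) step=${part#\*/}; is_num "$step" || return 1 ;;
      *-*) lo=${part%-*}; hi=${part#*-}
           is_num "$lo" && is_num "$hi" && [ "$lo" -le "$hi" ] &&
             [ "$lo" -ge "$min" ] && [ "$hi" -le "$max" ] || return 1 ;;
      *) is_num "$part" && [ "$part" -ge "$min" ] && [ "$part" -le "$max" ] || return 1 ;;
    esac
  done
  IFS=$oldifs
}
# check_cron_line LINE: five valid time fields (min hour dom mon dow) plus a command.
check_cron_line() {
  set -- $1
  [ $# -ge 6 ] || return 1
  check_field "$1" 0 59 && check_field "$2" 0 23 && check_field "$3" 1 31 &&
    check_field "$4" 1 12 && check_field "$5" 0 7
}
# check_crontab FILE: report every malformed job line; succeed only if there are none.
check_crontab() {
  bad=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      ''|'#'*|[A-Za-z_]*=*|'@'*) continue ;;   # blank, comment, VAR=value, @reboot-style
    esac
    check_cron_line "$line" || { echo "line $n: malformed: $line" >&2; bad=$((bad + 1)); }
  done < "$1"
  [ "$bad" -eq 0 ]
}
# crontab_digest FILE: checksum to compare across the fleet after pushing the file.
crontab_digest() { cksum < "$1" | cut -d' ' -f1; }
GOOD=$(mktemp); BAD=$(mktemp)   # constructed sample schedules for this example
cat > "$GOOD" <<'EOF'
# constructed sample: nightly log rotation and a weekday health check
MAILTO=ops
0 3 * * *       /usr/local/sbin/rotate-logs
*/15 * * * 1-5  /usr/local/bin/health-check
@reboot         /usr/local/sbin/warm-cache
EOF
cat > "$BAD" <<'EOF'
# constructed sample: minute 60 is out of range, second job has no command
60 3 * * * /usr/local/sbin/rotate-logs
*/15 * * * 1-5
EOF
check_crontab "$GOOD" && echo "schedule OK, digest $(crontab_digest "$GOOD")"
check_crontab "$BAD" || echo "schedule rejected, do not distribute"
```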
| 4:11 am on Jul 11, 2004 (gmt 0)|
isitreal: thanks for the info. I'll probably order the cd (y'know, I just DO NOT have the patience for mega-downloads anymore.... dialup - it's the PITS!), and play with it a bit. As to the "lacks" you mentioned in re various mainstream programs, since I don't use any of them it shouldn't be a problem. I would assume there are various other graphics programs out there that have ports to *nix, etc. Online research and discovery is one of my strengths. Since I'll be retiring later this summer, I'll have some time to do stuff like re-partition my main box so I can "work" in XP while I figure out how to move to *nix as painlessly as possible....
Assuming the "great *nix migration" happens for me, I'll keep a Win98SE box around to play games on....
[It's interesting from my POV to see how things change depending on perceived threat. A couple of years back, I read stuff here-there-and-everywhere, noted that folks were saying that XP was the most security-conscious Windows yet, and didn't further worry about it for a while.
In the interim, security took on a whole new meaning apparently. Now I want y'all to understand that I literally have NEVER had a virus, a worm, an intrusion not blocked by my firewalls, etc. etc. ad infinitum ad nauseam. But there comes a point beyond which it is more politic and FAR safer to simply bid farewell to the increasing number of "black holes of the universe" than to continue to stitch patches over rips over patches over seams....
I think I may be there....]