NYT Security Tip - Choose Non-Microsoft Products
Giorgio Maone writes "The New York Times article 'Tips for Protecting the Home Computer' follows a story we recently discussed about the proliferation of botnets, and contains some statements which may sound quite unusual from mainstream press, especially if targeted to home users: 'Using a non-Windows-based PC may be one defense against these programs, known as malware ... Alternative browsers, like Firefox and Opera, may insulate users ... NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC'."
Noscript is one of the best reasons to run Firefox (Score:5, Informative)
NYT is out of touch. (Score:4, Informative)
Not use Microsoft? That's unpossible! They must be Mac or Linux users and are completely out of touch because they don't have the problems in the first place.
Seriously, it's good to see the message getting out. Another widely read, "mainstream" source, the BBC, has said the same thing already, like this [slashdot.org]. Of course, everyone without a vested interest in M$'s welfare has been saying enjoying the same for years. Sooner or later, despite billions of advertising dollars and bullshit studies, people are going to get it and real OS choice will happen. Seeing this in the NYT makes me think this is sooner than later.
While on the surface..... (Score:2, Informative)
Perhaps the thinking should change to using products that are reasonably secure (regardless of vendor) and using some common sense? That may be much more effective.
Re:So Markoff Doesn't Care for Microsoft (Score:1, Informative)
There are no real benefits any longer... you can do almost the same on any of the other OSes (Linux, xBSD, Solaris)... the only real stronghold now is gaming... the few benefits left are next to nothing compared to the security issues.
Re:Slashdot sucks (Score:2, Informative)
Re:ah yes... (Score:3, Informative)
Actually, it's more than just "security through obscurity". There are some nasty things that Microsoft products do that tend to get them into trouble (executing '.exe' files, ActiveX, etc.) and make their products more vulnerable.
Also "security through obscurity" is a valid practice, but it is not sufficient for good security. I don't tell strangers my computer's IP address (although, I'm pretty certain it would be useless to them and there are many ways to figure it out). The problem is when people are suckered into thinking that if they can't see something, nobody else can. Obscurity can be pretty effective when defending against automated attacks too.
NoScript is great, except... (Score:4, Informative)
I like the extra feeling of security I get using NoScript, but I'm pretty close to ditching it because the pain of having to enable and reload every website I visit just to do something like be able to click on an 'about' or 'FAQ' link is too much.
Re:Think about it (Score:5, Informative)
Re:Noscript is one of the best reasons to run Fire (Score:5, Informative)
The only usable way to control Javascript is site by site, and turning it off by default slashes a whole army of exploits out of your life. Every browser should have this functionality built in.
Amen to that. I use noscript and I have lost count of how many sites fail completely or outright refuse to load if JS is disabled. The number of sites which degrade gracefully is sadly quite small. If every browser had this, maybe web developers would finally get it through their thick skulls that JavaScript is best utilized to enhance the user's experience. Obviously, there are some exceptions, like AJAX applications and the like. It bugs me so much that I have never developed a site that did not degrade gracefully in the absence of JS. In fact, the only way the user would notice something was different was if they had first seen the site with JS and then later without or vice versa. Some of the worst offenders are the "major" tech companies. Try logging into Yahoo webmail with JS turned off to see what I mean.
Nothing's more Fragmented than M$ GUI. (Score:5, Informative)
I think your argument of "It's so simple a 5 year old can do it" is flawed for one big reason: The five year old isn't used to using IE.
You must have missed this article [informationweek.com], complete with screen shots about how inconsistent the M$ GUI has become. Just look at this screenshot [cmpnet.com]. I thought the differences between KDE, Gnome and other toolkits were bad, but that's way off; M$ has no excuse for the fundamental differences seen in their own tools. Why would you ever throw a new user into that mess? The worst part is how frequently they change the interface. No one else does it more. I'll conclude with
Re:ah yes... (Score:4, Informative)
I don't think this is obfuscation. For the black hatters, it is more like the economics of mining precious metal. If you had several ore lodes to choose from, and limited resources to mine them with, you choose the ore lode with the richest deposits of gold. It doesn't mean the gold in either deposit is worth any less per ounce, it is just that the economy of scale dictates that all other things being equal, you go where the most gold is. Why spend the time and effort to hack an OS that doesn't have 90% of the market share when there is such an OS?
I am sure that if enough people used Linux or OS X or brand X, and it became worth the effort, those OSs would be attacked far more. And Linux et al apps do have flaws that can be exposed (to say they don't would be very arrogant) and are routinely patched (how many megs per yum update if you wait a couple weeks?). And yes I know, in many cases the patching is faster, but the openings are still there, and more will be found if more black hatters start looking as much as they do with MS right now.
And by the way, obfuscation is a useful and valid tool when used with other security precautions. For example, a good firewall setup doesn't just block incoming connections to ports you want closed against port scanning, it will also drop the messages silently so that the sender doesn't have an indication that they actually reached something at that IP address. (TCP/IP allows the option to firewalls et al to tell the sender that the connection was refused. And some firewalls allow you the option to configure this.) A good firewall protects you by actively blocking packets and obscuring your computer. Much better than blocking and letting the sender know it was blocked. In that case the sender would have an IP address it knows for sure has something on the other end to work on. There are likely dozens of good uses of obfuscation (how about not letting others see your PIN when you use the bank machine? Even though you have the only valid card and are taking it with you, you still shouldn't show your PIN).
Re:ah yes... (Score:5, Informative)
I disagree completely.
Windows makes it easy to practice these bad habits... default Administrator login, programs that don't work correctly when run without Admin access, ActiveX, etc. Contrast this with, say, Ubuntu... an excellent Linux distro even for newbies: by default the root account is disabled, when you want to do something system-altering (e.g. temporarily gain root access), you have to put in your PASSWORD, not just click "Okay". The whole thing is so well-integrated that these password prompts aren't annoying or confusing. The system in general tries to explain to you what you're doing when it's something unusual.
Furthermore, most Linux distros are based on a central software repository which is supported, or at least approved, by the distro's developers. When you install open-source software from this repository, you can have confidence that you're not going to get spyware... and if you're running the stable distribution you can be pretty sure that you're installing software that has been thoroughly debugged as well--as opposed to some IE toolbar crap rushed out the door after a week's dev time.
I also think that Firefox 2.0 is far superior to IE 6 (haven't used 7 yet) in terms of alerting the user to potentially dangerous actions. When you install extensions, Firefox adds a 5-second time delay before you can click on "OK" to force you to actually read those stupid pop-up boxes. It detects suspicious obfuscated URLs, won't run downloaded executables without additional intervention, and checks HTTPS sites that improperly mix secure and non-secure content.
So I *do* think that PC security would improve substantially if the Windows userbase switched en masse to Linux. Granted, there'd be some of the problems with people doing stupid things and not reading warnings, but I don't think it'd just be same-old-same-old...
Ultimate Firefox Add-Ons for Privacy/Security (Score:5, Informative)
Re:Marketshare != Better Target (Score:4, Informative)
Your example is flawed as Apache is more targeted and more successfully hacked specifically because it is far more popular even though it can be much more secure. Link for your reading [theregister.co.uk]
I know you want your opinion to be right but the logic and the math works. Accept it and move on.
Re:Marketshare != Better Target (Score:4, Informative)
So I'm not sure what your point was. I don't know which of Apache and IIS is targeted more often. And I don't know which would be a more lucrative target (Apache serves more hosts, but IIS might serve "wealthier" hosts regarding commerce). But Apache is no more secure than IIS, so if IIS is targeted more often, it's not because it's less secure, but for some other reason (like maybe anti-MS fanboy hackers target IIS to make a political point of some sort).
Re:not a real solution (Score:3, Informative)
Thanks for the FUD that your hardware might not work. Take the time to run a live CD to see what doesn't work. My machine had everything work except an HP flatbed scanner I bought at Goodwill. Big deal. I replaced an under $10 scanner with another under $10 scanner. The Canon scanner works fine.
Everything worked without downloading drivers unlike a Windows install. Even my HP printers on Hawking printservers worked fine with no need for installing software. The printer servers installed as IPP printer ports. (Internet Printing Protocol)
Re:ding! (Score:3, Informative)
That's why I dumped Windows for Linux ages ago...
Re:Think about it (Score:3, Informative)