Forgot your password?
typodupeerror
Security

Security Isn't Just Avoiding Microsoft 295

Posted by CmdrTaco
from the foil-hats-also-required dept.
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves. How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
This discussion has been archived. No new comments can be posted.

Security Isn't Just Avoiding Microsoft

Comments Filter:
  • Not exactly (Score:3, Insightful)

    by WrongSizeGlass (838941) on Monday May 07, 2007 @10:33AM (#19020565)
    If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago. There are a lot more Chevy's around than BMW's, but I bet that more Chevy's are stolen because their "security features" are easier get past rather then just because they're more prevalent.

    If the Apple/Windows market positions were reversed (or Linux/Windows for that mater) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
    • Re:Not exactly (Score:5, Insightful)

      by Gearoid_Murphy (976819) on Monday May 07, 2007 @10:39AM (#19020643)
      absolutely, but theres a considerable group of people out there who view animosity towards Microsoft as part of a broader resistance to big corporations, and as a consequence of this, view this resistance as being naive and unfounded. Unix style systems have been around for a long long time and have a well deserved reputation for stability and security, unlike windows products which I, as a computer scientist and software engineer experience as being badly concieved and poorly executed
      • Re:Not exactly (Score:5, Insightful)

        by DevStar (943486) on Monday May 07, 2007 @11:03AM (#19020969)
        Where do people get this illusion that Unix systems were secure in the past? As an undergrad we would drive our friends crazy hacking into computers. Just about every Unix program they ran, from mail to finger to rn had security holes you could drive a car through.

        The difference back then was no one cared if we broke into a computer. It just didn't make news. Heck, I remember that remote exploits stayed open for years, and no one said a peep. The world was very different back then. Plus there just wasn't much interesting to hack into. People would generally hack into other students accounts -- erase homework, put a bug in a friends assignment, send a goofy email from their professor's account, etc... You didn't have organized crime stealing credit cards, because no one besides geeks used computers.

        I know this doesn't fit into your mental model of how Unix was this secure fort in the old days, but you'd better think again. Those of us who were there, know better.

        I hate to sound cliche, but as long as we have people programming systems, there will be security holes. And I've worked at enough places to know that no one has a silver bullet.
        • by jedidiah (1196)
          You would have also been laughed off of the local BBS in those days for suggesting something such as an email 'virus'.
          • Email virus (Score:3, Informative)

            by jmorris42 (1458) *
            > You would have also been laughed off of the local BBS in those days for suggesting something such as an email 'virus'.

            Yea, it is a trusim that it took Microsoft to turn a hoax into reality.

            But on the other hand, while Microsoft's ignorance, stupidity and arrogance made it a daily event we can't be totally smug either. We (including me, I was so sure back then too) have seen it happen to us as well. PINE, Evolution, Moz, all have had remote exploits in email. Gaim, etc has had remote IM exploits poss
        • Re: (Score:3, Insightful)

          by PitaBred (632671)
          Yes. But the Unix philosophy is a very secure foundation. Lots of components, each do just one job, and do it well. We can secure those, and then the whole chain becomes secure. With the undocumented API's and other crap that Windows has in it, not to mention it's monolithic and completely integrated design ("I swear, we can't remove Internet Explorer, it's integral!"), it's got many more places where things can and do go wrong, and "fixes" ripple throughout the system. Would you rather try to secure a
        • Re:Not exactly (Score:4, Insightful)

          by Spazmania (174582) on Monday May 07, 2007 @12:06PM (#19022055) Homepage
          Where do people get this illusion that Unix systems were secure in the past? As an undergrad we would drive our friends crazy hacking into computers. Just about every Unix program they ran, from mail to finger to rn had security holes you could drive a car through.

          In 1995, most of the US military facilities on the Internet had no firewall. I still remember logging on to the MS Lan Manager servers at work from home using Samba over a 28.8 modem and exporting X-Windows to Sun workstations 600 miles away. That was the normal level of information security and both Windows and Unix met it.

          In 2007 the expected level of information security is rather different. In 2007, Unix and Linux have adapted to the new requirements and excelled at meeting them while Windows works only moderately better than it did in 1995.

          So you're right, but you're wrong. Unix and Linux consistently met or exceeded the appropriate level of security at the time. That the target moves doesn't change the fact that they keep on hitting it. Windows, on the other hand, hasn't hit the target for the better part of a decade now.
          • Re: (Score:3, Interesting)

            Unix and Linux consistently met or exceeded the appropriate level of security at the time.

            Still more important than this is the concept that most *nix flavors are continuously developed by a horde of people in plane sight. This Conway's Game of Life [wikipedia.org] approach shakes out more bugs (hopefully at a higher frequency than they are inserted). This results in better code in the long run. Look at the recent scheduler activity on the LKML for example.
            OTOH, you've got the Temples of Syrinx [wikipedia.org] approach that says the p

        • Re: (Score:3, Insightful)

          by guruevi (827432)
          I know that Unix had a bunch of holes that we used to like to exploit, back when computers were a scientific gadget that you saw only in universities and big companies. Heck, I remember all e-mail servers by default being an open relay and usually left that way so we could send e-mail around the world. But we also had Windows, with the same exact security holes back then.

          In the mean time though the Unix environments had a LOT of improvements towards security as time progressed. The problem with Microsoft ho
        • by caluml (551744)
          Why can't we get read of strcpy from the C libs (perhaps with a compile time flag to use them if you have to have them)? Sure, it would break stuff, and cause a few headaches - but what's that saying about eggs, and omelettes?
        • Re: (Score:3, Interesting)


          While it is true that the original viruses developed by Dr. Fred Cohen were developed and tested - easily - on UNIX systems, it is also true that UNIX sys admins learned (most of them, anyway.)

          In recent years - say, the last ten or 15 - UNIX has definitely been more secure than any version of Windows.

          A comparative analysis of the methods UNIX uses to defend itself - such as SELinux and App Armor - vs the nonsense Microsoft has added to Vista, for example, the stupid UAC, pretty much demonstrates where signi
    • Re:Not exactly (Score:4, Insightful)

      by ArchdukeChocula (1096375) on Monday May 07, 2007 @10:42AM (#19020667)
      >If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.

      It was! Today's script kiddies can't tell grep for the GIMP but back in the day BBSs were filled with philes on hacking UNIX. Most those files are useless now because BSD and Linux developers have worked hard to improved security. (And so have Windows developers, XP is harder to hack then Win95) The point is that any product as complex as an OS will be full of security holes. Sure UNIX may be more secure but as soon as you get lazy and think your safe someone will prove you wrong.
    • Re:Not exactly (Score:5, Insightful)

      by wframe9109 (899486) <bowker.x@gmail.com> on Monday May 07, 2007 @10:46AM (#19020723)
      That's pretty funny, because from my experience, Unix has had a history rife with exploits and security issues... It *was* hacked to bits long ago. Good job!!!

      Despite it's lesser market percentage, we still see exploits for Unix variants, and the services offered within. It's not some sort of impenetrable OS.

      Anyhow. Security is in the hands of the user. Someone with half-decent security knowhow will be able to secure a Windows box far better than a newbie running Unix.
      • Re:Not exactly (Score:4, Interesting)

        by niiler (716140) on Monday May 07, 2007 @11:27AM (#19021357) Journal

        You must be talking about Linspire or whatever they call it these days. Most Linuxes I've run out of the box are quite a bit more secure than their Windows counterparts. I just ran nmap on my local network. The result was that all computers running Windows XP were identified along with their open ports and services whereas none of the linux boxes (with default firewalls configured on install) showed much at all. Nmap guessed that they were running Linux or Unix, but that was it.

        Nobody is claiming that any OS is perfectly secure. But I seriously question your statement about newbies running *nix being more insecure compared to their Windows counterparts as most modern distros seem to have firewalls enabled and extraneous services shut off by default.

    • Quite. While it's obviously true that there is only going to be a market leader, it in no way follows that that market leader will therefore have lousy security.

      And even if it did, that wouldn't be a reason to deploy products from a vendor with Microsoft's lamentable track record on security in in cases where security is paramount.

      It's time for all the people who have entertained this fantasy to stop deluding themselves.

      I know who gets my vote for delusional.

    • Uh, the original Internet Worm ran on SunOS, and a key reason it did so much damage was the Sun monoculture of the day.
      • The Morris Worm was cross platform exploiting a weakness in Telnet, Finger, Sendmail, and probably every other service that used get() without input buffer checking. It was more of a BSDism than a Sunism, but the majority of the systems it could infect were Sun boxes.

    • Seriously. How many times must we go through this? I can maybe understand oblivious Windows users buying into the only-because-of-lesser-market-share bullshit, but computer world? Come on.

      Let's regurgitate what I keep telling my friendly Windows trolls. In a certain year, market share of Linux/Apache was 60%, Microsoft's IIS had 20%, 60-something worms spread that year, ALL of them for Microsoft's product.

      There. It's not that hard to understand. This claim of security only through obscurity is completely an
      • Re: (Score:2, Informative)

        by Anonymous Coward
        Let's regurgitate what I keep telling my friendly Windows trolls. In a certain year, market share of Linux/Apache was 60%, Microsoft's IIS had 20%, 60-something worms spread that year, ALL of them for Microsoft's product.

        PLEASE, PLEASE, PLEASE FIND A NEW ARGUMENT. This one was dead before it began. Why? Simple...which version of Apache commands 60% of the market? Would that be the 1.2.x/SPARC/Solaris 2.6 version? Or the 2.0.x/MIPS/IRIX 6.5.4 version? Or the 2.2.x/x86/RedHat EL 4.0 version? The point is ther
        • 'I can only assume you're referring to the IIS 5.0 buffer overflow which exploited systems, and here is the key, which were never intended to be web servers'

          Then please tell us what IIS 5.0 was actually designed for.

          'As IIS 5.0 was installed and operational on all Windows 2000 Servers unless specifically disabled this led to a huge number of web servers which Netcraft can't account for (as they're internal)''

          And can you produce some evidence that most of the hacks were on non-operational Servers th
          • Re: (Score:3, Interesting)

            by legirons (809082)
            IIS 5.0 buffer overflow exploited systems which were never intended to be web servers'

            Ah, well there's your security problem... an operating system which runs webservers without its users' knowledge.
    • by khasim (1285) <brandioch.conner@gmail.com> on Monday May 07, 2007 @11:01AM (#19020951)
      At least, that is what TFA says.

      Networks in a world in which Apple had won the operating systems wars would still be insecure. What's that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That's true, but it's a consequence of the minuscule market penetration of Mac OS.

      Got that? It's all about market share. There is no such thing as "security".

      If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.

      If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.

      I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.

      He is an idiot. He doesn't even define "security" before he says that it doesn't exist.

      My definition is: Security is the process of evaluating threats and reducing their effectiveness.

      But once we've done all that, we're left with one unalterable fact: Users will still make errors galore.

      You're an idiot.

      So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000 ... that doesn't mean that Ubuntu is more secure because 99% of the cracked machines would be Ubuntu.

      So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out.

      Why do I get the feeling that this guy just bought stock in a training company?

      If that approach was effective, we wouldn't have the problem we have today.
      • Re: (Score:3, Insightful)

        by mstone (8523)
        ---- If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.

        I understand what you're trying to say, but there's a certain comedy value in seeing a door that's secured with a Chubb 20mm deadbolt, but framed between a pair of plate glass windows.

        If we take 'security' to mean some kind of magic fairy dust you can sprinkle on part of the world to make bad things stop happening, then no.. it doesn't exist. Bruce Schneier discussed the issue at leng
        • Good vs Bad. (Score:4, Insightful)

          by khasim (1285) <brandioch.conner@gmail.com> on Monday May 07, 2007 @12:04PM (#19021989)

          Any such system that's tight enough to meet conventional ideas of 'security' is tough to build, and even harder to maintain. The effort and diligence curves are way above what you can expect from the everyday person on the street.

          Possibly. But that doesn't take into account bad security designs.

          As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.

          Security is measured like system uptime: in orders of magnitude. One-nine security (90%) is easier to achieve than two-nines (99%), with each additional nine being harder and more expensive to tack on. It's very unlikely that we'll ever see the general public acquire the knowledge and discipline necessary to maintain overall five-nines security (99.999%), because somebody just won't think the payoff is worth the effort.

          Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.

          But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.

          I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.

          Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
    • by Billosaur (927319) *

      If the Apple/Windows market positions were reversed (or Linux/Windows for that mater) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).

      True. However, if things were reversed, Windows would have a tiny market share and its relative insecurity would doom it to obscurity. No one would care about Windows and hackers would be having a field day trying to crack Mac OS X. Don't kid yourself - when the kid the bullies pick on gets wise and stops reacting, the bullies don't dance with him/her anymore and go on to pick on someone else. Microsoft's presence/absence has little to do with the larger issue of Internet/OS security.

    • Script kiddies can still get into bigger systems. I've seen/heard of plenty of UNIX systems getting hacked - here's a hint, not all of the databases that you hear are hacked and have a loss of data security, are Windows.

      But most importantly, as the writer of the article said - it's the people who use the systems, who cause the security breaks. He suggested that everyone have a minimal amount of training, but the problem is, no amount of training will fix the inherant apathy to system security that a normal
      • Re: (Score:3, Insightful)

        by Vancorps (746090)

        One of my professors in college referred to security as the art of breaking services. He's as correct today as he was then. It would be great to open up the systems and allow anyone to do whatever they want, they're productivity would rise. Unfortunately the world doesn't work that way and we're forced to break stuff to the point where users can only do what they are explicitly authorized to do. This means no taking initiative and probably no learning of the system since I know at least in my organization t

        • Re: (Score:3, Insightful)

          by jimstapleton (999106)
          Even dropping the security blocks for a user doesn't neccessarily kill the security of the system.

          I have a friend who isn't really a computer tech (he has me help him with a lot of stuff), but he is in a business where information and confidentiality are major.

          Both of use have windows accounts where we are admin, for ease of use. Neither of use have had virus problems on our machines. The trick is, we are both very paranoid. We don't run every program we can download from the net, we don't go to sites that
          • Re: (Score:3, Insightful)

            by Vancorps (746090)

            That is a valid criticism as Windows is only now just barely coming into its own in regards to least privilege accounts. With that said, I setup a common computer for all my roommates to use. They all have their own logins with just basic user access. The machine has gone for three years without any instruction from me and not one virus, not even any spyware beyond cookies of course. My roommates are definitely the type to just click blindly which is definitely a problem. I'd say my experience is a bit of l

    • Re: (Score:3, Insightful)

      by BewireNomali (618969)
      more chevys are stolen because most stolen cars are used for parts (note: i'm not certain if more chevies than bmws are stolen as i did not check. merely working with parent's example). more chevys on the road means more chevies need parts which means there is a good black market for chevy parts. this is why honda/acura vehicles are high on the stolen list year after year IINM. In other words, your example doesn't indicate that bmws are more secure - in fact it reinforces what has always been said - windows
    • by MrNougat (927651)
      Bad analogy.

      There are a lot more Chevys stolen than BMWs because there are a lot more Chevys. Furthermore, people who drive Chevys and need to get them repaired are more likely (I'm guessing) to take them to shops which would trade in stolen parts than BMW drivers would.

      You don't compromise computers in order to disassemble them and resell their component parts. You compromise computers in order to have them do your bidding, and it is that bidding which makes you money, whether it be spam, or warez, or po
    • If the "market penetration" philosophy were true Unix would have been hacked to bits decades ago.

      There is some credence to the "market penetration" argument, because Unix systems WERE "hacked to bits" decades ago, when they were the dominant networkable operating system. Of course, there are always other factors that come into play, and ultimately nothing trumps a robust design for security (which is why BSD and Linux servers running Apache are hacked far less often than Windows/IIS despite haveing a much
  • by AlHunt (982887)
    >Jay Singala noted a story which points out

    Pity Jay didn't provide a link to that story ...
    • Re:Story? (Score:5, Funny)

      by Lazerf4rt (969888) on Monday May 07, 2007 @10:41AM (#19020655)
      This must be a story which hopes to achieve security through obscurity.
    • by ktappe (747125)

      Pity Jay didn't provide a link to that story ...

      He did--I have no idea why you and a few others do not seem to be able to access the link. For those who cannot, here is the article:

      Security Isn't Just Avoiding Microsoft

      Ben Rothke

      May 07, 2007 (Computerworld) -- Weve all heard IT professionals imagine how secure their networks would be if they just didnt have to use any Microsoft products.

      I've had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and ho

  • I'm sure it's a fascinating story, but I can't read it if you don't provide a link.
  • Is it any particular story, or was the source far too uninteresting to do anything other than lift an completely unattributed quote from?
  • I guess this just means that the editors have come to realize that, since no one actually reads the stories posted here before bloviating, it's just more efficient to omit the story entirely.

  • Philosophy (Score:3, Interesting)

    by youthoftoday (975074) on Monday May 07, 2007 @10:39AM (#19020621) Homepage Journal
    This smells of the anthropic principle [wikipedia.org]...
  • MS too large (Score:3, Interesting)

    by Turn-X Alphonse (789240) on Monday May 07, 2007 @10:42AM (#19020665) Journal
    MS's problem is they haven't had a real rival in years. They are so used to being the top dog they forget how to fight. It's the same way guys who work up from the bottom suddenly develope amnesia of exactly how difficult it was to get there until using "I came from the streets!" is going to help them in politics of some sort.

    Things would be no better with any company having Microsofts history, but that doesn't mean MS was set on it's current course through fate or whatever else you wish to call it.
    • You have this backwards.

      The Information Technology industry's problem is Microsoft is too big.

      Go back and look at the rate of innovation in the 90's. Now look at the last eight years or so. Thinks were changing so fast in OS space and then *BAM*, stagnation.

      Microsoft bullying their way to monopoly status has hurt IT advances more than anything else. Think where the industry would be if Microsoft had suceeded in ignoring/supressing the Internet as well.
    • Things would be no better with any company having Microsofts history ...

      Good thing free software is something users can control and will always be dominated by those with a fighting spirit. The differences are real [slashdot.org].

  • by freeweed (309734) on Monday May 07, 2007 @10:46AM (#19020727)
    This is the 3rd or 4th story in as many days that positively SCREAMS troll.

    1. Find a common belief of Slashdot
    2. Whine and bitch about "Slashdot bias" while not even understanding the point
    3. When you don't get modded high enough for your complaining, find some blog that agrees with you
    4. Get story linked to on Slasdot
    4a. In this case, not even a link
    5. Page Hits

    Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.

    Can we try for some actual stories now?
    • by mikkelm (1000451)
      So pointing out that a common consensus is wrong is trolling to you? You're either really arrogant or very conservative.
      • by khallow (566160)
        It's not a common concensus. A relevant common concensus would be that given the same amount of effort to secure, a Linux box is more secure than the Windows equivalent.
        • by Vancorps (746090)

          I wouldn't call that a consensus either considering last I checked, applying a security template for Windows was exactly as difficult as running a script on most any Linux distro. I'd say they are pretty well on par these days.

          Hell, with SMS I can run the scripts on Linux and apply templates to thousands of machines at once so automating it on a massive scale is even easy.

          The real debate comes from the user perspective, who's better at protecting the user from themselves without upsetting the user? It's a

      • by sharkey (16670)
        Not to mention that he thinks that Slashdot 'editors' actually 'edit' in the commonly-defined sense of the word.
      • Re: (Score:3, Insightful)

        by freeweed (309734)
        No.

        Trolling is going to a NY Nicks' fan forum after they lose a game and posting "SEE!!!! OMG THEY DO SUCK I TOLD YOU!!!". Trolling is hanging out in religious IRC chatrooms and doing nothing but posting links to atheist websites. Trolling is wandering down to the Holocaust museum in Israel and handing out pamphlets saying "hey, maybe Hitler was misunderstood".

        Trolling is also getting pissed off because your understanding of security is shallow enough that you take it personally when someone points out that
  • Microsoft is insecure because they try to juggle security, performance, and being idiot-friendly. Windows is largely the dominant OS because people found it easier to use and more available than the alternatives in the mid-90s when the computing boom took place.

    Now, MS is having to balance coddling those users who don't know jack about their OS and keeping the OS secure. Added security generally means more steps (or the same number of more complicated steps) to accomplish the same task.

    I would contend that
    • by MECC (8478) *
      in that during the 90s Windows was the *only* operating system for the "I just want it to work" crowd

      Well for the "I just want it to work for a short time before rebooting" crowd, anyway.

      • by PFI_Optix (936301)
        If by "short time" you mean "several weeks at least" I'll agree. Back in the 90s there were WAY too many apps with memory leaks and other stupid problems that never should have existed, and Windows fell victim to them.
    • Re: (Score:3, Insightful)

      by jedidiah (1196)
      No, Windows is the dominant OS because MS-DOS was the dominant OS. That happened because of the association between Microsoft and IBM back when IBM was the computer industry bogeyman.

      The "ease" of Windows 3.1 or Windows 95 had nothing to do with it.

      Win/DOS was already being pushed by Dell and the rest of his friends.
  • What would life on the Internet be without scriptable office documents/spreadsheets, email, web sites, and be like? A whole lot safer, regardless of the Operating System.
  • More secure? (Score:5, Insightful)

    by Himring (646324) on Monday May 07, 2007 @10:59AM (#19020915) Homepage Journal
    Since all other OSes/NOSes have/had the model of "everything is denied unless specifically given otherwise" and Microsoft's has always been, "everything is allowed unless specifically given otherwise," to say the least, things would be more secure.

    Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network ... on and on. Please try disabling anonymous access on a windows domain controller. Users, suddenly, cannot see shares, change their passwords, etc. It is a registry setting that has to be left unsecured or else the windows NOS stops working.

    This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.

    If not for microsoft, consumers might have saved billions on hardware by removing the microsoft tax. Dozens of smaller companies might still be in business.

    If not for microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than active directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a differnt password policy....

    If not for microsoft, the first thought on computer security might be something other than a virus....

    If not for microsoft, the word "rootkit" might not exist?

    • Re:More secure? (Score:4, Informative)

      by Corporate Troll (537873) on Monday May 07, 2007 @11:25AM (#19021335) Homepage Journal

      If not for microsoft, the word "rootkit" might not exist?

      Is this a joke I hear whooshing past my head or are you being serious. You know that "root" part of "rootkit", it talks about the Unix superuser known as "root". The roots (pardon the pun) of a rootkit are most definitely in the Unix heritage. Look it up for yourself. [wikipedia.org]

      • by Himring (646324)
        I actually wasted time typing today on /. What was I thinking? ...I'm doing it again!

        Lemme rephrase:
        Would it make CNN? (or popular media)

        Yes, it's Monday. This is my 10th "whoosh" experience today....

        • Re: (Score:2, Informative)

          Most security issues do not make popular media. I have heard the occasional big virus scare (ILoveYou, CodeRed) on the radio, but something like "Remote ANI vulnerability found in Windows - Patch your systems"? Never....

          It doesn't make good mainstream news...

  • Monoculture. (Score:2, Insightful)

    by Door in Cart (940474)
    Sure Windows is a security nightmare, but the real problem is that just about everyone is content to use the same system as everyone else. Diversity is required for culture-wide strength. As much as the internet's proclivity for niche marketing has encouraged everyone to explore their individuality, most of us remain oddly content to behave nearly identical to everyone else. In a hypothetical world where 285 most-used operating systems compete on a wide variety of creatively different architectures, the iss
    • Granted, but part of the problem with MSFT is they have a vested interest in pandering to morons. Most individuals aren't totally stupid, and certainly feeding that cycle will be a self-fulfilling prophecy.

      Maybe if Linux or another UNIX was the commonplace desktop we could expect our users to be a bit more intelligent about their security.

      Essentially MSFT makes money by calling their users stupid and selling them software to make the bad scary computer go away. Which is, oddly enough, also why OSS users t
    • by spud603 (832173)
      Right but ...
      This brings up issues of interoperability which, until recently, posed serious problems for the 285-flavor world. To completely oversimplify: back in 1999 if you wanted to be able to share word-processing documents with somebody else you could either be on the same OS (monoculture) or both use the same software (monosubculture). I think that now with fast computers and virtual machines (and virtualization in general) there are some creative solutions to this sort of problem. So maybe in 10 yea
  • True (Score:4, Insightful)

    by Fujisawa Sensei (207127) on Monday May 07, 2007 @11:04AM (#19020993) Journal

    True, security isn't just about avoiding Microsoft.

    But avoiding Microsoft is a good start. :-)


  • If you're just another corn stalk in a huge field, when the stalk 3 rows down breeds a new virus/bacteria/mold that you and the rest of the monoculture have no defence for, you're screwed.

    That's part of why I run my home server with NetBSD on MIPS, and without the 'leading' servers for DNS, Mail, & http.
  • The author says ... there would just be a different vendor peddling the dominant operating system. Networks in a world in which Apple had won the operating systems wars would still be insecure. That's where the author goes wrong in the first place. Look outside: how many car brands do you see? There's no "dominant car brand" there, is there? Look at your collegues' cell phones. There are some "dominant brands" but none of them has a 90% market share. By the way, interconnection is their purpose, but there
  • information security training and awareness programs for people like janitors may be hard to do as some of them work for out side janitorial services and even then some of them don't speak English that well.
  • Dreck! (Score:4, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Monday May 07, 2007 @11:08AM (#19021053)

    This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system. " makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?

    Networks in a world in which Apple had won the operating systems wars would still be insecure.

    Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.

    If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time.

    Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.

    User errors have long been the bane of security.

    No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.

    So, what needs to be done? You must require users to attend formal information security training and awareness programs.

    Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.

    Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple hours or training before we will see a widespread difference.

  • by DigitAl56K (805623) on Monday May 07, 2007 @11:10AM (#19021091)
    Next time could you please choose a more loaded headline?

    Thanks!
  • ... but is a very good starting point. Is the main major vendor that somewhat, in a way or another (design choices, big implementation holes, monoculture, etc) always been the "weak point" of internet, the unsafe by default case study.

    But even with a secure environment from the start you can make things very unsafe (i.e. using trivial passwords in open services)
  • How silly (Score:4, Insightful)

    by WindBourne (631190) on Monday May 07, 2007 @11:12AM (#19021121) Journal
    It is NOT about market share. It is about ease of penetration. There are MORE than enough *nix system that if they were easy to crack, than they would be. If nothing else, notice the .php/.asp world. Most php runs on *nix. They are attacked because it has been easy. Fortunately, the damage is limited, but it still allows such things as stealing information including credit cards and individual information via sql injection.
  • by harris s newman (714436) on Monday May 07, 2007 @11:17AM (#19021203)
    This guy has one fault: faulty logic. Systems are not being attacked more under Windows because of user error, it's because of the holes in the OS. Training is not the main issue with security today, it's an operating system which continues to have a paradigm of an insecure kernel. Layering is a mantra of security, it's not by Microsoft

    Finally, this "theory" should be quantitative, I question if sites which are linux only have the same number of vulnerabilities as Windows only. Why doesn't he give us some examples?

    My summary: I am ashamed to have the same certification as the author.
  • But... (Score:3, Interesting)

    by PhotoGuy (189467) on Monday May 07, 2007 @11:23AM (#19021287) Homepage
    "Security isn't just avoiding Microsoft..."

    Sometimes a double negative can sum it up best: "but it isn't *not* avoiding Microsoft..."
  • by Joe The Dragon (967727) on Monday May 07, 2007 @11:31AM (#19021425)
    Apps that where design back in the 9X and 3.1 days where there was little to no multi user, admin vs user, common dirs, and so.
    Apps that need admin so they can auto update them selfs
    A/V apps like Norton home that needs a admin users logged in for it to be able to get the updates.
    Games copy protections that needs admin to run that should be other ways to do this with messing the the ide drivers or needing admin just to check if you have a good copy of the game.

    It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at lest get rid of having to deal with games and other apps having there own built in updates and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be setup to auto run in the back round at system level. Also MS needs to let get the all of the updates form windows update using auto update. Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.

    Also put the full video drivers on windows / M$ update.
  • ...it's burying Windows completely in a 43 foot hole in the ground (rocks and boulders should be fine).
  • by EgoWumpus (638704) on Monday May 07, 2007 @11:42AM (#19021611)

    The argument has been out for a very long time now; "Any OS with this much market share would be subject to an equal number of attacks and breaches." But it's a weak argument; many point this out. The reason I'll pitch to the forefront is this: we have no evidence that it's true, and until another operating system has 80% market share for two decades, we simply won't have a baseline to compare.

    What I find lamentable is that this article takes what might have otherwise been a good opportunity to echo a tired suggestion. Rather than denying it is impossible for anyone to do as well as Microsoft has, perhaps it would be important to drill down to some real reasons why MS has had so many issues, and why another OS - regardless of the technical features - might have similar difficulty. The number one reason I can come up with - off the top of my head - is feature management. 80% of the market is large. Huge. Gargantuan. There are many users with many wants, but they all want certain common ground across which all of them can function. They are asking a central authority - Microsoft - to provide that. Unix simply has not had that sort of crushing demand put on them, and I find that a more compelling argument than one whose support is based on a hypothetical. Microsoft has tried and not always succeeded to meet that demand while providing the features requested securely. Nothing is perfect - but they challenge anyone to do it better.

    If Microsoft has faith in their product, they'll have faith that people will try, and fail, to do it better. If they don't, they'll reduce themselves to distractions and hand-waving - and the people making their money off of MS will throw any argument out there that will draw the least bit of attention away from their lack of confidence.

  • I like how this guy is pretending like he's busting some giant myth, when really he's just peddling the standard low-market-share-equals-security myth.
  • by Vellmont (569020) on Monday May 07, 2007 @11:49AM (#19021721)
    The article, and many of the comments seem to think a system is either Secure or Insecure. I.e. it's either Perfect or Imperfect. The article talks about every system having holes, blah blah blah.

    I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.

    My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.
  • 'If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux'

    Ok, given the number of web servers out there as reported [netcraft.com] by Netcraft, why aren't there 56% Linux breeches as against 31% MS.
  • One big advantage of an open source OS is the source. Unfortunately, not everyone has the skill to take advantage of it. I do, and I have used it to close up holes that I have found. But that required C programming skills on the part of a system administrator. That is a combination that is all too rare and unlikely to ever be corrected.

    One big advantage of a portable OS (which does not require being open source, though that helps) that can run on a different architecture is that binary code incompatibi

  • by QuietLagoon (813062) on Monday May 07, 2007 @11:57AM (#19021869)
    A simple application like the IE web browser is tightly integrated into the operating system in order to get around anti-trust laws. How dumb is that?

    Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.

    • IE consists of a front-end launcher and a few shared libraries that implement parts of the back-end like an HTML renderer. The only thing that the IE back-end is integrated with is parts of shell environment. It's a few shared libraries that are loaded into iexplore.exe, and explorer.exe when it needs to do HTML rendering. OSX has a similar architecture, called WebKit. KDE also shares Konqueror's back-end.

      IE is just a few user mode shared libraries. It doesn't have hooks into the kernel. It runs with whatever privileges the user has; it doesn't have some magical security back door. It's not used by any system services. A vulnerability in IE can lead to the compromise of the process it is loaded into, but that's true of any library. IE's vulnerability record is awful, but it can only compromise the system as much as any of your other applications. If IE was a totally standalone program, its security track record would be exactly the same; it's (in)ability to compromise the machine exactly the same. If you run an app as admin, and its compromised, the entire machine is compromised. If you run an app as a normal user, and its compromised, only the user's account is compromised. IE has nothing to do with the security architecture of Windows.

      In court, Microsoft said that IE was an integral part of the Windows experience, and that removing it would diminish that experience and break their right to sell a software package with whatever features they liked.
  • HELP! Vista blocked this link and all my Favorites. HELP!
  • If Linux were the mainstream desktop then there would be far more people looking for security problems and then fixing them. In fact this process would likely be faster since the same people looking for the problems can actually submit patches to fix them themselves! Also being mainstream projects like SELinux would likely become more mainstream as their user interfaces would be made more accessible and relevants to everyday tasks. there would be some changes though - I imagine that security testing would

"When it comes to humility, I'm the greatest." -- Bullwinkle Moose

Working...