Security Isn't Just Avoiding Microsoft
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
Re:Not exactly (Score:2, Informative)
PLEASE, PLEASE, PLEASE FIND A NEW ARGUMENT. This one was dead before it began. Why? Simple...which version of Apache commands 60% of the market? Would that be the 1.2.x/SPARC/Solaris 2.6 version? Or the 2.0.x/MIPS/IRIX 6.5.4 version? Or the 2.2.x/x86/RedHat EL 4.0 version? The point is there is no one Apache in the same sense there is one version of IIS. Apache runs on multiple platforms, multiple OSes, and there are multiple versions of Apache. Therefore when you say "Apache has 60% of the market" it's not like saying that "IIS has 20% of the market". Plus I have seen no credible evidence supporting that IIS is hacked more than Apache. To the contrary IIS 6.0 has had an excellent security track record. Much better than Apache. I can only assume you're referring to the IIS 5.0 buffer overflow which exploited systems, and here is the key, which were never intended to be web servers. As IIS 5.0 was installed and operational on all Windows 2000 Servers unless specifically disabled this led to a huge number of web servers which Netcraft can't account for (as they're internal).
Now with that said please stop ignoring the obvious.
Re:More secure? (Score:4, Informative)
If not for Microsoft, the word "rootkit" might not exist?
Is this a joke I hear whooshing past my head or are you being serious? You know that "root" part of "rootkit", it talks about the Unix superuser known as "root". The roots (pardon the pun) of a rootkit are most definitely in the Unix heritage. Look it up for yourself. [wikipedia.org]
M$ lack of Security comes from (Score:4, Informative)
Apps that need admin so they can auto update themselves
A/V apps like Norton home that need an admin user logged in for it to be able to get the updates.
Game copy protections that need admin to run; there should be other ways to do this without messing with the IDE drivers or needing admin just to check if you have a good copy of the game.
It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updates and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be set up to auto run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000 and you need to run that to get the Optional updates.
Also put the full video drivers on windows / M$ update.
Re:More secure? (Score:2, Informative)
Most security issues do not make popular media. I have heard the occasional big virus scare (ILoveYou, CodeRed) on the radio, but something like "Remote ANI vulnerability found in Windows - Patch your systems"? Never....
It doesn't make good mainstream news...
Email virus (Score:3, Informative)
Yea, it is a truism that it took Microsoft to turn a hoax into reality.
But on the other hand, while Microsoft's ignorance, stupidity and arrogance made it a daily event we can't be totally smug either. We (including me, I was so sure back then too) have seen it happen to us as well. PINE, Evolution, Moz, all have had remote exploits in email. Gaim, etc has had remote IM exploits possible against it. And yes we too had the one I would tell people with confidence wasn't possible, a GIF/JPEG that would infect your computer just by looking at it.
Oh yea, I'd tell people the 'truth' about how only an executable could get ya, pure data like a picture was safe; so watch those file extensions carefully over there on DOS and it would be all right. But all that depends on programmers being good at defense, to keep on going and check every bit of data for sanity, every system call for an error return, etc. To not stop and release as soon as it 'seems to work' and move on to a more interesting problem.
Follow the errata stream from a major Linux distro for a few years and it will change your attitude. Thankfully though the trial by fire does help us. Sendmail went through it and emerged. Bind likewise, used to be a problem but fairly rare for a new bug. Now the meat grind seems to be focused more on the graphical apps like Mozilla/Firefox, OpenOffice, Gaim (whatever it is today), Ethereal/Wireshark. PHP, the databases and Squid seem to be the whipping boys in server space now.
Re:The problem is Windows' insecure architecture. (Score:4, Informative)
IE is just a few user mode shared libraries. It doesn't have hooks into the kernel. It runs with whatever privileges the user has; it doesn't have some magical security back door. It's not used by any system services. A vulnerability in IE can lead to the compromise of the process it is loaded into, but that's true of any library. IE's vulnerability record is awful, but it can only compromise the system as much as any of your other applications. If IE was a totally standalone program, its security track record would be exactly the same; its (in)ability to compromise the machine exactly the same. If you run an app as admin, and it's compromised, the entire machine is compromised. If you run an app as a normal user, and it's compromised, only the user's account is compromised. IE has nothing to do with the security architecture of Windows.
In court, Microsoft said that IE was an integral part of the Windows experience, and that removing it would diminish that experience and break their right to sell a software package with whatever features they liked.
Re:More secure? (Score:1, Informative)
Not that I'm disagreeing with your point, love NDS, just don't talk about that which you do not know.