Security Isn't Just Avoiding Microsoft 295
Jay Singala noted a story which points out "It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
Not exactly (Score:3, Insightful)
If the Apple/Windows market positions were reversed (or Linux/Windows for that mater) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
Re:Not exactly (Score:5, Insightful)
Re:Not exactly (Score:5, Insightful)
The difference back then was no one cared if we broke into a computer. It just didn't make news. Heck, I remember that remote exploits stayed open for years, and no one said a peep. The world was very different back then. Plus there just wasn't much interesting to hack into. People would generally hack into other students accounts -- erase homework, put a bug in a friends assignment, send a goofy email from their professor's account, etc... You didn't have organized crime stealing credit cards, because no one besides geeks used computers.
I know this doesn't fit into your mental model of how Unix was this secure fort in the old days, but you'd better think again. Those of us who were there, know better.
I hate to sound cliche, but as long as we have people programming systems, there will be security holes. And I've worked at enough places to know that no one has a silver bullet.
Re: (Score:3)
Email virus (Score:3, Informative)
Yea, it is a trusim that it took Microsoft to turn a hoax into reality.
But on the other hand, while Microsoft's ignorance, stupidity and arrogance made it a daily event we can't be totally smug either. We (including me, I was so sure back then too) have seen it happen to us as well. PINE, Evolution, Moz, all have had remote exploits in email. Gaim, etc has had remote IM exploits poss
Re: (Score:3, Insightful)
In order to protect against exploits in "data", the data format must be defined in such a way that it can contain no actions, the operating system and/or hardware must provide a mechanism for quarantining blocks of memory from execution (check out Data Execution Prevention or DEP), and the applications must be written
Re: (Score:3, Insightful)
Re:Not exactly (Score:4, Insightful)
In 1995, most of the US military facilities on the Internet had no firewall. I still remember logging on to the MS Lan Manager servers at work from home using Samba over a 28.8 modem and exporting X-Windows to Sun workstations 600 miles away. That was the normal level of information security and both Windows and Unix met it.
In 2007 the expected level of information security is rather different. In 2007, Unix and Linux have adapted to the new requirements and excelled at meeting them while Windows works only moderately better than it did in 1995.
So you're right, but you're wrong. Unix and Linux consistently met or exceeded the appropriate level of security at the time. That the target moves doesn't change the fact that they keep on hitting it. Windows, on the other hand, hasn't hit the target for the better part of a decade now.
Re: (Score:3, Interesting)
Still more important than this is the concept that most *nix flavors are continuously developed by a horde of people in plane sight. This Conway's Game of Life [wikipedia.org] approach shakes out more bugs (hopefully at a higher frequency than they are inserted). This results in better code in the long run. Look at the recent scheduler activity on the LKML for example.
OTOH, you've got the Temples of Syrinx [wikipedia.org] approach that says the p
Re: (Score:3, Insightful)
In the mean time though the Unix environments had a LOT of improvements towards security as time progressed. The problem with Microsoft ho
Re: (Score:2)
Re: (Score:3, Interesting)
While it is true that the original viruses developed by Dr. Fred Cohen were developed and tested - easily - on UNIX systems, it is also true that UNIX sys admins learned (most of them, anyway.)
In recent years - say, the last ten or 15 - UNIX has definitely been more secure than any version of Windows.
A comparative analysis of the methods UNIX uses to defend itself - such as SELinux and App Armor - vs the nonsense Microsoft has added to Vista, for example, the stupid UAC, pretty much demonstrates where signi
Re:Not exactly (Score:4, Insightful)
It was! Today's script kiddies can't tell grep for the GIMP but back in the day BBSs were filled with philes on hacking UNIX. Most those files are useless now because BSD and Linux developers have worked hard to improved security. (And so have Windows developers, XP is harder to hack then Win95) The point is that any product as complex as an OS will be full of security holes. Sure UNIX may be more secure but as soon as you get lazy and think your safe someone will prove you wrong.
Re:Not exactly (Score:5, Insightful)
Despite it's lesser market percentage, we still see exploits for Unix variants, and the services offered within. It's not some sort of impenetrable OS.
Anyhow. Security is in the hands of the user. Someone with half-decent security knowhow will be able to secure a Windows box far better than a newbie running Unix.
Re:Not exactly (Score:4, Interesting)
You must be talking about Linspire or whatever they call it these days. Most Linuxes I've run out of the box are quite a bit more secure than their Windows counterparts. I just ran nmap on my local network. The result was that all computers running Windows XP were identified along with their open ports and services whereas none of the linux boxes (with default firewalls configured on install) showed much at all. Nmap guessed that they were running Linux or Unix, but that was it.
Nobody is claiming that any OS is perfectly secure. But I seriously question your statement about newbies running *nix being more insecure compared to their Windows counterparts as most modern distros seem to have firewalls enabled and extraneous services shut off by default.
Re: (Score:3)
And what are you questioning? What I said was that someone who knew what they were doing (half-way decent knowledge of good security practices) could harden a Windows box better than a newbie could harden a Linux box.
sorry... but DUH!
<analogy type=car>
A professional Driver can drive a yugo better than my 1-year old can drive a Formula 1 race car.
</analogy>
Come on, at least make a comparison with at least one constant.
Re: (Score:2)
As for the parent's post, I was not trying to claim that *nix never had it's problems (as I mention in my previous post). Rather, I was questioning your claim about hardening Windows vs. *nix. What it comes down to is: what is your definition of newbie? Is it someone who has never used Linux? Or is your definition that a newbie is someone without a familiarity with computers?
In the first case one could state that a newbie to Windows would have a much harder time securing a Windows box than they coul
Re: (Score:2)
Quite. While it's obviously true that there is only going to be a market leader, it in no way follows that that market leader will therefore have lousy security.
And even if it did, that wouldn't be a reason to deploy products from a vendor with Microsoft's lamentable track record on security in in cases where security is paramount.
I know who gets my vote for delusional.
Re:Not exactly (Score:5, Insightful)
That way we get rid of the monoculture, which is a security disaster.
Re: (Score:2)
Re: (Score:2)
The Morris Worm was cross platform exploiting a weakness in Telnet, Finger, Sendmail, and probably every other service that used get() without input buffer checking. It was more of a BSDism than a Sunism, but the majority of the systems it could infect were Sun boxes.
Re: (Score:3, Interesting)
Re: (Score:2)
Let's regurgitate what I keep telling my friendly Windows trolls. In a certain year, market share of Linux/Apache was 60%, Microsoft's IIS had 20%, 60-something worms spread that year, ALL of them for Microsoft's product.
There. It's not that hard to understand. This claim of security only through obscurity is completely an
Re: (Score:2, Informative)
PLEASE, PLEASE, PLEASE FIND A NEW ARGUMENT. This one was dead before it began. Why? Simple...which version of Apache commands 60% of the market? Would that be the 1.2.x/SPARC/Solaris 2.6 version? Or the 2.0.x/MIPS/IRIX 6.5.4 version? Or the 2.2.x/x86/RedHat EL 4.0 version? The point is ther
IIS 5.0 not a web server .. ? (Score:3)
Then please tell us what IIS 5.0 was actually designed for.
'As IIS 5.0 was installed and operational on all Windows 2000 Servers unless specifically disabled this led to a huge number of web servers which Netcraft can't account for (as they're internal)''
And can you produce some evidence that most of the hacks were on non-operational Servers th
Re: (Score:3, Interesting)
Ah, well there's your security problem... an operating system which runs webservers without its users' knowledge.
"Security" does not exist! (Score:5, Insightful)
Got that? It's all about market share. There is no such thing as "security".
If everyone's house had no locks, they would be just as secure as if everyone's house had the best locks on the market.
I run Ubuntu (Feisty Fawn). By default it has NO open ports. That means that unless a worm can hit the TCP/IP stack, I am invulnerable to them.
He is an idiot. He doesn't even define "security" before he says that it doesn't exist.
My definition is: Security is the process of evaluating threats and reducing their effectiveness.
You're an idiot.
So if we replace Windows with Ubuntu, and the number of cracked machines goes down from 10,000,000 to only 1,000
Why do I get the feeling that this guy just bought stock in a training company?
If that approach was effective, we wouldn't have the problem we have today.
Re: (Score:3, Insightful)
I understand what you're trying to say, but there's a certain comedy value in seeing a door that's secured with a Chubb 20mm deadbolt, but framed between a pair of plate glass windows.
If we take 'security' to mean some kind of magic fairy dust you can sprinkle on part of the world to make bad things stop happening, then no.. it doesn't exist. Bruce Schneier discussed the issue at leng
Good vs Bad. (Score:4, Insightful)
Possibly. But that doesn't take into account bad security designs.
As with my Ubuntu example, just having a default install have no open ports is a HUGE step in reducing the threat to that box.
Pretty much. Once you have a good security model, getting it to be MORE effective may take effort that the average person isn't willing to put into it.
But I never care about "uptime" as a measure of security. The system can be very insecure, but still never crash.
I prefer looking at data compromised vs data lost. If you maintain your system so well that you lose data more frequently by accidentally deleting it without a backup than the number of times you've been cracked, that's the best you can really hope for.
Just be so secure that your users (even if that is just you) will do more damage to their data than outside attackers will.
Re: (Score:2)
If the Apple/Windows market positions were reversed (or Linux/Windows for that mater) Windows would still be less secure. Unlocked doors and windows are still less secure even though there are fewer of them (or in our case more of them).
True. However, if things were reversed, Windows would have a tiny market share and its relative insecurity would doom it to obscurity. No one would care about Windows and hackers would be having a field day trying to crack Mac OS X. Don't kid yourself - when the kid the bullies pick on gets wise and stops reacting, the bullies don't dance with him/her anymore and go on to pick on someone else. Microsoft's presence/absence has little to do with the larger issue of Internet/OS security.
Re: (Score:2)
But most importantly, as the writer of the article said - it's the people who use the systems, who cause the security breaks. He suggested that everyone have a minimal amount of training, but the problem is, no amount of training will fix the inherant apathy to system security that a normal
Re: (Score:3, Insightful)
One of my professors in college referred to security as the art of breaking services. He's as correct today as he was then. It would be great to open up the systems and allow anyone to do whatever they want, they're productivity would rise. Unfortunately the world doesn't work that way and we're forced to break stuff to the point where users can only do what they are explicitly authorized to do. This means no taking initiative and probably no learning of the system since I know at least in my organization t
Re: (Score:3, Insightful)
I have a friend who isn't really a computer tech (he has me help him with a lot of stuff), but he is in a business where information and confidentiality are major.
Both of use have windows accounts where we are admin, for ease of use. Neither of use have had virus problems on our machines. The trick is, we are both very paranoid. We don't run every program we can download from the net, we don't go to sites that
Re: (Score:3, Insightful)
That is a valid criticism as Windows is only now just barely coming into its own in regards to least privilege accounts. With that said, I setup a common computer for all my roommates to use. They all have their own logins with just basic user access. The machine has gone for three years without any instruction from me and not one virus, not even any spyware beyond cookies of course. My roommates are definitely the type to just click blindly which is definitely a problem. I'd say my experience is a bit of l
Re: (Score:3, Insightful)
Re: (Score:2)
There are a lot more Chevys stolen than BMWs because there are a lot more Chevys. Furthermore, people who drive Chevys and need to get them repaired are more likely (I'm guessing) to take them to shops which would trade in stolen parts than BMW drivers would.
You don't compromise computers in order to disassemble them and resell their component parts. You compromise computers in order to have them do your bidding, and it is that bidding which makes you money, whether it be spam, or warez, or po
The article is kind of pointless (Score:3, Insightful)
There is some credence to the "market penetration" argument, because Unix systems WERE "hacked to bits" decades ago, when they were the dominant networkable operating system. Of course, there are always other factors that come into play, and ultimately nothing trumps a robust design for security (which is why BSD and Linux servers running Apache are hacked far less often than Windows/IIS despite haveing a much
Re:Not exactly (Score:5, Insightful)
They've earned their damnation as the weakest link of security and if you eliminate the weakest link, the entire chain becomes stronger.
Re:Not exactly (Score:5, Insightful)
"It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system."
That's actually true in broad strokes, if you think of what a network administrator's job is relative to security. They maintain the system, keep up to date with what vulnerabilities exist, test any patches and apply them, and respond to any DoS or virus attacks that occur. They deploy spam filters and virus checkers, and keep up to date on patches for them. This won't fundamentally change -- there are still vulnerabilities for *nix whose fixes will need to be tracked -- so really they are doing the same thing with a different vendor.
In a less general "what is the nature of your job" sense, the above is absolutely not true. For instance the only reason we have a virus scanner on our *nix mail servers is to prevent viruses that depend on MS Outlook. While we've lost entire volumes to corruption by Windows viruses, nothing like that has happened to our *nix file servers. And whenever something like this happens, it means over-nighters for the sysadmins. Ask them if having to come in less often on a Saturday night is a "meaningful" change in the way they work.
There are two common couter-arguments to this. The first is the marketshare argument -- MS software isn't any more buggy, it's just more used and thus targeted more. This makes sense at first blush, but anyone putting forth this argument must explain why IIS is hacked more than Apache. Clearly there is more to it than the number of targets.
The second, more desperate argument is the "all software has bugs" mantra. I'll just be honest -- people who argue this are either idiots or extremely lazy programmers. Of course all software has bugs, the question is how many and why. All food has bugs in it, but don't tell me you can't distinguish between food with below the FDA standard for bugs and food that vastly exceeds that amount. Only a fool confuses "bugs exist" with "the quantity of bugs is the same". Only a fool thinks that you can't design a system to be more secure. The problem isn't that Microsoft's programmers just introduce more bugs, it's that the inherent design of Windows and associated software that makes it bug-prone. The worse your design, the more careful you have to be to avoid bugs. Avoiding bugs, and designing the system so that it is inherently more secure and bugs are easier to avoid, is what good programmers strive to do. You can never do it perfectly, but only lazy idiots think that means you can never succeed at all.
Well whatever. All I know is that once I got my father off Explorer and Outlook and onto Firefox and Thunderbird, I stopped having to clear spyware off his computer every single time I visited. Anecdotal for sure, but it's good enough for me.
Story? (Score:2)
Pity Jay didn't provide a link to that story
Re:Story? (Score:5, Funny)
Re: (Score:2)
He did--I have no idea why you and a few others do not seem to be able to access the link. For those who cannot, here is the article:
Security Isn't Just Avoiding Microsoft
Ben Rothke
May 07, 2007 (Computerworld) -- Weve all heard IT professionals imagine how secure their networks would be if they just didnt have to use any Microsoft products.
I've had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and ho
Where's the link? (Score:2)
"A story"? (Score:2)
Story? Who cares? (Score:2, Funny)
Re: (Score:2)
Philosophy (Score:3, Interesting)
MS too large (Score:3, Interesting)
Things would be no better with any company having Microsofts history, but that doesn't mean MS was set on it's current course through fate or whatever else you wish to call it.
Re: (Score:2)
The Information Technology industry's problem is Microsoft is too big.
Go back and look at the rate of innovation in the 90's. Now look at the last eight years or so. Thinks were changing so fast in OS space and then *BAM*, stagnation.
Microsoft bullying their way to monopoly status has hurt IT advances more than anything else. Think where the industry would be if Microsoft had suceeded in ignoring/supressing the Internet as well.
Yes, but free software is not a company. (Score:2)
Things would be no better with any company having Microsofts history ...
Good thing free software is something users can control and will always be dominated by those with a fighting spirit. The differences are real [slashdot.org].
Seriously, editors... ENOUGH ALREADY (Score:5, Interesting)
1. Find a common belief of Slashdot
2. Whine and bitch about "Slashdot bias" while not even understanding the point
3. When you don't get modded high enough for your complaining, find some blog that agrees with you
4. Get story linked to on Slasdot
4a. In this case, not even a link
5. Page Hits
Editors, I know you love to drive ad revenue by putting up these blatant trolls (OMG How Can I Love Open Source Without Copyright? If I Don't Like The RIAA I MUST Hate RMS!!!!!One!), but the joke's on you - most of us who respond to these out of annoyance run adblock.
Can we try for some actual stories now?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I wouldn't call that a consensus either considering last I checked, applying a security template for Windows was exactly as difficult as running a script on most any Linux distro. I'd say they are pretty well on par these days.
Hell, with SMS I can run the scripts on Linux and apply templates to thousands of machines at once so automating it on a massive scale is even easy.
The real debate comes from the user perspective, who's better at protecting the user from themselves without upsetting the user? It's a
Re: (Score:2)
Re: (Score:3, Insightful)
Trolling is going to a NY Nicks' fan forum after they lose a game and posting "SEE!!!! OMG THEY DO SUCK I TOLD YOU!!!". Trolling is hanging out in religious IRC chatrooms and doing nothing but posting links to atheist websites. Trolling is wandering down to the Holocaust museum in Israel and handing out pamphlets saying "hey, maybe Hitler was misunderstood".
Trolling is also getting pissed off because your understanding of security is shallow enough that you take it personally when someone points out that
The problem is one of balance (Score:2, Interesting)
Now, MS is having to balance coddling those users who don't know jack about their OS and keeping the OS secure. Added security generally means more steps (or the same number of more complicated steps) to accomplish the same task.
I would contend that
Re: (Score:2)
Well for the "I just want it to work for a short time before rebooting" crowd, anyway.
Re: (Score:2)
Re: (Score:3, Insightful)
The "ease" of Windows 3.1 or Windows 95 had nothing to do with it.
Win/DOS was already being pushed by Dell and the rest of his friends.
Re: (Score:2)
Better question: (Score:2)
Re: (Score:2)
More secure? (Score:5, Insightful)
Things were more secure when Netware was the NOS for businesses. Create a user, and they could see nothing unless you flipped a switch. Fire up bitchx and doesn't it say, if using as root, "using bitchx as root is stupid." Su, denial of anonymous access or even read access across the network
This says nothing for the hall-of-shame when trying to remove root access for users on their local boxes.
If not for microsoft, consumers might have saved billions on hardware by removing the microsoft tax. Dozens of smaller companies might still be in business.
If not for microsoft, I might still be managing a Netware NDS which, some dozen years ago now, was a far better directory service for a network than active directory is today, (I can only apply security settings at the domain level?). Oh for the days of right clicking anywhere -- I mean anywhere -- in the tree and setting a differnt password policy....
If not for microsoft, the first thought on computer security might be something other than a virus....
If not for microsoft, the word "rootkit" might not exist?
Re:More secure? (Score:4, Informative)
If not for microsoft, the word "rootkit" might not exist?
Is this a joke I hear whooshing past my head or are you being serious. You know that "root" part of "rootkit", it talks about the Unix superuser known as "root". The roots (pardon the pun) of a rootkit are most definitely in the Unix heritage. Look it up for yourself. [wikipedia.org]
Re: (Score:2)
Lemme rephrase:
Would it make CNN? (or popular media)
Yes, it's Monday. This is my 10th "whoosh" experience today....
Re: (Score:2, Informative)
Most security issues do not make popular media. I have heard the occasional big virus scare (ILoveYou, CodeRed) on the radio, but something like "Remote ANI vulnerability found in Windows - Patch your systems"? Never....
It doesn't make good mainstream news...
Monoculture. (Score:2, Insightful)
Re: (Score:2)
Maybe if Linux or another UNIX was the commonplace desktop we could expect our users to be a bit more intelligent about their security.
Essentially MSFT makes money by calling their users stupid and selling them software to make the bad scary computer go away. Which is, oddly enough, also why OSS users t
Re: (Score:2)
This brings up issues of interoperability which, until recently, posed serious problems for the 285-flavor world. To completely oversimplify: back in 1999 if you wanted to be able to share word-processing documents with somebody else you could either be on the same OS (monoculture) or both use the same software (monosubculture). I think that now with fast computers and virtual machines (and virtualization in general) there are some creative solutions to this sort of problem. So maybe in 10 yea
True (Score:4, Insightful)
True, security isn't just about avoiding Microsoft.
But avoiding Microsoft is a good start. :-)
Being a part of any monoculture is bad... (Score:2)
If you're just another corn stalk in a huge field, when the stalk 3 rows down breeds a new virus/bacteria/mold that you and the rest of the monoculture have no defence for, you're screwed.
That's part of why I run my home server with NetBSD on MIPS, and without the 'leading' servers for DNS, Mail, & http.
Wrong assumption (Score:2)
information security training and awareness progra (Score:2)
Dreck! (Score:4, Insightful)
This article is complete and utter rubbish. It makes random claims with no support. For example, "How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system. " makes the assertion that it would not be any different and makes the implicit statement that there would be a single dominant operating system, all completely without any support for either of those statements. First, why would there be a single dominant OS and second, why, if that OS was Linux, would the same problems that occur with MS's monopoly not be completely undermined by Linux's licensing?
Sure it would, but that's again assuming someone had to "win" and establish a monopoly. No evidence that this is the case has been provided. I know it is hard to imagine a world with multiple OS's and vendors that interoperate via these crazy things called "standards" but that is how most markets operate. Yeah if someone else had an abusive monopoly we'd still have a broken market, that's why we want to restore the market to a non-monopolized state.
Except right now if you do that with Linux or MacOS you have a whole lot fewer problems, to the point where it takes no significant time.
No they're not. Most malware infections by number are still the result of automated attacks with no user interaction. Such malware is harder to write, but it spreads faster and further than other malware. As for user error, sure it will always be an issue, that is no reason to ignore other aspects of security or to implement ways of mitigating user error. You seem to think (like MS) that the user element should be isolated from the security mechanisms. You cannot ignore the user when planning security and the examples you point out are where that is exactly what failed. If the Nazis had planned realistically for what their users would do, they would have built a system that verified which keys were used and that they were unique.
Sure if you want to spend the money, go for it. It won't help very much though. Until the security of OS's is up to snuff and simple enough, the training will be mostly ineffective. What is a user supposed to do if they have a binary and aren't sure if it is safe? Windows has basically no mechanism for determining the trust level or for running it in a sandbox if it is not trusted enough. Until it does and it is brought to the user in a functional way, education will help very little. The OS actually has to have an easy way to let the user do what they want, or they will take risks out of laziness.
Education is the last step, but first we need to fix the OS and fix the market to motivate the fixing of the OS's. Right now you need the equivalent of a 4 year degree to have a good chance of safely running a Windows box and accomplishing all the tasks you want to. That is simply not good enough. It needs to be down to a couple hours or training before we will see a widespread difference.
Dear Editors (Score:4, Funny)
Thanks!
Security Isn't Just Avoiding Microsoft (Score:2)
But even with a secure environment from the start you can make things very unsafe (i.e. using trivial passwords in open services)
How silly (Score:4, Insightful)
Holy crap, my CISSP value just went down! (Score:3, Insightful)
Finally, this "theory" should be quantitative, I question if sites which are linux only have the same number of vulnerabilities as Windows only. Why doesn't he give us some examples?
My summary: I am ashamed to have the same certification as the author.
But... (Score:3, Interesting)
Sometimes a double negative can sum it up best: "but it isn't *not* avoiding Microsoft..."
M$ lack of Security comes from (Score:4, Informative)
Apps that need admin so they can auto update them selfs
A/V apps like Norton home that needs a admin users logged in for it to be able to get the updates.
Games copy protections that needs admin to run that should be other ways to do this with messing the the ide drivers or needing admin just to check if you have a good copy of the game.
It would be a big help if MS came out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at lest get rid of having to deal with games and other apps having there own built in updates and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be setup to auto run in the back round at system level. Also MS needs to let get the all of the updates form windows update using auto update. Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.
Also put the full video drivers on windows / M$ update.
Security isn't just avoiding Microsoft... (Score:2)
Another Lost Opportunity (Score:3, Interesting)
The argument has been out for a very long time now; "Any OS with this much market share would be subject to an equal number of attacks and breaches." But it's a weak argument; many point this out. The reason I'll pitch to the forefront is this: we have no evidence that it's true, and until another operating system has 80% market share for two decades, we simply won't have a baseline to compare.
What I find lamentable is that this article takes what might have otherwise been a good opportunity to echo a tired suggestion. Rather than denying it is impossible for anyone to do as well as Microsoft has, perhaps it would be important to drill down to some real reasons why MS has had so many issues, and why another OS - regardless of the technical features - might have similar difficulty. The number one reason I can come up with - off the top of my head - is feature management. 80% of the market is large. Huge. Gargantuan. There are many users with many wants, but they all want certain common ground across which all of them can function. They are asking a central authority - Microsoft - to provide that. Unix simply has not had that sort of crushing demand put on them, and I find that a more compelling argument than one whose support is based on a hypothetical. Microsoft has tried and not always succeeded to meet that demand while providing the features requested securely. Nothing is perfect - but they challenge anyone to do it better.
If Microsoft has faith in their product, they'll have faith that people will try, and fail, to do it better. If they don't, they'll reduce themselves to distractions and hand-waving - and the people making their money off of MS will throw any argument out there that will draw the least bit of attention away from their lack of confidence.
Mythbusting (Score:2)
Security isn't Binary. (Score:4, Insightful)
I'm sorry to say, but security isn't about having a perfect solution. It's a mistake many people make in the IT industry because on a low-level, you can perfectly solve small problems. Many people think this scales up to larger, more complex problems. It doesn't.
My point is that security is a continuum. Pointing out that all systems have flaws doesn't mean that Windows is just as secure/insecure as some alternate reality OS that doesn't exist but in the mind of the article writer.
web server usage as a percentage of hacks .. (Score:2)
Ok, given the number of web servers out there as reported [netcraft.com] by Netcraft, why aren't there 56% Linux breeches as against 31% MS.
One big advantage of an open source OS (Score:2)
One big advantage of an open source OS is the source. Unfortunately, not everyone has the skill to take advantage of it. I do, and I have used it to close up holes that I have found. But that required C programming skills on the part of a system administrator. That is a combination that is all too rare and unlikely to ever be corrected.
One big advantage of a portable OS (which does not require being open source, though that helps) that can run on a different architecture is that binary code incompatibi
The problem is Window's insecure architecture. (Score:5, Insightful)
Perhaps Windows is attacked so much because it is the most popular operating system. However, those attacks succeed so frequently because the security architecture of Windows is so poor.
Re:The problem is Window's insecure architecture. (Score:4, Informative)
IE is just a few user mode shared libraries. It doesn't have hooks into the kernel. It runs with whatever privileges the user has; it doesn't have some magical security back door. It's not used by any system services. A vulnerability in IE can lead to the compromise of the process it is loaded into, but that's true of any library. IE's vulnerability record is awful, but it can only compromise the system as much as any of your other applications. If IE was a totally standalone program, its security track record would be exactly the same; it's (in)ability to compromise the machine exactly the same. If you run an app as admin, and its compromised, the entire machine is compromised. If you run an app as a normal user, and its compromised, only the user's account is compromised. IE has nothing to do with the security architecture of Windows.
In court, Microsoft said that IE was an integral part of the Windows experience, and that removing it would diminish that experience and break their right to sell a software package with whatever features they liked.
Vista blocked link. (Score:2, Funny)
Simple...Linux would be more secure (Score:2)
Re: (Score:2)
How would life without Microsoft be different? WHY DON'T YOU TRY IT AND FIND OUT?
I'm pretty sure the question meant, "How would life be different if MS didn't exist?" Unfortunately, I do not have the means to cause MS to not exist.
Re: (Score:2)
You can bite my shiny metal ass.
Re: (Score:2)
I few words that mean something to those who use *nix regularly.
$HOME
chmod 700
jail
iptables
pf/pfctl
firefox/konqueror/opera
There are vulnerabilities out there, but to anyone who bothers to take the time to learn a variant of Unix, yes, there is some measure of security because no one bothers to hack, but far more is it possible that a properly done distro is going to be better than a Windows pre-install any day of the week. If I am forced to do a Windows install
Only on /. could this drivel be modded up (Score:2)
Re:No (Score:4, Insightful)
Re: (Score:2)
I don't know about you, but if I was a hacker... Having "the first guy to break OS X/Linux security" with a massive security hole on a massive scale would seem rather appealing on my resume. Just think of the bragging righ
Re: (Score:2)
don't know about you, but if I was a hacker... Having "the first guy to break OS X/Linux security" with a massive security hole on a massive scale would seem rather appealing on my resume. Just think of the bragging rights alone which you could beat over the head of all the naysayers.
So why hasn't there been any persons up to the task?
It depends on what kinds of hackers we're talking about. Generally speaking when people think poor security they remember security issues which were exploited in some way. If you're a malicious hacker out to exploit security holes then having "the first guy to break OS X/Linux security" on your resume is liable to get you arrested. To put this another way, the guys who make the real headlines security-wise are the guys who aren't in it for the bragging rights, at least not outside very specific circles, th
Agreed, Apache is proof otherwise (Score:2)
So, going back to the original question, yeah, there would be another vendor peddling the dominant OS, and there's a good chance it would be much more secure (if not only because every other mainstream OS on the planet is *nix, which is inherent
Backfire. (Score:2)
He's just attempting to up magazine subscriptions.
Yeah, but the author is so wrong about so much that the little CW with a yellow background associated with him is now equivalent to dog poop in my mind. Subscribe? You have to be crazy.