Linked by Thom Holwerda on Tue 10th Nov 2009 09:31 UTC
Last week, security vendor Sophos published a blog post in which it said that Windows 7 was vulnerable to 8 out of 10 of the most common viruses. Microsoft has responded to these test results, which are a classic case of "scare 'em and they'll fall in line".
Not the right persons to judge...
by bsdfreak on Tue 10th Nov 2009 09:40 UTC
bsdfreak Member since:
2009-10-22

Don't they use sensationalism themselves to sell their own products? Windows has never been a secure platform, but they have improved a lot since Windows Vista.

Reply Score: 2

kragil Member since:
2006-01-04

No, default install is just a lot more insecure than Vista. You have to manually set UAC to always prompt otherwise it is easy to circumvent.

Reply Score: 6

bsdfreak Member since:
2009-10-22

OK, I didn't know that; I don't use Windows at all. I've only tried Win7 for a few weeks. But I wasn't really satisfied to use it as my default OS.

Reply Score: 1

Thom_Holwerda Member since:
2005-06-29

This isn't entirely true. UAC is less secure, definitely - however, the operating system itself also has other new security features. In other words, calling the entire OS less secure is a bit premature.

Doesn't negate the fact the changes in UAC are braindead.

Reply Score: 1

kragil Member since:
2006-01-04

Well, at the end of the day security is account separation, which is effectively dead in the new "streamlined UAC".
Compared to that, the other enhancements I read about on http://technet.microsoft.com/en-us/library/dd560691.aspx are just minor tweaks or meaningless to consumers, so IMO at least the default install (not the whole OS) is less secure. But defaults matter big time when you have 94% market share.

Reply Score: 2

kaiwai Member since:
2005-07-06

No, default install is just a lot more insecure than Vista. You have to manually set UAC to always prompt otherwise it is easy to circumvent.


And the whole UAC could be avoided if Microsoft refused to support poorly written applications and bundled Windows XP Virtual Machine with every copy of Windows 7. If they did that then the whole malarkey with UAC would be a non-issue. It is end users complaining about their 20 year old application to work perfectly with the latest version of Windows and the vendors who refuse to update their software knowing full well that Microsoft will never force them to make their software run properly in a limited privileged environment.

Each layer of backwards compatibility adding more complexity and possible area that criminals can target. Microsoft could sort it out tomorrow, like I said. They could move backwards compatibility into virtualised Windows XP sessions and hold back Windows certifications from software vendors who refuse to get their software up to standards - the cold hard reality is that when push comes to shove and the difficult decisions need to be made - they crumple.

Edited 2009-11-10 12:05 UTC

Reply Score: 4

Thom_Holwerda Member since:
2005-06-29

Microsoft could sort it out tomorrow, like I said.


As much as I want to believe you, we don't know if it's that simple. We talk about backwards compatibility as if it's a simple package that comes with an InstallShield uninstaller, but in reality we have no idea how entrenched "backwards compatibility" is into the operating system.

and hold back Windows certifications from software vendors who refuse to get their software up to standards - the cold hard reality is that when push comes to shove and the difficult decisions need to be made - they crumple.


They've just been fined massively, and forced to change their operating system for something as mundane as including a browser or a media player - how do you think the DOJ and Kroes would respond if Microsoft did something like that?

I'm sure just about every engineer inside Microsoft wants to do just that, but this isn't Apple we're talking about - it's Microsoft. They are treated differently because of their market position, and can't just do the kind of cut-throat code cutting Apple can do.

Reply Score: 2

kaiwai Member since:
2005-07-06

As much as I want to believe you, we don't know if it's that simple. We talk about backwards compatibility as if it's a simple package that comes with an InstallShield uninstaller, but in reality we have no idea how entrenched "backwards compatibility" is into the operating system.


Microsoft know where it is, they've noted the deprecated parts only there for backwards compatibility, they created the virtualised registry to get around permissions issues on applications which make the assumption that they have administration privileges.

The solution is easy - include in the book, 'If the application doesn't run, right click and select 'run in virtualisation mode' whereby Windows XP fires up in borderless mode (which VirtualBox supports) and it'll appear like any other desktop application but within a virtual machine that is sandboxed off from the rest of the machine.

They've just been fined massively, and forced to change their operating system for something as mundane as including a browser or a media player - how do you think the DOJ and Kroes would respond if Microsoft did something like that?


Based on what evidence. They can still call it compatible but they just can't get the sticker. That is no different than a person writing a JVM but unable to call it Java till it meets certain specifications. Heck, Microsoft do it already with Windows compatible logo where hardware vendors have to meet a minimum set of requirements before they can affix the logo to their hardware. Making the software vendor meet a certain set of criteria before they can affix the logo of compatibility would be no different than their OEM side of the business.

I'm sure just about every engineer inside Microsoft wants to do just that, but this isn't Apple we're talking about - it's Microsoft. They are treated differently because of their market position, and can't just do the kind of cut-throat code cutting Apple can do.


Mate, there was a manager a while back who said, "legacy code is an asset"; excuse me, but when has a rusted car on the front lawn of a property, without wheels, up on four concrete blocks ever been considered an asset? In any other situation it is an eyesore and a source of property depreciation.

When you have managers so far out of touch with reality, so devoid of what technology is actually out there by way of virtualisation, you know the person should be put out to pasture. They had their time in the spotlight, time to allow the spotlight to shine on those people who aren't living in the age where COBOL is the new and up 'n coming language of choice for business.

Edited 2009-11-10 13:31 UTC

Reply Score: 3

boldingd Member since:
2009-02-19

There are a few problems with this approach, among them the performance hit that would come from virtualization (which might be small, but won't be zero), or the fact that a virtual machine wouldn't expose the host's hardware well (in particular, so far as I know, there's no good, high-performance way to expose the host's GPU). There's also the problem that you've then got a lot of still-fundamentally-insecure apps running together in a virtual machine that's running a guest OS that's less secure than the host. If any of those legacy apps manage sensitive information, and the virtual machine gets compromised, then you have a serious problem. There's also the fact that many insecure, low-level APIs don't virtualize well.
Apple did something like this when they moved to OS X: if you had an <= OS 9 application, OS X would try to run the application in what amounted to an emulated OS 9. It didn't work very well; most legacy apps either didn't run well, or didn't run at all, and they didn't integrate with the rest of the system regardless. I think most Mac users took the hint and wrote off their Mac Classic applications, and used OS X native equivalents if they existed, and did without when equivalents weren't available. I know that's what I did.
I'm a fan of virtualization, but it's not a panacea, and it's not really a good way to handle any legacy apps on which you're dependent. At least, not in a desktop environment.

My other concern is that legacy applications and backwards-compatibility really are good things. As someone else on this site has elegantly said before, you don't throw out a code-base with a 20-year track record just because the OS vendor says it's time to move on.

Reply Score: 3

kaiwai Member since:
2005-07-06

There are a few problems with this approach, among them the performance hit that would come from virtualization (which might be small, but won't be zero), or the fact that a virtual machine wouldn't expose the host's hardware well (in particular, so far as I know, there's no good, high-performance way to expose the host's GPU). There's also the problem that you've then got a lot of still-fundamentally-insecure apps running together in a virtual machine that's running a guest OS that's less secure than the host. If any of those legacy apps manage sensitive information, and the virtual machine gets compromised, then you have a serious problem. There's also the fact that many insecure, low-level APIs don't virtualize well.


Virtualisation isn't meant to be a long term solution - it is only there for backwards compatibility until such time that the customer can upgrade their software to a version that is compatible with the underlying operating system. It is a zimmer frame for applications - that is it. Time for people to wake up and stop expecting software to be perpetually supported on their computer - attitudes expecting perpetual support are as stupid as the person who fills up their car once with petrol and is pissed off when he or she finds out that they need to fill up the tank again.

You buy a car, you need to fill it up with petrol and maintain it. You exist because you have to go out and purchase groceries from the supermarket. You want to run BluRay? get a BluRay drive. Life is a continuous movement forward - stop trying to hold onto the door frame like a child being told that they need to go to the dentist.

Apple did something like this when they moved to OS X: if you had an <= OS 9 application, OS X would try to run the application in what amounted to an emulated OS 9. It didn't work very well; most legacy apps either didn't run well, or didn't run at all, and they didn't integrate with the rest of the system regardless. I think most Mac users took the hint and wrote off their Mac Classic applications, and used OS X native equivalents if they existed, and did without when equivalents weren't available. I know that's what I did.
I'm a fan of virtualization, but it's not a panacea, and it's not really a good way to handle any legacy apps on which you're dependent. At least, not in a desktop environment.


And you know, here we are 8 years later, after Apple bit the bullet and they have a top of the line operating system. They made the tough decision when they needed to - Microsoft every release doesn't want to address the problem. They're like the obese person who tries every diet under the sun; the pickle diet, the orange diet, the prune diet - all hoping that there is an easy way out instead of facing reality that it is calories in, calories out. Microsoft is like that obese person - avoiding what needs to be done by gravitating around the periphery.

My other concern is that legacy applications and backwards-compatibility really are good things. As someone else on this site has elegantly said before, you don't throw out a code-base with a 20-year track record just because the OS vendor says it's time to move on.


Who the hell said throwing out old code for the sake of it. When the new code addresses all the flaws of the old code and a period of time has been given for programmers to migrate off the old API - you then need to remove it. More code staying in the code base means more area for which a hacker or cracker can aim at.

Yes, keep old code for a period of 5 years to allow customers to migrate off it and address the concerns if the new API lacks certain features developers require - but that isn't and shouldn't be an invitation to keep layering multiple API's from 20 years worth of development. You create an API, 5 years later you realise that assumptions made in that design aren't meeting the requirements so you create a new API that replaces it. You deprecate it, you remove the ability to compile against it then eventually you remove support from the operating system.

Again, it is pathetic and childish to label what I posted as merely a knee jerk reaction of throwing out 20 year ideas out the window because I feel like it. I've laid out reasons for why you should, not just practical but also economic reasons as well. Instead of repeating the same things over and over again - address why what I state can't and won't work in reality.

Edited 2009-11-11 06:15 UTC

Reply Score: 2

vaughancoveny Member since:
2007-12-26

Lateral and constructive thinking could be used to solve Virtualization and Legacy Application problems.

Lateral Thinking is concerned with using random words to change concepts.

Constructive thinking places judgements from people down side-by-side. Rather than the old western argument system.

It's time to move away from these age-old problems.

Reply Score: 1

phoenix Member since:
2005-07-11

The solution is easy - include in the book, 'If the application doesn't run, right click and select 'run in virtualisation mode' whereby Windows XP fires up in borderless mode (which VirtualBox supports) and it'll appear like any other desktop application but within a virtual machine that is sandboxed off from the rest of the machine.


Isn't this exactly what "Windows XP Mode" for Windows 7 does, using a virtualised XP install running in a headless VirtualPC instance? And it even puts application shortcuts into the Start Menu for these apps.

Edited 2009-11-10 17:45 UTC

Reply Score: 2

kaiwai Member since:
2005-07-06

Isn't this exactly what "Windows XP Mode" for Windows 7 does, using a virtualised XP install running in a headless VirtualPC instance? And it even puts application shortcuts into the Start Menu for these apps.


Yes it is, but 'Windows XP Mode' isn't included with all versions of Windows 7 - only the highest end. It also doesn't do away with deprecated parts of the operating system or the work arounds implemented for the sake of backwards compatibility such as registry virtualisation.

Reply Score: 2

sbenitezb Member since:
2005-07-22

We talk about backwards compatibility as if it's a simple package that comes with an InstallShield uninstaller, but in reality we have no idea how entrenched "backwards compatibility" is into the operating system.


Very entrenched. All that should be scrapped for good. The ugly useless stuff should be left to run in a virtual machine with a Windows XP provided copy. They could cut a sizeable chunk of useless crap code out of the OS, not maintain it anymore and leave it where it belongs.

I'm sure just about every engineer inside Microsoft wants to do just that, but this isn't Apple we're talking about - it's Microsoft. They are treated differently because of their market position, and can't just do the kind of cut-throat code cutting Apple can do.


Sure they can, as long as they provide a way for existing software to keep running.

Reply Score: 2

They deserve it
by Devi1903 on Tue 10th Nov 2009 10:58 UTC
RE: They deserve it
by cb_osn on Tue 10th Nov 2009 11:36 UTC in reply to "They deserve it"
cb_osn Member since:
2006-02-26

The fact is that windows has never and will never be a secure os.

And Linux will never let you install new hardware without recompiling your kernel.

Oh wait. We're both wrong.

The use of outdated criticisms only demonstrates your own technical ignorance.

Reply Score: 7

RE[2]: They deserve it
by Devi1903 on Tue 10th Nov 2009 11:52 UTC in reply to "RE: They deserve it"
Devi1903 Member since:
2009-11-05

I apologise for not elaborating. Microsoft has come a long way from XP in securing itself. And Windows 7 is far more advanced in its security features, but nonetheless it is still not secure when compared to Linux, for instance.

Reply Score: 0

RE[3]: They deserve it
by flanque on Tue 10th Nov 2009 22:26 UTC in reply to "RE[2]: They deserve it"
flanque Member since:
2005-12-15

Until both OS's are tested in the wild with the same level (and stupidity) of users, along with the same level of focus from the bad guys, this really cannot be stated as fact.

Reply Score: 3

RE[4]: They deserve it
by sbergman27 on Tue 10th Nov 2009 22:38 UTC in reply to "RE[3]: They deserve it"
sbergman27 Member since:
2005-07-24

Until both OS's are tested in the wild with the same level (and stupidity) of users, along with the same level of focus from the bad guys, this really cannot be stated as fact.

Why? All else aside, the fact of the matter is that the bad guys *don't* attack non-MS OSes with anywhere near the intensity that they attack Windows. This makes Windows a far more dangerous operating system to run. Period.

Look at it this way. If you had a choice of being put into a battle zone without a bullet proof vest, being put into a battle zone with a bullet proof vest, or staying at home watching Nova (with or without a vest), which would you choose? Which would be safest?

I've never understood folks who whine that if Operating System Q were attacked as much as Windows, they would have problems, too. Because there is only one family of OSes which *is* attacked so violently and consistently. And that is the Windows family of operating systems.

It reminds me a bit of that scene in "Whatever Happened to Baby Jane?".

To paraphrase:

---
Blanche: If *only* I weren't always getting attacked by all this malware!

Jane: Butcha *are*, Blanche! Ya *are* getting attacked by all that malware!
---

People need to learn to face reality. And the reality is that regardless of the relative security features of the OSes themselves, Windows is a far more dangerous OS to be running than just about anything else, because it's the one with the target painted on its back.

Edited 2009-11-10 22:51 UTC

Reply Score: 1

RE[4]: They deserve it
by lemur2 on Tue 10th Nov 2009 22:39 UTC in reply to "RE[3]: They deserve it"
lemur2 Member since:
2007-02-17

Until both OS's are tested in the wild with the same level (and stupidity) of users, along with the same level of focus from the bad guys, this really cannot be stated as fact.


This argument is getting very tired indeed.

Firstly, Linux has significant market share in areas where it is an attractive target ... servers for example.

Secondly, in Linux the "paradigm" for installing new software is not to download & run stuff from some random website, but rather to use a package manager.

I believe package managers have an impeccable record.

Over many years, for thousands of packages, for many Linux distributions, for millions of users, I have never heard of a single case, ever, of an end-user's system being compromised with malware through installing software using a package manager.

Amongst many millions of Linux users, there has got to be the odd stupid one here and there you would think.

Reply Score: 0

RE[5]: They deserve it
by tomcat on Wed 11th Nov 2009 01:34 UTC in reply to "RE[4]: They deserve it"
tomcat Member since:
2006-01-06

Firstly, Linux has significant market share in areas where it is an attractive target ... servers for example.


Sigh. Linux server != Linux desktop. Servers are locked-down far more than desktops. You can't extrapolate one from the other. Apples and oranges. Once you start opening up ports to run things like BitTorrent, web browsers, etc, the attack vectors become multiplicative.

Secondly, in Linux the "paradigm" for installing new software is not to download & run stuff from some random website, but rather to use a package manager.


Um, that works fine if you only run open source software, but there are MANY cases where no open source application exists for what you want to do. So, what does a user do? Fail? I don't think so.

I have never heard of a single case, ever, of an end-user's system being compromised with malware through installing software using a package manager.


So what. There have been cases where repositories have been compromised. Only dumb luck prevented you from getting screwed by a malicious attack.

http://www.eweek.com/c/a/Security/Security-Web-Digest-Major-Open-So...

Amongst many millions of Linux users, there has got to be the odd stupid one here and there you would think.


Millions? Talk about overly optimistic...

Edited 2009-11-11 01:36 UTC

Reply Score: 2

RE[6]: They deserve it
by lemur2 on Wed 11th Nov 2009 01:57 UTC in reply to "RE[5]: They deserve it"
lemur2 Member since:
2007-02-17

"Firstly, Linux has significant market share in areas where it is an attractive target ... servers for example.
Sigh. Linux server != Linux desktop. Servers are locked-down far more than desktops. You can't extrapolate one from the other. Apples and oranges. Once you start opening up ports to run things like BitTorrent, web browsers, etc, the attack vectors become multiplicative. "

Nevertheless, the argument that "Linux is not an attractive target" is utterly debunked by the number of Linux servers.

"Secondly, in Linux the "paradigm" for installing new software is not to download & run stuff from some random website, but rather to use a package manager.
Um, that works fine if you only run open source software, but there are MANY cases where no open source application exists for what you want to do. So, what does a user do? Fail? I don't think so. "

No, you just don't think.

The package managers and repositories do not require that applications they contain be open source. There are binary-only repositories which allow for distribution of closed-source applications via package managers.

Being closed source means that such applications are not auditable, but that does not mean they necessarily contain malware. They can still benefit from the secure delivery channel to end-users systems offered by package managers.

As an example, Adobe's Flash player for Ubuntu is delivered by package managers. Ubuntu has a "third party repository" to provide for just this kind of distribution.

https://help.ubuntu.com/community/Repositories/Ubuntu#Third-Party~*~...
"The "Third-Party Software" tab is where you will be able to add the Canonical Partner Repositories. You will see two Canonical Partner repositories listed - one for applications and another for source code (src). The partner repositories offer access to proprietary and closed-source software and are not enabled by default. Users must specifically enable these 'partner' repositories. Select "Close" and "Reload" to save and update the database if you chose to add either or both of them."

"I have never heard of a single case, ever, of an end-user's system being compromised with malware through installing software using a package manager.
So what. There have been cases where repositories have been compromised. Only dumb luck prevented you from getting screwed by a malicious attack. http://www.eweek.com/c/a/Security/Security-Web-Digest-Major-Open-So... "

This is an incident where a GNU server was hacked. Broken in to. No system is invulnerable to a hack where a password is either guessed or illegally obtained. No malicious code was injected on to the server. No end users systems were compromised.

"Amongst many millions of Linux users, there has got to be the odd stupid one here and there you would think.
Millions? Talk about overly optimistic... "

Pfft.

http://www.desktoplinux.com/news/NS5114054156.html
"Eric Lai quotes ABI analyst Jeff Orr as saying that the study shows that 32 percent (about 11 million netbooks) of this year's netbook shipments will be used with a Linux-based operating system. "

There is 11 million desktop Linux systems right there, in one small section of the market, in just one year.

The fact that for thousands of packages, for many, many millions of users, over many years, the one incident that you came up with resulted in no end-users systems being compromised rather proves the point, doesn't it, about the relative security of Linux desktop software distribution compared to Windows?

Thank you for illustrating it so nicely.

Edited 2009-11-11 02:05 UTC

Reply Score: 1

RE[7]: They deserve it
by tomcat on Wed 11th Nov 2009 03:51 UTC in reply to "RE[6]: They deserve it"
tomcat Member since:
2006-01-06

Nevertheless, the argument that "Linux is not an attractive target" is utterly debunked by the number of Linux servers.


BS. Those servers are running a paltry number of services and are locked-down tighter than a nun's thighs. Those kinds of environments aren't as attractive as desktops because the cost of finding and exploiting a vulnerability is considerably more difficult.

Being closed source means that such applications are not auditable, but that does not mean they necessarily contain malware. They can still benefit from the secure delivery channel to end-users systems offered by package managers.


Again, it provides no independent means of auditing, which debunks your claim about package managers being safer. They're merely another distribution channel.

This is an incident where a GNU server was hacked. Broken in to. No system is invulnerable to a hack where a password is either guessed or illegally obtained. No malicious code was injected on to the server. No end users systems were compromised.


So much for your "secure" claim.

There is 11 million desktop Linux systems right there, in one small section of the market, in just one year.


And, naturally, ABI doesn't offer any details to back up its claims on what MIGHT happen in the future.

Reply Score: 2

RE[6]: They deserve it
by lemur2 on Wed 11th Nov 2009 02:24 UTC in reply to "RE[5]: They deserve it"
lemur2 Member since:
2007-02-17

there are MANY cases where no open source application exists for what you want to do.


Just on this ... this is also an oft-touted claim, but it has no credibility without justification.

Games is one area where this perhaps has some semblance of validity, but if you want to play games why not just buy a games console?

As for other, real-world actual desktop applications ... I'd like to hear of one with wide adoption (say over 80% of desktop users would run applications of that kind) where one couldn't get good software for Linux to achieve that end.

I'm talking email clients, browsers, Office suites, editors, collection managers etc, etc ... exactly what kind of software do you imagine one can't get for Linux?

Edited 2009-11-11 02:27 UTC

Reply Score: 2

RE[7]: They deserve it
by cb_osn on Wed 11th Nov 2009 03:54 UTC in reply to "RE[6]: They deserve it"
cb_osn Member since:
2006-02-26

Games is one area where this perhaps has some semblance of validity, but if you want to play games why not just buy a games console?

Way off topic, but this is rather ironic coming from you considering that one of the main advantages to PC gaming is that developers often release tools/SDKs that allow you to modify their games and share your work with others. Whereas consoles are about as locked down and DRM ridden as you can get.

I've seen this line of reasoning often enough to learn that supporting DRM and impenetrable devices, particularly for gaming, is just fine for some in the Free Software crowd as long as it serves to devalue one of the true advantages that Windows has over Linux.

Reply Score: 2

RE[7]: They deserve it
by tomcat on Wed 11th Nov 2009 04:09 UTC in reply to "RE[6]: They deserve it"
tomcat Member since:
2006-01-06

Just on this ... this is also an oft-touted claim, but it has no credibility without justification.


Well, allow me to retort...

Games is one area where this perhaps has some semblance of validity, but if you want to play games why not just buy a games console?


Ah, yes. That old familiar kneejerk response from a Linux fanboy upon discovering Use-Cases that they can't handle: Criticize the user. Nice. How's that working for you? Converting lots of "dumb, ignorant users" with that approach?

As for other, real-world actual desktop applications ... I'd like to hear of one with wide adoption (say over 80% of desktop users would run applications of that kind) where one couldn't get good software for Linux to achieve that end.


Um, sorry, but you don't get to narrow the scenarios to some arbitrary percentage of users in order to deflect the damage. Users have all kinds of different needs -- and in fact, needs that are already being met by OS X and Windows -- so you're going to have to try harder to pretend all they need is a web browser and an Office suite.

I'm talking email clients, browsers, Office suites, editors, collection managers etc, etc ... exactly what kind of software do you imagine one can't get for Linux?


Mac/Windows .............. Linux
Photoshop ................ GIMP (crap)
Quicken .................. Zilch
Autocad .................. Zilch
PageMaker ................ Zilch
Visio .................... Zilch
Access ................... Zilch
AfterEffects ............. Zilch
3DStudio MAX ............. Zilch
A zillion vertical apps .. Zilch

Edited 2009-11-11 04:19 UTC

Reply Score: 3

RE[7]: They deserve it
by vaughancoveny on Wed 11th Nov 2009 11:00 UTC in reply to "RE[6]: They deserve it"
vaughancoveny Member since:
2007-12-26

As for other, real-world actual desktop applications ... I'd like to hear of one with wide adoption (say over 80% of desktop users would run applications of that kind) where one couldn't get good software for Linux to achieve that end.


This is quite unfair because many of those applications exist already. What you say following this quote is unattributable to tangible uses.

I would like to see back-of-book Indexing software for Linux.
Macrex runs on another Unix, but is really for geeks, not Indexers. Cindex is the best, runs on Windows, uses a database creation layout.
There are many Open Source books.

This software is not for geeks, there are Indexing courses around the world; cheapest in United States.

Edited 2009-11-11 11:11 UTC

Reply Score: 1

RE: They deserve it
by BluenoseJake on Tue 10th Nov 2009 12:34 UTC in reply to "They deserve it"
BluenoseJake Member since:
2005-08-11

I think Microsoft deserves all they get. They constantly knock other OSes and do things like anti-Linux training, so they deserve to have their OS knocked about (even if the way it is done is a bit of a waste of time.) The fact is that Windows has never and will never be a secure OS. Unless they really do right back to the drawing board and start again.


and the FSF doesn't knock other OS's? Or Apple? Grow up.

Reply Score: 6

RE[2]: They deserve it
by lemur2 on Tue 10th Nov 2009 12:46 UTC in reply to "RE: They deserve it"
lemur2 Member since:
2007-02-17

"I think Microsoft deserves all they get. They constantly knock other OSes and do things like anti-Linux training, so they deserve to have their OS knocked about (even if the way it is done is a bit of a waste of time.) The fact is that Windows has never and will never be a secure OS. Unless they really do right back to the drawing board and start again.


and the FSF doesn't knock other OS's? Or Apple? Grow up.
"

Chicken and egg.

If Microsoft trains representatives to lie with anti-Linux FUD, it has to surely expect criticism in return.

http://www.linuxpromagazine.com/Online/News/New-Anti-Linux-Propagan...

I mean, really:
http://quaoar.ww7.be/ms_fud_of_the_year/569458-microsoft-attack-lin...

outright lies, pure and simple. Caught red-handed just plain lying.

As usual, Microsoft's "Get the Facts" campaign spreads totally unsubstantiated lies about Linux which it calls fact.

...

remarkable is Microsoft's claim that in the case of a security leak, Linux offers no guarantee of a patch- ignoring the fact that in the past, critical breaches in Linux have never been left for any notable length of time without a security patch being released. Unlike Windows, where a known security issue can stay un-patched for two years. Which shows that it's Microsoft that should be reticent of offering guarantees for patches.


Microsoft's biggest porkies are about the security of its OS in comparison to others, as usual.

Edited 2009-11-10 12:52 UTC

Reply Score: 5

RE[3]: They deserve it
by Devi1903 on Tue 10th Nov 2009 12:56 UTC in reply to "RE[2]: They deserve it"
Devi1903 Member since:
2009-11-05

Microsoft's biggest porkies are about the security of its OS in comparison to others, as usual.


Agreed!

Reply Score: 1

RE[3]: They deserve it
by BluenoseJake on Tue 10th Nov 2009 15:49 UTC in reply to "RE[2]: They deserve it"
BluenoseJake Member since:
2005-08-11

Anti-linux fud has nothing to do with the misrepresentations that Apple employs in its ads, and most of the problems listed on the Windows 7 Sins page are just FUD, or problems that were solved ages ago.

I'm pretty sure that the FSF predates Linux, so they have been spreading the word long before MS started to get worried about Linux

MS is not the only one that lies, and as a user of both Windows and Linux, I can tell you that the FUD from both sides is kinda sickening.

Reply Score: 3

RE[3]: They deserve it
by larwilliams on Wed 11th Nov 2009 21:28 UTC in reply to "RE[2]: They deserve it"
larwilliams Member since:
2007-04-03

remarkable is Microsoft's claim that in the case of a security leak, Linux offers no guarantee of a patch- ignoring the fact that in the past, critical breaches in Linux have never been left for any notable length of time without a security patch being released. Unlike Windows, where a known security issue can stay un-patched for two years. Which shows that it's Microsoft that should be reticent of offering guarantees for patches.


There is no lie in saying that Linux isn't guaranteed a patch for a flaw. There is no one company behind it, to ensure that flaws will eventually be patched.

As for 2 years, I guess you forget the OpenSSL weak key flaw that was a bug from mid-2006 until mid-2008 huh?

Edited 2009-11-11 21:30 UTC

Reply Score: 1

RE[4]: They deserve it
by lemur2 on Wed 11th Nov 2009 22:37 UTC in reply to "RE[3]: They deserve it"
lemur2 Member since:
2007-02-17

"remarkable is Microsoft's claim that in the case of a security leak, Linux offers no guarantee of a patch- ignoring the fact that in the past, critical breaches in Linux have never been left for any notable length of time without a security patch being released. Unlike Windows, where a known security issue can stay un-patched for two years. Which shows that it's Microsoft that should be reticent of offering guarantees for patches.
There is no lie in saying that Linux isn't guaranteed a patch for a flaw. There is no one company behind it, to ensure that flaws will eventually be patched. "

This is true. I suppose then there are only the estimated 1.5 million full-time-equivalent developers involved with open source, who can all see the code and submit patches against identified problems, and whose best interest is undoubtedly served by promptly fixing any identified security problem.

As for 2 years, I guess you forget the OpenSSL weak key flaw that was a bug from mid-2006 until mid-2008 huh?


An as-yet-unidentified bug is not an unpatched security flaw. It is a bug.

An unpatched security flaw happens when a security bug is known to the general public, but no fix yet exists.

There was only a very short time span for the OpenSSL weak key flaw ... it wasn't hard at all to fix, as the flaw was caused by initialising some variables that shouldn't have been. As soon as it was identified, it was fixed.

Reply Score: 2

RE: They deserve it
by rockwell on Tue 10th Nov 2009 14:38 UTC in reply to "They deserve it"
rockwell Member since:
2005-09-13

News flash, nitwit: NO OS IS SECURE, unless no one ever uses it and/or it is not connected to the Interwebs.

Have you ever installed Linux? Hello? Any updates needed after installation?

Jagbag.

Reply Score: 2

RE[2]: They deserve it
by moondevil on Tue 10th Nov 2009 19:27 UTC in reply to "RE: They deserve it"
moondevil Member since:
2005-07-08

Yes. Lots of them.

Reply Score: 1

Okay
by drcoldfoot on Tue 10th Nov 2009 11:47 UTC
drcoldfoot
Member since:
2006-08-25

This is typical marketing. I want to observe a conclusive test. A fully patched version of the OS, then test. Otherwise, this is a waste of keystrokes, and bandwidth.

Reply Score: 1

RE: Okay
by Devi1903 on Tue 10th Nov 2009 12:23 UTC in reply to "Okay"
Devi1903 Member since:
2009-11-05

Do we ever see a conclusive test? Security Vendors always over exaggerate and Microsoft always defend themselves. It's business!

Reply Score: 1

RE[2]: Okay - pwn2own
by jabbotts on Tue 10th Nov 2009 15:42 UTC in reply to "RE: Okay"
jabbotts Member since:
2007-09-06

Current versions of the big name OS fully patched.

Granted, to remove the chance of target bias, it'd be interesting to have the competitors hit each of the machines with the lovelies they brought. It would show what vulnerability was present in all platforms or what mitigated it.

Reply Score: 2

RE[2]: Okay
by sbenitezb on Tue 10th Nov 2009 16:01 UTC in reply to "RE: Okay"
sbenitezb Member since:
2005-07-22

I hope Microsoft includes a really good Security Essentials with all Windows versions from now on, so these smoke and mirror companies disappear once and for all.

Edited 2009-11-10 16:01 UTC

Reply Score: 2

RE: Okay
by Gone fishing on Tue 10th Nov 2009 15:48 UTC in reply to "Okay"
Gone fishing Member since:
2006-02-22

Why fully patched? Not everyone has the luxury of an internet connection. How about as it comes out of the box or installed OEM on the PC?

Reply Score: 2

RE[2]: Okay
by sbenitezb on Tue 10th Nov 2009 16:03 UTC in reply to "RE: Okay"
sbenitezb Member since:
2005-07-22

I believe a computer without internet access is useless nowadays.

Reply Score: 2

RE[3]: Okay
by Devi1903 on Tue 10th Nov 2009 16:47 UTC in reply to "RE[2]: Okay"
Devi1903 Member since:
2009-11-05

I believe a computer without internet access is useless nowadays.


I have to agree. Even as a huge linux user & fan I have to say linux is the worst for this. You can do very little in linux without an internet connection. Unlike installing applications in windows, having the file for an application does not always work due to dependencies.

Although you can see how the trend of the way all platforms are being developed has gone towards the assumption that all computer users have access to the internet.

Reply Score: 1

RE: Okay
by shashank_hi on Tue 10th Nov 2009 16:15 UTC in reply to "Okay"
shashank_hi Member since:
2009-08-27

The pwn2own contest is a good independent security benchmark. I highly doubt if there could be a conclusive test though, because OS development is quite dynamic.

Reply Score: 1

Sopohs?
by chekr on Tue 10th Nov 2009 13:36 UTC
chekr
Member since:
2005-11-05

Typo in title..."Sopohs"???

Reply Score: 2

LUA+SRP folks
by pcunite on Tue 10th Nov 2009 14:11 UTC
pcunite
Member since:
2008-08-26

Run windows in LUA+SRP mode folks. This is getting so tiring. I wish people who call themselves security experts knew the first thing about security.

Reply Score: 3

RE: LUA+SRP folks
by jabbotts on Tue 10th Nov 2009 15:45 UTC in reply to "LUA+SRP folks"
jabbotts Member since:
2007-09-06

"able to implement SRP on a VISTA PREMIUM (as explained here). There is no way to use any snap-in from Microsoft, as they have decided it was not for family members, but only for enterprise world"

http://www.wilderssecurity.com/showthread.php?t=232857

So, for the majority of versions which do not make LUA/SRP easy...?

Reply Score: 2

RE[2]: LUA+SRP folks
by n4cer on Wed 11th Nov 2009 01:35 UTC in reply to "RE: LUA+SRP folks"
n4cer Member since:
2005-07-06

"able to implement SRP on a VISTA PREMIUM (as explained here). There is no way to use any snap-in from Microsoft, as they have decided it was not for family members, but only for enterprise world" http://www.wilderssecurity.com/showthread.php?t=232857 So, for the majority of versions which do not make LUA/SRP easy...?


On the Home versions of Windows Vista and Windows 7, the interface for SRP is the Parental Controls control panel (or the underlying API). Through this interface, you may restrict which applications may run (and more).

http://msdn.microsoft.com/en-us/library/ms711710(VS.85).aspx

http://msdn.microsoft.com/en-us/library/ms711654(VS.85).aspx

Reply Score: 2

Comment by satan666
by satan666 on Tue 10th Nov 2009 14:31 UTC
satan666
Member since:
2008-04-18

The windows guy said:

Chester's final conclusion? "You still need to run anti-virus on Windows 7." Well, we agree: users of any computer, on any platform, should run anti-virus software, including those running Windows 7.
(my bold)

That's simply not true. I've been using Linux exclusively both at work and at home (at least 10 hours a day in total). I've never installed an antivirus and I haven't had any virus at all.
Edit: I forgot to mention I've been using Linux for five years now (and counting).

Edited 2009-11-10 14:33 UTC

Reply Score: 0

RE: Comment by satan666
by big_gie on Tue 10th Nov 2009 15:07 UTC in reply to "Comment by satan666"
big_gie Member since:
2006-01-04

That's simply not true. I've been using Linux exclusively both at work and at home (at least 10 hours a day in total). I've never installed an antivirus and I haven't had any virus at all.

As much as I would like to agree, having a false sense of security because we run linux is dangerous. Yes, there might not be any (real) virus for linux out there, but I still don't want to be a vector of transmission by giving infected files to other computers.
Of course we won't have any threat if we use something nobody else uses, because, well, nobody cares! Now that allows me to surf the web and laugh at attempts to hijack my IE or even Safari, but that does not mean that my 3 years old unpatched firefox is more secure than the sandboxed, firewalled, antivirused IE 8...

Often, when advocating linux, I hear people saying that it is more secure and does not need antivirus. This is a dangerous idea of false security.

Reply Score: 2

RE[2]: Comment by satan666
by lemur2 on Tue 10th Nov 2009 22:48 UTC in reply to "RE: Comment by satan666"
lemur2 Member since:
2007-02-17

"That's simply not true. I've been using Linux exclusively both at work and at home (at least 10 hours a day in total). I've never installed an antivirus and I haven't had any virus at all.
As much as I would like to agree, having a false sense of security because we run linux is dangerous. Yes, there might not be any (real) virus for linux out there, but I still don't want to be a vector of transmission by giving infected files to other computers. Of course we won't have any threat if we use something nobody else uses, because, well, nobody cares! Now that allows me to surf the web and laugh at attempts to hijack my IE or even Safari, but that does not mean that my 3 years old unpatched firefox is more secure than the sandboxed, firewalled, antivirused IE 8... Often, when advocating linux, I hear people saying that it is more secure and does not need antivirus. This is a dangerous idea of false security. "

Firstly, antivirus isn't security. Antivirus is trying to detect and remove a security breach after it has already compromised your system.

Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.

Finally, one should examine the record. The record is AFAIK impeccable. AFAIK (and no-one has yet been able to contradict this) ... there has never been an end-user's system compromised with malware via installing open source software from package managers.

PS: On Linux, all programs by default run as a normal user. Running firefox on Linux means running it as a normal user, and hence it has no ability at all to modify or create system files or directories. All programs run as a normal user on Linux are effectively sandboxed.

Edited 2009-11-10 23:07 UTC

Reply Score: 2

RE[3]: Comment by satan666
by tomcat on Wed 11th Nov 2009 01:13 UTC in reply to "RE[2]: Comment by satan666"
tomcat Member since:
2006-01-06

Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.


The "package manager and associated online repositories" doesn't work with commercial/proprietary software, where you don't have the source code. The best that an auditor can do in that case is GUESS whether the software contains malware or not; for example, an application may only reveal itself as malware under timed conditions (only destroying your machine or turning it into a zombie after a period of time). And, since there is an unquestionable need for commercial/proprietary software, you don't have a solution.

Edited 2009-11-11 01:14 UTC

Reply Score: 2

RE[4]: Comment by satan666
by lemur2 on Wed 11th Nov 2009 04:02 UTC in reply to "RE[3]: Comment by satan666"
lemur2 Member since:
2007-02-17

"Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.
The "package manager and associated online repositories" doesn't work with commercial/proprietary software, where you don't have the source code. The best that an auditor can do in that case is GUESS whether the software contains malware or not; for example, an application may only reveal itself as malware under timed conditions (only destroying your machine or turning it into a zombie after a period of time). And, since there is an unquestionable need for commercial/proprietary software, you don't have a solution. "

When package managers (on an end users system) are enabled to use an additional repository which holds binary-only software, then it is true that for that small set of packages the end users have no ability to audit them. They could potentially contain malware.

This is the risk one takes when one adds repositories for closed-source applications.

This is the PRECISE reason why such repositories are not enabled by default on most distributions.

You add the repository at your own risk.

My advice would be to refrain from adding such a repository until many thousands of expert users had had a chance to trial the applications. A few months after first release might be enough time. If there was any malware, it should have shown up by then.

Mind you, if a software supplier did set up a closed-source repository, and an application therein did contain malware, and end users did end up with malware as a result ... that story would be all over the net in days. You wouldn't hear the end of it. Windows fans would be jumping with glee, Linux users would be livid, and the site would be blacklisted (as a critical security update) almost immediately. You wouldn't have time to blink.

The fact that this has never actually happened also nicely illustrates the security of package managers and repositories as a distribution mechanism, even when it comes to closed-source applications.

Keep going with these posts, you are doing a very good job so far of highlighting the fact that this repository/package manager system for distribution of Linux software is vastly superior to anything for Windows.

Reply Score: 2

RE: Comment by satan666
by Doca on Tue 10th Nov 2009 15:32 UTC in reply to "Comment by satan666"
Doca Member since:
2006-01-30

Satan, you YET don't have to use an AV because Linux is only 01 percent of the desktop market. There is no point in f***ing just one percent of the desktop market when you can target around 90 percent. If the desktop share was very similar, I think you might be using an AV permanently.

Back to the subject of the news:

And there are guys over there that say "Windows is insecure" and right after that state "I don't use Windows". How ignorant can you be to make a statement like that? I've seen the same statement from a professor at Carnegie Mellon on the IT Security classes. The worst about this is that a person that gives classes about something usually dictates the culture over it and that is a serious thing.

But we all are missing the point, here. I too agree that security companies spread FUD about a lot of things based on user (lack) of knowledge.

Oh, do you see how things are? Not only the companies do that, anyone misinformed about something can state something "serious". It all depends on WHO says. And if this guy is a somewhat "misinformed" person on a somewhat big company, the information will spread. And eventually get a response and generate some discussions around the web...

So, have fun!

Reply Score: 4

RE[2]: Comment by satan666
by Devi1903 on Tue 10th Nov 2009 16:28 UTC in reply to "RE: Comment by satan666"
Devi1903 Member since:
2009-11-05

Linux is only 01 percent of the desktop market.


I am not convinced that this is a true reflection of Linux usage. Many people use both windows and linux on a day to day basis, but would probably be considered windows users.

If the desktop share was very similar, I think you might be using an AV permanently.


While I have no doubt in my mind that as Linux increases its market share viruses will crop up, it is just not as simple & easy to create a virus to infect Linux as it is to create one that will infect Windows.

Reply Score: 1

RE[2]: Comment by satan666
by Tuishimi on Tue 10th Nov 2009 17:41 UTC in reply to "RE: Comment by satan666"
Tuishimi Member since:
2005-07-06

Satan, you YET don't have to use an AV because Linux is only 01 percent of the desktop market. There is no point in f***ing just one percent of the desktop market when you can target around 90 percent. If the desktop share was very similar, I think you might be using an AV permanently.


It's that devil-may-care attitude that got him kicked out of heaven.

Reply Score: 2

RE[2]: Comment by satan666
by lemur2 on Tue 10th Nov 2009 22:29 UTC in reply to "RE: Comment by satan666"
lemur2 Member since:
2007-02-17

Satan, you YET don't have to use an AV because Linux is only 01 percent of the desktop market. There is no point in f***ing just one percent of the desktop market when you can target around 90 percent. If the desktop share was very similar, I think you might be using an AV permanently.


Actually, Linux is far more prevalent than 1%, even if we look only at the desktop market.

Linux reportedly has 32% of the netbook market, for example:

http://blogs.computerworld.com/15068/where_is_the_linux_desktop_goi...

http://www.computerworld.com/s/article/9140343/Linux_s_share_of_net...

Reply Score: 1

RE: Comment by satan666 - clam
by jabbotts on Tue 10th Nov 2009 15:46 UTC in reply to "Comment by satan666"
jabbotts Member since:
2007-09-06

I always drop ClamAV on a box I build. No reason not to help protect the Windows machines one may be sharing files with.

Reply Score: 2

RE: Comment by satan666
by sbenitezb on Tue 10th Nov 2009 16:08 UTC in reply to "Comment by satan666"
sbenitezb Member since:
2005-07-22

I've been using Linux exclusively both at work and at home (at least 10 hours a day in total). I've never installed an antivirus and I haven't had any virus at all.


Not using an AV somehow proves that you don't get any virus? Weird. Not like a virus will show a message in the screen telling you "you are now infected".

Reply Score: 2

RE[2]: Comment by satan666
by hollovoid on Tue 10th Nov 2009 20:01 UTC in reply to "RE: Comment by satan666"
hollovoid Member since:
2005-09-21

Exactly, I always wondered how people know they don't have viruses without "ever installing antivirus". That goes for you Mac guys too!

Edited 2009-11-10 20:01 UTC

Reply Score: 2

RE[3]: Comment by satan666
by StephenBeDoper on Wed 11th Nov 2009 18:59 UTC in reply to "RE[2]: Comment by satan666"
StephenBeDoper Member since:
2005-07-06

Exactly, I always wondered how people know they don't have viruses without "ever installing antivirus". That goes for you Mac guys too!

In fairness, there are usually indications of malware infections (unusual drive & network activity, suspicious processes, etc). And the people who run without anti-virus software can usually spot those signs on their own (or at least they think they can).

Reply Score: 2

RE[3]: Comment by satan666
by sbergman27 on Wed 11th Nov 2009 19:07 UTC in reply to "RE[2]: Comment by satan666"
sbergman27 Member since:
2005-07-24

Exactly, I always wondered how people know they don't have viruses without "ever installing antivirus". That goes for you Mac guys too!

I always wonder how people know they don't have viruses after having installed antivirus. That goes for you Windows guys! :-0

Reply Score: 2

Not all security vendors.
by Bill Shooter of Bul on Tue 10th Nov 2009 15:04 UTC
Bill Shooter of Bul
Member since:
2006-07-14

Maybe I'm naive, but I trust F-secure. It's proven itself to be mom and dad proof for over four years now! Plus, during the installation on older machines, it only enables the components that it thinks the machine can handle. No crippling.

Reply Score: 2

...
by nagnatron on Tue 10th Nov 2009 15:10 UTC
nagnatron
Member since:
2009-09-24

I'm really happy that it will be Microsoft who buries all the antivirus vendor vermin with their Microsoft Security Essentials suite. It's very good and free.

Reply Score: 4

Sophos is eating shit
by twitterfire on Tue 10th Nov 2009 15:20 UTC
twitterfire
Member since:
2008-09-11

I used Windows 7 for almost 6 months now. And you know what? I've seen no virus, no worm, niente, nada.

Sophos is pushing "the panic". They ought to. After all, if everybody is thinking there aren't so many malware threats any more, why are they going to buy Sophos antivirus?

Reply Score: 2

RE: Sophos is eating shit - sophos
by jabbotts on Tue 10th Nov 2009 16:10 UTC in reply to "Sophos is eating shit"
jabbotts Member since:
2007-09-06

Sophos sells AV so I'd expect the marketing message "win7 needs AV; and it should be our AV you use".

At the same time, I also don't think six months uninfected somehow disproves the need for AV. I've been running winXP for years without a virus hit; does that mean winXP does not need protective measures too?

Reply Score: 2

RE: Sophos is eating shit
by Bill Shooter of Bul on Tue 10th Nov 2009 18:29 UTC in reply to "Sophos is eating shit"
Bill Shooter of Bul Member since:
2006-07-14

You're kidding right? You. One person has not been infected with any viruses with windows 7. Therefore, it is impossible to get a virus on windows 7? Is that really the conclusion you are drawing?

Uhm... I suppose most viruses are hoaxes because you haven't been infected with them. So how many viruses aren't hoaxes? Just the ones you've been infected with?

There was once upon a time that smart users didn't need anti-virus software. That was before malware writers stepped up their game and found silent vulnerabilities in microsoft products that required no explicit user interaction.

Reply Score: 2

Mixed feelings
by Gone fishing on Tue 10th Nov 2009 15:41 UTC
Gone fishing
Member since:
2006-02-22

I think there is no doubt that Vista and now Windows 7 is more secure than XP, however, this is not saying much: an un-patched XP could be infected by just plugging into the internet - it almost infects itself. OK the situation improved with the service packs, however, this is a very insecure OS.

Certainly with Vista we didn’t get the mass infections like Blaster and it seems reasonable to believe that Windows 7 will be similar to Vista, (although I am like many concerned about the changes in UAC and wonder if these changes will survive the first service pack.) However, I’m sure an updated virus checker is needed. I see infected Vista machines every day and it will be the case with Windows 7. I’d say here in Lesotho we have about 80% virus infection rate on XP PCs and a lower but very significant infection rate in Vista PCs. If you doubt these figures consider Windows without the internet (no updated AVs) and prevalent file sharing via flash drives.

The legacy features and desire by MS to maintain backwards compatibility means that this virus problem cannot be fixed. Improved a little but not fixed; an AV is needed, and God help us in the third, non internet world.

I note in the MS blog it was suggested that all platforms need an AV well Mmm. I don’t use one on my Linux Box, but I can see that it may become more necessary, if I look at Ubuntu forums I can see that Ubuntu is beginning to appeal to the less technical and soon the folk who might well click on a see_naked_ladies file and enter the root password when asked. Obviously the problem will never reach or even come close to windows levels but let’s not be too complacent no OS is invulnerable and some users need protecting from themselves.

Edited 2009-11-10 15:50 UTC

Reply Score: 2

Let's be more specific
by twitterfire on Tue 10th Nov 2009 16:02 UTC
twitterfire
Member since:
2008-09-11

I'm a programmer. I used to write some quick'n small malware just out of fun. I have friends in my country who are working for big antivirus solutions - RAV - now MSSE - ex GECAD, now Microsoft, - BITDEFENDER. I even have friends in the underworld. And everybody agrees to that: writing worms targeting Windows is like trying to target FreeBSD's jail. Not undoable, but hard like hell.

Back in the happy days of Windows XP SP1, it was a breeze writing worms which propagate like plague on windows machines. But with the new security models, writing malware is much, much harder.

I mean, I remember the first opensource windows worm: rxbot. And the first open source windows/linux worm: agobot. I happily contributed to them and modified the sources. It was easy as hell to hack a windows box. But not anymore.

Generally, if you want to break a box, you need to use a buffer overflow exploit. You write crafted code to some ports on a machine, and boom, you're in. Not anymore. Not only that exploits are getting patched really soon, but even if you discover a 0day exploit, you can't really use it. You need to bypass the firewall (ports aren't anymore unprotected), and you end up taking charge of an application running in user mode. So you need to bypass the UAC, which is pretty complicated.

I don't say it's undoable, but the security is very hardened and it will be very hard, and it will take thousands of manpower hours to do something which will work.

Reply Score: 3

RE: Let's be more specific
by sbenitezb on Tue 10th Nov 2009 16:24 UTC in reply to "Let's be more specific"
sbenitezb Member since:
2005-07-22

It's probably easier to craft some trojan with "social" abilities and people will download it and use it without suspecting anything until it's too late.

Reply Score: 2

RE[2]: Let's be more specific
by twitterfire on Tue 10th Nov 2009 17:50 UTC in reply to "RE: Let's be more specific"
twitterfire Member since:
2008-09-11

It's probably easier to craft some trojan with "social" abilities and people will download it and use it without suspecting anything until it's too late.


That doesn't have anything to do with the software platform. Any software platform is vulnerable in that respect.

Reply Score: 1

PlatformAgnostic Member since:
2006-01-02

Yeah. I get the feeling that it was these Trojans that Sophos tested with. The OS doesn't really do much against those except via the Malicious Software Removal Tool, that only targets the absolutely most 'popular' malware.

It is pretty much impossible to keep trojan programs out because they don't violate the security model of the OS.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Yes, but wouldn't it be better to protect yourself and your company from these attacks as much as possible?

Reply Score: 2

RE[3]: Let's be more specific
by lemur2 on Tue 10th Nov 2009 22:24 UTC in reply to "RE[2]: Let's be more specific"
lemur2 Member since:
2007-02-17

"It's probably easier to craft some trojan with "social" abilities and people will download it and use it without suspecting anything until it's too late.
That doesn't have anything to do with the software platform. Any software platform is vulnerable in that respect. "

More or less true.

There is however one desktop system available that allows one to hold to a policy of not downloading any software except via auditable channels (package managers). To hold to such a policy, all that a user has to do is refrain from supplying his/her password anywhere except for the login screen and the package manager (which is the expected norm anyway).

If one simply sticks to such a policy, then no amount of cleverness in trojans with social abilities will be able to compromise the system.

Reply Score: 2

Comment by simon17
by simon17 on Tue 10th Nov 2009 21:39 UTC
simon17
Member since:
2009-08-21

So Windows 7 is immune to 2/10 popular viruses even when the user double-clicks the executable and then hits allow?

I think that's pretty good!

Reply Score: 2

RE: Comment by simon17
by linumax on Wed 11th Nov 2009 00:05 UTC in reply to "Comment by simon17"
linumax Member since:
2007-02-07

That's the whole point. Unfortunately so far in the comments, like usual, the discussion has gone into OS politics.

These guys intentionally executed viruses that 8/10 didn't need permission elevation (functioned at local users level) and Windows rightfully allowed them to execute. I mean we're techies here, we understand there's no magic involved in preventing something like this. However, Sophos can (ab)use it as a marketing tool when selling AV to normal users.

Reply Score: 2

RE: Comment by simon17
by lemur2 on Wed 11th Nov 2009 00:29 UTC in reply to "Comment by simon17"
lemur2 Member since:
2007-02-17

So Windows 7 is immune to 2/10 popular viruses even when the user double-clicks the executable and then hits allow? I think that's pretty good!


Just curious here ... how do you imagine that Windows verifies that it was a valid user who caused the executable to be run and then caused a "click" to be registered on the allow button?

It seems to me that Windows doesn't verify that at all. No entry of a valid password is required.

In addition, apparently Windows 7 automatically elevates the permission level of several Windows utilities without even a UAC prompt.

Edited 2009-11-11 00:30 UTC

Reply Score: 2

RE[2]: Comment by simon17
by PlatformAgnostic on Wed 11th Nov 2009 21:33 UTC in reply to "RE: Comment by simon17"
PlatformAgnostic Member since:
2006-01-02

If he doesn't have malicious software running to begin with, who else but the user could possibly issue the 'click' that starts up a trojan?

Reply Score: 2

RE[3]: Comment by simon17
by lemur2 on Wed 11th Nov 2009 22:22 UTC in reply to "RE[2]: Comment by simon17"
lemur2 Member since:
2007-02-17

If he doesn't have malicious software running to begin with, who else but the user could possibly issue the 'click' that starts up a trojan?


A script running in the web browser, outlook or the IM client, sent to the machine from some random on the net.

An autostart script on a USB stick that was picked up when that stick was in another machine somewhere (say, at the library, or at the photo print shop, or at the kids' school).

Any hostile person who has unattended physical access to the machine for a few moments while it is logged on.

Edited 2009-11-11 22:26 UTC

Reply Score: 2

RE[4]: Comment by simon17
by cb_osn on Thu 12th Nov 2009 00:02 UTC in reply to "RE[3]: Comment by simon17"
cb_osn Member since:
2006-02-26

A script running in the web browser, outlook or the IM client, sent to the machine from some random on the net.

All operating systems are vulnerable to remote code execution bugs. In fact, the most recent serious vulnerability of this nature was a bug in the Java browser plugin and it affected all platforms.

An autostart script on a USB stick that was picked up when that stick was in another machine somewhere (say, at the library, or at the photo print shop, or at the kids' school).

Autorun on a USB stick was a brain dead idea and has finally been removed in Windows 7.

Any hostile person who has unattended physical access to the machine for a few moments while it is logged on.

All operating systems are vulnerable to this.

Reply Score: 2

RE[5]: Comment by simon17
by lemur2 on Thu 12th Nov 2009 01:44 UTC in reply to "RE[4]: Comment by simon17"
lemur2 Member since:
2007-02-17

"A script running in the web browser, outlook or the IM client, sent to the machine from some random on the net.
All operating systems are vulnerable to remote code execution bugs. In fact, the most recent serious vulnerability of this nature was a bug in the Java browser plugin and it affected all platforms. "

The point is that the many many thousands of malware payloads that could use such an exploit are virtually all Windows executables.

"An autostart script on a USB stick that was picked up when that stick was in another machine somewhere (say, at the library, or at the photo print shop, or at the kids' school).
Autorun on a USB stick was a brain dead idea and has finally been removed in Windows 7. "

Thank goodness. Why did it take Microsoft years to do that?

"Any hostile person who has unattended physical access to the machine for a few moments while it is logged on.
All operating systems are vulnerable to this. "

Nope. On secure systems, such a hostile person would require knowledge of a password in order to be able to elevate privileges. On Windows 7, all that the same hostile person would have to do is click on 'allow'.

Reply Score: 2

RE[6]: Comment by simon17
by PlatformAgnostic on Thu 12th Nov 2009 09:21 UTC in reply to "RE[5]: Comment by simon17"
PlatformAgnostic Member since:
2006-01-02

Not true. There are several attacks one could perform on a logged-on system to gain full privilege later on by fooling the user into giving up his password. Depending on path settings, or specifics of the environment, you can create a script/program that masquerades as a legitimate higher-privileged application and takes control next time the user performs that activity.

Maybe there are some mitigations already in the Linux environment that I don't know about. Do the DEs in some way protect shortcuts to important apps from tampering (e.g. the launcher icon for the package manager)? Is the path in the shell always ordered so that privileged directories come before unprivileged ones? Is there no way for a malicious program to reorder the path once it is established, or launch a sub-shell later on with a reordered path?

Reply Score: 2
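
The PATH-ordering question raised in the comment above can be checked mechanically. The script below is an added example, not part of the original thread or any commenter's code: it walks a PATH value in search order and reports relative entries, untrusted directories that are searched before later ones, and the commands they shadow. `TRUSTED_UID`, the finding labels and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH value for directories that
# let unprivileged code stand in for a command from a later directory.
# TRUSTED_UID is an assumption: the only uid allowed to own a PATH directory.
TRUSTED_UID=${TRUSTED_UID:-0}

# is_untrusted DIR: true if DIR is group- or world-writable, or not owned by
# TRUSTED_UID. -H makes find judge the target of a symlink such as /bin.
is_untrusted() {
    [ -n "$(find -H "$1" -prune \( -perm -0020 -o -perm -0002 \
        -o ! -user "$TRUSTED_UID" \) 2>/dev/null)" ]
}

# first_hit NAME PATHSTRING: print the first executable NAME on PATHSTRING.
first_hit() {
    hit_rest="$2:"
    while [ -n "$hit_rest" ]; do
        hit_dir=${hit_rest%%:*}; hit_rest=${hit_rest#*:}
        [ -n "$hit_dir" ] || hit_dir=.   # an empty entry means the current directory
        if [ -f "$hit_dir/$1" ] && [ -x "$hit_dir/$1" ]; then
            printf '%s\n' "$hit_dir/$1"; return 0
        fi
    done
    return 1
}

# audit_path PATHSTRING: print one finding per line; return 1 if any were found.
audit_path() {
    rest="$1:"; found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case $dir in
            /*) ;;
            *)  printf 'RELATIVE "%s" resolves against the current directory\n' "$dir"
                found=1; continue ;;
        esac
        # Ordering check: flag an untrusted directory only when entries follow it.
        [ -d "$dir" ] && [ -n "$rest" ] && is_untrusted "$dir" || continue
        printf 'UNTRUSTED %s is searched before %s\n' "$dir" "${rest%:}"
        found=1
        for file in "$dir"/*; do
            [ -f "$file" ] && [ -x "$file" ] || continue
            if later=$(first_hit "${file##*/}" "${rest%:}"); then
                printf 'SHADOW %s hides %s\n' "$file" "$later"
            fi
        done
    done
    return "$found"
}
```

Calling `audit_path "$PATH"` from the shell whose environment is in question gives the ordering as that shell actually resolves commands; a clean result prints nothing and returns 0.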

RE[6]: Comment by simon17
by cb_osn on Thu 12th Nov 2009 09:31 UTC in reply to "RE[5]: Comment by simon17"
cb_osn Member since:
2006-02-26

The point is that the many many thousands of malware payloads that could use such an exploit are virtually all Windows executables.

That's irrelevant. All it takes is one. Over many years of using different operating systems, the only machine I've ever had taken over remotely without any action on my part whatsoever was a Red Hat 9 box. The attacker had tampered with the PAM configuration, replaced /bin/login, and had about a dozen new accounts running IRC bots. I found evidence of one of those little script kiddie rootkit packages that you can download just about anywhere. This is not an attempt to damn Linux. The whole event was completely my fault for not keeping the system "up2date". The point is that hostile code exists for all platforms.

Remote code execution and privilege escalation exploits are becoming increasingly rare across the board these days anyway.

Thank goodness. Why did it take Microsoft years to do that?

I assume it has something to do with the behemoth size of the company.

Nope. On secure systems, such a hostile person would require knowledge of a password in order to be able to elevate privileges. On Windows 7, all that the same hostile person would have to do is click on 'allow'.

Given physical access to any machine without encrypted volumes, it is trivial for anyone with a moderate level of skill to install whatever they want on it.

Reply Score: 2