Microsoft has taken alot of heat for the security issues that surround its Windows operating systems, but they should not be the only ones taken the heat for Windows security. There are other parties out there that deserve to shoulder some of the blame with Microsoft. This editorial, originally written for a Communication Security course, tries to take an objective view of who is exactly to blame for what in the perceive mess that is Windows security.
The Facts & Fiction Around Windows Security
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
I don’t think its all M$’s fault, the product is really nice and semi secure but it has a lot still based off prebelief in virus’s, spyware, a lot of hackers, bad people… So if they had the guts to break their product like apple did it would be all good again
quote…
“both of these groups will continue to debate in online forums and websites with no hope of reaching anything that can be viewed as a concise conclusion”
obviously Chris Ward does not understand UNIX or Linux.
I’ve read half a paragraph so far and he really need to proof read his papers…
Yeah I agree Chris, and please…that is so monolithic…the text I mean…my eyes went crazy the first time I saw it!!! How about something easy on the eye?! heh
Proof-read your paper.
Article spends too much time defining terms like spyware. It reads like homework for some introductory computing course.
Your cousin installs Kazaa? Why should we know about that? No new insights. Naive arguments. Bad examples. Anecdotal and not factual. Research was one-sided and not broad enough (see references).
And the conclusion was? What was it again?
Sorry, poor article.
Yes, as the article states:
1) Users are to blame
2) Virus wirters are to blame
3) And yes, MS is to blame. An operating system should be shipped securer by default. It is that plain and simple. Services should have resonable defaults.
A)Your hard drive should be able to be shared to the world if directly plug’d into a network connection
B) Listen (services) ports should have some fine grain control for who and what connects to them.
C) “Design limitations have hampered Microsoft ability to secure certain aspects of Windows XP.” MS knows they are a leader in the market, resonable care in selling their product.
D) “Now, some people can make a valid argument that Microsoft is to blame for integrating Internet Explorer into the Windows XP and thus help create a security problem for Windows XP.”
This relates to more than one version of Windows. There is no reason to have a browser intergrated into an OS. This was done to put Netscape out of business. There is no technical reason for this intergration. This was a business decision.
E) “Even though Microsoft will probably never acknowledge their mistake of integrating Internet Explorer, from a security stand point, into Windows XP there is no point in bringing up that particular issue every time there is a security alert for Internet Explorer.”
Like hell its not. Due to the intergration, it takes longer for a patch to get released. The intergration of the browser makes the threat more dangerous, period. As I said before, this was a business decision that MS did to counter the growth of Netscape.
4) “Microsoft has integrated Internet Explorer into the operating system in such away that it is impossible to remove it without making the operating system unstable.”
You can remove IE. Look at products like, NLite or PCLite. You can do a modular install of Windows. Just because you cannot remove it from within the environment doesn’t mean that you cannot remove it. This is blantent ommision.
5) “Also, a user can eliminate Internet Explorer visually from Windows XP by using the Set Program Access and Defaults program in Windows XP which can keep the “point and click” computer users from accessing Internet Explorer through the start menu and through an icon link on the desktop.”
So buring a persons head in the sand is the best way to handle this issue.
6) “The average computer user wants the computer to function on the same level as a VCR or DVD Player expecting everything to just work and willing to sacrifice computer security for easy of use.”
Check out OS X. Yes, OS X has patches but Apple has gone to measues to make OS X relaitvely secure out of the box. Default permission to share files are only open to whats local on the LAN. As for ease of use, I don’t think one could argue that OS X isn’t as easy to use as Windows.
7) “it is expected to bring the inclusion of an unconfirmed “new revolutionary concept” of having a non administrative user type in an administrative password before being allowed to install software. I expect that some users would applaud this new feature, if it turns out to be true, and some users would condemn the new feature because it just adds one more step that they will have to do in order to install software.”
This is a welcome change. I could care less if users complain. This is a step forware, in the right direction.
There is more to comment on, however; these complaints would be as long as the article in question (almost).
Windows was never built to be a secure system on a network like the Internet. Initially, the decision was moot because the Internet wasn’t a viable entity up until [about] the time windows 95 came out. Gates himself said they missed the Internet boat. Instead, they focused on implementing features that crushed much of the boutique and competitive products in a number of core markets. All the while, the shortcomings of the decision to do this via such technologies that were Internet unfriendly, such as ActiveX became apparent. And so the whole thing exploded.
Microsoft is rewriting Longhorn in much the same way 95 was a major overhaul of 3.11. This time around, .NET and a sound secure foundation are the objectives. That’s why it is taking so long. So shut up. And another thing, quit whining VB6 users, you are a legacy group stemming from the bad security model. Read a book on OOP and get VB.NET.
The times, they have changed. I am writing this from my SUSE lapper with KDE 3.4 on top of SUSE 9.2 so don’t even accuse me of being a troll or M$ lover. And another thing, stop using $ in MS. I hate that.
Until fairly recently – I would put it at the release of SP2, or several years after the Bill Gates announced the “Trustworthy Computing” initiative and started requiring his engineers to attend training sessions – Microsoft has seemed to have a rather lax attitude towards Internet security. Show developers how to avoid writing vulnerable code, post the fixes, and urge customers to download them ASAP. To them, the practice of “security” means establishing the authentication, authorization and cryptographic frameworks used to secure files, logon sessions, communications, and other sessions and resources within a corporate intranet. That type of security assumes that operating system and network-aware application code can’t be tricked into executing arbitrary code from an attacker, e.g. as a result of a buffer overflow.
Almost ten years ago Netscape released the second version of their browser, which shipped with a Java virtual machine from Sun. These large and complicated products certainly had their share of security bugs. But what was interesting was the proactive approach both companies took to safeguarding the browser user against hostile code. For example, neither Java applets nor JavaScript were allowed to read or write local files (except cookies), even though that capability would have certainly made many slick applications easier to write. And Java applets were only allowed to communicate with servers in the domain from which they were downloaded.
At that time, and for as long as I can remember (up until SP2 that is), Microsoft’s approach could be summed up by their catch-phrase: making it easier. Their client-side execution model was ActiveX, which certainly did make it easier… for application developers, but also for hackers and malware artists. And their engineers strived to make their applications’ scripting languages as feature-rich as possible, without necessarily considering the security impact. Their DCOM framework required workstations and servers to be actively listening for new connections on port 135. And so on.
At the same time, they insisted on integrating IE into the operating system as a (rather unfair) competitive measure against Netscape, and to effectively eliminate unbundling as a feasible court remedy in the antitrust suit. That worked so well that they repeated it for their streaming media player. But that means that Windows cannot be completely secure unless IE and Media Player are completely secure, or you have a firewall that is totally reliable and configured properly at all times.
So I’m willing to accept that they’ve finally “gotten it”, but they have such a huge base of shipped product, along with their APIs, scripting languages, and so forth, that they can’t just redo every feature or API that was ill-advised to begin with. Their difficulties in getting customers to accept SP2 is an example of this.
First of all, let me say this: I don’t care what OS you’re using – if you get some random email telling you to do this or that in order to get nude pics of J-Lo, and you do it, then there isn’t a single OS in use today that can protect you. Even on Linux, the only thing protecting you from case is an extra step to give the file execute permission and/or a dialog box prompting you for your root password. Most of the worms that have infected thousands of machines were exploiting holes that were patched long before the outbreak. From that standpoint, once a patch has been released, there’s not a whole lot more a company can do if users don’t take advantage of the update features that are provided for them.
On the other hand, when I can go out right now and buy an OS off the store shelves, install it, bring it online, and then get infected even without me doing a thing, that is a sign of a flawed design from the ground up.
IMHO, the things that Microsoft is doing with Longhorn and XP SP2 security-wise should’ve been done long before XP was ever released.
Microsoft _knew_ their software was insecure but _chose_ to appease a fickle customer base. In other industries, this can be a crime (intentional negligence), but the software industry seems immune.
Even on Linux, the only thing protecting you from case is an extra step to give the file execute permission and/or a dialog box prompting you for your root password.
It may only be an extra step, but it does reduce propagation. Every little bit helps…
they control the OS and what developers can do. if they LET developers create unsafe applications that is MICROSOFT’s problem.
Microsoft has reduced the number of buffer overflow attacks as well as other seurity issues including spyware/malware.
However, I can’t say the same for Linux. In fact, I think linux is going backwards in terms of security. The 2.6.X kernel contains a new API called vsyscalls. This has become a new source of buffer overflow attacks. See here: http://www.securiteam.com/securityreviews/5QP0L0AFFS.html
Most Windows security issues are due to an ignorant user community. They can’t spell security let alone protect themselves from viruses, spyware, etc…
quote…
“Most Windows security issues are due to an ignorant user community.”
wrong.
windows design is flawed and insecure.
“The 2.6.X kernel contains a new API called vsyscalls. This has become a new source of buffer overflow attacks.”
wrong.
there are NO current exploits or “attacks” regarding vsyscalls. your linked article only argues that there is a possible potential.
no matter. if there is or is to be, it will get fixed. it’s all open.
“The Facts & Fiction Around Windows Security” and much more are explained correctly here…
http://radsoft.net/resources/rants/20050419,00.html
These days companies can build planes with just glue to keep all parts together. If there is a hole or leakage they just use little more glue to fill the spaces. The plane still flies, not that iam willing to bet my life for a testflight tho…
I would prefer a thorough design yet flexible.
Anyone can code bad applications that can bring any “secure” operating system (zOS, Linux, VMS, MacOS, Windows, whatever) down to its knees. But _never ever_ blame an end-user (not an end-abuser/tester) for a faulty program or operating system!
Is this really still a debate anymore?
Yes, Windows is not secure. It’s not Unix. XP was built with designs on MS owning the internet collecting tolls at every turn, so yes, it is wide open.
And yes, Microsoft realized this vision is not going to happen, at least the way they originally thirsted for. And the security holes became a threat, so they started locking in down.
But the foundation is flawed. So, all current shipping versions of Windows suck and are insecure. Unix they are not.
But I suspect the secret behind Longhorn is security. They really don’t need many new features to keep the monopoly, just security.
Linux is the bad guy in server security with about 35 breaches per week! (or was it per day? *g*)
On the client side, however, the user is to blame, and most do work as admins and install everything.
In terms of inherent system security, Windows leaves Linux far in the dust (fine-grained NTFS-CALs etc)…
> fine-grained NTFS-CALs etc
So how exactly are you going to improve security with these? Convenient – maybe. More secure – unlikely.
What a confused post…
The article is veryhard to read, a big pack of text, my eyes .. :/
Else, checkout what is fine grained security (NFS ACL? *laughts*):
http://www.rsbac.org
Anyone who has followed MS knows they are the best at looking at what’s working and cloning it with a MS brand.
I fully look for Long(way-off)horn to suddenly force users into a root/user permission system and get Grandma off the admin account. Disallowing active-x installs on demand.
Mr Gates and Co. are poor innovators but maybe the best immitators in history..
MrX
Yes, there is a lot of text in the article, but mostly because of the required number of pages my professor required for the paper. The purpose of the paper was not to get overly technical because there are plenty of articles that have been written that deals with the technical aspects of Windows security and offer better analysis on securing Windows, than I can offer at this point in my education level.
I am not an English major and so there are bound to be some grammar errors and other types of errors in the paper that I did not catch during the times that I proof read and edited the paper. The only reason I submitted the paper to desktopos as an editorial was because it was required by my professor and to see how well my understanding of the subject was. Only by having others point out the flaws in the paper can I get a better understanding of the subject matter.
Even though I am a hard-core Linux user, I believe there are a lot of unsubstantiated claims by journalists. They parrot what others say. There is no validation to their claims. Their idea of testing is what they see at the end of their noses.
Any decent system administrator, using Win, BSD, or Linux or other server systems, knows how to secure her or his servers. Harding the servers are your first step.
<action> Tosses a troll into the bog of eternal stench.
Windows is as secure as the administrator running it.
You saying that Windows is not securable is utterly false if your refering to XP or 2003.
Windows is much closer to being bullet proof if the following conditions are met:
Firewall on, block everything.
Use a restricted user for all work. (Yeah, this step really won’t work for 70% of the games out there.)
Use administrator only for installing apps / patches, and even then generally only promote the tool your trying to use to Administrator from your normal user account.
Learn how to use ACL’s properly. (No access granted to modify program files and the system directory when not administator). You can say goodbye to malware infecting critical directories. (This is VERY dangerious to play around with on system directories on a machine that is in production use. Never use deny on built in security groups unless you actually know what your doing.)
Learn how to use the local security policy software restrictions with it’s default settings plus three changes: set the default launch permission to deny instead of accept, figure out how you want to permit .lnk’s to work, and do not allow it to affect administrator accounts until you understand how the whole thing works. This will prevent everything from running if the administrator didn’t install it into a trusted space. There are loopholes to take advantage of while this is on with some widly used third party products… for those of you thoughtful enough to guess at them. (This is VERY dangerious to play around with on a system that is in production. Do not remove the default trusted registry-related allowed launch paths until you have a goood idea how it works or you’ll probably break all applications from working, and thus not be able to login and get a desktop (or anything else) anymore.)
Apply security patches in a timly manor.
–
While Microsoft can be blamed for not turning a lot of security features on by default that are in XP/2003, they did this to keep third party products running properly as much as possible. They do not deserve full blame. Take WinAmp. It won’t work properly if the user doesn’t have write access to some stupid files in it’s directory. Programs like this, I tend to strip the launch rights off it’s root folder, give full read/write access, and use code signing. Home users should use the SHA1 hash value launch permission… code signing has some broad knowledge requirements. While I use WinAmp as an example, note that Macromedia didn’t solve this issue until Studio MX 1.1, and Adobe didn’t fix it until Photoshop 7 (and then all future Adobe products followed in it’s steps).
“This is a welcome change. I could care less if users complain. This is a step forware, in the right direction.”
yeah, that attitude is going to make for a succesful buisness
Security is probably the main reason that I run Linux instead of windows.
With Linux, I feel safe on the web. I don’t even use any AV software, firewalls, or anti-spyware software. Yet I never have any security issues when using Linux.
With Windows, I’m loaded to the teeth with AV, firewalls, anti-spyware, etc. and I still get that cr@p.
I don’t care who’s to blame. I just want to feel safe, with less bother.
The flaw in your paper: Many of your sentences do not make the sense that I guessed you intended them to. This is because you often have the wrong words in places and sometimes you simply have conflicting plurals and other simple grammar errors. I’m not an english major either; but if I had turned in papers with that sort of grammar to my freshman english class: I’d still be a freshman.
>>unconfirmed “new revolutionary concept” of having a non administrative user type in an administrative password before being allowed to install software<<
Haha… it’s already there :p .. we have it in Gnome – and in NT/2K and XP it’s already existing. You cannot do a WindowsUpdate as ordinary user (sometimes not even as superuser) – however, you can rightclick and “Run as administrator” and type in the password… nothing revolutionary in Longhorns maybe upcoming feature. It’s something which should have been implemented fully a long long time ago.
The article is really funny – and the person behind cannot have done much research. If he had, he would know that many people dislike Microsoft and Windows due to the extraordinary MANY security flaws. Yes – free open source software have security issues, too – just not to that same extent
>>Even on Linux, the only thing protecting you from case is an extra step to give the file execute permission and/or a dialog box prompting you for your root password.<<
This is also a couple of major extra steps.
1) Give the file execute permission (assuming it’s running from a partition allowed to execute files – /var and /tmp is usually not allowed to do this)
2) The dialogbox requires you to write the rootpassword – which you may not have – and even if you do it’s not sure it will work, due to the many differences between linux distroes
And let’s not even forget about dependencies. How will the virus/spyware/whatever handle those? Most other OS’es doesn’t have ActiveX nor the tight integration with internet and scriptlanguages (such as VBS), nor a centralized database for system settings and so on.
The architecture of windows is extraordinary stupid, and for this Microsoft is flamed. As it should be.
With all due respect, you are wrong. You have been dumbed down into thinking that just because a piece of code is considered open-source it is magically more secure, safer, better, etc… This is false! This like saying ”oh, I have pocket knife therefore I’m safer in the dark parking lot.” It is totally false.
With regard to your comment about the exploit, the article creates the exploit, hence the exploit exists. To say there are NO exploits is totally false. There *are* kernel exploits of this kind. They DO exist. Please do not spread FUD about Linux exploits by saying they don’t exist! All the respected security web site have documented the exploits. Go see for yourself.
With regard to your comment about the exploit, the article creates the exploit, hence the exploit exists.
Please explain the logic behind this statement, as it does not appear to make any sense. Specifically, describe to us the actual exploit you’re referring to.
To say there are NO exploits is totally false. There *are* kernel exploits of this kind. They DO exist.
That’s irrelevant. The fact that there are kernel exploits does not meant that there are exploits related to this particular function. You’re making a huge leap of logic here.
Please do not spread FUD about Linux exploits by saying they don’t exist!
The other poster was referring specifically to exploits using the function you named, not other kernel exploits. If you need to resort to such acrobatics in semantics to justify your point, it only shows that it was not a very strong point to begin with.
All the respected security web site have documented the exploits.
One referring specifically to the function you mentioned? Please provide us with links.
“And let’s not even forget about dependencies. How will the virus/spyware/whatever handle those?”
I think you should get an award for pitching “dependency-hell” as a security feature designed to thwart virii.
>>While Microsoft can be blamed for not turning a lot of security features on by default that are in XP/2003, they did this to keep third party products running properly as much as possible.<<
The surface reason was/is to keep third-party compatibility, but the real reason can only be determined when you ask why is keeping third-party compatibilty so important to MS? To maintain their monopoly.
It’s been stated in other ways in other posts on this thread, but it bears (continual) repeating: If MS specifically, and software generally, were subjected to the same product liability laws as every other industry, MS would have been litigated out of business. They intentionally continue to make decisions to protect their business interests over providing a basic standard of protection for their customers. When GM and Ford did that, they paid dearly for it.
LMAO…I think that is the funniest thing I have read in this forum thread.
Ok maybe my subject was a little bit trollish and maybe I’m not saying anything new but I feel like my 2 cents is waranted. Before I start…I don’t hate windows I actually think Windows has some really cool technology but…
Microsoft’s problem is security is not an afterthought. It’s wayyyy too late to fix it. No longhorn is not a solution either. The fact that longhorn is supposively going to be relying heavily on managed code is a GREAT start but Microsoft’s curse is that it has to maintain backwards compatability. It will take years and years before they can go back and fix the mistakes they made and I applaud them for trying but security is something you design for.
Another issue with Microsoft is their more marketting oriented. Security isn’t glamerous. It may make developers lives harder and it may make end-users lives slightly more convenient. It just doesn’t jive with MS’s way of doing things. They’re about ease of development and ease of use.
Haha, thanks for the link… This guys site makes for an interesting read.
Your analogy doesn’t work at all. I hate to see people who are saying something true do it with analogies that don’t work.
Anybody reads userfriendly.org here at OSNews? The article seems to be written by Stef with broken English. I strongly urge that if the author cannot even pass English, don’t post to the media. You deserve to be shot for making our life difficult to read your article. I almost skimmed through more than half the article!
Its depressing to read an article posted for the professional society when it is basically speech. If I read out loud, I can barely grasp an idea of what you mean.
Ok, keep that aside and into your CONTENT. You don’t have much. Its not balanced. You only have a one-sided viewpoint and that shall never help things. Even at the age of 16, people will now expect you to make balanced essay. Your references stand only in favour of Microsoft. WHY? You aren’t writing for Linux, and so you must have references against your stand, at LEAST!
You really do sound you don’t know your stuff:
1) “Even though Microsoft will probably never acknowledge their mistake of integrating Internet Explorer, from a security stand point, into Windows XP there is no point in bringing up that particular issue every time there is a security alert for Internet Explorer.”
This is a perfectly flawed argument. They did it intentionally. They thus deserved to be SCOLDED, especially when they can do the otherwise. We just don’t want IE in Windows, as most of the IE holes will make Windows unstable. And they cannot acknowledge it as a mistake, or risk being sued for saying just that. They have locked themselves out with IE.
2) “Even LitePC Technologies Pty Ltd, the makers of the LitePC series of software which allowed users of Windows 98 and Me to remove Internet Explorer completely, could not duplicate that success with the version of their software for Windows XP.”
Are you sure? I believe its just because Microsoft has yet again moved all their garbage in Windows around so that its harder to eliminate. This is a point which I am not very sure of, but still it poses a refutable point. Moreover, since you have already stated that IE is not removable on 98 and ME, why are you stating this to refute your own point. You may be talking about XP only but its still a contradictory point!
3) “There is only so much Microsoft can legally do when it comes to having anti virus and anti spyware software because of the anti-trust issues that could be raised by commercial anti-virus and anti-spyware software providers if Microsoft decided to bundle those software solutions into future version of Windows.”
They can just make Windows a more secure system that does not need them. Just like how MAC OS X and Linux/Unix can survive without any AV-like stuff for years (Thats right, years). AV-like stuff should only be put in place for server-like systems.
4) You feel that IE being shot at for releasing patches while not Firefox is unfair. We feel that being forced to be a patch receiver is even more unfair. Rants shall go on. Moreover, when Firefox goes down, it doesn’t cause the whole system to be unstable. Just try that with IE. AGAIN, we don’t want IE!!!
5) “Other argument that is often brought up is that Microsoft should spend more money on research and development to make future version of Windows more secure. What some people don’t wish to understand is that throwing more money at a problem that does not equal success.”
Yah, but if they don’t spend enough then it will definitely not work. It is a must to have enough money, because money is the most important resource in the free market economy. Please read up on Economics textbooks before you make that comment.
6) Typing an admin password to do tasks is definitely not a “new revolutionary concept” because Linux/Mac/Unix has it for YEARS. Even Windows have it, but not on by default.
7) While you are at point 6, refer to the whole paragraph. I don’t want to quote the whole paragraph here. A VCR and DVD have to be learnt to use. Do not assume anything. You can still spoil a VCR or DVD with incorrect usage. And for the VCR, note that sometimes, the VCR will stuck. Remember that. Yes, people can let others fix their computers, and should be ignored. However, the very notion that people with a clue are also affected is disturbing. Finally, the OS should always do its best to prevent the clueless ones from harm, something that Windows never cared for till recently.
8) “Malicious hackers share the majority of the blame because if there were no malicious hackers there would be no need for operating system patches, anti virus and spyware software, software and hardware firewalls, and other security measures taken to protect computers.”
Well, its known that even without crackers (the apporpriate term for malicious hackers), users will still need patches because its possible they can kill their own computer. A shaky computer will always need patching, with or without crackers. This argument of yours is too flawed!
9) In the same paragraph again, the IP is a robust one. If not, how can the cops arrest crackers how wrote infamous virii like the SoBig virus? It only goes to show that your references are too little
10)”* Gain fame among other malicious hackers”
…
“* Basically because they have nothing better to do because of their lack of a social life. The lack of a social life leads to creating viruses and such as an attention getter in order to create an “online social life” for themselves.”
I believe its only your own guess. Gaining fame is not applicable because they want to avoid being caught. And saying that crackers have nothing better to do? You seem more boring than them. I’m sorry but a personal attack is the most apporpriate here.
11)”* To make the general public aware of the flaw in order to force Microsoft to acknowledge the flaw and create a fix for it, since Microsoft has a tendency to be reactive in supplying security fixes.
* To test a theory, by definition a hacker is someone who likes to get to know the inter-workings of a program or an operating system and interested in testing the software to its limits
Announcing security flaws for the public safety reasons deals with the debate of security through secrecy because if no one knows about a security hole, than can it really be considered a security hole if no one knows about the flaw.”
Do you mean that Microsoft is slow in reacting to the discovery of flaws? Your point here is debatable because I can’t make sense out of it. If I interpreted it correctly, then thank you for a point that is against Microsoft.
You mean security through obsecurity in the second point. That is an oxymoron because unknown bugs in any system can still be exploited, and has nothing to do with hackers. Moreover, only by stating it can the problem be solved isn’t it? You deserve to be infected with SARS because it means you support China’s covering-up of the issue. Moreover, the success of the GNU/Linux system shows that security through publicity is the real model that works.
12)Ironically, you didn’t make a stand with that paragraph. What do you mean? Do you really believe Microsoft to the very word? That is naive and shows how disorientated you are.
13)”In a perfect word there would be no need for security”
Debated before in point 8.
14)Since we are at the last paragraph, refer to it. Do we really need to debate on which security model is best? Just any fair comparison will tell you that the Linux one is better — We declare the same vulnerability in Linux and Windows, and in no time patches for Linux will be out. And the one affecting Linux will be less of an impact than on Windows.
15)To round up the numbers, you keep saying that users are to be blamed. Yes, they should be, but in the numbers out there, isn’t Windows to blame too?
In all, make your sound points, make it readable in English, and make it readable with better paragraphing, better font and better type!
What I was trying for with the article (paper) was to point out that just blaming Microsoft for Windows security problems seems unfair, in my opinion. If you took a typical Windows user, who does not care about security (that is why I mention my cousin in the paper) and put them on a Linux distribution they would still be using unsafe computing habits. The only difference would be they would not feel the effects of their unsafe computing habits because Linux distributions are not under the same amount of malicious attack as Windows. What makes Linux distributions more secure than Windows, in part, is because the majority of Linux users are more tech savvy compared to the majority of Windows users. I feel that a Linux distribution can be just as insecure as Windows if the user does not take the time and learn about how to secure their system.
Your welcome.
These guys know their sh%$!
also try rixstep.com
I am not even going to respond to personal attacks, even though I am not Stef. You posted how you felt about the paper and your arguments are fair and can stand with out them. I knew my paper was not perfect and expect criticism. What is the need for so called personal attacks, no one forced you to read the article. I am going to take a shot at clearing up some of the issues that you had:
1. I don’t see the point in complaining about the integration of IE into Windows. Yes, the integration of IE made Windows more insecure, but I don’t see Microsoft changing their minds about the integration of IE unless people stop buying Microsoft operating systems, which I don’t see happening any time soon.
2. I don’t think I am contradicted myself. I stated that Lite PC could remove IE from Windows 98 and ME, but could not do the same in Windows XP, according the article that I read, look at reference 11.
3. If Microsoft made Windows more secure, to the point that it did not need anti virus and spyware software, it will still vulnerable because of certain users falling victim to social engineering scams.
4. I don’t see the difference in Firefox releasing new version to patch security vulnerabilities and Microsoft patches. This can be attributed to me not having any problems with IE because I don’t use IE when I don’t have to. On the occasion I have used IE, thus far, I have not ran into any problems with it.
5. Spending enough is defined by what? How much money does Microsoft need to spend? A company can spend large amounts of money, in the millions, but if the money is not used wisely, then the company has wasted the money.
6. The reason new revolutionary concept is in quotes is because I know it is not a new concept to have to type an administrative password to do tasks. I can admit that I made a mistake and should of came out and stated that it was not instead of using quotes in order show sarcasm.
7. Protecting the clueless ones my hurt the clueless ones in the long run. If they get so use to everything being done for them what happens if a time comes when that entity is there for them. Becoming depended on Microsoft for everything is not the answer, in my opinion, for the clueless ones. Instead clueless ones need to be educated in proper computer security.
8. I meant security patches and not bug patches. I did not use the correct term for malicious hackers on purpose because of the other meaning of the correct word and I did not want to offend anyone in the academic circles.
9. I agree with you on me not having a stronger reference for IP. I based that section of the paper on the ideas was being talk about on the news.
10. I just stated what others have repeated about the reasons why virus writers write viruses. I did not say that I agreed with that train of thought.
11. Yes indeed, I meant that Microsoft is sometimes slow at responding to security vulnerabilities posted by others.
12. I did not mean obsecurity because sometimes Microsoft knows of security vulnerabilities and just does not want to announce them for one reason or other.
14. I was not trying to create a debate of what security model is better. Everyone is going to have their own opinion on which security model is better and the debate will never end.
15. To summarize, I did not take a clear position on who should blame more. I feel that each of the list groups share a blame in the security situation in Windows and there is no point in blaming one group more over another.
The paragraphing of the article is not the original way I sent it in and was changed to fit into the way desktopos wanted it. The article was not meant to be the final word on the subject matter, but an expression of my views, nothing more.
All these problems would be fixed if Windows was released under the GPL.
“The paragraphing of the article is not the original way I sent it in and was changed to fit into the way desktopos wanted it.”
Paragraphing of the article is in the right format, my mistake for saying the above in the first place.
I can change the formatting of the article. That was th eway it was sent in, I did’nt chnage anything about it other then trying to fix some of the links at the end.
It’s never too late to correct things like that…
First the anti-Linux news, now this MS apologist drivel?
Dear lord… have mercy, already.
I blame eveybody at Microsoft,because I can’t beleve techs,engineers and programmers with a degree can’t build a system that has a good security, and how can these same people are able to develop programs or hardware like firewalls, antivirus,etc to protect the systems. why not incorporate these technlogies into the operating systems in the first place.instead of making me buy all of these stuff. No thank you. I run FreeBSD and linux,
To Chris Ward:
Being a long-time Windows user I had to cringe when I read your statement: “Microsoft has integrated Internet Explorer into the operating system in such away that it is impossible to remove it without making the operating system unstable. Even LitePC Technologies Pty Ltd, the makers of the LitePC series of software which allowed users of Windows 98 and Me to remove Internet Explorer completely, could not duplicate that success with the version of their software for Windows XP”.
What planet are you from? I am by no means a Windows expert, but I COMPLETELY uninstalled IE and its troublesome cousin Outlook Express from my copy of WinXP Pro immediately after having to reinstall the OS for the umpteenth time.
(1)Go to Control Panel;Add/Remove Programs;Select Windows Components;Select Internet Explorer;Click Remove button.
(2)Reboot computer into Safe Mode:Login as Administrator:Open Windows explorer (file manager);Browse to
C:Program Files;DELETE Internet Explorer folder (Yes, Virginia, there is a Santa Claus);(While you’re at it, DELETE the Outlook Express Folder as well).;EMPTY the Recycle Bin.
No special tricks, no special software required.
When you reboot, the folders you deleted will exist again, but will be completely empty of binaries(.EXE, .DLL, any pesky little remnants that a hacker night latch onto).
Try it for yourself. And get a dictionary.
>“We just don’t want IE in Windows”
>“AGAIN, we don’t want IE!!!”
Please speak for yourself.
>“I run FreeBSD and linux”
I have seen FreeBSD rootkited, and stories about 0wned Linux desktops and servers are plently on the Internet.
>“I can’t beleve techs,engineers and programmers with a degree can’t build a system that has a good security”
While having good security principles implemented in the OS is important, the OS is not secure if it is not administered by the competent person.
This is the issue with any modern OS: Windows, Linux, MacOS, any UNIX you name, etc.
Build an OS that will only let user do what does not harm the user- and problem solved. I can’t. Can you?
ok, since you asked,
1) Why IE integration is bad? It is bad because even if you don’t use IE for anything, any IE bug that is serious enough will take down the whole system. That is the reason why IE is hated for the security part. We aren’t even talking about how IE is Windows’ tactic to kill Netscape.
2) Yes, it cannot be removed, even by the method win&lin user stated (just open My Computer and you see how it can browse the net too.), but still it contradicts the point that you are talking about Windows as a whole, especially by not stating XP. Even if you only talk about XP in your whole article, you must define it.
3) That is a resounding NO. I doubt people from the Mac are vulnerable to anything that serious. And social engineering scams? Do you mean those cheating you see on net? Well, that is purely user error, and no amount of security will do against that. Moreover, it has nothing to do with the scope of this isn’t it? and AV-stuff cannot prevent that either — the user is willing to be cheated by doing things. You must educate the masses, and that is something not practiced by Apple and Microsoft.
4) Not using IE that much reduces vulnerability by a lot, but not the serious ones. Of course you get less problems, but still you don’t get the idea that people don’t want IE on their systems. Well, even if the same vulnerability is patched for Firefox and IE, people flame IE because they chose to install Firefox, not IE.
5) It is seldom the case a firm will waste money. And we are complaining that money is not enough here. Look. You must have money to solve something, and thats the problem. In any company out in the free market economy, emphasis is directly related to the amount of money spent on something. I can’t define anything here because I cannot access the data in Microsoft, but that is true for all I care.
7) Again a resounding NO! It pays to do every part to protect the clueless. The Mac system also have many novice users similar to the majourity Windows users, and most of them understand the importance of those little bits. Its funny but people seem to learn from these little bits. When the system saves the user from something drastic, they will learn to appreciate that. Purely education seldom can educate everybody, and that is true with the Windows system, where after some time, all revert to the old ways without security. That is why the media always wants you to “do your part” even if its very little
9) An article is meant to be factual, at least when you meant to make it a factual one. Do not base anything on talk. This is a common error, and I can forgive on that.
12)But that mentality means obsecurity. There is no reason for that. The reason why people publicise the vulnerabilities is because of history. Once in the computer realm, company A produced a system with a bug that is identified by company B. B told A about it, and A ignored it. So B made a havoc out of it with a software that propagated and made use of it. That forced A to patch it. That is a situation that nobody wants to happen again. Its already very nice of people to tell Microsoft about the vulnerabilities.
14)Well, my point is that the security model used my Microsoft is bad. If not, why are there so many problems? Can you refer some of those pro-Microsoft-model sayings to me?
15)Well, summing my points above, I think we should be blaming Microsoft for making a lousy product, when they can give a better one, isn’t it? Look, the users are directly affected in any disaster, so they have had their share of the blame, while Microsoft just get off the hook. So, we should blame Microsoft for not doing their best into it and selling at the best rate.
Its not the paragraphing. Its how its presented to us. I read it by copying it all to Openoffice and changing the font to suit my eyes. Hope you get this. Well, don’t you think your paragraphes are a bit too long too?
Yes, the user is best to blame, but don’t you think that Microsoft is to blame too? And Microsoft is always off the hook after any disaster. I don’t think its good that way. And Microsoft should put an effort into it too.
Ok, you may want IE, but many people out there don’t want it. So take it that I’m talking on behalf of people with the same thoughts of mine.
Well, My computer can browse the Net too. Even Windows 98 will do it after I’ve used LitePC on it. So in fact, its not exactly removed until the functionality is removed completely
Yes, the user is best to blame, but don’t you think that Microsoft is to blame too?
You’re obviously new around here. In the two years I’ve posted on this site, I don’t recall ever seeing Russian Guy criticize Windows or Microsoft. If you were to believe him, the security situation is just as bad for Linux as it is for Windows.
Next, he’ll claim that I insulted him in a post weeks ago. My advice to you: don’t bother responding to him.
Thanks. But why would a pro-Windows advocate be here anyway? He should go to Neowin or something that is 100% pro-M$. I think OSNews is more of an objective site…
Why? because OSNews seldom takes a stand. And OSNews displays news about any OS and claims.
>“And Microsoft should put an effort into it too.”
Yes, they should, and yes- they do.
There was a post from someone praising Linux for how better it became since 1999. Fine, and I am glad to know that because I run hundreds of Linux servers at my job, but why not to compare Win98 (dated 1999) and Windows XP SP2 (dated 2004) and praise Microsoft for the progress it made in between?
Lets be fair, shall we?
>“Ok, you may want IE, but many people out there don’t want it. So take it that I’m talking on behalf of people with the same thoughts of mine.”
Many people don’t care at all. So, be more realistic on behalf of how many people you are taking.
>“but don’t you think that Microsoft is to blame too?”
Actually, it is a very good question. Yes, Microsoft is to blame, first and foremost for making Windows easy for software developers, and for thinking convenience before security.
Here are just few examples of how good intentions went wrong:
1. Very good software backward compatibility. Bad: no problem running 6-10 years old virus on the current OS.
2. Scripting. No need to invent your own spreadsheet formula calculator if you can write a script to run inside Excel and do what Excel can’t do by default. Bad: Excel and Word based worms.
3. Componentized model. Don’t reinvent mail protocol, call email client (Outlook) through COM interface from any application and tell Outlook to send email on your behalf. Bad: email worms.
4. Expand Web browser functionality as much as you want by using browser add-ons. For security, force users to accept add-ons and force developers to sign them. Bad: users don’t care and click yes, spyware loves adding itself to the browser.
List can go on and on. You sure can agree that when some geek in Microsoft invented ActiveX controls, he didn’t justify it to the management as a tool to annoy Windows buyers with spyware and ad-ware.
Microsoft is going the direction Linux does, like it or not. Linux users, especially inexperienced ones, are strongly encouraged to download software only from the Linux distro vendor depository. That saves from the dependency hell- but also from many rogue applications available on the wild wild Web.
Microsoft still is not able to pull that: force people to only use Microsoft approved and provided software, but it is working in that direction.
Also, lack of backward compatibility is sometimes credited by Linux advocates as a security measure to limit spread of malware on Linux.
Wait until Longhorn and lets see if Microsoft can pull the same. If it does- we’ll rightfully blame it for dropping backward compatibility.
Microsoft can’t win.
>“And Microsoft is always off the hook after any disaster. I don’t think its good that way.”
I am not sure what “off the hook” means.
Does Microsoft has bad reputation in technical circles for decisions it made? Yes- you can’t say Microsoft is off the hook.
Does Microsoft delay (again!) new products because it had to invest extra hundreds of millions and many man hours to fix issues in software it currently sells, free for end users? Yes- you can’t say Microsoft is off the hook.
Does Microsoft have hard time positioning itself against fierce competition from the UNIX and Linux camp? It sure does, today more than ever. You can’t say Microsoft is off the hook.
Do we have more choice on OS market now than 5 years ago, do we know what is the real OEM Windows price is, do OEMs have more freedom to choose what OS they want to sell with their hardware? Yes- you can’t say Microsoft is off the hook.
Speaking about disasters: remember MSBlast that hit everyone few months after the patch was available, Microsoft warned everyone, CNN published a story and even Homeland security sent a warning?
Well, now Windows XP is annoying a user every time patch is available, reminding user that patch must go on- so what do we see? User disabling auto-updates. Microsoft can’t win.
So, coming back to the original statement: yes, Microsoft is to blame for some decisions it made, but when you have careless user who’d rather play computer games than spend 2-3 minutes to click “yes” and update OS with the critical patch- how much of Microsoft fault it is?
If I use IE for 5 minutes, I’ll get a trojan. Don’t tell me this is anybody else’s fault but Microsoft’s. I don’t anything wrong by browsing the web. And if their browser + OS was secure at all, there wouldn’t be so many viruses and trojans.
Microsoft security policiy is like putting locks on your doors, AFTER your house has been broken into and robbed…
Please…
That was a good piece.
I know the majourity don’t care if they have IE even if it is a resource and security hog, Yet still, those with a clue generally care.
Of course, the users are at fault too. I agree with that the most of all — users who have no clue are the worst of all. They worsen all forms of disaster(by letting their computer become a portal) and sometimes even compel the system admin to relax restrictions. But users have always been the one who suffers. When a virus strikes, all their hard work are lost.
However, ain’t this worsened by Microsoft for choosing convenience before security. Backwards compatibility is, surprisingly, quite well respected by the linux community. Although much of the system have made improvements, care had been taken to ensure most parts of the system remain similar to the programs —- provided that you make the program run without querying the kernel of any sort. That is an incentive for developers to develop code that is standards-compliant, so that you don’t have to use brute hacks to do your job, but rather other tools. The same is done for scripts. The venerable awk is still symlinked to gawk.
Ok, that was a little too much, but still, there is efforts for backward-compatibility in linux, even if its minimal. But for Microsoft, backward-compatibility was its main goals. In fact, being backwards-compatible must have gained it a major share of its foundation now. Yet, the move to remove backwards-compatibility will only go to show that the move was stupid in the first place, as things are getting way out of hand. Redoing the whole kernel from 9X to NT was a powerful move, but resulted in all kinds of problems. One cannot argue that the NT kernel was similar to the 9X kernel, yet it still is a problematic one. And there is no need to wait for longhorn. SP2 is in itself a stand for the transtition to longhorn. As much as the sysadmins can complain, SP2 is out and they must update to it or risk more breakins.
No, Microsoft is not “off the hook” by how its condemned after their moves, but in how they manage to secure their foundation. Up till now, Microsoft still has the largest desktop base, and is making inroads to the server systems. I even KNOW of a moron from China that insists on Windows for his server that is going to only run a forum, even when the chinese are one of the pro-linux communities.
And it seems that only Linux has the power to fight Microsoft. That is why I support Linux — to bring the giant to economical justice.
Finally, before I forget, The linux improvements from 1999 to 2004 is still larger than the windows one. kde and gnome especially, and hardware support too.