Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

A Taste Of Computer Security

michael posted more than 10 years ago | from the where-there's-a-whip-there's-a-way dept.

Security 192

andrew_ps writes "Amit Singh has published on his KernelThread.com a paper (mini book really) on computer security. A Taste of Computer Security is a VERY comprehensive paper in what it covers, but is remarkably easy to read. This is not some list of "sploits" though! Topics covered include popular notions about security, types of mal-ware, viruses & worms, memory attacks/defences, intrusion, sandboxing, review of Solaris 10 security and plenty of others. Most notably it includes probably one of the most fair and intelligent analysis of the Unix-Vs-Windows security issue that I have ever seen."

Sorry! There are no comments related to the filter you selected.

Its.. (-1)

Anonymous Coward | more than 10 years ago | (#9831025)

too bitter for windows XP.

fp? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9831027)

hardly...

PDF? (0)

Outsider_99 (761534) | more than 10 years ago | (#9831053)

All very nice. Looks very interesting... but is there a PDF available?

Interesting "book", great read for PHBs! (4, Interesting)

mindhaze (40009) | more than 10 years ago | (#9831087)

Looks like an interesting read, and if nothing else, something we should be slipping onto our PHB's desks!

Re:Interesting "book", great read for PHBs! (2, Funny)

RepeatedEigenvalue (787224) | more than 10 years ago | (#9831104)

I'll set it as my PHB's home page. Should be easy enough, he takes a 2 hour lunch and his password is 12345.

Re:Interesting "book", great read for PHBs! (2, Funny)

Walterk (124748) | more than 10 years ago | (#9831425)

12345? Thats the code for my suitcase!

Re:Interesting "book", great read for PHBs! (4, Interesting)

x0n (120596) | more than 10 years ago | (#9831285)

Not meaning to point this directly at you, mindhaze, but it _is_ an interesting read, and if nothing else, _we_ should be reading it before slipping it into our PHBs' desks.

I would go so far as to say this should be made the must-read EULA for joining Slashdot. It might cut down some of the pointless conjecture and idiotic jibber that so clutters every discussion that mentions Windows, security or anything related. Hell, Slashdot may even grow still and quiet once in while. Not.

- Oisin

Re:Interesting "book", great read for PHBs! (1)

mindhaze (40009) | more than 10 years ago | (#9831426)

Not meaning to point this directly at you, mindhaze, but it _is_ an interesting read, and if nothing else, _we_ should be reading it before slipping it into our PHBs' desks.

Uhh... if you have a PHB, then your JOB is to read it, no? That being said, of course we should read it before dumping it on our PHBs desk! This just seems like pointless meandering to assume anything else.

Re:Interesting "book", great read for PHBs! (1)

x0n (120596) | more than 10 years ago | (#9831493)

Ok, you misread my intentions. I mean to say having read it [the article], it is worth reading. I don't mean to say that you would hand it off without reading it yourself.

- Oisin

Re:Interesting "book", great read for PHBs! (2, Interesting)

wayward (770747) | more than 10 years ago | (#9831637)

This actually would be a good book for management types, because the writing is clear and not overly technical. I like the way he makes the point that security is about more than a "grab bag of exploits."

Amit Singh, thank you! (3, Informative)

CharAznable (702598) | more than 10 years ago | (#9831088)

Kernelthread is by far the best source of information about OS X, barring Apple itself.

The UNIX vs MS Windows discussion is lacking (5, Insightful)

plover (150551) | more than 10 years ago | (#9831134)

I specifically was looking for one of the biggest problems with Windows -- Administrator authority is too easily doled out (by default, every home user is also an administrator.) This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority.

For example, the bottom of this page [microsoft.com] shows a list of games that require Administrator authority to play. Why should administrator authority need to be granted to play a game? And to suggest granting Administrator access to people just so they can play them?

I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

Re:The UNIX vs MS Windows discussion is lacking (1)

musikit (716987) | more than 10 years ago | (#9831159)

i like how all the games listed are microsoft games

Re:The UNIX vs MS Windows discussion is lacking (1)

Short Circuit (52384) | more than 10 years ago | (#9831260)

I've got MechCommander at home, and I could have sworn it wasn't a Microsoft game. I'll have to look again, but I suspect a rather large repetitive typo on their part.

Re:The UNIX vs MS Windows discussion is lacking (0, Offtopic)

strictnein (318940) | more than 10 years ago | (#9831415)

Re:The UNIX vs MS Windows discussion is lacking (1)

Short Circuit (52384) | more than 10 years ago | (#9831516)

I couldn't find the Original MechCommander on their site. Plenty of stuff about MechCommander 2, though. But thanks for the link.

Re:The UNIX vs MS Windows discussion is lacking (2, Informative)

tomknight (190939) | more than 10 years ago | (#9831316)

"i like how all the games listed are microsoft games"

That's probably because this is the Microsoft knowledge base.

Sheesh.

Tom.

Re:The UNIX vs MS Windows discussion is lacking (4, Interesting)

nb caffeine (448698) | more than 10 years ago | (#9831170)

Funny how the games listed there are all microsoft games. You'd think that MS would know how to get a game to run without Admin access... Well, I'd like to think anyhow :)

Re:The UNIX vs MS Windows discussion is lacking (2, Interesting)

Klar (522420) | more than 10 years ago | (#9831195)

Isn't it the game writers fault, not M$'s? From what I've heard(not sure how valid I am on this though) the reason they need admin rights is because the program stores info in the admin parts of the registry. Perhaps they should start enforcing software companies to keep away from doing this, and make it easier to run windows while not being an admin user.

Re:The UNIX vs MS Windows discussion is lacking (3, Informative)

peragrin (659227) | more than 10 years ago | (#9831446)

Of the Games Listed the Bulk are Microsoft made games. So it is the game writers fault, but since MS is the game writer you can just skip a step and blame MS.

for you who didn't click on the link

* Microsoft Age of Mythology
* Microsoft Age of Mythology: The Titans
* Microsoft Age of Empires II: The Age of Kings 2.0
* Microsoft Age of Empires II Expansion: The Conquerors
* Microsoft Age of Empires II Gold Edition
* Microsoft Baseball 2001
* Microsoft Casino
* Microsoft Classic Board Games
* Microsoft Combat Flight Simulator 2: WWII Pacific Theater 1.0
* Microsoft Combat Flight Simulator 3: Battle for Europe
* Microsoft Crimson Skies
* Microsoft Dungeon Siege 1.0
* Microsoft Flight Simulator 2004 - Century of Flight
* Microsoft Flight Simulator 2002
* Microsoft Flight Simulator 2002 Professional Edition
* Microsoft Flight Simulator 2000
* Microsoft Flight Simulator 2000 Professional Edition
* Microsoft Freelancer
* Microsoft Golf 2001 Edition
* Microsoft Halo: Combat Evolved
* Microsoft Impossible Creatures
* Microsoft Links LS 2000
* Microsoft Links 2001
* Microsoft MechCommander 2.0 1.0
* Microsoft MechWarrior 4: Vengeance
* Microsoft MechWarrior 4: Mercenaries
* Microsoft Metal Gear Solid
* Microsoft Midtown Madness 1.0
* Microsoft Midtown Madness 2 2.0
* Microsoft Motocross Madness 2 2.0
* Microsoft NBA Inside Drive 2000 1.0
* Microsoft NFL Fever 2000 1.0
* Microsoft Pandora's Box 1.0
* Microsoft Rise of Nations
* Microsoft StarLancer 1.0
* Microsoft Train Simulator 1.0
* Microsoft Zoo Tycoon
* Microsoft Zoo Tycoon: Complete Collection
* Microsoft Zoo Tycoon: Dinosaur Digs Expansion Pack
* Microsoft Zoo Tycoon: Marine Mania Expansion Pack

Re:The UNIX vs MS Windows discussion is lacking (1)

Klar (522420) | more than 10 years ago | (#9831507)

Humm, ya, they should have made a better attempt being microsoft games. Although, I know some of them are licenced out to other companies to make, like the Age of Empires series is made by Ensemble Studios, but published by microsoft. Still no excuse.

Re:The UNIX vs MS Windows discussion is lacking (2, Interesting)

jafomatic (738417) | more than 10 years ago | (#9831908)

I may be mistaken, but I believe that these games were published or distributed by microsoft. Not "written" or "made by" microsoft. Age of Empires (II) was made by uh, Ensemble Studios or something.

That said, you'd still hope they'd find a more-secure spot to write down the user's config. Wasn't there a branch on the root of the registry that was writeable without administrator permission? Is an ini-file impossible to consider as the settings store of a freakin' game?

List not accurate (1)

p_trekkie (597206) | more than 10 years ago | (#9832338)

If you look at the article, you would see that administrative privileges are only one of the possible solutions for the problem. I've played Freelancer and Train Simulator as the totally powerless "guest" account on my XP computer without incident. I suspect that other items on the list may run as non-administrators as well, so suggesting that all those games will not run as administrator is misleading.

Re:List not accurate (1)

Vancorps (746090) | more than 10 years ago | (#9832496)

Personally, I've never met a game that required Administrative privs. A good chunk require elevated permissions to install but it is by no means a requirement.

Of course, a good chunk of those games also require you to open multiple ports on the firewall so lets face it, you can't game on a computer that needs to be secured. Why not think ahead of situation like this? Spose not everyone has multiple computers

Just seems a shame this copy protection stuff forces the user of administrative privs. I can't think of any other reason they wouldn't store all the settings in an xml config file. It can be done, I don't suspect things will change anytime soon though. Everyone assumes right now if it doesn't work right away then you need higher permissions rather than oh, granting permission to the one folder.

Just a couple of my cents on this issue

Re:The UNIX vs MS Windows discussion is lacking (0)

TrollBridge (550878) | more than 10 years ago | (#9831214)

"For example, the bottom of this page [microsoft.com] shows a list of games that require Administrator authority to play. Why should administrator authority need to be granted to play a game?"

Perhaps if game companies wrote their games to run without admin rights, this wouldn't be a problem. It's not Microsoft's fault that game companies refuse to incorporate good security measures in their games.

Re:The UNIX vs MS Windows discussion is lacking (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9831235)

Perhaps if game companies wrote their games to run without admin rights, this wouldn't be a problem. It's not Microsoft's fault that game companies refuse to incorporate good security measures in their games.

I certainly think it is when Microsoft is either the writer or publisher of said game...

Re:The UNIX vs MS Windows discussion is lacking (1)

skyhighpenguin (801233) | more than 10 years ago | (#9831442)

I certainly think it is when Microsoft is either the writer or publisher of said game...
A fault of Microsoft it may be...but a fault of windows it isn't...

Although I have played Microsoft games that have been less fun than repairing Windows....

Re:The UNIX vs MS Windows discussion is lacking (3, Interesting)

plover (150551) | more than 10 years ago | (#9831698)

A fault of Microsoft it may be...but a fault of windows it isn't...

No, this is a fault of Windows. We don't know how these games run or why they require admin authority. It might be to access the sound card, or the video drivers, or DirectX or something similar. But in all those cases it's a fault of Windows for not providing non-admin-level access to the required resources.

It may have something to do with backwards compatibility with Windows 9x. In that case, yes, the application probably could have littered itself with millions of 'if (WindowsVersion >= 4) SafeFunction() else UnsafeFunction() calls, each of which would have killed performance dead. They also could have shipped fat binaries or even two binaries, and had the installation program make the right choice up front. All those solutions add their own problems to an already complex product, though, and if those types of bad solutions are required, I'd say it's the fault of the OS for requiring them.

I would also think that if it were something they could easily fix at the application level, Microsoft's newest releases would not make this list. However, since it includes "Microsoft Flight Simulator 2004 - Century of Flight" I'd say that in these days of Microsoft waving the "Security First" flag, they have never actually addressed the root problem. And the root is Windows, not the application.

Re:The UNIX vs MS Windows discussion is lacking (2, Insightful)

stratjakt (596332) | more than 10 years ago | (#9831833)

Windows does provide non-admin access to all those low-level resources. It's called DirectX. I've never had to be Administrator to run any game under XP, and really, not even to install them (unless the game decides that it needs to install the latest DirectX for you, then it needs Admin rights, and that's why installshield likes to ask for it by default)

It's no more fair to criticize XP because legacy games designed for Windows 95 were poorly written and need to be run as root, no more than it is to criticize the new Gentoo 2004.2 because the original linux Doom and Quake ports required svgalib, and thus had to be run as root.

And there were exploits, oh boy, were there ever. Those were my asshole script-kiddy days. Camping, huh? Well just wait until you load the next map, complete with buffer-overflow giving me root access, etc.

Re:The UNIX vs MS Windows discussion is lacking (1)

jafomatic (738417) | more than 10 years ago | (#9832073)

We don't know how these games run or why they require admin authority.
I don't know every reason, but I can think of a couple/few. User settings, registration key, common component registration, may "require" permission to write to the registry. I say this in quotes because, aside from the component registration which should be done as admin at install-time, these settings can and should be doable without administrative privilege.

The really recent games on that list (if any, I didn't look at release dates) have no good excuse for requiring this at runtime of the game engine, however I'm not at all surprised that it wasn't even thought of. Consider that writing to the windows registry might've even seemed to be the "proper" way to store settings. It's backed up automatically and was believed to be not as easy to find and adjust by the end-user.

How many developers have we worked with who refused to use an older method to accomplish a task simply because it was older? I worked with a guy who argued against the use of an ini-file to store settings (he wanted to use the registry) because it was, and I will quote, "archaic". That application was almost designed to require administrative access at runtime because of such ideas.

Re:The UNIX vs MS Windows discussion is lacking (4, Insightful)

abb3w (696381) | more than 10 years ago | (#9831245)

Why should administrator authority need to be granted to play a game?

Obviously, to make low level system calls for direct hardware access in a copy protection scheme.

I have found no more powerful example of Microsoft's lack of commitment to security than this.

While some blame attaches to Microsoft, since they choose to use such a copy protection method with their games, the real culprit is Macromedia, who made the SafeDisc copy protection system at fault.

So, what do you think will happen if it can be proven that the copy-protection methods the Content lobbies (RIAA/MPAA/BSA) are using are a threat to Homeland Security?

Re:The UNIX vs MS Windows discussion is lacking (3, Informative)

Anonymous Coward | more than 10 years ago | (#9831313)

...the real culprit is Macromedia, who made the SafeDisc copy protection system at fault.

Minor knitpick, but Macrovision makes SafeDisc, not Macromedia...Macromedia is the company that gave us that other monstrosity (aka, Flash).

Re:The UNIX vs MS Windows discussion is lacking (2, Funny)

finkployd (12902) | more than 10 years ago | (#9831364)

Macromedia is the company that gave us that other monstrosity (aka, Flash)

Which brought us homestarrunner, so it can't be ALL bad :)

Re:The UNIX vs MS Windows discussion is lacking (0)

Anonymous Coward | more than 10 years ago | (#9831394)

Which brought us homestarrunner, so it can't be ALL bad :)

ahhhh...touché...

Re:The UNIX vs MS Windows discussion is lacking (2, Insightful)

schon (31600) | more than 10 years ago | (#9831400)

Obviously, to make low level system calls for direct hardware access in a copy protection scheme.

Sounds like a cop-out to me. 'low-level' system calls are just that - *system* calls, and the system should have a way to allow processes run under non-admin accounts.

At the very least, why can't the installer put a 'setuid' (or whatever the windows equivalent is) program that does the bit-banging? Does the 'system' not allow it? (If not, then the system is indeed broken.)

Re:The UNIX vs MS Windows discussion is lacking (1)

abb3w (696381) | more than 10 years ago | (#9832511)

At the very least, why can't the installer put a 'setuid' (or whatever the windows equivalent is) program that does the bit-banging?

Even in UNIX, SUID files are one of the things you need to watch closely [busan.edu] . As a non-random example, a superuser-SUID copy of [insert cracker's favorite shell] is a nicely unsubtle way to help widen a security pinhole into an aircraft hanger door.

Your proposed technique does definitely reduce the ability of the user to accidentally shoot themselves in the foot, but any weakness in third-party SUID programs still effectively translates into an operating system weakness.

Re:The UNIX vs MS Windows discussion is lacking (0)

Anonymous Coward | more than 10 years ago | (#9832441)

Just out of curiosity, why do people use Macrovision? I can't think of a single one of their products that isn't trivially breakable. You would think their reputation would be in the toilet.

Re:The UNIX vs MS Windows discussion is lacking (2, Interesting)

Proaxiom (544639) | more than 10 years ago | (#9831256)

I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

This is not a fair criticism. The 'security initiative' thing is still relatively new, and they are burdened by a large number of legacy security problems from the many years of development with any regard for security problems.

Most of the games in that list, for instance, were originally intended to be played in the 9x series of OS's, which had no notion of anything that was not administrator access (actually, 95/98/ME users had more access than NT admins do!).

There are certainly areas where Microsoft's commitment has been lacking, but the least privilege principle is one of the better areas. Michael Howard et al have been pushing hard for this within Microsoft, and more importantly, pushing for better developer education on how to write code that adheres to least privilege.

Because when you get down to it, if an application requires administrator access to run, it is not the fault of the Operating System.

Re:The UNIX vs MS Windows discussion is lacking (5, Interesting)

plover (150551) | more than 10 years ago | (#9832383)

The security initiatives have been going on a lot longer than just their "global security mobilization" of October 2003. For example, this "Secure Platform" document [microsoft.com] was authored in December 2002. And since they seem to be able to put out the "hot fix of the week" to handle the "virus of the previous week," I should think they have had plenty of opportunities to get OS patches released, driver patches, or whatever is required to the computers that need it.

Given that, explain why "Microsoft Flight Simulator 2004 - Century of Flight" should still make the list? If software they've released years after they've been aware of these problems still demands bad security practices, who is to blame? The application programmers or the environment in which they must work?

You said, "if an application requires administrator access to run, it is not the fault of the Operating System." Explain how a train simulator could possibly require admin authority except in a poorly architected environment? Then answer, 'who provided that poor architecture?'

This is Microsoft -- author of both these applications as well as the OS. They've had the chance to address it, they've had the incentive to address it, but they have not done so. I stand by my comment.

Re:The UNIX vs MS Windows discussion is lacking (2, Informative)

fireduck (197000) | more than 10 years ago | (#9831259)

I second this complaint. As I recall, one of the recent Blizzard games (fairly sure it has to be Warcraft 3, but it might have been Diablo 2) required admin rights in order to play online through battle.net. Took me a while to figure out why online wasn't working for me, until I switched to admin account, and then voila. I complained in their forums about this (with the predictable response from other players, "why don't you just switch your setting?"); few patches later Blizzard made the game playable with normal user setting. So, it's good that some companies get it, althought it would have been nice if they had gotten it from the start.

Re:The UNIX vs MS Windows discussion is lacking (1)

x0n (120596) | more than 10 years ago | (#9831323)

Why should administrator authority be needed to play a game? Pfff. I see you didn't read the article very well. Nearly all, if not all, games are designed to run on Windows 95 and up. To summarise, by virtue of NT's choice to backwardly support 95/98/ME, it has to give root access to the games by virtue of the shared win32 api/registry access and other functions between 95 derived and NT derived systems. Read the article again.

- Oisin

Re:The UNIX vs MS Windows discussion is lacking (4, Informative)

Minna Kirai (624281) | more than 10 years ago | (#9832394)

Why should administrator authority be needed to play a game?

So the game can have "root"-level control over your machine, to ensure that you're not cheating with 3rd-party apps running on the same machine. It must be able to inspect all applications and drivers in memory, comparing them against a list of "cheat signatures" rather like a virus-scanner does.

Seriously. This is exactly what's happening. Evenbalance.com licenses cheat-prevention software modules to several major game publishers, and they've started disallowing players on XP machines unless they're running under the "administrator" account.

Just read the FAQ here [evenbalance.com] :
  1. Why does PunkBuster now require players to run the game as an administrator under WinXP/2K?

    Because some cheats/hacks cannot be detected otherwise

The reason you give is obselete- mistrust of the end user is the new, upcoming explanation.

Re:The UNIX vs MS Windows discussion is lacking (2, Interesting)

Kristoffer Lunden (800757) | more than 10 years ago | (#9831348)

I'm not so sure. Here, at home, I am running my Linux box as a normal user, firewalled and everything setup according to the rules. Still, what would malware want with my root access for? If I would execute something malicious, the virus/trojan/whatever would already have access to what is important: the desktop user.

Ok, so it can't erase the *whole* HD or meddle too much with the system, but it can do everything I have the right to do, such as finding and using mail clients and start spreading if that is what it is about.

It could also simply sit idle and log keystrokes until I enter my root pw if that is needed, or just any banking info, or whatever. What it can't do would be stuff like opening a spam mail relay. Until it gets the root pw, that is. Or maybe it is enough to capture your normal pw and use sudo? Did you set it up without restrictions?

Other possibilities include invading lots of local config scripts that are run when starting applications, and oh, when was the last time you checked what was in your KDE autostart? Or any of all the other files that are usually run?

Most things don't matter if root/Administrator access is available - that is for servers.

Actually, I could have something like this running since a long time ago, maybe some russian is watching me type this. After all, I've allowed outgoing connections and I don't do real security audits. After all, this is my home desktop user system. I think it is lots better of than most, but it is not a server.

Re:The UNIX vs MS Windows discussion is lacking (1)

meringuoid (568297) | more than 10 years ago | (#9832070)

What it can't do would be stuff like opening a spam mail relay. Until it gets the root pw, that is.

Couldn't it just open up port umpteen-thousand-and-twelve and run its spam relay there?

Re:The UNIX vs MS Windows discussion is lacking (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9831380)

Have you ever used a linux box without root permission? It is hard to install software as well.

It is the programmers who use certain resources and assume that everyone else has the ability to write to them.

Re:The UNIX vs MS Windows discussion is lacking (4, Insightful)

jedidiah (1196) | more than 10 years ago | (#9831628)

Actually, it's quite trivial to install most software on Unix as a "mere user". It has been this way for decades.

If Vendors choose not to allow for this, it is certainly not due to a lack of functionality in the underlying system.

Re:The UNIX vs MS Windows discussion is lacking (1)

x0n (120596) | more than 10 years ago | (#9831459)

For example, the bottom of this page shows a list of games that require Administrator authority to play.

Eh, no. If you bothered to read the whole page, you'd see that the list pertains to games that require administrator access to _install_, not neccessarily play, which is entirely sensible.

-Oisin

Re:The UNIX vs MS Windows discussion is lacking (1)

Minna Kirai (624281) | more than 10 years ago | (#9832505)

administrator access to _install_, not neccessarily play, which is entirely sensible.

No it isn't. If a person has authority to run programs on a machine, and to place files on the machine, then he should be able to install and run a game off CD. (It should show up only in his own Programs menu, not globally, of course)

This user can undoubtedly install some games, such as a standalone "tetris.exe" or similar, so there's no good reason to prohibit more elaborate installers (unless if that OS doesn't provide a good way to install things in non-global positions, in which case the blame returns to Microsoft)

Re:The UNIX vs MS Windows discussion is lacking (1)

gordo3000 (785698) | more than 10 years ago | (#9831543)

I actually hope windows doesn:t change the default root access it grants users. I dread the day when they change this I have to sit on the phone for hours with my family when they get their new computer, explaining to them what root access is compared to regular user settings, whats the difference,and why they should actually care to not be root. I believe this will happen just as my mom is trying to install an IM to talk with her sisters.

I dread the day when this happens, because no one on start up will read what microsoft puts up there, even if its in big bold type, and so every help line will be clogged with wanting to know how to fix this. I don`t know what would be a good fix though. Maybe certain parts of the system in home users should just be made almost completely inaccessible until many, many, many hoops are jumped through. The computer litterate could do this, but if you make it such that in daily use, these priveledges aren`t needed, few regular users that don`t worry about security will be struck. Of course, this is very difficult when you do foolish things like integrate your web browser. I`m sure if the best crackers went at it, they could expose many security holes in mozilla but the difference is htat its a lot more difficult to control a system from a mozilla security hole. At best, you could probably make mozilla act up.

Of course, I hope microsoft surprises us all by making IE *not integrated* come longhorn, becuase I think this would allow for much more comprehensive security, but I highly doubt this will happen, so we are just SOL, eh?

Re:The UNIX vs MS Windows discussion is lacking (3, Informative)

badriram (699489) | more than 10 years ago | (#9831785)

The words over there when you read the games list were "you may experience". It does not happen for all users. I run halo all the time with a unprivildged user account, and trust me it works.

Also if you look at every major application made by MS, all of them run in user space, I run enough machines in my university to know what application do and what do not work in Windows user space. The one major problem we do run into is Visual Studio, but that is because of the debugging features, which can also be granted easily.

There are enough opensource apps in windows that have this problem.
  • Firefox, first run after installation requires Admin to run it, otherwise crashes over and over again
  • MySQL, if you enable innoDB, Which is by default, it likes to crash in user space

But yes this problem is more pronounced with other third party windows applications.

Re:The UNIX vs MS Windows discussion is lacking (4, Insightful)

einhverfr (238914) | more than 10 years ago | (#9831904)

I have found no more powerful example of Microsoft's lack of commitment to security than this [common requirement that the user have Administrator privilages]. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.

You know, you have pointed out one of the two major failings of Windows security-wise. The other is at least as bad, however.

People often think of UNIX being a nightmare of dependencies, but from a security perspective, the dependency nightmare is actually far worse on Windows. Some of this I can understand, but some I cannot. For example, it is true that copy and paste in Windows depend on RPC. This is understandable (in Gnome, they depend on CORBA). But last time I tried to secure a Windows box by turning off RPC on the PPPoE interface, it would not authenticate until I re-enabled it. Apparently the PPP authentication mechanisms require that RPC is running (works if firewalled) on the same network interface, or at least that is what I was told when I finally called technical support (Microsoft). Granted this was Windows 2000 and I was using a third-party PPPoE extension, but still...

At least with GNOME, I don't have to have CORBA listening on my network interfaces....

If I am securing Linux or UNIX, there is generally it is usually clear what can be turned off whithout adverse results to the rest of the software. This is NOT true with Windows, and I have generally found disabling unnecessary services to be extremely difficuly on Windows because it is difficult to determine what is actually necessary.

I find Windows security to be a complicated headache compared to UNIX security.

Of course, real security depends on the admin, not the OS.

Re:The UNIX vs MS Windows discussion is lacking (1)

ztirffritz (754606) | more than 10 years ago | (#9832040)

I have run into this same problem where I work. We use several different CAM (computer aided machining) software packages. Almost all of them require admin security to function. What is the purpose of having a logon screen at all if your software works this way!?! I had to sit down and hack on these computers for hours trying to figure out which folders were the vital ones so that I could set scecurity levels at the directory level that would not grant the users admin access across the entire computer, but rather to certain folders that were needed for the programs. Eventually it worked, but only because I was paranoid enough to fight through it. Any sane person would have said "screw it" and given them admin permissions. Is this Microsoft's fault? No I don't think so, but they should make their vendors more aware of these problems. I have not yet come accross a problem such as this in OS X, but that does not mean it could not happen.

Re:The UNIX vs MS Windows discussion is lacking (2, Informative)

Ytsejam-03 (720340) | more than 10 years ago | (#9832156)

I specifically was looking for one of the biggest problems with Windows -- Administrator authority is too easily doled out (by default, every home user is also an administrator.) This is exacerbated by the fact that so many Windows applications require the user to have Administrator authority.
Application developers deserve just as much blame for this as Microsoft. It's a catch-22: practically everyone who uses Windows logs on as Administrator, so making sure non-administrative users can run your app is generally not a requirement.

To make matters worse, Windows allows developers to store global variables in a shared memory segment, which IIRC is located in the dataseg of a given .exe or .dll. This provides an easy way to do IPC. IIRC, usage of shared memory segments is the reason that Office 97 and other apps require write(!) access to the System32 directory. Of course when I've seen shared memory segments mentioned in the MSDN documentation, I've never seen any mention of the security implications.

Re:The UNIX vs MS Windows discussion is lacking (2, Interesting)

Beryllium Sphere(tm) (193358) | more than 10 years ago | (#9832198)

>Administrator authority is too easily doled out

I'd argue that that's a symptom and not a cause. Behind all the technical errors there's a mindset that causes them.

For example, somebody thought it was a good idea to have web server plugins run in the address space of the web server. It's only a good idea if you place more value on speed than on reliability and security. Somebody thought it was a good idea to speed up the system by moving more and more functionality into Ring 0. Somebody thought it was a good idea to have Turing-equivalent programs execute when you open an Office document, placing features above security. Somebody thought Javascript in email was a good idea.

The same mindset, until recently, valued rapid code development over security.

Everthing came together in Slammer. The philosophy of feature-richness put a SQL database into products whose buyers didn't even know they had it. The philosophy of convenience had it listening on the network by default. And so on.

By now the old Microsoft attitudes and assumptions have been baked into the foundations and built on by ISV's. Change will be slow and painful even with firm commitment by Microsoft.

Re:The UNIX vs MS Windows discussion is lacking (1)

Minna Kirai (624281) | more than 10 years ago | (#9832460)

I specifically was looking for one of the biggest problems with Windows

It also lacks in other areas. For one thing, it ignores the common argument that "Windows only attacked so much because it's the biggest target, not because it's more vulnerable".

And elsewhere it lies, claiming that DOS/Windows has a history of virus-writing that UNIX lacks. That is plainly false, as rtm demonstrated epidemic UNIX infections decades ago.

MS Bob (1)

danormsby (529805) | more than 10 years ago | (#9831177)

I'd never heard of MS Bob [kernelthread.com] until I read this article. Wonder why it wasn't called MS Bill?

Re:MS Bob (2, Funny)

Short Circuit (52384) | more than 10 years ago | (#9831287)

Because "Bill" brings to mind a redneck driving a truck with a gun rack. At least, it does for me. :)

Re:MS Bob (1)

SpaceLifeForm (228190) | more than 10 years ago | (#9831485)

They didn't have their billing system set up back then.

Re:MS Bob (0)

Ignignot (782335) | more than 10 years ago | (#9831539)

Every joke, every pun, done to death, really.

-SG1

Re:MS Bob (1, Funny)

jhylkema (545853) | more than 10 years ago | (#9832326)

Yes, and it was the brainchild (abomination) of one Melinda French . . . now Melinda Gates. It's the only genuinely "innovative" thing M$ has ever done and it was a miserable failure. A male project manager would have been summarily shown the door, but Melinda stayed in on her back.

Sure.. (4, Interesting)

stratjakt (596332) | more than 10 years ago | (#9831178)

Most notably it includes probably one of the most fair and intelligent analysis of the Unix-Vs-Windows security issue that I have ever seen."

Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is this guy on crack?

There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).

This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?

This isn't a fair analysis, it's just more "MS is teh gay linucks is awwwwsome!!!!!11!" tripe.

It's really not hard at all to secure Windows, and you can lock it down every bit as tight as any Unix if that's what you want to do. Just because people don't doesn't make it the OS's fault.

How about all the newbies running their X sessions as root because it's the only way they can get the soundcard/dvd-r/tv-tuner/misc hardware to work?

Is it Linux's fault that once you start piling OSS layers onto ALSA and jam the whole pile of shit into Gentoo's default devfsd setup, that it's a huge pain in the ass to get a non-root user to be able to play sounds? Cuz it is. Don't give me the bullshit about "all you have to do is add the user to the audio group" stuff.

What about lazy fucks like me who quit trying to have their daemons chroot and su to another user, because every fucking time they type emerge -u world portage decides to change all the file permissions and ownerships around, so now all of a sudden slapd cant read or write it's data directory, hosts.allow and hosts.deny are no longer world-readable, etc, etc.. Fuck it, the only way to guarantee my LDAP server stays up is to have it run as root. And, of course, it has to stay up, else noone could log in.

I can't remember which distro now, but it shipped with a single * in the xdm's Xaccess file - ie; anyone anywhere could get a local X session on it.

What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

The only point I'm trying to make is, any PC out there is no more secure as it's user/owner/admin and the apps they run. Most normal people dont enjoy spending 8 hours a day doing nothing but configuring their systems.

Re:Sure.. (1)

tomknight (190939) | more than 10 years ago | (#9831292)

Indeed, a good read of the "Hardening Windows 2000" doc that's floating around will go a long way towards making your W2k servers much more secure.

Re:Sure.. (0)

Anonymous Coward | more than 10 years ago | (#9831396)

"I don't need no instructions to know how to rock!!!!"

You do realise this is a double negative and means that you do need instructions.

Re:Sure.. (2, Funny)

Azrael Newtype (688138) | more than 10 years ago | (#9831598)

You do realize that this is a direct quote from Aqua Teen Hunger Force, when Carl steals the Foreigner belt from Ignignoct in season 1 episode 8. He then proceeds to invoke the powers of "Hot Blooded," heating Ignignoct and Err and causing them to leave the pool, and subsequently Earth.

God, why am I responding to someone responding to a damn sig, espcially an AC...

Re:Sure.. (1)

FuzzyBad-Mofo (184327) | more than 10 years ago | (#9832306)

Shut up and eat your cheese sandwich.. ;)

Re:Sure.. (5, Insightful)

wwest4 (183559) | more than 10 years ago | (#9831431)

> Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is
> this guy on crack?
> This isn't a fair analysis, it's just more "MS is teh gay linucks is
> awwwwsome!!!!!11!" tripe.

His thesis is actually more along the lines of (and I'm quoting from the Win v Unix section of the article):

"Current Windows systems have some of the highest security ratings (as compared to other systems)... However, the number of documented security issues and the real-life rampant insecurity of Windows are not speculations either! The problems are real, both for Microsoft, and for Windows users."

Nowhere here is he saying that MS sucks, or that linux r0x0rs. Again, from the sam part of the article:

"We stated earlier that UNIX was not even designed with security in mind. Several technologies that originated on Unix, such as NFS and the X Window System, were woefully inadequate in their security."

The argument that explains the paradox is along the lines of what many of us already know - that MS is more prevalent, has a wider spectrum of users (inexperienced to experienced) and exists in a wider range of vulnerable environments - not just cozy, isolated research labs.

So while your arguments are valid, they don't really go against the overall opinion of the article.

Re:Sure.. (1)

Tim C (15259) | more than 10 years ago | (#9832482)

Well, I have a hard time arguing that it's a "fair and balanced" opinion, given that one of his opening paragraph headings is "How Did Windows Become So Insecure?"

Unless I've missed something on a previous page (which I admit is entirely possible), he's started from his conclusion ("Windows is not secure") and at best worked backwards.

Re:Sure.. (0)

Anonymous Coward | more than 10 years ago | (#9831458)

so his thesis seems to be that Windows is insecure because it's too hard? Is this guy on crack?

No, you simply lack the cranial capacity to understand what he's saying.

It's insecure because it's too hard to make secure, and it's easy to make insecure. There are multitudes of settings that interact with each other in subtle ways, and it's damn near impossible to know what they do.

And even if you have things set properly, you *still* don't know for sure that you've properly secured the system.

Re:Sure.. (1)

Short Circuit (52384) | more than 10 years ago | (#9831482)

The only point I'm trying to make is, any PC out there is no more secure as it's user/owner/admin and the apps they run. Most normal people dont enjoy spending 8 hours a day doing nothing but configuring their systems.

I agree, mostly. That said, how long it takes an admin to tighten down a box depends on how much experience he has with it. Don't ask an RHCE to tighten down Windows Server 2003, and definitely don't ask an MCSE to tighten down a Red Hat server.

However, just about any user with a somewhat thorough understanding of the protocols and technologies involved can tighten either system, if given a book that explains where the configuration options are.

Re:Sure.. (5, Insightful)

stratjakt (596332) | more than 10 years ago | (#9831632)

The problem is deeper than that, don't ask a RHCE to tighten down a Slackware or Gentoo box. Linux distros can be worlds apart. For instance, Slackware doesn't have /etc/init.d, it uses rc.d scripts, etc.

They store config files in different places, with different names (ldap.conf vs nss_ldap.conf, etc). They install apps to different places, and so on and so on. Now we can deal with XFree vs X.org (migrating to X.org on Gentoo also broke, well, almost freakin everything I use, and I still don't know how to properly configure the new font paths for tightvnc)

For that matter, don't ask a guy who's RHCE is a year old to secure a RedHat box, because for all you know, he doesn't know shit about, as an example, Samba 3.0's new config options or iptables (since he was taught ipchains). The OSS world likes to completely reinvent apps between revisions, for some reason.

Whereas, one XP box is pretty much the same as the next, and not far removed for Win2k.

I've had the same problems with both. I installed PuTTY in Windows as Administrator, tried to run it as a user, oops.. No user rights.. This is when you find out what kind of user you are. Do you switch to Administrator, screw around with permissions, and test until it works and you feel it's secure, or do you just go "fuck it" and add your username to the Administrators group so you don't have to deal with that kind of shit every day.

I'm not ashamed to admit I'd put myself in the latter category. Screwing around with filesystem ACLs and group memberships isn't what I like to spend my time doing. My firewall/router is about the only "secured" box on my home lan, which is fine, since I lock the doors when I leave so the likelyhood of a script kiddie sitting down at one of my machines is low.

There is a point to be made, and it's that it's nearly impossible to have the best of both worlds. It's either simple and painless to use (desktops), or super-hardcore secure (servers). Both OS's can function in both roles.

Re:Sure.. (1)

Short Circuit (52384) | more than 10 years ago | (#9831793)

Familiarity with the way Linux systems work in general will help.

Don't know where LDAP configration files are? Use a manpage, or "locate ldap". Don't know where apps are installed? Use locate again. The nature of the difficulty of XFree to X.org migration is something I'm unfamiliar with, though.

If an app has been "reinvented" since the version he was trained on, he can look it up on the Internet. He'll be competent to know what sites to look at, etc. A Google search for "Samba upgrade caveats" might be all he'll need.

There is a point to be made, and it's that it's nearly impossible to have the best of both worlds. It's either simple and painless to use (desktops), or super-hardcore secure (servers). Both OS's can function in both roles.

I'm not disagreeing with you.

Re:Sure.. (1)

azaris (699901) | more than 10 years ago | (#9831824)

I've had the same problems with both. I installed PuTTY in Windows as Administrator, tried to run it as a user, oops.. No user rights.. This is when you find out what kind of user you are. Do you switch to Administrator, screw around with permissions, and test until it works and you feel it's secure, or do you just go "fuck it" and add your username to the Administrators group so you don't have to deal with that kind of shit every day.

First of all, PuTTY doesn't require admin rights so it must have been a folder permissions issue. Secondly, the right way to do this is to use the "Run as..." context menu option and only run those few apps that require Administrator permissions under that context.

Re:Sure.. (0)

Anonymous Coward | more than 10 years ago | (#9831533)

This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?

See, for example, how to set up a private certificate server [slashdot.org]

Re:Sure.. (1)

spronk (712662) | more than 10 years ago | (#9831673)

What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

Do you have a clue what you're talking about? MythTV doesn't use svgalib, MythTV in no way requires you to run as root for anything, the MythTV protocol isn't open to RCE exploits (assuming you're stupid enough to not be behind a firewall in the first place).

Re:Sure.. (1)

CyberKnet (184349) | more than 10 years ago | (#9831677)

What about every app that uses svgalib having to be suid root, or run as root. Those mythTV boxes and advanceMAME cabs are just big fat fuckin backdoor waiting to be exploited.

Contrary to what your post implied, MythTV does not use svgalib, nor does it require to run as root/suid root.

It is quite possible to setup MythTV to run as its own unprivileged user that only has access to QT libs, X, the tv tuner, video out and some form of large scale storage.

In fact, that is the most common way to set it up, because that is how the very verbose documentation instructs you to set it up.

I freely acknowledge that it is time consuming to set MythTV up; but I would heatedly dispute that it has to be insecure because of any reason issued in your post.

Re:Sure.. (1)

jedidiah (1196) | more than 10 years ago | (#9831683)

> Is it Linux's fault that once you start piling
> OSS layers onto ALSA and jam the whole pile of
> shit into Gentoo's default devfsd setup, that
> it's a huge pain in the ass to get a non-root
> user to be able to play sounds? Cuz it is.
> Don't give me the bullshit about "all you
> have to do is add the user to the audio group"
> stuff.

Nope. It's Gentoo's fault. Unix in general has suitable authorization and automation facilities such that this should not be a problem for ANY user running anything newer than Slackware '96.

The packager dropped the ball.

The root user shouldn't even be able to touch the multimedia devices.

Re:Sure.. (4, Insightful)

Amoeba (55277) | more than 10 years ago | (#9831696)

Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is this guy on crack?

There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).

This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?

You are purposefully misunderstanding his point. He was not stating that Windows is "harder" than unix to secure, merely that the "average" unix user will generally have a deeper understanding of how the underlying OS works as opposed to an "average" Windows user. Think about it.

Unix has a larger barrier of entry in terms of learning the OS and understanding how it works until you get to a point where it is "usable". Windows on the other hand has a much lower barrier of entry and a deep understanding of the underlying actions of the OS are not required in order to utilize the system. As a result the complexity of securing unix systems is not as complex to the average unix user since they already have overcome that initial large barrier whereas Windows is more complex to the average windows user because they are faced with a magnitude of complexity they normally do not see.

I do agree with you that Windows can be locked down thoroughly and be just as secure as a unix machine.

A friend once told me (1)

Prince Vegeta SSJ4 (718736) | more than 10 years ago | (#9832060)

He was not stating that Windows is "harder" than unix to secure, merely that the "average" unix user will generally have a deeper understanding of how the underlying OS works as opposed to an "average" Windows user. Think about it. The difference between Windows users and Unix (Linux) users, (and the reason Linux boxes tend to be more secure) is that Winodws users install drivers - Linux users write their own drivers. This was true at his company, at least. (he manages routers, etc at a fortune 500 securities trading company).

Summary (3, Insightful)

Anonymous Coward | more than 10 years ago | (#9831224)

Windows enables things by default that enable exploits. This is done for ease of use. Users can make Windows secure.

*NIX disables things by default. This is done for security. Users could make *NIX insecure.

The number of different *NIXs makes it tedious to create viable exploits.

In spite of what the guy says, I think most of us already knew this stuff. Have I missed anything?

Re:Summary (1)

fimbulvetr (598306) | more than 10 years ago | (#9831602)

I'm a huge *nix fan, but I call bs.

Ever try Solaris? Even seen what that has enabled on the default install? How about HPUX? Perhaps even SCO?
Redhat 7.2? All of these have more than 5 remote root exploits out of the box.

Re:Summary (2, Informative)

jimicus (737525) | more than 10 years ago | (#9831704)

Redhat 7.2

Play fair. The article discusses Win2K and XP. RedHat 7.2 is a few years older than XP, and predates RedHat deciding not to enable everything by default.

Good Read (-1, Redundant)

myte (799564) | more than 10 years ago | (#9831241)

This looks like a real informitave read for the little that I have looked at. They seem to have done some research on this. Kudos guys.

The core security problem with Windows. (4, Interesting)

argent (18001) | more than 10 years ago | (#9831307)

The core security problem with Windows is that Microsoft has been unable or unwilling to take advantage of the core security capabilities of Windows.

It's more than just the fact that there are existing applications that expect to have write access to system directories and do other dengerous things, it's that Microsoft doesn't seem to be able to respond appropriately. For example, our early Citrix-based server showed the path to solving the problem of writing to system directories... it mapped system write access into the user's profile, and you had to switch to an explicit "installer" mode to actually modify things in the system.

Microsoft owns that code now, it's surely in Terminal Server, but instead of implementing it they created a high level workaround... the sort ofthing you'd expect to see coming from a third party... that monitors the system and puts files back when they change. This not only breaks more applications than the old Citrix-style code did, but it provides another hiding place for viruses that manage to infect the repository or trick the system into backing them up.

Similarly, the whole protocol/handler problem in Internet Explorer... or rather the Microsoft HTML control... (and being inexplicably copied by Apple and the KDE people) could be almost completely prevented by simply making the protocol and helper application binding the responsibility of the application calling the control instead of making the control guess whether the application it's calling is hardened for use by untrusted pages, and if not then it has to guess whether the page it's displaying is trustable or not.

A better article on Solaris 10 security (3, Informative)

sczimme (603413) | more than 10 years ago | (#9831328)


is here [securityfocus.com] .

As an aside, items like ASET and RBAC are not new for S10; IIRC they have been included since S8.

Or instead of reading about these things, individuals can download the Solaris 10 Beta 5 ISOs and try them out. Go to this page [sun.com] and scroll to the bottom to Solaris Express.

CC evaluation? Orange book? (3, Informative)

winchester (265873) | more than 10 years ago | (#9831338)

I more or less disagree with him on his treatment of the Windows adherence to the CC and Orange book standards.

Even though Windows 2000 is EAL 4+ certified, that doesn't mean it is a secure system. On the contrary, the protection profile Microsoft chose to use specifically states that the threats Win2k should guard against do not include either malicious outsiders or malicious users.

A more or less similar situation exists when we regard the C2 certification for Windows NT. That certification is obtained only when using a NT 4 system with several subsystems removed and no network access.

Both certifications sare the facts that a very specific hardware-software combination has been audited. This is so extreme that EAL 4+ is only valid for a Windows 2000 system with a very specific set of patches applied (SP2 and 1 patch IIRC). In other words, totally useless for any serious real-world application.

Re:CC evaluation? Orange book? (4, Insightful)

arivanov (12034) | more than 10 years ago | (#9831550)

These evaluations are evaluations on procedures in handling data. They are not evaluations on system breakability and security against unauthorized break-in as such. They are evaluations on suitability of a system to handle confidential data according to some predefined requirements.

Basically a EAL or Orange book certified system will not allow casual transfer of data from a higher security level to a lower security level. That is the core of the qualification concept. All the stuff about admin roles, etc is just fluff oriented towards managing the concept and the granularity to which it is managed.

After the wave of buffer overrun hacks that followed the publishing of Alef1's paper "Smashing the Stack for Fun and Profit" in 1996 I had a conversation with the security head of a bank-to-bank transfer house head of security. We were discussing what can we do about intrusions like this. His first suggestion was to raise the security level to B1 or higher. At which point I had to point to him that all intrusions were circumventing the security mechanisms, not breaking through a problem in them so the Orange Book level of security did not bloody matter at all.

On a similar note, Old SCO OpenServer 3.x which had C2 certification was quite hard to hack in its normal mode of operation. Raising the system to C2 and the enabling of roles required to do so made the system a walkthrough. It took me around 5 minutes to get root on it by doing casual operations, no real hacking involved.

Re:CC evaluation? Orange book? (1)

McMuffin Man (21896) | more than 10 years ago | (#9831787)

Having taken a couple products through Common Criteria (CC) certification, I can tell you that every CC certificate out there applies only to a very specific set of patches (that's a requirement of the certiication process), and that every Protection Profile (PP) I've read is either full of holes or so tight as to make a system useless without violating the configuration spec. Admittedly, some are more full of holes than others, but your presentation makes it sound like the flaws inherent in the process are specific to Microsoft.

Another reply to this thread seemed to confute Orange Book and CC. While a CC PP can be defined to focus on protection of confidential data (and even to mimic Orange Book style MLS), that is not a basic limitation of CC. Most firewalls that are certified, for example, have PP's that cover protecting the security policy from alteration by unauthorized entities.

Solaris 10 is so nice (1)

chegosaurus (98703) | more than 10 years ago | (#9831377)

I'm very impressed with zones, the resource control and monitoring are even better than in 9, dtrace is just about the coolest thing I've ever seen on Unix, and zfs and the souped-up NFS look great too. (Though I haven't had the chance to play with those yet,)

Nice to see Sun can still innovate.

frustrated with "anti"-virus on Windows (4, Interesting)

spoonyfork (23307) | more than 10 years ago | (#9831574)

I'm still getting MyDoom.o [mcafee.com] emails. It spread like wildfire inside the company I work at. No update pushed to McAfee on workstations until the next day after the infection. After... the barn door is already open and horses are gone. Be sure to shut that barn door after everything is compromised.

On this Windows box at work I'm protected from thousands upon thousands of viruses except the one that gets written tomorrow and the idiot that opens its brilliantly socially-engineered email attachment.

This is rhetorical and wishful: when are we going to get some anti-virus software that protects us before an outbreak?


(please don't say don't run Windows, it is realistic but not realistic today right here)

Re:frustrated with "anti"-virus on Windows (1)

Kristoffer Lunden (800757) | more than 10 years ago | (#9831765)

I know a lot of people that use Windows, and use it in large "Joe User"-offices, that never ever gets any viruses.

This is due to two things: Behaviour and a Personal Firewall. Most of these people also runs anti-virus software, but it is never needed - still, it feels safe to have and can't really hurt (other than costs). Behaviour means not doing too much stupid stuff, and it often but not always include not using Outlook or IE, at least too much.

Check out some software firewall, Kerio [kerio.com] used to be a good choice when I ran Windows, although I've heard the newer versions are pretty bloated and stupid. There are others as well.

That, together with some simple common sense keeps a lot of people very safe.

Re:frustrated with "anti"-virus on Windows (1)

t1m0r4n (310230) | more than 10 years ago | (#9832108)

I'm still getting MyDoom.o emails. It spread like wildfire inside the company I work at....
This is rhetorical and wishful: when are we going to get some anti-virus software that protects us before an outbreak?
(please don't say don't run Windows, it is realistic but not realistic today right here)

When you say, "don't run Windows", do you mean on the mail server? Off the top of my head, I know of this procmail tweak [impsec.org] which can do wonders to stop new virus type threats when set up wisely. I've seen it put to good use at a few places that use Windows desktops. I would imagine that if one was a bit clever, there should be a similar solution on Windows servers also.

Re:frustrated with "anti"-virus on Windows (1)

mrroach (164090) | more than 10 years ago | (#9832430)

One tactic that I have used successfully for some time is to "sanitize"[0] potentialy destructive attachments on incoming emails.

This means that .exe files get renamed to whatever.exe.bin and the content type gets changed to application/binary. This way a user has to really want to run that executable, and know how. I also have it dig into zip and tnef files and do the same there.

Now that I think of it, this is sort of a poor-man's executable bit. It doesn't actually prevent execution, it just adds another step (that isn't just an "are you sure?" dialog) to the process.

-Mark

[0] http://www.impsec.org/email-tools/procmail-securit y.html [impsec.org]

Fr0st pist. (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#9831659)

Wash off hands of *(BSD asswipes America. You, [nero-online.org]. Will not work. And

Windows will be secure, next time! (1)

Bwerf (106435) | more than 10 years ago | (#9831737)

A very interesting thing about the comparison in the end of the article is that he looks at all the different OSs as they are right now. Except for MS Windows, where he says, it has good chances of being secure when the next SP is released... Isn't this always the case with MS products? "we know something is f*cked up, but it will be fixed in the next version, promise!".

Maybe he's just propagating what MS is saying there though, since the rest of the analysis doesn't suffer to badly from this.

Re:Windows will be secure, next time! (0)

Anonymous Coward | more than 10 years ago | (#9832464)

Sätt dig själv i centrum, slå följe med A-lagarna

Skål på dig!

Mac security circumstances? (2, Informative)

Anonymous Coward | more than 10 years ago | (#9831903)

The security "philosophy" of the Mac platform, and of the Mac community, is immature yet. While Mac OS X has a good amount of circumstantial immunity against malware, it is significantly lacking in its security paraphernalia as compared to the cutting edge feature-set found in its competitors. The difference is more stark on the server side, where the competition is stiffer.

Isn't this argument sort of like saying that Macs are only secure because they are obscure?

I have read [theregister.co.uk] OS penetration has little to do with security. Additionally, with Mac OS X there is a BSD underpinning that utilizes ipfw. OS X is shipping with a strong firewall built in, that doesn't seem circumstantial to me. Does this mean the the BSD's are also circumstantially secure?

I am not saying OS X is completely secure, I have seen the recent exploits, but certainly Mac OS X security is methodical and planned since its roots are from a relatively secure BSD.

Maybe I am reading too far into the above statement. I am not more educated in this subject than the author, but it certainly seems like an unfair treatment of a relatively secure OS.

It managed to crash IE six times while printing (1)

TrogL (709814) | more than 10 years ago | (#9831932)

No, I can't install anything else, I don't manage this desktop. I do UNIX for a living. The printed output also looks horrible. Be that as it may, an excellent article. I could have spent all day meandering around his site. I did read most of the history of Apple and a bit about Mac operating systems, but duty calls.

Oh-oh (1)

Anonymous Coward | more than 10 years ago | (#9832077)

If you folks are ANYTHING like me, the first thing you read was the section Windows-v-UNIX. The author's points were non-biased and well thought out. That 'forced' me to read the rest. The article is now being routed through all my buds (PHBs, UNIX and Windoze Sys Ads, Developers), both in company and in other venues. A lot of 'intelligent' conversations will be started on this subject - again! It is unfortunate that some of us keep trying to get proof for our point of view instead of trying to see the other side of things.

Misinformations Synthedic fluff? (1)

LifesABeach (234436) | more than 10 years ago | (#9832285)

"Most notably it includes probably one of the most fair and intelligent analysis of the Unix-Vs-Windows security issue that I have ever seen."

after reading the anchor i can only conclude the following:

1. the author makes references to certain things about windows that i cannot easily verify. why?

2. there is a great deal more said of apple computers than linux in a comparison of windows vs. linux. why?

3. as for 'C2' clearance, that was 10 years ago, and on 'NT' which is not supported any more. what is the point of discussing DOD clearances of windows, but not of linux?

the article is a fine begining, but it appears to be still an unfinished work in progress. i hope to get a chance to read the final work.

Eye Candy... (1)

kevin_conaway (585204) | more than 10 years ago | (#9832386)

The material on his site is good but his layout has way too much eye candy. To me, its very visually distracting and hard to focus on the content of his article...thats just me though :)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?