Vista Security — Too Little Too Late

kdawson posted more than 7 years ago | from the five-years-work dept.

Windows 483

Thomas Greene of The Register has a fairly comprehensive review of Vista and IE7 user security measures. The verdict is: better but not adequate, and mostly an attempt to shift blame onto the user when things go wrong. From the review: "[Vista is] a slightly more secure version than XP SP2. There are good features, and there are good ideas, but they've been implemented badly. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."

483 comments

Vista security is.. (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18094688)

.. A Dialog box asking if you wish to run the exploit or not.

And it is the first thing to be disabled for sure.

Re:Vista security is.. (5, Insightful)

madcow_bg (969477) | more than 7 years ago | (#18094930)

If that was it, then the security team has won the game!
Alas... I think it is asking for everything, therefore asking for nothing. An automatic OK is just as bad as no confirmation asked. Even worse, IMHO.

Re:Vista security is.. (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18095092)

Sounds like perhaps, they didn't do the most obvious thing, and kill ActiveX. There is absofuckinglutely no reason for a web page to execute native code. I'd say use C#, but from what I understand they didn't properly sandbox that for the web either. If we could at least get through to the web designer community, that might help. No respectable web site should use ActiveX. Period.

Re:Vista security is.. (0, Troll)

rbarreira (836272) | more than 7 years ago | (#18095120)

That's just part of the security, if you had RTFA you might have learned a few things. Besides, most people probably don't even care/know how to disable UAC, so I doubt that will be a big problem...

Re:Vista security is.. (4, Insightful)

KingSkippus (799657) | more than 7 years ago | (#18095262)

if you had RTFA you might have learned a few things. Besides, most people probably don't even care/know how to disable UAC, so I doubt that will be a big problem...

My sarcasm detector is a little wonky today, so I apologize in advance if that's what that comment was. Otherwise...

Did you RTFA? If you did, it vehemently disagrees with what you said.

In fact, UAC is the most complained-about new feature of Vista, and most people are disabling it as soon as possible. Why? Because MS still encourages the owner to set himself up as the admin, and work from that account. And when you're running in an admin account, UAC is nothing but a bother. Every time you try to take an action, and this could be as simple as opening something in Control Panel, UAC disables your screen and pops up a little dialog asking you if you really want to do what you just did. A pointless irritant that will cause the vast majority of Vista users to disable UAC, because the vast majority of Vista users will, unfortunately, be running as admins, thanks to MS's stubborn refusal to try to put everyone into a user account to the extent possible.

(emphasis mine)

Re:Vista security is.. (1)

rbarreira (836272) | more than 7 years ago | (#18095298)

Err, that sentence started with "Besides", it doesn't mean that I agreed with everything the article said. I'd actually like to see some proof that most people are disabling UAC. If it's true, I'll stand corrected...

With my first sentence, I meant that the GP post was wrong in saying that UAC is the only security feature in Vista.

The OS that cried "wolf!" (4, Insightful)

KingSkippus (799657) | more than 7 years ago | (#18095182)

This is exactly what Vista security is.

My main problem with Vista security is that it is an OS that cries wolf. When I installed Vista, I had to click no less than 50 security confirmation dialog boxes (it's important to note that these were security dialog boxes) within the first hour or so in order to do simple, stupid stuff that clearly should not have needed confirmation. Stuff like changing my desktop background. Stuff like moving some documents around on a removable hard drive. Stuff like copying a line of text from an IE7 edit box. Stuff like pasting that line of text into a different IE7 edit box. Stuff like creating a new text file on my removable hard drive. And so on, and so on, ad nauseam.

This isn't security. This is constant aggravation, and yes, I cannot imagine any normal user calling their geek friend after five minutes and saying, "How do I turn this damn thing off?" Even if they don't, they "mentally" disable it by simply clicking Allow without thinking. Hell, I'm a computer expert, and I did it. "You are installing the pwnzj00 virus." Allow. "You are sending your bank account numbers to Nigeria." Allow, allow, allow, dammit! Leave me alone!

I try to give Microsoft the benefit of a doubt. I'm not a zealot or a Microsoft basher, seriously. I think they've put out some good software, but on this point, I have to agree with the folks who are saying that Microsoft isn't serious about security, they're simply trying to push the blame for when things go wrong onto the users.

There's no way in hell that they could have conducted any usability tests and found the current scheme acceptable. But they still let it out the door, most likely to meet some sort of artificial management deadline to keep the OS from shipping any later than it already had.

So now, we've gone from OSes that never alert you to potential security risks to an OS that is even worse because it alerts you to everything, security risk or not.

I'll be interested to see how Microsoft tries to fix this mess, both from a technical standpoint and a PR standpoint.

Vista Security -- Too Little Too Late.... (2, Funny)

consumer_whore (652448) | more than 7 years ago | (#18094698)

I'm shocked at these allegations!!!

Re:Vista Security -- Too Little Too Late.... (4, Funny)

jdwest (760759) | more than 7 years ago | (#18094724)

Vista reviewers are coming to a sad realization.
Cancel or Allow.

Re:Vista Security -- Too Little Too Late.... (4, Funny)

minus_273 (174041) | more than 7 years ago | (#18094790)

allow...

Re:Vista Security -- Too Little Too Late.... (3, Funny)

HTH NE1 (675604) | more than 7 years ago | (#18095002)

Vista reviewers are coming to a sad realization.
Cancel or Allow.


Uhm... Retry?

Re:Vista Security -- Too Little Too Late.... (2)

boyfaceddog (788041) | more than 7 years ago | (#18094732)

You said it. This is a big yawn. The only story I want to hear about Vista security is what it fixes. We already know what Microsoft broke.

You are in the right place for that. (2, Insightful)

twitter (104583) | more than 7 years ago | (#18095028)

The only story I want to hear about Vista security is what it fixes. We already know what Microsoft broke.

I've been telling you for years and I'll tell you again. The fix is:

Diversity is the only solution to internet security. The user gains immediate security in the short term. The community gains security in the long term as weak platforms are eliminated and can no longer be used to attack strong ones. Everyone wins when the monoculture ends. Free software provides both transparency and a diversity of hard targets. Confronted with rising costs, criminals will go back to their usual meat space businesses.

Re:You are in the right place for that. (1)

rbarreira (836272) | more than 7 years ago | (#18095166)

Do you know how to read a question?

Re:You are in the right place for that. (1)

magicchex (898936) | more than 7 years ago | (#18095168)

fix /fiks/ verb, 1. to repair; mend.

fix /fiks/ noun, 28. Informal. a repair, adjustment, or solution, usually of an immediate nature.

And now that I've done my douche-bag move for the day, I can rest easy till tomorrow.

Fixing Windoze (-1, Flamebait)

twitter (104583) | more than 7 years ago | (#18095308)

Someone who thinks they are a douche-bag defines fix

fix /fiks/ noun, 28. Informal. a repair, adjustment, or solution, usually of an immediate nature. And now that I've done my douche-bag move for the day

I was talking about fixing your computer and internet security. If any of the six click installs available are not immediate enough, I'm not sure what is. No one can fix Windoze because it's not free. If it was free, it would look like ... gnu/linux by now.

Have a little more respect for yourself.

Vista Bashing For Nerds (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18094710)

Will there be no end to the endless Vista bashing from Slashdot?

You'd almost think they'd have an agenda in badmouthing Vista and promoting Linux.

Or wait, Microsoft is also one of the biggest sponsors of this site. I guess they have no problem loathing MS and taking their money.

Re:Vista Bashing For Nerds (0)

Anonymous Coward | more than 7 years ago | (#18094730)

You'd almost think they'd have an agenda in badmouthing Vista and promoting Linux.

Yeah. It's almost as if a lot of people who use this site like Linux or something. I am as baffled as you on this matter.

Microsoft is also one of the biggest sponsors of this site. I guess they have no problem loathing MS and taking their money.

Why would that be a problem? If Microsoft are a big enough bunch of suckers to pay money for advertising on a website where it is highly likely to be ignored, let 'em.

Re:Vista Bashing For Nerds (0)

Anonymous Coward | more than 7 years ago | (#18095056)

Yes, I am sure OSTG's Master Plan is far more insidious and underhanded than Microsoft's. Slick OSTG executives have been hoodwinking poor old babes in the woods Microsoft with their confiscatory advertising practices.

Stupid Microsoft! You know what you doing!?!?

Re:Vista Bashing For Nerds (0)

Anonymous Coward | more than 7 years ago | (#18094736)

Ahahah Microsoft sponsors a site which is bashing them! They are sooo stupid! Shame on Microsoft!

Why should they have a problem? (1)

geoffrobinson (109879) | more than 7 years ago | (#18094746)

If Microsoft wants to advertise here, to a crowd that largely doesn't care for them, more power to them.

And if Slashdot wants to take their money and then be critical of them, what's the problem with that either?

And there doesn't seem to be an official Microsoft stance on Slashdot anyway.

Re:Why should they have a problem? (5, Funny)

Architect_sasyr (938685) | more than 7 years ago | (#18094834)

There doesn't seem to be an official Slashdot stance on Microsoft either... about the only thing you *do* notice is that most of the windows supporters post as AC's...

Back on topic: Vista tests for my corporation have been far from impressive in both security and performance. I'll stick with the XP Upgrade method I think. "Skin XP to look like Vista... open up the case, remove half the RAM and clock the CPU back a few notches"

Re:Why should they have a problem? (1)

gEvil (beta) (945888) | more than 7 years ago | (#18095150)

Hey thanks! You just saved me 400 bucks. : D

Re:Why should they have a problem? (0)

Anonymous Coward | more than 7 years ago | (#18094874)

Why? So far, Microsoft has NOT invited independent, unindentured, un-gagged security experts to review their offerings, and it's probably too late to see the dividends from the ex Sysinternals people. They like to sell security, but as the three pigs know, straw house and stick houses are not good enough. Vista is no brick house, so it stays in the sh.. house. One presumes there is commercial pressure to leave fluffy services wide open, pandering to advertisers and CRM want-to-bes.

Limited User Accounts (0)

Anonymous Coward | more than 7 years ago | (#18094728)

What I don't get is why they don't make the user a limited user to begin with. It's all implemented - requiring an admin password to do _admin tasks_ as a limited user, but they make the default user an admin. And, honestly, the User Access Control is pretty silly if you're an administrator, ne?

Re:Limited User Accounts (0)

Anonymous Coward | more than 7 years ago | (#18094858)

What I don't get is how people like you comment on things you know so little about.
All users on Vista (even administrator) are restricted.
If you are an administrator you are prompted to do administrator tasks; if you are logged in as a regular user you are prompted for an admin account's credentials.

Re:Limited User Accounts (3, Informative)

SCPRedMage (838040) | more than 7 years ago | (#18094878)

With UAC on, the only difference between an admin account and a limited user account is that Windows doesn't ask for a user name and password when you need to use admin rights; it just asks you to OK it. Unless you OK admin rights to an app, you're still running with limited user rights.

If someone figures out an exploit to make that "OK" automatically, yes, running as admin will be significantly less secure. Until someone figures that out, though, running admin with UAC on is just as secure as running as a limited user.

And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux? Linux will do the SAME DAMN THING as Vista's UAC. It'll make the SAME prompts when trying something that requires admin rights as a limited user. The only difference is that Vista gives you the prompts while running as root, too. You can't blame M$ if stupid users disable security features they find "annoying" while praising Linux for doing the same thing.

Re:Limited User Accounts (3, Insightful)

Anonymous Coward | more than 7 years ago | (#18095314)

"And as far as users finding UAC "annoying", riddle me this: how is any more annoying than Linux? "

Piece of cake.

UAC annoys you when you try to run a setup program, _any_ setup program, for whatever reason, even a screensaver or desktop picture if it is a setup format.

In Linux you are not asked root's password to change desktop picture or installing random program and that's a major difference. Installed program has user account rights, but _that's the assumption_ and most programs respect that and, contrary to MS-systems, _can be installed and run_ just on user rights.

In MS-environment, _every_ program_ _must have_ (major) write-access to registry and system directories -> UAC every time you try to install or change anything. That's a _big_ difference. Like 1 to 100.

The idea that every program may write whatever they want in registry is outrageous. Only an idiot could design something like that.

Re:Limited User Accounts (1)

jimstapleton (999106) | more than 7 years ago | (#18094978)

There are so many poorly written applications, from the bad ol' 9x days, or programmers who program like it's the bad ol' 9x days, that people often need admin just to use the application, because it wants to write files to protected parts of the FS, or to the registry. You can use tools like filemon and regmon to find this, but it's a pain in the butt to find/fix it.

I just sent a suggestion to Microsoft. A virtual registry/file directory structure stored in each user's profile, under the local settings folder. Whenever they try to write to one of those where they don't have privileges, it instead writes to the virtual system, transparently. If they have their settings set right it may prompt them to optionally write to the virtual system or fail, but most users won't want this, so it ought to be off by default IMO. Next, since the directory/registry-key structure is cached in memory (not the actual files!), or cached on a quick-to-read file if there isn't enough memory, it shouldn't add too much latency for the read-check. People who find they aren't using it should be able to turn the whole thing off without needing to give themselves administrator to keep the system working.

Re:Limited User Accounts (1)

drsmithy (35869) | more than 7 years ago | (#18095236)

I just sent a suggestion to Microsoft. A virtual registry/file directory structure stored in each user's profile, under the local settings folder.

Congratulations. You've just suggested to Microsoft they do exactly what they've already done in Vista.

Re:Limited User Accounts (1)

jimstapleton (999106) | more than 7 years ago | (#18095330)

Really? I've never once seen documentation of this feature, got a link? Does it automatically shunt file-write attempts to there if done by an underprivileged user? Does it read from there first (if something exists) rather than from the file elsewhere?

Re:Limited User Accounts (1)

Pope (17780) | more than 7 years ago | (#18095238)

Isn't %APPDATA% similar to what you're talking about? Except, of course, that APPDATA is hidden from the user, and so impossible to properly back up unless you already know the ins and outs of what MS hides from the user.

Re:Limited User Accounts (1)

jimstapleton (999106) | more than 7 years ago | (#18095310)

No, that still has to be programmed manually.

This would be in the lower levels of the operating system on an fopen type call.

fopen -> do you have privileges?
    yes -> write file
    no -> check to write to the virtual setup
        yes -> write to the virtual setup
        no -> fail with a no privileges error.

So legacy programs (or poorly written non-legacy programs) will still work, even if the coder doesn't know about %APPDATA%.
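
The redirect-on-write flow sketched in the comment above, as an added example that is not part of the original post and is not Windows code: a toy in-memory model that also covers the follow-up question of whether reads come from the redirected copy first. `PROTECTED`, `User`, `FileSystem` and `shadowed` are hypothetical names, and the rule that elevated users bypass the virtual store is an assumption of the model.

```python
"""Toy in-memory model of redirect-on-write (constructed example)."""
import posixpath

# Hypothetical protected prefixes; only elevated users may write below them.
PROTECTED = ("/system", "/programs")


class NoPrivilege(PermissionError):
    """Write denied and redirection is switched off for this user."""


def normalize(path):
    # Resolve "." and ".." before any policy decision, so that
    # /home/u/../../system/x is judged as /system/x.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path):
    path = normalize(path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


class User:
    def __init__(self, name, elevated=False, virtualize=True):
        self.name = name
        self.elevated = elevated      # assumption: elevated users skip the store
        self.virtualize = virtualize  # the per-user on/off switch from the post
        self.store = {}               # per-user virtual store: path -> bytes


class FileSystem:
    def __init__(self, files=None):
        self.real = dict(files or {})  # the shared, real tree

    def write(self, user, path, data):
        """Return 'real' or 'virtual' depending on where the data landed."""
        path = normalize(path)
        if user.elevated or not is_protected(path):
            self.real[path] = data
            return "real"
        if user.virtualize:
            user.store[path] = data    # redirected, invisible to other users
            return "virtual"
        raise NoPrivilege(f"{user.name} may not write {path}")

    def read(self, user, path):
        """Non-elevated users see their own redirected copy first."""
        path = normalize(path)
        if not user.elevated and path in user.store:
            return user.store[path]
        return self.real[path]


def shadowed(fs, user):
    """Paths where the user's private copy hides different real content."""
    return sorted(p for p, data in user.store.items()
                  if p in fs.real and fs.real[p] != data)


if __name__ == "__main__":
    ini = "/programs/app/settings.ini"
    fs = FileSystem({ini: b"default"})          # constructed sample data
    alice, bob = User("alice"), User("bob")
    admin = User("admin", elevated=True)
    print(fs.write(alice, ini, b"alice"))
    print(fs.read(alice, ini), fs.read(bob, ini))
    fs.write(admin, ini, b"patched")
    print(fs.read(alice, ini), shadowed(fs, alice))
```

The final lines show the cost of the design: after an elevated update the non-elevated user keeps reading a stale private copy, so an inventory of shadowed paths is worth keeping.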

Re:Limited User Accounts (5, Interesting)

DrPizza (558687) | more than 7 years ago | (#18094982)

They don't do it because typing a password is too damn annoying.

UAC is still useful as an Administrator. Until you elevate your privileges, a UAC user *is* a regular user (essentially they have two possible tokens, a regular user token and an Administrator token, and unless you elevate, they're using only the regular user token). This means that the "protection" that it offers is the same; what differs is the ease with which you can switch between the two kinds of user (click a button vs. enter a password). So I don't think that's actually a huge problem.

Whenever something is done for which the regular user token isn't good enough, you can elevate to an Administrator token. That brings up the UAC prompt; it does it for broadly the same category of operations that MacOS X or Linux will demand root access for.

The thing is, the prompt is quite annoying. It's not any more annoying than it is on other OSes; they're annoying too. But a password is even more annoying than clicking the box. And if something is annoying, well, people are going to try to avoid it.

That's the dilemma faced by MS. If they make the thing too annoying, everyone will one way or another disable it. Originally UAC not only required a password, but also a ctrl-alt-del (so that the password couldn't be intercepted or anything). ctrl-alt-del to enter the password was too annoying; it was too intrusive. So they disabled that by default (though you can reinstate it if you want, through a GPO). Entering a password by default was also too intrusive, so again, they disabled it by default (and again, you can reinstate it across the board, even for Administrators, if you want). The reason they did this is because they want the level of annoyance to be livable. If UAC is so annoying that people outright disable it, it's useless. If it's a minor annoyance, they probably won't turn it off.

I've been using Vista since it went RTM, and I have to say, I don't see many UAC prompts any more. I did at first, when I was installing all my software, but now, it's pretty infrequent. It's certainly something I can live with. I did try cranking it right up--passwords for all users, with ctrl-alt-del to enter them--but it's far too annoying to put up with. I can't really fault MS for making the trade-off the way they made it. Hopefully, as applications improve, elevation prompts will become more infrequent (for example, I have to elevate to play Battlefield 2, because Punkbuster "needs" admin rights... this is something that they really need to fix), and when this happens, demanding a password to elevate won't be so onerous. But as things stand right now, there are just too many problematic applications. This isn't really MS's fault (it's not like NT's DAC is new...), but it is something that they've got to live with, and provide a solution for.

ubuntu does the same thing too. (1)

Type-E (545257) | more than 7 years ago | (#18095000)

When you first install Ubuntu, you will be prompted to create a user during installation; that user is automatically placed in the sudo list. When you try to configure something that requires admin privilege, it will prompt you for your password. The same goes for the command prompt: you will need to put sudo in front of the command to get admin privilege. However, for Linux, your window manager would remember your elevated privilege for a while so the same task would not ask you for the same login/password again for a while. For Windows, it keeps coming back again and again.

Re:Limited User Accounts (1)

drsmithy (35869) | more than 7 years ago | (#18095204)

What I don't get is why they don't make the user a limited user to begin with.

It is.

Administrator in Vista != Administrator on XP (or earlier)

dear lord... (4, Insightful)

tomstdenis (446163) | more than 7 years ago | (#18094744)

can't believe I'm speaking up for Vista but ...

User security, is like car safety. It's nice to design for "in case shit happens" but if you drive like a lunatic, you're likely to get hurt.

I think a large part of security involves the self. People don't do enough thinking, and are too lazy to follow simple security procedures. No automated tool or system, that allows some freedoms can protect people entirely. Think about it, the OS'es solution to malware? Only allow MSFT signed binaries to run. But this is horrible as it means only MSFT can authorize binaries and it cuts out 3rd party developers.

At some point the users themselves have to stop and learn how to use their computers properly, if they want to use them. If they're too lazy to figure it out, *and* demand security, they should not use a computer.

Of course it's largely MSFT's fault for breeding a culture of contempt for knowledge. Oh look it's so easy anyone can use it with zero training.

Imagine if MSFT made automobiles (but with a yoke instead of a wheel/pedals, and other "standard improvements"). No training required!

Tom

Re:dear lord... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18094770)

Good idea. Let's lobby for mandatory computer licenses, with proper training and a test. People won't be allowed to use a computer unless they have a license.

This plan is sure to succeed.

Re:dear lord... (1)

celardore (844933) | more than 7 years ago | (#18094820)

Good idea. Let's lobby for mandatory computer licenses, with proper training and a test. People won't be allowed to use a computer unless they have a license.

This plan is sure to succeed.


Actually, this has already been done in Europe. [ecdl.com] The problem is that it's not mandatory, employers don't require it, and nobody gives a shit about it.

Re:dear lord... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18094958)

it's not mandatory, employers don't require it, and nobody gives a shit about it
And just as well too, given that the ECDL only tests if you have a basic understanding of Microsoft software. Making it mandatory would be tantamount to making using windows/office mandatory (well, more so than they are by default already.)

Re:dear lord... (3, Interesting)

tomstdenis (446163) | more than 7 years ago | (#18094822)

Well why not have it part of the school curriculum? When I went through school even keyboarding was voluntary. So in effect the majority of my fellow high school grads, knew JACK SQUAT about computers (we're talking circa 2000).

I don't think you can simultaneously pull on the resources of society when you fall victim to fraud, malware, or viruses (e.g. turned into a bot), and then reject learning how the tools work. Why should I pay interest rates, taxes, and other socially collected fees [ISP rates for instance] to cover for people who willingly put themselves into harm's way?

I never said we should have licenses though, you're putting words into my post (nice AC troll-fu btw). I just think society would be better served if as a whole, people had the first slightest clue about computers.

And it's not like the majority of folk don't want to use computers. So why is making it a mandatory part of the high school [or better yet elementary] curriculum such a bad idea? Of course, I'd love to see such curriculum not focus solely on Windows, maybe throw in OS X and a Linux distro for good measure.

Tom

Re:dear lord... (0)

Anonymous Coward | more than 7 years ago | (#18094918)

I'm not trolling, and I'm only AC because I can't remember my password and haven't commented in ages.

The point is, people are unwilling to learn about computers, because they have been presented as easy to use. You mentioned this a bit, in saying that MS is to blame for claiming they are easy to use, but should we really be saying they are difficult? Should they be difficult? Why?

The problem is that you have to try to explain things to people who don't care and don't understand. Without explaining the intricacies of DNS and the like, how can you explain to someone why they shouldn't be entering details into a site that is, to their eyes, their Internet banking site? The best you can do is tell them not to put details into any site that's linked to in an e-mail, but if that worked phishing would have stopped overnight.

People don't see any risk with computers, because there is no obvious danger, and certainly no physical danger, short of popping the cover and poking capacitors. Driving is completely different, because most everyone can fathom out that moving a tonne of metal at 50mph carries some risks. How is sitting at your desk looking at pr0n dangerous? There's no risk! To that end, it is certainly Windows' fault that malware can be drive-by installed just by you going to a certain website. What's up with that? It's all well and good saying a user should only go to reputable pr0n sites, but how the hell can they know which are legit? Moreover, I'd love to know how you plan to teach that one in your classes. I'd love to see that lesson.

People don't understand, don't want to understand, and don't care. They also don't have the time or money to spend on IT classes. They want to buy a £300 PC at PC World, surf pr0n, play a couple of games, then buy a new one when it's utterly screwed by malware a year down the line.

At the end of the day, the can has been open a long time and the worms are everywhere. Everyone has a computer, everyone is using Windows, everyone thinks they know what they're doing, and everyone's computer is screwed. Hyperbole? A bit, but it's not worlds away from the truth. We can't stop people using computers, and we're going to have a hard time educating them when they don't care.

I know I'm not presenting a solution, and I'm not really trying to, because I don't think there is an obvious solution, basically.

To the other poster who mentioned the ECDL... Near worthless. Half a dozen classes on how to turn a computer on, then you make a cookie cutter spreadsheet, letter to your mum and a powerpoint presentation. It's going to take an awful lot more than that for user related security problems to go away.

Re:dear lord... (3, Insightful)

tomstdenis (446163) | more than 7 years ago | (#18094988)

What I don't get about posts like yours is where this "must have a 6 year masters degree in comp.sci to understand how to use SMTP" comes from.

As a 11 going on 12 year old kid I was setting up nodes for transcanada, fidonet, tattlenet and the like for the BBS that my brother and I ran. We were routing mail from all over north america and even into europe (thank god for cheap long distance plans with upper limits).

If an 11 year old can figure out, on their own, without classes, how to route mail, surely to god a competent adult can figure out how to turn off HTML emails, not run attachments, not run as root all the time. Or are you saying adults are in general very very stupid and shouldn't be trusted?

Your comment about driving is lost on me. Most adults drive fairly poorly. Running stops, speeding, not giving right of way, etc. That there aren't more accidents than there currently are is mostly because people are good at avoiding them. It doesn't mean they're driving safe, it just means they know how to react when they're cut off, or pull a turn too quickly, or etc...

People in general just assume the world works for them and that putting any effort into anything is a sign of a weakness. If I have to learn how to use e-mail, it means I'm stupid or something, therefore I'll just pluck at it until I get my first chain letter [and then forward it off to 100 people] then I know I mastered email.

Tom

Re:dear lord... (2, Insightful)

SCPRedMage (838040) | more than 7 years ago | (#18095112)

Or are you saying adults are in general very very stupid and shouldn't be trusted?
If he's not, I am: people are Stupid. The vast majority have the potential to be Not Stupid, but the vast majority of THEM squander that potential.

I know, that's a dim view of humanity, but frankly, when I look at the world, that's what I see.

Re:dear lord... (2, Insightful)

planetmn (724378) | more than 7 years ago | (#18095016)

So why is making it a mandatory part of the high school [or better yet elementary] curriculum such a bad idea? Of course, I'd love to see such curriculum not focus solely on Windows, maybe throw in OS X and a Linux distro for good measure.

I would love to see computers taught more in schools, but there are a couple of problems with doing it right now (which isn't to say in 5 years these problems will still exist).

First of all, schools need to teach reading, writing, arithmetic, science, etc. You get the idea. Now you want to add an additional required subject to this. Keep in mind that everything that is being required to be taught, is being required to be tested. So, you mandate that schools spend an hour every week teaching computers. Where does that hour come from? Math? Science? And what happens when the students aren't doing as well on the standardized tests in the subject you've replaced? That's right, the teachers and schools get blamed, never mind the fact that a change was forced upon them.

Second, and in my opinion, the real problem. Who will teach these courses? Most people who are knowledgeable enough to teach these courses, don't teach. They can make much more money working elsewhere, and not have to deal with kids. Retraining teachers to teach computers could work, especially for basic tasks, but for more advanced subjects, they will not be adequate.

Third, exactly what do you teach? Not to install stupid programs? That's the biggest problem right there. It isn't that Windows is inherently insecure, most people use a firewall router, run anti-virus, etc. to protect their systems. The problem is that these people are infecting their systems through actions that they have taken.

I think it's important to teach computers, and not windows, but again, it's going to take somebody who knows what they are doing. And these people generally don't want to teach high school students when they could be making two to three times as much working elsewhere. To teach OSX, you now need additional hardware or you could use all Mac hardware (wouldn't Apple just love that) and install linux and Windows. So if you want to teach OSX, you've now tied the hands of the district and they can not look for competing vendors, they now must purchase hardware from Apple.

-dave

Re:dear lord... (2, Insightful)

tomstdenis (446163) | more than 7 years ago | (#18095084)

I agree that a focus on the basics is more important than computers or tech. (judging by the spelling errors in my post ... maybe I should have paid more attention hehehe).

But figure this out, you can do things like English and most sciences, with a computer. Typing up an essay, running numbers through a spreadsheet to get standard deviation, etc. Most uni students I know, have to have crash courses in computers because their professors expect them to use things like Fortran, maple, magma, etc.

Granted, I agree that a lot of things, like math, should be done manually at the early stages. Heck, I was going through elementary during the "calculator debates." (should we have calculators in classes before grade 6?). But once you hit high school, things like statistics are largely just a manual labour job and not actually a comprehension job. Like I know how the standard deviation works, but if you ask me to figure it out for a set of 30 numbers, I'm likely to typo a calculation or two. Getting the wrong result doesn't mean I don't know the technique, it just means the work is not suitable for humans.

The trick that adults give up on, is that children have a capacity to learn that can be untameable compared to adults. Add to the fact that they have all the time in the world to be a student (not like they have jobs or other responsibilities) and it's easy to see how they could pick up technology.

It isn't like computers are going to "go away" nor become any less entrenched in our society. So why not make it a part (but not the whole part) of the student experience?

Tom

Re:dear lord... (1)

planetmn (724378) | more than 7 years ago | (#18095292)

The trick that adults give up on, is that children have a capacity to learn that can be untameable compared to adults. Add to the fact that they have all the time in the world to be a student (not like they have jobs or other responsibilities) and it's easy to see how they could pick up technology.

You focus on the student side of the equation, which I agree, has room for the information. But not on the teaching side. There is infrastructure required (classrooms, equipment, support), teachers required (salaries, benefits, substitutes), etc.

But figure this out, you can do things like English and most sciences, with a computer. Typing up an essay, running numbers through a spreadsheet to get standard deviation, etc. Most uni students I know, have to have crash courses in computers because their professors expect them to use things like Fortran, maple, magma, etc.

Maybe my education was different. But we did utilize computers early on. I remember as early as first grade (1986) going to the computer lab to create a project on the computer (which to a six year old was an amazing and magic machine). This continued throughout my education. My high school actually did offer quite a few computer/technology courses, but they suffered by not having appropriate teachers. One course (something like writing for the world wide web or something - introductory web design) I "taught" because the teacher early on realized that I had more experience than he did in the subject.

I also wonder about the university students. I'm an engineer, which meant that I used a hell of a lot of Maple and Matlab during school. Crash courses weren't offered. If you are in a curriculum that relies so heavily on technology, you should have a basic understanding of technology (whether it's from high school courses, learning on your own, etc.). I don't think we need crash courses at a university level.

But once you hit high school, things like statistics are largely just a manual labour job and not actually a comprehension job. Like I know how the standard deviation works, but if you ask me to figure it out for a set of 30 numbers, I'm likely to typo a calculation or two.

My wife teaches reading. And to me (being the engineer), I didn't understand exactly what she was teaching. I figured, they learn the letters, the sounds, the words, the meanings. Simple. Turns out, there is a lot more to it than what I could think of. Same thing with math. It's amazing the number of people who can't get a rough idea of a valid answer. Your example of calculating the standard deviation by hand. Yeah, it's manual labor, you'd probably never do it in the real world. But, it does teach something. It is (according to a junior high math teacher) useful for teaching students how to estimate whether their answers are correct. In other words, ensuring they aren't off by an order of magnitude, and that the answer makes sense.

It isn't like computers are going to "go away" nor become any less entrenched in our society. So why not make it a part (but not the whole part) of the student experience?

You are absolutely correct. Computer skills are becoming more and more valuable all of the time. But a lot more students nowadays have access to computers without a specific computer course. Just about everybody has a home computer (obviously, this is going to vary due to socio-economic demographics). Most libraries have computers for anybody to use (and at least mine offers courses on how to use them). It's a different situation than it was when we grew up.

-dave

Math and Science aren't the only options (1)

rbarreira (836272) | more than 7 years ago | (#18095146)

So, you mandate that schools spend an hour every week teaching computers. Where does that hour come from? Math? Science?

I think it would be nice if it came from the Creationism Class :P

Re:dear lord... (1)

magicchex (898936) | more than 7 years ago | (#18095244)

Second, and in my opinion, the real problem. Who will teach these courses? Most people who are knowledgeable enough to teach these courses, don't teach. They can make much more money working elsewhere, and not have to deal with kids. Retraining teachers to teach computers could work, especially for basic tasks, but for more advanced subjects, they will not be adequate.
As a student finishing up an education degree and getting ready to teach preschool and kindergarten in underprivileged communities, as well as someone who knows other students, teachers, and a future-mother-in-law who teaches high school in one of the poorest school districts in the area, I can tell you that most teachers do not teach for the financial gain. I would hazard that at least 95% of good teachers could make more money doing something else, but we take pride in having a positive impact on so many people through teaching and helping out those who really need it. Yes, teachers are generally underpaid and underappreciated, but they still teach. This field will be no different than any other; those who already want to teach simply have another subject to consider for their career path. Please, society, realize that teachers DO deserve more... but don't worry about good teachers not teaching if you don't change the compensation any time soon. Teachers will continue to make sacrifices for the good of others, even as new subjects are introduced at younger levels.

Re:dear lord... (1)

jackbird (721605) | more than 7 years ago | (#18095344)

So why is making it a mandatory part of the high school [or better yet elementary] curriculum such a bad idea?

It's not necessarily, but you could say the same thing about driving, cooking/nutrition, personal financial management, media literacy, and lots of other life skills subjects that don't relate to standardized tests. The problems are time, money, qualified teachers, and politicization/monetization of most of the subjects I listed above (see your average school board meeting about the sex ed program for an example).

Re:dear lord... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18094842)

Of course it's largely MSFT's fault for breeding a culture of contempt for knowledge

I agree with all of it except this.

Give me a break, MSFT is THE REASON we have personal computers. Without them the computing world would not exist in its current iteration.

What would you have them do, restrict computer use to those who want to learn the fine details of security and system administration?

Think of it kinda like a car, you are basically saying the only people who should be allowed to drive are mechanics.

Re:dear lord... (1)

tomstdenis (446163) | more than 7 years ago | (#18094908)

MSFT is not the reason we have personal computers. TRS-80, Vic-20, Apple ][, Mac Lisa, etc... These were all computers that came before, during, after the inception of MSFT. None of which ran Windows (or MS-DOS). Sure, MSFT is a large player in the field, but to say we would not have PCs if it were not for MSFT is a huge stretch.

Why should consumers expect security if they don't know how to use the tools (and yes, an OS is a tool, not an adventure!). If anything, be upset at how apathetic people are towards general knowledge, curiosity, responsibility, and the like.

You can know a thing or two about cars, enough to both drive safely and responsibly without being a mechanic. If your car is running rough, or spouting out blue smoke, chances are you shouldn't be driving it. I couldn't tell you exactly what is wrong, but common sense says, if the car ain't acting like normal, it's worth investigating.

The reason people will run a car until the wheels fall off is because they're wilfully ignorant, apathetic, and lazy. It's not my fault if the tires fall off, it's Ford's for building a car that can't run unmaintained for 23 years.

It's not my fault my box turned into part of a zombie net, and my financial details have all been leaked, it's MSFT for allowing me to run every random binary off the net, for me running them as admin instead of a user, etc, etc, etc.

If the very basics of using a computer such as, not running as admin, or not reading HTML emails with ActiveX turned on is too complicated, maybe you should resort to snail mail and "the price is right" on the TV. At least that won't contribute to the mass of spam that hits my inbox every day.

Tom

Re:dear lord... (0)

Anonymous Coward | more than 7 years ago | (#18095042)

it's MSFT for allowing me to run every random binary off the net, for me running them as admin instead of a user, etc, etc, etc.

First, let's not get into a debate about who is the bigger player in the development of modern personal computing.

Second, I'm sorry, you are just plain wrong. Is it the car company's fault you can put other liquids in your gas tank and ruin your car, is it the car company's fault your car can exceed the speed limit and you can get a ticket for it, is it the car company's fault that even though the oil light on your car is on it still runs and gives you a chance to kill it for good?

FUCK NO. It is your fault, all your fault.

Stop blaming MS and put the blame where it belongs, the user, plain and simple.

And to go with an earlier joke, I have just shown you the error of your ways, Cancel or Allow.

Re:dear lord... (1)

tomstdenis (446163) | more than 7 years ago | (#18095102)

Um, what? My point was that the users have to take responsibilities for their actions. Thank you for arguing my point.

Tom

Re:dear lord... (0)

Anonymous Coward | more than 7 years ago | (#18095214)

Of course it's largely MSFT's fault

Sorry, I guess that statement threw me off a bit.

Re:dear lord... (0)

Anonymous Coward | more than 7 years ago | (#18094860)

I fear you didn't actually read the article. Doing so would mean you would understand that the way MS has implemented the new "security features" actually gives users little choice but to "drive like lunatics" as the alternative is having a computer that won't function properly with the apps they want to run. But at least MS can then say "it's your fault, you were the one driving like a lunatic!".

Vista - just don't.

Re:dear lord... (1)

jimicus (737525) | more than 7 years ago | (#18094898)

Imagine if MSFT made automobiles (but with the a yolk instead of a wheel/pedals....)

But wouldn't you get covered in bits of egg?

Re:dear lord... (1)

tomstdenis (446163) | more than 7 years ago | (#18094934)

Teach me to post when hungry... I of course meant a yoke.

Tom

Re:dear lord... (5, Funny)

Zebra_X (13249) | more than 7 years ago | (#18094920)

Imagine if MSFT made automobiles

It would be pretty horrific...

Are you sure you want to unlock your car? (Yes/No)
Please confirm this action: Start car (Allow/Deny)
The manufacturer of this car is not trusted, are you sure you want to start this car? (Yes/No)
The car is attempting to use gas that does not fall between 89 and 91 octane are you sure you want to continue? (Yes/No)
Are you sure you want to turn on the radio (Allow/Deny)
The manufacturer of this radio is not trusted, are you sure you want to turn on radio? (Yes/No)
Station 104.7 is attempting to play content that requires special privileges, do you want to play 104.7? (yes/no)
Please confirm your administrative username and password.
Please confirm this action: Change to D (Allow/Deny)
This feature requires administrative privileges, please enter your username and password. ... ...

Re:dear lord... (1)

herve_masson (104332) | more than 7 years ago | (#18095046)

You take mandatory and lengthy courses to drive a car, not to use a computer; that's a _big_ difference. If you want to do the same for computers, I am afraid it would have to be even longer.

What I'm getting at is that you can't ask most people to act wisely when it comes to computer security, simply because they have no clue. It's a bias many people have when rejecting the fault on users, and it does not help much at the end of the day.

Dealing with computer security is hard for trained people; it's simply impossible for the average user, period. What we need is better software, and from what I'm reading about Vista, we are not there yet. Yes, Microsoft did a great job to meet users for what is related to user interface & experience. They did a very poor job in security so far, that's sad and it really sucks.

Re:dear lord... (1)

tomstdenis (446163) | more than 7 years ago | (#18095162)

I disagree, there are a lot of simple small things people could do to protect themselves

1. Learn to recognize spam/phishing
2. Not run attachments
3. Not run random binaries (even things like Party Poker.net)
4. Not read HTML emails
5. Not run as root (that fix takes all of 5 seconds to make)

etc...

You hardly need a degree in comp.sci to sort this out. People are just lazy, and will do whatever they want despite the fact they're their own worst enemy most of the time.

No libre OS can ever defend against every threat vector since doing so requires taking away liberties, such as the ability to develop and run 3rd party software.

Tom

MS is to blame for user mistakes in this case (1)

Opportunist (166417) | more than 7 years ago | (#18095190)

The simple reason in a nutshell: The user cannot make a qualified decision based on the information the system gives him.

With the installer needing admin privileges, no matter if its trying to install a driver or a game demo, the user cannot make a qualified decision whether the privileges asked for are warranted or not. You could blame the user if it was not so. If the user could install a game with "reduced" privileges and it asks for full admin rights, he could smell the rat. He cannot in an environment that asks for admin privs by default for installations.

The only way he could would be to sandbox everything he plans to install and then trace and analyze everything the software does to his system, the files it produces, the data it downloads and/or uploads to/from certain servers, the entries it creates, changes and deletes in the registry... And of course he'd first of all have to know how to interpret this information.

If Vista would give the user sufficient information to actually make a qualified decision, I'd agree. Blame the sucker for being dumb enough to run the trojan. But simply telling him "Flash installer wants admin rights to install, continue?" is not giving him any information at all. What if I simply labeled a Trojan "Flash installer"? Of course it would ask for admin rights to install, that's what an installer does by default.

Give the user enough information to actually make the decision, then blame him if he makes the wrong one. If the user cannot make a qualified decision, all that remains is a game of chance and luck. And you could just as well get rid of those questions, simply because the user cannot answer them anyway with the information the system gives him.

Re:MS is to blame for user mistakes in this case (1)

tomstdenis (446163) | more than 7 years ago | (#18095252)

Look at where most demos and games come from, some anonymous, ad laden, 3rd party "download site".

I'd trust a game download fetched from idsoftware.com more than gamesgamesgamesgalore.com. If a game requests admin rights to install for my user, that would raise a red flag, etc.

Wow, two simple ideas that didn't involve a masters thesis from MIT.

I must be a genious.

Tom

Re:MS is to blame for user mistakes in this case (1)

BVis (267028) | more than 7 years ago | (#18095316)

The user has access to all the information they need.

Even the simplest user can type "www.google.com". The information is out there, they just need to go and find it.

Sure, that's blaming the victim, but in this case the user is victimizing themselves.

If they can't be bothered to do the most basic research, screw 'em. Once they educate themselves, subsequent situations become easier to handle. If they choose to remain ignorant, then it's their own damn fault and I have no sympathy.

That being said, Vista's "annoyware" approach to security is inexcusable. All it does is essentially force the user to shut down the added security in order to get any work done. MS is the largest software company in the world with a de facto monopoly on the desktop. If they wanted to say "OK we're going to break all your software because our security is a joke and we need to fix it for the good of the community", they could bloody well do it.

Apple breaks nearly everything every ten years or so, and they've been "going out of business" for about twenty years now. And they don't have a twentieth of the market share that MS has.

Re:dear lord... (1)

hawg2k (628081) | more than 7 years ago | (#18095272)

I am also not sticking up for Microsoft, but I agree with the Parent poster here.

I work in the information security area at my company, and we recognize that every employee and associate at the company needs to help with security. We have slogans like "security is everyone's business", and we have mandatory annual security training that everyone must take. It's simple stuff like have a secure password, keep it safe, never give it to anyone, no legitimate person will ever ask you for it, etc.

At the very least, we force our employees to spend 20 minutes a year thinking about it, in hopes of cutting down on problems.

To tie back in to the home user, at some point they need to take on a more "buyer beware" attitude and take some responsibility for their part. I know it's "en vogue" these days to, for example, sue the lawn mower manufacturer because they forgot to put a sticker on the mower that said "don't use as a hedge trimmer", when you lose an arm; however, "en vogue" is not necessarily right. If the user would exercise a little bit of common sense, most things could be avoided.

That being said, if Microsoft can do something different to help out their user base, I think they should.

"Too much malware" (1)

Veetox (931340) | more than 7 years ago | (#18094750)

As dissatisfied as I tend to be of Microsoft's "advancements", I have to say that they should not be responsible for making their system impossible to screw up. Daddy just needs to learn to spend money on the high quality porn, instead of the cheap, virus loaded "Click for more!" free porn. But that doesn't address the fact that home users log in as admin. every time - no, that's a different hell right there; MS should make restricted access user accounts mandatory.

Who cares about Windows security? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18094752)

Windows is made to run games on PC's and to keep average IT people employed.

It's not like you should ever run anything important and/or productive on it.

er um (2, Funny)

pizzach (1011925) | more than 7 years ago | (#18094760)

"too many owners running their boxes as admins and downloading every bit of malware they can get their hands on."
er um. I hope he's not talking about me.

You can't build a fort on a foundation of shit. (1, Informative)

Anonymous Coward | more than 7 years ago | (#18094774)

It's pretty obvious that you can't build a fort on a foundation of shit. Without a solid base to hold your fort up, it will sink into the fecal marsh and smell like high heaven.

The security of Windows has always been built upon such a foundation of shit. That's why it's had so many problems. Instead of drawing from the proven security models of systems like UNIX and VMS, the Windows developers went and rolled their own. And you know what? It was shit. It didn't have a solid theoretical underpinning like the security model of other systems have. It's been over 20 years later, and they still haven't looked to the proven models for inspiration.

Re:You can't build a fort on a foundation of shit. (1, Interesting)

DrPizza (558687) | more than 7 years ago | (#18094856)

The theoretical underpinnings of the Windows security model are DAC, with limited MAC (specifically, the Biba Integrity Model). The MAC stuff is new to Vista; the DAC stuff has always been in NT.

The DAC model is the same as that found on typical Linux, Solaris, AIX, Mac OS X, FreeBSD, etc. installations. The Biba model is rarer (but nonetheless theoretically sound), but it's rumoured that Leopard will use it too.

In other words, shut the fuck up; you don't know what you're talking about. But I guess that's to be expected of anonymous cowards when talking about Windows.
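An added illustration of the two layers named in the comment above (not part of the original post and not Windows code): a discretionary ACL check keyed on user identity, followed by a Biba integrity check. The level names, subjects and file objects are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Integrity(IntEnum):
    # Illustrative integrity levels (assumed names for this example).
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Subject:
    name: str
    user: str
    integrity: Integrity


@dataclass
class Obj:
    name: str
    owner: str
    integrity: Integrity
    # Discretionary ACL: user -> set of permitted operations.
    acl: dict = field(default_factory=dict)


def dac_allows(subject, obj, op):
    """Discretionary check: decided by the object's ACL, keyed only on user identity."""
    return op in obj.acl.get(subject.user, set())


def biba_allows(subject, obj, op, strict=True):
    """Mandatory integrity check (Biba).

    no write up:  a subject may not modify an object of higher integrity.
    no read down: (strict model only) a subject may not read lower-integrity data.
    """
    if op == "write":
        return subject.integrity >= obj.integrity
    if op == "read":
        return (not strict) or subject.integrity <= obj.integrity
    return False


def access(subject, obj, op, strict=True):
    """Both layers must agree; the owner's ACL cannot override the integrity rule."""
    if not dac_allows(subject, obj, op):
        return "denied: DAC"
    if not biba_allows(subject, obj, op, strict):
        return "denied: integrity"
    return "granted"


# Constructed sample data: one user, two of her processes at different levels.
profile = Obj("alice/profile.dat", "alice", Integrity.MEDIUM,
              {"alice": {"read", "write"}})
download = Obj("alice/downloads/setup.bin", "alice", Integrity.LOW,
               {"alice": {"read", "write"}})

browser = Subject("browser", "alice", Integrity.LOW)    # handles untrusted input
editor = Subject("editor", "alice", Integrity.MEDIUM)   # ordinary user process
bob_admin = Subject("admin-tool", "bob", Integrity.HIGH)


def demo():
    """Return the decisions that distinguish the two models."""
    return {
        # Same user, so DAC alone would allow it; integrity blocks the write up.
        "browser writes profile": access(browser, profile, "write"),
        "editor writes profile": access(editor, profile, "write"),
        # High integrity does not help a user the ACL never mentions.
        "bob writes profile": access(bob_admin, profile, "write"),
        # Strict Biba also stops a process from consuming lower-integrity data.
        "editor reads download (strict)": access(editor, download, "read"),
        "editor reads download (write rule only)":
            access(editor, download, "read", strict=False),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Under DAC alone every process running as alice has the same rights to her files; the integrity label is what separates her low-integrity browser process from her other programs.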

Re:You can't build a fort on a foundation of shit. (1)

david.emery (127135) | more than 7 years ago | (#18095304)

On another /. topic recently, there was a small discussion (claimer: I started it) on VMS fine grained security models. Apparently Win NT had something closer to the VMS model inside, but it apparently was never really used by anyone.

I still think this is what modern OS need. Unix-based security models are better implemented, but I do NOT think they're necessarily better designed.

Thus I think that there is merit in both the original poster's comments and this response, but the last line of this response should perhaps (in the best object oriented fashion) be applied to SELF as well as to PARENT.

          dave

As Beavis and Butthead once said... (1)

consumer_whore (652448) | more than 7 years ago | (#18095116)

"You can't polish a turd."

Re:You can't build a fort on a foundation of shit. (3, Insightful)

drsmithy (35869) | more than 7 years ago | (#18095264)

The security of Windows has always been built upon such a foundation of shit. That's why it's had so many problems. Instead of drawing from the proven security models of systems like UNIX and VMS, the Windows developers went and rolled their own. And you know what? It was shit. It didn't have a solid theoretical underpinning like the security model of other systems have. It's been over 20 years later, and they still haven't looked to the proven models for inspiration.

Windows has the same "theoretical underpinning" as VMS (hardly surprising, given they're designed by the same person). Which is, I must point out, vastly superior to that of traditional (and most contemporary, at least as commonly configured) UNIXes.

There is little, to nothing, wrong with the "foundation" of Windows.

Let me get my flame-proof suit on and say...... (4, Insightful)

ip_freely_2000 (577249) | more than 7 years ago | (#18094800)

"and downloading every bit of malware they can get their hands on."

Come on. More than anything, Microsoft is in a no-win situation to try and protect people from themselves. If everyone ran Linux instead of Vista there'd be the same damn problems.

If a thirteen year old wants to download smileys for their IM client, the kid is going to do it. If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.

Re:Let me get my flame-proof suit on and say...... (1)

Bob54321 (911744) | more than 7 years ago | (#18094846)

I agree with the parent completely. There is no way Microsoft can stop people downloading random pieces of shit and installing them on their computer. If every time you tried to install something there was a pop-up saying "Are you sure you want to do this?" people would complain about too many pop-ups causing people to ignore them. I suppose if the thirteen year old was in a non-root account there would be some stoppages but after enough going to the parent saying "I can't install this, it is essential, you can't use a computer without it... blah, blah, blah" the kid will be running as root soon enough. Especially given the majority of computer users do not realize they should run their computer as administrator. (written from a windows laptop logged in as admin...)

Apt-get (2, Funny)

Anonymous Coward | more than 7 years ago | (#18094910)

If everyone ran Linux instead of Vista there'd be the same damn problems.
If everyone ran Linux, they wouldn't have these problems because people wouldn't know how to install anything.

*ducks*

Re:Let me get my flame-proof suit on and say...... (1)

wiz31337 (154231) | more than 7 years ago | (#18095020)

Mind if I borrow your flame-proof suit for a second?

I agree with you, if everyone ran Linux they would log in as root so they didn't have to type their password every time they wanted to install smileys. Most casual users (not the /. crowd) want their computers and software to be easy to use, fast, and to look pretty; security is somewhere on the back burner.

If a box asks them if they want to cancel or allow an action they are more than likely going to click allow so they can get to their smileys because after all that is why they downloaded them in the first place.

Re:Let me get my flame-proof suit on and say...... (1)

andreasg (1010787) | more than 7 years ago | (#18095068)

You wouldn't have to be logged in as root to install smilies, it could just install them under ~/.im_app/smilies/

Re:Let me get my flame-proof suit on and say...... (1)

exi1ed0ne (647852) | more than 7 years ago | (#18095074)

Microsoft is in a no-win situation to try and protect people from themselves.

I'd have to agree. People want computers to be a toaster - throw some bread in, mash a button, and get toast. That is the extent they want their involvement to be if it isn't in their realm of interest.

To be honest though, there are plenty of other occupations that I'm clueless on. Put me in a fighter jet, or have me do someone else's taxes and you're gonna see the same recipe for disaster. I'm sure there are plenty of people who shake their head at folks who don't understand what a GDP deflator is, or know how to skin a deer.

asbestos cloak of ignorance (0)

twitter (104583) | more than 7 years ago | (#18095148)

If a thirteen year old wants to download smileys for their IM client, the kid is going to do it. If the software has spyware, then that spyware would do what it takes to open up or break the system. It's pretty damn hard to code against human behaviour.

What, there's spyware in the Debian repositories? Call Perens, now! Oh wait, false alarm from someone projecting Windoze problems onto free software. Never mind, Gaim, kde's IM client, and all the other IM clients that already have smileys, do not actually contain malware, nor do any of the other user contributed and community verified packages of artwork. Oh dear, that makes life very hard for malware authors.

I'll give you a little hint about the specifics - if you go read the article you can see the author going through all the details of how easy it is to screw a Vista user and why - he compares them to free software browsers and OS because none of those problems exist there! Free software is not like the deceptive and broken crap M$ makes.

I know, I know, you are only pretending to be ignorant. That's OK, I like answering easy questions.

Re:asbestos cloak of ignorance (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18095282)

Newsflash, "If everyone ran Linux" then malware writers would target Linux distributions with malware the way they target Windows now. Monocultures are targets like that. Linux is great, but it's not unbreakable. If the average person has root access, they can do serious damage.
Now, if everyone ran Linux and knew what they were doing I suspect malware authors would have a much more difficult time accomplishing anything. But that isn't really a fair comparison, because if Windows users knew what they were doing, it would be much harder for malware authors too (remote exploits notwithstanding. But even these problems can be mitigated by knowledgeable users.)

Users (2, Interesting)

drooling-dog (189103) | more than 7 years ago | (#18094830)

Microsoft is always going to leave network services on by default because otherwise users might have to go admin and turn them on to get their software to work. Of course the goal is to relieve users of the need to be concerned about what's going on in their computers, but unfortunately it also relieves them of the opportunity to ever learn anything and thereby participate in their own security.

So, you can be "insecure by design", or you can expect your users to educate themselves just a little about how things work and their own role in the security equation. I'm sure the focus groups all say, "We'll take our chances, just don't make us have to think!"

"Don't let users do anything" (0)

Anonymous Coward | more than 7 years ago | (#18094880)

The tone of this article implies that users are too stupid to breathe, let alone operate a computer system. For a crowd that endorses a privacy-rich, DRM-free, open-sourced world, I'd expect more of you to have realized this.

Screw the author of TFA and his insultingly haughty and elitist opinions of what computer OS purchasers can or cannot do. He strikes me as the type that Mitties his day away as the BOFH.

90% of viruses and spyware? (3, Insightful)

Paulrothrock (685079) | more than 7 years ago | (#18094900)

I think that's a bit low. There are only about 30 viruses for Macs (most of which are holdovers from OS 8 days) and I've not encountered one bit of spyware or adware. I don't have experience with Linux, but I imagine it's similar.

I think the reason Windows is such a target isn't just its market share, but also its vulnerability.

Re:90% of viruses and spyware? (1)

Overzeetop (214511) | more than 7 years ago | (#18095288)

Actually, it's also because the maximum number of clueless users on Windows far outstrips all other OSes combined, likely by a couple orders of magnitude. I would also venture that windows users are more likely to look for that "free ride" download instead of purchasing software. Linux also has its freeware crowd, but it's a totally different environment.

Unfortunately, the old MS model - mostly pre-internet - ignored permissions, or implemented them poorly such that even trivial software is written expecting admin privileges. MS just doesn't have the balls to go break all of that software. Shame, too, as they could have actually fixed the system had they done that.

Maybe it's not that MS is incompetent, but merely spineless?

Nice Article (3, Funny)

icedivr (168266) | more than 7 years ago | (#18094932)

When the second paragraph contains this quote --

In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.

you know it's going to be fair and balanced.

Re:Nice Article (2, Insightful)

RAMMS+EIN (578166) | more than 7 years ago | (#18094974)

``In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.

you know it's going to be fair and balanced.''

The sad thing is that it's actually true.

Re:Nice Article (2, Insightful)

PhxBlue (562201) | more than 7 years ago | (#18095012)

It may not be "fair and balanced," but that doesn't take away from the truth of the statement. This is slightly OT, but too many media entities today worry about being "fair," at the expense of giving their readers the whole story.

Crazy Article. (1, Troll)

twitter (104583) | more than 7 years ago | (#18095218)

[article is not] fair and balanced.

That depends on your perspective. If you are Bill Gates, or drugged or both, you might think it's not fair M$ is blamed for all the M$ born malware that threatens the internet and every machine on it. If you are anyone else, you're dumbfounded the authors bothered to run Vista at all. It's funny how people keep doing the same thing and expecting different results. It's not surprising M$ results make people angry, but it is surprising people keep listening to them and giving their software a fair chance to fall on its face.

The details in the article are pretty irrefutable. Eris's journal entry [slashdot.org] is not a bad summary if you don't have time to read further than the second paragraph.

Article is putting Windows in too good light (4, Informative)

pesc (147035) | more than 7 years ago | (#18094940)

From the article:

As Billg likes to point out, Windows is the platform on which 90 per cent of the computing industry builds, and this naturally means that it's the platform on which 90 per cent of spyware, adware, virus, worm, and Trojan developers build. That translates into 90 per cent of botnet zombies, 90 per cent of spam relays, 90 per cent of spyware hosts, and 90 per cent of worm propagators.

This implies that Linux, Mac, Solaris, VMS, etc. stand for 10% of the malware. This is not true. I would guess that non-Windows systems have less than 1% of the malware.

Gee.. biased a bit? (2, Insightful)

d_jedi (773213) | more than 7 years ago | (#18094968)

Oh, the article is from the Register. I see.. no surprises there.

Re:Gee.. biased a bit? (0)

Anonymous Coward | more than 7 years ago | (#18095222)

Ad hominem circumstantial

The biggest Microsoft problem (2, Insightful)

Don_dumb (927108) | more than 7 years ago | (#18095024)

As usual, Windows enables far too many services by default.
This is my number one Windows gripe. It not only reduces security (there are more vulnerabilities running) but takes up resources and generally gets in the way.

Microsoft can't fix the users, there will always be the crowd blindly clicking OK or turning off the firewall because their game's troubleshooting tells them to.
But reducing the number of services and installed programs running can reduce the number of vulnerabilities present and active by default. How long did it take for them to give the option of actually turning off Messenger, despite no one ever using it? The default install should be the minimum needed to access the net and use office. If we are all used to prompts and downloading programs, a wait of a few seconds to install a program from a file in the Windows install folder, to run something new, shouldn't be too much of a problem.
Especially if we have the option of actually uninstalling IE7 completely.

And on another note, I have watched this Vista launch and still I wonder:
Why should I get it? I see a lot of hype but not a single reason to upgrade.

ANSWER: Get Internet Freedom Disk + P.U.M.P (0)

Anonymous Coward | more than 7 years ago | (#18095058)

http://internetfreedomdisk.blogspot.com/ [blogspot.com]

Great persistent memory LiveCD. Videos to explain them to noobs

My suggestion (1)

Maznio (137785) | more than 7 years ago | (#18095090)

...is to lock it up by default and then the users will be FORCED to learn to make stuff work.
And I don't mean those pesky dialogs "Allow application to run?" but rather default low-permission accounts (which implies making it hard to create an administrator account -- which exists already), minimum services out-of-the-box and a checklist of stuff needed to be turned on for apps to function. It's not too hard to enable and start the printer spooler when installing a printer, is it? Or enabling the DHCP client service when needed?

IMHO, the whole idea of a centralized registry to keep all configuration for every installed application AND the OS is flawed.

Some strange quotes (1)

rbarreira (836272) | more than 7 years ago | (#18095098)

For one thing, IE7, at least on Vista, is no longer such a dangerous web browser. It may still be the buggiest, the most easily exploited, and the most often exploited browser in internet history, and probably will be forever, but it has become safer to use, despite its many shortcomings.

It's funny the way he uses "IE7" when he's apparently talking about a mixture of IE and IE7... As far as I know, IE7 doesn't have many security bugs known until now, and especially not on Vista due to protected mode... Three letters - F, U, D.

Of course, it only works if everyone stays out of the admin account as much as possible, and if everyone with an admin password knows better than to install a questionable program with admin privileges. And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."

So you see that, here again, MS's security strategy involves shifting responsibility to the user.

So how exactly could this be better? By preventing the user from installing/running any applications downloaded from the internet? It seems that the author of the article never heard about Security vs Usability tradeoffs (however he mentions them somewhere else, which makes it even worse...).

And once UAC is disabled, all of its security enhancements are lost.

Oh my god, how surprising...

The old problems never go away: too many networking services enabled by default

Some references would be nice, as well as proving that DEP and address space randomization won't be enough to counter the threat present due to those services...

Data hygiene is still an absolute disaster on Windows. In fact, it's worse than it ever was in some ways, and that's very bad indeed. Browser traces still in the registry, heavy and complicated indexing to improve search, new locations where data is being stored. It all adds up to a privacy nightmare. Keeping a Vista box "clean" is going to be impossible for all but the most knowledgeable and fastidious users.

That might be true, however it has nothing to do with the remark that Vista won't be enough to make the internet have less malware, etc.

I stopped reading at... (1)

drsmithy (35869) | more than 7 years ago | (#18095188)

This is because MS has finally addressed IE's single worst and most persistent security blunder: its deep integration with the guts of the system.

Because it's pretty obvious at that point the author is clueless.

Then again, it's the Register. What else to expect but clueless Microsoft bashing ?

OS vulnerability (3, Insightful)

Jason Buchanan (14443) | more than 7 years ago | (#18095234)

The vulnerability of Vista or any other OS can be traced back to the requirement to modify the OS for software installation. It makes no reasonable sense that an end-user should modify the operating system when installing a software package (exceptions for servers but that's iffy, too). CONFINE the end-user software to the end-user's space (i.e., home directory) - and as suggested earlier, the notion of each user having an independent registry instead of the global system-wide Windows registry is a great idea. An infinite number of users should be able to use a Windows environment without any influence by one user upon another. This goes for all operating systems. I can't understand why this idea hasn't been pursued already. It's too late for Vista but in another 3 years or so this may happen.

One of these days Microsoft will realize that system-wide changes are killing them. Perhaps when they start leasing remote desktop connections for $9.95 a month they will figure this out.

New Vista dialog (1)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18095300)

"You are visiting Slashdot with its very well known anti-Microsoft bias. Allow or cancel?"

"you are about to read a scary story about the lack of security in Vista. Allow or cancel?"

lack of security (1)

RAID10 (1051554) | more than 7 years ago | (#18095324)

Windows is still the only popular OS that has no decent security by default. With Mac OS X, Linux or BSD you got to have a bad admin if your box gets owned. With Windows you only need a clueless user and you're screwed. So there has to be something wrong with the design. You can't blame the user for everything; "you shouldn't have clicked that", "you should have been running a better firewall", "you should have bought a better anti-virus software".
No wonder Mr. Ballmer is worried about the competition.
Ballmer repeats threats against Linux [com.com]