“Some think the software maker is at fault for the latest viruses. But you can’t blame a target. “Let’s all just beat the hell out of Microsoft. It unleashed the worms!” Well, that’s what some people think, if the e-mails (uninfected) I got during the past week are any indication.” says Wrastler for CNN Money. “So why doesn’t Microsoft make its software more secure? They’re trying, company officials say. But they also argue that like any other company, there’s only so much Microsoft can do to prevent a crime if a criminal truly wants to commit it.” a Statesman article says. In the meantime, the FBI has identified a teenager as the author of Blaster and plans to arrest him early Friday, a U.S. official confirmed.
Ah yes, next time they blame carmakers for stealing cars.
Funny – that was exactly my first thought when I read this … you can blame Microsoft for a lot of things, but hardly for the fact that there are kids out there who write viruses.
If MS ignored the vulnerabilities after they were discovered they might be culpable. However, they published a patch for the Blaster hole more than a month before it started making the rounds. Blaming MS for that would be like blaming the DoT when a dumbass driver ignores the “wrong way” signs and gets on the freeway going the wrong direction. Sure it’s a known problem, but MS and the DoT have done all they can. It’s up to the user of the OS (or the freeway) to do the rest.
Ignorance might be an explanation but it is no excuse.
…if one decided to poke at it in various ways for a while, I think the car manufacturer *should* be found liable.
Not only is a carmaker expected to provide locks on the doors of the vehicles they sell, but those locks are expected to provide a certain level of deterrence to the casual thief who wishes to gain unauthorized entrance.
Microsoft has, in some cases, done SUCH a poor job of basic lock design in some instances that a certain amount of flak is to be expected.
Ah yes, next time they blame carmakers for stealing cars.
Well we can blame them if they don’t put a lock on the car.
Seriously, 90% of the security problems are between the chair and the computer. For sure, apps like Outlook Express or Internet Explorer don’t help ( 22 unpatched security holes http://www.pivx.com/larholm/unpatched/ ).
But IMHO, the main problem is that an awful lot of Windows users have very screwed up ideas of how their computers are supposed to function.
For instance, they don’t think having to type in a password to run Setup.exe is even remotely reasonable. Their view of the computer is: “if I want to do something with my machine, I should be able to just do it. Don’t put anything in my way.” And if they were forced to take precautions, their password would end up being something like ‘a’. And a regular schedule of changing passwords? Forget it.
Another example, a little more relevant to this case: people want their email for sending dirty pictures, HTML joke pages, funny Flash or Shockwave animations, Active X games, etc. They’d be bored to tears if they had secure email. And they’d be pissed off at anybody who was responsible for it. Have any of you guys ever taken heat for banning popular but incredibly insecure software at your site? Or spyware.
And it’s astounding how many supposedly intelligent people (programmers) who have you in their address books end up sending you virii because they were stupid enough to continue clicking on emails about ‘Hot pics’ or those ‘Snow White and the Seven Dwarves’ emails. Sheesh.
All this is not to say that Microsoft doesn’t have some basic architectural issues–they do. But the unreasonable demands and silly behavior of many users more or less prevent them from changing any of it. And when they do change it, people ignore it for the sake of convenience. It’s been possible to run as an unprivileged user for a long time with Windows. And it’s not difficult to do. But guess how many people actually do that.
Actually, it makes sense to blame the lock maker, not the lock owner. Most (cheap) locks can be opened instantly. Now if you make an OS that can be broken into almost instantly, it also makes sense to blame the OS maker, not the OS owner
Well.. We all know how hard it is to steal a car, don’t we?
/D
The natural conclusion to be drawn from the defenders of Microsoft is that Microsoft can produce an operating system that has no security and any problems are all the fault of someone else. What rubbish! We can’t expect all of the millions of users to be fine upstanding citizens but we can expect the one producer of a product to make it as robust as possible. They have a moral (if not legal) obligation to make their product secure. EULAs are just weasel words to absolve them of blame which is rightly theirs if their products fail.
Did you mention that this worm attack could be commandited by Microsoft in order to force the Windows user to buy the new antiVirus products ? (Microsoft bought out an antivirus specialized company recently)
So this is probably a commercial act from Microsoft.
Probably, they had to download the security patch… nobody can blame M$ for this virus/worm…
Like ptrace bug in kernel. Nobody can blame kernel developers. They did the patch, and everybody could download it…you haven’t? That’s your fault..
This is like selling a car with no locks and no ignition key, just a big red button to start the car and drive off.
The worms are bad for sure. But thousands of computers are being rooted and trojans being put in which will not be patched by a Windows update, Windows patch, or even antivirus. While one might clean up the big worms, there’ll be a multitude of lesser known trojans making the rounds. In its effect on home and small business users, this exploit is the biggest in quite some time. To my knowledge, works on NT through Server 2003, with most exploit code (including the worms) set for Win 2k and XP. If the offset is not set right for the Win version, it will crash RPC and reboot. Wonder how much lost work has resulted from crackers choosing the wrong offset and/or rebooting after critical changes.
I’m glad I’m primarily running Linux boxes behind a router. Thwarts 99% of the problems. Linux and friends are certainly not perfect in regards to security, but at least there are more options. One can choose a hardened open-source OS like OpenBSD for servers with Internet exposure. Or apply Bastille or SE Linux type mods and scripts. Or run in chroot jails. Or even a trusted variant. The latter two being extremely difficult for a novice or even intermediate cracker to get past.
Windows has had trusted variants, but at what cost? Is it really feasible for home use?
Microsoft, if they don’t already, should offer a hardened or trusted variant of 2003. And, if they don’t already, offer detailed manuals on hardening, so the average admin can do it. Perhaps such prevention tools and literature are already in place, just most admins are too clueless to apply it.
One other factor with Windows is the ease of use of exploits and tools. The recent RPC DCOM exploit had a GUI tool available pretty quick. Coupled with the numerous GUI remote admin tools, FW killers, and uploaders, a toddler could root and maintain control of most PC’s. With *nix, most work is done via CLI. Nmap and other tools are best used without frontends. This certainly adds a bit more difficulty and keeps out the true idiot crackers. One need only read some of the smaller “security” forums to realize just how stupid some of the newbie crackers are.
An aside, I’ve noticed one ISP seems to have blocked TCP 135 inbound. This is probably a good thing, but obviously may cause some problems for some customers.
In any event, a lot of the worm problems in business comps are simply caused by lazy admins not applying a patch which has been out for weeks. Every web site in the country was predicting this worm well in advance, and being an admin should entail at least some remedial reading in security and keeping up to date on exploits. After all, it IS their job. Well what do you expect when most MCSE’s were fry cooks in their previous job.
xmp
“They’re trying, company officials say. But they also argue that like any other company, there’s only so much Microsoft can do to prevent a crime if a criminal truly wants to commit it.”
Yea, so they said at Napster! I say do everybody a favor and shut’em down! You have a precedent
That’s funny, Microsoft claimed that the authors of Blast were probably not teenagers, but organised criminals, or terrorists. This shows how MS tries to push its “trusted” Palladium platform with its BS and FUD. Actually their system is so bloated a simple individual can shut down tens of thousands of computers. But “terrorist” is a good vendor to the government.
The ‘stealing a car’ analogy is very poor and shows a misunderstanding of the basic concepts involved in these types of viruses.
The email client that most people use under Windows seems to be Outlook Express. This can open an incoming message (the preview pane), access a website, execute arbitrary code, and send mail to everyone in your address book – ALL WITHOUT THE USER’S INTERVENTION! This is poor design, plain and simple.
What you have in Windows is the equivalent of a car with no locks as standard, and a push start ignition. Would you be surprised if these cars were stolen – would you blame the manufacturer?
I agree with Elver’s comment. If the OS is flawed by design, you can’t simply blame the end users for not patching in time. This gets old after the thousandth exploit.
Microsoft does have some probs with legacy code, Lanman hashes being an example. And ease of use for most customers is another problem, lack of default firewalling being an example. Certain compromises must be made in the design process. But many of these exploits are fundamental weaknesses in the OS itself, in its implementation of various services. Simple buffer overflows, etc. You can’t use the legacy excuse for these.
As for the comment that one should blame the virus writers, well most of these worms are propagating via an exploit, at least in part. This is not simply malicious code being downloaded or even a hole in Outlook or Explorer necessarily.
As for selling more antivirus, while I realize your comment was a joke, most antivirus won’t detect trojans that will be uploaded after the box is rooted. And no, I’m not referring to the mainstream worm code. You need to break out Trojan Defense Suite 3, and most admins don’t know how to use it effectively.
As for blaming the user for not patching in time, that is ridiculous. The RPC DCOM exploit was released by LSD in July. A patch wasn’t released until later. The exploit was perhaps circulating in the underground before it was released by LSD. In fact, LSD may not have discovered it, surprise, surprise. And in comparing to the recent ptrace exploit, I suspect the Linux patch was released far more quickly than the Microsoft patch for RPC DCOM. Most of these patches are NOT proactive, they are reactive. The exploit code and autorooters are in circulation long before most people get back to work on Mondays and apply the patch.
Wait until we get a nice worm using a zero day exploit. Then everyone will wake up. It is a fundamental OS issue, not an end user issue.
hmx
what the….
if you were stupid enough to buy a car without locks, whose fault is that?
unless they told you there were locks on it, i don’t think you have a case, the manufacturer may have thought of the car as one that you would put in your garage if you’re not driving it.
Did it occur to you that some drivers might prefer the car with no lock, because it makes using the car a lot easier (can’t lose keys, no hassle in the dark etc,…)
i think no one is to blame but the fool that bought the car
…most people seem to invest a lot more research time and effort into the next car they purchase than they do in the next personal computer that they buy.
To many computer buyers, the only option available at the retail outlets they know about is an x86 PC running some flavor of Windows.
There are a few exceptions, but they’re still uncommon.
Is that their fault? Yes, and no. One might also fault the folks selling the computers for not properly educating their customers on the proper maintenance for a networked machine.
<<What you have in Windows is the equivalent of a car with no locks as standard, and a push start ignition. Would you be surprised if these cars were stolen – would you blame the manufacturer?>>>
true, it is a poor analogy, but i guess the point i was trying to make was different. you can not blame microsoft for people who make viruses, nor could you blame car manufacturers that there are people out there who steal cars, even if those car manufacturers sold a car with no locks as standard, and a push start ignition (although technically, at least in germany if you leave your car unlocked you could be liable yourself).
so i wouldn’t blame the manufacturer – i just would not buy their car !!! i guess that is why i use linux (-:
on second thoughts, actually you are right the car thingy is very poor analogy – people didn’t know that they were buying a car with no locks as standard, and a push start ignition, in which case the manufacturer (microsoft) should be liable – it is funny how ms tries to put the blame on others, rather than sorting out their software.
I think part of the difficulty is the idea of ‘ease of use’ that is promoted to users when they purchase a PC. Most of my friends do not use Windows Update; mostly because they assume that they do not need to, or do not know what it does. This is because they believe that they would not have to do anything to the PC once they have paid for it; the magical update fairy comes in the night and keeps them safe.
It’s about time that the industry realised that not everyone is a geek, and start educating users in basic computer security when they buy the bloody things…
Better analogy. A car manufacturer that sells cars with locks that don’t work, a keyless ignition and a “Steal this Car” sign painted in bright neon. All the while advertising how secure it is.
Well, it’s obvious that the virus-writer-kid has done something wrong, and should be punished. But if one single frustrated kid can bring down millions of computers in one week, then there is a huge security risk. The problem is a lot bigger than just that kid. The kid isn’t just stealing one car, it is stealing millions of cars in one week.
Maybe Microsoft can’t secure its operating system to prevent this type of mass scale attack. It’s likely neither can Mac OS X or Linux, if it were in the same 95% market share position. The only solution I see, is making sure that there is a far more heterogeneous network. It may not solve the virus writing problem, but it reduces the impact of a single virus significantly.
“Ah yes, next time they blame carmakers for stealing cars.”
If a carmaker places a £5 lock on a car and sells it for £50 or £500 pounds.
The car maker is at fault as much as it is the person doing the crime.. by over inflating the prices and if they claim their car is the most secure in the world then that’s false advertising.
(Two things Microsoft love to do… every release is more secure and faster and more enriching all you have to do is read the advertising on the installation screen the wording is hardly different between windows 95 95SE 98 98SE ME NT, 2000, XP etc)… and every time the same type of viruses exploit the same type of problems… its almost like the blaster patch will be search for blaster.exe on this machine at start up then delete.. so the who ever renames it to blaster2.exe and the patch wont find anything…
These days cars are getting better alarms, immobiliser’s, motion sensors all fitted as standard….. does help…
but some reported problems that have hit the media have been..
BMW had the famous knock the back of the car and sensors would think the car was in an accident and unlock n open all doors…
Also BMW had the Casio remote control (£80) watch being able to learn their security keys and unlock the cars. (you can train most infrared remote controls that unlock cars to be opened by most Palms -you only need the key for a second or two-).. but for a Citroën Xantia i can’t drive the car away immobiliser, i can’t get into the car motion sensor and I don’t know the 4 – 6 digit pass code. I also would not have the key to start the car…
VW’s have had reported problem due to their windows being able to be pushed down…
The problems are in perception the internet is a two way experience / communication (send and receive) and most consumer devices are one way… like TV, Radio, books etc
There’s no password to use my toaster or TV or oven… And with windows there has never been a two way perception / experience only one way…
win95 to get round the screen saver Ctrl Alt Delete and “end task” on screensaver.exe “Classic”. a locked screensaver is just an on off switch in the registry if you can access the registry via other means and switch it off you have access… auto-booting Cd’s.. auto-booting USB drives…
There are also three markets the home user , SMB, and galactic corporate enterprises.
In the mid 90’s all three looked as though they could be given the same solution.
But things have moved on and SMB and corporates are questioning around a full computer for every user. Why does a receptionist need a GHZ Processor 512Ram 200GB HDD etc when all her needs are web browser, corporate email, printing, wordprocessing and maybe a spreadsheet.
there are many issues that have split the corporate computing world apart things like Laptops *being able to walk out the door with GIGs of data*, working from home and the need for a corporate building(s) housing everyone, the price of outsourcing (India, China)….
And one of them is how PCs have been seen and used over the last ten years or so…
The way I’d use the analogy is that if my car was prone to so many problems, i’d get off my backside and change it for a different and better one.
Just a point:
Everyone points out how microsoft was SOOOO negligent in this case. It was SO obvious how poorly this flaw was allowed to exist.
If that is the case, then why did no one know about or take advantage of it until Microsoft released the patch, therefore announcing its existence to the world?
I think that it’s not THAT bad, equating Windows to a car with no locks and a big red start button is pushing things a bit, don’t you think? I have run Windows for YEARS, and have not ONCE had a virus. It’s got a lot more to do with the user than with the OS, I can guarantee you that. I deal with people every day who have no clue what an update is. No clue that they should do one. And I know damn well that linux/macos/windows/ you name it all have updates for security. And I can guarantee these people would not have updated a single one of those. And the same situation would have occurred.
Microsoft TOLD everyone there was a problem, and at the same time told the worm maker where the problem was. Until then, they had no clue, so as far as I’m concerned, that’s not what I would call a glaring error in programming.
In my opinion, and after completing a dissertation recently on operating systems in the workplace, I believe there is one primary reason Microsoft OS’s are targetted: their popularity.
With 90% or so of the market share virus writers are going to get the most impact from targetting Windows, as otherwise only a small number of people will be affected and they will not get what they want: attention.
The desktop market is also an easy target compared to the server market, as people don’t tend to open up malicious emails on a server, in fact anyone with an email client on a server should have their head seen to IMO.
OK, Outlook (or as many people I know call it ‘look out distress’) is an appalling package in terms of security. And Windows has some major flaws, but the fact its use is so widespread makes a huge difference.
Thankfully I’m a Linux user so I can sit back and watch!
jmf said:
“IMHO, the main problem is that an awful lot of Windows users have very screwed up ideas of how their computers are supposed to function.”
This is completely the wrong way around, the tool should *never* control the user, or dictate (except within generalised, conceptual ways) how it should be used. Continuing the car analogy:
If a driver were to drive, full pelt, into a bridge support and kill themselves you’d have no sympathy (for them, anyway). However, if a driver who was just using their car the only way they knew how, and it spun off the road disabling them you’d be indignant at the manufacturer and full of sympathy for the driver.
In the computing world it seems that users are punished because of their lack of technical knowledge. Just because someone doesn’t want to learn the ins and outs of an operating system[1] doesn’t make them any more liable for the consequences of using a faulty product than the driver of a faulty car that almost kills them.
The computing industry, in general, does a lousy job of creating solutions for users – instead it adopts the approach that users should damn well learn how to use their products the way they wrote them to be used, warts and all. That’s all well and good until you start looking around and realising that, because of the dominance of companies like MS, there is no competition any more and therefore no innovation[2]. This leaves users trying to make do with solutions geared up toward technically-minded people, rather than finding products that suit them.
So, where does this leave us? The problem isn’t really the users, they just want to use their tools in the best way that suits them (which nobody, in their right mind anyway, would argue is a bad thing). So is it the crackers and script kiddies? Yes, but only in so far that they can do these things. Therefore the ultimate responsibility comes back to the manufacturer (and not just MS) and their inability to produce products that work intuitively for the user in a secure, reliable manner.
[1] A lot of people in this industry regard users as ignorant because, in their view of the world, these people can’t be bothered to learn all about kernels and buffer overflows and such. That attitude is just completely wrong. If manufacturers in other industries treated their customers with the disdain that most in this industry believe is acceptable they’d pretty soon have no customers – perhaps the industry ought to think over that concept before its customers realise that the world was, if not necessarily better, a less scary, uncertain world before computers dominated.
[2] Take a look at a download site and compare the features and UI of the hundreds of e-mail programs available there, then you can decide for yourself whether there is any real innovation left in this industry and, more importantly, if non technically-minded users have any real choice but to use solutions geared toward people who know what they are doing.
I still find it very strange that since Microsoft owns RAV antivirus the viruses are booming..
Could it be that…??
I can’t blame them for the virus attacks. I blame corporations and end users for putting up with Microsoft. There are viable alternatives out there, but there are too many sheep. I work in a I.S. department for a city gov’t and most of the employees here are like addicts. They know Microsoft software is bad, insecure, expensive, etc. but they keep coming back for more. While we were being hit hard by the worms last week, and people were worried that their desktops would get infected, my linux servers kept chugging along, my linux desktop kept chugging along, and my iBook kept right on going.
They haven’t done all they can to stop things like this. Their operating system isn’t based on security as a priority. Their user system is totally insecure because to do a lot of stuff you have to be an Administrator (if that wasn’t the case, more than half the viruses wouldn’t exist), and I’m sure that’s not going to change. There are probably so many undisclosed exploits it’s not even funny, and if you try to post about them, well Microsoft will send you a C&D.
In any event, a lot of the worm problems in business comps are simply caused by lazy admins not applying a patch which has been out for weeks. Every web site in the country was predicting this worm well in advance, and being an admin should entail at least some remedial reading in security and keeping up to date on exploits. After all, it IS their job. Well what do you expect when most MCSE’s were fry cooks in their previous job.
I’m sorry, but that’s exactly what I expect from a MCSE that was a fry cook before… Patching something can break other things that were alright. For example, MS issued a patch earlier this year that broke some 3rd party firewalls. They also issued patches that seriously decreased the performance of some computers. Some support contracts are also preventing sysadmins from patching their servers themselves without breaking them. Yes, some are lazy, but being overzealous isn’t really better.
Are we talking about blaster or sobig? If we’re talking blaster then YES the hole was glaringly obvious and YES it has been known about for some time. Windows leaves ports open in the default shipping configuration. It has the firewall turned off by default too. These are both glaringly obvious and well-known vulnerabilities. Has Microsoft fixed them? No. They knew about them before XP shipped and they intentionally did not fix them. That’s why Microsoft is at fault for blaster (and slammer – remember that doozy?)
I think the author is completely right.
Let’s say there’s a revolution in computerland next week. Suddenly *all* Windows installs become Linux installs, and vice versa. I think it would last exactly two weeks before the first major Linux viruses start popping up. In a year Linux would be as perforated as Windows.
I’m not saying this because I hate Linux– I actually like it. But I think that the main reason Linux viruses are rare is because there’s no credit to be gained from creating them; the desktop world (the most fun to attack) is 95% MS.
And even though an ‘outsider’ (the virus/worm etc.) can’t delete vital files because it doesn’t have root privileges, it doesn’t mean a Linux virus can’t be dangerous: You don’t have to attack/alter/delete system files in order to do some serious damage.
Of course *at this moment* Linux (& co) are more secure. But when their desktop market share grows, people will definitely come up with ways to attack your OS, no matter how *secure* it is supposed to be. Take my nation’s capital for example: A bike in Amsterdam is never safe. You may have the most expensive locks around your bike, but it will get stolen anyway.
Well, in fact MS proposes that you update your OS almost each day when you start up your computer. The problem is that many of us have got unregistered copies of Windoze and don’t want to be tracked by MS. So we don’t do the updates. On my own, I’ve been infected, and I’m running an AV and a firewall. It’s my only fault
At last, I’ve got no problems with my BeOS, QNX and Linux machines (and I’m dumb enough not to make my Linux Machine a server, but WinXP is ruling to connect machines )
So MS has got many defects but not this one
Let’s say there’s a revolution in computerland next week. Suddenly *all* Windows installs become Linux installs, and vice versa. I think it would last exactly two weeks before the first major Linux viruses start popping up. In a year Linux would be as perforated as Windows.
True – there would be Linux viruses (or Mac OS X viruses). But if the default account is not an administrator account then a virus that wants to do something to the OS is going to need a password. It could still be nasty (deleting all of YOUR files) but without an admin password it won’t touch the OS or the other users.
The argument that the quality of the software product is irrelevant to the ability of viruses to do damage is a feeble one and highly misinformed.
“(…) but without an admin password it won’t touch the OS or the other users.”
Virus/worm etc creators aren’t stupid– they’ll find a way!
I hope they don’t, though
Re: Stealing a car (blame the users)
By jmf
Ah yes, next time they blame carmakers for stealing cars.
Well we can blame them if they don’t put a lock on the car.
Seriously, 90% of the security problems are between the chair and the computer. For sure, apps like Outlook Express or Internet Explorer don’t help ( 22 unpatched security holes http://www.pivx.com/larholm/unpatched/ ).
But IMHO, the main problem is that an awful lot of Windows users have very screwed up ideas of how their computers are supposed to function.
—————————————————————
But IMHO, the main problem is that Microsoft has very screwed up ideas of how their computers are supposed to function in regards to security.
MS has driven out competitors out for years now. And right now they are market leader. And with this leadership comes responsibility.
CNN Money says that it comes due to the “demand” of new products. This is $%$#@. It’s a natural thing that people don’t want to change. MS wants you to believe that you want to change.
And change means $$….for MS.
seem to be running high in regards to who is responsible. Is it the software company? the user? the government? the malicious cracker?
The responsibility lies with all the parties affected by these security issues and ultimately each party must accept their role in what they need to do to prevent such a thing from occurring again.
Many years ago I gave up on the end user. I see there are some optimistic people who would love to sow the seeds of wisdom to the next generation and the unwashed masses in a hope that they may learn the skills required.
The end users don’t want to know, don’t care and consider ANY knowledge about computers/Information Technology as “not cool” or “too complicated” so they decide not to learn.
Ultimately a large amount of blame can be clearly put down to the end user appearing to praise ignorance and stupidity over being cautious and a little paranoid.
Ultimately you can teach the user till you have run out of breath and still they’ll continue to do stupid things. Ultimately you are either going to go mad or you simply take your sanity with you and give up.
I’ve chosen to give up. Teaching end users is like taking a horse to a drinking hole, you can’t make them drink if they don’t want to. Same goes for the end user. Until they realise that THEY have to put some effort into learning how to use a business tool, ultimately things won’t improve.
The only way this can happen is a strong top down approach. Management willing to punish subordinates lower down the chain of command who ignore requests to learn how to use the business equipment and as a result of this stupidity, continuous damage is done.
If you are infected with a virus, on your computer and you fail to follow the company procedure you should be given a written warning. If after 3 written warnings you have still refused to follow the company policy, the employee should find their employment terminated, IMMEDIATELY.
Show me a *nix email client that launches an attachment by default. In fact, show me an email client for *nix that even saves an attachment as an executable. I’d think that a person capable of performing a “chmod +x” on a file would know the general risks. Ha, and please don’t be so smug in your belief that virus/worm writers are so bloody intelligent that they could find ways to gain administrative privileges; the guys working on the kernel aren’t that dumb either.
The simple fact of the matter is that there is no economic incentive for Microsoft to fix bugs or make their operating system more secure.
They have a monopoly and their revenue stream depends on steady patches, upgrades, and other fixes. All of which Microsoft charges money for (if you are not an individual user). Microsoft will never do anything to endanger their revenue stream. As long as they can say “the next version is more secure”, their revenue stream is safe.
Symantec, Network Associates, and other security firms make BILLIONS off of the problems with Windows. Microsoft saw the margins in the security business and decided to buy their own anti-virus company.
Most people in the know realize that many viruses are not written by teenagers and other prop-up bad guys, but by the security companies themselves. McAfee made a fortune by providing ‘scan’ for free and then seeding the world with viruses, claiming they’d come out of Bangladesh, Vietnam, and all sorts of places where they barely had personal computers, much less loads of motivated virus writers.
At the end of the day, you have to ask yourself if it is worthwhile using Windows. Microsoft is an abusive company — they don’t even bother denying it much anymore. If you tire of being abused, Linux is a great alternative as it allows you to keep your hardware investment and opens the doors to vastly more software choices than are available on Windows.
I agree. What is most important, the OS or my data? I can reinstall the OS no problem. My data is what is critical and that is vulnerable as well. But who would spend the time to write a virus that may affect 5% (maybe that) of computers?
“In any event, a lot of the worm problems in business comps are simply caused by lazy admins not applying a patch which has been out for weeks. Every web site in the country was predicting this worm well in advance, and being an admin should entail at least some remedial reading in security and keeping up to date on exploits. After all, it IS their job”
You can’t just say that laziness is the overwhelming cause. When you’re running production systems that clients depend on you can’t afford to just install a patch and restart the box. You need to do full regression testing[1] first and this takes time. When you’re running several dozen servers with different applications it takes a lot of time, especially with limited resources.
Where laziness does come into it, however, is when unnecessary ports are left open on firewalls, even when bulletins warn to close them down. If they’re unused why are they open in the first place? If you’ve been warned about an exploit using those ports, shut them down straight away! If you need those ports open, can you lock down access to only those clients who really need access?
So, I suppose, in a way the laziness comes down to poor sys. admin. training, but when it’s the manufacturers churning out “certified”[2] engineers by the bucket-load for a quick buck you realise that, once again, they are the root cause.
[1] If you’re not doing regression testing with patches and service packs then you really ought to pack up your desk, take your laminated MCSE certificate off the wall and start selling TVs again, ’cause you’re a sorry excuse for a sys. admin.
[2] In the UK at least, the term “certified” means something a whole lot different to what I think the training companies intend, it’s still kinda relevant though 😉
Microsoft invented the culture of any idiot being able to use a computer. They can’t then turn around and say their OS isn’t insecure but the problem lies with the fact any idiot can use a computer.
Where does it say on Windows XP that I should be a MCSE qualified administrator and must install firewalls, 3rd party security software, virus checkers and make sure all this is patched and up to date on a daily basis?
M$ marketed Windows to the average Joe and the average Joe knows nothing about these sort of things. Sure we can blame sysadmins for their incompetence but can you really blame all the home users for spreading viruses because there was a security hole in DCOM, which, on a HOME computer is enabled by default – a service that 99% of SERVERS DO NOT USE? No of course not – these viruses/worms are the fault of Microsoft and the culture of stupidity and ignorance that they spread like a cancer throughout the computing world!
Moss:
Two weeks ago I had to (via chat) help someone who had resized their desktop down to 640×480 accidentally and didn’t know how to make it bigger (because the “ok” button was off screen on the display properties).
Yet this same man is supposed to know to turn on the firewall. Riiiiiiight.
DingoFish:
Data should be backed up weekly (or even nightly) because even if your machine is perfectly safe from hackers and viruses your hard drive could still crash. I have OS X backup set to run every Friday night for my personal documents. And my digital camera photos and purchased iTunes music are backed up regularly. It would suck if I lost my computer (all that pr0n….gone…boo hoo) but it wouldn’t be a disaster.
But the point is that a system can be made quite secure from worms. And if I run an attachment executable I suppose I get what I deserve.
Defending Microsoft by blaming the user… humm, you people have no hope on the future of computing I guess.
My mother wants to send me emails and maybe check the weather before going on vacation, and I believe she should not have to think about applying a patch or checking the Windows update website before doing so. Yes I blame MS because a good OS has to take care of these things for the basic user. Sure the admin can do that at work, sure the geeks can do it on their own. But DO NOT blame my mother because she did not know how to apply a patch, she did not pay another $100 for an anti-virus, and she is not able to use Linux either.
If you think MS is not to blame, you condemn yourself (and all of us) to use the same buggy software crap for another 20 years.
The main Blaster virus writer was NOT caught. This kid wrote one of the many variants of the original blaster.
It’s not Microsoft’s fault. There’s nothing they could have done to prevent this sort of attack.
I feel sorry for them, getting all this bad PR lately. It’s so sad.
Why do they always pick on Microsoft? Poor Microsoft. *sniffle*
Right, and vulnerabilities in Linux are not Linux’s fault.
What’s that? Do I hear anti-Linux pro-MS zealots coming?
People should start suing the people who send them these things. If it originates from their systems they should be responsible for the attack. I think that would pretty much fix the MS and the lame system administrator problem in one sweep. Too bad I didn’t even get one of those messages…..
Well this doesn’t really work but it was fun to think about…. It especially breaks with the car metaphor.
There are people here saying that if all the Windows PCs became Unix/Linux based PCs there would be a proliferation of Linux viruses. Please enlighten us how you get an email client to automatically execute a program when that file does not have permissions to execute it (root or user permissions)?
One of the “useful” features of Windows for virus writers is that running a file is dependent on its file extension. And another is that it can be done in Basic.
People write viruses for Windows because it’s easy not because Windows has a large market share. There’d be a lot more credit (in a technical sense) for a virus writer to get a successful virus on Unix/Linux/MacOSX.
Buy a MAC!!!
BILL never acknowledged that the internet was important until it grew BIG. They have a very very slack security advisory and the software is full of holes caused by bloatware they include for backward compatibility.
Basically they could DEFINITELY make it very difficult for the HACKER but they don’t do so because the security advisories at microsoft are incompetent and very basic compared to something like OPEN BSD or NET BSD!
they just don’t keep as close an eye on things at microsoft….and millions of SUCKERS are tied into this stupidness by compatibility issues due to an early deal between Gates and IBM….
PULL YOUR FINGER OUT YOUR ASS BILL!
You can blame the car manufacturer if someone steals your car, particularly if you discover that the door lock/alarm/security devices were faulty etc and the car manufacturer has given guarantees about these devices!
I think a better analogy would be creating a kids toy. If a company like Fisher-Price made a toy for a young toddler but the toy had small parts that the toddler could swallow, would you blame the toddler for swallowing the small parts? If Microsoft wants to make software for Joe User, then Microsoft will have to design their software so Joe User can’t hurt himself.
Or Microsoft will have to go on an education campaign to train Joe User to use a more dangerous product.
“Please enlighten us how you get an email client to automatically execute a program when that file does not have permissions to execute it (root or user permissions)?”
Hey man, see the light: what’s the whole point/challenge in creating viruses/worms etc and hacking? Right: do stuff ordinary software/people can’t do. Like I said: every lock can be broken. Just a matter of time.
And I think that if Linux had a 95% market share on the desktop, the same problems would arise as MS has today. No, I don’t THINK that, I KNOW it
This is my view exactly, except that I think that the entire computer industry needs to re-think how it designs products for consumers.
For too long the view in this industry has been “if you build it…you can ram it down their throats whether they like it or not”. We need this industry to grow up and start realising that the customer needs to be tailored for, not treated like an imbecile when they can’t/won’t understand non-core technology. Some people (like MS) think that this means you enable firewalls and auto-downloads of patches by default, nothing could be further from it. You need to re-engineer your product so that it is safe and doesn’t contain “small parts”. This can be done, it just requires a shift in thinking, the likes of which we haven’t seen for the last 20-30 years.
Thom, aren’t you the guy who wrote the “Why Linux isn’t bliss…” thing? You seem to hold a serious grudge against Linux and Linux users…
I’d posted a reply similar to Lain Peters. Anyway, your reply basically is nonsensical. What makes you believe that viruses exist predominantly for Windows because of its market share? By virtue of your argument Linux should have quite a number of viruses even today, at least commensurate with its market share… How many Linux viruses can you name that are out in the wild? And, please don’t even mention the one that wasn’t even a virus but rather a demonstration; Bliss, I think it was called. Why not just admit that when it comes to viruses that are spread via email Windows is the only really insecure platform and we all know how the majority of viruses propagate.
Hey man, see the light: what’s the whole point/challenge in creating viruses/worms etc and hacking? Right: do stuff ordinary software/people can’t do. Like I said: every lock can be broken. Just a matter of time.
If a port is open and no firewall is running is it really locked?
Every worm I can recall has attacked unsecured functionality. If locks had been in place (oh, say, a firewall that defaults to “on” or keeping ports/services closed/turned off unless a user specifically requests them) these worms wouldn’t have happened.
And even though a single lock can be broken, that doesn’t mean there aren’t more locks to bypass. For instance, maybe a virus breaks the scripting mechanism in an email program so it can run arbitrary code. Ok, that’s one lock broken. And if that’s the only lock you’re in deep trouble. A reasonable precaution would be to have more locks. Like, say, the OS files being owned by a different user. So now another lock has to be broken because this arbitrary code also has to get root.
Security is not a pointless exercise like you seem to believe. Quality matters.
Microsoft is more like Ford and the Firestone tires that had blowouts on Explorers. Microsoft makes defective products and should be held accountable for the damage they cause.
Everything goes full circle. I don’t wish any virus on anybody, but reality is that this is payback for years and years of crappy, buggy unsecure software. The public has been getting mostly swiss cheese betas for years. All these viruses are just exploiting the holes left open. It’s actually a solution for WinSin. With a billion a month increase in cash reserve, why should they care about you guys. 44 million lines of code-full of holes.
Easy solution for the problem…purchase a new dual 2ghz G5 and the upcoming Panther. I’ve had 5 Macs for 8 years, and I have never ever run a virus scan and never had a virus. All but one are connected to the internet and are still running smoothly. A 7500 with a 604e 233 running Deck multitrack audio recording. A revision A original iMac that my wife uses for the old Epson digital camera and to email in Chinese to her folks, a G3 Lombard Powerbook for general use and mobility running OSX and sometimes boot into OS 9 for some Photoshop tweaking, and two eMacs for general games and all else. My return on investment has been tremendous and the user experience without the hassles has been a pleasure and a blessing. BLAST yourself with a Mac…you will not regret it. Swallow the pride. Humble yourself to learn something far more intuitive and see longterm the total cost of ownership and lack of patch downloading/worry that we have here on the “Dell No” at work.
Easy solution for the problem…purchase a new dual 2ghz G5 and the upcoming Panther.
Geez, I just love these people … “simple solution, buy a dual 2ghz G5! It’ll work for you, because it works for me!! Nevermind if you don’t have $1,500+ lying around or don’t want to go into debt to buy one – since it is *my* preferred choice of platforms, you’ll be better off because it!!”
Fact still remains .. been a Windows user since ’93 and so far, not one virus and not one worm.
As for buying a Mac, I’d rather have my balls crushed by a wooden mallet. I’m glad that you and the other 12 Mac users think the interface is intuitive, but the rest of us are actually sane.
The week before Blaster hit I took an SFF Shuttle SK41G with a fresh install of Win 2000pro and ran MS update on it.
When the machine restarted it went in an infinite reboot cycle. Running rescues and such on it didn’t do jack. The whole machine had to be reformatted and reinstalled.
The IT guy who works here refuses to put any MS updates on machines unless they’ve already been released for several months as a service pack. The problem is that MS just doesn’t test their updates very well. He’s also lost machines from doing updates too. Another complaint is that MS updates do more than just fixes, they like to automatically help you change out your unsigned drivers with their signed drivers (happens with nvidia drivers).
The big problem is that MS has so heavily integrated everything that the cross dependencies are deadly. So changing something in the OS has a potential of breaking something else peripheral.
I just flat can’t see how any end user can be expected to easily do any updates and expect to keep a running system.
My wooden mallet is raised. Are you ready? Have your PCs been connected to the internet ever? Ha I realize cost is sometimes an issue. We can all choose to buy a Hyundai or a BMW. Which has the best ROI or COO? Are you the predictable member of the status quo in everything you do? We 12 are at the top of the class and have a user experience and not a user hassle.
I’d rather argue specific points on specific issues of hardware and software and not immature “on the block” unspecified arguments. Thank you.
I understand your premise that locks can be broken but the execute permission isn’t a lock, it’s part of the design of Unix based systems and has been around for 30 odd years. And since most of the internet is served by Unix-based systems, it should, by your premise, make a great target.
Microsoft will get it right eventually but the security aspect has to be re-designed and re-written from scratch otherwise it’s going to have so many sticking plasters on it. Its operating systems are going to get more and more difficult to patch correctly at the first go, they have already had to re-issue patches because some of their patches break other parts of the system.
Why haven’t any of Microsoft’s products that clearly don’t work as stated been recalled?
Even though they pose a national security risk, crash many a home systems, etc the ones that are genuinely faulty have no fear of ever being recalled; Win Me ranks HIGHEST ON THIS LIST.
“Every worm I can recall has attacked unsecured functionality. If locks had been in place (oh, say, a firewall that defaults to “on” or keeping ports/services closed/turned off unless a user specifically requests them) these worms wouldn’t have happened.”
I agree, I agree. Of course Linux (& co) is more secure than Windows. What I’m trying to say is: even though Linux (& co) are more secure, that doesn’t mean it’s impossible to make an effective Linux worm. It’ll only take some more trouble to do so, especially in the beginning. But, in the end, (that’s why I said: IF linux had a 95% marketshare) it will happen.
Don’t get me wrong, I’d really want you to be right (I use MDK myself), but I don’t think it’s realistic to say/think that Linux (& co) is invincible to viruses.
“Thom, aren’t you the guy who wrote the “Why Linux isn’t bliss…” thing? You seem to hold a serious grudge against Linux and Linux users…”
It seems you didn’t really read those two articles and my comments. Read ‘m up, okay??
As for buying a Mac, I’d rather have my balls crushed by a wooden mallet. I’m glad that you and the other 12 Mac users think the interface is intuitive, but the rest of us are actually sane.
Now why would you try and ruin a perfectly reasonable discussion by trolling and spouting flames like that? One wonders what you were doing with your Windows machine in 93 – See and Spell? (wow, flaming is easy!)
As a fellow Mac user, I beg you to please get over the luxury car analogy. Unlike Apple, BMW (and more to the point its customers) knows what market BMW is in. As a result, its profits have been increasing over the past several quarters unlike Apple’s. As for the topic of the article, what would make Microsoft’s OS’s secure enough? Is it possible to make an OS fool-proof? If not, how would you quantify a secure OS?
…made this typically pointed but accurate observation recently:
Another argument is that if Outbreak–er, Outlook–didn’t exist, there’d be some other market-leading email application, and the same vandals who now target Outlook would target that application instead.
This fallacy implies that the natural state of affairs is a software monoculture, where everyone runs identical software. In the larger sense, the same argument holds that if it weren’t for Windows, there’d be some other dominant OS with 90+ percent market share; and that if there were no Microsoft, there would be some other monopolist ruling the industry.
I disagree. I think Microsoft and its success is an anomaly. Standard platforms are indeed natural, but with multiple and diverse implementations. Nature tends to favor heterogeneity, not homogeneity. Email, again, serves as a fine example. In the internet-standard world of POP, IMAP, and SMTP, there are numerous servers, and a downright plethora of client applications. Internet-standard email clients are not impervious to Trojan-horse style attachment viruses, but their variety does make them exempt from widespread attack.
Further, this fallacy implies that all software is written to Microsoft’s lax security standards. It is not. Like I wrote Monday, it used to be true that you could not possibly get or spread a computer virus simply by opening a particular email message. And that’s still true for the vast majority of email client software.
—
While John Gruber (Daring Fireball’s author) is a Mac partisan, he also has his head screwed on pretty straight, and his observations are almost always worth checking out.
http://www.daringfireball.net/
Sure the world is full of dumb and lazy people who want their computers to be as easy to use as a toaster, but they’ve been led down a dangerous path by the great Pacific Northwest monopoly.
People have learned to do things the Microsoft way. They have learned that passwords aren’t necessary (or so they think), that it’s possible to send all manner of insecure crap via email. This is because MS has let them do it. Windows users are sheep who fall into line faster than a group of soldiers confronted by an officer.
Nobody calls them Eudora viruses or PINE viruses, they call them Outlook viruses because that’s what most of them are. Once again Microsoft is to blame for the spread of these things because they’ve corrupted email with “user friendly” content. They’ll argue that it makes computers easier to use, but Apple has somehow managed to accomplish that without opening a million security holes.
Microsoft will also defend the close connections between its applications and its OS, but I consider it inexcusable that a high level app can wreak havoc with the underlying OS so easily.
A computer, and by extension Microsoft, is a human invention, so would it follow the rules of nature? The history of the use of tools has shown a tendency towards standardization (from the Stone Age->Iron Age to the assembly line).
I think the car example sucks! I have a 98 GM truck and there are in my opinion two flaws in design that I know about that make my truck easy to steal. Is it the fault of GM that people want to steal trucks? NO! Is it their fault that they did not design the truck so it was hard to steal? Hell yes! Just as it is an automaker’s responsibility to make cars difficult to break into, it is Microsoft’s job to make their software harder to exploit. I guess this is why it rocks that all our cars are so different; if they all had the same locking system, when someone figured out how to break in we would all be screwed.
But when you are aware that your system has faults and you market it as being secure, then you need to be responsible. Would you buy a car whose locks didn’t work and an ignition system that started without a key? Microsoft needs to put a warning on their products and clearly spell out the security holes. They currently do not do this. Instead they continue to promote Windows for mission critical apps, though it endangers a corporation’s viability.
…what is with this “unlike Apple” with respect to profits? For all the copious doomsaying about Apple we get subject to (mostly by people who take any positive comment about Apple as a personal affront, like Darius evidently does), it’s the only major computer manufacturer other than Dell that’s making money currently. Apple’s last 10-Q shows modestly increasing net sales, and with the already-released new iPods, the new G5s starting to ship and, more than likely, both Panther and a new 15″ PowerBook by year’s end, that trend certainly isn’t going to reverse.
Darius can go off and crack his nuts with a mallet if he wants, but those 12 of us using Macs can’t help but wonder why we threaten his manhood so much. I wonder that about anyone who takes this so personally, though. I observed to a friend that when I watch “PC versus Mac” debates, the Mac people are generally saying “Macs are better than PCs because…” while the PC people are, all too often, saying “You’re a moron for liking Macs because…”
“I agree, I agree. Of course Linux (& co) is more secure than Windows. What I’m trying to say is: even though Linux (& co) are more secure, that doesn’t mean it’s impossible to make an effective Linux worm. It’ll only take some more trouble to do so, especially in the beginning. But, in the end, (that’s why I said: IF linux had a 95% marketshare) it will happen.”
Um, if it is more trouble to make a Linux worm, wouldn’t you expect fewer of them? Also, much of the Windows code base predates MS getting serious about security, while the Linux, GNU, and other free *nix developers have been serious all along. That means that MS has a backlog of old, neglected bugs to find and fix, while Linux systems do not. Further, Linux systems are patchable within days of exploit, and updating the packages on a Linux system works more robustly than applying MS hotfixes and service packs.
“I don’t think it’s realistic to say/think that Linux (& co) is invincible to viruses.”
Invincible, no. More resistant and resilient, oh yes.
I’m not trying to be a doomsayer in regards to Apple, I just don’t think the luxury analogy fits. As I said before, BMW’s marketing team (based on profits) knows how to go after its target audience better. And I may be wrong about a BMW here, but I believe an Apple computer is much more a commodity product than a BMW is.
I hate it when people blow things out of proportion….
The kid they nabbed had taken Blaster, made MINOR modifications and sent it on. He is not THE Blaster writer. As with all MS mail viruses, it is near trivial to change something in the code and so create your own version of the virus.
So, the guy was an irresponsible stupid git (but I won’t tell him that face to face…) but not the writer of the Blaster worm!!
“With 90% or so of the market share virus writers are going to get the most impact from targeting Windows, as otherwise only a small number of people will be affected and they will not get what they want: attention.”
If it is the attention they crave, I think that you can do better by creating the first OS X virus in the world. And yet, there is none… it shows that it is hard to create one (not impossible, but very hard). Script kiddies will always be script kiddies no matter how much havoc their virii cause, and it is a testament on how unsecure Microsoft OS is that you can have virus building tools around.
As far as I’m concerned… The blame can be spread around.
A lot of users couldn’t care less about using their computers properly. A lot of people won’t even look at any manuals at all. In fact, one of the first things I usually do whenever I have to deal with a problem someone is having, is ask, “Where is the manual?” Often, (not always, but often) the person I am helping says… “Oh… I don’t know… I remember seeing one… But that isn’t important! What could that possibly say of any importance?”
Believe it or not… I’ve even seen so called “professionals”/”gurus” say such things. Which brings me to the second party that’s to blame.
Really, a lot of “experts” don’t know 10% as much as they think they know and they really don’t put much effort or care into their work. I’ve seen people who build computers for a living put computers together that were junk to start with and did these people care? No.
I’ve seen computer repair people who couldn’t be bothered to put much effort into solving the problem and as a result when they’re done… They’ve typically taken care of the symptoms, but not the cause of the problem. Sometimes I’ve also seen them make a computer much much worse.
I’ve also seen network administrators who really couldn’t care less about the networks they take care of. And as a result, they had absolutely hideous networks.
Then of course we come to the software manufacturers… Who could come up with better designs, do more testing, etc…
Anyway… What it boils down to is a lot of people (from all the different groups) just really don’t care to put any effort into anything they do.
And when something happens… Whose fault is it? Everyone together now… It’s not my fault! It’s HIS/HER/THEIR fault!
Let me make something clear. I’m not saying no one puts any effort into what they do or that any one group can take care of all of the problems. It’s just that there are a lot of people who don’t put any effort into anything and a lot of these people like to pretend that they aren’t part of the problem. The fact is… They are. A lot of people I’ve met who don’t care, even advocate acting as they do and try to convince others that it’s the correct way of doing things.
To me… With cars (since that analogy is popular) it would be like… Say a fellow driver… Saying that all drivers shouldn’t have to worry about staying in their lanes, they shouldn’t have to worry about hitting other cars, they shouldn’t have to worry about checking their oil or gas, lights on the dash board should be ignored, strange sounds coming from the engine should be ignored too, smoke coming out from under your hood should also be ignored, etc… And if something does happen, clearly… It’s the manufacturer’s fault.
Or a car manufacturer saying it’s acceptable for the engine to not work when you buy a car, or for the car doors to fall off if I hit the car with a pebble, or for the windshield to break if there is a slight breeze, or if the average human being can walk 10 times faster than the car, etc…
Is Bill Gates/Microsoft dissimilar from Alfred Nobel ???
“Microsoft invented the culture of any idiot being able to use a computer.”
Nope, that “fault” is Apple’s… remember the computer for the rest of us? But much like Microsoft’s “innovation”, they hijacked a good thing ™ and turned it into a piece of crap.
“They can’t then turn around and say their OS isn’t insecure but the problem lies with the fact any idiot can use a computer.”
Yes they can and did… with their billion dollars in the bank, they can buy anything including IT industry, DoJ, media, and the truth. Fortunately, some of us are smart enough not to buy it.
Makes me want to buy another mac!
lol You know it’s always amazingly funny to watch the PC Weenies try and defend microshit and put most of the blame on their own kind. Also it’s equally funny to see them try and bash us Mac users and our OS…
Darius: I think you are probably part of that small % of Windows users that don’t have this problem because I mean come on… any Windows user that’s on the net a lot has gotten some sort of a virus if they have been using a PC that long… It’s a very rare thing if you have not… As for your comment about rather having your family jewels crushed with Mr. Mallet… What’s your malfunction? I mean have you even tried using the newest Mac OS? If you have not then please shut the f*** up and move on troller because I’m really getting tired of the senseless Mac bashing everywhere PC users are…
Oh and for your information I have used pretty much every version of Windows and even DOS (Yuck!), they all BLOW and are very insecure, why do you think they release security patches so often? and lemme tell you… Sure the Mac OS has had its share of problems in the past and a few within a year or so but now it has a rock solid core of Unix that does not have all these ports turned on that Windows comes with open that allow hackers to get in so easily… Microsoft could easily close those ports too but they don’t… Why is it so hard for Microsoft to make an OS that at least does not need a security patch every week? Yes I know some of the blame can be placed on the PC idiots that open e-mail attachments but come on guys I would say it’s at least 90% Microsoft’s fault because they can close the majority of this crap if they just work hard at it… The user should not have to worry about what to open in their mail box or have to update their system so often… I recently read this interesting article about Windows vulnerabilities and the Mac OS… Looks like I will have to post the rest of my discussion right after I post the above cause it’s over 8,000 characters lol… Stupid rule lol….
…
————————-
“Your article, and Mr. Cluley’s statements in particular, perpetrate a myth regarding the fallibility of *NIX [Unix-based operating systems] when compared to Microsoft Windows,” said Burt Janz, a senior software engineer who is president and owner of CCS New England, a computer-services provider in Nashua, N.H. Janz has developed in all the major operating systems — Windows, Unix, IBM Corp.’s OS/2, as well as OS X. While creating a Mac OS X virus is not impossible, Janz said, “the degree of difficulty here is at least 9.5 on a scale of 1 to 10.”
Even harder is creating a virus or worm that could access the OS X system. The reason, Janz and several others pointed out, is in part explained by how Unix-based systems handle multiple users on the same machine. For instance, Mom, Dad and Sis all can have separate user accounts. This also is true of Windows. But in OS X, only an account with administrator privileges can install software — and even those accounts cannot access or change applications or data in other accounts, especially not the core of the system software.
Furthermore, only a user with “root”-level permissions has full access to the system, but Apple has this access disabled by default. Most users never will go to the trouble of figuring out how to enable the root user, and don’t need to — as nothing a regular user would want to do requires root-level authority. Denied such access, the damage that any OS X malware could do becomes limited to the account of the user who runs it.
In other words, even if Dad got hit with an OS X virus that wiped out all his data — and, remember, no OS X viruses presently exist — the Mac still would operate, and Mom’s and Sis’s stuff on it would be untouched. Also, because OS X always asks the user to type an administrator password before modifying anything in the system, attempts to install malware or alter system files immediately would be flagged.
“Unlike the Mac OS, a user account with administrative privileges on a Windows machine can wreak catastrophic damage to data, programs — or the system itself. Any misbehaving task under Windows is capable of modifying any [non-running program] anywhere on the system,” Janz said. “And, when that [executable] file is run, bad things will absolutely happen.”
“Microsoft made a decision 10 years ago that their e-mail client, Outlook, should be allowed to run any script that it finds as an attachment to incoming mail. Since the average user has no idea this feature exists, or even what a script is, they don’t know to turn it off — let alone know how to turn it off,” Cardani said. So a virus like SoBig can infect a Windows machine and e-mail itself out, to everyone in the user’s address book, without the user realizing it.
“No Mac e-mail program allows this, so Mac users would have to spread a virus like SoBig manually by intentionally mailing it to other users — not a likely scenario.”
“Another issue raised by readers concerned Cluley’s statement regarding the Mac’s “security through obscurity” — arguing the reverse. The real reason no viruses exist for Mac OS X has little to do with its low market share, they say, but rather its near-impenetrability.
Though many amateurs may be looking for, and finding, holes in Windows, the FreeBSD Unix code that forms the foundation of OS X has been prodded by legions of expert programmers for 30 years.
Though a few hardy souls use the Unix offshoot Linux on PCs built for Windows — they usually wipe Windows off the hard drive — Unix typically is used in mission-critical roles, powering high-end work stations and file servers.”
———————–
PC users need to wake up and smell the corruption and lies that Microsoft is spewing out… I guarantee you that if OS X had 90% of the market sure they would have more (None currently exist) viruses but the fact to look at would be they would have a really tough time doing much if ANY harm to your system files unlike the big pile of smelly swiss cheese security that is Windows… Now Linux I don’t know too much about so I’m not sure if it would be more leak proof than OS X but I’m sure it could do better than microshit security in their shoes lol…
I don’t have any ill will toward PC users but they seem to have it for me and the rest of my Mac community… I personally wish you would just wake the f*** up and see that you’re being brainwashed practically by Bill Gates at least for my sake because I would like to have a country that can’t be taken down by a stupid Windows exploit that’s made by f***ing loser script kiddies that don’t have anything better to do because they rely on that shitty technology…
As long as more companies and Gov.’s across the world move to other more secure OS’s (Linux, OS X, Whatever floats your boat, Etc..) then I will be happy but I mean shit when even our government relies on Microsoft to be secure and it scares me everyday that I know about it doesn’t it scare you guys too? Talk about a major computer attack by terrorists or other countries waiting to happen eh?
But anyways, I just hope this senseless Mac bashing ends sometime in the future… Just face it guys, you don’t want to pay good money for a secure OS with elegant software all running on a wonderful computer that is not as cheap as bargain PC’s… You would rather be satisfied with your Cheap Ass Dell (Or Whatever Shitty PC Manufacturer you want to add in there lol) and your security hole ridden crash prone system and are too ignorant to even acknowledge the accomplishment Mac OS X has made in the OS world and in such little time it’s been out and how superior it is to Windows in almost every way and you’re just too ignorant to even try OS X and learn how fun and wonderful it is to use and at least at the end of that time say it’s a good OS even if you don’t end up using it at least you have to acknowledge that much about it… I hope I’ve made my point loud and clear and yes I’m sure there will be many flames toward me and my comments and I’m sure they will attack me directly and call me petty names because that’s all they can do and not talk facts and discuss things intelligently because most are not but I don’t care about any of that because I know I’m above it and I know what I say about the Mac and Windows is truthful and I’m not in any way a zealot (I just enjoy working on my Mac and always have) so give the debate up and have a good day everyone = )…
When you consider the issues, Windows is the clear winner when choosing a worm platform. It has a default email client and browser with limited security. Several ports open by default. Most users run as admin. Obscure file extensions for executables e.g. .scr. Windows is more widespread for home users, giving better propagation speed. No firewalling by default. And the list goes on. Linux would be a close second for some forms of worm. OS X, VMS, and others would be poor choices, but probably get 15 mins of fame for uniqueness.
Here are my whack ideas for solutions:
Get the mainstream media involved. As soon as LSD alerted MS in July about the exploit, various sites should cover it.
Automatically apply security patches, NOT full updates, by default. This behaviour could be turned off easily.
Implement some sort of quasi sudo command for windows. Constantly running as admin makes home users so vulnerable.
Turn off tcp 135, etc in a default install. When file sharing is turned on, the ports will be listening again.
If possible, get rid of the obscure file extensions like .pif which are executables. This may take years. Big warnings when executing legacy code with this extension.
Allow admins an easy way to subscribe to a security warnings list, using a dialog box on install. Alert the day the exploit e.g. RPC DCOM is discovered or revealed. Release a patch quickly. Then again a Windows warning list might be misconstrued as a mail bomb heh.
Any other ideas?
xmp
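The point in the comment above about obscure executable extensions such as .scr and .pif can be turned into a mail-gateway check. This is an added example, not part of the thread; the function names, verdict strings and the extension lists beyond .scr and .pif are assumptions made for the illustration.

```python
"""Flag attachment names that Windows would run as a program."""
import unicodedata

# .scr and .pif are the types named in the comment; the others are further
# well-known Windows executable or script types, added for this example.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd",
                   "vbs", "js", "lnk", "cpl", "hta"}
# Harmless-looking types that a lure name typically imitates (assumed list).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "zip", "htm", "html", "mp3"}


def _basename(name):
    """Drop any path, plus the trailing dots and spaces that Windows ignores."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ").lower()


def screen_attachment(name):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    reasons = []
    # Unicode format controls (zero-width space, right-to-left override)
    # change how a name is displayed without changing how it is executed.
    visible = "".join(c for c in name if unicodedata.category(c) != "Cf")
    if visible != name:
        reasons.append("invisible format-control character in name")

    parts = _basename(visible).split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext not in EXECUTABLE_EXTS:
        return ("review" if reasons else "allow", reasons)

    reasons.append("executable extension ." + ext)
    if len(parts) > 2:
        inner = parts[-2]
        if inner.strip() in DECOY_EXTS:
            reasons.append("decoy extension ." + inner.strip()
                           + " before the real one")
        if inner != inner.rstrip():
            # A run of spaces pushes the real extension out of view in
            # a narrow filename column.
            reasons.append("whitespace padding hides the real extension")
    return ("block", reasons)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    for sample in ["holiday.jpg.scr", "Report.DOC", "invoice.exe. ",
                   "notes.txt        .scr", "memo\u200b.txt"]:
        print(repr(sample), screen_attachment(sample))
```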
“Further, Linux systems are patchable within days of exploit, and updating the packages on a Linux system works more robustly than applying MS hotfixes and service packs.”
It’s utterly ridiculous to presume that the users who don’t bother using the Windows update service will somehow magically use Linux updating services if they switch.
Think about how long it took for people to update after the last OpenSSH security alert was put out. Hell, some people are probably still using the exploitable versions.
It’s all well and good saying that Linux is more secure than Windows (And it is), but the onus is still on the user to actually secure it. Just boot up your Linux box sometime and take a look at how many services are running with root privileges. Any of these could contain exploits giving someone a window of opportunity to root your system.
X. Wtf is it doing running as root?
Apache 1. Great, so I can use suexec and increase script overhead tenfold, or let any script be capable of altering files Apache has access to?
SSH. Oh joy, the default configuration allows root logins (They may have fixed this, it’s been a while).
TelnetD/FTPD. Could someone please explain to me just wtf a desktop distribution is doing with these installed and running (There’s a few distributions that do this).
Lindows et al. “You need to enter your root password to install this software” (Or similar). Just stop for a second and think how many people have unwanted Gator software on their Windows computer.
Yes Linux is inherently more secure than Windows, but let’s face facts, if it’s exposed to the net Joe User’s Linux box is probably going to be rooted just as quickly as his Windows box. Might not make the same headlines as a virus/worm since the number of people affected is going to be small, but the damage can be just as bad.
In fact there’s no reason (It hasn’t been done, so I guess there is actually a reason :>) why this couldn’t be automated. A script tries rooting a box, it gets root, recreates itself on the target box, grabs something like Apache’s access log and tries to replicate. Neat, don’t even need email anymore. All you need is a common (And able to be automated) exploit, a common app to write the copy with (cat maybe), and a set of ip addresses to propagate with (grepping logs for ip addresses should do the trick).
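The checklist in the comment above (services running as root, telnet/FTP daemons on a desktop, SSH root logins) can be checked mechanically by a defender. The sketch below is an added example, not part of the thread; it parses constructed sample text laid out like `ps -eo user,pid,comm`, `ss -tlnp` and an `sshd_config`, and all function names and finding strings are assumptions.

```python
"""Audit sketch: root-owned listeners, legacy daemons, sshd root login."""
import re

LEGACY_PORTS = {21: "ftp", 23: "telnet"}  # cleartext daemons the comment names
LOOPBACK = ("127.", "[::1]")

# Constructed sample data (not from a real host).
PS_OUTPUT = """\
USER       PID COMMAND
root       700 cupsd
root       812 sshd
root       950 inetd
root      1040 apache2
www-data  1041 apache2
ftp       1200 vsftpd
"""
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5   127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22       [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 10  0.0.0.0:23    0.0.0.0:* users:(("inetd",pid=950,fd=5))
LISTEN 0 511 0.0.0.0:80    0.0.0.0:* users:(("apache2",pid=1040,fd=4),("apache2",pid=1041,fd=4))
LISTEN 0 32  0.0.0.0:21    0.0.0.0:* users:(("vsftpd",pid=1200,fd=3))
"""
SSHD_CONFIG = """\
Port 22
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

def pid_owners(ps_text):
    """Map PID -> owning user from the ps listing."""
    owners = {}
    for line in ps_text.splitlines()[1:]:
        user, pid, _comm = line.split(None, 2)
        owners[int(pid)] = user
    return owners

def audit_listeners(ss_text, owners):
    """Return sorted (port, process, issue) findings for a human to review."""
    findings = set()  # a set, so one daemon's IPv4 and IPv6 sockets count once
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        for name, pid in re.findall(r'\("([^"]+)",pid=(\d+)', " ".join(fields[5:])):
            if port in LEGACY_PORTS:
                findings.add((port, name, "cleartext %s service listening" % LEGACY_PORTS[port]))
            # A root parent that only binds a low port is normal; the finding
            # is a prompt to confirm the workers drop privileges.
            if owners.get(int(pid)) == "root" and not addr.startswith(LOOPBACK):
                findings.add((port, name, "root-owned listener reachable from the network"))
    return sorted(findings)

def permit_root_login(config_text):
    """Global PermitRootLogin value, or None when unset (build default applies)."""
    # sshd keeps the first value it reads for a keyword, keywords are
    # case-insensitive, and everything after a Match line is conditional.
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip()
    return None

if __name__ == "__main__":
    print(audit_listeners(SS_OUTPUT, pid_owners(PS_OUTPUT)))
    print("PermitRootLogin:", permit_root_login(SSHD_CONFIG))
```

In the sample config the lowercase `permitrootlogin yes` wins over the later `PermitRootLogin no`, which is the kind of leftover line a quick visual check of the file misses.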
I can understand being cautious before adding a patch to a production server. But in the case of the RPC DCOM exploit, I’m just referring to a small patch, not a full update. Yes it could break the machine, but otherwise you will almost surely be 0wned if the box is not firewalled properly. The OC 192 script takes seconds to execute and get remote root, and requires almost zero computer skills. The output of a network mapper could be dumped into an OS detection tool which is subsequently dumped into the exploit portion. The final part of the script is the portion which gives instructions to the victim, likely uploading rootkit and staple tools. All you need is to add some self propagation code and you have a worm. It was pretty clear that this exploit would be turned into a worm very quickly.
Most likely, most of the worm code was already written months ago and simply tweaked in the last couple of months. Large portions of the code may have simply been borrowed from prior worms. When a sufficiently decent exploit was released by the Last Stage of Delirium, the propagation code was in place.
It’s a pretty safe bet that whenever a major remote root exploit is released for Windows that a worm will follow within a couple of weeks. I wish more admins knew this, or cared. The situation is similar with Linux, although you have far fewer home and SOHO boxes to perpetuate the worm’s existence.
In any event, more admins should keep a sharp eye on Bugtraq and they won’t give up r00t so easily.
newb
People asked me why I went into Mac-bashing mode .. it’s because of the nimrods who post on these kinds of boards who think that the solution for every PC problem is to go out and blow a wad of cash on a dual G5.
I guess they think that anyone who tries OSX will ‘see the light’ and be converted to their religion, but at least in my case, that didn’t happen. Yes, I have seen and played with OSX and though I will admit that it doesn’t suck nearly as badly as MacOS7/8/9 (I used to do ISP tech support for these), I don’t particularly care for it. And I’m sick of these Mac-loving fundies who think that the only reason I even bother with PCs is because I’ve been somehow brainwashed by Father William. But I’m here to tell all of you to go and get a fucking clue, and do realize that not everybody is going to think Macs are the greatest thing since sliced bread. Granted, I don’t view the PC that way either, but between the two, well .. different strokes for different folks.
As for Windows, I’ll be honest with you … to be secure on Windows is really not that damn hard. It works like this:
1. Install a half-decent firewall
2. Install a virus scanner and make sure auto-update/scan is turned on (if you don’t want to do these manually)
3. Hit Windows Update about twice a month and download any Critical Updates you find.
Well, that is what I do and have had 0 problems thus far. Some would argue that the OS should be secure enough so that people don’t have to go through the effort, but let’s apply this logic to Linux ….
Some would say that if MS came out with a patch weeks, months, or even years before a massive worm started spreading, it’s still Microsoft’s fault for building an insecure OS, even though the user didn’t take the necessary steps to apply the needed patch.
Now, let’s look at Linux. A person who tries Linux and doesn’t read any documentation at all and thus gets frustrated and gives up, Linux zealots would be quick to point out that it was the user’s fault for not doing the obvious – nevermind that the OS itself is not intuitive enough so that people can just pick up and go with it, it’s still the user’s fault. That sounds like a double standard to me.
MS (and other proprietary software companies) should be held somewhat responsible for the software they make their customers pay for. Just like car manufacturers would be held responsible if their cars broke down a lot.
I also think that PC owners have a certain responsibility towards their computer and they should look after it. Just like a car owner has to fill their car up with petrol, make sure there’s enough water, make sure the tyres are not bald etc…
One of the points is you should not have to f***ing hit Winblows Update so often… They should have the millions of holes at least somewhat patched before releasing the soft… Otherwise DON’T release a bug ridden security hole nightmare that is every version of Windows… Well I hope for the sake of PC users that use Windows that with the next OS revision Microsoft will actually take many years to just work on security issues and not so much all the other bullshit that they copy from OS X anyways… As for the brainwashing comment lol… If you willingly use Windows and say it’s good you must be (And Insane lol) by the simple fact that you have not destroyed your computer in a fit of rage from all the problems and quit using the OS altogether lol… I have used all the Windows OS’s and they are all nightmares to run, yes they are getting better slowly but not good enough and never will be and I could care less… Also I could care less that you guys go through all the problems because you put it on yourselves… If Apple remains a niche market I could care less cause I will still be using it for as long as they are around and you guys can keep having your problems lol, see if I care or the rest of the people that use Macs do lol… = P
Also I could care less that you guys go through all the problems because you put it on yourselves..
Of course, he’s right. With all the problems I am constantly experiencing with my Windows boxes, it’s amazing I even have time to jerk off anymore.
Guess it’s time to make the jump – take Bill’s cock out of my mouth and make room for Steve’s, yes?
Microsoft has been negligent.
They know their market share and uses in critical infrastructure. They also know the way the world is (not nice…).
They have an obligation to ensure the security of their technology. They have more than enough resources behind them to discredit any “outside of our means” arguments.
The negligence is embarrassing/repulsive when coupled with their security marketing statements…
Every version of NT technology was affected by the recent rpc/dcom vulnerability. This includes the most secure Windows platform ever, 2003. What makes this even more embarrassing is the vulnerability is on default exposed MS services. What kind of internal audit/review process would not focus on default exposed services, throughout no less than 7 years of product lifecycles?
There is no justification for this… it is simply sloppy.
Yes they patched it in a reasonable timeframe, once they became “aware” of the issue. But this does not negate the lack of diligence a company in their position should reasonably perform.
Well, set aside all the heated debate for a while and let’s examine a few logical questions…
There will always be exploits in complex software for some time to come. There will always be people who will work to discover these exploits. Some other individuals will have the chutzpah to abuse them. Get used to it.
Most of these “devastating” email worms that have cost the industry “billions” (who makes this stuff up anyway?) have four common elements: executable attachments, script access to users address book, ability to send email under program control and… MS Outlook.
I want these questions answered:
Why hasn’t this been stopped by the OS engineers at MS? (Nevermind whether they are responsible…)
Is it really that difficult to make it so a mass email culled from the address book can not be sent without user intervention? I bet if you popped up a dialog even the most “clue free” windows user would be wise enough not to spam everyone they have an address for.
Do attachments need to be executable? Ever? Even once they are extracted? Email is for communications, I don’t remember using a binary to tell a story. (One could ask if we even need attachments…)
Why should software besides the email client have access to the address book database?
Does anyone but a spammer need a program to send mass mail?
Maybe MS should pay for all the time wasted on virii and maybe not. In my opinion they have not done enough.
And I feel sorry for the poor kid chosen to be the blaster scapegoat.
Is it really that difficult to make it so a mass email culled from the address book can not be sent without user intervention?
Actually, it has been fixed in Outlook for quite some time, either in newer versions or security patch for the old ones. Try to use the Outlook address book with a script and it’ll pop up a warning.
The way the newer email viruses work is that they use addresses from other files on your system (.eml, .html, etc) and use their own SMTP engine to send out the mass emails – completely bypassing Outlook.
Do attachments need to be executable? Ever? Even once they are extracted?
Also, Outlook (at least the newer version[s]) has completely removed by default the ability to run executable attachments. If you turn it on and still get nailed, well ….
I’m not defending Outlook here (I personally hate it), but it’s not quite the virus magnet nowadays that everybody makes it out to be.
Did you mention that this worm attack could be commissioned by Microsoft in order to force the Windows user to buy the new antivirus products? (Microsoft bought out an antivirus specialized company recently)
So this is probably a commercial act from Microsoft.
The company that MS bought was purchased for technology, as many of their purchases of different companies are.
There are plenty of viruses going around. No need for MS to write their own.
Honest, buy a Mac (an eMac if you are price sensitive). The user experience is unbelievable and you don’t need to worry about Windows updates, worms, viruses, etc. Just use it and have fun. If you consider your time is valuable and think that you are spending too much with Windows problems, your total cost of ownership – not to talk about peace of mind – will be much lower in a few months. Give it a try! Play with one, go to an Apple store, check it out, use one of your friend’s, you have nothing to lose. If you end up buying one, you’ll love it and thank me.
“Hey man, see the light: what’s the whole point/challenge in creating viruses/worms etc and hacking? Right: do stuff ordinary software/people can’t do. Like I said: every lock can be broken. Just a matter of time.”
If a house does not have locked windows and doors, will a thief dig a hole to get inside just to see if he can do it? Use your common sense if you have any, a securely locked house equipped with a burglar alarm is harder to break into than one with open doors and windows.
Nobody argues that it is an impossibility to create virus for Mac OS X and linux and *NIX, it is just harder and requires more skills than virus creator wannabes/script kiddies have to write one for Windows. And in case you are wondering, there are better venues to take up the hacking challenge. The point of a virus is to create havoc. If it is just a challenge, why destructive payloads, then? BTW, with 70,000 virii for Windows, can you still say it is extraordinary to create one with similar exploits over and over?
“And I think that if Linux had a 95% market share on the desktop, the same problems would arise as MS has today. No, I don’t THINK that, I KNOW it ”
Then I am sorry you are such a stupid troll. To know with any certainty of the result of any thought experiment requires logic you don’t have. How do I KNOW for certain? Simple, you just dismissed all possibilities that Linux is NOT Windows, the facts that Linux does not ship with open ports and the email programs do not execute attachments without user intervention, etc.
Nobody: If a house does not have locked windows and doors, will a thief dig a hole to get inside just to see if he can do it? Use your common sense if you have any, a securely locked house equipped with a burglar alarm is harder to break into than one with open doors and windows.
True, but a lot of people view computers differently. I think it has something to do with the fact that they can plan and execute something without ever having to leave their little room and look someone in the eye. Or risk bumping into someone who might get angry if they notice what they’re trying to do.
Nobody: And in case you are wondering, there are better venues to take up the hacking challenge. The point of a virus is to create havoc. If it is just a challenge, why destructive payloads, then?
I’ve encountered viruses (on other people’s systems, I’ve never been infected) that didn’t have destructive payloads. I can’t remember what they were called right off hand… Anyway… I also remember some that don’t do anything, until after they “warn” you, then some time later they wreak havoc.
Nobody: BTW, with 70,000 virii for Windows, can you still say it is extraordinary to create one with similar exploits over and over?
Creating a virus is not extraordinary. But some people think it is. I’ve met plenty of people who think what they do is extraordinary, when in fact it isn’t even remotely a big deal. But since they feel it is, they do it anyway.
the FBI has identified a teenager as the author of Blaster
At least in Finland, an 18-year-old man is considered an adult.
I set out to learn WinNT 4.0 and Win2K a year or two ago.
I was already a (relatively) seasoned Linux user (seasoned as in sprinkled with parsley and chives, of course) and had never operated an Operating System with more than one user, as Superuser/root for anything more than installing new software and administering the users.
Wow! Was WinNT 4.0 and Win2K a shock to the system! To browse the Internet I had to be SysAdmin. To do anything besides a bare minimum, I had to be SysAdmin.
SysAdmin == Superuser/root.
I’m using Linux to surf the net now. Using Win2K to do that scares the living daylights out of me. No way Jose!
Wesley Parish: Wow! Was WinNT 4.0 and Win2K a shock to the system! To browse the Internet I had to be SysAdmin. To do anything besides a bare minimum, I had to be SysAdmin.
My mother uses Win2K and she is not set up as the “SysAdmin”, I am. She browses the Internet, gets e-mail, talks to her friends on the Internet, uses Word to write letters, etc… Just fine.
When Blaster hit… Her computer just kept right on running.
I used WinNT 4.0 once upon a time and I certainly don’t recall having to browse the Internet under my “SysAdmin” account.
At least in Finland, an 18-year-old man is considered an adult.
I don’t think teenager and child are synonymous over here. An 18 year-old “teenager” here is considered an adult as well.