Home internet users are suffering from a variety of worms, viruses, and spyware on their machines, and though they are often aware that their computers are acting funny, they often don’t have any idea why. Typical home users are not taking the necessary steps to protect themselves from these online threats. These are the findings of a recent study on internet security.
We needed a study to come to this conclusion?
wow.
> We needed a study to come to this conclusion?
> wow.
No fricking kidding. I don’t know many typical home users that even understand how the computer works. They just don’t care. Ever since (what was it mydoom? codered?) our call center has become virus/worm central because the general public refuses to learn how to protect themselves. Even after they get burned two, three, four times in a row. It’s simply amazing.
“The study being released Monday by America Online and the National Cyber Security Alliance found that 77 percent of 326 adults in 12 states assured researchers in a telephone poll they were safe from online threats. Nearly as many people felt confident they were already protected specifically from viruses and hackers.”
and
“Two-thirds of the computer users also were not using any type of protective firewall program, and spyware was found on the computers of 80 percent of those in the study.”
A partial / personal story: To this day, a family member swears up and down that AOL installed NMAP for the security of her PC. That advice came from another family member, which she regurgitated quite promptly. No response was issued with respect to the numerous keyboard loggers installed.
When will companies ship OS’ secure by default.
> When will companies ship OS’ secure by default.
What you say? I believe the question should be: When will Microsoft ship an OS that is secure by default. And no, I don’t consider turning on the firewall “security.”
Are there any plans out there to check on the standard of grammar on posted comments? (just kidding)
But seriously, “most” internet users don’t spend much time even thinking about security, let alone doing anything about it. Despite my use of antivirus, firewall, anti-spyware, anti-trojan software, mozilla firefox as default browser & litestep as shell (on windows XP SP2), I still get “infected” by spyware & the (very) occasional virus.
If I get “hit” by these parasites, what chance the non-paranoid?
One day I’ll use OpenBSD.
I wish that there were as many commercial applications, including games, on non-Windows platforms (OS X, Linux, et cetera). That is the ONLY thing stopping people that are aware that the choice exists.
The moment I switched to OS X at home, my computer has been free of VD for a whole year!!! Yes, I am a Windows computer technician by day, and a mac user by night.
Never had a security problem on my OS X system. The problem is inherent in Windows. Other systems like OS X and Linux aren’t plagued by the problems experienced by Windows users.
No other OS (including MacOS, Linux) suffers from the viruses and spyware that plague Windows.
Malicious hacking is something all OSes are vulnerable to, though a system like OS X which disables all external services by default is the most secure in this regard ‘out of the box’.
‘Security for Microsoft Windows Users deemed weak’ should have been the title of this article – as it is, it unfairly disparages the excellent security engineering and practices implemented on computing platforms such as Apple MacOS and the various Linux distributions.
I blame the broadband providers. They send people that are clueless about the internet and always-on connections USB DSL modems, or better yet connect the DSL or cable modems directly to home users’ machines. For the longest time they wouldn’t support home networks, the very thing that would or could prevent this stuff. How about coming up with a cable/DSL modem that has built-in NAT/firewalling.
Not all ISPs are that bad; my ISP for example blocks most troublesome ports (rpc dcom, lsass, netbios/smb, etc).
The focus of this article is on spyware. The principal source of spyware, no matter what the idiots tell you when you go to fix their machines, is user interaction. I have to wipe a couple of pieces of spyware off a friend’s machine *weekly* because, no matter what I fricking do, I can’t convince them to stop using bloody P2P programs. I kill the spyware and uninstall those pieces of crap; next week, I’m back again and, surprise surprise, every P2P app in the history of the universe is back on the machine. Hell, they even tell you in the sodding LICENSE AGREEMENT that they’re going to put spyware on your machine.
If you’re at the point where the user is actively helping you install the app in question despite you telling them exactly what it does, no operating system design on Earth is going to help them. How exactly does OS X or Linux protect you against an application bundled with a spyware program that pops up advertising windows every so often which *tells the user* the spyware program is going to be installed when they run the little script to install it?
It doesn’t. End of story.
oh, and btw, no, we didn’t need a study to come to this conclusion. AOL needed a study to send out to the press so they could get a bunch of PR for their “making the internet better” campaign or whatever it is.
After they spend hundreds or thousands on a new computer, they probably think that their machine should run correctly without a lot of handholding on their part. Silly them. See, it would be one thing if it took a Lex Luthor type of criminal to break into computers, but when some bald, fat teenager from Minnesota can do it (and lead the Feds right back to his own website in the process), then it’s simply too easy. If inept programmers can’t make an OS secure, at least they could make it a little harder.
“Never had a security problem on my OS X system. The problem is inherent in Windows. Other systems like OS X and Linux aren’t plagued by the problems experienced by Windows users.”
Things like viewing a PDF file will cause a virus? In Linux? Yeah, that means every system has serious vulns. Too bad XP was originally without a firewall though.
see above. It is never going to require a Lex Luthor type of criminal to break into a computer on which the user is permitted to install software. All it requires is someone who can convince a person to install a piece of software.
@anonymous (fi): no, this is not FUD. It is an inaccuracy. Please understand the meaning of the term FUD before spraying it everywhere.
In Mac/*NIX there really aren’t many places for spyware to ‘hide’ – and when you remove an application by deleting it, you know it’s gone.
You can see with the process list exactly what is running, under what user account it was started, and you can easily clean/monitor the machine remotely.
With Windows, there are numerous ways to hide programs from the process list, the registry is a labyrinth in which spyware/adware/viruses can hide their markers and the average user is effectively prevented from seeing what is actually going on on their PC even if they want to know.
Linux and MacOS X are way more ‘transparent’ in terms of showing you what is actually happening on your computer than Windows is. The browsers and mail clients don’t execute software automatically and privilege separation in the form of separate user accounts is encouraged and ‘security by obscurity’ is actively eschewed.
Are either MacOS X or Linux perfect? No, but at least both Apple and the Linux distro vendors/kernel hackers take security seriously and pay it more than lip service. By contrast Microsoft cook up a plan for profiting from their own systems’ hopeless insecurity, e.g. MS’s antivirus product plans and their ‘you must pay to upgrade to XP/Longhorn if you want a secure system’ policy.
But whatever, you keep cleaning the spyware off your friend’s PC and I’ll keep using my Mac and Linux systems without ever having to worry about it.
heh, give me a dollar and I’ll come over and show you just how many different places you can stick something to have it start on boot in Linux.
Your other points are true to an extent but mostly irrelevant to what I’m saying; yes, it’d probably be a little easier to clean spyware off an infected Linux computer (having single-user boot and being able to kill multiple processes at once also helps – I just don’t understand why Windows doesn’t have this second feature; it allows the annoying trick whereby spyware runs two or three processes that protect each other), but my point is it’s just as easy for it to get infected in the first place, assuming equal competence of the system user, since the normal vector for spyware delivery would work with equal effectiveness on any operating system that allows the user to install software.
And give you a normal user account on one of my systems, and then I’d be happy for you to show me how many places you can put your spyware to start on boot in my system.
No offense, I understand what you are saying, and see your point re. user stupidity being a problem w/regard to spyware, and that the OS in many cases isn’t to blame.
However – spyware, for whatever reason, is currently a Windows-only problem – I don’t see why it is difficult to see why people like myself take exception when reporters broadly label ‘internet users’ as being vulnerable to these spyware issues when that’s inaccurate at best and a flat out lie at worst.
It’s like labelling road users as a big source of pollution and then wondering why cyclists have a problem with what you’re saying.
> “Never had a security problem on my OS X system. The problem is inherent in Windows. Other systems like OS X and Linux aren’t plagued by the problems experienced by Windows users.”
> Things like viewing a PDF file will cause a virus? In linux? Yeah, that means every system has serious vulns. To bad XP was originally without a firewall though.
Viewing a pdf file will _cause_ a virus? That’s new to me. Yes, apps on every system are vulnerable; that doesn’t cause viruses, merely provides an avenue for them.
I’d barely compare a vulnerability in xpdf to the many, many vulnerabilities in Internet Explorer, or Windows rpc… it’s just not in the same class. Linux isn’t immune; linux apps even less so.
The ability to exploit an app that’s basically used locally, and isn’t even particularly standard [kpdf, adobe’s stuff, linux without X… not to mention that xpdf isn’t linux-only], really does not count against the security of the host OS, imho.
> In Mac/*NIX there really arent many places for spyware to ‘hide’ – and when you remove an application by deleting it, you know its gone.
False. Unused blocks of space in system executables, at the end of other files, trojanned kernels….
> You can see with the process list exactly what is running, under what user account it was started, and you can easily clean/monitor the machine remotely.
Very false. Altering process lists is trivial. Under linux, you can even have kernel modules which hide themselves from tools like lsmod; they can obviously impact the system in arbitrary ways, including altering the process list and files that you see.
> With Windows, there are numerous ways to hide programs from the process list, the registry is a labyrinth in which spyware/adware/viruses can hide their markers and the average user is effectively prevented from seeing what is actually going on on their PC even if they want to know.
Yes, Windows is a mess. Conversely, though, there are way more useful tools under Windows for checking out what’s going on. Yes, I love lsof and strace and tolerate GDB, but…
Windows has a worse design, but malware can be very good at hiding, regardless of the system. Tools have evolved as a result.
Saying this is just a Windows problem is at the best naive. Yes, currently it’s pretty much isolated to Windows, and as a platform Windows is horribly vulnerable to such things, but say everyone gets sick of it and are running Linux in 5 years time. Do you think spyware is just going to give up at that point?
Of course not. It’ll get sneakier. There’d probably be less of it, and certainly less of the daft remote exploits we’ve been subjected to recently. But it would still be a problem.
The important thing here is to learn from the failings of Windows, not to stick your head in the sand and pretend they don’t affect you.
You could make some interesting criticisms of the survey too – taking exclusively AOL users is probably not a fair sample space. Of course the conclusion isn’t particularly shocking, so it doesn’t really matter.
> False. Unused blocks of space in system executables, at the
> end of other files, trojanned kernels….
> Very false. Altering process lists is trivial. Under
> linux, you can even have kernel modules which hide
> themselves from tools like lsmod; they can obviously
> impact the system in arbitrary ways, including altering
> the process list and files that you see.
Please, you’re talking about classes of exploits that are just way out of the ‘spyware’ ballpark.
Everything you mentioned requires root privileges, and the big reason Linux/MacOS is more secure and less prone to viruses, in general, than Windows is that it is a hell of a lot harder to obtain root privileges.
If you are saying that under Linux you actually have to gain root privileges and/or backdoor the kernel even to hide your process from view, then I’d say that illustrates the inherent transparency and security of the OS rather well.
>>>Very false. Altering process lists is trivial. Under linux, you can even have kernel modules which hide themselves from tools like lsmod; they can obviously impact the system in arbitrary ways, including altering the process list and files that you see.
That is called a kernel rootkit; even in Windows, rootkits can do the same thing in kernel mode, and you can do it in user mode by hooking the ntdll.dll API easily too. I mean, it’s too easy in Windows.
You can talk about ‘might’ and ‘will become’ and ‘in the future’ all you like
But right now Spyware is a Windows-only problem.
Nobody is burying their head in the sand, this is the way it is.
Linux and the MacOS have their own set of problems from a user point of view – but because MacOS X lacks a lot of business applications, does that mean Windows is going to lack them in future? No, that’s just retarded.
Because Linux has an unpolished set of user interfaces today, does that mean that Windows is destined to evolve towards this model too? No, that’s just retarded.
So why would you say something like ‘Linux and MacOS X have no spyware today, but it’s a virtual certainty they will be vulnerable to these problems in future’? It’s just retarded.
If it comes to pass, then I’ll be the first one to admit it’s a problem and deal with it as I have dealt with the other problems I have with my systems, but there’s simply no way I’m going to sit here and accept that spyware is a problem on MacOS X and Linux without some kind of evidence of its existence, or some kind of rational explanation for why such a situation is inevitable.
> Please, youre talking about classes of exploits that are just way out of the ‘spyware’ ballpark.
Not really. Yesterday’s “theoretical, we’ll never see that in the real world” vulnerabilities become today’s exploits used by every script kiddie out there.
> Everything you mentioned requires root privileges,
Sure. Nothing prevents me, as spyware running as a user, from changing the user’s $PATH environment variable to run custom copies of things like ps/top though.
> and the big reason Linux/MacOS is more secure and less prone to viruses, in general, than Windows is that is a hell of a lot harder to obtain root privileges.
Spyware doesn’t -need- root privs. Root makes it harder to detect, and harder to uninstall – but what’s the point of spyware?
To log keystrokes? To pop up ads? To copy all your openoffice files? Whatever – none of that requires root. Check out how little protection different X apps have from each other on the same $DISPLAY sometime.
> If you are saying that under linux you actually have to gain root privileges and/or backdoor the the kernel even to hide your process from view, then i’d say that illustrates the inherent transparency and security of the OS rather well.
Not really, no. Just because Windows is worse doesn’t mean Linux doesn’t suck.
I’m primarily a Linux user; I haven’t run Windows on my PC for years. I try to avoid sticking my head in the sand, though; Linux _sucks_, in general, at present, security-wise. Just because other widely-known systems are far worse doesn’t change this.
> Not really. Yesterday’s “theoretical, we’ll never see that
> in the real world” vulnerabilities become today’s exploits
> used by every script kiddie out there.
Yeah, why not resort to completely hypothetical situations to try and make your point?
I’m really not trying to claim Linux or MacOS X are immune from attack – just that I object to being labelled as having weak security with spyware and viruses used as justification for this when spyware and viruses simply don’t exist for my platforms.
I understand that Linux and the applications that run on it are not impregnable, and I’m not burying my head in the sand over OS and application security – but the simple fact is that spyware is not a problem on Linux and MacOS X, and until it is shown to be a problem, I’m not going to accept that it is a problem, because that is just retarded.
Weak as in it’s not 100%, sure. No one (to my knowledge) ever said otherwise.
Weak compared to Windows? That’s simply ridiculous. Linux/OS-X would have to purposely ADD vulnerabilities in order to have a weaker security model than Windows.
> Weak compared to Windows? That’s simply ridiculous. Linux/OS-X would have to purposely ADD vulnerabilities in order to have a weaker security model than Windows.
How so ?
> In Mac/*NIX there really aren’t many places for spyware to ‘hide’ – and when you remove an application by deleting it, you know it’s gone.
Assuming you can *find* it. Ever spent time sniffing around a unix filesystem? It’s hardly a small and simple structure. You don’t really think a virus will handily install itself into /usr/bin, do you?
And that’s before even getting into *complicated* ways of hiding.
> You can see with the process list exactly what is running, under what user account it was started, and you can easily clean/monitor the machine remotely.
Unless someone has trojaned your ps/top/ls/rm etc commands like, say, most rootkits do.
> With Windows, there are numerous ways to hide programs from the process list, the registry is a labyrinth in which spyware/adware/viruses can hide their markers and the average user is effectively prevented from seeing what is actually going on on their PC even if they want to know.
As with Linux and OS X. Your point ?
> Linux and MacOS X are way more ‘transparent’ in terms of showing you what is actually happening on your computer than Windows is.
Maybe if you don’t know where to look.
> The browsers and mail clients don’t execute software automatically and privilege separation in the form of separate user accounts is encouraged and ‘security by obscurity’ is actively eschewed.
No Windows mail clients execute software “automatically” either – it requires user intervention. Separate user accounts are just as doable in Windows (the help files suggest it).
> Are either MacOS X or Linux perfect? No, but at least both Apple and the Linux distro vendors/kernel hackers take security seriously and pay it more than lip service. By contrast Microsoft cook up a plan for profiting from their own systems’ hopeless insecurity, e.g. MS’s antivirus product plans and their ‘you must pay to upgrade to XP/Longhorn if you want a secure system’ policy.
Oh, goody, I love conspiracy theories. Tell me more ?
> But whatever, you keep cleaning the spyware off your friend’s PC and I’ll keep using my Mac and Linux systems without ever having to worry about it.
I manage to use Windows machines without ever worrying about it either. Amazing, eh ?
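The back-and-forth above about whether a trojaned ps (or a custom copy found earlier in $PATH) and a self-hiding kernel module defeat the ‘just look at the process list’ argument suggests a simple defender’s cross-check: read /proc directly and compare it with what the ps binary reports, sampling twice so that processes which merely started or exited between snapshots are not flagged. This is an added example, not code from any commenter; it assumes a Linux host with procfs mounted and a ps binary on PATH, and it is a detection aid only, since a kernel-level rootkit can lie to both views.

```python
#!/usr/bin/env python3
"""Cross-check the process list: procfs versus the ps binary.

A user-level trick (a custom ps earlier in $PATH) or a kernel rootkit that
filters what ps sees can both make a process vanish from `ps` output.
Listing the /proc directory ourselves gives a second, independent view; a
PID that is stable in /proc across two samples yet never appears in ps
output deserves a closer look.  A hidden kernel module can falsify both
views, so agreement is not proof of a clean system.
"""
import os
import subprocess


def list_procfs_pids(proc_root="/proc"):
    """PIDs obtained by listing the procfs directory directly (no ps involved)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def list_ps_pids():
    """PIDs as reported by the ps binary; `-o pid=` suppresses the header line."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def find_hidden_pids(samples):
    """Reconcile several (procfs_pids, ps_pids) samples taken back to back.

    Only PIDs present in *every* procfs sample but in *no* ps sample are
    reported.  That filters out short-lived processes (including ps itself)
    that start or exit between snapshots, which would otherwise be false
    positives.  An empty sample list yields nothing suspicious.
    """
    if not samples:
        return set()
    stable_in_procfs = set.intersection(*(procfs for procfs, _ in samples))
    seen_by_ps = set.union(*(ps for _, ps in samples))
    return stable_in_procfs - seen_by_ps


def process_name(pid, proc_root="/proc"):
    """Best-effort name from /proc/<pid>/comm; '?' if the process is already gone."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def audit(rounds=2, proc_root="/proc"):
    """Take `rounds` paired samples and return {pid: name} for suspicious PIDs."""
    samples = [(list_procfs_pids(proc_root), list_ps_pids()) for _ in range(rounds)]
    hidden = find_hidden_pids(samples)
    return {pid: process_name(pid, proc_root) for pid in sorted(hidden)}


if __name__ == "__main__":
    suspicious = audit()
    if not suspicious:
        print("procfs and ps agree on the process list")
    for pid, name in suspicious.items():
        print(f"PID {pid} ({name}) is in /proc but was never reported by ps")
```

Run it as an unprivileged user to see what a non-root process can observe; compare the result with a run as root if you want to rule out permission-related gaps in /proc.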
Really, I don’t get problems from the internet. I do better than Windows because I use BeOS. As has been pointed out, all OSs have their weak points. The problem with Windows is how many weak points it has that have been known for years. Buffer overflows – just how many buffers does Windows have anyway that overflow checks have not been added to after all these years? And why is it that when an overflow problem is discovered in a program, all the buffers in that program don’t get checks added too? Personally, the main reasons I believe I don’t get viruses on my machine, aside from the fact no-one is writing any, are that my mail program does not process HTML (a good way packets are exchanged with an outside machine). Executables need to be saved before they can be run. No ActiveX, no JavaScript, no Java – when reading messages, why do I need these? The Firefox browser is not perfect but far better than IE for safety. And of course no reg-file. There is a major advantage there: it is easy to check for changes in the config directory that replaces it. Does anyone know why Microsoft has not changed their system to a true directory structure?
Your rebuttals are just a complete waste of time in the face of the fact that spyware is a Windows-only problem.
Your suggestion that Windows browsers and mail clients -specifically Internet Explorer Outlook/Outlook Express don’t run software automatically is just plain wrong.
How do you explain this:
http://www.winnetmag.com/Article/ArticleID/25002/25002.html
or this:
http://www.oucs.ox.ac.uk/viruses/avdocs/prevent/index.xml.ID=msconf…
or this:
http://www.nyu.edu/its/security/nyusecnews.delf.2000a2.html
some of these are old, and might be patched by now, but by default, scripts are run automatically by these clients, and it is a major source of virus infection.
For the nth time, yes, you do have to gain root privileges, e.g. by installing a rootkit, to do much to compromise the security or affect the ‘transparency’ of a UNIX system. It’s not impossible, just pretty damn difficult. That’s the definition of ‘secure’.
Conspiracy theory? Last time I checked these were facts. If you want to refute the facts that a) Microsoft is considering producing anti-virus software and b) that there are vulnerabilities in existing Windows OSes for which Microsoft offers a single suggested fix – upgrade to a later version of the OS – with the attached pricetag, then knock yourself out.
Perhaps you could explain, if Windows security is on-par with or better than Linux/MacOS X (which I am guessing is the point you are trying to make) – why spyware is a Windows-only problem?
The biggest issue is not that users don’t know how to set up security, but that OS companies generally assume that they do.
Windows requires people to know that they need a firewall, to know that they should run anti-virus software, to know that they should regularly check for spyware.
For people like us (interested hobbyists/users) that’s all well and good. We take the time to learn these things.
For the vast majority, however, there is an implicit assumption that the OS is secure from the beginning, and there’s a lot of company advertising to back up that assumption.
The problem absolutely does not lie with the users. They shouldn’t have to have CompSci degrees to run Windows. They should be able to install it and leave the security to MS. The most they should be required to do is remember passwords. Anything more is covering holes in the OS.
I’ve used Windows since 3.0, MacOS since about 4.x and haven’t played around too much with Linux. I believe that the evolution of the various OSs is nowhere near the endpoint. Apple comes closest in getting the user going simply and securely, and they’re greatly helped by the BSD underpinnings of OS X in that. There’s still a long way to go for OS X and (definitely) for Windows, but Linux has the longest way of all (user experience is not simple enough for novice users – what are the odds of a novice setting up a secure Linux box?).
So yes, most Windows installs are not secure. What is Microsoft going to do about this? They have the responsibility to their customers, after all. XP SP2 was a good start, but there’s a long way to go yet.
> Your rebuttals are just a complete waste of time in the face of the fact that spyware is a Windows-only problem.
I swear – if I were a programmer, I would build some Linux spyware just so people would shut the hell up. And don’t tell me it isn’t possible to do this either … once you give a program permission to send packets through an outbound port, it automatically has the capability to become spyware. You Linux pundits just keep believing that you’re immune and one of these days, even though it may be much less profitable, somebody may write some Linux spyware just because they get tired of you running your mouth.
Adam, it looks like you don’t know how to secure Windows NT/2000/XP. (Windows 9x, ME btw aren’t securable without extreme levels of tinkering.)
If you demand that your tools do your job for you, you will be constantly disappointed.
To secure any computer properly takes a lot of work. Windows is especially difficult to secure. Once you know what you are doing, it should be possible for you to not use a firewall or virus/trojan detector and still have a secure system…even if you hand it over to a total novice.
Unfortunately, from what you wrote, it looks like you believe that the same problems that plague a default configuration of Windows (^ read “Windows NT/2000/XP”) will also plague a default configuration of Linux or OSX.
This is not true. While Windows^ does have proper permissions and other security tools available, most are not configured properly. If Windows^ were locked down, it would be fairly secure.
In the case of Linux and OSX, most of the locking down has already been done with most default installations.
One example: In Linux, OSX — as well as most other forms of Unix — users can’t install software system wide. They have read/write access to a small set of directories (think ‘Documents and Settings’ under Windows) and nothing more.
There are other examples, and while Windows^ *DOES* provide similar features to the Unix systems, most of the time these features are not enabled on a default Windows^ configuration.
That’s the main difference between Windows and everything else; the default settings.
But you’re not a programmer, and spyware is still a Windows-only problem.
You’re actually angry about the fact that other OSes are free from spyware?!
Nobody is saying any OS is immune from spyware, just that currently spyware is a Windows-only problem, and the labelling of all internet users, not just Windows users, on the basis of spyware and virus infections is highly inaccurate.
“If you demand that your tools do your job for you, you will be constantly disappointed.”
The tools are advertised as something they’re really not – secure and safe. If they were as good as the hype, then the above statement would be true. It’s not though.
Why should a busy person have to learn the ins and outs of a PC just to use it safely? What justification is there for people to be forced into this, when they’re the customers?
“The problem absolutely does not lie with the users”
yes, it absolutely does. As I wrote above, most spyware does NOT insinuate itself onto systems by nefarious means. People actually actively agree to install the bloody stuff. There’s nothing *any* OS design can do to stop this, besides not letting users install software.
@anonymous: you completely misunderstand my point. See above; I’m not talking about OS security in the sense of defending against cracker attacks or viruses or trojans. I’m making the point that no spyware vendor *needs* any of that to get on the average luser’s system. I am perfectly able to secure a Windows system, thanks very much. Please explain to me how I am to prevent the person who owns that system from installing software on it, preferably in a manner which doesn’t involve blunt instruments and the local law enforcement agencies…
> Your suggestion that Windows browsers and mail clients – specifically Internet Explorer, Outlook/Outlook Express – don’t run software automatically is just plain wrong.
Your implication is that they do so *deliberately*, not because of coding errors. There is a substantial difference between the two scenarios.
> For the nth time, yes, you do have to gain root privileges e.g. by installing a rootkit to do much to compromise the security or affect the ‘transparency’ of a UNIX system.
Untrue. The things a typical worm, virus or trojan wants to do it is quite capable of doing in a regular user account.
> Conspiracy theory? Last time I checked these were facts. If you want to refute the facts that a) Microsoft is considering producing anti-virus software and b) that there are vulnerabilities in existing Windows OSes for which Microsoft offers a single suggested fix – upgrade to a later version of the OS – with the attached pricetag, then knock yourself out.
a) I didn’t disagree with this; I disagree with your implication that they’re doing this instead of fixing these mythical “problems” – that you seem to think are fixable – making Windows supposedly more vulnerable to viruses than other OSes.
b) Last I checked the versions of Windows that aren’t being supported any more are *ancient*. I can’t fault them for not wasting effort on Windows 95.
> Perhaps you could explain, if Windows security is on-par with or better than Linux/MacOS X (which I am guessing is the point you are trying to make) – why spyware is a Windows-only problem?
Because no-one is bothering to write spyware for Linux and OS X yet.
> This is not true. While Windows^ does have proper permissions and other security tools available, most are not configured properly. If Windows^ were locked down, it would be fairly secure.
Don’t run as an Administrator and you’re at exactly the same level of “locked down” as you are running as a user on Linux or OS X.
Tough stuff indeed.
> One example: In Linux, OSX — as well as most other forms of Unix — users can’t install software system wide. They have read/write access to a small set of directories (think ‘Documents and Settings’ under Windows) and nothing more.
I imagine most people would get rather annoyed if they spent $2000 on a computer and then couldn’t install any software on it.
Would spyware be a significant problem in Linux if it were the number one OS? That is the million dollar question…
I’m sure it would exist. But then, speaking in relation to Gentoo and Debian, you only very rarely download and install from random untrusted sources; typically it’s apt-get install this or emerge that. I think that would make the deployment of spyware a whole lot more difficult on those respective distros.
Given that mdk, rh, and slack all have similar things to apt-get (never used any of them, so I don’t really know; I’ve only heard about urpmi, slapt-get (sp?) and the likes).
When I do run untrusted software, it’s often within the constraints of systrace.
Though I fully acknowledge that systrace is beyond the average user, I think the idea of using package repositories is a most excellent game plan, and I also think it’s more user friendly than the current approach.
(Really, opening up a friendly front end to apt-get is easier than trying to work out how to use the web browser, then how to find software (where does a newbie find free software? They inevitably end up at the worse places to download things from), then downloading it, then running whatever it is you’ve downloaded {of course, you have to know where you saved it, which honestly does cause a lot of people a lot of problems}.)
> “If you demand that your tools do your job for you, you will be constantly disappointed.”
> The tools are advertised as something they’re really not – secure and safe. If they were as good as the hype, then the above statement would be true. It’s not though.
> Why should a busy person have to learn the ins and outs of a PC just to use it safely? What justification is there for people to be forced into this, when they’re the customers?
First: I was being charitable to Windows. To say it is a pain to secure really makes pain seem like a joy ride. To properly secure Windows takes an amazing amount of effort — initially much more than any Unix system I’ve dealt with. If you secure multiple machines, automation tools are really the only way to do this if you want to keep your sanity.
Rule: Security is a process not a product.
Unfortunately, if you follow the standard methods to secure Windows…you can’t be assured that your system is secure.
Example: XP system gets cracked before SP2 is installed.
There are of course many, many, other examples, and there are simple ways to avoid the example I’ve given. Add them up, though, and either things break or you’ve left some other hole around ready to be exploited.
The poor people who walk into a super store and walk out with an XP system are wrong if they believe it is secure. Out of the box, it is very fragile even if current patches have been applied.
A mere mortal can’t secure that XP system. Most admins can’t. The naive ones think that all they need is to run a firewall, add anti-virus, tweak a few settings, and install a few patches. LOL! Microsoft is to blame for the sad state of disinformation because security was not built in by design and they encourage people who shouldn’t be touching production equipment to click around and call themselves admins.
By default, most Unix systems such as OSX and Linux enforce restrictions and plug the most common holes. Unlike Windows applications, Unix applications are designed to handle these restrictions…so they work within the rules. Does this make OSX and Linux — let alone other Unix systems — totally secure? Nope. It does get rid of the common problems mentioned here though — yep!
I know it’s a softball question…and that we likely agree on just about all the details…but what the hell!
would spyware be a significant problem in linux if it were the number one os is the million dollar question…
Nope!
Apache — another example of open source — is the #1 web server. It runs on just about every modern os including Linux and Windows.
Yet, Microsoft’s IIS gets exploited more often.
There are many reasons for that. Debate!
@anonymous: you completely misunderstand my point. See above; I’m not talking about OS security in the sense of defending against cracker attacks or viruses or trojans. I’m making the point that no spyware vendor *needs* any of that to get on the average luser’s system. I am perfectly able to secure a Windows system, thanks very much. Please explain to me how I am to prevent the person who owns that system from installing software on it, preferably in a manner which doesn’t involve blunt instruments and the local law enforcement agencies…
If the user owns the system and insists on installing malware — don’t support them (unless they pay you well!).
Do I really believe that? No. I don’t. The truth is much more harsh.
If you spend time to secure a system and can’t prevent a local user from screwing it up your time has been wasted. Windows can be secured and you should know how or find out how without me telling you in detail.
Since I do not plan on typing out a large manual to explain what I do and why, I will say this;
* After installing SP2 on an XP system, my first run through the security settings and locking down the system took 2 solid days — not including research specific to SP2 that required an additional week.
* Many external tools were used (ex: Nessus), and hand tweaking of the settings were required.
* With that done, the next step was to build automation tools and scripts so that it could be done much faster.
* As more information is learned, the tools will be improved.
* The system is now secure without a firewall (though one is enabled for kicks), users can not install local software, and known problem software was replaced by securable software (I’ll let you make your own list of what’s good and bad).
Windows is a royal pain to secure, though it is possible to do.
Unix systems are much easier to secure and the methods that apply for Unix systems also apply to Windows.
If you want to learn about security under Windows, build an OS from scratch — meaning, pick Linux or a BSD that requires manual installation of each part — and use it. Keep notes and when you look at Windows tell yourself “Linux/BSD/… and Windows all do the same things…what is Widget Z in Windows called under Linux/BSD/… and how do those other guys do it? Why do they do it that way?”.
Think of it like learning another language; you learn about language in general and improve your native language skills too in the process.
Anonymous
But you're not a programmer, and spyware is still a Windows-only problem.
So first you say that spyware is a Windows-only problem …
Nobody is saying any OS is immune from spyware, just that currently spyware is a Windows-only problem
Then you say that spyware currently is a Windows-only problem – the key word here is currently. When you leave out the ‘currently’ part, you tend to give the impression that if the masses were to switch to Linux, all viruses/worms/spyware would go away. However, unless Linux is bulletproof and has the ability to prevent users from doing stupid stuff (including typing in the root password when prompted), I highly doubt this is the case. Would it be as bad as it is on Windows? Probably not. But someone (not necessarily you) saying that there’s no spyware on Linux and there never will be is intellectually dishonest. Also, despite what a previous poster says, Windows is not that hard to secure, unless you want to prevent a user from doing anything. A person would have a much easier time spending 20-30 minutes learning how to stay virus/spyware free on Windows than they would enduring the headaches involved with switching operating systems.
Roscoe
would spyware be a significant problem in linux if it were the number one os is the million dollar question…
im sure it would exist. but they're speaking in relation to gentoo and debian, you only very rarely download and install from random untrusted sources, typically it's apt-get install this or emerge that, i think that would make the deployment of spyware a whole lot more difficult on those respective distros.
AFAIK, Gentoo is a source-based distro and Debian mainly hosts Free software. So what do you do when Linux gets to be more popular and there’s more and more binary, non-free packages out there? Eventually, either distros won’t be able to keep packages in their repository (either for legal or religious reasons), or the deluge of new software packages will be too much to keep up with.
Then you say that spyware currently is a Windows-only problem – the key word here is currently. When you leave out the ‘currently’ part, you tend to give the impression that if the masses were to switch to Linux, all viruses/worms/spyware would go away. However, unless Linux is bulletproof and has the ability to prevent users from doing stupid stuff (including typing in the root password when prompted), I highly doubt this is the case. Would it be as bad as it is on Windows? Probably not. But someone (not necessarily you) saying that there’s no spyware on Linux and there never will be is intellectually dishonest. Also, despite what a previous poster says, Windows is not that hard to secure, unless you want to prevent a user from doing anything. A person would have a much easier time spending 20-30 minutes learning how to stay virus/spyware free on Windows than they would enduring the headaches involved with switching operating systems.
Moving to Linux from Windows will eliminate the vast majority of problems even when/if Linux becomes wildly popular at the novice level.
As for switching operating systems, the only hangup are applications. If the app you need exists, no problem. If not, big problem. Everything else is minor.
The benefits of switching include not having to dink around with firewall tools and anti-virus programs, let alone malware removers and protectors. They just aren’t needed *currently* and will not likely be needed *ever* because of the ways the systems are designed and managed.
To start, the default settings for Linux (and most other Unix systems including OSX) are much more secure. A normal user *can’t* install software globally, for example.
Windows default settings are horridly insecure, and many of the features it has are either difficult to remove or cause the system to break in one way or another if removed.
While this is often because of open standards and the history of Unix, it does not always require full openness; OSX.
OSX has a core user base of fairly novice computer users who don’t like technical details (there are exceptions of course!). Yet, OSX does not suffer from malware — let alone as a proportion of market share.
The open source folks for the most part don’t give a hoot about quarterly profits so they won’t add in things that aren’t secure just to claim a feature. (Some do, though they have a very hard time to sway others in the project to do the wrong things.)
The main example of this is Apache vs. IIS.
Apache runs the majority of the web servers out there and has no security holes. IIS does not fare nearly as well with less of an installed base.
Under Windows ActiveX is a marketing tool. ActiveX is also a really bad idea…though because of it being a feature it can’t be completely removed.
With open source at the system level, if someone attempted to insert something as dangerous as ActiveX either it would be rejected, a patch would be submitted to turn it off, or the project would be forked. Quickly.
Will malware ever become a problem under Linux? Probably will…though it will likely be a short term issue. See how well the Firefox folks are dealing with the first malware they are encountering; under 2 weeks from the first verified report and it’s dead along with similar features that could be abused.
—-
Exceptions: I’ve been very disappointed with many applications that install on top of Apache. Many are insecure by default (PHP apps), though they often can be secured even without changing the code.
> > Not really. Yesterday’s “theoretical, we’ll never see that
> > in the real world” vulnerabilities become today’s exploits
> > used by every script kiddie out there.
> Yeah, why not resort to completely hypothetical situations to try and make your point?
This isn’t really so hypothetical. A lot of new sorts of exploits are considered “exotic” at first.
> I’m really not trying to claim Linux or MacOS X are immune from attack –
Good.
> just that I object to being labelled as having weak security with spyware and viruses used as justification for this when spyware and viruses simply doesnt exist for my platforms.
I’m not understanding what you’re trying to say there. Obviously, _weak_ security isn’t the _reason_ that malware isn’t common on your platforms. Most apps are developed with basically no attention to security seemingly; this is rather unfortunate.
> I understand that Linux and the applications that run on them are not impregnable, and i’m not burying my head in the sand over OS and application security
We agree.
> = but the simple fact is that spyware is not a problem on Linux and MacOS X, and until it is shown to be a problem, i’m not going to accept that it is a problem, because that is just retarded.
… Yes, it’s not a problem now. They’re better architectures, and I doubt that technical [rather than social-engineered] spyware will ever become as huge a problem on them as it is concurrently with Windows. Good packaging provides a further level of protection. No one’s claiming that Linux and Macs are the primary spyware platforms at present, or that they will be in the future.
Malware just evolves too fast.
> AFAIK, Gentoo is a source-based distro and Debian mainly hosts Free software. So what do you do when Linux gets to be more popular and there’s more and more binary, non-free packages out there? Eventually, either distros won’t be able to keep packages in their repository (either for legal or religious reasons), or there deluge of new software packages will be too much to keep up with.
Debian has a non-free repository. Gentoo includes a few binary packages. Packages under Gentoo that can’t legally be automatically downloaded [ie, Sun’s java stuff] are marked “Fetchonly” – you need to manually download them, but then they can be installed by portage. Portage checks for matching md5sums.
There’s always a lot of new software packages. Most end up being used by very few people. Major packages tend to be packages quickly; minor ones based [roughly] on demand. Proprietary packages that can’t freely be automatically downloaded and have no cost aren’t hugely common; even if they were to become so, it’s already possible to make the user manually download them, but also verify against a known md5sum.
I’d be highly surprised if Debian or Gentoo packaged anything with intentional spyware for an extended period of time.
Package management is a fairly serious win in avoiding trojans.
Then you say that spyware currently is a Windows-only problem – the key word here is currently. When you leave out the ‘currently’ part, you tend to give the impression that if the masses were to switch to Linux, all viruses/worms/spyware would go away. However, unless Linux is bulletproof and has the ability to prevent users from doing stupid stuff (including typing in the root password when prompted), I highly doubt this is the case. Would it be as bad as it is on Windows? Probably not. But someone (not necessarily you) saying that there’s no spyware on Linux and there never will be is intellectually dishonest. Also, despite what a previous poster says, Windows is not that hard to secure, unless you want to prevent a user from doing anything. A person would have a much easier time spending 20-30 minutes learning how to stay virus/spyware free on Windows than they would enduring the headaches involved with switching operating systems.
Moving to Linux from Windows will eliminate the vast majority of problems even when/if Linux becomes wildly popular at the novice level.
That said, Windows can be made secure if you spend enough time on it. The 20-30 minutes using virus/spyware tools don’t secure a system…they just treat the symptoms in most — though not all — cases.
As for switching operating systems, the only hangup are applications. If the app you need exists, no problem. If not, big problem. Everything else is minor.
Most of those hangups, though, are either caused by proprietary formats or people thinking that any change is a bad thing — and fearing it. Habits are hard things to break.
As for applications and tools there are already over 10,000 software packages with specific Linux support — open and closed source — and an additional 20,000 that are portable between operating systems. (Look at freshmeat.net — http://freshmeat.net/browse/199 — to see that these are conservative numbers not wishful thinking (Linux is largely Posix compliant btw).)
You have as many choices under Linux or OSX for spreadsheets as you do under Windows — including Excel (Wine or native).
The benefits of switching include not having to dink around with firewall tools and anti-virus programs, let alone malware removers and protectors. They just aren’t needed *currently* and will not likely be needed *ever* because of the ways the systems are designed and managed.
The only thing that is ‘needed’ are cookie cleaners, though if you use something like Firefox that saves your passwords you can save cookies for the session only and that problem is eliminated.
—
To continue; the default settings for Linux (and most other Unix systems including OSX) are much more secure. A normal user *can’t* install software globally, for example.
Windows default settings are horridly insecure, and many of the features it has are either difficult to remove or cause the system to break in one way or another if removed. Windows is also hostile to enforcing permissions and quite a few applications require the admin account (though I expect that to be fixed over the next couple years).
While Unix systems often benefit from open standards and the history of painful mistakes that have been corrected, it does not always require full openness; OSX.
OSX has a core user base of fairly novice computer users who don’t like technical details (there are exceptions of course!). Yet, OSX does not suffer from malware — let alone as a proportion of market share.
The open source folks for the most part don’t give a hoot about quarterly profits so they won’t add in things that aren’t secure just to claim a feature. (Some do, though they have a very hard time to sway others in the project to do the wrong things.)
The main example of this is Apache vs. IIS.
Apache runs the majority of the web servers yet most exploits that succeed target the less popular IIS.
Under Windows ActiveX is a marketing tool. ActiveX is also a really bad idea…though because of it being a feature it can’t be completely removed.
With open source at the system level, if someone attempted to insert something as dangerous as ActiveX either it would be rejected, a patch would be submitted to turn it off, or the project would be forked. Quickly.
Will malware ever become a problem under Linux? Probably will…though it will likely be a short term issue. See how well the Firefox folks are dealing with the first malware they are encountering; under 2 weeks from the first verified report and it’s dead along with similar features that could be abused.
—-
^^ Note: While Apache is secure, I’ve been very disappointed with many applications that install on top of Apache. Many are insecure by default (PHP apps), though they often can be secured even without changing the code.
(Disclaimer – I didn’t check for typos here, too much typing)
Moving to Linux from Windows will eliminate the vast majority of problems even when/if Linux becomes wildly popular at the novice level.
Yeah, you say that now … many people are so short-sighted because they think the only way to penetrate a Linux system is how you penetrate a Windows system (such as email attachments). But, let me ask you this .. if I were to trick you into installing an apt package (yeah, that social engineering thing), are you telling me that I couldn’t do any damage to your system whatsoever? Is your /home directory read only?
As for switching operating systems, the only hangup are applications.
You’re talking long-term hangs. Short-term hangups include things like ‘How the hell do I get this OS to recognize my portable mp3 player?’ Yeah, been there, done that (*cough* Fedora *cough*)
The benefits of switching include not having to dink around with firewall tools
Right, so Linux users don’t run firewalls? Most Windows firewalls (including the free ones) practically configure themselves.
and anti-virus programs
Agreed.
let alone malware removers and protectors.
Not necessary.
They just aren’t needed *currently* and will not likely be needed *ever* because of the ways the systems are designed and managed.
I agree with your conclusion, but not your reasoning. The reason why they probably will never be needed is that it’s not likely that most people will even bother with Linux on the desktop.
To start, the default settings for Linux (and most other Unix systems including OSX) are much more secure.
No argument there
A normal user *can’t* install software globally, for example.
I don’t know what ‘installing globally’ means, but does a piece of software have to be installed globally to cause harm?
Windows default settings are horridly insecure
No arguments here either, although XP SP2 helps quite a bit
and many of the features it has are either difficult to remove or cause the system to break in one way or another if removed.
Or you could try just not using them – not exactly rocket science.
OSX has a core user base of fairly novice computer users who don’t like technical details (there are exceptions of course!). Yet, OSX does not suffer from malware — let alone as a proportion of market share.
I have my own theory about this, but that’s beyond the scope of this discussion.
The main example of this is Apache vs. IIS.
Apache runs the majority of the web servers out there and has no security holes.
Wow, Apache has never had security holes??
IIS does not fare nearly as well with less of an installed base.
This is like the only example that pundits can come up with. I don’t think these two are directly comparable because they primarily run on different operating systems. Apache has an inherent advantage because the underlying OS is more secure .. you don’t have as many people trying to poke holes in Linux, thus fewer exploits by default.
Under Windows ActiveX is a marketing tool. ActiveX is also a really bad idea…though because of it being a feature it can’t be completely removed.
Well, it’s a good idea, but the execution is severely flawed.
With open source at the system level, if someone attempted to insert something as dangerous as ActiveX either it would be rejected, a patch would be submitted to turn it off, or the project would be forked. Quickly.
Yeah, and the new project would probably never get out of alpha on Sourceforge either.
Will malware ever become a problem under Linux? Probably will…though it will likely be a short term issue.
Why?
See how well the Firefox folks are dealing with the first malware they are encountering; under 2 weeks from the first verified report and it’s dead along with similar features that could be abused.
Right, and you assume that if Firefox had a 95% userbase, everyone would just run out to install the patch?
Proprietary packages that can’t freely be automatically downloaded and have no cost aren’t hugely common; even if they were to become so, it’s already possible to make the user manually download them, but also verify against a known md5sum.
What the hell is an md5sum and where does it come from? (Note: That question is rhetorical, I know the answer, but asking from a newbie’s perspective). What I don’t know the answer to is this – what if an md5sum is not available? Are you going to tell users “Don’t download anything with an md5sum?” That assumes knowledge on the user’s part, which means their system would be compromised in short order.
Package management is a fairly serious win in avoiding trojans.
It’s also a very serious pain when that ‘not so common’ application you would like to install isn’t on the repository, or hasn’t been updated in ages. The whole system of having each distro do their own packages is flawed, IMHO.
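To make the manual-download-plus-checksum step that Roscoe describes concrete, and to answer the "what if an md5sum is not available?" question raised above, here is an added Python example. It is not Debian's, Gentoo's or Portage's own code, and not from any poster in this thread. The sample package bytes are constructed; in real use the expected digest would come from the distribution's package metadata, and the example treats a missing expected value as a rejection rather than a pass. Digests are compared with a constant-time comparison, and the same code accepts `sha256` in place of `md5`, which is the sensible choice for anything written today.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample payload standing in for a manually downloaded package.
SAMPLE_PACKAGE = b"constructed-package-contents-1.0\n"


def digest_file(path, algo="md5", chunk_size=65536):
    """Hash a file in chunks so large packages never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algo="md5"):
    """Digest of in-memory data; plays the role of the value a repository publishes."""
    return hashlib.new(algo, data).hexdigest()


def verify_download(path, expected, algo="md5"):
    """Accept the file only if a trusted expected digest exists and matches.

    A missing expected value is a failure: "no checksum available" must not
    silently degrade into "install anyway".
    """
    if not expected:
        return False
    actual = digest_file(path, algo)
    # compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(actual.lower(), expected.lower())


def demo(algo="md5"):
    """Write the sample package, verify it, tamper with it, and re-verify.

    Returns (clean_ok, tampered_ok, missing_ok).
    """
    published = digest_bytes(SAMPLE_PACKAGE, algo)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "package.tar.gz")
        with open(path, "wb") as f:
            f.write(SAMPLE_PACKAGE)
        clean_ok = verify_download(path, published, algo)

        # Append one line: any change to the bytes changes the digest.
        with open(path, "ab") as f:
            f.write(b"# tampered\n")
        tampered_ok = verify_download(path, published, algo)

        # No published digest at all: refuse rather than guess.
        missing_ok = verify_download(path, None, algo)
    return clean_ok, tampered_ok, missing_ok


if __name__ == "__main__":
    print("md5   :", demo("md5"))
    print("sha256:", demo("sha256"))
```

The check only buys anything when the expected digest reaches the user over a channel the download itself cannot tamper with (the package index fetched from the distribution, not a string sitting next to the download link on the same third-party page), which is exactly why distribution-managed metadata is the better source than a random mirror.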
“* The system is now secure without a firewall (though one is enabled for kicks), users can not install local software, and known problem software was replaced by securable software (I’ll let you make your own list of what’s good and bad).”
This suggests to me that you are either operating in a corporate environment or you have *amazingly* tolerant friends. It’s not a method I could use.
BTW, Roscoe, your package management point is well made. Unfortunately, I’m not sure it works completely. I have the hell of a time trying to convince new Mandrake users not to use Random Third Party Package Sources, which are exactly as trustworthy as Joe P2P App, really. People want software; you build it and they will come…
“To start, the default settings for Linux (and most other Unix systems including OSX) are much more secure. A normal user *can’t* install software globally, for example.”
How does this matter, in the context of spyware or adware? I am normal user ‘joe’. I install some spyware or adware as normal user ‘joe’. It can log my keystrokes, track my internet usage, and pop up adverts at me. Does it matter that it wasn’t installed systemwide, so far as ‘joe’ is concerned? Heck, no. It’s easier for root to clear up, sure. But that wasn’t the point.
Who forces people to run with administrative rights on windows? They can run restricted, like power users or users and use “runas” when needed and it’s absolutely really usable and possible, that’s how most people in networked AD environments work.
Check this out too: http://weblogs.asp.net/aaron_margosis/
Who forces people to run with administrative rights on windows
Well, nobody forces anyone to run as Administrator, but it’s the default user level for Windows. Doesn't the installer even ask you for your ‘Name’ and create you an account with Admin privs? The truth of the matter is, if Microsoft really cared enough about security for home users, it would at least put a warning in the startup folders of admin accounts to display warnings about the dangers of an Administrator account running as a desktop user.
You also noted that users could use the normal accounts and use the ‘runas’ trick. My findings show faults in this way of installing and using software. For one, most ‘runas’ installs icons on the Administrator’s start-menu and desktop, but not on the desktop you are currently using. Where would the Joe End User be without icons? Most certainly do not know how to navigate in the file-system to create shortcuts back to the desktop, then specify a ‘runas’ argument in the command-line for the Application to even run correctly.
The real way to deal with security can be seen by Mac OS X, honestly it has the best, secure way to install applications. Apps that need root privs require a password typed by the user. I understand that a user can be ‘tricked’ for malware, but it is definitely some measure that any computer OS should add.
We’ll have to disagree on some points as this story is getting dated.
I agree with your conclusion, but not your reasoning. The reason why they probably will never be needed is that it’s not likely that most people will even bother with Linux on the desktop.
Not quite, with the windows platform it’s the mutual activities that unite individuals into groups. Whereas on *.BSD, Linux it’s more interest in the OS itself. There are enough people in the latter category capable of creating all the nasty things windows suffers from, and yet this doesn’t happen.
Right, so Linux users don’t run firewalls? Most Windows firewalls (including the free ones) practically configure themselves.
Well i don’t use a firewall on my Linux box. Iptables has been shown to be an attack vector more than once. In my opinion it’s better not to install it but to disable all unnecessary services and last but not least harden the kernel and consorts.
The truth of the matter is, if Microsoft really cared enough about security for home users, it would at least put a warning in the startup folders of admin accounts to display warnings about the dangers of an Administrator account running as a desktop user.
Well, the standard Windows help advises against using an Administrative account for day to day tasks.
You also noted that users could use the normal accounts and use the ‘runas’ trick. My findings show faults in this way of installing and using software. For one, most ‘runas’ installs icons on the Administrator’s start-menu and desktop, but not on the desktop you are currently using. Where would the Joe End User be without icons? Most certainly do not know how to navigate in the file-system to create shortcuts back to the desktop, then specify a ‘runas’ argument in the command-line for the Application to even run correctly.
This is a developer problem. The “All Users” profile has been around basically forever, but due to either incompetence or laziness developers don’t use it. Much like they keep putting things that belong in the HKEY_LOCAL_MACHINE registry hive that really belong in HKEY_CURRENT_USER (roughly analogous to putting things that belong in ~ in /usr/local/etc for the unix people).
The real way to deal with security can be seen by Mac OS X, honestly it has the best, secure way to install applications. Apps that need root privs require a password typed by the user. I understand that a user can be ‘tricked’ for malware, but it is definitely some measure that any computer OS should add.
The facility for this certainly _exists_ in Windows (eg: the Office installer does it). Again, the problem lies with developers not utilising the tools available to them.