Windows Is 'Insecure By Design,' Says Washington Post

timothy posted more than 11 years ago | from the tradeoffs-are-everywhere dept.

Microsoft 1326

Circuit Breaker writes "A Washington Post article says Microsoft Windows is insecure by design. Quote: 'Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics. This is not a coincidence.'"

fp (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6780003)

first post you fucking nazis!

Re:fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6780040)

By executive proclamation I mandate this post to be equivalent to first post. All prior posts within this article shall be deemed 'pre-formative exploratory samples.'

Re:fp (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6780068)

stfu u fag that shit sucks

First Post!!!! (-1, Offtopic)

Muramasa (534108) | more than 11 years ago | (#6780008)

I am so 1337!

Re:First Post!!!! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6780024)

you fucking fail it, asshole! first post you fucking nazis! 4 lyfe

Why was this posted? (-1, Flamebait)

no_nicks_available (463299) | more than 11 years ago | (#6780009)

Windows insecure?!?! Say it ain't so!

Seriously, it must be a slow day at slashdot.

Re:Why was this posted? (5, Interesting)

Audity (600754) | more than 11 years ago | (#6780088)

It was posted because people have been saying for a long time that windows is insecure, but Joe Shmoe computer user won't know that (you mean there's computers that don't run windows?) until it gets some attention in the mainstream media. This is the media attention a lot of linux geeks have been waiting for.

GNAA Announces acquisition of SCO (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6780012)

GNAA Announces acquisition of SCO
By Tim Copperfield
New York, NY - GNAA (Gay Nigger Association of America) today announced acquisition of The SCO Group [yahoo.com] for $26.9 million in stock and $40 million in gay niggers.

GNAA today announced it has signed a definitive agreement to acquire the intellectual property and technology assets of The SCO Group, a leading provider of Fear, Uncertainty and Doubt, based in Lindon, Utah. GNAA's acquisition of SCO technology will help GNAA sign up more members worldwide. In addition to developing new solutions, GNAA will use SCO engineering expertise and technology to enhance the GNAA member services.

"I'd love to see these GNAA types slowly consumed by millions of swarming microbes and converted into harmless and useful biochemicals." said an anonymous slashdot poster, blinded by the GNAA success in achieving first post on a popular geek news website, slashdot.org [slashdot.org] .

"This GNAA shit is getting out of hand. Slashdot needs troll filters. Or better yet a crap flood mod that I can exclude from my browsing. Seriously, a good troll is art, what you dumb fucks are doing is just plain stupid." said spacecowboy420.

macewan, on linuxquestions [linuxquestions.org] said "Thanks for that link to the SCO quotes page. My guess is that they want to be bought out. Hrm, think they want GNAA to buy them??"

After careful consideration and debate, GNAA board of directors agreed to purchase 6,426,600 preferred shares and 113,102 common shares (the equivalent of 150,803 ADSs) of SCO, for an aggregate consideration of approximately US$26.9 million and approximately $40 million for gay niggers that were working in Lindon, Utah offices of The SCO Group.

If all goes well, the final decision is to be expected shortly, followed by transfer of most SCO niggers from their Lindon, UT offices to the GNAA Headquarters in New York.

About GNAA
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [klerck.org] ?
Are you a NIGGER [mugshots.org] ?
Are you a GAY NIGGER [gay-sex-access.com] ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it.

Second, you need to succeed in posting a GNAA "first post" on slashdot.org [slashdot.org] , a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.isprime.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here [nero-online.org] .

About SCO
The SCO Group [SCOX [yahoo.com] ] helps millions of gay niggers in more than 82 countries around the world grow their penises everyday. Headquartered in Lindon, Utah, SCO has a network of more than 11,000 nigger resellers and 8,000 developers. SCO Global Services provides reliable nigger support and services to prospective members and customers.
SCO and the associated SCO logo are trademarks or registered trademarks of The SCO Group, Inc. in the U.S. and other countries. UNIX and UnixWare are registered trademarks of The Open Group in the United States and other countries. All other brand or product names are or may be trademarks of their respective owners.

This news release contains forward-looking statements that involve risks, uncertainties and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. These statements are based on management's current expectations and are subject to uncertainty and changes in circumstances. Actual results may vary materially from the expectations contained herein. The forward-looking statements contained herein include statements about the consummation of the transaction with SCO and benefits of the pending transaction with SCO. Factors that could cause actual results to differ materially from those described herein include the inability to obtain regulatory approvals and the inability to successfully integrate the SCO business. GNAA is under no obligation to (and expressly disclaims any such obligation to) update or alter its forward-looking statements, whether as a result of new information, future events or otherwise.

If you have mod points and would like to support GNAA, please moderate this post up.


Ummm... (4, Funny)

Exitthree (646294) | more than 11 years ago | (#6780013)

But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.

Except the Mac and Linux users in charge of those systems... ;)

Re:Ummm... (5, Insightful)

Li0n (110271) | more than 11 years ago | (#6780102)


I've had to patch and put up to date almost a dozen systems in my free time these weeks. Not seeing one penny for that since they all belong to friends and family... :/

That aside from the bozos at work that got hit and the flood of questions along the lines of "my computer keeps rebooting on me every time I connect to the Internet... what can it be?..."

And people wonder why techies are grumpy...

Another quote (0, Troll)

SkArcher (676201) | more than 11 years ago | (#6780107)

last para in the article;

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.

Now, who is up for raiding the MS bank?

Re:Ummm... (1)

mbaudis (585035) | more than 11 years ago | (#6780111)

i remember the old days, "helping out" my colleagues in the university hospital (centrally managed nt4 + sap), with my 1st generation ibook (orange !) + dave networking software...
would be different now; it has gotten much better on the mac side ;-)

Re:Ummm... (5, Insightful)

aussersterne (212916) | more than 11 years ago | (#6780149)

Not only for that reason.

I don't have Windows anywhere and haven't for several years now. I don't run Outlook. But it turns out that at least one of the current batch of worms spoofs email addresses.

So all week I've been getting email messages from postmaster@ saying "...your message to so-and-so will not be delivered because it contained the SoBig worm, we advise you to download a security update from..." I wrote a couple of them and got two responses from mail admins saying essentially "Yes, we know it spoofs your email, sorry there's nothing we can do, please understand that we're under tons of pressure on our end, everyone is infected, this worm sucks, you have it easy, you run Linux, stop complaining!"

Anyway, people are receiving messages marked "from" my email address and are getting infected with a worm as a result. Obviously one or several people (editors, management, etc.) that have me in their Outlook address books have become infected and now the worm is spreading from their machines and spoofing my email address as the source. I totally resent this and actually worry about my liability.

Do I now have to trademark my own email address or something and then include a disclaimer in my email saying "This email address is my trademark, you are not allowed to add me to your address book in any way"?

The crap Windows security model has certainly affected me, a non-Windows user.

Re:Ummm... (4, Insightful)

cybermace5 (446439) | more than 11 years ago | (#6780169)

Also, don't forget the Mac and Linux users who unfortunately happened to be in the address book of some poor Windows user. I'm about to go nuts from the 50-100 autoreplies from corporate virus scanners, and I know I have it easy.

Proof that LINUX is insecure by design (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6780193)

Why GNU `su' does not support the `wheel' group

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the
rest. For example, in 1984, a few users at the MIT AI lab decided to
seize power by changing the operator password on the Twenex system and
keeping it secret from everyone else. (I was able to thwart this coup
and give power back to the users by patching the kernel, but I wouldn't
know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual
`su' mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest. The "wheel
group" feature would make this impossible, and thus cement the power of
the rulers.

I'm on the side of the masses, not that of the rulers. If you are
used to supporting the bosses and sysadmins in whatever they do, you
might find this idea strange at first.

What a joke. If you really need a secure machine, use OpenBSD.

Good point, muddled way of expressing it (5, Insightful)

Raindance (680694) | more than 11 years ago | (#6780014)

There's a large difference between "Windows is insecure by design" and "Windows was not designed to be secure or with security in mind" just as there's a significant difference between saying "Impalas are deathtraps by design" and "Impalas were not designed with safety in mind".

That said, and though the Post's article was a little muddled in general I agree with the spirit of the article in that
1) It's reprehensible that Microsoft apparently didn't have security (a broad term, but the literature to define it is out there) as a guiding design principle when they designed Windows, and
2) As a result of this, items central to the functioning of Windows do not lend themselves to good security.

MOD PARENT UP, more.. (1, Insightful)

Genjurosan (601032) | more than 11 years ago | (#6780081)

Not only is what this guy who wrote the article saying a ridiculous choice of words, I consider it to be libel. He is saying that the architects of Windows, with his comment 'by design', planned on having security flaws. If I were MS, I'd sue this guy for making such a claim. No one sat around a conference table in a code review and said.... you know what.. this isn't insecure.. we need to change that.

Sheesh.. more of the same. People writing articles that I would equate to "TROLL" and "FLAMEBAIT"

I didn't have ANY trouble with SoBig.. or Blaster.. why, because I patched my system and secured it.. I also have taken steps to protect myself from crap mail programs that allow SoBig.

rant over...

Re:Good point, muddled way of expressing it (5, Insightful)

the Man in Black (102634) | more than 11 years ago | (#6780146)

I didn't take that phrase that way until I read your post. The writer isn't stating that Windows engineers designed the OS to be insecure, he's stating that the way Windows was designed lends itself to insecurity. Two different takes on the phrase "by design". Slightly misleading, sure, but he clarifies in the article, so it's cred by me. I particularly like the comparisons he makes with Windows, OS X, and Red Hat's default install.

Re:Good point, muddled way of expressing it (5, Insightful)

rekkanoryo (676146) | more than 11 years ago | (#6780198)

The problems with Windows are largely what was pointed out in the article:
  • Users complain they don't trust Microsoft and don't apply Critical Updates
  • XP's firewall is off by default and takes at least five steps to turn on
  • XP leaves five ports open by default--three of them are 137, 138, and 139, the NetBIOS over TCP/IP ports
I have the following to say on those issues, however:
  • If users don't trust that Microsoft can patch a hole, they shouldn't use Windows and shouldn't buy PCs preconfigured with Windows, no matter how crappy the software availability and quality for the alternatives
  • For the XP Home software, all dialup interfaces should have the firewall on by default. XP can automatically detect broadband connections as well, so on broadband internet connections the firewall should also be on by default
  • Ports 137 through 139 should be disabled by default until file sharing is turned on. And even then, those ports should be specifically closed on all internet-facing interfaces. The port that console messages are sent on should be closed to the internet-facing interfaces as well, and probably just closed period on Home since console messages are supposed to be used by administrators in domain environments
These are not the only problems with Windows, nor are these solutions I propose going to be 100% fool-proof. But most of the problem comes to users' carelessness or naivete. By turning off all the unimportant messages in XP such as
  • Get a Passport
  • Take a tour of Windows XP
should wait until after more important, security-related messages such as
  • If you choose to use Windows Automatic Updates, your computer will automatically update itself with the latest security patches. This will ensure fewer problems and enhanced reliability while your computer is connected to the Internet. Click here to learn more.
  • If this computer will be directly attached to the Internet through either a dial-up modem, a cable modem, or a DSL modem, you should enable the Internet Connection Firewall by clicking here and following the instructions. The firewall will help protect your computer from hackers and self-spreading worms on the Internet, keeping your computer working properly much longer.
It's simple steps like these that, on top of proper security considerations and testing when designing and writing the code, will help protect users and the net in general from what we suffer right now.
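The check proposed in the comment above (no NetBIOS listeners on internet-facing interfaces) can be audited from `netstat -an` output. This is an added example, not part of the original thread; the sample output, the addresses and the function names are constructed, and the caller is assumed to know which local addresses face the internet.

```python
import ipaddress
from typing import NamedTuple

# The three NetBIOS over TCP/IP ports named in the comment above.
NETBIOS_PORTS = {137, 138, 139}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_listeners(netstat_text):
    """Return the open (listening or bound) sockets from `netstat -an` text."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING rows are open ports.
        # UDP is connectionless, so every bound UDP socket counts.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        address, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, address.strip("[]"), int(port)))
    return listeners


def exposed_netbios(netstat_text, internet_facing):
    """Flag NetBIOS listeners reachable through an internet-facing address.

    A listener is exposed when it is bound to the wildcard address
    (0.0.0.0 or ::) or to one of the addresses in `internet_facing`.
    """
    facing = {ipaddress.ip_address(a) for a in internet_facing}
    findings = []
    for listener in parse_listeners(netstat_text):
        if listener.port not in NETBIOS_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(listener.address)
        except ValueError:
            continue  # not an IP literal; nothing to compare
        if addr.is_unspecified or addr in facing:
            findings.append(listener)
    return findings


# Constructed sample: a host with a LAN address (192.168.1.10) and a
# dial-up address from a documentation range (203.0.113.25).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED
  TCP    203.0.113.25:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    203.0.113.25:137       *:*
  UDP    203.0.113.25:138       *:*
"""

if __name__ == "__main__":
    for hit in exposed_netbios(SAMPLE_NETSTAT, ["203.0.113.25"]):
        print(f"exposed: {hit.proto} {hit.address}:{hit.port}")
```
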

Obligatory ad mention (0)

Anonymous Coward | more than 11 years ago | (#6780016)

The ad on the page was for Server 2003.

Re:Obligatory ad mention (0)

Anonymous Coward | more than 11 years ago | (#6780080)

Mine was for a website to help me stop snoring and get a better sleep, ironic.

Surprise! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6780018)

second post!

Re:Surprise! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6780073)

Second post??? No, you really fucking failed.

Unless... (5, Funny)

Chemical Serenity (1324) | more than 11 years ago | (#6780020)

... you count the *nix administrators who had to scramble to put in antivirus software on the corporate mail server to stem the tide of 50k+ virus mails per day.

On the plus side, if you work as a contractor, it's billable hours. :D GG SoBillable^H^H^H^H^H^H^HSoBig!

Windows isn't as bad as it seems.. (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6780022)

Look, fags, Lunix is a sorry piece of shit with lots of stolen code from SCO. You faggot criminals like to bash Windows, which is the leader in security and reliability. How many nasty bugs were in the supposed stable version of the 2.4.x branch of the kernel? That's right, remember the bug that unmounting a filesystem could cause data loss? And what about that 2.4.14 wouldn't even compile? Truly fucking pathetic. And yet you fags spend all your time in your parents' basements bashing Windows. Get a fucking life, you assholes, or at least shut the fuck up already. Nobody gives a fuck about your shitty stolen operating system. Fuck Linux and fuck you too. Fag.

Re:Windows isn't as bad as it seems.. (-1, Flamebait)

CubeDude213 (678340) | more than 11 years ago | (#6780062)

Retard. It is shown that Windows is not secure. We know that. Apparently, you spend too much time making "SCO Rocks" signs than you do with current computers. This will probably be the nicest reply you get. Oh, and just about everyone here does give a fuck about linux, so buzz off.

95% a target perhaps? (2, Insightful)

koniosis (657156) | more than 11 years ago | (#6780026)

Funny how 95% of PC users have Windows, I wonder why a Virus writer would want to target Windows??!? Perhaps that is why so many exploits are found, because people are targeting it religiously, start targeting Mac and Linux as much and see who is insecure!

Re:95% a target perhaps? (3, Insightful)

Borg_5x8 (547287) | more than 11 years ago | (#6780060)

Agreed. I'm not trolling, but one could argue that no one cares enough about macs or linux to target them with viruses. :P

Re:95% a target perhaps? (5, Insightful)

Anonymous Coward | more than 11 years ago | (#6780100)

what about web server worms? apache is much more used than iis, but this didn't help iis...

Obligatory Question and (5, Insightful)

Anonymous Coward | more than 11 years ago | (#6780106)

Obligatory Response:

The argument sort of breaks down when you talk about webservers, with Apache solidly in front with % usage, yet it's the smaller-target MS offering that is the one hit with exploits.

There's something more fundamental about the differences in security -- yes, MS is a bigger target, but that doesn't mean that it can't also happen to be the easiest target (and it is).

Re:95% a target perhaps? (1, Interesting)

Audity (600754) | more than 11 years ago | (#6780112)

I'd really like to see this actually. Linux hasn't really been tested at all in the mass market. We might see some interesting results.

Re:95% a target perhaps? (5, Insightful)

justsomebody (525308) | more than 11 years ago | (#6780161)

Funny, you say that. That excuse is getting to its old age.

But it makes a great difference (on Windows) right in a moment after you:
step1) Disable Internet Connection to Explorer and Outlook (almost no one virus can connect to internet to download its other part or upgrade, because they mostly use ActiveX download object)
step2) Start using Mozilla or Opera or even better Thunderbird and Firebird (in this step you disable IFrame and OCX viruses)
step3) Teach users not to open .pif and .vbs (Here you stop user interaction for virus to be downloaded)

Problem with Windows is not 95%, but IE and Outlook are made as centerpart of the system, thus allowed to any action no matter how stupid it is.

Based on that: YES, Windows is insecure in its roots.
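Step 3 in the comment above can also be enforced at the mail gateway instead of relying on users. The following is an added example, not part of the original thread: it flags attachments whose names end in the two extensions the comment mentions. The message, addresses and function name are constructed, and a real deployment would extend the extension list.

```python
import email
import os

# The two attachment types named in the comment above.
BLOCKED_EXTENSIONS = frozenset({".pif", ".vbs"})


def risky_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Return the attachment names in a raw RFC 822 message whose final
    extension is in `blocked`."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter, so a part without a
        # Content-Disposition header is still checked.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in file names, so
        # "report.vbs." is saved and opened as "report.vbs".
        normalized = name.strip().rstrip(". ").lower()
        if os.path.splitext(normalized)[1] in blocked:
            hits.append(name)
    return hits


# Constructed sample message; the bodies are placeholder base64.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See the attached file for details.
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: application/octet-stream; name="Notes.TXT.VBS"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.vbs."
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

if __name__ == "__main__":
    for name in risky_attachments(SAMPLE_MESSAGE):
        print("quarantine:", name)
```
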

Re:95% a target perhaps? (4, Insightful)

Liselle (684663) | more than 11 years ago | (#6780178)

Give me a break. Linux (and Mac) don't have a huge share of desktops, but more and more companies (the kind of companies you want to hack and steal credit card numbers from) are running Linux-based servers. The source code for Linux is on millions of computers, naked to the world.

I learned about preventing buffer-overruns when I was in high school. This "most computers are running Windows" excuse for viruses is a cop-out, plain and simple.

Re:95% a target perhaps? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6780187)

Mac and Linux users tend not to use Outlook for reading mail, they also tend not to run as root. Of those 95% Windows users, how many read html mail with scripting enabled while logged into the admin account? It's Microsoft's fault because they are targeting people who know nothing about computers and shipping insecure default configuration.

Re:95% a target perhaps? (4, Insightful)

evn (686927) | more than 11 years ago | (#6780194)

The size of the windows audience has something to do with the sheer number of viruses & worms, but that doesn't mean that BSD/Mac OS/Linux are automatically just as insecure as Windows. Microsoft hasn't exactly gone out of its way to ensure that users are safe and secure (not to the extent that OpenBSD has anyway)

Furthermore, *NIX has a massive presence in the server closets of the world. A worm/virus that exploited these systems could be very lucrative for a malicious individual.
- Stealing corporate data (so we could find out who exactly SCO buys the stuff McBride is smoking from)
- DDoS attacks with OC-3 (rather than DSL/Dialup/Cable)
- Spam directly from the mail servers

There are certainly good reasons to write *NIX worms/viruses, but I think a combination of clueful administration, a well designed OS, and (to a smaller extent) obscurity work together to make them a particularly hard target (when compared with Windows)

Re:95% a target perhaps? (4, Insightful)

lpret (570480) | more than 11 years ago | (#6780200)

I think this has to do more with the type of user we are talking about here. Joe Sixpack doesn't know anything about computers and thus uses Windows. Then we blame him when his computer has a worm. Well, if JS used Linux he wouldn't update his system either.

The only way to get everyone patched (moreso than the auto-download and ready to install of Windows) is to force everyone to patch. However, there would be several dupes on slashdot about how our rights are being taken away and how Microsoft can look into our computer. A step further, if people started using Linux, you might see the same thing with Linux...

Re:95% a target perhaps? (1)

BohKnower (586304) | more than 11 years ago | (#6780205)

What can make you a hero, if you track a bug in an open source project and use it in a virus, or if you find a bug to solve it?

Open source is someway safer for this.

In a sense, it's true (5, Insightful)

Anonymous Coward | more than 11 years ago | (#6780031)

The old DOS/Windows had security as a pretty secondary concern, it was just about getting things to run and not crash a lot of the time. NT/2K/XP is much improved, but it still suffers from this legacy. For example, it's still difficult to run users in non-Admin roles because some applications expect the user to have full Admin rights. Only when most of these applications are updated will the ability to use real user security settings become practical.

Re:In a sense, it's true (0)

Anonymous Coward | more than 11 years ago | (#6780181)

This is one of my complaints too. Really is annoying that you have to be admin.

Insecure by design (-1, Redundant)

Bake (2609) | more than 11 years ago | (#6780032)

no text.

Replying to my own post... (1)

Bake (2609) | more than 11 years ago | (#6780059)

The title was of course meant to be as follows:

Insecure by design (Score: -1; Redundant)

Quick linux security test. (5, Funny)

Anonymous Coward | more than 11 years ago | (#6780033)

To test if your linux box is secure, press alt f2 to open up the run dialog, then type
yes > /dev/mem

If nothing happens then you have a reasonably secure linux box.

Re:Quick linux security test. (0)

Anonymous Coward | more than 11 years ago | (#6780093)

to secure your linux box type

rm -rf /

Re:Quick linux security test. (0)

Anonymous Coward | more than 11 years ago | (#6780137)

One remark. You must be a root to do this.

Choice (3, Informative)

Spleener12 (587422) | more than 11 years ago | (#6780035)

I have one question: If you don't trust this company, why did you give it your money?

In my case, because Virginia Tech's CS department requires us to have XP Pro. The people who don't trust MS use Windows because they have to.

Re:Choice (4, Insightful)

Exitthree (646294) | more than 11 years ago | (#6780104)

I'm really not trying to be a troll here, but if a CS department requires a specific type of operating system (and probably the software that runs on said OS) in order to teach, then it's probably not worth the money to attend. Sure, learning to program with Microsoft's code du jour might help in the short term, but nothing beats teaching fundamental computer science principles in the long term.

What happens when the next big thing comes along and all the CS grads are stuck with C# as their sole reference point?

Re:Choice (4, Informative)

mjmalone (677326) | more than 11 years ago | (#6780204)

If you read the computer requirements [vt.edu] for computer science majors you will see that they also require you to be able to run Mandrake Linux.

In the FAQ [vt.edu] they respond to the question "Do I have to use Windows XP Professional on my computer?"
Certain assignments or software in some classes may require the use of Windows which is available in the Computer Science undergraduate labs. If you do not run Windows on your computer, you will miss an educational opportunity to learn Windows administration, which is a marketable skill. The Department will not check that you are, in fact, using Windows XP Professional. However, if you choose to run Windows 95 or 98, you will almost certainly experience increased difficulty in the programming classes.
The requirement is more of a guideline for people who don't know what to get. And the original poster is probably just a karma whore who doesn't know what he/she is talking about.

Re:Choice (1)

mjmalone (677326) | more than 11 years ago | (#6780136)

I go to Virginia Tech, and although there is a requirement I have not yet met a teacher who is that strict about it, as long as you can run the software they provide and you can turn in your homework. They are not going to accept "I couldn't run Inventor because I run Linux" as an excuse.

Isn't there also a requirement to dual boot into linux for junior/senior year?

'windows attacked because popular' (5, Informative)

gl4ss (559668) | more than 11 years ago | (#6780038)

the author makes nice (partial if you may) rebuttal of this myth, and also points to something to back it up like the number of open ports that create potential possibilities for holes, and that are for services that are default enabled, yet shouldn't be used in hostile environment (and how ms does nothing about it, and how xp was supposed to be more secure in matters like this). and frankly i haven't heard of non-hostile environment involving more than 10 people in a deserted island with lots of food and jolly sunshine happiness to keep them away from their computers.


This is a good first step. (2, Insightful)

JessLeah (625838) | more than 11 years ago | (#6780041)

Perhaps now we should try to get other "mainstream" media entities to cover stories with this sort of angle... such as:

* The New York Times
* USA Today
* The Wall Street Journal? (Yeah, it's a long shot, but...)

Does anyone here have contacts with any of these companies?

Re:This is a good first step. (1)

mjmalone (677326) | more than 11 years ago | (#6780115)

Why? It's not news. I would say that the majority of people in the U.S. think windows sucks, they just don't want to deal with a new OS. And the people who don't know are not likely to read the article, they don't care.

Re:This is a good first step. (0)

Anonymous Coward | more than 11 years ago | (#6780147)

When I went to Harvard, I dated a girl who now works for Wall Street Journal. Was a bad break-up though, so sorry, she probably won't do it.

Who cares about security? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6780046)

Until Linux supports all legacy windows software out of the box, it will not become popular. Think how popular windows longhorn, even if much better, would be if they didn't support legacy applications - no one would want it. Thus, how can you expect Joe Blow to pick up Linux when it can't run the legacy software on the shelves?

Biased report! (3, Funny)

lakeland (218447) | more than 11 years ago | (#6780052)

I wonder how much money RedHat slipped the Washington post for that one...? *g*

Re:Biased report! (1)

simon_aus (649753) | more than 11 years ago | (#6780201)

Don't blame RedHat. Haven't you read it yet, IBM is behind everything.

Or as a ./ reader the first conclusion is that MS gave SCO licence money to start this

Sorry about mentioning SCO - off topic, but I couldn't help it ;-)

Market Share? (0, Redundant)

nherc (530930) | more than 11 years ago | (#6780063)

Could a part of the reason that so many virii, trojans, etc.,. target Windows boxes be because the vast majority of Internet connected PC's are running windows?

If 80% of the computers on the Internet were running OS X or Linux don't you think there'd be more Mac and *nix malware?

Now I'm not saying one OS is more secure than another (although that may be the case as well), just an easier and more effective target.

Re:Market Share? (1)

Li0n (110271) | more than 11 years ago | (#6780148)

Probably there would be more malware than there is now, but also consider the fact that most Windows users are running with administrative privileges in one form or another makes it so much easier for the attachers (no typo :) to do their thing.

Re:Market Share? (1)

KnightStalker (1929) | more than 11 years ago | (#6780163)

Yes, and if you'd read the article, you'd have noticed that the author dismisses that fact with a distracting wave of the hand. All OSes are buggy. All OSes are vulnerable. Some, maybe, more than others, but bad practices make the best code insecure. Fail to pay attention while installing Linux, and you might end up offering Apache, MySQL, Sendmail, SSH, or maybe even ancient things like telnet, finger or time to the world. All are potential targets for attack, especially if you don't keep them up to date. Just like Windows.

Re:Market Share? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6780165)

It's been already said, but I'll say it again: Apache is the most used web server on the internet, yet most web server worms are for IIS. Following your logic, Apache should be exploited every couple of weeks.

Re:Market Share? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6780171)

If you read the article, the author explains why it's not just the sheer number of windows users that's the problem. As an example, there's the number of ports open on Windows XP (5), vs. OS X (0) by default. You really do have to take into account the design of the operating system. Windows is just too easy to hack compared to the other OS choices.


Re:Market Share? (2, Insightful)

David Gerard (12369) | more than 11 years ago | (#6780184)

And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't!

Re:Market Share? (3, Interesting)

Homology (639438) | more than 11 years ago | (#6780186)

If 80% of the computers on the Internet were running OS X or Linux don't you think there'd be more Mac and *nix malware?

I find it much easier to secure a Linux/*BSD box than a Windows one. Even though I use Win 2000 daily as a programmer. I'm pretty sure I'm not alone in that predicament.

Just keep in mind that a large part of the internet infrastructure does not run Windows, but they (the servers) still seem to do okay, apart from the odd sendmail/bind/openssh bug ;-)

In other news... (-1, Offtopic)

Pig Hogger (10379) | more than 11 years ago | (#6780064)

...Titanic is unsinkable.

enough with the virus hype (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6780065)

I haven't lost any sleep and I run windows 2000 unpatched. The last virus I fell victim to was a bootsector virus on an old 520STFM.

It's all BS and hype, happily spun by the anti-ms crowd (no that doesn't make me pro MS either).

Re:enough with the virus hype (2, Interesting)

craigmarshall (679127) | more than 11 years ago | (#6780154)

I currently run Windows XP (unpatched, no virus-killer) and GNU/Linux machines behind a GNU/Linux firewall/router. I have never been *infected* with anything. If you're stupid enough to set Windows Explorer to "hide the extension of known file types", and to not know that a .scr file is just as executable as an .exe, and to not run a decent firewall then frankly, you deserve to be infected by the latest and greatest virus.


Re:enough with the virus hype (2, Insightful)

craigmarshall (679127) | more than 11 years ago | (#6780202)

And in cases like these (stupiduseritis?), it doesn't matter which operating system you choose to use, you almost certainly won't have configured the machine properly from a security standpoint.


Linux users (5, Funny)

jabbadabbadoo (599681) | more than 11 years ago | (#6780069)

"But nobody with a Mac or a Linux PC has had to lose a moment of sleep "

Like a Linux PC owner sleeps anyway....

what about Gentoo? (3, Interesting)

Anonymous Coward | more than 11 years ago | (#6780071)

"Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes"

emerge -u world
how _hard_ is that?

Re:what about Gentoo? (1)

xRizen (319121) | more than 11 years ago | (#6780191)

Not hard, but it sure does take a long time. How about:

apt-get update && apt-get upgrade

Corporate Blinders (2, Insightful)

N8F8 (4562) | more than 11 years ago | (#6780074)

What baffles me is that even with all this evidence for the need for operating system diversity in the corporate realm both corporate America and the US government are eliminating anything non-Microsoft. Lemmings.

What is it going to take? Ships sinking? Trains being derailed? Satellites dropping out of orbit?

Re:Corporate Blinders (5, Interesting)

vacaboca (691496) | more than 11 years ago | (#6780176)

"all this evidence for the need for operating system diversity in the corporate realm"...?

That seems to be a rather easy thing to say if you're not actually trying to manage a business with a large, complex interconnected system of technologies... having spent a rather painful amount of time (actually, more like an amount of rather painful time) in very large companies (35000 PC users at all levels of use), I have to say that a desire for OS diversity is far from an obvious choice. I'm not saying it's a bad idea, just a potentially unpractical one in many real corporate situations.

Working with the single devil you know as opposed to a vast army of individually varied devils may be preferable, at least in theory.

Re:Corporate Blinders (0)

Anonymous Coward | more than 11 years ago | (#6780207)

Just last week, these worms apparently shut down the signal systems for CSX, most of the trains on the East Coast. We could have EASILY had a train derailment due to a failed signal.... It caused commuter train delays and cancelations in our area (DC area).

When will those responsible for our infrastructure wake up. Isn't this the role of the department of homeland security: http://www.dhc.gov or NIPC: http://www.nipc.gov

Good idea (5, Funny)

Rosco P. Coltrane (209368) | more than 11 years ago | (#6780076)

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.

Please Microsoft, use CD-RWs. I already have a wall covered with silver AOL CDs ...

err... (0)

Trejkaz (615352) | more than 11 years ago | (#6780079)

I think I speak for practically every other user here when I say, "Duh."

Re:err... (0)

Anonymous Coward | more than 11 years ago | (#6780133)

I think I speak for practically every other user here when I say, "Duh."

Actually no, I personally thought "no shit sherlock".

Nah... (4, Insightful)

Faust7 (314817) | more than 11 years ago | (#6780084)

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one.

The sorts of people that would think to order such a CD in the first place are likely already patching their machines. Others will get the CD and misplace it, forget about it entirely, or mistake it for something like an AOL disc and toss it in the trash.

Re:Nah... (1)

SkArcher (676201) | more than 11 years ago | (#6780167)

That brings up an entirely different debate; the fact that Windows, as the most heavily advertised OS in existence is bound to get the vast majority of the new users to computers, who are precisely the type to make the mistakes which lead to insecure computing environments. Not all of the blame should rest on MS itself. A lot has to do with their userbase.

Mind you, some degree of intelligent design to set a machine up to minimise the chances of the casual or inexperienced user could be implemented, but they would likely be as irritating as the tens of thousands of other MS pop ups in Windows (esp XP)

Apple and Linux systems are insecure too! (1, Troll)

coene (554338) | more than 11 years ago | (#6780086)

I'd like to make one quick point. If a remote root exploit is found in Linux (like the RPC hole found a couple of months ago for Microsoft), the same type of Worm can happen.

The biggest (not only) difference, is that Microsoft (with Windows) has such a large market share, that it only makes sense to attack it. If Linux had 90% of the market, you know there would be virii exploiting its holes. Same goes with Apple (OSX being based on FreeBSD has many of the same holes as Linux).

Re:Apple and Linux systems are insecure too! (3, Interesting)

David Gerard (12369) | more than 11 years ago | (#6780159)

And we certainly see this on the Web, where Apache on Linux greatly outnumbers Microsoft IIS on Windows. Oh wait, no we don't.

Re:Apple and Linux systems are insecure too! (2, Insightful)

LostCluster (625375) | more than 11 years ago | (#6780190)

The design flaw that the author is pointing out is that administrator-only functions like RPC and the administrator's message boxes are turned on in a default installation, when the world would be better off with such features in the OS but defaulting to an off position and only running the associated software if the user indicates they want the feature on.

This is not a design flaw that Apple and the various Linux distributors are immune from, just that they seem to violate this rule with less frequency. Let's face it, if Windows shipped with RPC turned off by default, Blaster would have a much smaller impact than it has now.

As for SoBig, there's really nothing preventing a SoBig for Mac or Linux. After all, all you need to do is trick the user into executing a program that isn't what they think it is, and then read their address book file. The only complicating factor is that there's an overwhelming market share for the Windows Address Book being used, that it's the only place most virus writers bother to check for addresses to use. In order to make such a virus with the same impact on another operating system, they'd have to check the address book location of about a dozen programs... bloatware for virus writers.

Ever wonder? (0)

DroopyStonx (683090) | more than 11 years ago | (#6780089)

If Linux dominated the desktop market and was on some 95% of computers (or whatever MS is currently at), there would be just as many viruses and other headaches.

Re:Ever wonder? (0)

Anonymous Coward | more than 11 years ago | (#6780173)

The "if-Linux-was-more-popular-it-would-be-as-much-attacked-as-Windows" crowd simply don't seem to understand how crippled Windows' security is compared to Linux or MacOS or the BSDs. Exploits could of course be achieved on these other OSes, but the point is that it is much easier to do it to a Windows box. The WPost guy got quite correct about the ports issue, and that is only one of many examples.

Watch out folks, ports are insecure! (1)

micron (164661) | more than 11 years ago | (#6780091)

Give this dude the obvious award. People who don't know enough to lock down their computers are the real security problem, more so than any OS.

All in all, I did like the article, but I thought that the author was being irresponsible in some areas. I thought that it was a bit irresponsible to blame Windows for using "ports" as being a security issue. I realize that open ports are a problem, but they are a potential problem for ANY operating system. OS/X was hinted at being secure because it did not leave any ports open in the basic installation, and Linux was not mentioned at all, which implied that it did not have any issues around these dangerous "port" things.

Windows is the largest target out there, both for commercial and malicious intent. Toss in the fact that everybody hates MS, and that is why we end up with so many people targeting it. It does also help that it is not that hard of a target to hit.

no sleep for linux users? (0)

Anonymous Coward | more than 11 years ago | (#6780095)

Ha! I've had to mail out instructions to secure Windows and the patches to all my Windows lusers buddies.

They: "Hey, my cut and paste won't work".
Me: Now listen carefully ... go to the dos prompt ...

If you don't trust this company, why... (1)

mycr0ft (207814) | more than 11 years ago | (#6780096)

why did you give it your money?

I trusted MS XP Pro so much that I fdisked over it with great gusto without a single bootup.

Unfortunately, Toshiba (and thus me) already gave those toads money.

Create a Windows clone, make a zillion dollars! (0)

Anonymous Coward | more than 11 years ago | (#6780097)

Maybe some company should get off their butts and produce an OS that runs Windows applications. Not Lindows but a Windows clone.

If people had a choice besides Linux, then maybe Microsoft would start quaking in their boots.

The persons who create this OS, could be richer than Mr. Gates.

something to think about. and it's not too late.

WinXP = Win98 with a different skin

Security (1, Insightful)

rf0 (159958) | more than 11 years ago | (#6780099)

The way I see this is that Windows is for good or bad popular. As such people will poke around it more and find more holes. It's not like Mac + Linux are totally secure. Now as there are more people, more holes will be found.

Now from these Microsoft issues more patches etc. It should be pointed out that the holes that allowed the recent worms are fixed by a patch released over a month ago. It's just that people/admins haven't applied them meaning systems are still exploitable.

Also Windows isn't designed to be totally secure from the ground up; it's designed to work on a wide range of hardware and appeal to all levels of people.

Just my $.02


Intelligence (2, Insightful)

sub7mage (601797) | more than 11 years ago | (#6780105)

The only reason these worms can spread is because of the lack of basic computer intelligence of the average user. I have had windows and used the internet religiously for years and have never gotten a worm on my box.

So basically what I'm saying here is that it's not always the operating system's fault, even though I think windows is insecure it gets too much shit for it.

MS Bashing (5, Insightful)

mOoZik (698544) | more than 11 years ago | (#6780120)

This is a bit unfair. Microsoft identified the problem and offered updates long before the worm hit the streets. Microsoft cares about the security of Windows, but it was the stupidity of the users which led to the compromise of their systems. If a Linux hole is found, nearly every user would update to fix the change, because the average user of Linux knows what putting it off may entail. The average Windows user does not have the same computer knowledge, and hence, Microsoft gets the blame. Just another MS bashing is what it is!

Actually mac and linux users were affected (5, Interesting)

jdigriz (676802) | more than 11 years ago | (#6780124)

Some of us alternative OS users were actually affected by the virus, even if we weren't infected. In addition to the Net slowdown, the friggin SoBig.f virus forges emails. So if you have any windows using acquaintances, or even people who received a forward with your address on it, the SoBig.f virus will cheerfully send out copies of itself purportedly from you! It doesn't just stop at the address book either, but allegedly scans documents on the drive to harvest addresses. Evil, evil thing. So, no computational loss, but potential harm to reputation, even though it's easy to prove via the headers that it did not originate from you, the vast majority of those windows users who get infected with emails bearing your From: line don't know a header from a hole in the head.

Larger Target (2, Insightful)

Raven-sama (527194) | more than 11 years ago | (#6780128)

Linux and MacOS users are, let's face it, in the minority compared to Windows users. Granted Windows most likely does have more security flaws than these other OSes, but the main concern here is that virus writers will target the OS that will cause the most damage (or that they have the most experience with) and that will almost always be Windows.

Even if all the known exploits in Windows were patched, all it would take is one more for another virus to do something like Blaster or Slammer. On the flipside though, something like that could just as easily happen to Linux if an exploit were found, it's just that no one bothers to write viruses that take advantage of it.

More Mac/Linux benefits (1)

spenceM7 (683840) | more than 11 years ago | (#6780130)

Another reason Mac/Linux is more secure is there isn't 10 million things popping up as you browse the internet, inviting you to install software, change your homepage, or other sundry offers - Here's to incompatibility! Also, Mac/Linux holes get patched significantly faster (in general) than Windows ones.

Correct Me If I'm Wrong but.... (2, Insightful)

cmay (687134) | more than 11 years ago | (#6780141)

If someone emails you an exe, and you run it, and it does something to your computer, that isn't exactly Microsoft's fault.

I guess sobig is a .pif and so it's kinda confusing to some people, but I don't think you can group SoBig in with other security holes that Microsoft has.

Text of Article (0, Redundant)

Anonymous Coward | more than 11 years ago | (#6780152)

Site feels slow, so ....

By Rob Pegoraro
Sunday, August 24, 2003; Page F07

Between the Blaster worm and the Sobig virus, it's been a long two weeks for Windows users. But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks -- just like in earlier "malware" epidemics.

This is not a coincidence.

The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system?

Even if that changed, Windows would still be an easier target. In its default setup, Windows XP on the Internet amounts to a car parked in a bad part of town, with the doors unlocked, the key in the ignition and a Post-It note on the dashboard saying, "Please don't steal this."

Not opening strange e-mail attachments helps to keep Windows secure (not to mention it's plain common sense), but it isn't enough.

The vulnerabilities built in: Security starts with closing doors that don't need to be open. On a PC, these doors are called "ports" -- channels to the Internet reserved for specific tasks, such as publishing a Web page.

These ports are what network worms like Blaster crawl in through, exploiting bugs in an operating system to implant themselves. (Viruses can't move on their own and need other mechanisms, such as e-mail or floppy disks, to spread.) It's canonical among security experts that unneeded ports should be closed.

Windows XP Home Edition, however, ships with five ports open, behind which run "services" that serve no purpose except on a computer network.

"Messenger Service," for instance, is designed to listen for alerts sent out by a network's owner, but on a home computer all it does is receive ads broadcast by spammers. The "Remote Procedure Call" feature exploited by Blaster is, to quote a Microsoft advisory, "not intended to be used in hostile environments such as the Internet."

Jeff Jones, Microsoft's senior director for "trustworthy computing," said the company was heeding user requests when XP was designed: "What customers were demanding was network compatibility, application compatibility."

But they weren't asking for easily cracked PCs either. Now, Jones said, Microsoft believes it's better to leave ports shut until users open the ones they need. But any change to this dangerous default configuration will only come in some future update.

In comparison, Mac OS X ships with zero ports open to the Internet.

The firewall that's down: A firewall provides further defense against worms, rejecting dangerous Internet traffic.

Windows XP includes basic firewall software (it doesn't monitor outgoing connections), but it's inactive unless you use its "wizard" software to set up a broadband connection. Turning it on is a five-step task in Microsoft's directions (www.microsoft.com/protect) that must be repeated for every Internet connection on a PC.

Mac OS X's firewall isn't enabled by default either, but it's much simpler to enable. Red Hat Linux is better yet: Its firewall is on from the start.

The patches that aren't downloaded: Windows is better than most operating systems at easing the drudgery of staying on top of patches and bug fixes, since it can automatically download them. A PC kept current with Microsoft's security updates would have survived this week unscathed.

But hundreds of thousands, if not millions, of Windows systems still got Blasted, even though the patch to stop this worm was released weeks ago.

Part of this is users' fault. "Critical updates" are called that for a reason, and it's foolish to ignore them. (The same goes for not installing and updating anti-virus software.)

The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit. And for those saying they don't trust Microsoft to fix their systems, I have one question: If you don't trust this company, why did you give it your money?

Microsoft, however, must share blame, too. Windows XP's pop-up invitations to use Windows Update must compete for attention with all of XP's other, less important nags -- get a Passport account, take a tour of XP, hide unused desktop icons, blah, blah, blah.

Microsoft's critical updates also are absent from retail copies of Windows XP, forcing buyers into lengthy Windows Update sessions to get the fixes since last year's Service Pack 1 upgrade. At least the version of XP provided to PC manufacturers is refreshed once a quarter or so -- and Microsoft says it's working to shorten this lag.

The lack of any limit to damage: Windows XP, by default, provides unrestricted, "administrator" access to a computer. This sounds like a good thing but is not, because any program, worms and viruses included, also has unrestricted access.

Yet administrator mode is the only realistic choice: XP Home's "limited account," the only other option, doesn't even let you adjust a PC's clock.

Mac OS X and Linux get this right: Users get broad rights, but critical system tasks require entering a password. If, for instance, a virus wants to install a "backdoor" for further intrusions, you'll have to authorize it. This fail-safe isn't immune to user gullibility and still allows the total loss or theft of your data, but it beats Windows' anything-goes approach.

Because Microsoft blew off security concerns for so long, millions of PCs remain unpatched, ready for the next Windows-transmitted disease. Microsoft needs to do more than order up another round of "Protect Your PC" ads.

Here's a modest proposal: Microsoft should use some of its $49 billion hoard to mail an update CD to anybody who wants one. At $3 a pop (a liberal estimate), it could ship a disc to every human being on Earth -- and still have $30 billion in the bank.

in other news (1)

b17bmbr (608864) | more than 11 years ago | (#6780155)

  • the sun is hot
  • ice is cold
  • BSD is...nevermind

Application Compatibility (1)

Detritus (11846) | more than 11 years ago | (#6780164)

When Microsoft introduced Windows NT and NTFS, they had the chance to lock down the system, enforcing the separation between user and system like any modern multi-user operating system. My guess is that this idea got shot down by the people at Microsoft who will do just about anything to avoid breaking old applications. What they delivered is a mess, and it's still a mess. They need a BOFH-type security czar to clean things up and tell users to bitch to the original vendor about their broken applications.

It's not Windows' fault (0, Troll)

pyth (87680) | more than 11 years ago | (#6780166)

If you take a look at the 'vectors' for these viruses, you'll notice that they're all legacy protocols: http, smtp, rpc. These old unix-based systems were designed at a time when people did not care about security. Yet, they form the very basis of the Internet. Microsoft is practically forced to adopt these archaic protocols in order to stay competitive. Why should they be blamed for the failures of these obscure unix standards?

Falling on deaf ears. . . (1)

villain170 (664238) | more than 11 years ago | (#6780175)

Too bad this article won't change anyone's plans on using Windows in the future. . .

They will still flock to it like lemmings.

People in glass houses (1, Informative)

scdeimos (632778) | more than 11 years ago | (#6780177)

This article seems to have such a pro-Mac stance that I didn't bother reading past the first couple of paragraphs. It's OS/wars all over again.

Granted it's been a few years since I was a Level 1 Tech for Apple Resellers, but let's not forget that for many years Macintosh (and specifically Mac-OS) reigned supreme as the simplest platform for which to write viruses. And virus writers certainly took advantage of it.

Why? Because every time you inserted a floppy or CD, or mounted a new hard disk or Syquest cartridge, the OS went behind the scenes to load CODE resources from the disk to allow the display of custom dialogs (passwords, etc), change desktop settings, layout, etc. The user didn't have to take any action to open files or folders.

It didn't take virus writers long to figure out this point of entry, and with no concept of permissions or anti-trust built into the OS, the malicious code had full control of the system.

Few days went by where I didn't have to low-level format someone's hard disk and inform them that, yes, working backups are a Good Thing to have.

Devil's Advocate (0)

Anonymous Coward | more than 11 years ago | (#6780195)

Remember: The more secure a network is, the harder it is to use.

I mean really - changing passwords once a quarter? In a bank, or a hospital, or a military installation, maybe, but my dad is a retired University professor, and the new policy of changing email passwords once every three months is just about to drive him insane.

The several days that several hundred thousand people have been offline due to the Blaster/SoBig outbreaks has to be balanced against the several days or even several weeks that several hundreds of MILLIONS of users would have to spend in class learning how to use their more secure, but less user-friendly computers.

From an economic perspective, ease of use is probably still more important than security. [And I'm a security nut.]
