eWeek reports discovery of a massive ID theft ring powered by CoolWebSearch. Yeah, only Windows is vulnerable -- anyone surprised? ....No? Didn't think so. Why people put up with this shit is beyond me, let alone why people who surely KNOW how dangerous it is running around out there with an insecure OS will still just click on this shit and install it with no idea what it's actually doing and in the knowledge that they have no way to find out. Sometimes I wish one of these crooks would come along and clean out forty million people's bank accounts, just because I can't help but think it'll take something on that scale to get people's attention.
Trend Micro has a free online scanner that will detect and remove CoolWebSearch. Then again, anyone stupid enough to install a piece of untrusted code like that in this day and age probably isn't reading, or paying any attention to, this anyway.
Footnote: I don't particularly wish Microsoft would crash and burn. I don't particularly wish Windows would dry up and blow away in the wind. Not only are Unix and the Mac not for everyone, but a monoculture of ANYTHING is bad. I just wish Microsoft would start taking security seriously and actually make a real effort to make Windows secure. I've heard some intimations Longhorn Vista may finally make some progress in that direction, provided that doesn't get dropped before release as well.
no subject
Apple did it right. They saw what a hash they'd made doing System 7-8-9 and decided, fsck this, we're going to do this right... and went and stole BSD (which is what it's there for) and threw a damn nice GUI on top of it and called it good. And lo and behold, to everyone's amazement, it *was* good.
Seriously, a Unix-architecture monoculture wouldn't kill us. You've got MacOS X, which is FreeBSD on, for the moment, PowerPC; you've got Red Hat, you've got SUSE, which is just enough different to give even experienced hackers headaches, you've got Debian and its variants, which are totally different packagewise and init.d-wise, and they're running everything from Red Hat 6 with Kernel 2.2 to Gentoo with Kernel 2.6.13rcsomething... Never mind OpenBSD on old Sparcs and probably still a few 3b2's kicking around running the One True Squished'em Vee... I mean, why do you think they wrote Autoconf in the first place?
But, no, actually, you know what would work? If IE and Lookout and Office dried up and blew away and got replaced by Firefox and Thunderbird and OpenOffice, with Postfix and LAMP on the back end, Windows wouldn't be half bad... provided no one EVER tried to use ActiveX in a browser EVER again... oh, and we cut the base price of the home OS back to $49 and eliminate DRM entirely.
Oh, who the hell am I kidding. 100mph Penguin World Domination 4-3VAR!!!
*ahem* Seriously. Microsoft will never completely fix the design flaws in their systems. Otherwise their sales of new versions would go totally flat, and so would those of the A/V and commercial anti-spam companies. Which would be bad for the shareholders, dontcha know.
no subject
Oh, I didn't say Windows doesn't need to CHANGE. Windows "as we know it" is an insecure crock built on top of multiple layers of half-forgotten legacy cruft that, in many cases, MS's own developers don't fully understand any more.
That's a different thing than saying that Windows, as a low-learning-curve OS-for-the-masses, needs to go away. It's possible to fix it. Whether Microsoft CAN fix it, or cares about doing so, is another question.
"But, no, actually, you know what would work? If IE and Lookout and Office dried up and blew away and got replaced by Firefox and Thunderbird and OpenOffice, with Postfix and LAMP on the back end, Windows wouldn't be half bad... provided no one EVER tried to use ActiveX in a browser EVER again... oh, and we cut the base price of the home OS back to $49 and eliminate DRM entirely."
Hey, I could go along with that....
"*ahem* Seriously. Microsoft will never completely fix the design flaws in their systems. Otherwise their sales of new versions would go totally flat, and so would those of the A/V and commercial anti-spam companies. Which would be bad for the shareholders, dontcha know."
And that's the sad part. They will continue to publish a product that puts everyone else's financial future at risk, so long as doing so ensures their own.
no subject
no subject
Somewhere (when?) I have a long explanation of why this isn't possible.
To cut to the chase:
a) those who would write trojans, virii and the like have a particular hatred of Microsoft - and will continue to make it their primary target. Unfortunately, user-friendly == less-secure.
b) to 'make Windows more secure' Microsoft would have to trudge into the realm of firewall software and anti-spyware... can you imagine how fast the anti-monopoly lawsuits would get filed? Microsoft's hands are somewhat tied - since they didn't do it early on, they now really *can't* do it - because all of the individual software makers of security-based code would be suing them until the lawyers' fees alone bankrupted the company.
But thanks for the heads up - I will be passing it along - as I seem to have one too many friends who DON'T get the concept of "don't click okay... you don't know what the hell that is!!"
no subject
Microsoft would not need to become a firewall or an anti-spyware company to secure Windows. (In any case, they've already done both of those. They built a firewall into XP SP2, and bought Giant for their anti-spyware product.) Neither of those will secure Windows anyway -- they're just band-aids plastered over the festering ulcer. The fix is to rewrite the internals to be secure in the first place, which includes getting rid of abominations like ActiveX.
no subject
But then, I've also met the guy that has pwned *every* major (and most minor) ISP by knowing inherent UNIX flaws (he goes to defcon every year)... there is no such thing as a "safe" computer that connects to the internet... just "safer".
no subject
The consequences of the Robert Morris worm are interesting. CERT was formed within a reasonably short time, and Unix writers immediately began patching the hell out of their code (which was already designed for some modicum of security but had some tactical errors in execution) to close the holes. Eventually it became industry best practice to simply shut down services that were not considered up to security standards and that the proprietary vendors would not fix. (How often do you see fingerd up today?) Others began drop-in replacements or total rewrites of insecure services (witness Postfix and Qmail for Sendmail, among others).
What did Windows do in response to the quagmire of viruses that was the early 32-bit Windows? Add more features, and more eye candy. Admittedly there was some security tightening, but the ISVs didn't take advantage of it, insisting on insecure "god mode" to run their programs, which put all that work to naught.... *sigh*
It's the whole approach to doing things that is busted.
Me, I'm waiting for Symphony as far as Linux your luddite Aunt Martha can use.
no subject
oh well... there you go.
Personally, I don't want my luddite Aunt Martha running any flavor of Unix... she (they) already call me enough for tech support with windoze - by which I mean "um, my thingy with the clock on it and the start button? it moved to the side of the screen - how do I make it move back??"
sigh
no subject
Windows security
As a Microsoft employee, there are limits to what I can say without breaching corporate confidentiality rules but what I can tell you is that Microsoft really is making very large changes to its culture with regard to security. It has been going on for several years now, and it continues to progress. We have made fundamental, and I mean *really* fundamental changes to our processes to incorporate security into the development, testing, and distribution of our products. Windows Server 2003 is the most secure OS we've put out and the stats prove it.
We also have this guy (http://blogs.msdn.com/michael_howard/) working for us. Perhaps you've heard of a little book he wrote called "Writing Secure Code." He, along with a team of very very smart people, is dedicated full-time to making sure that we don't repeat the mistakes of the past. Yeah, some things will always get through, but that's going to happen to everyone, not just Microsoft.
As for the unprivileged user messing up the OS, Windows Vista is going to have some *significant* changes which will go a very long way toward preventing that kind of problem. Actually, the problem with XP is not that an unprivileged user can screw up the system; a "regular" user actually can't. It's that running as a regular user makes it hard to do a lot of things that you want to do, such as setting the system date and time or even setting up a game to play. Therefore a lot of people run with Administrator privileges all the time. Vista will solve a lot of these problems. I don't know how much of this is public knowledge yet, so I'll stop here.
Re: Windows security
Aha!
s/a ref=/a href=/
no subject
Make with the clicky and be enlightened. (http://www.symphonyos.com)
Instead of the infinitely customizable, trim it down to appliance-level. Firefox, OpenOffice, Thunderbird, a few other basic apps, and THAT'S ALL SHE GETS. *one* theme. *one* desktop. Of course, the remark about idiot-proof (only an idiot would use it) is true... that's when you upgrade to Ubuntu, but only after she's consented to actually *learn* the OS and made progress doing so.
That's all *most* people at home really need. A simple swiss army knife, and a small one at that. Web, mail, multimedia, and documents. That's all.
It's alpha, so no foisting it off on Martha yet... but testing it out? hellyeah. Help'em make it better, so we don't have to devote our weekends to tech support.