Cyber crims smash through Windows into the great beyond

Windows has been a beleaguered piece of software over the years. That is because malicious hackers, like everyone else, want to walk the simplest path to the greatest glory. Microsoft’s operating system has been the most popular one for the past 20 years, so it has attracted the most malware. One IT professional told The …

COMMENTS

This topic is closed for new posts.
  1. king of foo

    Gnu/Linux?

    I'm sure other commentards will answer this but I'll ask anyway:

    "Is there a truly safe OS that businesses can turn to?"

    It's only natural for predators to go after the herd; are businesses running Red Hat/other Gnu/Linux OSes PROVEN to be any safer?

    I've heard a lot of gossip and banter but it would be good to read an article on the subject containing hard facts and busting myths.

    1. Anonymous Coward

      Re: Gnu/Linux?

      Linux will get targeted just as Android, MacOS X and Windows are being targeted now.

      What will make it difficult is the level of fragmentation. Try to post a dodgy RPM to a Debian user purporting to be a patch from Red Hat and expect to have ridicule heaped upon you.

      I myself: my workplace maintain a lot of Ubuntu-based servers, my own infrastructure including my work PC (BYOD) run Gentoo.

      1. Nifty Silver badge

        Re: Gnu/Linux?

        "my own infrastructure including my work PC (BYOD) run Gentoo"

        Thanks for telling us that Stuart

      2. king of foo

        Re: Gnu/Linux?

        But surely MS do something fundamentally wrong when it comes to security? They have to. There are literally millions of PCs in botnets right now.

        Does anyone on here work in security?

        I agree that you'll never prevent a user from clicking "OK" to install malware but there must be something fundamentally "safer" about Unix/BSD/Linux systems.

        1. This post has been deleted by its author

        2. Paul Crawford Silver badge

          Re: king of foo

          "But surely MS do something fundamentally wrong when it comes to security?"

          It is more complex than that.

          Modern versions of Windows can be locked down pretty good, but that requires a high level of skill and an attitude of not making life easy if it makes it vulnerable. Home users do not normally fall into that category, and some (usually small) businesses are run by folk with little more IT knowledge.

          What MS also has to battle is a legacy of folk just downloading and running stuff, often while logged in as admin, and just clicking "yes" to every annoying pop-up that asks them if shaftmesideways.exe should be allowed to do XYZ.

          In that respect the typical *NIX system user is not expected to do that, and won't normally be logged in as root. Add to that the typical package manager approach to getting most software and it is a different mind-set, more like the Apple walled garden app store.

          1. Richard Plinston

            Re: king of foo

            > "But surely MS do something fundamentally wrong when it comes to security?"

            There are many things that Microsoft _designed_ into Windows that led directly to security problems. Some of these have been fixed, but many are just papered over by popping up a 'yes/no' dialog that then turns the blame onto the user.

            * Inserting a Floppy, CD or USB drive executes code on that device with no further user action. (mostly fixed now)

            * Opening an email, or in some cases merely selecting it so it can be deleted, can cause attachments to be opened. For certain types of attachment this will cause code inside it to be executed - by design, such as Office macros, - or by flaws such as image handling.

            * File 'types' are hidden by default so that 'knickers.jpeg.exe' appears to be an image that the user can safely click on.

            * Any file that is .exe is executable. A file that is downloaded does not need anything else other than that it be a (hidden) .exe to be run.

            * ActiveX. No more need be said.

            * Users running as admin.

            Other systems don't have these designed-in security failures.
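
The hidden-extension point in the list above, seen from the side of a mail gateway or file server, as an added example that is not part of the original comment: it approximates the name a user sees when the final extension is hidden and flags names whose visible part looks like a document or image. The extension lists, function names and sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed lists for illustration; a real filter would tune both.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def displayed_name(filename: str) -> str:
    """Approximate what the user sees with extensions hidden:
    the file name with its final extension dropped."""
    path = PureWindowsPath(filename)
    return path.stem if path.suffix else path.name


def classify(filename: str) -> str:
    """Return 'masquerade', 'executable' or 'ok' for one file name."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Real type is executable; does the visible part end in a harmless-looking type?
    if len(suffixes) >= 2 and suffixes[-2] in BENIGN_LOOKING_EXTS:
        return "masquerade"
    return "executable"


def triage(filenames):
    """Return (real name, displayed name, verdict) for each file name."""
    return [(name, displayed_name(name), classify(name)) for name in filenames]


# Constructed sample attachment names, not taken from any real incident.
SAMPLE_ATTACHMENTS = [
    "knickers.jpeg.exe",
    "holiday.JPEG.EXE",
    "setup.exe",
    "report.v2.final.docx",
    "notes.txt",
]

if __name__ == "__main__":
    for name, shown, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict:<11} shown as {shown!r:<24} real name {name!r}")
```
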

            1. Robert Helpmann??
              Childcatcher

              Re: king of foo

              There are many things that Microsoft _designed_ into Windows... Opening an email...

              This is not a function of the OS, but it is still ridiculous. As for the rest of the list (your Top 5, I presume), the auto-execute bit has either been turned off in newer versions or well-enough known that I have not seen it in a corporate or home environment in quite some time. File types and ActiveX: you are preaching to the choir.

              This leaves us with users running as admin: again, not part of the OS but more a part of the "culture." This is typically a function of poor management decision-making coupled with weak system administration. I contend that this points to the weakest portion of any IT environment: the people.

              I think you missed the biggest issue of all with Windows (and other OSes, in some part): the ongoing redesign of their interface. Every version of their OS (and other software) has pretty much called for their customers to have to re-learn how to use their products. How can users be expected to learn good practices if they have to be taught a new way to do basic tasks every major release? This, I believe, is the greatest factor in the uptake of newer versions of both Windows and Office, which arguably leads to the older and less secure versions of these staying around for much longer than they otherwise would (e.g. Windows XP).

          2. jason 7

            Re: king of foo

            Another factor is that if MS switched on all the security and restrictions (user accounts as default and not admin/EMET/DEP etc.) included in Windows by default there would be carnage.

            Average users would moan at the restrictions or extra passwords they would have to use. Not to mention all the poorly or out of date coded software that would be rendered useless by DEP/SEHOP etc.

            Damned if they do...

      3. cyberelf
        Linux

        Linux will get targeted ..

        "Linux will get targeted just as Android, MacOS X and Windows are being targeted now.", Stuart Longland

        When, it's been around for years now, on the desktop and on the server ..

        1. ItsNotMe
          WTF?

          "When, it's been around for years now, on the desktop and on the server .."

          @cyberelf...Linux is still just a blip on the RADAR screen, as far as desktop OSes go.

          With 1.58% of use...it's hardly a big target.

          http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

    2. Boris the Cockroach Silver badge
      Linux

      Re: Gnu/Linux?

      short answer: No

      Just less likely to be attacked because of the market share, .. if it had 50% market share, we'd be seeing all sorts of nasties aimed at GNU/Linux

      1. Magnus_Pym

        Re: Gnu/Linux?

        "short answer: No

        Just less likely to be attacked because of the market share, .. if it had 50% market share, we'd be seeing all sorts of nasties aimed at GNU/Linux"

        The question was not how many attacks are likely but how many will get through. There may not be a direct relationship.

      2. Callam McMillan

        Re: Gnu/Linux?

        Funny that. In a previous job I was reviewing a build document for linux servers, one of the lines was that Antivirus was not required. I made a quick scribble through that with the justification that the cost implication is minimal. The servers will never run at 100% load, so there is no real performance impact. The install is automated so it's no extra effort, and having antivirus that is never needed is better than not having it (for no good reason) when it is needed.

        1. king of foo

          Re: Gnu/Linux?

          I'm just wondering what ms do differently that makes the attacks so successful. They must stand out somehow. It can't all be down to scale.

          I'm not trying to poopoo windows, just understand what is so different. Do MS wear their kernel on their sleeve or something?

          1. Callam McMillan

            Re: Gnu/Linux?

            It's a combination of scale (more users = more profit opportunities) and openness. Things have got better since Vista with UAC (Password for privilege elevation) but unlike other operating systems, it's still possible for the user and the administrative account to be one and the same.

            In answer to supporting the sales drones, this recent Dilbert came to mind... http://dilbert.com/strips/comic/2014-05-19/

          2. Anonymous Coward

            @king of foo - Re: Gnu/Linux?

            It is the scale and some (let's call them idiotic) decisions regarding the user interface. For example trying hard to educate users that file extension is not important and even hiding it from them while at the same time allowing blind execution of anything ending in .exe, bringing html and scripts to email messages, bombarding user with meaningless warning messages ("an application wants to make changes to your system" when user is trying to install the super sleek free video codec downloaded from some obscure Russian website - what is he supposed to do with this?). Add to this all those half brain developers from Adobe, Sun/Oracle and others who have gifted Windows users with plug-ins that overstep the boundaries of common sense (why a document viewer has to execute local applications? parse that bloody damn document and display it that's all). All this (auto-run, drive-by download and others) was done in the name of what they call user experience.

            At least so far, we the *nix crowd don't give a damn about that and the irony is that we are being ridiculed for this attitude. We don't mind to type chmod u+x for a file we just downloaded from the Internet as this gives us enough time to think of the possible implications. Oh, and verifying file checksums is a concept that even today escapes the large mass of Windows users.

            Windows is not bad at all, it's just that it was designed and constantly evolved into an OS for dummies (why would you hide system files from a sysadmin or the admin that's not really an admin in Vista?) and you can't expect those dummies to care for their computers properly.

            1. Callam McMillan

              Re: @king of foo - Gnu/Linux?

              That looks like a pretty fair assessment of the weaknesses of Windows. Ironically it is the same weaknesses that allowed them (coupled with some shady business practices) to capture over 90% of the market at their peak.

              On the other hand, I upgraded to Windows 7 in 2011, since then, I haven't had so much as a sniff of a virus or any other malware. A little pragmatism goes a long way. It's just a shame that that lesson is so hard to teach people.

              1. Destroy All Monsters Silver badge
                Pint

                Re: @king of foo - Gnu/Linux?

                Microsoft likes complexity, in particular complexity that is there not to help the user, but to befuddle him and lock him in. On one hand, functionalities may be split over several packages to make upselling possible. On the other hand, features you really do not want may come pre-packaged to embiggen the product. That makes systems hard to think about and to design properly.

                And then you connect all this to the Internet, which is frankly riding the devil. Why is that? Occupy Babel explains..

          3. Anonymous Coward

            Re: Gnu/Linux?

            Their architecture would often completely ignore security. A typical example is the decision for any application to automatically honour any request sent by other application without any checks. This made for an integrated software suite but allowed such nonsense as, say, the address book spamming everyone in its list on instructions from the browser.

        2. Anonymous Coward

          @Callam McMillan - Re: Gnu/Linux?

          As a CYA I find it good practice.

          It's the same argument for the need to wear a helmet and knee protection each time you go into your bathtub.

        3. Anonymous Coward

          Re: Gnu/Linux?

          Funny that. In a previous job I was reviewing a build document for linux servers, one of the lines was that Antivirus was not required. I made a quick scribble through that with the justification that the cost implication is minimal.

          In my experience, the antivirus seen on Linux tends to be aimed at finding and eliminating Windows viruses … i.e. by scanning files and emails that may pass through a Linux server en route to a Windows client.

          So your SMTP server and file server (Samba) might whistle up clamav to scan a file; if a virus is found the file is rejected.

  2. windowssucks

    One of my best decisions has been moving from Windows malware world to Linux pc. For instance Linux Mint has been easy to install, easy to learn and use. It's free, very stable and secure. Very, very user friendly. I haven't bought software since 2008.

    1. Elmer Phud

      well minted

      If, say, people didn't go from XP to W8 but went to Mint, how long would it be before malware was aimed in their direction?

      1. AlbertH
        Linux

        Re: well minted

        Unfortunately for the malware writers, a user really has to want to bork a Linux machine. Users don't run with admin rights, so users can't install executables. It's a simple concept, but one that continues to elude Microsoft.

        MS took a bunch of decisions in the late 80s which still haunt their operating systems to this day. There is no way to make a Windows machine secure - other than switching it off.

        The Windows apologists and fans around here who sneer at the apparently small market share conveniently forget that their routers, Tivos, internet service providers and their favourite websites all run Linux (and couldn't work as effectively with any other OS).

        Windows is just a pi$$-poor, insecure, slow, bloated and expensive client for a Unix world!

  3. scub

    XP

    Hiya,

    Just wanted to share my thoughts on XP. I know it's dead and all, but win7/8 are in no way "upgrades" unless you're new and have never used a computer before.

    They seem to be trying to kill it off by not allowing hardware support in browsers, resulting in poor performance on sub 2GHz processors. I know you can enable it in Chrome, but then Netflix stops working, as Silverlight complains..

    Anyhows I digress,

    If there is no longer support for XP and XP becomes a hotbed for malicious activity as a platform, then isn't it in everyone's interest to demand an update for XP?? if you know what I mean?

    Most stuff that affects home users is their PCs being used for DOS attacks, otherwise, who cares?

    1. Chika

      Re: XP

      I may have mentioned this before, but you should consider that people that currently "click OK regardless" will do it regardless of the OS. XP may be dead as far as Microsoft are concerned, but a large amount of the problem with XP tended to be that people insisted on using administrative accounts for their normal use. This was partly down to the design and partly down to users not being completely knowledgeable about what the problem of running as an admin in a dangerous environment such as the Internet was. The trouble here is that some of these users will be doing the same thing on Windows 7 or 8 or MacOS or Linux as long as they are given the opportunity to.

      Restricting the use of the admin or root account (select the appropriate account name according to the OS you are using) so that you only use it when you actually need it reduces a lot of the problems addressed in this thread.

      Of course, it doesn't solve everything. I daresay that anyone reading this will already have a few examples in mind that could still occur, including the one where a user allows root/admin access where malware spoofs a legitimate product.

      But then my own view is that there is only one completely foolproof way to prevent malware. Turn the computer off! ;)

    2. scub

      Re: XP

      The thumbsdown must be the i7/ ssd crowd eh?

  4. Amorous Cowherder
    Facepalm

    Who needs malware with Android's security model?

    As an example start a download of Facebook app for Android and see the frightening amount of access it asks for to be able to run. Who needs malware when apps like Zuck's ask for permission to look through your phone book, access to premium rate calls and your SMS texts, it's a chat/blogging app for crying out loud, why does it need all that? Most users simply click "OK" and the app is on the phone and ready to sell you out.

    All you have to do is write an app that everyone will kill to install (Flapping Birdies or whatever the heck it was called), ask for a stupid amount of access and 9 times out of 10 most people will simply click "OK" to install and you're golden.

    1. Elmer Phud

      Re: Who needs malware with Android's security model?

      "All you have to do is write an app that everyone will kill to install"

      and they say "yeah, but it's free and really cool"

      as soon as they say 'but' you want to slap them with a dead fish.

  5. Anonymous Coward

    100 per cent of working malware ..

    "One IT professional told The Register he thought 100 per cent of working malware was aimed at Windows. He was, of course, being a tad disingenuous."

    100 per cent of click-on-a-url or open-an-attachment malware is aimed at Windows ..

    1. dogged

      Re: 100 per cent of working malware ..

      No, quite a lot of it's aimed at Flash or Acrobat Reader.
