LilBambi

Insecure by Design?

Guest ThunderRiver

It is insecure by design, but that's what users asked for. They don't want Microsoft intervention. They don't want Microsoft to update their system automatically. Yet they want more power. Developers want more accessibility with the system through ActiveX, and Microsoft did it... and it also opens the door to viruses and so on. Can't really blame it totally on MS; it is the users' choice too.

On the other hand, MS is trying to write secure code and trying to debug for any buffer over-run in thousands and thousands of code. Hackers only need to find one bug to be famous... and journalists just come along and wipe on hacker's bum. I don't believe all Linux developers know how to write secure code, and I am sure there are tons of vulnerabilities yet to be discovered in the future.

Jeber

My two thoughts on this topic:

If the average user could see the code involved in building Outlook Express, for example, and then see how easy it is, with all those lines of code, to miss the line or two that allow hacker exploits, perhaps they'd be more understanding about all those patches and updates. Perfect code is practically impossible to write the first time through.

And therein lies the strength of Linux and the weakness of MS. MS has a limited number of people who can look at the code and debug it. Linux has an unlimited number who can look at the code and rewrite it if necessary. No doubt there are a lot of errors in Linux code out of the box, but with so many people able to examine it, the fixes can come a lot sooner.

Prelude76

i think by 'design', linux is a lot more secure, mostly for one reason: you log on as a user, not as root (administrator). every time you do something that requires admin privileges, it prompts for password, such as installing programs, changing drivers, etc... all versions of windows run as Administrator mode as default. and worse yet, you can't realistically change that even if you wanted to. i tried setting up as Power User in win2000, and i couldn't even burn CDs! it said i needed administrator privileges.

if the next windows will make all users by default 'power users', and every time an administrator privilege is needed, it prompts for password, it would be that much more secure. that, and as the article explained, don't enable stupid services ON by default and firewall OFF by default. that's just a recipe for disaster. when i do a fresh windows installation, i stay off the internet until i set up antivirus, firewall, turn off about a dozen services, and then i log on and patch patch patch the system. THEN it's relatively secure. trouble is how many normal people who pick up XP off the shelf at Walmart and go home and auto-run and update their computer do all the steps i just described?

Guest ThunderRiver

It is true that Windows uses Administrator by default, but that's also what users ask for. Microsoft doesn't want people questioning their product support with questions like "How come I used to be able to install programs in Windows 98, and now when I install the program it says *You don't have the Administrator privilege to install this program*..."

It is so easy to change the policy since people are so used to installing programs right away. As of now, Microsoft and other major companies do mention that "You need to be an Administrator in order to install such and that programs." However, most people would overlook it because they simply assume they are Admin.

Perhaps, if Microsoft can drastically change the policy to one similar to UNIX, they can thus eliminate the need for the protected system files folder C:\WINDOWS\system32\dllcache

Prelude76

i see your point, thunderriver.

how about a different approach to it? have windows 'switch' to admin mode when installations are started, maybe have a password that can be set to "remember for next time", and then switch back to user mode automatically? or would that defeat the point of having user / admin separate, if worms could also call and do the switch to 'admin' mode automatically? i guess we can't have it both ways. :lol:

LilBambi

What a tough subject this really is....

Microsoft is trying to make itself easy to use and add more features for interoperability, and in the process make the OS less secure.

On the other hand I am seeing distros like Lindows trying for the same thing and making their version of Linux insecure. Folks would think they are getting a more secure operating system but they are not, because no one should run as root to do normal processes.

I hope that as other distros try to make themselves more user-friendly that they don't lose sight of the overall objective which is to be user-friendly but not at the expense of security.

In Linux, if you request to run or do something that requires Admin/root privileges, you are prompted for the root password. If you don't know the root password, no go... it just reports that you do not have rights to access that process or program. Then you have to go to your admin, whoever that is on your home or work network and let them know what you are trying to do and go from there.

Some folks run as root even in Linux and make themselves vulnerable. It is an age old problem.

It is so funny when you are unwise and forget who you are and try to go to an IRC server. The server can get quite rude ... it may bump you off entirely and tell you you can not be root. Some even say you are stupid to be trying to run an IRC client as root! LOL!

Insecure by Design is not going to be an easy problem to address for Windows. It would seem so restrictive to many users and others just would not know what to even do under those circumstances.

Catch22.

Marsden11

From Google Zeitgeist for July 2003:

sept-os.gif from Aug 2001
jul03_pie.gif from July 2003

Looks like a trend. MS products are attacked simply because they are the largest target out there.

Look at the roles that the various OSes play. Linux is secure because its roots are server based. Admins want secure servers. That prevents the casual user from messing around. Linux moves to the desktop and brings its security model along.

MS has roots on the desktop. Prompting worker bees for a password every time they try to do something would generate more support calls for, "I can't find, remember my password." Nothing would ever get done. MS enters the server side and eventually Win 2003 Server ships with similar security features akin to Linux. Most of everything useful to a worker bee is turned off by default.

This just leads to my OS is better than yours blah blah blah.

Any OS can be operated unsafely. To say one's OS is more secure than the other guy's is just silly.

When Microsoft announced in October 2002 that its Windows 2000 operating system had been awarded the highest possible grade (received a "moderate to high" security rating in the Common Criteria (CC) security certification last fall), open source advocates downplayed the honor as insignificant and unrelated to real-world security analysis.

IBM and SuSE Linux Earn First Security Certification of Linux
ARMONK, N.Y. and Oakland, CA, 08/05/2003
Meets Federal Standards Critical to Homeland Security

IBM and SuSE Linux today announced that SuSE achieved the first ever security certification of Linux, taking the critical next step in the maturation of Linux and enabling the adoption of Linux by governments and companies around the world for mission critical environments. SuSE Linux Enterprise Server 8 has achieved Common Criteria Security running on IBM eServer xSeries.

The Common Criteria (CC) is an internationally recognized ISO standard (ISO 15408) used by the Federal government and other organizations to assess security and assurance of technology products. The CC provides a standardized way of expressing security requirements and defines the respective set of rigorous criteria by which the product will be evaluated. It is widely recognized among IT professionals, government agencies, and customers as a seal of approval for mission-critical software.

Now SuSE finally makes it and it is a big deal?

There's just one catch: Linux got a lower security rating than Windows 2000 did last year. SuSE only achieved the "low to moderate" rating.

Most Linux installs didn't receive the certification. Sponsored by a $500,000 fee paid by computing giant IBM, the certification applies only to SuSE Linux, and only then when it's installed on certain IBM hardware.

EAL4.JPG
Source linkage

Prelude76

marsden, the certificate you mention is about testing their encryption, their security, and so on, at the server level. i don't know who's better; certifications are silly, just like "i'm a Microsoft Certified Professional" which means nothing if one still can't fix a computer. :) i think the article and other people's threads were comparing out-of-the-box security, in which case, Windows falls WAY WAY short of linux. maybe windows 2003 SERVER is finally getting it right, but the vast majority of XP, 98, and 2000 users in a home environment are exposed.

compare out of the box:

winXP - firewall NOT active by default; default users are administrators; changing to 'limited user' prevents even simple program installation; system files can be accidentally deleted, and an intricate system of file protection (SFC, System Restore, etc...) tries to RESTORE the deleted or corrupted file AFTER the fact

suse 8.2 out of the box - firewall enabled by default; user is automatically a normal user; making any installations or changes requires an administrator password; system files cannot be deleted or altered, unless you go and log off user, and log back in as root (admin mode).

Marsden11

How many people are running SuSE 8.2? How many are using some flavor of Windows?

I read where Gartner expected PC sales this year to hit 161 million units. How many of those are running SuSE 8.2?

Why do most folks in the know use hardware firewalls to connect to the Web? Most businesses do. How many average users can plug in a PC running Windows and do stuff? How many average users out there can download an ISO and burn it and install and run SuSE 8.2?

<<certifications are silly>>

Then why do governments pay attention to them?

Prelude76

that's a lot of questions, Marsden. :lol: are you implying that SuSE (or any flavor of linux) is more secure because it's less popular than windows? that is a very short-sighted analysis. once again, do you or do you not agree with this sentence:

Windows 98, 2000 and XP by DEFAULT have firewall turned off and run everything in administrator mode.

but as a side note, i'm posting this from Windows 2003 Server. trying it out so i can set it up for a client. D***, i think microsoft is finally LISTENING. win2003 server has firewall turned ON, most useless services OFF, and runs IE in secure mode with those silly ActiveX controls turned off. nice, i'm impressed. let's hope they port these ideas over to Longhorn.

p.s. - it boots faster than i've ever seen anything boot. it's like windows 3.1 fast during boot. how did they do that? :lol:

JackR

The issue of Software's default (Firewall On or Off etc.) is actually Silly.

It is like saying I do not know how to drive a Car because the Default is Parking.

You want to use a computer, learn How!

On the other hand.

Microsoft, Symantec and others believe that all the computers in the world should be like one big computer (through the Internet) with them in control. It is like building a neighborhood without locks on the door under the assumption that you do not mind people getting in and out of your house without your permission (and knowledge).

As a result a lot of developers are torn between securing their work and allowing a variety of "Doors". (Among the others it is called Live Update, Auto Update, check for New Version, Synchronize this, Tune that etc.)

GolfProRM

The reason Win2k3 server is so quick is because nearly EVERYTHING is turned off... It's SERVER software, not desktop software... It doesn't even come with the sound turned on... It's designed to be a very stable server, not a home user desktop... No "average joe" is going to spend more than $1000 on a home OS just because it's "more secure." I agree that the XP firewall should be turned on by default, but it's not MS's fault that the average computer user isn't knowledgeable enough to know how to protect themselves. Personally, I'd like to see every computer buyer take a basics class before they can buy a computer... This would solve all sorts of problems. :lol:

Prelude76
I agree that the XP firewall should be turned on by default, but it's not MS's fault that the average computer user isn't knowledgeable enough to know how to protect themselves.  Personally, I'd like to see every computer buyer take a basics class before they can buy a computer...  This would solve all sorts of problems. :D
Ryan, that's very wishful thinking. :lol: i mean, i think everyone who is going to bring a child into this world needs to go thru a parenting course, and everyone applying for a credit card must take some financial course, but those things aren't happening.

but along those lines, how about a FORCED tutorial they have to step thru, and only if you go like SETUP.EXE -notutorial can it be bypassed. and if they fail a simple multiple choice quiz at end of tutorial, drive gets formatted and you are ordered to return the OS back to the store and take some further lessons. :rolleyes:

but about Windows2003, you're wrong Ryan. Windows Audio is enabled by default. so are about 30+ services. i still have to use black viper to tweak it down some more. even Automatic Updates is turned on. but among notable missing features is Themes are disabled by default (but can be enabled) and System Restore is a figment of imagination: it doesn't even appear anywhere. but i like it, i like it. makes me wanna start saving $1000 for it. :lol:

JackR

It seems that it is not so hard to learn important tasks like how to install Themes, and Change Screen Savers. (A lot of people buy XP Plus packages).

But learn about Security, or Firewall Brrrr. G-D forbid, and how can you resist opening the attachment that includes your Wicked Screen Saver.

Microwave manufacturers have to list a List of No NOs. (One lady dried her Dog in the Microwave). OS manufacturers should too.

GolfProRM
But learn about Security, or Firewall Brrrr. G-D forbid, and how can you resist opening the attachment that includes your Wicked Screen Saver.
Speaking of Wicked Screen Savers

Anyone else getting bombed by Sobig? I get somewhere between 25-75 emails a day with the subject "Wicked Screen Saver". Of course I don't open them, but I ended up shutting down one of my email accounts as it got ridiculous... They all are coming from random email addresses, and it seems to have slowed down a bit, but I was getting 1-2 a minute for about 7 hours on Sunday...

zox

All these pie charts make me feel special. I am in 1 % if these are correct. That makes me wanna ditch my XP even sooner than I planned. By the way I still haven't booted up XP. :lol:

Marsden11

<<are you implying that SuSE (or any flavor of linux) is more secure because its less popular than windows?>>

No. I'm saying that all the Windows flavors are a larger target. Like hunting... much easier to hit a large target (Elk) at 300 yards than trying to hit a field mouse at the same distance.

I'm also stating that in this case SuSE is less secure than Win2K when placed side by side in the Criteria for Information Technology Security Evaluation (CCITSE). I do not know of the status of XP in those same tests.

Marsden11

<<System Restore is a figment of imagination:...>>

Try Volume Shadow Copy...

I got one of several copies of Win2K3 Enterprise Edition for free after attending some free MS Hands On Training events.

win2k3-box-25-cals.jpg

Save your money and just sign up for the MS Partners Action Pack Subscription. Just about everything MS makes software wise for $299 + tax.

zox
I'm also stating that in this case SuSe is less secure than Win2K when placed side by side in the Criteria for Information Technology Security Evaluation (CCITSE). I do not know of the status of XP in those same tests.
That is exactly Microsoft's weapon. Money.

Those certifications cost a lot of money and this one was the cheapest, just so they can get their foot in, so to speak. As we all know Microsoft is full of money and giving 1 million bucks for each certification is nothing. IBM even paid for this basic certification and not Suse.

These certifications do not state which system is more secure but actually who has more money to invest in government certification to gain access to nice contracts and deals with government.

Even if Suse obtained the highest level of certification, it is still a German distro and the US government, at least the military part, does not really like a German company to run their software and such. That certification is solely for the US and it is not required for the rest of the world.

As you can understand from it, Microsoft is a US based company, therefore a favorite with the US government over foreign companies, which is nothing strange.

Look at the article here, a bit old now: The Inquirer

GolfProRM

Reminder: This is not a forum for a Win vs. Linux argument... :)

Just because it's the Security forum doesn't mean it's free run for this type of argument ;)

LilBambi

Ryan you are so right! ;) Let's keep this to the issue at hand.

REMINDER: Insecure by Design? is the topic.

Please try to remember we can debate issues without coming against our fellow Members. The issues are hot enough!

Now everyone back to their corners! LOL! ;)

Prelude76
<<System Restore is a figment of imagination:...>> Try Volume Shadow Copy...
yeah, i saw that there. didn't try it yet.

how does VSC work? is it similar to a RAID setup, where a drive/partition is mirrored?

Prelude76
Ryan you are so right! ;) Let's keep this to the issue at hand. REMINDER: Insecure by Design? is the topic. Please try to remember we can debate issues without coming against our fellow Members. The issues are hot enough! Now everyone back to their corners! LOL! ;)
yeah, arguing which is better, Windows or Linux, it's like arguing what's the best car. i mean, obviously it's a HONDA, but SOME people are **** bent on Ford, Chevy, etc... ;) no use arguing about it

but about topic of security, i must say, if Windows 2003 Server is how microsoft is going to tackle security, Linux is in for rough waters ahead. they'd better crank up their interface / desktop appeal because relying mainly on security issues will be a tougher sell with Win2003 and future Microsoft systems. just a thought i have after trying out w2k3 this week.

i still give more kudos to Linux for being able to read FAT32/NTFS and Linux partitions. i can't stand how none of microsoft windows systems can access linux partitions and continuously screw up linux boot loaders whenever they can. but i guess that's how you choke the competitor, right? ;)

LilBambi

Good point, Prelude,

It is actually very good news that Windows Server 2003 is much more secure than previous versions of Windows servers.

Will be great to see how that security is implemented in future builds of their desktop Windows for home and business users.

BTW: Linux is up to the challenge ... I wouldn't worry about that too much ;)

Jeber

"Insecure by design"... here's a thought that this subject brings to my mind:

With the increasing threat of domestic and foreign terrorism, all OS vendors are going to have to make system security a priority. Terrorists know how to use the internet, and if they don't already, they'll soon know how to exploit an OS's weaknesses to gain access to computers in important networks or for DOS attacks.

Also... sympathizers are always a major security headache. Terrorists could easily recruit sympathizers to go to work at Microsoft... or write a Linux package... and plant trojans for their own purposes.

Unless we want the government to determine how and when we can use our computers, the vendors and users are going to have to take it upon themselves to provide a secure OS.

(I think I spent too much time working for the gov. ;) I'm not paranoid, they really are out to get me! ;) )

LilBambi

Jeber,

Yep .. it's a real challenge in an environment where users are looking for features first, security second.... UNTIL... there's a security problem! LOL!

The only secure computer is one that doesn't have an internet connection ... a Microsoft spokesperson on Microsoft's site once said the only safe computer is one that is still in the box. (paraphrase) will have to find that link again ;)

Marsden11

Shadow Copy Service enables administrators to configure point-in-time bit-level snap-shots (copies) of critical data volumes without service interruption. The service then takes more snap-shots on user specified intervals and then maintains a catalog of the bit-level differences. These copies can then be used for service restoration, archival purposes, or restoration. Users can retrieve archived versions of their documents or other data types that are invisibly maintained on the server. Productivity is improved by the ability to better recover documents and other types of data.

The Shadow Copy service can also be applied to downstream clients via the Shadow Copy Client which can be used all the way back to Win NT as long as the volumes are NTFS.

Prelude76

ok, Jeber, no more associating computer viruses/worms/security with TERRORISM, k? come on, undo that CNN subliminal influencing :D reminds me of this funny news satire written in IRONIC TIMES :

Homeland Security Dept. Warns of Microsoft Windows Flaw
Terrorists could enter your computer, play your games, read your e-mail.
bottom line: who's more likely to exploit windows flaws? middle eastern terrorists, or your own government trying to track down who's using kazaa or not? i say option 2 is more believable.

LilBambi

Prelude,

Actually legally at this time in the US, the RIAA doesn't need the government to figure out what you are sharing, who your ISP is and only needs the authority already given to them by congress (without normal legal due process, I might add) to gain your personal info from the ISP.

The only winning move is not to play as Joshua on the movie War Games stated after learning that little lesson by playing Tic-Tac-Toe. Great movie.

At least until something is done about this 'situation.' :D
