Security Advisor

Does Windows Endanger Society?

Security study faulty at many levels; let me count the ways.

Last week, a number of high-profile security experts released a report called "Cyberinsecurity: The Cost of Monopoly. How the Dominance of Microsoft Products Poses a Risk to Security." Read coverage of the report first, at http://mcpmag.com/news/article.asp?EditorialsID=613; the report itself is at www.ccianet.org/papers/cyberinsecurity.pdf.

I discount the report for a number of reasons, and respond directly to the authors.

  1. I was made aware of the report's release through an invitation to a conference call. The subject of the e-mail was "National Security Compromised by Reliance on Microsoft Windows." To me, this sounded like the national security of the United States had been compromised, and that you were going to reveal the facts behind some successful attack on my country. Because of the title and the unrecognized sender, along with the fact that it had an attachment, I almost relegated the e-mail to the spam bucket.

  2. The conference call wasn't about national security being compromised. I assumed it was and I was annoyed that you'd used such a tawdry attempt at getting attention.

  3. At the beginning of the call you seemed almost apologetic—fumbling around, emphasizing that this wasn't about bashing Microsoft. I don't care if you want to bash Microsoft. This is a free country; you can criticize anyone you want to. If it's not about bashing Microsoft, though, why accuse the company of being behind the compromise of national security? Why bash them in the actual report?

  4. Your report, and the conference call, were sponsored by the Computer & Communications Industry Association (CCIA). This group is an industry association with a long history of anti-Microsoft rhetoric and action. The CCIA is involved in antitrust action against Microsoft in the United States and Europe. If you're going to tell me you're scientists who have all come to the same conclusion about the 3 M's—Microsoft, monopoly, and monoculture—then please find a more independent public forum. Your words will have more weight.

  5. While you stressed during the media conference call that your warnings weren't about Microsoft, the report plainly is. And while you are experts in information security, you clearly are not Microsoft Windows experts. One of you seemed surprised to learn that automatic updates are a default feature of current Windows releases. Another said they plugged in a Windows computer and it was compromised before it could be updated. Was the computer around when the patch was issued? If so, why wasn't it patched? Even the latest worm was preceded by three weeks in which the patch was available. Was it a new computer? I have to wonder about a security expert who waits three weeks to patch his computer or plugs in a brand new computer to the Internet before patching it or protecting it with a firewall. An ordinary citizen might do that, and that is a real problem.

And that's the problem you need to be talking about. Not your experience; you're the experts, after all. Don't get me wrong: in the enterprise, you don't want thousands of desktop computers phoning home to Microsoft and downloading and installing service packs and security patches on their own. Depending on your size, there are products like the free Microsoft Software Update Services, commercial software like Systems Management Server, or third-party products that let you choose which security patches will be applied to which computers, and when. But for the average consumer, the chance that a patch will cause harm is far smaller than the risk of not enabling automatic updating. The average consumer also needs to at least run a personal firewall. Many of the exploits, worms and so on can be foiled by a basic firewall.

  6. While you're correct that consumers shouldn't need to be security experts in order to browse the Internet, you don't seem to understand that the message consumers are getting is that they don't need to use any security on the Internet at all.

My ISP, Southwestern Bell (http://www01.sbc.com/DSL_new/content/0,,54,00.html#firewalls), has a lot to say about security. The quote below is from a Web page I've just downloaded. It tells consumers they should make their own decision about whether or not they need a firewall:

For example, a small business, or a customer who sends a lot of proprietary information over the Internet, may want to install a firewall, whereas customers who use the Internet for research or entertainment may find changing their passwords regularly to be all the security they need.

Would you trouble yourself to install a firewall after that? Read the page. It tells you how well Southwestern Bell keeps you secure by securing their network. It also implies you should not open an e-mail attachment that contains a virus (how do you determine that, pray tell?) and should install anti-virus software (nothing here about keeping that updated). So why aren't you attacking ISPs? A computer used without any security is like a car driven by a drunk driver: an accident waiting to happen.

  7. You emphasized that people who use Macs laugh at worms. I know companies that have 100 percent Windows on the desktop and laughed, too. They weren't infected, and not just because they patch, but because they follow sound information security principles. I also know many average folks who use Windows on their desktop. They use the onboard firewall. They use automatic updates. They weren't infected, either. Some of them were previous Mac users. Why did they switch? Because Windows is easier to use, and easier to update and protect.
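The consumer advice above (turn on automatic updating, run a personal firewall) and the enterprise alternative (point machines at SUS or SMS and choose patches centrally) can both be verified from the machine itself. The PowerShell script below is an added example, not code from the column or from Microsoft. It assumes the Automatic Updates and Windows Firewall registry layout that arrived with Windows XP SP2 and Server 2003 (the AUOptions, NoAutoUpdate, UseWUServer/WUServer and EnableFirewall values), which the SUS/WSUS policy templates kept; on newer Windows builds AUOptions may be absent, and the script then reports "unknown" rather than guessing.

```powershell
# Added example (not from the column): audit the two consumer controls the
# column recommends, and detect the enterprise model (an SUS/WSUS policy)
# that replaces consumer-style automatic updating.
# Assumption: XP SP2 / Server 2003-era registry layout for Automatic Updates
# and Windows Firewall. Values that are missing are reported as 'unknown'.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AutoUpdateState {
    # Group Policy values take precedence over the locally chosen setting.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPol  = "$policy\AU"
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $noAuto  = Get-RegValue $auPol 'NoAutoUpdate'
    $auOpts  = Get-RegValue $auPol 'AUOptions'
    if ($null -eq $auOpts) { $auOpts = Get-RegValue $local 'AUOptions' }
    $useWsus = Get-RegValue $auPol 'UseWUServer'
    $wsusUrl = Get-RegValue $policy 'WUServer'

    # AUOptions: 1 = disabled, 2 = notify before download,
    # 3 = download then notify before install, 4 = download and install on schedule.
    $code = if ($null -eq $auOpts) { 0 } else { [int]$auOpts }
    $mode = switch ($code) {
        1       { 'disabled' }
        2       { 'notify-only' }
        3       { 'download-only' }
        4       { 'automatic' }
        default { 'unknown' }
    }
    if ($noAuto -eq 1) { $mode = 'disabled' }   # policy switch-off wins

    [pscustomobject]@{
        Mode          = $mode
        ManagedByWsus = [bool]($useWsus -eq 1 -and $wsusUrl)
        WsusServer    = $wsusUrl
    }
}

function Get-FirewallState {
    # One EnableFirewall value per profile; PublicProfile only exists on Vista and later.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $profiles = @{}
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-RegValue "$base\$p" 'EnableFirewall'
        $profiles[$p] = if ($null -eq $v) { 'unknown' } elseif ($v -eq 1) { 'on' } else { 'off' }
    }
    return $profiles
}

function Show-PatchPosture {
    $au = Get-AutoUpdateState
    $fw = Get-FirewallState

    Write-Host "Automatic Updates : $($au.Mode)"
    if ($au.ManagedByWsus) {
        # Enterprise model: patches are selected and scheduled on the update server.
        Write-Host "  Managed by update server $($au.WsusServer); selection is central, not local"
    } elseif ($au.Mode -ne 'automatic') {
        Write-Warning "Not automatic and not centrally managed: a home machine should use AUOptions=4."
    }

    foreach ($p in $fw.Keys) { Write-Host ('Firewall {0,-16}: {1}' -f $p, $fw[$p]) }
    if (@($fw.Values) -contains 'off') {
        Write-Warning "A firewall profile is off; a home machine should have every profile on."
    }
}

Show-PatchPosture
```

Run it from an elevated prompt so the HKLM policy keys are readable; a machine that reports a WUServer but AUOptions of 'notify-only' is the enterprise case the column describes, where an administrator, not the desktop, decides what is installed and when.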

Here are my general responses to your report's conclusions.

  • You complain that Microsoft has systematically done everything they could to become the dominant player in computing. Isn't that what business is all about -- becoming No. 1? Of course it was intentional. Was it malicious? Was it illegal? That's for the courts to judge. Get off it. Pointing fingers and calling someone the devil won't get me to support your cause.
  • You say that the result of the alleged monopoly is a monoculture. By that you mean that since what sits at the end of each thread leading away from the Internet and into someone's home or office is Windows, we're all at risk. A single flaw can be our downfall. This is true; having only one way of doing anything puts us at risk. It's why businesses build redundancy into their computing infrastructure. It's why we ordinary citizens have a backup plan for getting to work if the car won't start.
  • You say that the problem is we're all so dependent on computers, and the vast majority of us are so incapable of using them securely that the government needs to step in. It's true that we're dependent on computers. This scares me. Many users don't know how to use them securely. Many of us who should know better don't always secure them properly. You might convince me that we need some ground rules here. Every citizen has a responsibility to protect others. We have laws about smoking in public places, driving while intoxicated and other harmful actions precisely because on their own, some people will do harmful things. Making rules to protect the good of the masses against the actions of the few and enforcing them is at least as old as Moses and the Ten Commandments. But let's make sure the laws are about regulating everyone in the same way, and not about punishing a single company.
  • You say the complexity of Microsoft products and the tight integration of the code in those products lock users in and violate a basic security principle. You say that computer scientists agree that loose coupling and modularity makes for better systems. You want, in short, to be able to mix and match products. Use another word processor on Windows. Use Office on Linux. I can do the former. I can't do the latter.

Do you remember the first version of Windows NT? The requirement for modularity resulted in OS/2 and POSIX subsystems. What was the first security suggestion? Remove those subsystems because they posed additional risk. I agree with the subsystem removal bit. Few used those parts of the product, and another security dictum says get rid of what you don't use, because it poses a risk as well. It's true that complexity is the enemy of security. The complexity of computing systems can be the result of using a single complex product. But diversifying, a main solution proposed by the report, also makes computing systems complex. How much harder will it be for consumers to secure their systems when they have a greater variety of them?

  • You also offer some suggestions for the alleged problem; here the message gets muddied.
  1. Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll still be at risk since those that would attack us will just do it by discovering and exploiting flaws in those products.
  2. Government legislation is needed to control the situation. I'm not sure if you're saying that Microsoft should be kicked in the pants or that we just need better control over who can do what on the Internet.
  3. Take the computers away from moms. Well, what else did you expect me to draw as a conclusion, when you complain that the problem is stupid users using unprotected computers on the Internet, and then point to your own mothers as an example? A number of you did just that during the conference call.

I'm glad we live in a society where we can express our opinion, and I'm really glad you did. I want very much to join you in your crusade to make the world safe from those that would take advantage of the lack of computer security that lives on the edge of the Internet. I want to make people more aware. I want them to secure their computers. I want the computing industry to give us products that are secure by design, and that we can secure even if we aren't experts. I want the craziness to stop. I don't want anyone hurt because some clueless teenager or malevolent terrorist takes advantage of a flaw in an operating system or application. I want it badly.

So guys, come on, stop with the M words. Join together instead. Let's get together—users, experts, policy makers, moms, programmers, software and hardware companies—in some independent forum, and work toward that goal without the rhetoric, without the animosity. After all, as one of you once said, "Security is a process, not a product."


Reader Comments:

Wed, Jul 13, 2005 Anonymous Anonymous

microsoft sux

Mon, May 24, 2004 Elijah Michigan

OK. So TCP/IP drives internet communication. Split up the OS blockade and people will just come up with ways to exploit the OTHER things we ALL use. Doesn't anyone see that it's not about Microsoft at all? It's people being creative with what they've got; exploiting anything they can.

Interconnectivity is what makes the internet work, people! If you make it so all computers don't share a common set of protocols and practices, you're removing the INTERNET from the world! Is that what they are saying to do? That is, after all, the only failsafe solution. And that's all that matters, not business and just doing your JOB on your Microsoft software, right? GET OVER IT.

As long as the internet and business communication online is around, there will be SOMETHING that EVERYONE has the same on their computers, and they will be vulnerable to someone's crazy hack that they dreamed up during study hall.

I only rated three stars because this huge point was missed. It's the internet that connects us, not Microsoft, and it's made of allll sorts of machines.

Mon, May 24, 2004 leonard hall orlando fl

Society? Really, I don't foresee any operating system as endangering society, and what's with the new trend of asking for government control of the internet?
I've used computers since 1989, got viruses, had crashes and in general did everything screwed up that was possible.
Fortunately I was able to learn from my mistakes and haven't been infected in years. The biggest threat on the internet is the US government, as far as I have been able to determine; the current admin seems intent on controlling the internet and the gigabits of data it contains,
and though I laughed when I first heard a certain very scary dude say that he was going to "clean up" the internet, what a sad day when the ex-land of the free is now becoming an Orwellian HOMELAND.
Kinda reminds one of der Fatherland or the Motherland, no? Oh well, at least we had a good run. Security does not exist in the form that you seem to seek, i.e. some blanket of protection provided by the great white father in D.C. Security is better served by each of us learning to protect our investment, be it our computers or our freedom from government domination.

Mon, Mar 29, 2004 Pete Austraila

Sounds just like all Microsoft press statements. Paranoid that their 95% market share might be reduced to 90% over small issues.

Mon, Oct 20, 2003 Richard Costello Raleigh

One of the big oversights that most people make is that TCP/IP was never engineered for secure transmissions. TCP/IP was designed for open communications. Now as MS and other software manufacturers try to retrofit security, it is not easy. That is what most critics of MS forget.

Sat, Oct 11, 2003 Anonymous Belgium, Old Europe

A very interesting article, and completely unbiased, even though it was written by somebody who might stop making a living when there's no more MS to write about. Some small hint though, for your "Use Office on Linux. I can do the former. I can't do the latter.": discover Wine, or in your case, if you prefer the click-click way like I do, Xandros (since it comes with CrossOver Office, which will let you install your MS Office in a Linux environment).
Bravo, for daring to stand up against the majority of people who claim that MS products are no good. Eh, or was it the other way around? D.G. didn't get fired by @stake, right? He just wanted to go out fishing for the rest of his life; pure coincidence and misinterpretation.

Let's stop whining, like with politicians, we get what we deserve.

Sat, Oct 4, 2003 Gary NC

I believe Roberta makes some very valid points when she points out the MS bashing of the article. I also believe some of you Roberta bashers have valid points regarding shillism. Although, I do have to say that the selling of a Windows-based PC that isn't patched is the fault of the store that sold it, not MS.

A few years ago, GM sold some cars that didn't have a properly torqued oil filter mount. Most of these were fixed by the dealer before the car was sold. If cars were sold at the average department store, I doubt these things would have been fixed before there were a LOT of firebirds, camaros, and assorted v8 GM cars in the breakdown lanes.

I work at a computer store that won't let a Windows-based computer reach the customer until it has been fully patched/updated. So, if a new Windows-based PC I prepared was plugged in, and instantly "Blastered", it would have been my fault, not MS'.

gap

Fri, Oct 3, 2003 Zach Redmond, Wash.

Vince from Indiana says: "I jumped over to the Redhat website. There have been 53 Red Hat Linux 9 Security Advisories since March of 2003. (https://rhn.redhat.com/errata/rh9-errata-security.html). 65 if you count all patches and bugfixes." Try doing a bit of research before you try to prove your point by counting advisories (remember the Aberdeen Group getting slammed for trying to make this point with CERT numbers?). For those of you who live in Windows LaLaLand and don't read much of anything from a non-Windows site, I'll paraphrase.

1) Linux the operating system is not the same as Redhat Linux or Suse Linux or Mandrake Linux. Linux the OS is the kernel; Redhat, Suse, Mandrake are distributions. A distribution contains both Linux the OS and usually a few thousand open source applications. Looking at just the OS advisory count for RH9 you get 3; the rest are application advisories (and of those 3 kernel advisories, none were remotely exploitable). Comparing the number of advisories that a Linux distribution releases vs. Windows is an apples and oranges comparison. To get an apples to apples comparison, you would have to include Windows and the next 2500 (in RH's case; 5500 in Suse's case) most popular applications for the Windows platform.

2) What MS doesn't tell you, you'll never know. In the open source world, there is no stigma for posting a vulnerability. In fact, in the open source world, it's generally accepted that all software has bugs and that when you find one, you advise the project participants. People patch it and get on w/life. It is a natural part of the development model to release code often and not hide or hold things back (read ESR's Cathedral and Bazaar for insight). In contrast, MS only makes public those vulnerabilities that have either been exploited, are about to be exploited or, more importantly, will hit them hard in the PR department. There is no telling how many "advisories" MS is currently sitting on for "marketing" reasons. Security through obscurity doesn't work for operating systems.

3) Just because Redhat releases an advisory for an application doesn't mean that everyone running Redhat will be exploited by it. There are numerous applications on RH's list that are never installed on someone's computer (for example, I don't run Eye of Gnome or squirrelmail so those advisories don't apply to me). To take it a step further, because of the variability of Linux installations, even kernel exploits don't apply to all machines as sysadmins frequently recompile kernels on their servers to drop unneeded kernel modules or even drop the whole kernel module subsystem itself. This is why it's hard to write a successful virus/worm for Linux; not every machine is a cookie cutter image of another one so the exposure base is smaller. OTOH, when MS releases an advisory, it generally applies to all MS machines because they all run the same binaries and are all exploitable in the same way. That is the main reason why Windows has 65,000 plus virii/worms; it's easier to write an exploit that will be successful for a large number of machines.

I could go on but I know I'm only wasting my breath on sites like these. We'll see how long MS lasts as Linux continues to commoditize the OS and remove the profit out of OS's for companies like MS and Sun. For all you Windows-only admins, I wish you good luck on eventually learning your new OS! -- Zach CISSP, LPI, MCSE

Fri, Oct 3, 2003 Anonymous Anonymous

In response to the comment about new cars requiring a change of oil before they're safe to be filled up and driven, in comparison to computer security: this is the worst analogy I've ever seen! The correct analogy should be that people still buy new cars without alarms installed; they still drive the new cars without security protection out of the dealer's car yard. This is just the same as desktop computers. What we need is for computer shops to fully patch the OS before shipping it to the users. Just like some car dealers would install an alarm system (most likely at the customer's request) before handing the key over. I rest my case.

Fri, Oct 3, 2003 julie FL

What about my six-year-old girl? My 73-year-old mother? Are they supposed to educate themselves about "basic operation"??? What if they just want to use the machine? Put yourself in the shoes of these people... are they going to understand "patches and bugfixes"? Also many patches are large, and for a person with a dialup modem, that means a lot of time with no telephone... if the transfer works. That is why the only type of machine I will recommend is a Mac. Period.

Fri, Oct 3, 2003 DA MD

There seems to be a lack of common sense in the world today. With any new piece of machinery it's wise to educate yourself about its basic operation before firing it up, or of course the results could be unpleasant. Come on boys and girls, we're adults now and need to take some responsibility for our actions. Microsoft is a very successful company with a great vision that is helping to reshape everyone's future. We all love to bash the biggest and brightest, but truth be known, if Microsoft products were as bad as all that then no one would be buying them!

Fri, Oct 3, 2003 BB Anonymous

Gee - I kinda liked it....

Fri, Oct 3, 2003 Dan Steele Dallas

"Some of them were previous Mac users. Why did they switch? Because Windows is easier to use, and easier to update and protect."

This statement is so laughably wrong as to negate anything else she says. Anyone who has *actually worked with* both machines for an extended period knows how inaccurate it is.

The statement is just the PC-centered version of the tiresome Mac/PC debate. Usually, it's fanatic Mac-heads bashing PCs. This time, it's an apparent MCSE who should know better.

You're really showing your ignorance here, Roberta.

Thu, Oct 2, 2003 Tammi San Jose

I am so so SO MAD at Windows/Microsoft. This lady is a mindless lemming so brainwashed by her evil master that she cannot see that what she is saying is hurting innocent people like myself. I am a regular computer user (read: know next to nothing about them, I just want them to work for me). I got it to upgrade my trusty IBM typewriter, so I can get my writing career out of the "dark ages". So, I went to the store and I bought myself a cute little laptop with Windows on it. I had one of the most prolific streaks of my career... then I went back into the dark ages as I witnessed my computer freezing and making funny noises, and then the screen turned blue and said I had to turn it off. So I did, and when I turned it back on all of my wonderful work was gone! Can you believe it? So I took it back to the store and they told me that it had a virus and my work was unrecoverable. I just went through the roof. My Selectric would never do this to me! He said I should have "patched" my machine, and asked me if I remembered messages coming on my computer from Microsoft asking me to install this or that... I thought those things were trying to sell me things or take control of my computer or something like that. So I decided to get smart, and I handed the saleslady all of the computer stuff back, got my money and went to the Apple store and got a PowerBook. No problems whatsoever... these things don't get viruses or other bad things... and I feel I can trust the company as well. So thanks for letting me vent!

Thu, Oct 2, 2003 Anonymous Anonymous

Anonymous from southern cali says "anyone who leaves ports such as 135 open and is connected to the internet, deserves to be hit". Tell me something, how do I turn off port 135 from a Win2k server? The answer is, you can't. You can block it, but you must pay for some 3rd party firewall SW/HW. This is a good example of inherently bad design in Windows. I recently had a non-critical Win2k server compromised, because I trusted the auto-update feature to download and install any new updates that came out. The problem is, every stinking update from MS requires a reboot, and once AU downloads the current batch of updates, it won't get any more until that reboot is complete. A key decision from MS was to use a micro-kernel architecture in NT. Store everything in DLLs and separate them from the kernel. However, MS's implementation has been horrible, mainly due to the OS's DLL loading. I have since replaced the Win2k box with a Linux server, on which I have control over which ports are really open. Updates do not require reboots, therefore less downtime. Many services (if started from xinetd) do not even require a restart of the service. The only time I've rebooted the machine was for one kernel update. All of my Win servers have had to be rebooted multiple times to keep them secure. The OS obfuscation is the best form of security Windows provides. It is much easier to write exploit code for Linux, as it's a much simpler design, and is well known. There are currently 31 unpatched vulnerabilities in IE (which of course is part of the OS now). I don't know of any current vuln in any other OS that lets an attacker take complete control over your PC, simply by having you view a web page or email. -- Oh, but you don't open untrusted emails or visit shady web sites. No matter, I'll just poison your DNS server. It's another attack vector that can't be exploited on any other OS. How about every app that uses a progress bar executing your own shell code?
I work heavily with a corporation that just deployed a single Active Directory with 75 sub-domains, after implementation it came out that giving an admin Domain Administrator rights in one domain allowed that user to take over the entire forest, MS responded by saying "Well best practices suggest...." The list goes on and on. MS only fixes issues that are media-worthy, like remote exploits.

Thu, Oct 2, 2003 Anonymous Anonymous

Real security folks know the score and agree with Roberta. Grandstanding and demonizing Microsoft with half-baked theories is not helping anyone. The person who wrote the "Windows is bad" article had his employment terminated. Right there, that tells you that even his own people thought his article stunk. In my opinion, it also makes life a lot harder if you run a mixed shop too: difficult upgrade paths, incompatibility issues, integration issues, administration issues, and not the least, an inability to use a lot of "Windows only" security features like security templates etc.

Thu, Oct 2, 2003 Rick Japan

After reading this article I went and read the referenced article. It is actually well thought out and written. It is critical of MSFT no doubt, but it didn't take the approach that this Roberta person would have you believe. It is not a "We hate Microsoft" bantering paper. Now, on the other hand, her article is a "Microsoft's great and anyone who doesn't know that is a moron" bantering, vacuous piece of chicken scratch. I have always found it interesting when an "MCSE" thinks they are an authority because of the stupid acronym. I have plenty of acronyms in many different NOSs. Just because I went to some goofball class for a piece of parchment means diddly. What I rely upon is my over 10 years of experience working with many NOSs, and I have found that pretty much anything else beats MS hands down. The only thing MS wins at is they have the market share because they have the big marketing budget, and people, quite frankly, will buy a bridge if you make the commercial pretty enough.

Thu, Oct 2, 2003 Darren UK

I think in this article there is a person who is saying enough is enough. I think Roberta has taken quite a slating here; at least she is passionate about her profession, which is more than can be said for others (more on this later). Let's not forget, Roberta's company is independent, she doesn't have to use MS products. Plus, she is bound to be biased, she has her company to protect! There are scores of people just waiting for the next release from MS so they can tear it apart and reveal all of its flaws, which in itself is pretty stupid in my opinion. There are a lot of replies here that also mention 'Microsoft's monopoly'. Well, how did MS get to the top? Because people buy the software in the first place. It's simple: if you don't like the way Microsoft does business, don't buy the product. They're not putting a gun to your head and making you buy the latest O/S, are they? You might think that I'm a Microsoft fan; you're right, I am, but the laptop I'm writing this from also multi-boots with Linux amongst other things and guess what... it's damn well good, very good in fact. Enough to convert me to the Linux kernel? No, but it's good enough to stay on my HD and be used very regularly. Finally I'd like to point out there are many factors concerning network security. Ranging from the firewalls, routers and switches (and the OS/firmware they are running; why did that virus get through the firewall anyway?) down to the administrators who so-called 'administrate' their hardware. You wouldn't believe the number of admins I've seen install Windows-based servers and leave them running on a default install. I've witnessed very little fine tuning on any servers I've come across (including SQL, Exchange, DHCP, DNS, WINS, DCs etc.).
A lot of you guys are bitching over this, that and the other but, come Monday morning, how many of you will go into work and look at your servers and see, say, the Spooler service running on a DHCP, DNS or some other server that doesn't require printing, let alone fully patched and protected.

Thu, Oct 2, 2003 Ron Tampa

I totally agree with Roberta. Yes, this is a Windows magazine, just like you would find the same type of defense in any of the open source mags, so most of the negative comments here are irrelevant.
Since the original article omitted to state that there are just as many if not more security bulletins against other OSes than there are against Windows, this article was misleading and very inflammatory considering what is going on in today's society.

Most of the people who do not like Microsoft dislike it not because of the products but because of the man that is leading it. This type of attitude is very juvenile!

I am an MCSE and proud of it!!

Thu, Oct 2, 2003 Steve Cazadero

Microsoft is damned if it does and damned if it doesn't; envy rules.
In the early '90s the screamers were demanding "release it all now, for everybody, anytime and anywhere". No thought or concern, MUCH LESS knowledge, was given to security by this same type of user.
We can all be geniuses using hindsight; it's much easier to "bi... and bite" than it is to come up with solutions.
Get over it, go to work and do your job!

Thu, Oct 2, 2003 Anonymous Anonymous

There are other OSes out there, so why do people use MS? Could it be MS gives people what they want? Possible. We do not have to buy a MS product but people seem to like it. Go get them Roberta. If someone wants a better product then create it and make it a competitor to MS. Yeah, MS gets the viruses but who's on top of the heap? If and when MS gets knocked off then the next number 1 will have the same issues. Go figure.

Thu, Oct 2, 2003 Anonymous southern cali

anyone who leaves ports such as 135 open and is connected to the internet deserves to be hit. it's a wake up call... not an ms issue. i agree with the author, it's not an ms problem... the ccia report reflects the typical idea that linux is invincible, most commonly held by people who know nothing of it. security patches come out at least weekly for linux, so ms's patches don't look too bad. macs laugh at worms, yet most of them leave their systems unpatched. i laugh at worms, and at the inability of macs, not only being forced to use a proprietary os but also proprietary hardware. at least with a pc, you've got options. as for me? i haven't been hit by a worm or a virus in at least 8 years, and it's not that hard. when blaster hit, it was business as normal. kind of funny how people are the first to complain, yet the last to patch.

Thu, Oct 2, 2003 Mike New England

Roberta came across as shrill and biased, which seemed surprising to me given that all the columns I'd read by her seemed fairly level-headed. She claimed she wasn't opposed to anyone attacking Microsoft but it's clear to me that's exactly what got under her skin. Her claim "Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll still be at risk since those that would attack us will just do it by discovering and exploiting flaws in those products." is a common theme among MS supporters who insist Microsoft products are targeted because they're popular, not unpopular. The fact of the matter is that there's not much interest in writing malware or viruses for Linux and the Mac because those products aren't as hated as Microsoft, and it's due to the business practices and "Who, me?" attitude this company has displayed.

Her objections notwithstanding, something needs to be done about Microsoft's poor security. Labeling those who attempt to do so as a bunch of partisan anti-MS critics is no less partisan, especially if one makes a living supporting Microsoft products.

Thu, Oct 2, 2003 Elcio Favare Sao Paulo - Brazil

The last years of "the white war" of Windows and Linux sound like a children's trial to get the last donut. The guys from Microsoft and "The forces behind the wall" of Linux are looking at us and giving us the bullets to kill one another on this useless crusade.

Every product you get will have weak points, from tires and cars to spaceships, so why do some "less brained" ones believe that some products are much better than others?

I have worked with Microsoft, CA, HP/Compaq, IBM, and others' products for at least the last 10 years and I've seen some very rotten things from every player (and I also have heard the same stories from other IT players), but have you tried to look back and compare pretty nowadays products like cars and toothbrushes with those from the first decades of the 1900s?

Despite the number of people working in this industry, our arrogance, and the fact that we are living in the Information Age, massive computing is a new thing; outside of us IT Profs., did anyone know many regular people using a computer before 1993/95? The concepts are not yet absorbed by those who don't work with it. Try to explain to my boss that his 2.4GHz P4/512MB/40GB/15" small notebook is much faster than my big IBM Netfinity 5000, 5100 and 5500 old servers; you can also carry on a conversation to tell him that a computer made in 1999 is almost an elderly machine.

So let's stop trying to kill ourselves and let's work hard to make it better not just for us, but for humanity.

Thu, Oct 2, 2003 Bill Chicago

So many hostile close-minded people...

I run a secure network with Windows 9x, NT, 2000, and XP, Linux, 3 Unix flavors, and Macs. I've had far more problems with "real" crackers on my Linux than anything else.

Bottom line: stop crying about Microsoft. All computers attached to the internet are inherently vulnerable. It's the administrators of networks that are responsible for their safety. If you don't protect your networks/computers, why would you be surprised they get compromised?

I do however agree that average user patching on a new machine is a problem. Perhaps responsible resellers should pre-patch them before sale at no charge.

Thu, Oct 2, 2003 Ron Rosenkoetter Kansas

Roberta is no MS shill. She has written MANY excellent articles explaining security in a Windows environment with numerous step-by-step instructions on how to lock it down. She has pointed out Microsoft security holes AND HOW TO FIX THEM for quite some time now. I agree with the points she made in her article.

Thu, Oct 2, 2003 Ed NY

Good article. It could be better organized.
I think that MS and the MS community should be more proactive in showing that any OS has security flaws and that a heterogeneous environment is more susceptible to intrusion than a homogeneous one.

Thu, Oct 2, 2003 Elbert Abilene

Very good article. I've always said the most secure computer is an "off" computer and doing away with integration is moving in that direction. Less integration, less functionality, more complexity. It's a bit like comparing a new car to a 1955 Chevy. The new car is much more complex and not just any ol' shade tree mechanic can effectively work on it. Nothing wrong with the old Chevy, it does what an old Chevy should. If you want a modern ride with all the creature comforts you'll have to deal with the complexity; hire a mechanic!

Thu, Oct 2, 2003 Sysadmin PA

This article is something to be ashamed of, and as a journalist you are a disgrace. You neither addressed the points of the original paper, nor even demonstrated a basic understanding of them. OS wars aside, this sort of rhetoric disguised as analysis discredits both you and your publication. As an MCSE, I look to other sources for news and legitimate analysis.
Instead of yelling heretic at anyone who dares to challenge the worth of Microsoft platforms, we would all be well advised to analyse the claims made thoughtfully. It might lead the more intelligent amongst us to realize that Microsoft's operating systems do contain serious design flaws that cripple them from a security perspective. While a bank robber is to blame for a bank robbery, what does it say about the bank when the safe can't even be locked?
It's high time we all stopped accepting an inferior product from Microsoft, and either demanded improvements, or found acceptable alternatives.

Thu, Oct 2, 2003 Guy Iowa

It is SO important for Microsoft to try harder; their lack of attention to detail sometimes borders on the shocking. With that said, it IS possible to run Windows securely. I have placed Internet-connected machines running different variations of Windows too many times to count. The jabs, rhetoric, and reports with so-called "positive intentions" do no good. This is all about education and becoming more proactive programmers and users. (I'm beginning to look at it this way: We all have to get licensed to drive because a mishandled vehicle can cause major damage to public and private property. If some fool gets behind the wheel and forgets to stop at the red light, the resulting accident is not Chrysler's fault. Unless, of course, the brakes fail and then it's up to the judge and/or jury to decide if the brakes are inherently unsafe and then up to Chrysler to modify. Educate the users to operate proactively and how to patch their systems regularly and much of what are successful exploits today become "could've been" fodder for the back page.)

Thu, Oct 2, 2003 TC Miami

Wow, you seem to really have missed the key point of the report. Though, I guess I shouldn't expect anything but a defensive article in this kind of forum.

Thu, Oct 2, 2003 Jim Anonymous

Thanks Roberta, for a very good column exposing the anti-Microsoft rhetoric for what it is. You have jumped on Microsoft when they've done wrong, and you've defended Microsoft when they are not the problem. I've heard you speak a few times in person, and you are always interesting and right on the money. Your column sure brought out the warmongers, didn't it?

Thu, Oct 2, 2003 Anonymous Anonymous

Excellent answers to a stupid tilted article.

Thu, Oct 2, 2003 Ken Missoula MT

Another bashing from the anti-Microsoft folks. Big surprise. Why don't these so-called experts discuss the justice department's inability to prosecute virus writers? It's like blaming a bank because it got robbed. Get a clue.

Thu, Oct 2, 2003 Anonymous In your server.

GNU Project servers breached
By Matthew Broersma
ZDNet (UK)
The GNU Project, which develops many of the components in the Linux operating system, said this week that the system housing its primary download servers has been compromised by an attacker.

The project urged those who have downloaded software from the server since March to check that the source code has not been tampered with.

Linux, an open-source operating system that dominates the Web server market, uses the compiler, libraries and other software that was originally developed by the GNU Project. The project warned that the attacker may have inserted malicious code into its software, although it said all the code checked so far appeared to be intact.

In an alert issued Wednesday, computer security response organization CERT Coordination Center warned that the breach could prove to be a serious problem. "Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat," the warning stated.

The Free Software Foundation, the GNU Project's overseer, has issued lists of "hashes"--numbers generated by the source code of software known not to have been compromised--that can be used to verify downloaded code. The lists can be found here and here.

The attacker compromised the project's servers to the root level, gaining complete control over the system, according to the GNU Project. The attack was carried out using an exploit that was revealed on March 17, and for which a patch only became available a week later. During that week, the intruder compromised the system and installed a piece of malicious code known as a Trojan horse, according to evidence found on the machine.

The Trojan horse stayed in place until it was discovered in the last week of July, the project said. "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines," the project said in a statement on its Web site.

The group said it has spent the weeks since the compromise was discovered verifying the integrity of its software. "Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised," the statement said.

The project said it believes no source code was compromised. "The evidence includes the MO of the cracker, the fact that every file we've checked so far isn't compromised, and that searches for standard source Trojans turned up nothing," the group stated.
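The news item above describes the FSF publishing hash lists so downloaders can check that what they fetched from the compromised mirror matches the known-good sources. The script below is an added example of that check, not the GNU Project's or FSF's own tooling. It assumes the published list is in `sha256sum` text format (one `<hexdigest>  <path>` per line) and uses SHA-256; the file names and contents in `demo()` are constructed for the walkthrough. Besides flagging altered and missing files, it also reports files on disk that the list never mentioned, since a planted file is as much a sign of tampering as a modified one.

```python
"""Verify a download tree against a published hash list.

Added example, not the GNU Project's or the FSF's own tooling. Assumptions:
the published list is in `sha256sum` text format ("<hexdigest>  <path>" per
line) and uses SHA-256; file names below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse sha256sum-style lines into {relative_path: hexdigest}.

    Blank lines and '#' comments are skipped. A malformed line raises, so a
    truncated or corrupted list is never silently treated as 'nothing to check'.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash list line {lineno}: {raw!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' when it hashed in binary mode.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_tree(root: Path, hash_list_text: str) -> dict:
    """Return a status per file: 'ok', 'MISMATCH' or 'MISSING' for every listed
    file, and 'UNLISTED' for files present on disk that the list never named."""
    expected = parse_hash_list(hash_list_text)
    results = {}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "MISSING"
        elif sha256_of_file(p) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "MISMATCH"
    for p in root.rglob("*"):
        if p.is_file():
            results.setdefault(p.relative_to(root).as_posix(), "UNLISTED")
    return results


def demo() -> dict:
    """Constructed scenario: publish a list from clean copies, then simulate an
    intruder who alters one archive, deletes another and plants an extra file."""
    root = Path(tempfile.mkdtemp(prefix="mirror-"))
    clean = {  # constructed sample archives, not real GNU releases
        "alpha-1.0.tar.gz": b"constructed tarball bytes for alpha\n",
        "beta-2.0.tar.gz": b"constructed tarball bytes for beta\n",
        "gamma-3.0.tar.gz": b"constructed tarball bytes for gamma\n",
        "delta-4.0.tar.gz": b"constructed tarball bytes for delta\n",
    }
    for name, data in clean.items():
        (root / name).write_bytes(data)
    # The publisher's list, generated from the known-good copies: the role the
    # FSF hash lists in the story play for downloaders.
    hash_list = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in clean.items()
    )
    (root / "beta-2.0.tar.gz").write_bytes(clean["beta-2.0.tar.gz"] + b"# injected\n")
    (root / "gamma-3.0.tar.gz").unlink()
    (root / "README.NEW").write_bytes(b"not in the published list\n")
    return verify_tree(root, hash_list)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The hash list only helps if it is fetched from somewhere the intruder could not also edit, and a digest comparison detects modification after publication but says nothing about whether the published source was clean to begin with, which is why the project's statement also describes scanning for known source Trojans.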

Thu, Oct 2, 2003 Brian Houston

Roberta,

You stated:

"Another said they plugged in a Windows computer and it was compromised before it could be updated. Was the computer around when the patch was issued? If so, why wasn't it patched? Even the latest worm was preceded by three weeks in which the patch was available. Was it a new computer? I have to wonder about a security expert who waits three weeks to patch his computer or plugs in a brand new computer to the Internet before patching it or protecting it with a firewall. An ordinary citizen might do that, and that is a real problem.
And that's the problem you need to be talking about."

I downloaded and read the article myself the moment I heard Dan Geer was fired over it. While I did not receive an invitation to the conference call you speak of, I can understand some frustration you might have had with how the information was presented. In specific regard to the statement you made above, this issue *IS* very clearly and specifically addressed in the document. In fact they are rather clear that the majority of the problem with the abundance of Microsoft is not so much a server-side and corporate-side issue. They express concerns at the rapid growth of MS operating systems in the hands of the masses where they aren't being regularly patched and fear that the abundance of this environment makes it exponentially easier for attackers to take advantage of the situation. Essentially the problem they are describing has to do with out-of-the-box typical use implementations at the house where most systems are not kept regularly maintained (especially pre-Win2K).

My personal point of view after having read the article was that it was a bunch of hogwash. This paper would have hit home and been very hard to defend a couple of years ago, but Microsoft is making strident efforts in making itself more secure and much of what MS has done towards this is blatantly ignored in the report. Nonetheless, I think when coming out vehemently against a controversial report like this, effort should be taken to read what they have to say and not attack them for not discussing something they actually did... just my 2 cents.

T. Brian Granier
GCIA, GCFW, CCSE, CHP, MCSE (NT4&W2K), MCP+I, N+, A

Thu, Oct 2, 2003 Anonymous Anonymous

have you checked your Linux source code today? Got ROOT?

Thu, Oct 2, 2003 Anonymous Anonymous

Bunch of Penguin Huggers come out of the woods to defend their comrades. Nice.
Oh, BTW, did you hear about the Linux source code server being compromised? Hmmm.

Thu, Oct 2, 2003 Anonymous Anonymous

Linux losers don't get Roberta's point. The title of the article was completely deceptive. BTW, the author of the original article GOT CANNED for being a dumbass. If you want to see something really scary, look at Linux's daily list of security flaws which provide root access. It is at LWN dot net slash Alerts. Alerts must have a capital "A" to get to the list. I would not put Linux on a production server for any amount of money. You want to screw up your network with Linux insecurity, go right ahead. You'll get rooted by the lamest of noobs.

Thu, Oct 2, 2003 anonymous Los Angeles

Most of the responses are the same old Microsoft-bashing. Particularly egregious is that of Valdis Kletnieks, who doesn't acknowledge that XP comes with a half-firewall that would certainly keep stuff out until the user got the box updated, and W2K has an option to directly control which ports are open.

Thu, Oct 2, 2003 Anonymous Anonymous

This article is poorly written and seems to be poorly thought out. The author neither demonstrates an understanding of, nor addresses, the arguments made in the report she is criticizing. It feels as if Mrs. Bragg thought the report was meant as a volley in the OS religious wars, this column being a counter-strike. I was disappointed by the link that was followed. I thought it would be a much more insightful critique.

Wed, Oct 1, 2003 aj Anonymous

I could rant endlessly about your bias in bashing the report, the same as you rant about the bias in the report bashing MS. You really overlooked a LOT of material and assumed a LOT of other things.
I.e., Auto Update only covers the OS. Office? SQL? No way. Many admins thought that the update kept their SQL patched. Sapphire (Slammer) taught them otherwise. Firewalls? What, worms have never jumped through NAT, or come in on a laptop that was on an infected cable modem segment the weekend before? Your points are pretty weak and have little bearing on the reality that admins face and that exists on the internet, sorry.

Wed, Oct 1, 2003 Anonymous Anonymous

"Another said they plugged in a Windows computer and it was compromised before it could be updated. Was the computer around when the patch was issued? If so, why wasn't it patched?"

Uhh, assuming you only have one computer, how do you propose patching it (using your beloved Windows Update, no?) without connecting to the net? From where do you get a firewall? Telepathy?

Wed, Oct 1, 2003 Anonymous Anonymous

Just going in circles here. I feel she missed the point, and did exactly what she accuses Dan and them of. (Just blowing a whole lot of PR rubbish to defend your product allegiance.)

Wed, Oct 1, 2003 David McKenzie Chicago

While the funding of the CCIA is definitely not Microsoft favorable, the integrity of none of this paper's authors is questionable. Ms. Bragg's evidently is questionable. Her selective memory as to NT 4 'security recommendations' omits the first requirement for C2 classification... Remove the network interface. So little has really changed. I followed a link here, but I won't be back, nor will I pay much attention to the referrer.

Wed, Oct 1, 2003 Gregory California

This article makes a few good points. Unfortunately it is written in such a disorganized freewheeling manner, almost stream-of-consciousness, that those points are difficult to discern. Yes, expert authors should make their biases apparent to their readership. Yes, business is about making money. Yes, the legality of questionable business practices is a point of law. No, this was not the best article ever written. Regardless of Ms. Bragg's and this publication's opinions, the real fault lies with the editor who failed to send this back for a rewrite.

Wed, Oct 1, 2003 Sandy Scotland

Nothing is inherently secure to be sure, but poor design choices are inherent in MS products and that makes them more difficult to secure. S from CA should re-read my comment, much as Roberta should re-read the report without blinkers.

Wed, Oct 1, 2003 S CA

"Roberta needs to acknowledge that Microsoft products are insecure because of poor design choices that are not inherent in other operating systems. "

If they are so secure... how come my inbox gets just as many vuln notices from the 'Nix distros as Windows? Nothing is "inherently secure". It's HOW WE SET THEM UP and monitor them that makes them secure.

Wed, Oct 1, 2003 Anonymous Anonymous

I have not much to add to the comments above; yeah, she missed the point. And yeah, there is nothing (new) in it that brings us any further. And there is this line (7): "Some of them were previous Mac users. Why did they switch? Because Windows is easier to use, and easier to update and protect." Hehe, yeah sure ;-).

Wed, Oct 1, 2003 Sandy Scotland

A very defensive article which does nothing to rebut the report's claims. Roberta puzzles me in her statement that she can use another word processor on Windows but can't use Office on Linux. Why is this relevant? Claiming that people switch from Mac to Windows because "Windows is easier to use, and easier to update and protect" is almost ridiculous. Roberta needs to acknowledge that Microsoft products are insecure because of poor design choices that are not inherent in other operating systems.

Wed, Oct 1, 2003 Valdis Kletnieks Anonymous

Roberta complains she has trouble with security experts who don't patch their machines on time. However, she totally misses the point: if you're Joe Consumer and buy a new machine at Office Depot and hook it up, it *isn't* patched. And there is a high risk that the machine WILL be 0wned by somebody before the patches finish downloading from windowsupdate. You have to do a lot of tedious and complicated hardening of the machine before it's safe to download the patches.

In the automotive industry, this would be the equivalent: When you buy a new car, you would have to have it towed, at your expense, to a mechanic who would change the oil, in order to make it safe for you to put gasoline in and start it up.

We don't accept cars designed that way, and we shouldn't accept computers that are that vulnerable either.

Wed, Oct 1, 2003 JT Anonymous

I also agree with the report written by Dan and the others. One person already lost their job by honestly looking at the issue. I suspect Roberta is playing it safe. After all, her article appears in Microsoft Certified Professional Magazine. Nuff said!

Wed, Oct 1, 2003 Paul Indiana

This is a forum for MS shills. Why is anyone surprised when an MS shill defends MS, despite the preponderance of evidence that MS is indefensible?

Wed, Oct 1, 2003 Jason Coombs Anonymous

Roberta has been so badly compromised by her own bias that she isn't aware that she completely missed the point of the report. The Microsoft monopoly is causing severe harm, and its potential for new specific harm increases (force multiplication) as the monopoly grows. A necessary step in the process of information security is selecting software that is designed with open, provable security features -- until Microsoft changes its abusive, monopolistic behaviors (which come from the top of the company) it will never build a trustworthy product. Roberta chooses to trust Microsoft because she is underinformed. Perhaps she has smelled the truth and opted for a financially-comfortable condition of denial where she can help further Microsoft's cause while looking the other way when Microsoft commits terrible offenses. This way the stink doesn't create a denial of service condition for her personal bank account balance.

Wed, Oct 1, 2003 Tom New Jersey

I credit & agree with everything Dan and the other authors put into that report. They should not be bashed for expressing their opinions about a company which is trying to control, well, everything.

"No Microsoft products were used for typing this response"

Wed, Oct 1, 2003 Anonymous Anonymous

The same old thing. You don't bring anything to the table, no new ideas, nothing.

Wed, Oct 1, 2003 Mark Denver

Pretty much what I expected to hear from someone who makes their living working with MS products. The CCIA report did come off harsh against MS, but also provided strong scientific arguments as to why they did so. The arguments Roberta makes here against the report would be expected had the report been a "Linux rocks, M$ Sucks" type of thing. Unfortunately this wasn't the case. We should be glad that there are people who are willing to risk (and lose) their jobs by coming out and standing up for what they believe in.

Wed, Oct 1, 2003 Surreal Arizona

The first 1/2 was pointless: "I thought it was about *this* but it was really about *that*." and "My ISP is stupid, why didn't you blame them?".
That's followed by (intentionally?) misunderstanding the recommendation to diversify, claiming that they said "Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll still be at risk". I haven't read her work before, but from this one exposure I'd think she wants to be the Rush Limbaugh of the computer press.
To me, the article raised many valid points in a non-inflammatory way and included suggestions for improvement, including documenting secret lock-in APIs and releasing software for alternative platforms. Maybe if I had MCSE after my name it would have driven me to blind rage too. My creds are merely 20 years industry experience, 10 years in security and the little-known OPSA acronym.
I would have rated "good" if everything above "Here are my general responses..." had been edited out as pointless huffing and puffing. Note, *I'm* not paid "by the word" so I can afford that luxury.

Wed, Oct 1, 2003 oliver cali

A little whiny in places but a fair article.
