
Security - Not our Responsibility?

I was just reading an article where Steve Ballmer is quoted as saying hackers are getting more sophisticated. (Duh!) He also stated that he didn't believe that the OS is the sole resting point of system security.

Anyway - that got me thinking.

Is it the responsibility of the OS to protect the system against hackers, or is it partially the owner's responsibility too?

I mean this - if mom hooks up her 4 year old windows system to the internet with no firewall and no antivirus and antispamware - whose fault is it when she gets blasted and turned into a Zombie? Don't we as users share some culpability in the protection method for our computers?

It's kind of like if I purchase a house, but leave all the doors and windows open and then go on vacation. And then I complain bitterly that my house was robbed when I get back. Sure, the theft was a crime, but I am inviting the theft by leaving everything open. Reality.

How about this - Microsoft releases a new product OS called Windows XP Clam Edition... And it's basically a crippled version of windows XP in the way it talks to the internet. All systems that listen outside of the computer (Except web browsing and email) are disabled. All advanced features that are security risks to the unknowing or clueless are removed. It's basically an OS that allows for computing with one computer and that's it. No advanced file sharing, no advanced internet capabilities, and it's purposefully disabled that way. It's also designed to only allow certain amounts of traffic at a time. So if you send 5 emails in 1 second - it shuts down email for 20 minutes. It allows only 5 emails per 10 minutes. Attachments can't be opened unless they are a picture format. No .exe, .cpl or .pif's.

If people WANT the extra features of windows, they can purchase a standard home edition or pro or whatever - but most price point noobs will get the cheap version and by default install themselves out of the zombie/virus race.

If Linux were installed on 90% of the computers out there - it would be one mass of security breaches as well. I mean - we're talking maximum result for minimum effort here. Why target anything but what everyone installs. Just look at Firefox - now that people have flocked to it - it's getting security alerts and hacks as well.
 
read that coverage as well (Microsoft claims to be the end all of security knowledge :p )

the user always shares some culpability
education is the real key, Steve has a point (distorted as it was and more so as reported)
anything that can be coded can eventually be cracked

this is not to say that Microsoft was far more concerned with features and default connectivity than security for the vast majority of its history, or that even now they are clutching at inherently insecure technologies they own (a little searching would reveal a few ActiveX rants of mine)

But the main problem they currently have is IE (ActiveX et al)
well that and the fact that before a network install of the appropriate patches for a fresh install can be completed
either MSBlaster or Sasser are likely to pick off a n00b

a repost but what the hell...:p


Microsoft's internet browser gets caught in its own web

Here's an interesting question: why is Microsoft's Internet Explorer (IE) so bad? Not only is it outdated and tired compared with the competition, it is also exceedingly vulnerable to attack.

sinister intermission


The other explanation is more interesting. It is that Microsoft is trapped. It dare not upgrade its browser and make it more sophisticated in case doing so undermines its Windows and Office monopolies.
 
Is it your house's job to protect itself?

Is it your car's job to protect itself?


Sure there are some features you can install to protect your car such as a Car Alarm and you can put ADT in your house. But that usually isn't enough. The owner is or should be always on top of what he does or what he doesn't do to make sure that it's not a security threat, such as not parking your car in a dark alley or building your home in East Harlem or a town like that. Same thing with an OS, it comes with security features that you can enable but you usually must do more to keep it secured such as install Spybot, AntiVirus, and a software firewall.
 
The operating system has a responsibility to try and protect the user, but most users don't know how to be protected. Most of the major attacks, Blaster, etc, Microsoft had the patch out for months! That's why XPSP2 is such a pain about turning on Automatic Updates.

Microsoft has audited all the code, and constantly is reauditing the code. (My code gets audited every time I build, and I have coded buffer overruns by accident. (2) And I just build Test Code that never gets shipped to the customer!)

Note, IE isn't perfect but it has gotten better, notice the posting that IE was the only browser to not crash on malformed HTML:
http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0

Note, I work at Microsoft, and none of these views are of my employer.
 
ComputerBox34 said:
Is it your house's job to protect itself?

Is it your car's job to protect itself?
Neither should be made of shoddy materials.
A cardboard house doesn't cut it.
A car that has a 90% chance of blowing up doesn't cut it either.

That said...

I believe that it is the owner's responsibility to maintain a level of security on his computer, assuming he has the tools to work with. Reckless and negligent use is not Microsoft's responsibility. Microsoft is no more responsible for computer use habits than Buick is for how you drive. However, Microsoft has chosen to not provide those tools needed to maintain the operating system's security because of a larger issue...

Microsoft's problem exists almost entirely because those in charge just couldn't stick with simply making an operating system, so the integration of a browser and other crap has led to the mess that they are in. The responsible thing for them to do at this point is to issue service packs that allow for the removal of those crippled programs from the operating systems that those integrated programs endanger, rather than continue beating the dead horses that they are. Then, resources could be more wisely spent refining the operating system itself, and everyone would have the tools they need to rid Microsoft operating systems of antiquated, unwanted, or dangerous integrated programs.

Firefox's growing success may be a glimpse into a future where opensource is the rule, rather than the exception....and deservedly so.
 
ComputerBox34 said:
Is it your house's job to protect itself?
Is it your car's job to protect itself?

Is it your car manufacturer's job to make it hard to start, or even get entrance to, your car without the keys?
Is it the job of whoever built your house to make sure the locks work as intended, and hard to bypass?

If you bought a house where your front door was hinged on the outside with visible screws, it wouldn't be your fault that anyone with a screwdriver could break in, but it would be stupid not to fix as soon as possible after noticing/being told.
 
Ice Czar said:
I would say Microsoft has made considerable headway recently
and that I was quite impressed with their
The Antivirus Defense-in-Depth Guide
unfortunately not something they require a user to read before activation :p

Howdy Ranma_Sao ;)
Had a feeling I'd reply huh?

Usually I don't participate in something that could escalate into a flame war, but when someone spends over a year helping audit and try and figure out how someone could abuse setup, it starts to become personal. ;) And believe me, I have filed some doozies of security bugs that fortunately you guys will never find out about, since they were fixed before XPSP2 went out the door.
 
Ranma_Sao said:
Had a feeling I'd reply huh?

Usually I don't participate in something that could escalate into a flame war, but when someone spends over a year helping audit and try and figure out how someone could abuse setup, it starts to become personal. ;) And believe me, I have filed some doozies of security bugs that fortunately you guys will never find out about, since they were fixed before XPSP2 went out the door.
I believe that you guys have done an excellent job of fixing the fixable. Some things aren't worth fixing, however.

While we are on cars...
Ford Pintos aren't worth fixing anymore.
 
Ranma_Sao said:
Had a feeling I'd reply huh?
.

LOL, yes
actually that was a suggestion, feel free to pass it on to Bill and Steve
you need to correctly answer five out of seven security questions before you're allowed to activate :p

when I build boxes for friends and relatives I ship 'em with a
10 Immutable Laws of Security Screensaver ;)

still doesn't stop 'em from bitching and moaning about the password policy I set :p
 
Neither should be made of shoddy materials.
A cardboard house doesn't cut it.
A car that has a 90% chance of blowing up doesn't cut it either.
The materials that Windows is made of are not shoddy. Since 2k, the core of the operating system has been top-notch as far as effectiveness and securability. The problem is in the implementation and maintenance.

A house or car or garage door opener that is made of the finest materials on the planet will break down if not maintained, and will be broken into, stolen, or vandalized if not secured. In fact, the finer the quality of other things we use, the more maintenance or security attention we normally put into them. It's really bass-ackwards how little attention gets put into our security in operating systems by end-users.

Fifteen years ago, this wasn't as big an issue—the "internet" was small, difficult to navigate, and a computer was not nearly as much a part of the average household as it is today. Even then, however, security was an issue, viruses did damage, and data integrity was something that carried a price tag. In the late 80's and early 90's, UNIX machines were the most targeted by hacking attempts and viruses. It's ironic how today *nix is hailed as somehow more intrinsically safe, when history shows that it's had its own period of insecurity.

What the typical end-user of today doesn't often realize is that once a computer connects to the internet, the same caution should be used navigating the web as one takes when entering a city in their car. More often than not, almost everyone else out there is not trying to be malicious to you in particular, but if you aren't careful anything from an annoying fender-bender (stupid minor spyware/adware) to a traumatic car-jacking (full-blown trojan hijack) could occur. With the increased availability to information out there comes the increased vulnerability to identity theft. There's not a software package in the world that can save a user from their own gullibility, and cutting off interface capabilities as a countermeasure is not really an answer—it's just another method of applying the "security through obscurity" slippery slope.

However, Microsoft has chosen to not provide those tools needed to maintain the operating system's security because of a larger issue...
I challenge you to give some examples of what is missing, and then an example of another OS that provides what you claim is missing.

Firefox's growing success may be a glimpse into a future where opensource is the rule, rather than the exception....and deservedly so.
Growing success where? Do you have market data, or are you just going by CERT—a group that only geeks pay attention to—recommending an alternative to IE? Because despite what CERT or any other security agency has recommended, IE is still the industry standard and most used browser by a huge margin. Firefox has achieved a stronger niche, but it's still a niche.

Speaking of browsers, though, it is worth noting that IE is the weakest link of the Microsoft products (after FrontPage, of course). The most disappointing thing about IE is the statement from MS that there will be no new version of IE for XP/2k, only updates to the current browser. While this might open up easier development for the browser for Longhorn, it ruins the cycle of backwards-compatibility that MS has kept going for quite some time. Personally, it's pretty much pushed me over the edge to switch back to Moz: which, by the way, has a much better chance of becoming "mainstream" than Firefox because FF is simply a stripped-down and plugin-less version of Moz to begin with. Basically, it's looking more and more like Microsoft is poised to come full circle in the Browser Wars™ of the 1990's.

But when it comes down to it, do either the users or the developers have full culpability? The answer is yes. Both the users and developers have full culpability. It's the responsibility of the producers of software to provide usability, stability, and security. It is the responsibility of the users to make sure that maintenance is done and that the security capabilities provided is applied properly. Otherwise, both sides lose.

Open source is not the answer, no more than closed source.

No software product is the answer, no browser, office suite, or operating system.

Geeks with an inflated sense of superiority are definitely not the answer (and are, in some ways, part of the problem).

There is no one answer.

Developers, don't rely on technical writers to pass along the means to use the software—keep the KISS method and UI ergonomics in mind when writing, and learn writing safely as a habit.

Technicians, don't rely on your certifications or your past experience to solve problems—learn how to intuitively troubleshoot and how to practically apply explanations of solutions to the customer or manager/decision-maker.

Users, don't rely on it working six months ago to be the reason it works six months from now—updates and patches are released for a reason, on just about all software products.

Education and information accessibility are the key. And by "information accessibility" I don't mean open-source: 99% of the users out there don't give a shit about the source code. I mean that more accessibility to the security and stability features need to be out there. XP SP2 made huge leaps in terms of this, and the latest builds of the most popular (or, rather, user-friendly) Linux distros don't do a bad job either. Apple's implementation isn't half bad at all, too. Now more stress has to be put on getting people to take notice of them. Let people know why they're there, and how to use them without having to call an expensive tech to configure everything for them.

It's not difficult, but it does mean getting out of 20-year-old habits for dealing with computer and networking technology. This applies to every level.

*note: mosin, this wasn't a direct attack on you, but the ideas you expressed were common fallacies in addressing security in technology from both a developer's and an end-user's perspective*
 
GreNME said:
The materials that Windows is made of are not shoddy. Since 2k, the core of the operating system has been top-notch as far as effectiveness and securability. The problem is in the implementation and maintenance.

A house or car or garage door opener that is made of the finest materials on the planet will break down if not maintained, and will be broken into, stolen, or vandalized if not secured. In fact, the finer the quality of other things we use, the more maintenance or security attention we normally put into them. It's really bass-ackwards how little attention gets put into our security in operating systems by end-users.

Fifteen years ago, this wasn't as big an issue—the "internet" was small, difficult to navigate, and a computer was not nearly as much a part of the average household as it is today. Even then, however, security was an issue, viruses did damage, and data integrity was something that carried a price tag. In the late 80's and early 90's, UNIX machines were the most targeted by hacking attempts and viruses. It's ironic how today *nix is hailed as somehow more intrinsically safe, when history shows that it's had its own period of insecurity.

What the typical end-user of today doesn't often realize is that once a computer connects to the internet, the same caution should be used navigating the web as one takes when entering a city in their car. More often than not, almost everyone else out there is not trying to be malicious to you in particular, but if you aren't careful anything from an annoying fender-bender (stupid minor spyware/adware) to a traumatic car-jacking (full-blown trojan hijack) could occur. With the increased availability to information out there comes the increased vulnerability to identity theft. There's not a software package in the world that can save a user from their own gullibility, and cutting off interface capabilities as a countermeasure is not really an answer—it's just another method of applying the "security through obscurity" slippery slope.


I challenge you to give some examples of what is missing, and then an example of another OS that provides what you claim is missing.


Growing success where? Do you have market data, or are you just going by CERT—a group that only geeks pay attention to—recommending an alternative to IE? Because despite what CERT or any other security agency has recommended, IE is still the industry standard and most used browser by a huge margin. Firefox has achieved a stronger niche, but it's still a niche.

Speaking of browsers, though, it is worth noting that IE is the weakest link of the Microsoft products (after FrontPage, of course). The most disappointing thing about IE is the statement from MS that there will be no new version of IE for XP/2k, only updates to the current browser. While this might open up easier development for the browser for Longhorn, it ruins the cycle of backwards-compatibility that MS has kept going for quite some time. Personally, it's pretty much pushed me over the edge to switch back to Moz: which, by the way, has a much better chance of becoming "mainstream" than Firefox because FF is simply a stripped-down and plugin-less version of Moz to begin with. Basically, it's looking more and more like Microsoft is poised to come full circle in the Browser Wars™ of the 1990's.

But when it comes down to it, do either the users or the developers have full culpability? The answer is yes. Both the users and developers have full culpability. It's the responsibility of the producers of software to provide usability, stability, and security. It is the responsibility of the users to make sure that maintenance is done and that the security capabilities provided is applied properly. Otherwise, both sides lose.

Open source is not the answer, no more than closed source.

No software product is the answer, no browser, office suite, or operating system.

Geeks with an inflated sense of superiority are definitely not the answer (and are, in some ways, part of the problem).

There is no one answer.

Developers, don't rely on technical writers to pass along the means to use the software—keep the KISS method and UI ergonomics in mind when writing, and learn writing safely as a habit.

Technicians, don't rely on your certifications or your past experience to solve problems—learn how to intuitively troubleshoot and how to practically apply explanations of solutions to the customer or manager/decision-maker.

Users, don't rely on it working six months ago to be the reason it works six months from now—updates and patches are released for a reason, on just about all software products.

Education and information accessibility are the key. And by "information accessibility" I don't mean open-source: 99% of the users out there don't give a shit about the source code. I mean that more accessibility to the security and stability features need to be out there. XP SP2 made huge leaps in terms of this, and the latest builds of the most popular (or, rather, user-friendly) Linux distros don't do a bad job either. Apple's implementation isn't half bad at all, too. Now more stress has to be put on getting people to take notice of them. Let people know why they're there, and how to use them without having to call an expensive tech to configure everything for them.

It's not difficult, but it does mean getting out of 20-year-old habits for dealing with computer and networking technology. This applies to every level.

*note: mosin, this wasn't a direct attack on you, but the ideas you expressed were common fallacies in addressing security in technology from both a developer's and an end-user's perspective*

Agreed
 
GreNME said:
What the typical end-user of today doesn't often realize is that once a computer connects to the internet, the same caution should be used navigating the web as one takes when entering a city in their car.

entering Fallujah in their car :p

but I do agree with mosin regarding the inherent advantages of compartmentalization vs the advantages of root integration
largely the same principle you employ daily in securing an install ehh? :p

problem is that user ability to employ the tools supplied to do that is lacking and as said

education
 
Originally Posted by GreNME
What the typical end-user of today doesn't often realize is that once a computer connects to the internet, the same caution should be used navigating the web as one takes when entering a city in their car.

entering Fallujah in their car :p
Actually, I was thinking more like entering Manhattan. The web isn't that bad, you just need to know what "streets" to stay away from. ;)

but I do agree with mosin regarding the inherent advantages of compartmentalization vs the advantages of root integration
largely the same principle you employ daily in securing an install ehh? :p
Daily? Not even close. Can you give me an example of compartmentalization vs root integration? As far as I know, most major OSes aim for both for security, stability, and usability reasons. I need an example to see exactly what you're pointing out.

problem is that user ability to employ the tools supplied to do that is lacking and as said
There's no ability about it. It's all about education and access to information. It doesn't take a genius in both the NT and *nix OSes to sufficiently safeguard a standalone, and training to do it in a wider network. Regular users do not need to be sysadmins.
 
Part of the problem is the disconnect between people's expectations of everyday life and what realities they face in terms of computers. When you get into a car you expect it to be reasonably safe so long as you follow the prescribed guidelines that the government mandates. There is also an expectation that many things will have already been accomplished by the manufacturer of the vehicle. Not many people buy a car and feel they should be expected to install the seatbelts, airbag, etc on their own. With computers, and more specifically the OS, that has been the case. People have had to disable the insecure bits and the burden of AV, firewalls, et al have been placed on the owner/operator. At least we've gotten to the point where MS has acknowledged the fact that it's their product and that there is an expectation of reasonable function as well as security when it comes home from the store. Jane and Joe consumer expect it with anything they buy at the mall. Why should a computer or its OS be any different?
 
GreNME said:
The materials that Windows is made of are not shoddy.
Sorry, I never meant to imply that they are. Perhaps a better analogy would be a car with no jack.


GreNME said:
I challenge you to give some examples of what is missing, and then an example of another OS that provides what you claim is missing.
Other operating systems don't have programs integrated into them that aren't needed, at least to the extent that Microsoft does. What's missing is an easy way to get those embedded programs out of the operating system.


GreNME said:
Firefox has achieved a stronger niche, but it's still a niche.
It is quickly becoming mainstream everywhere that I go. I see companies and individuals switching every day. There is a browser war, and Firefox will win it. You'll see.

GreNME said:
Speaking of browsers, though, it is worth noting that IE is the weakest link of the Microsoft products (after FrontPage, of course). The most disappointing thing about IE is the statement from MS that there will be no new version of IE for XP/2k, only updates to the current browser. While this might open up easier development for the browser for Longhorn, it ruins the cycle of backwards-compatibility that MS has kept going for quite some time. Personally, it's pretty much pushed me over the edge to switch back to Moz: which, by the way, has a much better chance of becoming "mainstream" than Firefox because FF is simply a stripped-down and plugin-less version of Moz to begin with. Basically, it's looking more and more like Microsoft is poised to come full circle in the Browser Wars™ of the 1990's.
Well, almost. Look at Firefox as Mozilla with extensions that let the user load it up as much as he wants. I look for the current Mozilla to stop being developed, like IE. Time will tell, however.
 
GreNME said:
Daily? Not even close. Can you give me an example of compartmentalization vs root integration? As far as I know, most major OSes aim for both for security, stability, and usability reasons. I need an example to see exactly what you're pointing out.
.

broad examples
ntfs permissions vs web content in the explorer shell
compartmentalization vs root integration

more specific compartmentalization
disabling HTML in e-mail
disabling ActiveX
disabling or limiting WHS\VB\Java\Java Scripts
remove insecure subsystems (OS/2 and POSIX)
protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor

basically locking down what isn't used (or regularly used) and forestalling ease of navigation and tool use or trip-wiring the OS in the event of being compromised

greatly dependent on the role of the box of course

(notice I didn't say disable unnecessary services? :p )

gpedit\permissions is all about compartmentalization as are most security measures
malware automated tools bog down and real brains have to work for it
if the vector is missing, and enabling it is a tripwire....

(of course there are still rootkits, but say telnet is a vector, traffic could then tip the hand detected outside the box)

an app like firefox that doesn't integrate to the shell at nearly the same level makes sense when viewed in that light
even if it's exploited, its potential for damage is inherently limited

PS my latest toy > http://www.knoppix-std.org/tools.html
is going to keep me busy for quite awhile :p
 
I don't understand. If the box is compromised, how do you expect limited tools to matter? I can write xcopy in about 5 minutes, I'm sure a hacker can. (Misc trivia, it was one of my interview questions...)

All the other things are just as easy to circumvent if you have an exploited box, however you can do all of those things with the registry and global policy.

Ice Czar, I'm not trying to argue with you, but I don't understand how limiting these files limits hacking potential?

(Note, XP doesn't have either the posix or OS/2 layer in it.)

mosin:
You and I have had this debate before, but what you want is not what most people want. Most people buy a box and want it to browse the web, without having to go through extravagant methods to get a web browser. (Look at linux, I believe it comes with three or four now... ;) )
 
here's the problem

1. protecting your house or car is EASY...(did I lock the doors? did I park in a bad area?)
2. stealing your car or stuff out of your house is HARD, and carries with it hefty punishments for the perp if caught
3. protecting your puter is HARD esp for moms and other people not like us geeks who like to learn and mess around with everything.
4. stealing from, or hacking, or compromising a computer is EASY and there are little to no repercussions for the person who does it

is it the OS's developers job to make software secure? No more than it's the car manufacturer's job to put an alarm system on your car, or even door locks for that matter...but who would buy a car with no door locks? Who would buy an OS with little to no security? Oh wait, unless you're a tech you don't even KNOW if the OS is secure or not..it's not like it's got big old padlocks hanging off it...Not to mention, there are only a few OS choices...and if you're a noob, there's only one choice, you get whatever version of Windows M$ wants on your puter when you buy it...

just some food for thought

my suggestions
1. make software more secure out of the box
2. allow people more choices when buying a new puter (Dell the most popular n00b store, has only Intels, and Windows) not a lot of choice there
3. educate people about the 4 biggest lines of defense...Anti-Virus, Firewalls, and Spybot tools, OS updates and patches
4. find and punish those who damage people's computers, write trojans, etc
 
Ranma_Sao said:
I don't understand. If the box is compromised, how do you expect limited tools to matter? I can write xcopy in about 5 minutes, I'm sure a hacker can. (Misc trivia, it was one of my interview questions...)

All the other things are just as easy to circumvent if you have an exploited box, however you can do all of those things with the registry and global policy.

Ice Czar, I'm not trying to argue with you, but I don't understand how limiting these files limits hacking potential?

well let's say we are talking about an automated tool (a worm) as the original infection vector
since we are being hypothetical we will say it's an unpatched zero-day exploit
so the infection has occurred, however this worm calls on net.exe to stop and start services and ftp.exe to propagate, or it might use runonce.exe as part of its infection procedure but they aren't there and it didn't bring a copy of its own so it bogs down. (of course these days we got superworms with multiple vectors, or at least the successful ones but runonce is a pretty common component nevertheless for a lot of 'em, and certainly for spyware)

and as far as a hacker goes, well make 'em work for it, I like M11's example of how he uncovered a rootkit
Ice Czar said:
if you are ever the victim of a real brain behind the malware, it's damn near impossible to detect a rootkit without matching up traffic patterns to activity
(read snort etc)
most anything signature based or heuristic that would tip the hand is removed (if it was the original vector)
something to give us all pause

M11 said:
No kidding. I nearly lost my job over a rootkit. Heres the story:

I basically assume sysadminship at a technology consulting firm, and one of my first tasks was to renovate the stale and deprecated network of the company's #3 client. Well, I can't wipe the server and go from 2000>2003 yet, so I find myself getting the PCs on XP, redoing group policy, etc. Well, they continued having break-ins including loss of data, spam being relayed through their mailserver (checked the SMTP logs and found "Administrator" was sending it :eek: ). All sorts of general mayhem ensued there, and no one could figure out why. I was almost fired because I could not get the breaches under control.

It turns out that the previous tech guy had been running keygens from the server, and thats how a rootkit got installed. Had I not found the keygens in an obscure folder, it would have taken me even longer to figure it out. This was enough to warrant moving to 2003 immediately, as neither of the 2000 servers could be trusted (both tested positive for the rootkit).

So please folks, remember that rootkits remain one of the greatest evils of the networked age. You don't know the computing practices of everyone on the machine, and thus assumptions anymore are hard to make.

So anything that is generating traffic out of a box that couldn't possibly be doing so, since you have removed it, will tip the hand. And of course there are hackers and then there are script kiddies; there are a lot more script kiddies out there than hackers, and most of 'em couldn't recode xcopy with a gun to their head :p

Or say we have a wannabe that uses net.exe to cull users, groups, password expiration schedules, when users last logged in, etc. Just don't make it easy; you might be able to detect 'em before they are able to do much, or simply discourage 'em to move on to easier pickings instead of having to recode or import and hide those files.
 
Ranma_Sao said:
mosin:
You and I have had this debate before, but what you want is not what most people want. Most people buy a box and want it to browse the web, without having to go through extravagant methods to get a web browser. (Look at Linux, I believe it comes with three or four now... ;) )
I have never met a person who actually uses NetMeeting or Movie Maker, and I have never met a person who didn't have problems with Internet Explorer or Outlook Express at some point. Linux is packaged by independents. Some add a browser, and some don't.

Ice, I'm not disagreeing per se, I'm just saying that's a false sense of security, since a compromised box is a compromised box. (Especially rootkits, since they install a kernel mode driver and run as SYSTEM.) (Addendum: I have seen one user mode rootkit that would affect users logged on, but that was rare.)

Mosin: You and I will have to agree to disagree; if it bothers you so much, run Windows Embedded.
 
*grabs stick, marshmallows, and beer*

Computer analogies suck ass, always have. Especially computer-car or computer-home analogies.

Gotta take Ballmer's side on this one: users make things secure. Under the current system, it takes sysadmin-level understanding to create, set up, secure, and manage a home network, and those are multiplying by the day.

Consumers want appliances, and PCs are it. However they also want to run "everything," yet, when is the last time your regular TV (appliance) started displaying the newer HDTV format? Oh that's right, it hasn't... It's the same TV you bought when you got it.

Computers, on the other hand, are expected to change "daily," yet act like an appliance.

Write protected OSes won't solve this either, then people will be bitching that "it doesn't play WMPv10 files" or whatever newfangled application/codec is on the web.

The real question, is why won't people pay for these services? Why couldn't I make $$ hand over fist by setting up a service business installing and maintaining people's home networks? Demand ISN'T there. People NEED this service, but don't get it.
 
Is it the responsibility of the OS to protect the system against hackers, or is it partially the owners responsibility too?

Software: :(
If you buy an OS legally, you in fact never become the owner of the software, that they make very clear in their legal agreement.

Hardware: :mad:
Only the weight of the hardware is yours. That chip's capability is not yours, it's patented.

Result: :mad:
Everything PC wise you got and paid for, is not yours in fact.

Conclusion: :D
If I don't own any of this as my own, or worse, am not allowed to own it, I am not responsible for what hackers can do to an OS. AV companies just saw the opportunity and jumped in.

That's why MS has a "better" firewall now, and plans to use their own antivirus software, so you get total protection buying their OS. This is how it should be.
 
Computers, on the other hand, are expected to change "daily," yet act like an appliance.

For us nerds, maybe. For my family and friends that are always calling me for help, I disagree. They want to browse, use email, Office and that's about it. Once in a while they will watch some videos, which once in a while will require a codec... but most of the people I know are running sub-1GHz CPUs w/o 3D acceleration. They aren't interested in the latest games or hardware.

Most of my calls (in the last year or so) have to do with virii, trojans, exploits etc. They did not know they needed these things... I'm slowly getting them educated.
 
Ranma_Sao said:
Ice, I'm not disagreeing per se, I'm just saying that's a false sense of security, since a compromised box is a compromised box. (Especially rootkits, since they install a kernel mode driver and run as SYSTEM.) (Addendum: I have seen one user mode rootkit that would affect users logged on, but that was rare.)

Mosin: You and I will have to agree to disagree; if it bothers you so much, run Windows Embedded.

Luckily I don't suffer from a false sense of security
(the tinfoil underwear should have been your first clue :p )

I agree a compromised box is just that,
and as you said detecting a rootkit isn't easy at all,
which is why I'm now learning to play with Snort and getting into firewall forensics,
but it's pretty easy to throw all those files on a floppy for when you actually need 'em.
I rarely remove all of them; some I just use too often myself.

Since I have you on the line here, I was wondering if I could get your opinion and insights on Process Guard.
I've been using it with a lot of success (as a trial install) on boxes I'm disinfecting for friends and family. It's great as a means to disrupt an infection since you have to approve each process that wants to run (of course that's not its intended use).
 
Here's an interesting article:

User Education Is Not the Answer to Security Problems

Summary:
Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this.

Computer users suffer myriad security problems, including:

* viruses and worms,
* "Nigerian" scams (email asking you to help smuggle out a supposedly large sum of ill-gotten gains),
* phishing (falsified email, purportedly from a known vendor's customer service department, asking you to go to a masquerading website and enter your account information), and
* spyware and adware that install software on your computer without your informed consent (although some operations might claim to have consent, most people don't know what they're agreeing to when they click "OK?" buttons on the Web; for true consent, users must know that software will be installed and want the adware feature activated).

Whenever the press covers a new outrage, you'll surely see quotes from security experts lamenting users' stupidity and advising companies to better educate users about appropriate security precautions.
 
Steel Chicken said:
For us nerds, maybe. For my family and friends that are always calling me for help, I disagree. They want to browse, use email, Office and that's about it. Once in a while they will watch some videos, which once in a while will require a codec... but most of the people I know are running sub-1GHz CPUs w/o 3D acceleration. They aren't interested in the latest games or hardware.

Most of my calls (in the last year or so) have to do with virii, trojans, exploits etc. They did not know they needed these things... I'm slowly getting them educated.
OS updates, application updates (AIM, AOL, Office), driver updates, codec updates, browser updates, Flash/Java/web widgets, e-cards, smiley faces in e-mails, desktop backgrounds, downloaded programs (web games, tools), new screen savers...

I'm sure I missed about 1000 other things too, none of which have to do with gaming, and most of which wouldn't work with a write-protected OS. *I don't actually know the limits, so some of this may be possible with a HDD for only "user data" like backgrounds and screensavers.*

Case in point, I think I make fewer changes to my home system than most users because I know a bit... Don't fix what ain't broken.
 
I don't have time at the moment to address many of the fine points brought up so far, but just to give you guys some more fire to the "who is culpable" argument:
Just wanted to keep things honest in the discussion, so it doesn't turn into a bunch of "MS has had to patch, therefore it is not secure" arguments. Patches are a necessary evil in all operating systems, and user gullibility cannot be thwarted by the software developer (no matter what OS they run).

I'll be back with replies to the comments before this post.
 
Ranma_Sao said:
Mosin: You and I will have to agree to disagree, if it bothers you so much, run Windows Embedded.
I agree.;) It isn't the stuff that's on there that bothers me, however. It's the lack of tools to easily remove it. Your idea that maybe I would be happier with Windows Embedded is a good one. I'm looking into it, and will most likely give it a shot. So far, it looks really promising.
 
Ice Czar said:
Luckily I don't suffer from a false sense of security
(the tinfoil underwear should have been your first clue :p )

I agree a compromised box is just that,
and as you said detecting a rootkit isn't easy at all,
which is why I'm now learning to play with Snort and getting into firewall forensics,
but it's pretty easy to throw all those files on a floppy for when you actually need 'em.
I rarely remove all of them; some I just use too often myself.

Since I have you on the line here, I was wondering if I could get your opinion and insights on Process Guard.
I've been using it with a lot of success (as a trial install) on boxes I'm disinfecting for friends and family. It's great as a means to disrupt an infection since you have to approve each process that wants to run (of course that's not its intended use).
I will get back to you on that. I want to see how it works at work; I have a feeling it's trapping the CreateProcess call, but I want to verify it. How I have verified and removed infections in the past (including rootkits, but they are getting smarter at this technique) is from the kernel debugger: getting a list of processes, and you can terminate them from the debugger. I will let you know, but if it works for you, all the better. ;)
 
BobSutan said:
Part of the problem is the disconnect between people's expectations of everyday life and what realities they face in terms of computers. When you get into a car you expect it to be reasonably safe so long as you follow the prescribed guidelines that the government mandates. There is also an expectation that many things will have already been accomplished by the manufacturer of the vehicle. Not many people buy a car and feel they should be expected to install the seatbelts, airbag, etc. on their own. With computers, and more specifically the OS, that has been the case. People have had to disable the insecure bits, and the burden of AV, firewalls, et al. has been placed on the owner/operator. At least we've gotten to the point where MS has acknowledged the fact that it's their product and that there is an expectation of reasonable function as well as security when it comes home from the store. Jane and Joe Consumer expect it with anything they buy at the mall. Why should a computer or its OS be any different?

I think the problem here is that anytime MS tries to integrate other aspects of software into its OS, it gets hit with the anticompetitive stick.

Look at all the trouble over IE for example. Can you imagine how loud Symantec et al. would be shouting if MS had a good, strong firewall, AV and spyware install that was free and part of XP? They are in a damned if you do, damned if you don't situation.
 
Well, lemme try to address some comments. Since I'm not replying to anyone in particular, I'm not going to quote too much and not really attribute names.

But first, to Ice Czar:
broad examples
ntfs permissions vs web content in the explorer shell
compartmentalization vs root integration
NTFS permissions are not equitable to displaying web content. Permissions are about allowing (or denying) access, web content is just a manner of displaying... well, content. The compartmentalization vs integration is a worthwhile argument, though.

However, the NT kernel is no less compartmentalized than the *nix kernel. The only real difference between the two (posix aside) is the open-ness or closed-ness of the source. The level of integration between the two most popular OSes on x86 is not a matter of source, but it is a matter of implementation. Now as to contention on the level of usefulness/success/correct-ness of the implementation for both, I think a case can be made for quite a few distros of *nix as well as Windows.

(just so you know, I mention a "few distros" because some implementations include far more integration than other builds, no distro wars here)

more specific compartmentalization
disabling HTML in e-mail
disabling ActiveX
disabling or limiting WHS\VB\Java\Java Scripts
I disagree with those, and they aren't examples of compartmentalization issues—those are implementation, as I mentioned earlier.

remove insecure subsystems (OS/2 and POSIX)
:confused: Are you saying they are inherently insecure? Please explain.

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
I agree on everything but the .reg association.

greatly dependent on the role of the box of course
As well as many other things, which is why I said before that it isn't so much all the developer's fault as it is equally the responsibility of the developer.

Okay, now on to the (general) analogies: they've gotten out of hand. You see, comparing a system to a house or a car or something is good when dealing with concept, but when the details come into play, the differences are so vast as to make an analogy a mess of convoluted and unmatching comparisons. The concept of one keeping their property safe is useful when talking about one keeping their own computer safe. Comparing a lojack or a deadbolt to a firewall or an A/V is simply not worthwhile, as the differences and purposes for each are vastly different. Basically, it becomes an argument of semantics instead of a debate of ideas. Stick to the ideas and concepts, not semantics.

The problem with "secure" things like browsers is when you sacrifice one thing for another. Many say that IE has sacrificed security for integration. I say that most other browsers have sacrificed usability and efficiency for security. Case in point: non-IE browsers crash an order of magnitude more often due to memory errors and display issues with less-than-perfect (malformed) code. The answer, I opine, is somewhere between what IE is currently and what Mozilla is now—both have some working in a certain direction, though not necessarily the same for each.

Some argue that user education is not the answer. I find this claim ridiculous, mainly because when it comes to everything else in our daily lives, education helps make us more aware and able to prevent things that may harm or inconvenience us. This doesn't mean that people need to be trained to be sysadmins—that's equally ridiculous—but it does mean that the simple preventative measures available out there should be made more accessible and available to the public. For example: I have given advice to many to use things like this, which is updated regularly by those who made the page, to be a bit of pre-emptive protection. On top of that, there's the obligatory spyware cleaners and the suggestion to stay away from the more risque sites. Just those things alone can reduce malware infections by more than 75%. If people did them aggressively, the number would be even higher (I have personally seen more than a 90% drop in malware on my personal machines).

That is why user education is so important. The user doesn't have to know the details of how and why the methods keep them safer, they just need to know if it will indeed keep them safer. Not telling them and grudgingly expecting Corporation A to fix all of this shit for them does nothing but create job security for the "side-business computer guys" who clean out people's home computers for $20-25 a pop.

Try to bring to mind any virus out there, and I would wager that for almost every case, it exploits something that has been patched, either by the OS vendor or the application vendor. Teaching the end-user simple update/patch maintenance techniques as a matter of course would reduce the problem of these things greatly. Almost every "exploit" in existence today—meaning all those servers that get r00t3d or hacked in some way—is either the result of piss-poor admin work or something that had a patch available but not installed.

However, there are stupid idiosyncrasies out there—like the fact that cmd.exe executes text files instead of opening them with notepad.exe (link). I'm not saying there aren't flaws, but I am saying that the onus isn't completely in the hands of the developer.

Ice Czar, Ranma_Sao, I appreciated the comments from both of you, as well as others in the thread so far. Just wanted to let you guys know, aside from all the talk of this program having that flaw and whatnot. :)
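The "protect or remove" list and the .reg association point from the post above, turned into a read-only audit. This is an added example, not code from the thread or any of its participants; it assumes a Windows box with the tools under %SystemRoot%\System32 and the default .reg association under HKLM\SOFTWARE\Classes, and reproduces the tool names exactly as spelled in the post (including two that may be misspelled there).

```powershell
# Added example (not from the thread). Reports which of the listed executables exist
# under System32 and whether BUILTIN\Users or Everyone still hold execute rights on
# them, then shows what double-clicking a .reg file currently does. Changes nothing.

# Tool names copied verbatim from the post; pconfig.exe and Issync.exe are kept as spelled.
$tools = @(
    'arp.exe','at.exe','cacls.exe','cmd.exe','Command.com','cscript.exe','debug.exe',
    'edit.com','edlin.exe','finger.exe','ftp.exe','pconfig.exe','Issync.exe',
    'nbtstat.exe','net.exe','Net1.exe','netstat.exe','netsh.exe','nslookup.exe',
    'ping.exe','posix.exe','qbasic.exe','rcp.exe','regedit.exe','regedt32.exe',
    'regini.exe','rexec.exe','rsh.exe','route.exe','Runas.exe','runonce.exe',
    'telnet.exe','tftp.exe','tracert.exe','Tlntsvr.exe','wscript.exe','xcopy.exe'
)

function Get-ToolExposure {
    param(
        [string[]]$Names,
        # Assumption: the binaries live in System32; pass -Root to audit another folder.
        [string]$Root = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($name in $Names) {
        $path = Join-Path $Root $name
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Tool = $name; Present = $false; UsersCanExecute = $null }
            continue
        }
        $acl = Get-Acl -Path $path
        # Any Allow ACE granting ExecuteFile to the broad built-in groups counts as exposed.
        $execAce = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone)$' -and
            (([int]$_.FileSystemRights) -band
             [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
        }
        [pscustomobject]@{ Tool = $name; Present = $true; UsersCanExecute = [bool]$execAce }
    }
}

function Get-RegFileAssociation {
    # Assumption: default install maps .reg -> regfile, and regfile\shell\open\command
    # runs regedit.exe "%1", i.e. a double-click imports the file into the registry.
    $ext = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.reg' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    $cmd = $null
    if ($progId) {
        $open = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" `
                                 -ErrorAction SilentlyContinue
        if ($open) { $cmd = $open.'(default)' }
    }
    [pscustomobject]@{
        ProgId                     = $progId
        OpenCommand                = $cmd
        DoubleClickImportsRegistry = [bool]($cmd -and ($cmd -match 'regedit'))
    }
}

$exposure = Get-ToolExposure -Names $tools
"Present and executable by ordinary users:"
$exposure | Where-Object { $_.Present -and $_.UsersCanExecute } | Format-Table Tool -AutoSize
"Missing (removed or never installed on this build):"
($exposure | Where-Object { -not $_.Present }).Tool -join ', '
".reg file association:"
Get-RegFileAssociation | Format-List
```

Run it elevated for a complete ACL read; a tool showing Present with UsersCanExecute false already has the "protect" half of the post's advice applied, while a DoubleClickImportsRegistry of true means the .reg association the post wants removed is still in place.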
 
Summoner said:
I think the problem here is that anytime MS tries to integrate other aspects of software into its OS, it gets hit with the anticompetitive stick.

Look at all the trouble over IE for example. Can you imagine how loud Symantec et al would be shouting if MS had a good, strong firewall, AV and spyware install that was free and part of XP? They are in a damned if you do, damned if you dont situation.

I've considered this as well. I guess we'll find out soon enough if MS goes through with their plans to include an integrated AV of some sort in their next OS.

I don't see why they don't just create a security package of some sort--firewall, AV, etc.--and make that available online. It'd placate those that say it infringes on competitiveness because it's not rolled into the OS, but it makes people like us happy because it is a fair amount of free security built specifically for the OS. If the system runs without them in place (for example until you can get it installed), you'd be at risk, but then again so are those who run like that already on SP1 machines (minus an AV and with the FW disabled).

Sorry, just playing devil's advocate here.
 
BobSutan said:
I've considered this as well. I guess we'll find out soon enough if MS goes through with their plans to include an integrated AV of some sort in their next OS.

I don't see why they don't just create a security package of some sort--firewall, AV, etc.--and make that available online. It'd placate those that say it infringes on competitiveness because it's not rolled into the OS, but it makes people like us happy because it is a fair amount of free security built specifically for the OS. If the system runs without them in place (for example until you can get it installed), you'd be at risk, but then again so are those who run like that already on SP1 machines (minus an AV and with the FW disabled).

Sorry, just playing devil's advocate here.
I agree, but it doesn't take much to see that I am one of those who believes that Microsoft infringes on competitiveness by their insistence on integration of components that are not essential. Still, they are in the position to write the best code to protect their operating systems, or at least they should be.
 
If your average Joe won't buy AV or a firewall from another company, why would they from MS? I think there's a lot of people out there who don't understand or aren't even aware of the risks when you are connected to the internet. You see an ad on TV for Earthlink or AOL where they imply everyone is safe using their software when it couldn't be further from the truth.

You would think the salespeople at Best Buy etc would be scaring the crap out of people so they bought $200 worth of extra software and a router :p
 
I think what BobSutan is implying is that it's a free download from MS, just don't bundle it in with the OS CD. This would be a fair option; however, would they actually do it? I know of a lot of machines w/o virus protection because the 1 year of free upgrades expired 6 months ago.

Sure you and I could/would, but would Joe and Jane consumer?
 
Phoenix86 said:
I think what BobSutan is implying is that it's a free download from MS, just don't bundle it in with the OS CD. This would be a fair option; however, would they actually do it? I know of a lot of machines w/o virus protection because the 1 year of free upgrades expired 6 months ago.

Sure you and I could/would, but would Joe and Jane consumer?

But if it's free, the anticompetitive thing comes up again. It's a hard one to solve, that's for sure.
 
Summoner said:
But if it's free, the anticompetitive thing comes up again. It's a hard one to solve, that's for sure.
If it's not bundled in the OS, how are they using their OS monopoly to force you into an application, regardless of cost?
 
Phoenix86 said:
If it's not bundled in the OS, how are they using their OS monopoly to force you into an application, regardless of cost?
I agree that it would be a fair option, but Joe Average won't take advantage of it. One day someone may write the ultimate piece of malware, a trojan, worm, virus, or other evil, yet unconceived, that will grab his attention, but he will most likely blame Dell. :rolleyes:
 