Windows security - where is it today?
Windows security - Just what is it’s state today? One simply has to do a bit of research to find numerous articles with specific data stating the obvious. (Obvious at least to computer technicians that have to clean up Windows computers on a daily basis…)
From one of the most core computer news sources on the planet - in the middle of Silicon Valley - comes this quote in an article posted on March 02, 2005 by Michael Gray:
The internet is one big, bad neighbourhood. Try connecting a freshly loaded Windows system - no patches - to the internet. How long would it last? 10 seconds? Maybe 20?
InternetWeek was a bit more forgiving, stating that an un-patched Windows computer would last less than 20 minutes.
Last November, USA Today ran a Windows security test and wrote that an unprotected Windows XP machinewas breached within four minutes, and became a zombie in less than ten hours.
Also last November, Linux Pipeline reported on another Windows security test run by “marketing-communications firm AvanteGarde” wherein they connected 6 computers directly to the Internet. Name of the article? Gone In 30 Seconds.
And what of your Windows passwords? Are they at least secure? An article from WindowsITPro titled “Researchers Crack Windows Passwords in Seconds” should answer that question for you.
Alright, so Windows security doesn’t appear to be faring well to say the least.
WHY !?!?!?
Rather than reiterate a _very_ well thought out investigation of Windows security vs. Linux security by one Nicholas Petreley, wherein the actual reasons for Windows security troubles are made apparent and well communicated, may I take the liberty of pointing you here…
Note that you don’t have to be a computer geek to understand Mr. Petreley, and that the reason for Windows security troubles has NOTHING to do with there being more Windows computers than Linux computers at the present moment.
14 Comments for "Windows security - where is it today?"
Leave a comment ...
There may be a delay in displaying comments, which are moderated due to spammer abuse. Apologies; I appreciate your participation and your comment will be reviewed as soon as possible. Posters must be 18 or older | Privacy Policy
» Diane Vigil
03/11/05 @ 1:14 pm
And so … you have a solution? (That goes beyond not hooking an XP machine up to the ‘Net?)
» Dan
04/7/05 @ 11:44 pm
Not really - here’s why.
The weaknesses that Windows has had (and continues to have) are able to exploited via many different ways, not just via an Internet connection.
Consider these past exploits:
Multiple exploits in macros. This means that even a Word document or Excel file could have corrupted your computer - connected to the Internet or not…
There are many things that _can_ be done such as installing a firewall, using OpenOffice and Firefox, etc. but these won’t fix _Windows_.
Only Bill Gates and company can do that…
» Diane Vigil
04/11/05 @ 4:03 am
Okay. Well, if we ignore (for the sake of argument) *internal* owies that could cause problems, then XP could be connected to the Internet?
» Dan
04/11/05 @ 12:23 pm
‘Pert-near’ any O/S _can be_ connected to the Internet.
Currently, connecting a stock installation of Windows XP Service Pack 2 (SP2) to the Internet is not _too_ bad, as long as you don’t use IE, Outlook or Outlook Express of course.
However, connecting a stock installation of Windows XP SP1 to the Internet is similar to going undersea in a submarine with 30 screen doors - you _will_ sink.
Problem is that Windows XP SP2 breaks a lot of software packages running on Windows XP, and this is why many corporate firms have not upgraded to it yet - but then they are usually behind a firewall of some sort…
This problem is based on Windows XP’s user permissions setup and use of it’s registry - the database of all programs running on your Windows computer.
If Microsoft had setup Windows to allow users to install programs seperately from Windows, and have them run with that user’s privileges, they would have had less trouble with their upgrades.
(By the way, this is the default setup on Unix, BSD, Mac OS-X and most Linux variants.)
As it is, most programs require one to be either the Adminstrator, or to have administrator privileges in order to install software, as many changes will be made in the Windows registry and Administrator privileges are needed for this activity.
so in Microsoft’s current scenario, most users are Administrators, and IE/Outlook/Outlook Express lets software be installed without your knowing about it, which means that this software is installed onto your computer with Administrator privileges…
Hindsight is a wonderfull thing isn’t it? :-)
Currently Microsoft is working on a different user privilige setup for the next version of Windows, code-named ‘Longhorn’, so we’ll see if they have brightened up any in this area when Longhorn comes out. They could actually compete with Unix, BSD, Mac OS-X and most Linux variants in this area, but it will mean a massive re-design of Windows.
Addendum added 02:00p.m. 11 Apr, 2005:
I have just read that Microsoft has set back the release date of Longhorn again to 2007.
» Diane Vigil
05/5/05 @ 3:18 am
That doesn’t sound promising, if XP SP2 gives problems with running software and SP1 is … whatever it is.
Which means I’m still happy with Win2K.
» JBlanch
05/6/05 @ 9:48 pm
I’m running windows XP SP1, i’ve never recived anything more then spywear because i accidently downloaded an ActiveX component from a windows media file (it was hidden in a music video and i clicked ok by accident). I don’t see how besides stupidity on the users part, or a program outside of windows actual base operating system (the parts of IE that aren’t system based, to be fair it still is part of the OS but not completely) or somthing else along those lines. I don’t personally think you can blame the operating system for faults other then the issues like passwords being cracked. Being connected to the internet, means you yourself are the one responsible for being hacked, if you’re worried about security and not getting hacked, then don’t download/run any email attachments ever, and don’t download anything from the internet.. oh, and don’t use IE.
I personally don’t see where the big security flaw is besides in things that are also found in other OS’s. I mean, i’m not exactly anything but a windows guy due to limitations of my environment, but i’m sure that linux isn’t perfect in every way either.
» Dan
05/8/05 @ 5:23 pm
“I’m running windows XP SP1, i’ve never recived anything more then spywear”
—
How do you know? If you are running a standard Windows installation with a direct connection to the Internet via either a Cable or DSL modem, and an anti-virus program such as Norton, I can bet with confidence that you have 3-7 trojans on your computer.
“I don’t see how besides stupidity on the users part, or a program outside of windows actual base operating system…”
—
In the case of Windows current iterations, you can definitly blame Windows due to the integration of Internet Explorer into Windows.
In doing so, Microsoft tied a _VERY_ insecure web browser, hence, as you mentioned Internet Explorer is now part of Windows. Problems with Internet Explorer? These are now problems with Windoes, and noone from either side of the fence can change that except Bill Gates and/or Microsoft.
“…if you’re worried about security and not getting hacked, then don’t download/run any email attachments ever, and don’t download anything from the internet.. oh, and don’t use IE.”
—
As correct as you are on these items, you are missing:
Don’t open a Word or Excell document from any source
Don’t use Outlook or Outlook Express (they use IE for HTML mail.)
Don’t access any CD, floppies, Zip, firewire or UDB disks.
And yes, Linux has it’s faults, as does Mac, but they just aren’t as horendous as Windows faults generally speaking.
» JBlanch
05/8/05 @ 6:10 pm
I know i don’t have any trojans because i constantly check and reformat, and if i don’t remformat i monitor outgoing and incomming connections overnight with a simple port scanner i wrote.
I’m kind of just arguing about the prestent time, where holes in outlook, word, and other programs have been fixed already even without SP2.
» Dan
05/9/05 @ 5:33 pm
I have to agree, reformatting will definitely handle any trojan!
Now you don’t appear to be a normal computer user since you wrote your own port scanner, but you forget that holes in Outlook and Outlook Express _have to include_ holes in Internet Explorer since they both use Internet Explorer to view HTML email.
In that light therefore, new holes in Outlook and Outlook Express (that cannot have been fixed by SP2 since they are new) continue to occur with regularity.
I would again point you to this article to support my opinion on Windows security:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/
and assume that you are not taking into account the fact that I deal with Windows problems on a daily basis, and have done so since May of 1991.
Is my opinion based on prejudice? Slanted in any way due to my experiences supporting Windows.
Yes, and I admit that I see, handle or repair the bad side of Windows daily - as opposed to my simple use of Windows daily (which doesn’t happen.)
» JBlanch
05/9/05 @ 5:56 pm
Yes you do seem very basised and disgusted with windows, i just wanted to push the real buttons that you’re hitting on that you’ve hidden to the general (non-geeky) public. I acctually agree with you and already knew about all these holes, sorry to come off as a bit of hypocrite but i just wanted to make sure there wasn’t somthing else i’m missing here and don’t even know about!
I wish you would write more in depth like that in the articles, or at least put it out there in a read more section maybe ;)
» Diane Vigil
05/10/05 @ 9:34 am
As a long-time client of Dan’s, I wouldn’t say that Dan doesn’t advise properly about Windows insecurities. I’d have thought that was apparent from this blog, but maybe not. And maybe I’m geeky after all. :)
» Dan
05/10/05 @ 9:49 am
Thank you for the compliment, and it doesn’t appear that you’ve missed anything JB… :-)
And yes, Diane, you are geeky, in a user-friendly way. :-)
The problem I have seen in writing deeper in detail of the current situation with Windows and the Internet is that most of the public would not believe me if I did. And behind me I have years of ‘preaching’ to the public, my clients, regarding this.
The common viewpoint is that they themselves (the general public) would not do the things that are in fact going on today, and therefore, cannot believe that someone else would do these same actions.
Which of course, says loads regarding these people and their good intentions. However, it also says loads regarding their lack of willingness to even look at what is going on, much less fight back.
(Unfortunately, in more areas of their lives than just computers.)
Most of this is of course due to their lack of education in the actual operations of computers and whatever other areas they don’t look at.
I will however, endevour to write a bit more in-depth in the future.
Thank you for taking the time to reply to my articles!
» FTC Lonely Housewives Lawsuit
05/28/05 @ 5:22 pm
[…] the group used compromised computer networks to send the spam and obscure its source. So compromised computers can be used to nefarious ends, such as […]
» Computer Anti-Virus Programs
05/28/05 @ 5:43 pm
[…] computers to send out spam email. What are the odds of this happening? See ITdiaries.com’s compromised computers. The good news, however, is that one d […]