Thread: Windows virus?

Nah... I'm not that safe on Linux when being a newb. In fact, there's nothing more dangerous to Linux than a newb with computer knowledge, as my latest menu.lst edit revealed when I realized I couldn't boot the computer anymore.

That's more devastating than what many computer virus can do these days.

If there is a price for newbness, on Windows you pay it in network security, on linux I pay it in system integrity.

Originally Posted by cyberfish

Hmm. Ubuntu installation takes ~ half an hour on my machine. I spend an additional hour or so installing programs I need. I don't need to consciously do anything to improve security.

But you have paid for this extra security over a Windows system with user friendliness. Just for a second, be my mom. Go to your local library, grab a 7-year-old WeightWatchers CD with a leaflet read so often you are afraid it will turn to dust if you touch it, take the CD, insert it into your drive and have it running in 5 minutes without any knowledge about your computer, sudo, a root password or even the fact that just because it's a "computer CD", it doesn't have to work on every computer/OS.

Yes, the fact that autorun is enabled because she wouldn't know how to start the executable on the CD otherwise and the fact that she is running as administrator because I won't give a three-hour-lecture about running a system with different users are tearing a security hole in the system that's the size of a small moon. But that's the price people pay.

On Windows, especially before Vista, it's practically impossible to use a limited user account (the UNIX way), simply because programs were designed assuming the user has admin priviledge.

That's true. But don't blame the OS. The operating system itself is safe. Applications are crappy. And your desire to run them is greater than your desire for security. Your email client is running arbitrary code and requires admin priviledges ? Well, throw it in the bin and get a better mail client. But people don't want that. Because running OEx is so simple right ?

Windows (NT upwards) wasn't a bad operating system. It was pretty secure. If you used it. If you abused it, you'd experience the same problems you'd have with a *nix system having a totally clueless user running as root all time installing buggy software.

Vista security is not user-friendly. Worse, it's not user-logical. By that I mean the following:

1) I enter the control panel and go to the network settings.
2) I change the network settings.
3) I press OK.
4) A dialog pops up, asking me to confirm my change of the network settings.
5) I go, "Huh?"

As a computer engineer, I know why this happens: a program could change those settings without user interaction, and the dialog is sent from the inaccessible security layer to confirm that it was really the user who did that, not some malicious program.

As a normal user, I have no idea what the difference between normal programs and the security layer is, and I simply get annoyed that I have to confirm the action I just took. Sometimes, if the configuration dialog has its own extra confirmation, I have to confirm my changes thrice! (Click OK on the dialog, click OK on the confirmation, confirm for UAC.)

Here's another example of user-unfriendly security, this one dating to XP: my uncle wanted to book a rental car via the web. Aside from the sites being extremely unfriendly (not Windows's fault), there was another subtle problem. The one my uncle went with wanted him to fill out a big form. He did, then got to the field that asked for the credit card details, so he went to fetch his card.
While away, Windows Update decided to restart the computer, because that's what it does if you don't explicitly tell it to stay. Needless to say, the form information was lost.

Sure, restarting the computer after a security update in the core OS is important, because if you don't, the update isn't in effect and you're still vulnerable. Still, that Windows will go for the destructive option by default and with a timeout is not nice.


These are the times when I think that there has to be a better way.

UAC was explicitly made to annoy and not as a security measure, though... Microsoft admitted that.
Or rather, it is a security measure in such a way that it would force application developers to stop creating admin-only apps. But nothing other than that.

Regardless, I hold no love for UAC. When I did test Vista, I always disabled it completely.
And Windows Update is also something that I avoid like the plague. Want something from there? Then I go to the website, because it doesn't force stuff down your throat. Although it does demand a reboot after installing the updates which is pretty annoying.

Well, most of the time it probably does. It's just bad PR to tell.

If Windows knows better than its users, depends on what its user knows. Because of this, the path has been taken to treat everyone equally dumb, with the option to turn it off in case that's just not true.

The irony is that by making it easier to use by everyone, the operating system is making it considerably harder on itself. Because:

a) This type of security features operating at an higher abstraction layer (that of the UI and of guess work) is falling down on the operating system, increasing its code size, changing usage patterns with very new version and making it considerably harder to use. Every attempt at mitigating the effects can only be done through lots of brain power being poured in, more code and more complex code, making the whole thing more expensive (money-wise too). All this energy could instead be diverted towards building security features at the core and delegating the rest to 3rd party tools.

b) In other words, the operating system is calling on itself a responsibility it shouldn't have. On most cases this means protecting the users from themselves. As new threats are devised and new ways for these threats to operate are arranged (some targeting exactly the new security features) the need for new solutions accumulate and need to be addressed by creating even more code, even more complex code and eventually even more changes in usage patterns.

c) Since the operating system demands less and less thought from the user, it creates less and less informed users, which only complicates matters since invariably this leads to more dumb down features to make up for the increased lack in computer expertise.

d) Similarly, because the operating system calls on itself the task of protecting users from themselves (or provide at the UI level security features that should instead be present at the core where they would be more effective and future-proof), it gives birth to - this time rightful - complaints when those security features are not sufficient or fail to operate as intended due to bugs or new threats being devised. What I mean is that because it's now the operating system responsibility, it is also the operating system fault. So... ever increasing maintenance work, ever larger maintenance teams and, worst, an ever increasing need for post-sales support. Costs only tend to rise and consequently price.

...

Necessarily that's more or less how things work. That is, one can't expect developments in the computer area to not be matched with more complexity. But the question remains if is there any effort to reduce the entropy. My personal answer is no. On the contrary, I think operating systems the likes of Windows are making things exceedingly complicated by blindly following the marketing pattern of "make it simple to use". The bubble will burst one day if it keeps moving this way. Bill Gates himself admitted Vista should have been given more thought. What's extraordinary, he did it before launch day.

...

My opinion, and to finalize, operating systems security features should be made at its core as architectural features (for instance root on Linux). Any security features implemented at the UI level should reflect these core features and no more. Anything else being implemented at the UI level are usually nothing more than band aids meant to address an incomplete architecture. This isn't necessarily bad, but should be instead addressed either by 3rd party tools or OS tools that stay out of the way unless the user turns them on.

Microsoft Windows has a long standing record of insecure features and insecure all around demeanor. Some well deserved, but most not really. Regardless, the thought of Windows being an insecure operating system has been popularized since maybe Windows 95 and yet it didn't stop it from remaining the most popular operating system and keep increasing its quota and sales.

Will this change of heart change things? It definitely has for me since I lost all interest in Windows after around 20 years (I've arrived a little later in the scene Bubba, around 3.something) of using it, and have changed to Linux. The reason I'm writing this on Windows still is merely because a) Windows XP is still being supported until 2010 and b) I'm still in the process of switching from Visual Studio C++ and don't wish to throw away the considerable investment I made in C++ windows development applications in the past couple years.

But all in all, I do everything else in Linux and am loving in it what I learned to love in Windows. I.e. It doesn't try to get in my way.