Re: Are you using security protection
I can see not using protection on a non-windows OS, entirely feasible. But Windows? You are asking for trouble, even with a heavily locked down system infections are common, and some of the threats are beyond the capability of the vast majority of people to detect. For example a replacement of services.exe would go undetected and ultimately result in a full system compromise without realization of such. I've seen it, and I have seen it go undetected around several very good techs.
I'm pretty confident in Webroot these days because it picks up enormous numbers of unknown threats with its heuristics and deep cloud analysis. For example on one of our machines it snagged two fresh ITW a couple days ago that only one other AV/AT/AS product on the planet detected. These threats would be installed and go unnoticed by 99% of everyone. NOD32 was the only other one to pick it up out of the 40ish AV engines tested, and it only got 1 out of the 2 threats. Webroot got them both.
said by Steve Smith:
I can see not using protection on a non-windows OS, entirely feasible. But Windows? You are asking for trouble, even with a heavily locked down system infections are common, and some of the threats are beyond the capability of the vast majority of people to detect. For example a replacement of services.exe would go undetected and ultimately result in a full system compromise without realization of such.
Before commenting on whether or not I could agree with that, I'd like to hear your definition of a "heavily locked down system", and what kind of infections such systems get so often as to be called "common", and how such infections occurred exactly. I get the feeling our definitions for heavy lockdown might be rather different (it can't be heavy lockdown if your users can intentionally and easily execute untrusted new software they just downloaded, as one point).
From my point of view, seeing any infection on a heavily locked down system is, slightly exaggerated, rarer than a dog who speaks Norwegian. Seeing a heavily locked down system used by smart users that has still gotten infected with something is rarer than a dog who speaks Forest Nenets. Yes, on Windows.
As for the services.exe part, I do realize I'm nitpicking here, but heavens forgive me, I can't resist: if something malicious can replace services.exe, then that there malicious thingamabob is already executing with admin privileges, and that's enough of a full system compromise right there, so I don't see how the replacement would "ultimately result in a full system compromise" when the system already has to be fully compromised for the replacement to occur in the first place.
Limited User Accounts.
Software Restriction Policies.
The thing is, having a totally locked down system doesn't make it a good system to use. You can always pull a box off the net, but what's the point? There are a lot of quality, and secure OSes out there that allow you to operate with relative impunity whilst not sacrificing operational stability, ease of use, and functionality. Windows is not one of those.
99.999% of the world won't find a heavily locked down Windows box to be acceptable. Yet those same people would run other OSes and not even notice how secure they are, or any lack of functionality. Windows - frankly - probably has already peaked and is on the way out. I guarantee you when this state sponsored cyberwar starts to really ramp up, Windows will be rendered virtually unusable as an all purpose OS. That day is long welcome for many of us. I had to laugh when the military used heavily locked down Windows boxes, and discovered even then, they could be quite readily compromised. Just wait, there are threats already ITW that basically render Windows boxes bricks, and it is getting much much worse.
I think the most viable solution at this time is to have a vanilla, hardened Windows for only pure high end gaming with a dual boot of a secure, functional, and full featured OS as your primary. This is how I am seeing well over 30-40% of the boxes being set up these days from non-big box sellers (like Dell). But isn't Microsoft doing something to that Windows 8 abomination to prevent dual booting? Say goodbye to Microsoft.
"Totally" locked down is, I agree, not comfortable to use. But "heavily", is, in my experience. That doesn't require disconnection from networks, even the Intertubes.
But for the sake of conversation, let's go with the thinking that Windows is not viable as malware gets meaner and nation-state cyberwar ramps up. Somebody please give me a brief technical explanation of what exactly makes non-Windows operating systems, say Linux or OS X or even OpenBSD, so much more resistant towards such malware dangers than Windows that they shall remain happily viable where Windows goes into smoky ruin of infection. A technical explanation is needed here: I'm not looking to hear "because MS just codes for ease of use over security", I want to hear something rather more like "because operating system SS is coded in an elvish variant of C that removes all vulnerabilities except ones forged in the fires of Mount Doom with considerable personal soul powah, and also takes all control away from the user so they can't stupidly execute malware". Because, I keep hearing that Windows can't survive the increasingly nasty malware ecosystem, but what I don't hear is what exactly makes other operating systems immune or even much better protected. Let's say Windows dies next year, and by 2015, everyone who runs Windows today is running, say, Ubuntu (I have the feeling that OpenBSD isn't gonna get popular any day soon). Now what is the tech that makes those formerly Windows but now bravely Linux boxes and their mostly computer-ignorant users all that much safer from malware and even that cyberwar threat? Anybody have that technical explanation?
Because the day that something else usurps Windows' place as most popular desktop OS, the evil folks are going to be on it like white on rice, they're going to find vulns to exploit and get their code running - sometimes as just a luser, more rarely escalating to root - and they're going to find easy ways to socially engineer the human users to run evil code. And guess what? Readily compromised, unusable OS, here we come!
The registry is a huge weak spot in Windows, for starters. What a conveniently centralized location to implement all kinds of nastiness! I had to manually clean up an ugly, registry-centered infection once - because even the most powerful anti-malware programs of the time couldn't find it, much less clean it up. (These anti-malware programs were already loaded and running on that system before the infection occurred, BTW. Some of them got replaced after this particular battle, while the remainder got upgraded - and stay upgraded - and some additional ones were added.) It took a considerable amount of investigation and work on my part, but ultimately I was successful. Most PC "experts", however, would have just given up on it pretty quickly and completely wiped the box - OS, programs, data, and all.
And even on a "clean" (assumed to be uninfected) system, the registry is often such a cluttered and nasty mess that a sane and reasonable person is usually afraid to go near it. They might occasionally run a registry scanner, though, which will almost always call out so many real and potential registry problems that it makes even the most hardened PC cynic (like me) blanch!
Now, like many things in Windows, it may be true that as of late Microsoft has attempted to address issues here (I haven't really kept up with the latest). But this type of after-the-fact remediation tends to fall into the "too little, too late" category; also generally into the "we'll promise a lot more than we will actually deliver" category, too. And until basically every Microsoft PC out there gets upgraded or replaced and reaches this level of "maturity" (a term that I use loosely here), then essentially the entire ecosystem still remains at risk.
It's true, though, that the end user is the weakest link, and that social engineering and such will remain a huge danger point. Which is one reason why smart organizations these days are moving away from the "PC on every desktop" paradigm, and back towards a more centralized, controlled, and secure environment.
PS: I noticed a bit too late that you specifically asked about other operating systems. OK, then. I've worked on true enterprise-class systems (which were originally designed and implemented decades ago, before Windows even existed) that among other things (a) secure the individual programs in such a way that they can't really be tampered with - and if they do get tampered with, they won't even load, much less run; (b) don't generally allow you to make critical system-level software changes without direct physical access to the system - which usually requires a special password, and often a special key or key-like device, plus placing the system in a special maintenance mode (granted this can be inconvenient at times, especially for remote systems, but these types of system-level changes are relatively rare - unlike Windows updates); (c) have always had powerful, flexible, multi-level, all-but-unbreakable security built-in, from the ground-up (not as some late-to-the-game relative afterthought); (d) have never had a successful virus or other similar malware attack that I'm aware of - and although some theoretical attacks have been speculated about on paper but maybe never executed outside of a special test environment (AFAIK), the vendor went ahead and addressed these theoretical weaknesses with software updates anyway (unlike Microsoft - and too many others - who will leave known exploit vectors unpatched for months or even years).
While I can't speak specifically to Linux or OS X or OpenBSD (although I know OpenBSD takes great efforts to be secure by design, and Wikipedia gives a good overview on this), the fact that they are all derived from Unix - itself a relatively enterprise-class system, with a long operational history, and generally designed and built by people who knew what they were doing - means that they started from a sounder foundation. And while none of these systems - not even the one that I described above - can be assumed to be defect-free and totally secure, their "attack surface" is generally much, much smaller than that of Windows (even in its new, "improved" versions), and they suffer less from the legacy problems that have plagued Windows from day one.
Very nice post. Essentially the entire Windows ecosystem (planet) is so corrupt it needs a new foundation (great flood), and a rebuilding of a new platform. I agree, and I see this happen so much; for example FF is becoming so bloated these days they really need to sort of just start over. Essentially they have a contaminated bloodline on their hands.
Unix, and its derivatives, I believe had a stronger foundation partly because the people doing it loved what they were doing; it really wasn't done for profit. While Microsoft has greed, corruption, and the lust of money at the core of what they do. They lack the passion, love, and drive these other OSes had when they grew up, and spawned derivatives. It's the old adage that anything done for greed is blessed by Satan, anything done for love is blessed by God. Essentially Windows is a cursed system because of the greed that drove its execution, rather than the passion that drove Linux/Unix type systems along.
It makes perfect sense, and it means MS will likely never fix it. The world needs to wake up and move away from it to let it die. The longer people buy boxes with Windows on it, the longer people wait in line for each new release spending hundreds of dollars, the longer this abomination will plague our world. I think we can all do our part by educating people about alternatives, then ensuring we help them move to them. Ubuntu or Mint are outstanding operating systems to install for general consumers! Secure, virtually problem free, easy to use, attractive, and feature rich. So why do we keep installing Windows on their machines?
I hope MS drops the ball on their next few releases, so much so, that people collectively start moving to alternatives, which will then force game developers to develop on these other boxes. It's a crime right now how developers in the game business essentially ignore the linux market, and we need to reverse this - which would then put the final nail in MS's coffin. Deny Microsoft money, any way you can, and you starve the beast.