In article , C J Campbell wrote:
Windows is insecure enough that the US Army migrated to Apple software
based servers to improve security of its network several years ago.
BWAAHAHA! What a colossal waste of money! That is like trying to improve
security by moving the hinges of a gate from one side to the other.
OK, several years ago: what did we have?
Windows was a DOS-extender then. A veneer over a single user, single
tasking operating system (Windows <= WinME, excluding NT, are DOS
extenders). Although MacOS <= 9 was also from the ground up single user,
it didn't have any of the inherent problems that WinME and below have
by their nature as DOS extenders.
The real problem with Windows isn't so much the features it has (or
lacks) - like any other OS, it has bugs, and like any other OS, stupid
people use it. Win2K3 Server + AD + WinXP on the workstation has some
very *good* security features. You can now do a much better job of
locking a Windows system down.
The problem with Windows is cultural. Windows comes from a single user,
single tasking culture - and many of its features have been added on
without regard for the fact they might be connected to a public network.
These cultural aspects are endemic from Microsoft themselves to the
people who use the OS. Unix-based OSes, on the other hand, come from a
culture of being plugged in to public networks from day one, and being
multi user, multi tasking from day one. RedHat learned many years ago
why you don't enable 1001 services by default in a fresh install (that's
why it got nicknamed RedHack in the 6.0 days). Debian always seemed to
have this particular bit of clue. On the other hand, if you buy a brand
new Windows package with all the latest updates, it STILL has the RPC
ports open by default, despite all the worms that have exploited holes
in it! This is Microsoft's fault. Finally they are fixing it in Windows
XP SP2. How long until a significant number of users are running SP2,
and have these vulnerable services open by default and no firewall by
default? Years, I wager. There's still a significant number of Win98/ME
machines still in use, and I bet there's a lot of unpatched XP systems
out there.
Then there's the software writer part of the Windows culture. Many
software companies are still writing software which won't run at all or
not properly unless you are running as administrator - meaning users are
forced to run insecurely if they want to run some software. But then
again, since when you create new users on XP, they are Administrator by
default, software houses can get away with it because users are insecure
by default anyway. Note in the Mac OSX world and the Linux/Unix/BSD
world, new users aren't root by default. (In fact, OSX comes with the
root account *disabled*).
Finally, there's the usual things such as Outlook making it very easy to
just click on email attachments to *run* them. The basic OS
architectural problem that just giving your file an .exe extension makes
them executable, and therefore if you find another bug like the MIME
bugs OE suffered from, you can leverage it to make executables attached
to email run automatically.
Of course, there are many users who can be socially engineered to run
anything (people download and run spyware voluntarily, and it's not even
emailed to them!) which would be a problem regardless of which OS is
run.
As for security culture, consider this. Although Apache by far and large
is the most common web server, all the serious exploits so far have been
for the minority web server - IIS (Code Red et al.) I'm still getting
hits from attempted Code Red infections. Perhaps there is something to
the differing security cultures since in an area where Microsoft are a
decided minority, they *still* are the attack vector of choice?
--
Dylan Smith, Castletown, Isle of Man
Flying:
http://www.dylansmith.net
Frontier Elite Universe:
http://www.alioth.net
"Maintain thine airspeed, lest the ground come up and smite thee"