"Dylan Smith" wrote in message
...
> The problem with Windows is cultural. Windows comes from a single user,
> single tasking culture - and many of its features have been added on
> without regard for the fact they might be connected to a public network.
> [...] if you buy a brand
> new Windows package with all the latest updates, it STILL has the RPC
> ports open by default, despite all the worms that have exploited holes
> in it!

True. Things should be shut down by default, not open. However, as you
say, this is a cultural thing. For any software company, and especially for
Microsoft, one of the biggest cost centers is customer support. Most of the
calls are for stupid things like "what icon do I click to read email"?
Cost-wise, in the past, it has been much less expensive to enable everything
by default, so Microsoft doesn't have to answer phone calls that are
basically just asking how to turn the light switch on.
I disagree that it's ALL Microsoft's fault. It's mostly simple economics.
Of course, now security issues are touching the bottom line, generating
plenty of bad press. They are now more important than saving some money
over at Product Support Services. This is a good thing.

> Then there's the software writer part of the Windows culture. Many
> software companies are still writing software which won't run at all or
> not properly unless you are running as administrator - meaning users are
> forced to run insecurely if they want to run some software.

I'd be curious to see what happened to the Windows Logo program. It was
instituted when Win95 was released, and had a long list of strict
requirements a program had to meet, otherwise the Windows logo could not be
displayed on product packaging. I know in the year or so after, it got
watered down a lot.
I haven't checked up on it lately to see if it's still around, or what it
requires if it is. It ought to require that software run under restricted
accounts unless there's a good reason for them not to.
IMHO, end-user software that requires the user to be admin should be taken
out and shot. There's even software out there now that actually *checks* to
see if you're admin, and refuses to run if you're not. This prevents people
who know how to modify security settings from allowing the software to run
(usually all that needs to be changed is access rights to a single
subdirectory and/or registry key).
No difference here from other single-user paradigm environments though, the
Mac being one. MacOS X has required a major learning curve from the old Mac
camp, just as XP is requiring from the old Windows camp.

> Finally, there's the usual things such as Outlook making it very easy to
> just click on email attachments to *run* them. The basic OS
> architectural problem that just giving your file an .exe extension makes
> them executable, and therefore if you find another bug like the MIME
> bugs OE suffered from, you can leverage it to make executables attached
> to email run automatically.

As opposed to Unix where you can attempt to run ANY file, regardless of
extension? I'm not sure what your point here is.

> Of course, there are many users who can be socially engineered to run
> anything (people download and run spyware voluntarily, and it's not even
> emailed to them!) which would be a problem regardless of which OS is
> run.

And it is a problem. The vast majority of viruses and worms are dependent
solely on human factors. In fact, some of the most successful viruses
contain no code at all. They are just plain text email messages.

> As for security culture - consider this. Although Apache by far and large
> is the most common web server, all the serious exploits so far have been
> for the minority web server - IIS (Code Red et al.)

See my other message.
Pete