Archive for February, 2009

Windows security – there are no guarantees

Friday, February 20th, 2009

This isn’t some sort of pro-Linux rant, but rather a general security rant, so take it as such.

With regard to security, Windows is provided “AS IS”. Show me one place where Microsoft makes even the slightest guarantee about security. The product was never engineered to be secure from the beginning, and barring a complete rewrite, it never will be. They’re not dumb, they know it’s not very secure, and they don’t advertise it as such. They don’t need to “disclaim liability”; the courts need to prove why it should be assigned to them in the first place.

Anyone who has an expectation of security in Windows is a sucker, plain and simple. Think about the common excuses: “99% of our customers use it so we have to also.” “We store all our data on it, it OUGHT to be secure.” “It’s too expensive to switch to something else.” You choose to use Windows, you get what you pay for. If you failed to do proper research and just created an assumption of security inside your head, it’s your own fault. Quit whining about it.

Everyone wants to sue Microsoft just because they exploit human stupidity, and they’re really good at it. Great use of the court system.

Unix security is generally not an issue because it was designed with security in mind from the very beginning. Windows was never set up with multiple user accounts in mind, nor was it set up with security in mind. This is not necessarily a bash on Windows, it’s just a fact of how it was designed. Multiple user accounts separated from the root account and mandatory secondary user account creation are definitely two very strong points that assist in Unix security. The Linux and BSD families were based off of Unix, so those two “variants” were also designed with security in mind from the beginning.

Now that Windows is, and has been, pretty much the most used operating system amongst home users and businesses, Microsoft has to backport their operating system to obtain the security that the internet demands. Since home users and businesses rely on Windows now and are pretty much locked in to requiring Windows and Microsoft software, Microsoft knows that they can just keep patching their shoddy software rather than doing what should be done – a complete rework from the ground up.

What’s worse is that even if a security flaw is found, Microsoft still only releases patches on “patch Tuesday”. That’s right, you have to wait for them to create the patch rather than having several agencies able to view their source code and create a patch for them or work with them toward creating a patch. If you think about that for a second, a virus writer could take advantage of a flaw and create a worm/virus and take over thousands and thousands of Windows machines in no time…all while waiting for Microsoft to create a patch. Yes, this has happened several times in the past and has had devastating effects on everyone using the internet, from “slowing down the internet” because of bandwidth-consuming worms (think Code Red, Blaster), to receiving tons of spam in your inbox every day (think Beagle, Sobig), to computers being rebooted every few minutes without user intervention (think Zotob). So while worms generally don’t directly affect Unix-based machines, they affect them indirectly: worms attempting to propagate consume resources, and Unix-based machines receive the payload (spam) of worm-infected machines.