Computer Security - Anything But Windows. Seriously.
2009-Sep-09, Wednesday 14:31
Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:
AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities
Product: Windows TCP/IP
Publisher: Microsoft
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.
This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.
Unix is designed from the ground up with a highly layered security approach. In the layers where security is critical (i.e., the "kernel", the part of the OS that deals with the computer hardware and can therefore do things like snoop passwords or steal data from anyone on the machine), the programmers tend to be very careful. Most of that code is not actually new: it has been inspected heavily by many people over the decades the technology has existed, and tested by lots of people who are pretty crazy about security and think about it a lot.
Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best: Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.
Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.
But on Windows - none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote hacker, the remote hack will disable your anti-virus software, and install a bunch of stuff that will keep your computer broken and hacked, permanently.
If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.
So, if you care about having a secure computer, don't use Windows. Ever. Really.
If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.
(no subject)
Date: 2009-09-09 11:51 (UTC)
Run personal systems behind a firewall and don't click on random crap like a drug-addled monkey and you'll generally be OK. Be at least minimally picky about what software you run -- no, Outlook Express is not a good option, and yes, there are still people using that particular plague-ship -- and you are probably going to be fine.
(I've run any number of shoddy-OS systems this way over many years, and the only time I've ever had any sort of problem was my own damned fault.)
(no subject)
Date: 2009-09-10 02:24 (UTC)
- AV controller finding out about a new virus and blocking it before you get attacked by it
- AV software doing something bad
Personally, I think that the risk of AV software doing something bad is low - they have pretty strong incentive to make as sure as possible that they avoid such failures.
I also think that whilst there are no known active Mac viruses out there at the present time, I like that if someone sends me a word doc with a macro virus, I'll know about it, even though I'm not affected by it. And that's not a theoretical example - I've been sent such documents.
You're right though - do what you say and you'll mostly be alright. Especially if you go for known relatively reputable software download locations, rather than doing silly things like downloading from "hackedsoftware.com.invalid". :-)
(no subject)
Date: 2009-09-10 08:09 (UTC)
As it happens I'm not sharing documents around the place so macro viruses are not something I worry about. On the very rare occasions when I need to work on such a shared document from a home machine I'm doing it with Google Docs.
(At work we've got mandatory AV and so on, but we're also running Windows XP desktops.)
(no subject)
Date: 2009-09-10 08:01 (UTC)
Ubuntu 9.10 will, when you double-click on an .exe, ask if you want to install Wine ... and will fetch ClamAV as well. Remember that any program running in Wine on Linux can easily int 0x80 its way out of the .wine directory ... WHAT COULD POSSIBLY GO WRONG.
(no subject)
Date: 2009-09-10 08:06 (UTC)
These days just doing a naive scan out-of-hours isn't enough if you're taking viruses seriously as a threat, you need wacky always-on slow-things-down-and-open-some-holes-ware instead to really properly trash your system.
(no subject)
Date: 2009-09-10 08:07 (UTC)
Though both have been virused by crap received over MSN and had their machines reimaged. And both have been warned that next virus, they get Ubuntu whether they like it or not. MUWAHAHA.
(no subject)
Date: 2009-09-10 08:10 (UTC)