Sunday, July 29, 2007

Hasta la Vista, part 3: Of Windows security and other oxy-morons

If you happen to be a regular reader of my blog you know I have this thing with editors, especially when they are reporting on IT developments (a subject I know a thing or two about). The point is, I find most of them either too dumb or too corrupt. I've also reported on the ethics of Open Source FUD, and compared to the ethics editors should follow, I'm not even doing too badly:
  • Test the accuracy of information from all sources and exercise care to avoid inadvertent error. Deliberate distortion is never permissible.
  • Distinguish between advocacy and news reporting.
  • Distinguish news from advertising and shun hybrids that blur the lines between the two.

Why do you give Microsoft a platform to spread its FUD? Why are you guys deliberately spreading FUD? Where is the independent research journalism you were so proud of in the past? Are you really thinking you're objectively reporting about the world around you and what is actually happening there?
  • Support the open exchange of views, even views they find repugnant.
  • Tell the story of the diversity and magnitude of the human experience boldly, even when it is unpopular to do so.
  • Give voice to the voiceless; official and unofficial sources of information can be equally valid.
  • Diligently seek out subjects of news stories to give them the opportunity to respond to allegations of wrongdoing.
We're already happy when some comments make it past the moderator. An editor – or any other IT journalist, for that matter – hardly ever asks an Open Source proponent for comment. You just pick up the press releases – or worse, download them so you don't have to type them in – and copy them into your word processor. I must admit it saves a lot of time, but whether that is true journalism remains to be seen.

Exhibit one. Where was the news coverage of Linux in 1999? Most people – including me – still thought it was an experimental, command-line-driven system. I was considering a Windows NT system when I bought a German magazine and found out Linux was a perfect replacement for Windows 3.11. I installed it in February 2000, and after a few months I booted Windows 3.11 perhaps once a week to play a DOS game or scan a picture. A real history of "telling the story of the diversity" and "giving a voice to the voiceless", huh?

Exhibit two. Linux coverage in the Netherlands has been abysmal, to say the least. Most Dutch magazines don't seem to see the difference between "Freeware" and "Open Source", although they acknowledge there is something out there that is called "Shareware". The only Linux question you'll ever see is "How do I uninstall Linux?", and the only Linux articles that are published carry headlines like "Is Linux, after all these years, still not ready for the desktop?" Main argument: "Most people use Windows", which is true, and if you won't do your duty as a journalist, it will stay that way.

Of those magazines, Computer!Totaal really isn't the worst. They even know there is something out there called Open Source, and every once in a while they do report on how to use Linux to set up some kind of server. Some editors are willing to discuss matters at length with you, which is a good thing. However, the editorial of the September issue is one of the worst I've seen in a long, long time.

José Pauty argued that buying a safe computer makes no sense. People are just too stupid for such devices: they visit phishing sites, click on every attachment and install ActiveX components. Secure computers are a waste of money.

And someone like that calls himself – to avoid prejudice, I hope it is a guy – an editor. It is an excellent example of how some editors can spin out of control and write pure nonsense if they are not subjected to proper peer review. Think about it: you don't need to buy a decent lock since you always open up when the doorbell rings. Better, why buy a door at all? All houses are vulnerable anyway. Hey, in most cases people even know their assailant. The only way you can secure your house is to wall yourself in. Security? Better save yourself the money! It can't be done!

Still, I can laugh about such ignorance, until blatant lies pop up. "Linux just seems more secure because there are so few Linux systems." That is FUD, and if you're a competent editor, you know it is FUD. Why? Well, when it comes to web servers, the biggest target is Apache, the Internet's server of choice, even after Microsoft's attempts to bring its share down. Attacks on Apache are nevertheless far fewer in number and cause less damage, and in some cases Apache-related attacks have their most serious effect on Windows machines. Attacks are of course aimed at Windows because of its number of users, but its design makes it a much easier target, and makes it much easier for an attack to wreak havoc. Windows' widespread (and often unnecessary) use of features such as RPC meanwhile adds vulnerabilities that really need not be there. Linux's design is not vulnerable in the same ways, and no matter how successful it eventually becomes, it simply cannot experience attacks at the levels Windows does, inflicting similar levels of damage.

Why is Windows so vulnerable? There are several reasons for that. First, Windows has long been hampered by its origin as a single-user system. Windows was originally designed to allow both users and applications free access to the entire system, which means anyone could tamper with a critical system program or file. That means viruses, Trojans, spyware and other malware can do that too. Windows Server 2003 makes more progress toward true multi-user capabilities, but even Windows Server 2003 hasn't escaped all of the leftover single-user security holes. That's why Windows Server 2003 has to turn off many browser capabilities (such as ActiveX, scripting, etc.) by default.

Second, Windows is monolithic by design, not modular like Linux and OS X. These architectural models have very deep security implications, one being that a monolithic system tends to make security vulnerabilities more critical than they need to be, since every flaw in a piece of the system is exposed through all of the services and applications that depend on that piece. For example, when Microsoft integrated Internet Explorer into the operating system, Microsoft created a system where any flaw in Internet Explorer could expose your Windows desktop to risks that go far beyond what you do with your browser. A single flaw in Internet Explorer is therefore exposed in countless other applications, many of which may use Internet Explorer in a way that is not obvious to the user.

If you are a Windows user and you're reading this using Internet Explorer, I can only advise you one thing: go to the nearest Firefox distribution point, get the 5 MB package, install it and come back. Still reading this? Getting a bit red in the face? Think I'm unfair? Well, I challenge you to copy a few credit card numbers to your clipboard. It would be very nice if you'd add some PIN codes too. I'm doing this too on my Linux/Firefox workstation, don't worry. It won't infect your Windows installation in any way; it just shows how information can leak out – and it works with other information too, not just credit card numbers. Now click this link. Still so happy with Windows and Internet Explorer? Still think I'm unfair? Here is how it works. And note this is only one of Internet Explorer's vulnerabilities.
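The clipboard leak above, modelled as an added example that is not from the original post: it assumes the legacy Internet Explorer `window.clipboardData.getData("Text")` API (which the post does not name) and stands in constructed window objects for IE and Firefox so it runs under Node; it only ever keeps the last four digits of anything that looks like a card number.

```javascript
// Added example (not from the original post). Models the legacy IE behaviour
// where any page script could read the clipboard with no prompt and no user
// gesture, and what such a page could recover from it. Browser objects are
// constructed stand-ins so the code runs under Node without a real browser.

// Luhn checksum: true if the digit string is a valid payment-card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed) that pass Luhn and return
// them masked down to the last four digits; a demo page should keep no more.
function findMaskedCards(text) {
  const found = [];
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) {
      found.push("*".repeat(digits.length - 4) + digits.slice(-4));
    }
  }
  return found;
}

// Legacy IE exposed window.clipboardData.getData("Text") to every page;
// Firefox of the same era had no such property, so the read simply fails.
function probeClipboard(win) {
  const cb = win.clipboardData;
  if (!cb || typeof cb.getData !== "function") return { exposed: false, cards: [] };
  const text = cb.getData("Text") || "";
  return { exposed: true, cards: findMaskedCards(text) };
}

// Constructed stand-ins: an IE-like window whose clipboard holds a valid test
// card number plus a 16-digit run that fails Luhn, and a Firefox-like window.
const ieLike = {
  clipboardData: {
    getData: (fmt) => (fmt === "Text"
      ? "card 4111 1111 1111 1111 pin 1234 and 1234567812345678" : ""),
  },
};
const firefoxLike = {};
```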

And last, but not least, because of the horrible quality of coding at Microsoft itself. This blog really shocked a few people when it came out. And don't think Vista will do much better. Apart from being nagged by UAC popups, it will only get worse, since Microsoft has decided security cannot be left to third parties. Well, that feels good, being totally dependent on Microsoft for your digital security.

Some Windows zealots boast that Windows has C2-level security, but what few people know is that this is only valid in a standalone configuration – yes, that means no network – and no floppy. Microsoft acknowledges this on its site, but hides the actual information in an executable or buries you in a lot of information. It bashes Novell and lists C2 requirements extensively, only to say in the middle of a paragraph that "this means that the evaluation of Windows NT Server as a standalone system (..) is complete, and that the evaluation of the networking functions (..) is still in process".

OK, let's wrap it up. I think it is clear by now that Windows security was primarily designed for a single-user, stand-alone operating system. For a long time Microsoft focused on selling software, as much as possible and as fast as possible. Proper design and good coding had to take a back seat. Instead of fixing these fundamental problems, Microsoft has continued to add kludges, which in essence don't solve anything. It was not until after several attacks had decimated Windows installations that Bill Gates declared that security was the topmost priority.

That was January 2002. And what did Microsoft do after these disasters? Did they scramble and fix the problem? No, they spread more FUD, and more FUD, and still more FUD. Up to this day. And the big news sites sat up and barked happily along whenever Microsoft issued another boring, FUD-ridden press release, instead of doing what they should be doing: proper research of their own.

We've come full circle here. In the next and final part of this series I'll be delving into the dark, murky dungeons of Windows backdoors. Don't believe they are there? I'd be most surprised if they weren't there, and so will you.