Now Hear This: Viruses are a Windows Problem

    I have received message after message from people asking me, "Since you seem to know so much about computers, I was wondering if you could tell me how I can keep my computer safe from hackers?" I can't tell you how many of these I've received over the years. Easily hundreds. Perhaps a thousand. Every time I take part in a conversation on this forum, I inevitably have a message waiting in my Myspace inbox asking this question again.

    I'm thirty years old now and I remember using computers since I was four. From a Sorcerer to C64 to Kaypro III to PC. From CP/M to DOS to OS/2 to NetWare to UNIX to Windows. I can program in at least seven different programming languages. I don't just know how to set up a web server, I have written web server software. Over the years, I have developed software for Windows as well as NetWare, OS/2 and UNIX variants.

    That's who I am, this is my background and here it is folks. The short answer:

    Stop using Outlook, Internet Explorer and Windows -- in that order of importance.

    No, I'm not joking. And I'm not exaggerating either. I'm dead serious. You use Windows at your peril. If you don't know how to protect your computer, if you are a computer newbie/novice, if the idea of becoming intimately familiar with how your computer works or if you are the type of person who leaves messages in my and other people's inboxes asking for security advice, STOP USING WINDOWS NOW. Spend the extra money and buy a Mac or spend some time learning how to use Linux or BSD.

    If you don't want that answer, then don't ask the question. While it's true that no operating system is safe, if you use IE and Outlook on Windows because "that's what came with my computer," you are doing something that for computers is conspicuously similar to sticking hypodermic needles you found on the ground in Times Square straight into your neck morning, noon and night each and every day all year round.

    It's not as simple as a one-time patch or service pack that needs to be applied. There are fundamental design flaws at work here. And I can hear you starting to say, "But... but... but..." You want to play your games but still be safe. You want your calendaring but still be safe. Guess what? That's not an option for you. You can play the newest games easily and be insecure or go through a lot of pain and education. You can have your calendaring only while leaving a big, fat sign on your forehead that says, "Hack me please." The folks that know about the issues and can effectively mitigate those problems -- people commonly referred to with such terms as computer geeks, programmers and system administrators -- still have the sign on their foreheads saying, "Hack me please." The difference is that they know the computer equivalent of Karate, Kung Fu and Gracie Jiujitsu.

    When you ask me and others like me how to keep yourself safe, many of us know that the real answer involves teaching you the computer equivalents of Karate, Kung Fu and Gracie Jiujitsu. Most of us don't have the patience to teach you these disciplines. Hell! They took us years when we actually like spending all day in front of a computer even when someone isn't paying us.

    I'm not teaching these things to you. None of us has the time, patience or inclination. I'm telling you how to take the "Hack me please" sign off your forehead.

    -----

    More detail for those that need to know why:

    There are those that assert that Windows is hit by so many worms, viruses, trojans, malware and spyware due to its popularity.

    This is wrong.

    First, I will begin with the operating system. In Windows, file types are determined by file extension. This is a holdover from DOS and its predecessor CP/M back in the late 1970s/early 1980s. On Windows, the name determines the operating system behavior. And to be honest, this worked fairly well pre-internet. It was a simple and efficient way of identifying the files on your system. .exe is an executable program, .txt is a text file, .doc is a word processing document, etc. Double-click on the file and Windows would know what to do with it. Once the internet took off however, this system broke down.

    The net is a hostile environment. You need an extra step to say, "This is safe to execute, but this is not."

    Older systems such as UNIX use what is known as an executable bit to determine if a file is an executable program or a data file. Variants of UNIX (Linux, FreeBSD, OpenBSD, NetBSD, OS X, Irix, Solaris, AIX, etc.) still use this executable bit to this day. This executable bit is part of what is commonly referred to as file metadata. File metadata includes things like when a file was last modified, when it was created, who owns the file, who has the right to read/write, etc.

    Windows lacks an executable bit. There is no common mechanism for determining whether a file can be safely run or not. And just so we're clear at this point, the executable bit is older than DOS. A solution to this problem existed before DOS and Windows were even written.

    In addition, as a single-user, desktop operating system, Windows wasn't built with security even as an afterthought. The person at the keyboard, any person at the keyboard, could do anything to the system. This meant that anything the user did wrong could potentially disrupt the system.

    In some corporate environments, later, more robust revisions of Windows (NT, 2000, XP) could be made to be "locked down," but this required a knowledge and expertise that many businesses did not have available let alone the typical home user.

    Other operating systems were different though. They would have what is known as a privileged user (commonly called "root") to perform certain system tasks with everyday users just using what was available. Even if a system had only one person using the machine, the system acted like it had two users: the privileged user and the normal user. You can see this in action in OS X whenever you do a software update. You are asked to provide your password so that you can act as a privileged user in order to update the system. A random virus on the net wouldn't know your password and so couldn't infect your system.

    Then of course there are the popup windows that would appear on people's desktops at random. Some of them were even so crass as to say, "Stop unwanted popups by clicking here."

    This went on for years without being fixed.

    The fix of course was to turn off the Messenger service by default, a service only useful in some corporate environments anyway. Instead, desktop users were expected to open up the Windows registry and toggle a flag manually. Bear in mind, these are usually the same users that are generally afraid that if they press the wrong button, their computer will blow up.

    -------

    Now let's go on to Internet Explorer. I could go on and on about how this particular browser has recently made my life a living hell at times because of its quirks and failure to implement standards (or improve much at all since they effectively killed Netscape). But that's not the point here.

    There was something even worse going on under the surface. The internet was born on UNIX, not Windows. The idea of file extensions doing as much as they do on Windows didn't occur to the designers of email and the web. They were trying to solve their own problems, not solve Windows'. One of the concepts born of solving their own problems was the MIME type. I won't bore you with the details, but this MIME type tells the client what a file is -- without regard to the file name/extension.

    I feel that I need to repeat that last part so that it sinks in. The MIME type tells the client what a file is -- without regard to the file name/extension.

    But Windows used to execute things solely based on its file extension. By adding support for MIME types, people who were used to looking at a file and knowing what it did suddenly couldn't be sure what was safe and what wasn't anymore. In fact, they couldn't unless they had a great deal more than a basic knowledge of how Windows worked. When faced with this ever increasing complexity, most folks just threw up their hands and hoped for the best.

    Then, to add insult to injury (and to combat a challenge by Netscape and a new technology known as the Java applet), ActiveX was added to Internet Explorer. This technology was a drastic change from the rest of the internet up to that point. While email, name services, the world wide web and other protocols were written so that any computer -- UNIX, Mac, Windows, etc. -- could use them and work together, ActiveX would only work on an Intel-compatible computer running Windows. This was because ActiveX was really just the Windows API exposed to a web page. Executable code.

    As I've covered before, the net is a hostile environment. To their credit, Microsoft required that ActiveX controls be digitally signed before they were installed. Unfortunately, that signing process as well as the mechanism to verify those digital signatures has been far from perfect. So what did we have? Arbitrary code running on your machine simply by visiting a web site.

    Remember the Messenger service I mentioned earlier? When Internet Explorer was formally integrated into the operating system, Messenger used the IE engine for its popups. Individually, they were a security hole waiting to happen. Together, they were a security nightmare. Just by having your computer connected to the internet and doing nothing else -- no email, no web browsing, no IM, no file sharing -- your computer could be hijacked. And what usually happened once your computer was hijacked? It would look for other computers on the internet to hijack. It made you an unwilling and unknowing accomplice.

    -------

    Moving on to email, Outlook (and its little brother, Outlook Express) are responsible for more email exploits than all other email clients combined... at least times ten. People just assume that since email attachments can cause bad things, it's the attachment's fault, not Outlook.

    This is also wrong, but not all Outlook's fault.

    First off, Outlook uses the Internet Explorer rendering and scripting widgets to display email. So many of the bugs you find in Internet Explorer have crept into Outlook as well. The vulnerabilities inherent to Windows only serve to further compound the situation.

    Outlook, in the effort to make things "easier" for the user, used to just allow the user to click on a virus attachment. Then, they added a dialog box to "warn" the user that it might not be safe. But then virus authors found that they could actually execute scripts within the emails themselves. These scripts even executed the attachments automatically without the user's help.

    I want to make it clear to people reading that this also went on for years.

    Microsoft put in patches that incrementally tightened up security but never quite addressed the underlying design defect -- a flag to say that a file was in fact safe for execution.

    Let's take a look at what would happen on an OS X Mac on the other hand. (Note: this is about the same for every operating system/email client combination outside of Windows.) An email with a virus is sent to your inbox. Your email client shows that there's an attachment to the email. First of all, just by viewing the email, you will not execute the attachment. Ever. This was a stupid design decision only perpetuated by older versions of Outlook. Next, you click on the attachment. The client checks the MIME type. The filename and extension are *completely* ignored. If the MIME type is executable, it asks if you want to save the file to your hard drive. Once on your hard drive, just double-clicking the file will not run the file. There is no executable bit set on the file. So for some odd reason, you set the executable bit. Then you double-click and run it. But you aren't a privileged user by default. It could delete files in your home directory (your own damn fault by the way because you explicitly set the execute bit), but it can't wipe out your system or infect your system binaries with a virus. You would have to first sign on as a privileged user and then run the program.
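The two mechanisms the post keeps returning to (the MIME type or content deciding what a file is, and the execute bit, not the name, deciding whether it can run) are shown here as added example code that is not from the original post. The magic-byte table, the attachment bytes and the file name are constructed for illustration; the walk-through also covers the "you set the executable bit" step above.

```python
import os, stat, tempfile
# Constructed magic-byte table (an assumption for this example, not a complete list).
MAGIC = {
    b"MZ": ("executable", "application/vnd.microsoft.portable-executable"),
    b"\x7fELF": ("executable", "application/x-executable"),
    b"%PDF": ("document", "application/pdf"),
}

def kind_from_content(data: bytes) -> tuple:
    """Classify the bytes the way a MIME-aware client would: the name is never consulted."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.isascii():
        return ("text", "text/plain")
    return ("unknown", "application/octet-stream")

def kind_from_name(name: str) -> str:
    """Classify the DOS/Windows way: the extension alone decides."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"exe": "executable", "com": "executable", "txt": "text", "pdf": "document"}.get(ext, "unknown")

def is_executable(path: str) -> bool:
    """UNIX view: an execute bit in the mode, not the name, makes a file runnable."""
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def save_attachment(name: str, data: bytes) -> str:
    """Write the attachment to a fresh directory with no execute bit, as a mail client saves it."""
    path = os.path.join(tempfile.mkdtemp(), os.path.basename(name))
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)
    return path

def set_execute_bit(path: str) -> bool:
    """The explicit step a user must take on UNIX before the saved file can run at all."""
    os.chmod(path, 0o755)
    return is_executable(path)

def triage(name: str, data: bytes) -> dict:
    """Compare what the name claims, what the content is, and whether the saved file can run."""
    by_content, mime = kind_from_content(data)
    by_name = kind_from_name(name)
    path = save_attachment(name, data)
    return {"name_says": by_name, "content_says": by_content, "mime": mime,
            "mismatch": by_name != by_content, "runnable_as_saved": is_executable(path), "path": path}

# Constructed sample: a PE ("MZ") header behind a harmless-looking name.
SAMPLE = ("holiday_photo.txt", b"MZ\x90\x00" + b"\x00" * 60)
```

Running `triage(*SAMPLE)` reports the name as text and the content as an executable, with the saved file not runnable until `set_execute_bit` is called on it.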

    Of course, this assumes that the evil program was written with your operating system -- and commonly your computer hardware type -- in mind. A Windows virus for a PC cannot infect a PowerPC-based Mac and vice versa.

    To reiterate, you would have to be both technically knowledgeable and mind-bogglingly stupid to be affected by an email attachment when using anything but Windows.

    I understand that many people use Outlook for its calendaring features. If you do and are willing to take the risk, that's your decision. If you don't use the group calendaring features of Outlook -- and I want to make this perfectly clear -- you have no good excuse for using Outlook.

    Use any alternative. Eudora. Mozilla Mail. Thunderbird. These are all available on Windows and many many more.

    -------------------------------------------

    Security is important for everyone. Even if you're one of those people who says, "But I don't have anything private or important on my computer. If a hacker gets into my computer, what difference does it make?"

    1. How much did you spend on anti-virus software?
    2. How important is your privacy?
    3. How much do you spend on an internet connection per month?
    4. How much time do you spend on spam?


    Yet another point I want to make clear: The anti-virus software industry exists solely because of design defects of Microsoft products when exposed to the internet. If the defects in Windows were fixed today, the anti-virus industry as we know it today would collapse. If everyone dumped their PC and bought a Mac, the anti-virus industry as we know it today would collapse. If people installed Linux or BSD in place of Windows... you know the routine.

    Having your computer be easily compromised doesn't just mean viruses. It also allows unscrupulous marketeers to monitor the web sites you visit, put ads up on your desktop while you are busy doing other things (even when you're not connected to the internet at the time), and collect credit card or bank information to use at their leisure or sell to others.

    If you are on a modem and your system gets hacked, say goodbye to the internet. You thought it was slow before? Just wait until your machine starts spitting out hundreds of pieces of spam. And if you have a broadband connection, do you know what that means? It means that you can send hundreds of thousands of pieces of spam and infect a thousand computers and never know.

    Which brings me to my final point. If you use Windows, Internet Explorer and Outlook, you are likely part of the reason why we all get hundreds of offers for Rolexes and kinky sex in our email inboxes. Yes, you!

    Every time you look at your email and see, "Your loan pre-approved," I want you to thank Windows. Every time you see:
    I'm a young 22 Y.O. lady looking for fun !
    Nothing serious for now but who knows where it might get us !
    I also got a webcam
    I want you to thank Windows. Every time you get an email that says, "Your computer is vulnerable. Just click on the attached file to fix," I want you to thank Outlook.

    Scared yet? Good. Stop doing it.

    I'm tired of my inbox being full of spam, and it's YOUR FAULT. I'm tired of my web server logs being filled with attempted IIS exploits, and it's YOUR FAULT. I'm not saying this because I'm bitter although I am bitter. I'm not saying this to make you feel bad although I want you to change your behavior.

    And while you're at it, tell your parents, children, aunts, uncles, grandparents, cousins and friends that it's their fault too.

    IT'S YOUR FAULT! NOW STOP HURTING EVERYONE!
