How to make your Windows machine more stable and secure

jtpenrod:

--- Quote ---
I'm not a believer of the "computer is a media center" ideology. I think a computer is a general purpose tool, particularly practical for all sorts of automation and computation. If people want to use computers yet are unwilling to learn to use them, they should be given Live CDs to boot from along with their internet connectivity subscription, and a new CD mailed in every month. It could run on Xbox. This would eliminate a lot of the problems, and the real computer users could focus on actually using the computer.

--- End quote ---


That would be a good thing. After all, you don't need much more for doing what most folks do: send/receive E-Mails, 'Net surf, balance the checkbook, write the occasional document. They tried selling these "web appliances" years ago, but they didn't go over so well. Probably because the advertising was unintentionally offensive by implying that even stupid, nosey old ladies could use them.

--- Quote ---
Basically, I think windows haters are just ignorant, and want to see if this hypothesis holds true.
--- End quote ---

I would tend to doubt that highly. Except for the long-term Mac users, everyone here is either an ex-Windows user or are seeking to leave the Windows world. Even a dedicated Mac user has probably been exposed to Win-whatever at some point or other. The fact that a web site like this could have been started, and last as long as it has, demonstrates that Microsoft has created plenty of highly dissatisfied customers. Simple "ignorance" or "Bill Gates jealousy" isn't going to sustain the haters for very long. The regulars here are a tech-savvy collection of "geeks" who simply don't appreciate unstable, insecure, poorly designed systems.


--- Quote ---
So, would you be so kind to entertain me, and tell me why you think windows is such a bad OS? To narrow the focus, I'm only talking about the NT series (Windows 2000 and 2003 particularly), and just the operating system.
--- End quote ---

What else can one say about an op-sys that depends so heavily on third-party apps to overcome its inherent design flaws? An entire industry exists for no other purpose: companies such as Symantec, McAfee, Lavasoft, do little else:

--- Quote ---
Profile
Symantec is the global leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec's Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, Calif., Symantec has operations in more than 35 countries.

about Symantec

--- End quote ---

These companies would not exist had Win-d'ohs been designed properly from the get-go. What better testament to the piss-poor engineering of the beast is there? Then there's IIS (Internet Information Services) which has become notorious for its security flaws, and behaves more like a worm propagator than a server.


--- Quote ---
Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Vulnerability Note VU#713878

--- End quote ---


When the gov't itself simply gives up and recommends that everyone quit using Inter-nut Expl-Horror, you know that there are some serious problems here. This is inexcusable. If I'm asked to spend far more for something like Win-XP (then put up with WPA, the phone-home "daemons", the nag-ware) than I'd spend on even the priciest Linux non-enterprise OS, I damn well expect better than that. Nor do I like the idea of forking over even more $$$$$ to get those third-party anti-virus apps, the adware and spyware killers, and the rest of the Norton System Works suite just to keep the damn thing running. I get a helluvalot more from Linux for a helluvalot less.

Then there's the question of doing programming. When I wanted to get into this, I had to fork over some $100 for the Borland C++Builder suite of programming apps. The only reason I got it so "cheap" is that this was in early 2000, on the eve of the initial release of Win-XP, and Borland was unloading them for whatever they could get as it wouldn't run on XP anyway. Linux (except for Linare :mad: ) OTOH, includes everything you need to code Linux apps. And let's not forget that you will need to pay extra for other apps, such as the MS Office suite. You get word processors, office apps, art programs with just about any Linux distro, right there on the install CDs. Linux is just a better value.

And we haven't gotten into the business "ethics" of MS itself. The Halloween Documents would be a good place to start as for looking into this.

Yeah, I have lots of reasons for disliking Win-Doesn't and its parent company.  :p

muzzy:

--- Quote from: jtpenrod ---Basically, I think windows haters are just ignorant, and want to see if this hypothesis holds true.

I would tend to doubt that highly. Except for the long-term Mac users, everyone here is either an ex-Windows user or are seeking to leave the Windows world. Even a dedicated Mac user has probably been exposed to Win-whatever at some point or other. The fact that a web site like this could have been started, and last as long as it has, demonstrates that Microsoft has created plenty of highly dissatisfied customers. Simple "ignorance" or "Bill Gates jealousy" isn't going to sustain the haters for very long. The regulars here are a tech-savvy collection of "geeks" who simply don't appreciate unstable, insecure, poorly designed systems.
--- End quote ---

Tech-savvy or not, I've found that most windows haters simply do not understand how windows works. I won't defend Microsoft as a company, although I think the US government is partially to blame for the inability to cut MS into pieces. A lot of problems with Microsoft come from the fact that they're so damn big and so damn rich, that they can do pretty much anything they want to.

I've found windows to be fairly stable, quite secure, and many parts are well designed. Unfortunately, microsoft values backwards compatibility more than security, so there are some total braindead things around left from single user win16 times. I wish they'd go away, however the problem only relates to win32 apis and the concerned executive subsystem. If some day we can throw that away and move completely to .NET, a lot of the problems will just simply disappear.


--- Quote from: jtpenrod ---
So, would you be so kind to entertain me, and tell me why you think windows is such a bad OS? To narrow the focus, I'm only talking about the NT series (Windows 2000 and 2003 particularly), and just the operating system.

What else can one say about an op-sys that depends so heavily on third-party apps to overcome its inherent design flaws? An entire industry exists for no other purpose: companies such as Symantec, McAfee, Lavasoft, do little else

These companies would not exist had Win-d'ohs been designed properly from the get-go. What better testament to the piss-poor engineering of the beast is there? Then there's IIS (Internet Information Services) which has become notorious for its security flaws, and behaves more like a worm propagator than a server.
--- End quote ---

I'm afraid these companies' existence isn't completely dependent on issues with Windows. There have been several viruses out there which have depended on tricking the user to run the attached executable. Users don't understand the consequences of running untrusted binaries, and shit happens. Vulnerabilities exist in a lot of software, and pretty much all modern operating systems are equally vulnerable by design. Windows just happens to get all the attention because worm propagation efficiency is linearly proportional to vulnerable userbase squared. If you're ten times as popular as the other guy, you get hundred times more problems.

There have been several vulnerabilities in apache, mysql and other alternative applications that would've allowed for worm propagation, had the application been more popular. Obviously this is a weakness of a monoculture, but it's also a weakness to the compilers and languages used today. C and C++ are both specified in a way that encourages unsafe code generation. What's up with a language that specifies operations that result in undefined behaviour, which in practice can mean execution flow being diverted? I'm aware that there is a place for such languages, but most applications should be written in high-level languages such as C#, Java, Python, Ocaml, etc... The problem isn't a Microsoft specific one.


--- Quote from: jtpenrod ---When the gov't itself simply gives up and recommends that everyone quit using Inter-nut Expl-Horror, you know that there are some serious problems here. This is inexcusable. If I'm asked to spend far more for something like Win-XP (then put up with WPA, the phone-home "daemons", the nag-ware) than I'd spend on even the priciest Linux non-enterprise OS, I damn well expect better than that. Nor do I like the idea of forking over even more $$$$$ to get those third-party anti-virus apps, the adware and spyware killers, and the rest of the Norton System Works suite just to keep the damn thing running. I get a helluvalot more from Linux for a helluvalot less.
--- End quote ---


Internet Explorer used to progress really well, until Microsoft basically stopped the development. That sucked. Thank god we have firefox around now to motivate them again. I'm using IE myself, but with activescripting and activex turned off. As such, nearly no past vulnerabilities have affected me.

I don't run any anti-virus software on my windows systems and I've been totally fine. However I have made preparations and know what to do if something bad happens. I regularly use all sorts of scanners (VICE, for example) to see that there's nothing naughty on my system. So far, I've never been infected.

Btw, I hate XP, too. That's why I'm still running w2k on this box, and w2k3 on the other. W2k3 happens to be the best windows ever, IMO, even for desktop use after proper configuration.


--- Quote from: jtpenrod ---Then there's the question of doing programming. When I wanted to get into this, I had to fork over some $100 for the Borland C++Builder suite of programming apps. The only reason I got it so "cheap" is that this was in early 2000, on the eve of the initial release of Win-XP, and Borland was unloading them for whatever they could get as it wouldn't run on XP anyway. Linux (except for Linare :mad: ) OTOH, includes everything you need to code Linux apps. And let's not forget that you will need to pay extra for other apps, such as the MS Office suite. You get word processors, office apps, art programs with just about any Linux distro, right there on the install CDs. Linux is just a better value.
--- End quote ---

You have a point there. The availability of development tools for linux is a big bonus, but the system is targeted for a whole different people than windows is. Nowadays you can always get MinGW for windows, or the commandline compiler Visual C++, for free. Scripting was always possible either way, although nearly no home users use Windows Scripting Host for anything. One of the big problems of WSH is the lack of a generic purpose GUI dialog object. So, you simply can't create GUI apps with jscript/vbscript, without a third party GUI object installed on the system.

Regarding Office apps, they're available for windows, too. If only Microsoft allowed people to make their own distributions, things would be so different. And if the OS development was separated from the rest of the club, I think they definitely would do so. Why the heck didn't they split Microsoft? Anyway, I don't have MS Office and I haven't missed it at all. I can write documents in HTML or RTF, or PDF if the layout matters.

Also, Windows ships with MS Paint. Don't diss ms paint, it's an art program too, and perfectly suitable for drawing stuff. I use it all the time myself.


--- Quote from: jtpenrod ---And we haven't gotten into the business "ethics" of MS itself. The Halloween Documents would be a good place to start as for looking into this.

Yeah, I have lots of reasons for disliking Win-Doesn't and its parent company.  :p
--- End quote ---

I can understand disliking the parent company, but IMO Windows itself is great, as are many of Microsoft's products.

PS. This post is growing long. For next reply, I'll have to drop some parts x_x

jtpenrod:
--- Quote from: muzzy ---
Tech-savvy or not, I've found that most windows haters simply do not understand how windows works.
--- End quote ---

I don't see the relevance here. What's the correlation between "understanding how windows works" and having bad experiences with it? How is such a thing even possible, considering that the source code isn't available?

--- Quote from: muzzy ---
Vulnerabilities exist in a lot of software, and pretty much all modern operating systems are equally vulnerable by design.
--- End quote ---

It's been estimated that soft contains one bug for an average of five lines of code. Not much you can do about that as bugs become something you live with once you get much beyond the "Hello World" stage of programming. However, this does not make "all modern operating systems" "equally vulnerable" by any means. Linux is certainly more secure by design, and OpenBSD is the champion of security. All are more secure than Windows, since security was a consideration from the get-go, not an after-thought.

--- Quote from: muzzy ---
There have been several viruses out there which have depended on tricking the user to run the attached executable. Users don't understand the consequences of running untrusted binaries, and shit happens.
--- End quote ---

Not much you can do about "social engineering". Big difference though: running untrusted binaries on a *NIX system will trash the user's home directory; it will not trash the entire system, if the users don't have root access. Unless privilege escalation occurs, there's not much harm that malware can do to a *NIX system. It's considerably more difficult to escalate privilege on a *NIX system than on a Win* system.

--- Quote from: muzzy ---
C and C++ are both specified in a way that encourages unsafe code generation. What's up with a language that specifies operations that result in undefined behaviour, which in practice can mean execution flow being diverted?
--- End quote ---

C/C++ were designed to meet a specific need: low-level access that had traditionally been handled by Assembly. In order to grant the maximum freedom and flexibility, it is also necessary to assume that your programmers know what they're doing. There is no excuse for creating unguarded buffers that can be overflowed. I certainly don't write such code. Don't blame the language; blame the dumbasses who aren't competent in it. A lot of the blame for this goes to "RAD environments" that all too easily lead to horrible code hiding behind pretty GUIs. Dumbed-down development environment == dumbed-down developers.

--- Quote from: muzzy ---
I'm aware that there is a place for such languages, but most applications should be written in high-level languages such as C#, Java, Python, Ocaml, etc... The problem isn't a Microsoft specific one.
--- End quote ---

Not possible. I've used such languages, however, all graphical apps written with one of these use GUI toolkits that are written in C/C++, with a "wrapper lib" to connect the Python/Ruby/Java/etc. code.

--- Quote from: muzzy ---
Also, Windows ships with MS Paint. Don't diss ms paint, it's an art program too, and perfectly suitable for drawing stuff. I use it all the time myself.
--- End quote ---

Still, it's nowhere near as capable as The GIMP.

--- Quote from: muzzy ---
If some day we can throw that away and move completely to .NET, a lot of the problems will just simply disappear.
--- End quote ---

A day I hope I never see. Not only do I see this as a kludged-up, unworkable mess (how else can you get dozens of apps all written in different programming languages to make nice?) but I do not trust these folks any farther than I can throw them:

--- Quote ---
Scenario: Client

Operating system:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT 4.0 Workstation with Service Pack 6.0a or later
Microsoft Windows NT 4.0 Server with Service Pack 6.0a or later
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 family

Note: On all these systems, Microsoft Internet Explorer 5.01 or later and Microsoft Windows Installer 2.0 or later are also required.

.NET Framework Developer Framework

--- End quote ---


See any mention that this will work on Linux, or anything else that isn't windows? :nothappy:

muzzy:
--- Quote from: jtpenrod ---
I don't see the relevance here. What's the correlation between "understanding how windows works" and having bad experiences with it? How is such a thing even possible, considering that the source code isn't available?
--- End quote ---

Bad experiences tend to be because something unexpected and frustrating happens. If you understand the system, there will be significantly less of such experiences. And so what if the source isn't available? There is documentation, and the binaries are still there to be analyzed. What, can't read disassembly? Well, not everyone can read C.

--- Quote from: jtpenrod ---
It's been estimated that soft contains one bug for an average of five lines of code. Not much you can do about that as bugs become something you live with once you get much beyond the "Hello World" stage of programming. However, this does not make "all modern operating systems" "equally vulnerable" by any means. Linux is certainly more secure by design, and OpenBSD is the champion of security. All are more secure than Windows, since security was a consideration from the get-go, not an after-thought.
--- End quote ---

In most cases, when you have admin/root access, the system is completely compromised. Further, such access is required for many applications to function. In ideal OS design, the scope of access would be minimized in all ways. In-process memory curtaining, limited visibility to filesystem, limited ability to execute syscalls, inability to directly jump into library functions, yaddayadda. If the system could enforce such fine grained access, any problems with application logic wouldn't have such a big impact. Once TCPA comes around it will be possible to implement a lot of this in hardware, but even now it could be implemented through virtualization. For example, see the project Xen for limited (yet very practical) application of this.

Linux isn't more secure by design, linux is totally braindead when it comes to design. No ACLs by default, everything's one big hack, it's a wonder the OS works at all. With processes having to be suid for things to work, everything's pretty damn messy. Also, I laugh at your view that openbsd would be a champion of security. That's just ridiculous.

--- Quote from: jtpenrod ---
Not much you can do about "social engineering". Big difference though: running untrusted binaries on a *NIX system will trash the user's home directory; it will not trash the entire system, if the users don't have root access. Unless privilege escalation occurs, there's not much harm that malware can do to a *NIX system. It's considerably more difficult to escalate privilege on a *NIX system than on a Win* system.
--- End quote ---

And what if it cannot escalate privileges? Keyloggers on X only need access to the X display, which can be implemented by "merely" taking over the user account. Good luck never typing passwords in X. And that's not the only attack that can be performed by just taking over the user account. You don't need to be root to do significant damage.

--- Quote from: jtpenrod ---
C/C++ were designed to meet a specific need: low-level access that had traditionally been handled by Assembly. In order to grant the maximum freedom and flexibility, it is also necessary to assume that your programmers know what they're doing. There is no excuse for creating unguarded buffers that can be overflowed. I certainly don't write such code. Don't blame the language; blame the dumbasses who aren't competent in it. A lot of the blame for this goes to "RAD environments" that all too easily lead to horrible code hiding behind pretty GUIs. Dumbed-down development environment == dumbed-down developers.
--- End quote ---

That's some harsh text, and definitely arrogant. Human error is the inevitable input to any complex system. Tell me, why are high level applications written in low level languages? I like to think that I'm above writing buffer overflows in my own code, but all the time it turns out to be false. You know, they happen in many other ways than just the trivial case. In C++, you have to consider object lifetime issues, object destruction order, object ownership issues, etc. They're not trivial things. Yet, a bad pointer can cause nasty stuff to happen since the class methods still get executed, and operate on the pointed data. There are solutions, smart pointers and class dependency managers, but it just gets horribly complex. And mistakes happen. It'd be better if the language didn't allow for code execution path to get fucked.

--- Quote from: jtpenrod ---
Not possible. I've used such languages, however, all graphical apps written with one of these use GUI toolkits that are written in C/C++, with a "wrapper lib" to connect the Python/Ruby/Java/etc. code.
--- End quote ---

If the toolkit can guarantee execution path consistency, it does its job. Any bugs in the C/C++ portion are isolated there, and can be fixed by fixing the library... as long as static linking doesn't happen (repeat after me: yay zlib)

--- Quote from: jtpenrod ---
Still, it's nowhere near as capable as The GIMP.
--- End quote ---

Users can always install gimp if they want it. MS Paint is capable of drawing stuff, and if the user needs something more powerful they typically know where to get it.

--- Quote from: jtpenrod ---
A day I hope I never see. Not only do I see this as a kludged-up, unworkable mess (how else can you get dozens of apps all written in different programming languages to make nice?) but I do not trust these folks any farther than I can throw them:

(.. list here ..)

See any mention that this will work on Linux, or anything else that isn't windows? :nothappy:
--- End quote ---

They happen to be ECMA standards, so I'm sorry but you lose. Just because Microsoft isn't implementing it for linux doesn't mean nobody is. Check out http://www.mono-project.com/Mono:About

Granted, the mono implementation isn't quite perfect yet, but it's getting better. It already works and can run .NET applications, and the C# compiler apparently works great too.

Regarding "unworkable mess", it's not going to be a mess. Everything gets compiled to bytecode, and everything works together on this level. Since bytecode becomes the new machine abstraction, the actual hardware and underlying OS can be changed at will and the applications will still work. This is the future, and this is what I hope will change the whole computing world.
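The object-lifetime problem raised in the post above (a method still executing through a pointer to a destroyed object) and the smart-pointer remedy it mentions, shown as an added C++ example that is not from either poster. The `Listener` and dispatcher classes are hypothetical names made up for the illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

// Constructed sample type: an object whose method a dispatcher calls later.
struct Listener {
    int received = 0;
    void on_event() { ++received; }
};

// Unsafe pattern: non-owning raw pointers. The dispatcher cannot tell whether
// a Listener still exists. If one is destroyed while still subscribed,
// dispatch() runs on_event() on freed memory, which is undefined behaviour.
class RawDispatcher {
    std::vector<Listener*> listeners_;
public:
    void subscribe(Listener* l) { listeners_.push_back(l); }
    void dispatch() { for (Listener* l : listeners_) l->on_event(); }
};

// Hardened pattern: the dispatcher holds weak_ptr observers. lock() yields a
// shared_ptr only while the object is alive and keeps it alive for the
// duration of the call; expired entries are pruned instead of dereferenced.
class CheckedDispatcher {
    std::vector<std::weak_ptr<Listener>> listeners_;
public:
    void subscribe(const std::shared_ptr<Listener>& l) { listeners_.push_back(l); }

    // Delivers to live listeners and returns how many deliveries were made.
    int dispatch() {
        int delivered = 0;
        auto it = listeners_.begin();
        while (it != listeners_.end()) {
            if (auto live = it->lock()) {
                live->on_event();
                ++delivered;
                ++it;
            } else {
                it = listeners_.erase(it);  // owner is gone: drop the entry
            }
        }
        return delivered;
    }
    std::size_t subscribed() const { return listeners_.size(); }
};

struct Outcome {
    int first;              // deliveries while both listeners are alive
    int second;             // deliveries after one listener was destroyed
    std::size_t remaining;  // subscriptions left after pruning
    int survivor_received;  // events seen by the surviving listener
};

// Destroys one listener while it is still subscribed, then dispatches again.
Outcome run_checked_scenario() {
    CheckedDispatcher bus;
    auto a = std::make_shared<Listener>();
    auto b = std::make_shared<Listener>();
    bus.subscribe(a);
    bus.subscribe(b);
    Outcome o{};
    o.first = bus.dispatch();
    b.reset();  // last owner released: b's Listener is destroyed here
    o.second = bus.dispatch();
    o.remaining = bus.subscribed();
    o.survivor_received = a->received;
    return o;
}

// The raw-pointer version is only well-defined while the listener outlives
// every dispatch() call, which nothing in the type system enforces.
int run_raw_while_alive() {
    Listener l;
    RawDispatcher bus;
    bus.subscribe(&l);
    bus.dispatch();
    bus.dispatch();
    return l.received;
}

int main() {
    Outcome o = run_checked_scenario();
    std::cout << "first=" << o.first << " second=" << o.second
              << " remaining=" << o.remaining << "\n";
    std::cout << "raw while alive=" << run_raw_while_alive() << "\n";
    return 0;
}
```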

jtpenrod:
--- Quote from: muzzy ---
Bad experiences tend to be because something unexpected and frustrating happens. If you understand the system, there will be significantly less of such experiences. And so what if the source isn't available? There is documentation, and the binaries are still there to be analyzed. What, can't read disassembly? Well, not everyone can read C.
--- End quote ---

Now you've left the realm of user-land and entered geek territory. Most users aren't going to be able to do that. As for myself, what do I care? I don't use Windows, I don't want to use Windows, and Windows does absolutely nothing that I want badly enough to make me consider getting it. If it works for you, then that's wonderful. Use it and be happy, but don't expect to convert the rest of us. The Microsoft Eradication Society exists for a reason: plenty of less-than-satisfied customers who have had enough.


--- Quote from: muzzy ---
Linux isn't more secure by design, linux is totally braindead when it comes to design. No ACLs by default, everything's one big hack, it's a wonder the OS works at all.
--- End quote ---

Doth the pot sayeth unto the kettle: "Thou art black"? Sounds like a Linux-ignorant statement to me. Furthermore, didn't you already concede that maintaining backwards compatibility was a source of problems for Win-*? Doesn't doing that make Win-* just as much a "hack"?  :p

--- Quote from: muzzy ---
Also, I laugh at your view that openbsd would be a champion of security. That's just ridiculous.
--- End quote ---

Laugh all you want, but not at me. Take it up with these guys: http://geodsoft.com/opinion/server_comp/security/openbsd.htm


--- Quote ---
So what does "Four years without a remote hole in the default install!" really mean? It means that no one who has installed OpenBSD with default options has actually experienced a network based intrusion in four years. Since the OpenBSD authors can only go on what they know, it means no one who has reported such an intrusion. As OpenBSD is only used by those who are more than casually concerned about security in the first place, it's very likely if such an intrusion had occurred, it would have been reported. Even though OpenBSD is not widely used, it is an impressive record. I know in my Internet explorations, I've seen statements to the effect that many would-be intruders, as soon as they determine a target system is OpenBSD, move onto other targets.

--- End quote ---


--- Quote from: muzzy ---
Tell me, why are high level applications written in low level languages?
--- End quote ---

For speed. I have a couple of projects up at SourceForge: FurCoder and FurCoderCXX. The one and only difference between them is that the former was coded in Ruby, while the latter is a C++ app. Both do exactly the same thing; both use the FOX GUI toolkit for graphics. However, FurCoderCXX is a helluvalot more responsive. There is no waiting for the GUI to update, as this happens with no noticeable lag. The Ruby app takes a couple of seconds to update.

--- Quote from: muzzy ---
They happen to be ECMA standards, so I'm sorry but you lose. Just because Microsoft isn't implementing it for linux doesn't mean nobody is.
--- End quote ---

So what? The W3C sets standards for HTML. We all know how reliable MS has already proved to be when it comes to making Inter-nut Expl-Horror compliant to standards.  :rolleyes:  Perhaps they will do better with .NET and the ECMA, but I'm certainly not going to bet on that.  :p

--- Quote from: muzzy ---
This is the future, and this is what I hope will change the whole computing world.
--- End quote ---

Yeah: thin clients with all the apps rented, and hosted on MS's servers. That "future" is looking more and more like 1975 when I started with the WATFOR FORTRAN compiler, keypunch machines, card readers, and line printers run from some remote "big iron" mainframe no one ever saw. Been there; done that. PC's were originally intended to free us from remote hosting and rent-an-app soft that was out of your control. I have no desire to give up control of my system to any outside entity, let alone the Redmond Beast.
