Microsoft Talks Back To Google's Security Claims 528
Kilrah_il writes "Yesterday there was a piece about Google ditching Windows for internal use because of security concerns. Now Microsoft is fighting back, claiming its products are the most secure — more than Google's and Apple's. 'When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else. And it's not just the hackers; third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.'"
Cisco (Score:5, Interesting)
Well, I can tell you right now that a lot of Cisco's engineers use Macs, and server-side it's Linux. That said, I imagine Cisco management, marketing, etc. are mostly Windows-based.
Uh huh (Score:5, Interesting)
And all those idiotic corporate restrictions on email attachments can go, too. That'll be a great relief, because right now I can't even attach a zipfile without Outlook complaining about it.
And those flashes of screen content that appear when I reconnect to a locked Remote Terminal session, those are just in my imagination. No information exposure there, any more. Good, cause that was really stupid. Wait, I'd better check. Nope, still there.
And those irritating and needless messages requesting permission after I've launched an Active Directory management window, those are gone too, right? Because now the system has finally caught up to the X Window System technology available back in 1993?
Oh, no. Actually, I just checked, and it hasn't.
Wow, Microsoft. I am impressed. You actually drank the kool-aid to prove that it was harmless. Except that it's not.
iPad (Score:1, Interesting)
The iPad actually seems to be a perfect device for doing Banking. Mac/Windows or Linux - I am always scared when opening a browser and browsing to my bank's website. Who knows when and what got installed on the machine - even open source stuff sometimes has had malware (I forgot the name of the one where the author just emailed everyone's passwords to his mail account.)
Locked down device like the iPad is godsend - never install any apps and just use it for browsing and email. Feels much secure. (One only needs to worry about Apple - hopefully the disgruntled Foxconn employees don't go installing bad stuff on the iPads.)
You can hate me now - a) for bringing up the iPad and b) for being paranoid.
Re:Keep saying it and one day it might stick (Score:3, Interesting)
Any serious geek will tell you the long sorded history of windows and all its memorable virii, malware and hacks...
Where are the equivalent virii in 2010? I remember Code Red and Slammer and the really malicious code that was raping any system stupid enough to expose 135/137 and 445 to the world. I don't remember any malware of that league in recent memory. The worst malware these days seems to be the AntiVirus 2010 and its related ilk. The malware itself is insidious and requires a pave and rebuild "just to be sure". The infection vector is the same old, same old mess of compromised websites and browser exploits. So in that regard Microsoft is getting better. Their software isn't getting owned two minutes after being connected to the internet. Like others have mentioned, they still have a long way to go.
I will believe that Microsoft has figured out secure software once they properly sandbox their browser and manage to prevent malicious code from breaking out of it to compromise the system. There is not any reason why visiting a webpage, either deliberately or through a redirect, should result in a compromised system.
Re:Both have problems (Score:3, Interesting)
The latest results I could find was from 2006. Do you have a link to a new competition?
Microsoft products are the most secure lawnmowers (Score:5, Interesting)
Poor chaps, they can only make a "c2" grade in the old orange-book (U.S.Department of Defense) grading by removing the networking, while a mainline Linux distro hits b1 (courtesy of the CIA).
--dave
Re:Keep saying it and one day it might stick (Score:4, Interesting)
You are right that the focus has changed. The infection vector has also changed. The old vectors don't work, or if they do the access to them has been mitigated on the client by the software firewall, and on the network permimeter by hardware firewalls. The operating system has been hardened to the point that most of the exploits are targetting applications. That is an improvement. Once they figure out how to properly sandbox the applications, the entire system will become more stable. Whether or not Microsoft is really up to the task is debatable.
Absolute vs. Relative. (Score:5, Interesting)
When we speak about GNU/Linux functionality, nobody takes relative values into account. They only take into account the absolute final result. Example, nobody takes into account the great hardware compatibility considering 99% of all drivers were written by the community after reverse engineering the hardware and/or other OSes privative drivers. People (including microsoft) only mention that GNU/Linux doesn't support all features of X hardware, and windows does, and therefore it's better.
Same thing for apps, marketshare, etc. They only say "More people have windows, it supports more apps, whatever, period. ".
So, why should we take into account relative values when talking about windows?
I don't care if they are trying hard, or if they have more marketshare, or about any other factor. The ONLY operating system that requires antivirus, antispyware, and other crap is windows. It is also the only operating system that is consistently, publicly and massively cracked around the world all the time. There are several botnets around the net that are the source of most spam, and this botnets consist of windows machines only.
So, in absolute terms, the most secure OS is OpenBSD. The most insecure is Windows.
Re:Some Helpful Advise (Score:5, Interesting)
Linux and FreeBSD boxes get hacked all the time. One can claim it's because people use weak passwords or use the same password on their box as they do on every site on the internet, and there are probably a lot of those boxes that compromised that way, but a lot are also do flaws in software installed on Linux boxes. Spend some time going through sites like Zone-H [zone-h.org] and you'll see that Linux sites get successfully attaced as much, if not more so than Windows servers (the numbers change from day to day).
You're living in a dream world if you think Linux security is any better or worse than anyone elses. Most Linux boxes have 1000x more software installed on them, and each software package is a potential security flaw waiting to happen. Most of those can only compromise the account it runs on, but attackers are getting smart and creating blended attackes that include multiple vulnerabilities, including local root vulnerabilites that get executed via a user-level remote attack.
But really, the only people who attack Linux boxes are those looking to either brag, or those looking for fat pipe DDoS zombies. Malware authors, who target stupid users who will pay $50 to the fake virus writers are going to target the vast majority of systems.. ie windows.
Re:Security? (Score:3, Interesting)
A security model ain't worth crap when so many applications won't run if you're not an administrator.
That's not a problem with security model. It's a problem with applications. Most of them don't have to be designed to, say, write to "C:\Program Files" - indeed, most can be trivially changed to avoid this - but they still do, because developers are lazy, and because you could do that in Win9x. This has nothing to do with XP as an OS at all.
Probably because you're talking crap. People don't complain about gksudo because they hardly ever see it, and generally only do so when performing some kind of operation that absolutely requires admin priviledges; UAC comes up routinely when you run ordinary every day pre-Vista software and with some that's not even that old.
Again, "UAC coming up routinely" is not part of the OS security model. It's a problem with badly coded legacy applications.
Note, I'm not arguing that it's not a problem. It definitely is, which is why e.g. to get "Certified for Vista/7" sticker you have to write apps properly - so Microsoft pushes software developers to fix this in their apps. However, your original comment says:
Windows XP was allowed to ship without a proper security model.
and my point is that none of your examples demonstrate any flaws with security model of Windows XP per se.
Re:Some Helpful Advise (Score:3, Interesting)
Now we are comparing UNIX boxes that run financial institutions to Windows XP boxes run by 14 year old girls who's primary concern in life is weather or not facebook.com loads?
Hilarious.
UNIX systems in Banking institutions are run by competent people and sit on network secured by competent people. It's much easier and less risky to take control of 100,000 Windows machines run by people with zero knowledge of security and next to zero chance of figuring out they are infected than infiltrate a corporate network owned by a bank and run by a professional. Some bank machine getting hacked is going to attract a ton of of law enforcement attention whereas 100,000 Windows boxes being owned is going to attract nothing.
Re:Some Helpful Advise (Score:1, Interesting)
Except your ec2 cluster would be taken out very quickly by any one who wants to stop you. The botnet is distributed and can do it's work from many places and can a lot of times not be traced back to the user.
And, are the banks, or military, or engineering design company (By the way I do not believe most companies like this do all of their systems through UNIX), going to be able to find the problem and nullify it compared to the grandfather? So why target the people who have more people who are capable of finding and destroying the kit? They can target mass amounts of computers most of which have no security, have not been updated in forever and contain people dumb enough to click on links in their emails.
Mac's & UNIX - Not the numbers required in the general population to make for suitable attack vectors.
Re:Some Helpful Advise (Score:4, Interesting)
the point is that the value isn't by building a bigger botnet, it's by getting prime targets. If it takes you 10,000 times more effort to get on the large banking system than it does to break on to a windows7 box someone uses at home...so what, it's likely going to be that much more valuable. Even with massive, massive numbers of compromised systems, botnets aren't a money-making venture. Getting that random keylogger to get access to someone's bank account is FAR, FAR more difficult than shooting a spam email to 100,000 people just asking them for the info - you'll get it from a few of them. No need to actually break on to a box for that sort of thing, you just break the person. The OS is thus irrelevant.
Linux isn't less of a target, it's *more* of one. There is less success hacking it not because people don't want to hack it, but instead...wait for it...because it's more secure. I could go over the reasons why in detail, but if you haven't figured it out for yourself after all these years, then...hey, fanboi away.
Re:Some Helpful Advise (Score:3, Interesting)
Er... stupid 4chan meme is... lame and old and tired and, well... stupid.
I honestly don't know what the fark you are talking about.
Also, yeah, let's see how long your "few $k a month" server(s) stands up to 10GB/s sustained DoS from Zeus or the remnants of Mariposa
Wow. Well, you um...quoted part of that sentence, and either ignored or didn't understand the rest. Let's repeat it, shall we?
"For just a few $k a month I could build an ec2 cluster that would destroy any botnet in sheer computing power"
Unless you're a person merely after epeen, then botnets are outdated. If you're actually trying to do something useful with a horde of computers, then that's another matter. I have lots of ec2 instances that cost me 3.1 pennies...that's $0.031....per hour to run. That's with 1.7G of ram, and I don't even remember how much disk space (I discard what it comes with and use ebs, so meh). So let me repeat - for just a few $k I could build a globally distributed ec2 cluster running out of dozens of different data centers, and serving content from globally distributed CDNs. Your grandpa XP box botnet will indeed have a hard time not only doing something useful, but even taking down such a beast. That said, I don't need to get crazy with any such clusters, because...well, I'm not trying to compete with large botnets :) But for the effort required to create and manage one, I could do better in the cloud. It's why botnets are dying.
Additionally, you missed the points raised by other posters above re: low-hanging fruit.
Farking bloody hell I did not. I deliberately and distinctly said I disagree with that notion. The fruit is hanging lower not because it's more prolific, but because it's easier. Social hacking is OS-agnostic, and is more rewarding than going after grandpa's info brute-force, because...well, who the hell knows where he put that bank info, but if you can send out 500,000 spam emails saying people need to send in their bank info or they'll lose their accounts...and only 10 of them reply...it just cost you almost nothing to get that money. Far less effort than actually trying to break on to 500,000 boxes and rifle through their files.
Windows is hacked via script-kiddies that use old, easy, exploits. It's hacked via silly exploits that make your computer do silly things. And almost all the time, the net result is your computer is farked up, and you need to clean it. Generally, considering the automated nature of the hacking, they haven't done anything useful yet if you figure it out relatively soon.
And not a damn bit of that has anything to do with the fact that unix was built as a multi-user server environment, with no regard for clippie, games, or etc - while Windows was built as a single-user desktop environment, with no regards to ssh, stuff other people want to do on the machine, etc. They're just different systems, meant for different things. MS can try to dress up their latest thing as some new monster, but really...they should just be pointing out that their OS is far more user-friendly and intuitive to the general public than unix is, but that such comes with a cost. The old adage goes pick 2: cheap, fast, good. Windows chose cheap and fast. Maybe the great innovator Gates shouldn't have been so dismissive of the Internet for so long, and he wouldn't still be playing catch-up.
Re:Some Helpful Advise (Score:1, Interesting)
Correction, they are run by supposedly competent people... These banks also have windows boxes which again are supposedly run by competent people...
Having had experience performing penetration tests against various financial institutions, whenever we've been given an ethernet socket and free reign to attack the network we have had success compromising the windows domain (yes they always run an active directory domain which makes life so much easier when trying to compromise things)... Our record with compromising unix (or z/os os/400 and vms) systems is a lot weaker...
Gone are the days of redhat 4, modern unix systems are pretty solid out of the box and it is quite rare we would be able to compromise one directly.. Many of the unix boxes we see are default installs, but default unix installs don't have a lot of remote exploits these days. Many of the windows systems we see have had some attempts to harden them, and yet we still get in.. The easiest way to get into unix machines these days is actually to compromise the windows workstation of one of the admins and monitor his keystrokes until he logs in.
I have never encountered a corporate network (including financial institutions) where a single ethernet socket on their corporate lan wasn't all that's necessary to compromise every windows system on the network, and from there compromising everything else through keylogging...
I've also never encountered a corporate network where these actions were noticed, all of these companies rely on automated tools such as a/v to detect compromise, and its trivial to bypass these. I can do a 1 week pentest where the staff are fully aware that i'm attacking their network and will be diligently monitoring and at the end of the week they will have seen nothing, and will be extremely surprised to see a list of all their passwords.