Microsoft-Sponsored Study Says Problems Caused By Using Windows Software Will Cost Businesses $500 Billion In 2014
from the awkward dept
The copyright industries' obsession with trying to shoot down piracy at all costs can sometimes cause them to end up shooting themselves in the foot. Here, for example, is a great example from Microsoft, which has recently been fulminating against the dangers of software piracy:
A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now -- cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.
The study fills out the picture with some details of the methodology (pdf):
In 2013 IDC tested pirated software from more than 550 Web and P2P sites or CDs bought in street markets to determine the prevalence of malware in pirated software. In January and February of 2014, the Department of Electrical and Computer Engineering at National University of Singapore conducted a forensic analysis of 203 PCs that were purchased from PC resellers, specialty shops, and PC markets in typical buying situations in 11 countries. Together, this research found the chances of encountering malware in a pirated copy of software is one in three. The chance of encountering malware in a PC purchased with pirated software is more than 60%.
Although the report doesn't say so explicitly, we are clearly dealing with Windows systems here -- computers are referred to throughout as "PCs," never as Macs, and some of the malware is named as "Win32/Enosch.A, Win32/Sality.AT, Win32/Pramro.F," which attack Windows systems exclusively. We can also be pretty sure that none of the infected programs was open source. Why? Because pirating software that is already freely available makes no sense -- and is certainly unlikely to be as profitable as offering black market versions of costly closed-source programs.
Putting this information together -- in order to "Get The Facts" as Microsoft always liked to say -- we arrive at the interesting conclusion that the use of commercial closed-source programs running on Microsoft Windows will cost businesses around $500 billion in 2014 alone because of the wasted time, lost data and reputational damage that will result from associated malware infections.
Assuming the research results are representative of what's happening -- and there's no reason to suppose they aren't -- the obvious conclusion to draw from them for PC users is not just to stop using pirated software (a good idea), but to stop using Windows-based programs too, and to switch to open source applications running on an open source operating system like GNU/Linux. After all, free software is even cheaper than pirated software, and yet rarely has any of the problems identified in the new report.
That's a really useful message for those facing the unwelcome prospect of paying their share of $500 billion to deal with the multiple problems associated with the Windows platform, but probably not the one Microsoft had in mind when it sponsored the research.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: copyright, infringement, malware, open source, piracy, software
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
But honestly, the time has finally arrived when we really need a year of the Linux desktop. The technologically challenged should probably be running Linux Mint with a Cinnamon desktop instead of Windows. Linux in any GUI form would keep our grandparents out of many of their computer troubles. The more technologically proficient can find a version of Linux that will meet their needs and preferences.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Yeah, that they don't support this is an ongoing thorn, especially since you can run Netflix on Android, which is Linux.
However, you can actually run Netflix on desktop Linux. You can find instructions for how on the net. It's a pain to set up, but doable.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Netflix running on Silverlight isn't the main issue... The **IA seem to think that Linux is home to the lawless folk and so don't want to license for the platform.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
If you are running Arch or Ubuntu it's very simple to set up.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
That's just like saying Windows needs a program that functions like Photoshop installed by default because ~5% of the market needs it. It's wasteful with computing resources and can increase costs, even in an open source project.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
What Linux really needs (IMO) is to get to the point where a search for how to do something in Linux easily and quickly turns up instructions for how to do it without opening a terminal.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Finding how to fix things in Linux is usually quite easy, even if it does lead to the Arch wiki. (fixing problems through the command line of an installed system is much easier than installing Arch.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
It happens, but it's pretty unusual in my experience.
Describing menu navigation in Linux can be difficult as it depends on window manager and menu system used, while the command line is consistent.
Yes, the help would pretty much have to be specific to a window manager, and of course most users don't know what a window manager is. Many probably would not even know what distribution they're using or what a distribution is, so it's quite a challenge to get Linux support to the level it needs to be for truly widespread adoption.
Finding how to fix things in Linux is usually quite easy, even if it does lead to the Arch wiki.
I don't know what Arch is, but yes I agree it's easy - if you're comfortable pasting and running commands you don't understand from a person you don't know. Between simple intimidation and confusion, and concerns about risk, I think there are a lot of people who aren't.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
Following instructions to click buttons and fill in boxes etc. is no different. It is just as easy to get someone to break a system doing administrative tasks using a wimp interface as it is using the command line.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
It's very different, because it's much easier to understand what the buttons are doing. To an uneducated user, the following is gibberish: sudo apt-get install packagename (and that's one of the less opaque linux commands you might find). But opening up "software center" or something similar, searching for the name of the software they want, finding it in the list, and clicking a button that says "Install" makes sense.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
By the way the software center, and apt-get, are Linux specific, and relatively safe ways of adding software. On of the big problems with windows is having to find, download and install software from somewhere on the net, including critical system drivers if the CD/DVD is damaged.
[ link to this | view in chronology ]
Linux
Not all flavors of linux work exactly the same way, but for things like this which are common, there is pretty much always a GUI front-end for the command line back-end.
[ link to this | view in chronology ]
Re: Linux
Of course, but I'm not sure what your point is. Nobody was claiming that Linux is lacking in GUI tools.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Yeah, I'll agree with you there.
While I am comfortable using the terminal and command lines (my first real computer learning experiences were with a computer with IBM PC-DOS 1.1 back in the early 80's), I tend to do most things on Debian with the GUI interfaces too and when I need to search for how to do something I usually end up parsing the terminal commands into the GUI world and use those tools instead. Nautilus to move and copy files and to change permissions. Synaptic instead of apt-get for packages. And so on.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Though strangely I still cannot use the mouse to copy/paste and use Wordstar commands constantly still (muscle memory) within Wordprocessors.
I think ease of use with Windows and with most people seeing a command terminal as "Evil Voodoo Majicks" (Which really has always been) is the main problem with consumer uptake of *nix.
Thankfully Android and OSX/iOS are are all *nix base and are subliminally creating a huge base of users that really don't care what OS they use as long as it works and does what they want without too much fiddling with the "majicks" underneath.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Not singling you out. It's just such a common phrase to see and every time I see it, it's followed by a technical reason why Linux has low desktop market share, when there are more likely business reasons for that. I just don't think the Linux community should beat themselves up for not making an OS that's "good enough" to grab market share from Windows, because it doesn't work that way.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
I was thinking of the home market, but yes that's definitely true.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Internet on windows doesn't work out of the box, you need to download your hardware's driver and install it.
A lot of hard drives, including a common western digital hard drive I have, need downloaded drivers to work.
Try, uh, doing that or locating the right ones without a connection to the internet or a hard drive to put them on. I couldn't figure out how to install windows on the hard drive until I made my own usb-windows installer . . . from a linux app.
I'm not joking. I recently had to install windows *grumble* because the software for sending a particular type of bioinformatics simulation job to a particular type of computer cluster is written in visual c++ and installing windows seemed easier at the time than writing my own version or something.
Probably still is easier to isntall windows, but I have doubts now.
Now we just need the market share for 3rd partys to program for linux.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Linux Mint for example does work straight "out of the box", does not require any patching and is an easy way for a windows user to take a first step into the Linux world
There are many other distros doing the same.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
If Netflix is built in, why do you need a Roku?
[ link to this | view in chronology ]
It's actually a very old idea.
It's a variation on the old Crossover plugin for enabling iTunes in Linux. It's a wrapper around wine. You just run the Windows plugin.
[ link to this | view in chronology ]
Re: Netflix
[ link to this | view in chronology ]
Re:
* My wife can't use Linux because, as a mystery shopper, some sites still require IE
* As a realtor, the forms program requires Windows
* My daughter is studying graphic design, she's required to use Photoshop and Illustrator
* My kids are required to use Word for school; when I tried Linux one stupid teacher practically gave my daughter a zero because the formatting wasn't correct after it came over from OpenOffice
It sounds easy, but it's not. There's constantly another party requiring Windows in some form or another.
[ link to this | view in chronology ]
Re: Re:
Might want to look into VirtualBox.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Microsoft licencing is such a pain in the ass that it's a complete IT specialization of its own. I'm trying to create an any OS, any application, any device for our multiple home/office setup here and... 'Oh, my aching head!' Sorting through all the Open Source and Distribution licenses ain't much fun either as you have Community licenses (what do you have to contribute if you change anything?) then you have the Support licenses with their funky rules. BTW, if you think all of this is bad, I can introduce you to Oracle et. al. Double Jeopardy! You want BSA with that?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
* Sites that require IE are broken, nobody not support such businesses.
* Have you tried Wine with those forms programs? I know at least my realtor uses some forms software that runs from a website and uses Java (not that this is much better).
* Ah yes, the uber-expensive Adobe lockin - by the way, do they allow OS X users to particpiate?
* Word does happen to run on Linux - but my kids all use OpenOffice and haven't had any problems yet. Usuually it is acceptable to convert such documents to PDF when submitting them, isn't it? Why do we still allow teachers to dictate our choices in life?
[ link to this | view in chronology ]
Re: Re: Re:
I routinely save to MS formats from LibreOffice and no one has ever noticed or commented on my formatting. I suspect if no one told the teacher, no one would know.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
This is a dangerous and disingenuous statement. Anyone who programs will tell you this isn't true, and worse, it assumes the habits of people will change when installing software.
All we need to do is look at Android, which now has an exponential growth on malware installs because both the user and exploits are easy to take advantage of.
I'm more terrified of using an Android device than I am of a Windows system, unprotected. Even without anti-virus software, there are built-in options I can set that prevents unauthorized installs on my computer (which most people argued Microsoft's UAC was too intrusive, which is a problem of users).
In addition to the malware threats are the oft-used "single sign on" systems, such as Facebook and Google, which allows a breach of multiple accounts because of one nefarious install/visit of an application.
Another study showed that the majority of users who download Android apps do not read the permissions, instead sacrificing understanding for the app. This is a problem, not the software.
Linux is also seeing a growth of exploits, as well as Java (which is used on most non-computer systems, just as DVR, phones, etc).
I'm not advocating Microsoft is untouched here, but most of the problems (often wrongly attributed to the company) is actually the fault of third party software, improperly written to allow the exploit. Adobe Flash, anyone?
Open source software will not remove the problem, which will always be the burden of the user.
Even Enterprise is finding "open source" to be a problem, since they're chasing profits and allowing uneducated IT people to install software they are not familiar with. Since it's open source, there's no licenses to be concerned with, meaning problems will get worse before they get better.
Education is key, but if Microsoft wants to turn things around, the first order of business would be to make its flagship OS easier to obtain financially.
Oh, wait. They are. Microsoft jut announced anything with a 7" screen or less has a zero cost to its OS.
That's a start, but it doesn't include the PC, the most targeted device at the moment.
When PC sales continue to decline for the tablet-based system, in 10 years from now, the tablet will be the new target.
Unless we can educate billions of people by then.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Similarly, "free software is even cheaper than pirated software, and yet rarely has any of the problems", is misleading. There's a difference between 'free' and 'free and open source', and 'well-vetted free and open source'. I think you mean the latter of the three.
Next, onto Violynne: "I'm more terrified of using an Android device than I am of a Windows system, unprotected." Well, at least you're still somewhat terrified of using Windows ;)
>"but most of the problems (often wrongly attributed to the company) is actually the fault of third party software, improperly written to allow the exploit."
Windows provides an environment with a lot of holes, to the point where it's not clear any major software can be written properly. Outlook, Office, etc, ties into IE, which ties into the kernel, etc, etc. That's why there are exploits that can take over a Windows machine just by opening an email in Outlook, without even clicking on an attachment. Message queuing between processes is unauthenticated, anything can clobber the Registry, and they still haven't quite figured out networking. Former Microsoft VP Jim Allchin once stated, under oath, that the flaws in Windows were so bad, that releasing the source code would be a threat to national security.
>"Since it's open source, there's no licenses to be concerned with, meaning problems will get worse before they get better."
Since when has a license had anything to do with computer security or operating system design?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
If you agree that the subject of the report is entirely or almost entirely Windows systems, then the actual cost will be this:
The $500 million from malware listed in the study
+
The cost incurred from malware and other problems in legitimately purchased Windows and Windows software
-
The cost that would be incurred by using open source instead
So unless C is bigger than B, the actual cost of using Windows will be more than $500 million.
[ link to this | view in chronology ]
Re:
You shouldn't be, though. Android is no more dangerous to use than anything else, and you can install all the usual protection software (firewall, etc.)
"All we need to do is look at Android, which now has an exponential growth on malware installs because both the user and exploits are easy to take advantage of."
I think you're misstating why malware installs are more common in Android than other platforms. It's not because Android is inherently less safe to use than anything else (it isn't). The rate is larger than with desktop Linux simply because it's a more commonly targeted platform. It's better to compare malware rates between iPhone and Android.
Android has a greater number of malware installs, but the media makes the difference out to be greater than it actually is. Most of those come about because of people installing from third-party marketplaces or sideloading, not because Android is inherently less secure. If users never do those things, the rates are roughly comparable between the two platforms.
[ link to this | view in chronology ]
Re: Re:
Not that I'd be downloading malware. Google's pretty good at removing risky apps, but it seems to shrug its shoulders on given app creators significant leeway in what can, and can not, be used for app building.
As for the Microsoft holes, can't agree there. The majority of exploits are done via memory access, and it's impossible to protect against every possible threat, much in the same way it's impossible to determine every copyright is infringing.
Because many process remain in memory, especially those critical to OS operation, they're subject to attacks. Though there are individual processes, most still share memory address space.
Computers wouldn't work well without this sharing, unless every app takes minutes to load.
Most exploits take advantage of improper memory clearing, and this is not solely due to Microsoft's code.
If it were, then it truly would be a closed system.
[ link to this | view in chronology ]
Re: Re: Re:
Unix/Linux give each process separate address spaces because letting any process trample over any other process's memory is a Bad Thing. DOS had this problem, but I thought Windows was moving in the right direction starting with the NT kernel.
Only the old legacy 16-bit code runs in the same address space (and I don't think there's much, if any, of that anymore). Maybe someone more familiar can explain the Windows side of things.
>"Computers wouldn't work well without this sharing, unless every app takes minutes to load."
I'm confused. Linux/Unix (and I think even Windows) provides memory protection, but it doesn't take minutes to load programs.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Also, most users who buy a computer aren't going to do this or even know to do this. At least back in the days if someone had a computer with something wrong I can ask them if they have their installation disks and, hopefully, if they were smart, they kept those disks in a smart place they can find it and I can do a reinstall. But now they don't get any disks and chances are they didn't do any backups so if something goes severely wrong they maybe out of luck. Maybe that's the plan, who knows.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Could be. Spend $200 to get Windows back, try Linux for free, or spend $300-400 (varying quite a bit of course) for a new computer. Buying Windows is a pretty unattractive proposition. I don't think they're shooting for that, but maybe hoping people will just buy a new machine.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
That's not a limitation of Windows 8, that's a limitation of the manufacturer. HP got rid of the recovery CDs back near the end of the XP days.
[ link to this | view in chronology ]
Response to: Violynne on Apr 3rd, 2014 @ 5:01am
I fully agree with you assessment that it is by no means a safe platform, but because of the above facts you can't draw an analogy from there to linux laptops and desktops.
[ link to this | view in chronology ]
Web hosted exploit kits are the major threats. Also microsoft not having DEFAULT software like DeepFreeze is an issue.
Windows users: http://www.faronics.com/en-uk/products/deep-freeze/
You're welcome
[ link to this | view in chronology ]
Re:
BTW, there are many disk imaging systems that are open source or free. There's no need to purchase one.
[ link to this | view in chronology ]
Re: Re:
I use the backup and recovery tools built into windows to do that now. I know it's in Windows 7, but I think it's been built into Windows since Vista, possibly XP. Hell, I do that when it's just time to start fresh, faster then loading the OS and drivers from CD.
There's also the System Restore function that I'm also fairly sure was built into XP, but that only does system files. That's another thing that's saved several computers from Viruses in my Tech support history. I don't like using it though, it potentially leaves the original, bad file on the disk where the Backup and Recovery tool overwrites the entire drive.
[ link to this | view in chronology ]
Re: Re:
Look at what deep freeze is before assuming a basic "average imaging tool". It's automatic. EVERY time you boot the box. Avoids all entropy issues as a consequence too. Implying system restore is 1% as good as deepfreeze. lol
I manage multiple internet cafes with about 600 windows boxes... and trust me, if there was a free version of software like deepfreeze I would use it.
This bit though...lol
You're taking the piss, right?
With the amount of 0days out there that target everything from your browser to word documents. Web hosted exploit kits WILL get your windows box.
"WILL" being the operative word. You can't do anything about it except to never go online.
That's why deepfreeze is a must bit of windows software. Also the whole "no entropy" is pretty cool too. Sure beats running a sandbox or restoring backups all the time.
[ link to this | view in chronology ]
We need new Operating System architectures
A recent job ad at FoxIT stated that 'for candidates there is no difference between Windows and Linux'. They meant that one should be proficient in both to apply.
The analogy goes deeper. Both Windows, Linux, OSX, and their mobile variants are built with the assumption that the user *knows what he's doing*, that he tell good software from bad, and be correct every time. Heck, not even experts can do that at a glance, yet we blame the end user for making the wrong choice.
We need different architectures. These are based upon capability-security, virtualisation, compartimentalisation and reduction of the trusted computing base. These architectures are much more resiliant against user errors, spyware.
Examples are: Genode.org, Qubes-OS.org.
There was a capability project, done by HP-labs, roughy ten years ago. They build (and sold) a user interface replacement - called Polaris - that made XP probably more secure against trojans than W7 or W8 today.
But don't get your hopes up. Even the author of the Capsicum project can't get it into android/chromebooks: http://www.eros-os.org/pipermail/cap-talk/2014-April/016082.html
The technology is out there, now we need to deploy it.
[ link to this | view in chronology ]
Re: We need new Operating System architectures
[ link to this | view in chronology ]
Re: Re: We need new Operating System architectures
That problem is with the end user, not the OS.
As a network administrator that runs Windows 2008 Terminal Services, UAC is not that big of a problem. If you're running software that requires administrative access just to run, you're probably running the wrong software. It'd be like software asking for the root password in Unix just to run. It shouldn't be happening.
[ link to this | view in chronology ]
Re: Re: Re: We need new Operating System architectures
Unix and Linux do not require root for the vast majority of things. Sudo to get root is rarely used. 99%(I'm allowing a very generous 1% merely to stem off arguments) of user actions take place in user space.
Root space is used for system level installs and functions. I run a data center with users and developers, and 95% of them never need to use root permissions ever. The remaining 5% are usually testers who are trying to break things.
[ link to this | view in chronology ]
Re: Re: Re: Re: We need new Operating System architectures
@Chronno: I'm not the average user, I know enough to notice the difference. If you are just doing regular browsing and text editing the limited account is fine. But quite a few software out there, known and respected ones mind you, will require admin privileges for merely executing (not mentioning installation). If you deny some will not run or will run with severe limitations.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: We need new Operating System architectures
The major cause of this is (mis)-use of the registry, which is also the common cause of system slowdowns. Also because most user setting go in there as well it is not easy to preserve user settings over system upgrades etc. This is also what makes system recovery such a pain.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: We need new Operating System architectures
I agree with AC up there, most things should not require administrative access. But what you think, what I think, what AC thinks doesn't matter. All that matters is how the system is going to be used, and that is how it would be used if Unix was king.
It's the human element that you hear about every now and then. People will use the system in this way. Changing the skin isn't going to change the people.
[ link to this | view in chronology ]
Re: Re: Re: We need new Operating System architectures
The problem with the MS system is that there is no centralized system updater and the user privileges seemed to be too narrow.
[ link to this | view in chronology ]
Re: We need new Operating System architectures
In the end, users who know what they're doing will always be required. Systems can (and should) be designed in a more resilient fashion, but there's actually a security concern in doing this as well:
Perfect security is impossible, period. But if you have a system that users feel have something close to perfect security, they'll be more reckless in how they use the machine, leading to reduced security through bad practices.
You see this effect everywhere. It's fundamental human nature. The variation that most people might be familiar with is football safety equipment and rules actually making the game more dangerous: http://espn.go.com/racing/story/_/id/7075285/every-sports-league-shares-hidden-danger-safer-equipmen t-espn-magazine
Same thing.
[ link to this | view in chronology ]
Re: Re: We need new Operating System architectures
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
I agree with him. I suspect that we're just about on the cusp of discovering that our virtualized systems aren't nearly as isolated we would like to think they are. This doesn't bode well for those who've made large-scale commitments to cloud computing without thinking through the accompanying risks.
[ link to this | view in chronology ]
Re: We need new Operating System architectures
That's why Linux and MacOS are much more secure than Windows. They do less of the obviously boneheaded things that cause problems with Windows.
The biggest problem with Android is trojans. Some of these trojans are even in "respectable" app stores.
The main problem is blurring the line between data and executables. Windows has pushed this for a long time and web browsers in general also try to blur this line as well.
[ link to this | view in chronology ]
Re: Re: We need new Operating System architectures
Most people run a single user id. Every little program has access to everything that's stored under that userid.
Examples: the card games have access to the stored mail, whether they want to or not. The text editor (libreoffice) has access to the photo's, whether the user wants to include a picture or not.
The problem is that every program has access to everything. As user I need to trust every program to behave nice. Including that program that promises dancing pigs.
With capability architectures, a program only has access to those resources that I, the user explicitly give it. LibreOffice only gets that single picture that I drag onto it. The card games get nothing, neither does the dancing pigs app I downloaded.
That's the difference between the Posix/Windows security model and the capability access control model.
[ link to this | view in chronology ]
Re: We need new Operating System architectures
This is not correct. Windows, Linux, and OSX assume that the *sysadmin* knows what he's doing. This is not an unreasonable assumption to make.
The problem with Windows (and to a lesser extent OSX) is that it assumes that the sysadmin and the user are the same person.
[ link to this | view in chronology ]
Open source isn't a panacea/Windows source code
What open-source software does is give us a fighting chance. No more. Because of that, it's inherently superior to closed-source software -- but that's not saying much, and it's certainly not enough to survive the contemporary threat environment.
Shifting gears a bit, an Anonymous Coward upthread astutely observes "Former Microsoft VP Jim Allchin once stated, under oath, that the flaws in Windows were so bad, that releasing the source code would be a threat to national security.
The bad guys have almost certainly had their hands on the Windows source code for decades: of course they have, it's in their interest to have it, and there are FAR too many people with access to it for it to remain a kept secret for long. All it would take is a security breach at one of the governments with a copy of it, or a payoff to a disgruntled and greedy employee at one of the corporations, or a security issue at Microsoft itself (which we just saw last week) and voila! the code is in the wild.
I think this has probably already happened. Multiple times.
So in one sense, due to the pervasive use of Windows in government (including the military) this could constitute a national security problem. But in another sense, it's not the release of the code which is the real issue, it's the abysmal quality of the code. Windows is still astonishingly primitive: there are operating system features that appeared in Unix decades ago that are still not part of the architecture and implementation of Windows.
[ link to this | view in chronology ]
It isn't a flipping die roll. Do these people believe all back alley deals are done blind?
[ link to this | view in chronology ]
By keeping my /root and /home directories on separate partitions I can reload (or change) my entire OS in an hour or so without losing my settings, data or custom tweaks.
I have no clue how much time I've spent in my life reinstalling Windows installations because of infections or whatnot and then having to find and reinstall every program I use again, but it's definitely time I could have spent on more productive endeavors.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
True.
More often then not (for me at least) System Restore doesn't fix the problems I've run up against.
[ link to this | view in chronology ]
Re: Re: Re:
.msi files use the same setup, which is why they can be so dog-slow to install the programs contained within: they're solving a traveling-salesman problem.
[ link to this | view in chronology ]
Re: Re: Re:
What we really need is an out of OS file integrity checker. Some way to boot from a non-infected read only disk and load a non-infected integrity checker from the disk that will check all system and even other files if they are digitally signed and if so check the integrity of the file (make sure the signature is legit) and list all non-digitally signed files (and perhaps their last modification dates). Then the user can decide what to do with any non-digitally signed files.
Once the integrity of all system files have been verified the disk should be able to check all startup items from the bootdisk (outside the OS) so that the user can look for any changes.
[ link to this | view in chronology ]
Assuming it's even useful.
So a 30 year old solution becomes more effective than the latest and greatest and probably unnecessarily complicated new-shiny-shiny.
[ link to this | view in chronology ]
I dont believe it.
I had done a full re-install of windows, and had to setup the dialup.
Upon Clicking IE it went to MSN..(I hadnt installed updates or protection)
It took me 15 minutes to gain control of the computer..
8 virus and 15 bots, installed.
I sent a note to MSN about scanning 3rd party adverts, 1 year later, NO ADVERTS..
How many languages used on the net? MORE THEN NEEDED..
HOW many sites TRY to make money...MORE then need to.
HOw many EXTRA scripts needed on a site? TO MANY..
WHy do we run NOSCRIPT and SCAN every script into our machines??
AT LEAST when I Download something, I KNOW to ISOLATE IT and scan it to death.
HOW do you do that with a site??
[ link to this | view in chronology ]
Re: I dont believe it.
see. http://www.techdirt.com/articles/20140402/07091926775/microsoft-sponsored-study-says-problems-caused -using-windows-software-will-cost-businesses-500-billion-2014.shtml#c1245
[ link to this | view in chronology ]
This weekend I will be installing Linux
[ link to this | view in chronology ]
Re: This weekend I will be installing Linux
I can get a fully patched Linux install up and running in less than an hour on most new machines, and why would you need to reinstall it after that?
[ link to this | view in chronology ]
Re: This weekend I will be installing Linux
[ link to this | view in chronology ]
Re: This weekend I will be installing Linux
and the weekend after that...and the weekend after that...and the weekend after that...
Huh. To be honest, that scenario has been more prevalent with Windows for me. My laptop has been running Debian AMD64 for a couple of years now. The times I've had to reinstall Debian were because I was messing around and mucked up something in the /root directory as a superuser. I also had to reinstall when I migrated to 64-bit and another time when I reduced my Windows partition to less then a quarter of my hard drive space to give more to Debian.
[ link to this | view in chronology ]
Re: Re: This weekend I will be installing Linux
Same here. My Windows 8 laptop has been refreshed or restored from scratch about twice a month since I got it.
Heck, my Dad even found Windows ME worked great as long as he reinstalled from scratch every 2-3 months…
[ link to this | view in chronology ]
Re: This weekend I will be installing Linux
[ link to this | view in chronology ]
@22
if your that far back that your business cant use chrome or mozilla your hopeless mister realtor ( what realty are you ???)
graphic design you say...you might go have a look at a mac...that runs OMG OMG on a form a BSD unix....
i would tell the school about openoffice and threaten a lawsuit. ten bucks says the school would get the hint.
-------------------
only space where YOU NEED windows is gaming....
[ link to this | view in chronology ]
Re: @22
[ link to this | view in chronology ]
Re: Re: @22
[ link to this | view in chronology ]
When We All Go to Linux Heaven...Pie in the Sky
Just think how much simpler the crafting of malware when you don't have to infer operations from hit-or-miss methods or read disassembled code; you can simply review the full (open) source code in the search for potential exploits.
Those of us who use (desktop) Linux now are in the sweet-spot. Reliable OSs, good software, few adopters.
[ link to this | view in chronology ]
Re: When We All Go to Linux Heaven...Pie in the Sky
OS X is a case-study here: while the amount of malware has increased as its popularity has, nothing like the predicted malware explosion has yet occurred. And there are plenty of OS X users out there now, if the students and faculty of my university are any indication.
I honestly doubt viruses or email worms will ever be major threats to average Linux users. Trojans and spyware will continue to be a threat but that's because they trick the user into authorizing their activities.
[ link to this | view in chronology ]
Re: When We All Go to Linux Heaven...Pie in the Sky
To borrow a line from Enrico Fermi, that is not even good enough to be wrong.
If "popularity" was a viable metric for assessing the relative safety of operating systems, then we would not have made the observations that we have over the past 30 years. Let me share just one of those, for brevity.
As (I hope) everyone knows, the last decade-plus has seen the rise of botnets. One of the ways that we can measure that is by noting which systems exhibit behavior that indicates botnet membership (for example: coordinated spam emission) and then using passive OS fingerprinting to identify the operating system they're running.
If relative system popularity was a viable metric for assessing vulnerability, then we would expect to see the botnet population reflect overall system statistics. Thus if the OS's available were A (50%), B (30%) and C (20%), we would expect to see a 50-30-20 breakdown among bots.
That's not what we see. Not even close. For years, the botnet population was dominated by Windows to -- depending on how the statistics were calculated -- six or seven 9's. In other words, one could look at millions to tens of millions of bots before noting one not running Windows. That diverges wildly from the overall system population statistics, which are certainly dominated by Windows -- but not anywhere remotely close to so much.
That's not an accident. That's not because botnet operators didn't want to co-opt other systems. That's not because they didn't know how. That's not because they didn't try. It's because getting into a Unix/Linux box is both quantitatively and qualitatively more difficult. (In the case of some variations, MUCH more difficult.)
Like I said above, that's just one data point. There are others -- many others. The bottom line, though, is that popularity may be discarded as a relevant factor in assessing relative OS security.
[ link to this | view in chronology ]
Re: Re: When We All Go to Linux Heaven...Pie in the Sky
Apparently, you did not feel the wind as the point went whistling over your head. I'm not assessing, discussing, or implying vulnerability as a function of popularity under the title "Pie in the Sky." I'm pointing out the vastly greater potential for financial rewards that results from attacking the overwhelmingly prevalent personal OS, and hence, the hugely superior allure to bad guys. Desktop Linux acceptance levels ain't *yet* worth the effort.
[ link to this | view in chronology ]
Re: Re: Re: When We All Go to Linux Heaven...Pie in the Sky
First, not everyone is motivated by the prospect of financial reward. In fact, quite a bit of activity stems from other motivations: politics, ideology, curiosity, religion, nationalism, espionage (state or corporate), stalking, etc. It's often blithely (and incorrectly) presumed that one can ascertain the motives of attackers based on target selection; but that's proven to be dubious guesswork.
Second, if we confine our discussion solely to those who are seeking to profit, it is of course obvious that they will largely target Unix and Linux systems, because "that's where the money is" (h/t John Dillinger). Oh, they may attack Windows or MacOS systems en route to that goal, because of course getting into those might make it easier; but they're just stepping stones on the way to the final objective. The real prize, at almost every enterprise, university, ISP, or government is running Solaris or AIX or FreeBSD or Red Hat -- and getting into one of those systems is easily far more profitable than getting into 100K Windows desktops. (Which has by the way now become so easy and routine that it's no longer a challenge, merely another yawn-worthy daily occurrence.)
This situation is unlikely to change: the vastly superior architecture of Unix (and Linux) tends to mitigate the scope and severity of security holes, while the laughably inferior architecture of Windows exacerbates them. Microsoft could fix this, but of course that would require admitting their colossal mistakes -- so it won't happen. They would rather continue to pretend that it's actually possible to wallpaper over their mistakes. (Hint: it's not. As we've seen. For twenty years.)
[ link to this | view in chronology ]
Re: Re: Re: Re: When We All Go to Linux Heaven...Pie in the Sky
I think the bigger problem is it would break backward compatibility. They could easily come up with some reason for doing it without publicly admitting how bad Windows security is.
[ link to this | view in chronology ]
Re: Re: When We All Go to Linux Heaven...Pie in the Sky
[ link to this | view in chronology ]
Re: Re: Re: When We All Go to Linux Heaven...Pie in the Sky
On OS X and Ubuntu the setup gives the primary user account sudo privileges and disables the root account entirely. You can perform all the functions of root but only by way of the sudo program, which requires periodic authorization by entering the user's password.
Home versions of Windows before Vista added UAC confused user and admin roles. Basically, the primary user was root and doing administrative tasks required no authorization. With UAC, admin roles got separated more cleanly and you have to provide (trivial) authorization prior to performing admin tasks. That's helped, although the system as a whole is still not as tightly locked-down as Linux.
That's my understanding.
[ link to this | view in chronology ]
IF'
IF Adobe and js would SANDBOX themselves..
IF MS would FORCE programs to STAY in their OWN DIR..
IF BROWSERS LOCKEd things, only to WORK in browsers and would STAY in a sandbox..
IF a note was placed on ANY Cookie, Script loaded on my machine..about the SITE I GOT IT.. I would have someone to SUE..
ON loss to MS for lost MS sales..
Lets understand something strange. HOW do most people END UP with Windows.
They BUY a new computer. over 80% do not WILLINGLY BUY WINDOWS ANYWAY..
NEED a better or NEW computer, GET the NEWEST windows LOADED..FREE??
[ link to this | view in chronology ]
Microsoft calls a lot of things malware that do nothing bad. For instance Microsoft calls a serial number generator malware even if it's only function is generating serial numbers. Also to pirate games you need the steam.dll to stop calling home for that game and replacing the steam.dll with something inert is considered malware.
There can be malware in pirated software, but the study would find far less malware if it was properly defined as doing something bad or unwanted to your computer.
[ link to this | view in chronology ]
Windows is targeted the most because it has the most market-share.
And on a separate note, changing to linux for businesses is rarely free. A bad switch-over can end up costing more in increased IT costs and lost productivity. That's kinda why redhat has a business at all, selling support for a free product. Or had a business that did that, I haven't thought about redhat in years. They may well have changed or disappeared.
[ link to this | view in chronology ]
Re:
RedHat is still around and doing very well. They are still selling support and maintenance for a free product.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
this is a half-truth
Just to be sure to keep topics separate, this is exclusing socially-oriented attacks. These are for the most part OS independent.
Linux and BSD are still not the ultimate. Microkernels would be better, since the modularity would further increase modularity. However, monolithic kernel structures are still far, far better than Window's megalithic Gordian knot architecture.
[ link to this | view in chronology ]
Ubuntu, Xubuntu and Linux Mint are good alternatives for newbies.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
restore disks
I still love the live CD of PCLinuxOS, I don't even need to install it to use it (works on a 4 gig thumb drive, 8 gigs and it's a stand alone and can be updated as needed) it's awesome to fix windoze with in "most" cases....
[ link to this | view in chronology ]
It's nice to know
It's nice to know that Microsoft support my assessment of their Operating System and software in general.
[ link to this | view in chronology ]