[« From Juan Cole today:] [Ron Reagan lays out the case against Bush.... »]
08/18/2004: This brings a new meaning....
to the term "total cost of ownership". From The Evil Empire:
Microsoft has been waiting for security researchers to say that its Windows operating system has a lower total cost of ownership. One finally has, but that's not good news.I said it the moment I first heard about the "Trustworthy Computing" initiative.
On Friday, David Aitel, a noted security professional and managing director of vulnerability assessment firm Immunity, published a paper stating that "owning" a computer--hacker-speak for compromising a system--is easier if the target computer runs Windows. While couched in puns and jokes, the paper takes a serious stance on the security of Windows compared with modern Linux, Aitel said.
The Aitel paper marks the first time that a security professional with hands-on experience of hacking both Linux and Windows systems has weighed in on the issue. His conclusion: The security of Windows computers is easier to breach than modern Linux computers, despite more than two years of work by Microsoft to secure its operating system under its Trustworthy Computing initiative. Microsoft declined to comment on the paper.
Trustworthy Computing my ass.
Len on 08.18.04 @ 12:49 PM CST
Replies: 4 comments
on Wednesday, August 18th, 2004 at 2:34 PM CST, josh said
0wn3d!
Hasn't this pretty much seeped into the common conscience by now?
I read an article the other day that the lifespan of an unpatched MS computer in the wild these days is 20 minutes.
on Wednesday, August 18th, 2004 at 2:59 PM CST, Len Cleavelin said
It's seeped into common consciousness, but the significance is, I think, that this is the first acknowledgement in a formal paper by a security professional who has experience with securing both Windows and Linux.
And the scary thing about the 20 minute figure is that it's going to take a lot longer than 20 minutes connected to the 'net to download the appropriate patches. Better to get them on a CD, and get the first level of patch (W2K SP4/XP SP1) installed *before* connecting the machine to the 'net.
on Thursday, August 19th, 2004 at 12:17 AM CST, bryan@dumka.com">Bryan said
The 20 minutes assumes a "bare" Windows machine, without the firewall or virus software. Manufacturers now enable both when they shop the machines to give the owner a prayer of downloading fixes before they get attacked.
I run XP because my clients do, but I use Mozilla and Pegasus. I would be much happier if I could delete IE, but they won't let you do that.
The XP update is supposed to be available with several magazines, so I won't be downloading it.
on Thursday, August 19th, 2004 at 8:20 AM CST, Len Cleavelin said
I'm hearing that XP SP2 breaks a whole bunch of programs. Big surprise, I know. Another proof of the principle that no Microsoft software is out of beta until v. 3.1 at least....
True that the 20 minute figure does assume lack of a firewall (I don't know if anti-virus software would stymie those worms that do network probes to find unpatched machines). Fortunately for me, I do run my home boxen behind a hardware firewall; not all home users are that savvy, alas.
At my work, I've been fighting a rearguard action against XP for a couple years now, but of course that's a losing battle, since new hardware comes with XP pre-installed. Still, I go Firefox and Eudora (paid mode--if I could I'd marry the spam filter in that one) for my default browser/email.
Anybody remember "Windows 98 Lite"?--some hacker developed a way of stripping IE from Win98 and had it out there for download/general use. Why hasn't some enterprising hacker done the same for Win2k/XP?