SitePoint Sponsor

User Tag List

Page 2 of 4 FirstFirst 1234 LastLast
Results 26 to 50 of 81
  1. #26
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by KLB
    Microsoft providing a free spyware tool is simply them making good on the fact that they are partially responsible for the problem to begin with
    This is not going to be a free product though is it? Once it is out of beta there will be a subscription fee. Hopefully that will just be for SpyNet and you can still use the rest of the program

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  2. #27
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by seanf
    This is not going to be a free product though is it? Once it is out of beta there will be a subscription fee. Hopefully that will just be for SpyNet and you can still use the rest of the program

    Sean
    If Microsoft were to charge for the program, I'd say that it was another preditory tactic and a inappropriate as they were the ones who created the problem in the first place. If it is free, however, I'd say they were owning up to their responsiblities for having created part of the conditions for spyware to exist. The question remains, will Microsoft try to use this to earn more money or to improve their public image.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  3. #28

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by KLB
    They could, but think about it, the spyware-defense market is an artificial market created by security weaknesses in Microsoft's products. One could look at it as users are having to pay extra for Microsoft's problems and Microsoft providing a free spyware tool is simply them making good on the fact that they are partially responsible for the problem to begin with. Notice that there isn't a need for a spyware-defense market in the Mac world.
    Which problems exactly did Microsoft create in the first place?

    Sure, there are certain security leaks and an improperly configured ActiveX isnt the most secure thing as well. However, the former is almost solely used by worms and other virus-like software and for the latter the rules were changed with SP2. Most spyware applications simply come with installations of dubious software and this is certainly not the fault of Microsoft. As with worms the reason why Microsoft products are the primary target is just its popularity. A more or less malicious application for Windows reaches much more people that the same application for OS X or Linux.

  4. #29
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    Which problems exactly did Microsoft create in the first place?

    Sure, there are certain security leaks and an improperly configured ActiveX isnt the most secure thing as well. However, the former is almost solely used by worms and other virus-like software and for the latter the rules were changed with SP2. Most spyware applications simply come with installations of dubious software and this is certainly not the fault of Microsoft. As with worms the reason why Microsoft products are the primary target is just its popularity. A more or less malicious application for Windows reaches much more people that the same application for OS X or Linux.
    No the creation of dubious software is not directly Microsoft's fault. Historically, however, there is a fundamental difference in philosophy between UNIX (notice I don't say Linux) and Windows. UNIX evolved in a network type environment where systems were supported by highly skilled people and thus tends to place a higher premium on security over functionality and wasn't as concerned about ease of implementation. Microsoft Windows, however, initially began to develop in a non-networked environment where systems were often times managed by non-technical personnel and as a result put a higher premium on functionality and easy of implementation over security. When Windows wasn't commonly connected to Networks, this was not a serious issue and one could argue was a reasonable approach.

    This preference of functionality and ease of implementation over security became a very deeply rooted culture within Microsoft. As Windows evolved, unnecessary services and ports tended to been installed and enabled by default rather than taking the UNIX approach where services were not installed by default and desired services had to be installed separately. This culture of functionality over security also crept into productivity products like MS Office, Outlook and of course MSIE. As a result, we saw the invention macros within MS Office and then with the invention of Active-X, which was given hooks into the core O/S to ease the ability of developing readily shareable programming.

    The problem is, that in a connected environment those technologies that can have beneficial uses can also be subverted by those with malice intentions. Thus after macros were introduced to Office; we saw the rise of macro viruses. When Active-X and VBScript was created and then incorporated into Outlook and MSIE, we saw the rise of malice Active-X and VBScripts. Whereas, technologies like pure JavaScript and Java that play in sandboxes and don't have deep hooks into the operating system have not given rise to malicious code. All technologies incorporated in a networked environment need to be initially closed and distrusting.

    Another very good example of the difference between this initially opened or initially closed philosophy; one should look at MS-IIS vs. Apache. Apache has around 70% of the web server market while IIS has around 25% of the market. Yet the vast majority of all web server exploits affect IIS not Apache. Yes one can protect IIS by properly patching it and configuring it, but this is the problem. IIS should be locked down by default and it should require knowledge to know how to unlock that functionality that is desired not the other way around.

    To be fair, Microsoft has shifted its stance over time as we saw with WinXP SP2 and are seeing in their latest generation of server software, however, the fact remains that it was Windows permissive environment that gave spyware, worms and Trojans the ability to spread so easily. Thus it is only appropriate that Microsoft give users the tools they need to undo the damage that is being done as a result of this permissive environment.

    --Edit--
    One after thought. As most computer users have very limited computer abilities and couldn't explain the difference between Windows Explorer and Internet Explorer, software vendors have an even greater responsiblity to place these users into a sandbox that is locked down by default and to protect users from themselves.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  5. #30

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I absolutely agree with most what you mentioned, however I have some remarks.

    Quote Originally Posted by KLB
    Apache has around 70% of the web server market while IIS has around 25% of the market. Yet the vast majority of all web server exploits affect IIS not Apache.
    The fact of this market share voids the general "popularity" argument only on the first sight. These exploits primarily target inexperienced users who have their webservers running incidentally. In this group of users IIS has once again a much higher market share than Apache.

    Quote Originally Posted by KLB
    , however, the fact remains that it was Windows permissive environment that gave spyware, worms and Trojans the ability to spread so easily. Thus it is only appropriate that Microsoft give users the tools they need to undo the damage that is being done as a result of this permissive environment.
    Well, this thread is specifically about spyware and not about worms or virus-like software. The two latter are an issue for anti-virus software but not for anti-spyware. Spyware itself is usually not caused by leaks in Microsoft applications, but because user install it - usually unknowingly however.

  6. #31
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    The fact of this market share voids the general "popularity" argument only on the first sight. These exploits primarily target inexperienced users who have their webservers running incidentally. In this group of users IIS has once again a much higher market share than Apache.
    The popularity argument for Windows being exploited is crap. Yes lots of people are vulnerable because they have IIS incidentally running and this is oftentimes Microsoft's fault. However, even when looking at honest to goodness web sites, IIS is exploited more often. The reason is that by default, it is more permissive than is Apache in its default configuration. If I take and install Apache in its default configuration and IIS in its default configuration, Apache is much less vulnerable because it is locked down by default, where as IIS is open by default (I have been responsible for configuring both in production environments). Let me tell you from first hand experience, securing IIS takes a lot more work than securing Apache, in part because IIS digs so many tentacles deep into the OS, whereas Apache runs isolated from the OS.

    The primary reason Windows in more vulnerable than its counterparts is because of the permissive culture that Windows evolved within that I mentioned earlier. Yes this is changing as I previously stated, however, even Microsoft admits this change will take time. I look at Microsoft's providing free spyware removal software as a stop gap measure to deal with past mistakes.

    Quote Originally Posted by drzoid
    Well, this thread is specifically about spyware and not about worms or virus-like software. The two latter are an issue for anti-virus software but not for anti-spyware. Spyware itself is usually not caused by leaks in Microsoft applications, but because user install it - usually unknowingly however.
    Often times, spyware and worms go hand in hand. Not all spyware comes piggy backed with your P2P software. Sometimes it is spread via trojans or Active-X or VBScript exploits. So yes spyware is spread by leaks or naturally permissive configurations of Microsoft Products not just by users inability to understand the EULAs that they agree to. How many times have we heard of MSIE and Outlook Exploits that infect PCs by simply viewing an email message in the preview pane or surfing to an infected website without the user ever needing to click on or agree to anything? Why less than two months ago an ad-agency was hacked and started serving infected code along with their banner ads.

    -----

    The reality of Microsoft's problem is that it is much easier for the UNIX/Linux of the world to be inherently more secure because their user base understands and accepts the fact that they will have exert some effort to configure their systems to allow for the functionality they want. Microsoft's customers on the other hand often times do not have the technical savvy to configure their systems to do what they want. As such, Microsoft is stuck between trying to make it easier for non-technical users to implement those features they want and keeping systems tightly locked down. This is not an easy fix to be in.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  7. #32

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You are contradictory in your statements. On one hand you are saying the problem is that Microsoft's application are too permissive, on the other you are saying the problem is the typical Microsoft Home user is not technical savvy enough to configure his systems.

    Both are true to some extent. However the primary problem is still that these "typical" users are often not experienced enough to secure their installations. Of course, some of Microsoft's application were (and still are in some points) too permissive, but this once again only an issue as long as they are not secured well enough. IIS sites run and maintained by people who know what they are doing were usually not compromised by these attacks.

    Quote Originally Posted by KLB
    The popularity argument for Windows being exploited is crap.
    This is not true at all. Microsoft's applications would never be such a target if they werent that popular. Believe me, once other systems gain a noticeable market share they will be exploited just as well. The best example is the recent php vulnerability.

    Quote Originally Posted by KLB
    Let me tell you from first hand experience, securing IIS takes a lot more work than securing Apache, in part because IIS digs so many tentacles deep into the OS, whereas Apache runs isolated from the OS.
    Can you elaborate more on these "tentacles"?

    Quote Originally Posted by KLB
    Often times, spyware and worms go hand in hand. Not all spyware comes piggy backed with your P2P software. Sometimes it is spread via trojans or Active-X or VBScript exploits. So yes spyware is spread by leaks or naturally permissive configurations of Microsoft Products not just by users inability to understand the EULAs that they agree to. How many times have we heard of MSIE and Outlook Exploits that infect PCs by simply viewing an email message in the preview pane or surfing to an infected website without the user ever needing to click on or agree to anything? Why less than two months ago an ad-agency was hacked and started serving infected code along with their banner ads.
    The typical spyware does not come through security leaks but are either additionally installed with other applications or come - as you mentioned - through ActiveX (which is then however no exploit, but - as I said - an improper ActiveX configuration, however this changed with SP2). Bugs like the RPC overflow are only exploited by worms but not by actual spyware.

  8. #33
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    You are contradictory in your statements. On one hand you are saying the problem is that Microsoft's application are too permissive, on the other you are saying the problem is the typical Microsoft Home user is not technical savvy enough to configure his systems.
    These are not contradictory. Microsoft's software is to permissive from a security standpoint by this I mean it comes with too many unnecessary services installed and operating by default. The default install of a system should have as few services running and ports open as is possible. With the user responsible for implementing those services they want. The problem is, that often times users are not technically savvy enough to configure their systems (even though they sometimes think they can).

    Quote Originally Posted by drzoid
    Of course, some of Microsoft's application were (and still are in some points) too permissive, but this once again only an issue as long as they are not secured well enough. IIS sites run and maintained by people who know what they are doing were usually not compromised by these attacks.
    The problem is, many people are not as savvy at configuring IIS as they think they are. Securing IIS correctly and really locking it down takes a great deal of work. I personally had a check list that was several pages long and when a new server arrived, it would take me a few days of focused work to take to install Windows and IIS and then lock everything down. I would agree that IIS could be locked down to an extent that puts it on par with Apache from a security perspective, the problem is not enough people who run IIS know how to do it. Where as the out of the box, Apache is pretty tight. Yes someone might be able to hack a site running a default install of Apache, but the worst they would do is muck up the site. With a default install of IIS, one could gain control of the whole system.


    Quote Originally Posted by drzoid
    This is not true at all. Microsoft's applications would never be such a target if they werent that popular. Believe me, once other systems gain a noticeable market share they will be exploited just as well. The best example is the recent php vulnerability.
    I'm not sure what you are referring to with PHP. With that said, since ASP only runs on IIS and PHP runs on Apache AND IIS, PHP has a much bigger market share than ASP.

    Yes popularity can affect how big a target specific software becomes, however, using this as a shield for Microsoft's woes overlooks the fact that most of our current security problems aren't because Microsoft is so popular a target, but because of the technologies Microsoft made available made very easy targets (e.g. VBScript, ActiveX, Macros, etc.). If popularity made for juicy targets, Apache should be a much larger target than IIS but it isn't.

    Quote Originally Posted by drzoid
    Can you elaborate more on these "tentacles"?
    IIS can build its permissions off of the user accounts and groups of the O/S. While this eases system administration (e.g. an Intranet) it also makes IIS vulnerable to any weaknesses related to how accounts are configured. Plus IIS is able to gain access to O/S API's whereas Apache runs completely separate from the O/S. Yes the way IIS is tied to the O/S makes it more convenient in many instances, it also complicates security and configuration issues.

    Quote Originally Posted by drzoid
    The typical spyware does not come through security leaks but are either additionally installed with other applications or come - as you mentioned - through ActiveX (which is then however no exploit, but - as I said - an improper ActiveX configuration, however this changed with SP2). Bugs like the RPC overflow are only exploited by worms but not by actual spyware.
    Define a proper configuration of Active-X and then define the default configuration of MSIE. Then convince us that the common user understands the difference between a system prompt, a popup ad and a "oh crap something really bad is going to happen if I click okay" alert. Now convince us that the majority of users actually get all of the system patches they are supposed to. Lets face some realities here. Spyware would not be a problem if Outlook, Outlook Express and MSIE did not support ActiveX and VBScript.

    There is no proper and safe configuration of ActiveX or VBScript because accidents happen and all too often "legitimate" programs/ActiveX controls actually change these security settings without the user knowing it. I personally have seen mission critical commercial CRM type web applications change the security settings of MSIE's security zones leaving them set at low. And on many occasions seen "legitimate" websites including the help desk at a major U.S. bank tell customers to change their security settings to low for the Internet Zone. If the common user can't even tell us the difference between Internet Explorer and Windows Explorer how are they to know that changing their security settings to low in Internet Explorer is a really bad idea when it is the IT department of their bank that is telling them to do it.

    Microsoft knows this is a problem. Hence WinXP SP2 makes it harder to run Active-X code, they now have automatic updates turned on by default and Microsoft now has the firewall turned on by default. The big problem is, and Microsoft knows this, is that it will be a long time before the vast majority of users get their systems updated or are taking advantage of Microsoft's new security practices. As such there will be a lot of users for some time to come who will routinely get infected with spyware. For this reason, just as it was logical for Microsoft to try and secure the home user by adding a Firewall to WinXP and turning it on by default, it is logical for them to make spyware protection available for free.

    Microsoft's security sins of the past greatly displease me, however, I applaud the efforts they are making to make their software safer in the long run.

    --Edit--

    I think we have successfully veered another good thread totally off course. We might want to bring it back on course as to whether people like Microsoft's new Spyware program. I for one like it. It was easy to use and I think it was a good move by Microsoft for the reasons previously stated.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  9. #34

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by KLB
    These are not contradictory. Microsoft's software is to permissive from a security standpoint by this I mean it comes with too many unnecessary services installed and operating by default. The default install of a system should have as few services running and ports open as is possible. With the user responsible for implementing those services they want. The problem is, that often times users are not technically savvy enough to configure their systems (even though they sometimes think they can).

    I would agree that IIS could be locked down to an extent that puts it on par with Apache from a security perspective, the problem is not enough people who run IIS know how to do it. Where as the out of the box, Apache is pretty tight. Yes someone might be able to hack a site running a default install of Apache, but the worst they would do is muck up the site. With a default install of IIS, one could gain control of the whole system.
    Yes, thats exactly what I said. The problem is not a technical one, but the default settings. However this changed completely with SP2.

    Quote Originally Posted by KLB
    I'm not sure what you are referring to with PHP. With that said, since ASP only runs on IIS and PHP runs on Apache AND IIS, PHP has a much bigger market share than ASP.
    Did I say something else?

    Quote Originally Posted by KLB
    Yes popularity can affect how big a target specific software becomes, however, using this as a shield for Microsoft's woes overlooks the fact that most of our current security problems aren't because Microsoft is so popular a target, but because of the technologies Microsoft made available made very easy targets (e.g. VBScript, ActiveX, Macros, etc.). If popularity made for juicy targets, Apache should be a much larger target than IIS but it isn't.
    Please read my posting again.

    Quote Originally Posted by KLB
    Plus IIS is able to gain access to O/S API's whereas Apache runs completely separate from the O/S.
    Can you please explain this more detailed? Apache uses the operating system's API just in the same way as IIS does. There is no difference at all.

    Quote Originally Posted by KLB
    Yes the way IIS is tied to the O/S makes it more convenient in many instances, it also complicates security and configuration issues.
    What exactly do you mean by "tied" in this context?

    Quote Originally Posted by KLB
    Define a proper configuration of Active-X and then define the default configuration of MSIE. Then convince us that the common user understands the difference between a system prompt, a popup ad and a "oh crap something really bad is going to happen if I click okay" alert. Now convince us that the majority of users actually get all of the system patches they are supposed to. Lets face some realities here. Spyware would not be a problem if Outlook, Outlook Express and MSIE did not support ActiveX and VBScript.
    I never said that ActiveX is the most secure technology, but with proper settings the worst can be prevented. Especially SP2 introduced settings which are very careful in the matter and actually disallow most of the potentially dangerous actions. As long as IE is not configured to actually download and execute each and every ActiveX control (perhaps even unsigned ones), the chance to have spyware installed is minimal or non-existent (I speak out of experience).

    Beside this ActiveX case, there is no other reason why Microsoft could be blamed for any spyware issue. Hence my initial statement, that this problem was not actually caused by Microsoft.
    Last edited by drzoid; Jan 10, 2005 at 01:50.

  10. #35
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by stymiee
    Due to the nature of what VNC does I would not say classifying it as spyware is inappropriate. Especially since some malicious users do try to install it on user's machines in an attempt to hijack them.
    Yeah, I never really thought of it like that!

    Cheers!

  11. #36
    Entrepreneur Spencer F.'s Avatar
    Join Date
    Dec 2003
    Location
    New York, NY
    Posts
    571
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Dunedin
    Another windows 'quirk'. Another unpatched trojan.
    Another Windows XP machine that is so bloated with patches and updates that well written software failed.

    Nah, OS X, its easier.

    TM:2005
    That's just ignorance. Your computer is secure as the Administrator behind it.
    + Carbonmade - Easiest way to display and manage your portfolio.
    + Burstoid - Design magazine.

    + twitter/spencerfry

  12. #37
    He's No Good To Me Dead silver trophybronze trophy stymiee's Avatar
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    Mentioned
    2 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Spencer F.
    That's just ignorance. Your computer is secure as the Administrator behind it.
    But is an accepted fact that most "Administrators" have no clue what the heck they are doing. That's the market MS is targetting (just as much as the "knowledgeable" market) with Win ME and Win XP Home.

  13. #38
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    Yes, thats exactly what I said. The problem is not a technical one, but the default settings. However this changed completely with SP2.
    Enabling too many unnecessary services by default and not having good default security settings is a technical problem. Plus the incorporating too many technologies like VBScript and ActiveX as ubiquitous features throughout Microsoft products is also a technical problem. Yes SP2 addresses a lot, but no it does not completely change the situation. More needs to be done. For instance, Microsoft needs to eliminate VBScript and ActiveX or at least seriously restrict their access to the OS, file system and registry. Why ActiveX is allowed to change the security settings of Internet Explorer is beyond me.


    Quote Originally Posted by drzoid
    Did I say something else?
    I have no idea; you weren't very clear in regards to what you meant.
    You mentioned a security flaw within PHP, but you did not elaborate how that flaw related to this discussion.

    Quote Originally Posted by drzoid
    Can you please explain this more detailed? Apache uses the operating system's API just in the same way as IIS does. There is no difference at all.
    There are major differences between these two servers. IIS is a part of the operating system, just as MSIE is a part of the operating system, whereas, Apache is not. Furthermore, with Apache is locked down by default. You don't get a scripting module (e.g. PHP) unless you install it separately. Apache also doesn't have the ability (at least that I am aware) to build its user base off of the OS's user accounts it has to use its own security regime. There are benefits to tying the web server's security to the OS's security, however, it also adds greater risks that have to be mitigated.


    Quote Originally Posted by drzoid
    I never said that ActiveX is the most secure technology, but with proper settings the worst can be prevented. Especially SP2 introduced settings which are very careful in the matter and actually disallow most of the potentially dangerous actions. As long as IE is not configured to actually download and execute each and every ActiveX control (perhaps even unsigned ones), the chance to have spyware installed is minimal or non-existent (I speak out of experience).
    This is totally unworkable. Normal users do not have the ability nor desire to understand the technical ramifications of the various settings. In addition "legitimate" ActiveX controls can and do change the security settings of Internet Explorer without the user knowing this has happened. I have seen some very major business type web applications where the ActiveX components added new security zones or changed existing zones setting the security level for those zones to low. When I was working in a corporate IT setting, I even had the IT departments of vendors who's web application our people were trying to use tell me to change our security settings to low and to allow unsigned ActiveX controls. One of these IT departments was a major U.S. bank (Fleet Boston), one was a vendor who provided web based access to SCADA type controls and another was a national manufacturer who required its dealers to use their CRM.

    If the IT departments of a major bank or a provider of web access to SCADA controls honestly believes that allowing unsigned Active-X controls is an acceptable practice, how is some grandma to know any better?

    It isn't enough to simply have security settings that disable specific functionalities problematic technologies. The functionalities that pose a security risk must be removed from the technologies in question. This means that at the very least, ActiveX should not be able to allow unsigned ActiveX controls to run under any circumstances. It also means that the security settings of zones like the Internet Zone should not be able to be lowered beyond a certain point and that the trusted zone should not be able to allow non-SSL sites. It also means that risky technologies like VBScript have the ability to be disabled separately from safe technologies like "pure" JavaScript or Java applets.

    Quote Originally Posted by drzoid
    Beside this ActiveX case, there is no other reason why Microsoft could be blamed for any spyware issue. Hence my initial statement, that this problem was not actually caused by Microsoft.
    Sure there is, how many times has spyware been inserted into systems by worms and Trojans via vulnerabilities or unsecured ports within the Windows operating system? The days of worms and Trojans that exist purely to muck up computer systems and self replicate are over. Worms and Trojans are now being created by organized criminals who infect systems to turn them into zombie networks and/or to mine the target computers for usernames, passwords, bank accounts, credit card numbers, social security numbers, etc. If this doesn't count as spyware, I don't know what does. These malicious programs are able to get a foothold with in the Windows operating system, not just because computer configuration problems but because of very critical security flaws that are constantly being discovered within Windows, IIS, MSIE, Outlook, etc. Why right now there are three "extremely critical" flaws that Microsoft has yet to address.
    http://news.com.com/IE+flaw+threat+h...3-5517457.html
    http://news.com.com/Critical+Windows...3-5517567.html

    Yes Firefox, Apache, Linux, etc. have vulnerabilities that get discovered from time to time, but rarely if ever do they rise to the level of threat that Microsoft's do. Furthermore, if the argument that all software has problems it's just that Microsoft is such a big target were true, then Apache, which has had a lock on the web server market since shortly after its inception should have a very large bulls eye painted on it. This is especially true since Apache's code is exposed to the. Yet we have seen that year after year that more flaws are discovered in IIS than Apache and that year after year, more IIS servers are compromised than Apache.

    Quote Originally Posted by Spencer F.
    That's just ignorance. Your computer is secure as the Administrator behind it.
    Then world is in deep, deep doo doo.

    BTW you should read http://www.techweb.com/wire/security/56200327
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  14. #39

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by KLB
    or at least seriously restrict their access to the OS, file system and registry. Why ActiveX is allowed to change the security settings of Internet Explorer is beyond me.
    I would have expected you to know that this is not possible with the current implementation of ActiveX.

    Quote Originally Posted by KLB
    There are major differences between these two servers. IIS is a part of the operating system, just as MSIE is a part of the operating system, whereas, Apache is not. Furthermore, with Apache is locked down by default.
    I am sorry but this is completely rubbish. Neither IIS nor IE are a part for the operating system. IE is just an application which is automatically installed along with Windows and there is simply just no official option to remove it. IIS is even not installed automatically at all.

    The only difference between Apache and IIS is that - as you mentioned - IIS supports a broader range of Windows specific features. This is due to its only-Windows nature.

    Quote Originally Posted by KLB
    You don't get a scripting module (e.g. PHP) unless you install it separately.
    And?

    Quote Originally Posted by KLB
    Sure there is, how many times has spyware been inserted into systems by worms and Trojans via vulnerabilities or unsecured ports within the Windows operating system?
    Can you name a single spyware (read, no worm or virus) application which was distributed through an actual security leak?

    Quote Originally Posted by KLB
    Furthermore, if the argument that all software has problems it's just that Microsoft is such a big target were true, then Apache, which has had a lock on the web server market since shortly after its inception should have a very large bulls eye painted on it. This is especially true since Apache's code is exposed to the. Yet we have seen that year after year that more flaws are discovered in IIS than Apache and that year after year, more IIS servers are compromised than Apache.
    Okay, I have explained it now already two times why this argument does not apply here and I am certainly not gonna explain it a third time.

  15. #40
    He's No Good To Me Dead silver trophybronze trophy stymiee's Avatar
    Join Date
    Feb 2003
    Location
    Slave I
    Posts
    23,424
    Mentioned
    2 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by drzoid
    I am sorry but this is completely rubbish. Neither IIS nor IE are a part for the operating system. IE is just an application which is automatically installed along with Windows and there is simply just no official option to remove it. IIS is even not installed automatically at all.
    Actually they are part of the OS (or at least IE is). It was the cornerstone of MS's anti-trust lawsuit. They said it wasn't bundled with windows because it is a part of windows and is esential for it to function.

  16. #41
    Your Lord and Master, Foamy gold trophy Hierophant's Avatar
    Join Date
    Aug 1999
    Location
    Lancaster, Ca. USA
    Posts
    12,305
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by stymiee
    Actually they are part of the OS (or at least IE is). It was the cornerstone of MS's anti-trust lawsuit. They said it wasn't bundled with windows because it is a part of windows and is esential for it to function.
    This is correct...
    Wayne Luke
    ------------


  17. #42

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Come on guys, dont reply in such a childish way. You should know better. Just because they used some odd "arguments" to defend themselves against these ridiculous lawsuits doesnt make them real. Of course you can remove IE.

  18. #43
    Employed Again Viflux's Avatar
    Join Date
    May 2003
    Location
    London, On.
    Posts
    1,127
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You can, and then try running Windows Update.

  19. #44

    Join Date
    Oct 2003
    Location
    €uroLand
    Posts
    1,340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Viflux
    You can, and then try running Windows Update.
    What do you want to say? That the Windows Update site requires the IE? Thats not the point here. The point is that IE is not part of the operating system.

  20. #45
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    I would have expected you to know that this is not possible with the current implementation of ActiveX.
    Please define the following:
    • Current implementation of ActiveX - current as of when? What patch or version? The following is a registry entry I found inserted on one of my computers by an ActiveX control after I watched the individual access the related website. This happened in Febuary of 2004.
      Code:
      REGEDIT4
      
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\5]
      "DisplayName"="MLXchange"
      "Description"="Browser settings required for proper MLXchange navigation."
      "Icon"="C:\\WINDOWS\\DOWNLOADED PROGRAM FILES\\MLXCLIENTUTILS.DLL#000000CC"
      "Flags"=dword:00000000
      "1001"=dword:00000000
      "1004"=dword:00000000
      "1200"=dword:00000000
      "1201"=dword:00000000
      "1405"=dword:00000000
      "1406"=dword:00000000
      "1A02"=dword:00000000
      "1A03"=dword:00000000
      "1804"=dword:00000000
      "1601"=dword:00000000
      "1803"=dword:00000000
      "1A00"=dword:00000000
      "1400"=dword:00000000
      "1407"=dword:00000000
      "1606"=dword:00000000
      "1607"=dword:00000000
      "1604"=dword:00000000
      "1402"=dword:00000000
      "1605"=dword:00000000
      "1800"=dword:00000000
      "1802"=dword:00000000
      "1805"=dword:00000000
      "1A04"=dword:00000000
      "1C00"=hex:00,00,01,00
      "1E05"=dword:00010000
      "MinLevel"=dword:00000000
      "RecommendedLevel"=dword:00000000
      "CurrentLevel"=dword:00000000
    • Define proper security configuration for ActiveX. I asked this before, but you have chosen to ignore that request.


    Also:
    • Give examples of how Apache makes use of core OS functionality just like IIS. For instance Windows file permissions and ACLs
    • Tell us how many critical security vulnerabilities have been reported for Apache/PHP and how many have been reported for IIS. How many buffer overflows?
    • Tell us how MSIE, ActiveX and VBScript can be removed by the common non-technical user.
    • Please show us how users of any web browser that does not support ActiveX and VBScript are vulnerable to spyware.
    • Please show us how prior to SP2 Microsoft protected their users from hackers via Windows' ports.


    You have stated that MSIE is not part of the OS, it most certainly is. Yes you can disable access to it, but you can not fully remove MSIE from Windows the way you can remove Firefox. Even fingers of Outlook Express and Microsoft Messenger always exist on a Windows system after they has been "uninstalled."

    As I have said, yes Microsoft is making great strides in improving the security regime of their systems, however, there are a lot of older and unpatched systems out there that are configured based on Microsoft's old way of doing things and there will be for a very long time. This new spyware program is part of Microsoft's effort to address this issue.

    We can not put the burden of securing systems on the end user. It just isn't technically reasonable. Hence Microsoft is slowly evolving their security culture and they are providing new security tools like their Firewall and this spyware removal program. In future evolutions of Windows, I expect that virus scanning software and spyware protection software will be standard equipment just like a Firewall is with WinXP. In a way Microsoft has to do this, because it is the only way they can really help users protect themselves.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  21. #46
    Employed Again Viflux's Avatar
    Join Date
    May 2003
    Location
    London, On.
    Posts
    1,127
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    What do you want to say? That the Windows Update site requires the IE? Thats not the point here. The point is that IE is not part of the operating system.
    We went through a project about 18 months ago where our mission was to remove IE from our user's desktops.

    After many discussions with IBM and their Microsoft Engineers, it was determined that in order for ANY Windows Update functionality, the core components of Internet Explorer are necessary.

    It may or may not be correct, but I wouldn't wager on the IBM guys playing that card unless it was true.

  22. #47
    SitePoint Wizard silver trophy KLB's Avatar
    Join Date
    Nov 2003
    Location
    Maine USA
    Posts
    3,781
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by drzoid
    What do you want to say? That the Windows Update site requires the IE? Thats not the point here. The point is that IE is not part of the operating system.
    I agree with you that not being able to access windows update if IE is "uninstalled" is not appropriate proof that IE is tied to the OS.

    However, try to uninstall IE. Tell us how this is done. Besides web browsing, what other functionality do you lose?

    Also tell us what happens if you go to windows explorer and type in the domain name of your favorite website. Better yet do this when your default browser is set to something other than MSIE. MSIE is part of the windows operating system and Microsoft made sure that they are all but inseparable. Yes this was done for legal reasons; however the fact remains Windows and IE have become inseparable. Yes you can hide the browser interface from users, but the core code still exists and functions.
    Ken Barbalace: EnvironmentalChemistry.com (Blog, Careers)
    InternetSAR.org
    Volunteers Assist Search and Rescue via Internet
    My Firefox Theme: Classic Compact
    Based onFirefox's default theme but uses much less window space

  23. #48
    l º 0 º l silver trophybronze trophy lo0ol's Avatar
    Join Date
    Aug 2002
    Location
    Palo Alto
    Posts
    5,329
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Hrm. The top few posts of this thread actually made it seem like a good discussion might take place on Microsoft's new spyware offering.
    .
    Zach Holman
    good-tutorialsblogtwitterlast.fm

  24. #49
    Your Lord and Master, Foamy gold trophy Hierophant's Avatar
    Join Date
    Aug 1999
    Location
    Lancaster, Ca. USA
    Posts
    12,305
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    The test of whether a series of APIs is part of the Operating System is whether or not it can be used with other applications without further changes.

    The following applications use and rely on the IEHTML API distributed with Windows in order to operate: Windows Media Player, Microsoft Office, Intuit's Quicken, Most WYISYWG HTML Editors, Outlook Express, Norton Anti-virus, Active Desktop, Windows Help, Topstyle 3 and many more.

    I actually think this is a good thing and belief that the rendering of HTML objects should be done at the operating system level. And while, Microsoft's security is not as good as it should be and Windows was not originally envisioned as a Network OS, that the overall paradigm is inherently sound. User-based permissions such as those used in Linux, Unix and any Networked Windows computer are not needed for the Home Computer user. The trick or goal is allowing freedom to connect and use our computers as we see fit without having to take weeks of computer classes while maintaining security. On this Microsoft hasn't quite grasped the concept but they are getting better. The anti-spyware and anti-virus offerings they are working on are steps towards achieving that goal. I think it will actually allow more freedom on the Internet than restrict it as people will feel safer.

    No other operating system outside of the Macintosh OS has acheived the simplicity of setup, use and connectivity that Windows has brought to the computer world. With ease of use you sacrifice security and visa versa. This really has nothing to do with the code or what is part of the OS or isn't. Most exploits (worms, trojans, viruses, spyware, et al.) are not created because of holes or flaws in the code but through published APIs. Every Microsoft API is thoroughly documented and available to anyone with an Internet Connection. No amount of built-in security is going to overcome human action. Even the most secure networks with User-Based permissions installed and "zero maintanence policies" are brought down because of people downloading some game off the Internet and playing it on their work computer. Doesn't matter what you do to lock out the fools because a better fool always comes along.
    Wayne Luke
    ------------


  25. #50
    Your Lord and Master, Foamy gold trophy Hierophant's Avatar
    Join Date
    Aug 1999
    Location
    Lancaster, Ca. USA
    Posts
    12,305
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lo0ol
    Hrm. The top few posts of this thread actually made it seem like a good discussion might take place on Microsoft's new spyware offering.
    Yeah, the anti-microsoft people always ruin it.
    Wayne Luke
    ------------



Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •