Making it mandatory for the OS to help the user maintain ‘best practices’ should be the mandate, especially for a company involved in OS development for 30+ years now. Expecting a bit more of a company like Microsoft is not a bad thing they make billions of dollars a year making the OS, hire the most talented developers and have the most pull in the industry, we should be in digital nirvana by now. Alas we deal with constant “security theater” due to OS ‘best practices’ not being followed. Wouldn’t it be nice if we could pay for someone to do that?

Like or Dislike: 0  0

Upon starting both machines this morning, I discovered that Automatic Updates had been “automatically” turned ON & both machines were busily downloading updates.

Rebooted, and AU stayed OFF, but I’m getting the annoying “Your computer may be vulnerable” notification at startup.

Has anyone experienced this? I’ve had automatic updates turned off on all my machines for more than 2 years.

Like or Dislike: 0  0

Second, you’re being disingenuous as your entire argument is based on a user being logged in as a full administrator which goes against best practices. Like other modern OS’s, Windows does have a security architecture that allows you to lock down/secure the system. The problem is that running as administrator, you’ve basically disabled all those security features built into the OS and given the keys to the castle to anything that runs on that system. Without administrator access, rootkits, as well as, most malware would NEVER be able to get their hooks into the system. The most they could do is affect the current user profile, NOT the entire system.

The issue of running as administrator stems from an old paradigm where a great majority of software developers, including Microsoft designed software that required admin access. Something malware authors have taken full advantage of these days. It was a different ecosystem back then. We didn’t have the Internet connecting all these computer systems together. You didn’t have the threat landscape that exists today. Obviously, much as changed and it’s been a long drawn out struggle to change that old paradigm, which requires software to be rewritten and ecosystems to be changed. It’s not a simple process considering the ubiquitous nature of Windows. Much has been accomplished over recent years, although there is still much to be done, primarily now, I believe, in user education.

Ultimately, it’s a compromise between usability and security. The most secure system is one powered off, but it’s not one that is very useful. Microsoft could default more toward security, but that would break a plethora of software applications that still require admin access and tilt the apple cart away from usability upsetting many users (ex. outcry with Vista’s UAC). Regardless, considering the nature of threats these days, it is imperative to implement one of the biggest defenses against malware, the use of a non-admin account. Overall, it’s part of a defense in depth strategy that should be common practice. The problem is people don’t want to be bothered. They just want their computers to work out of the box without much effort. To most security is an afterthought. That is until they become a victim of malware. It must be understood that security is a process, not a onetime thing like installing antivirus/security software and thinking you’re safe. Until that mentality changes, we will continue to have these issues.

Like or Dislike: 3  1

Following your own (correct) logic:

by the time the next versions of MSRT and Microsoft Security Essentials are released (in March), Alureon will have changed once again…and will not be detectable.

I guess the same holds true for Avast, MBAM, etc.
The “stealth race” is on…

Like or Dislike: 0  0

My understanding (I may be wrong),
is that
XP SP3 = XP SP2 + all win updates.

I have (up to now), installed all the monthly patches.

Anyhow, I’ll have to install XP SP3 later,
‘coz M$ will suspend all update patches to XP SP2
in June 2010.

Like or Dislike: 0  2

Come to think of it, I got a new Windows-7 laptop at work yesterday, and I installed a bunch of stuff. I don’t recall seeing any UAC dialogs…

Like or Dislike: 0  0

@Rick,
For the most part I agree with you and find your taking a step back to view the problem at a higher level refreshing. I spent many years working with mainframes and was reasonably familiar with the internal OS design. Thus, like you, I see the painfully poor design choices made with Windows.

Much of it goes back to the early days when hardware was very different. Mainframes never made a concession to security or reliability even when their hardware was less powerful.

That said, you are targeting the worst case here, which may not be fair. Anyone who runs as an Admin level user is all but asking for it. This turns off whatever security MS has baked into the system. Not a fair fight.

Yet, many Windows users run as Admin and don’t realize the danger this entails.

Whose fault is poor user education?

Microsoft is REALLY at fault with Win7 where they recommend running as a restricted user and where the OS does this fairly well. Yet, they default everyone to being admin users.

These are the Fred Flinstone years in personal computing. Future generations will look upon this era as brutally crude, the same way we might regard a 1910 era automobile.

Well-loved. Like or Dislike: 4  0

‘The biggest crime is that generations are being taught patching – post discovery of exploits – is normal and to be expected.’

Bingo. Pavlovian. A lot of people make a lot of money off making fools out of everybody else.

Amit Yoran and Alex Cox @ NetWitness say expressly that AV cannot protect against attacks like these and an analysis by Trusteer ascertains the effectivity of AV to stop Zeus at a pathetic 23%.

You can never compensate for a system that architecturally has no security.

Hot debate. What do you think? 6  5