Microsoft-Sponsored Study Says Problems Caused By Using Windows Software Will Cost Businesses $500 Billion In 2014
from the awkward dept
The copyright industries’ obsession with trying to shoot down piracy at all costs can sometimes cause them to end up shooting themselves in the foot. Here, for example, is a great example from Microsoft, which has recently been fulminating against the dangers of software piracy:
A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now — cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.
The study fills out the picture with some details of the methodology (pdf):
In 2013 IDC tested pirated software from more than 550 Web and P2P sites or CDs bought in street markets to determine the prevalence of malware in pirated software. In January and February of 2014, the Department of Electrical and Computer Engineering at National University of Singapore conducted a forensic analysis of 203 PCs that were purchased from PC resellers, specialty shops, and PC markets in typical buying situations in 11 countries. Together, this research found the chances of encountering malware in a pirated copy of software is one in three. The chance of encountering malware in a PC purchased with pirated software is more than 60%.
Although the report doesn’t say so explicitly, we are clearly dealing with Windows systems here — computers are referred to throughout as “PCs,” never as Macs, and some of the malware is named as “Win32/Enosch.A, Win32/Sality.AT, Win32/Pramro.F,” which attack Windows systems exclusively. We can also be pretty sure that none of the infected programs was open source. Why? Because pirating software that is already freely available makes no sense — and is certainly unlikely to be as profitable as offering black market versions of costly closed-source programs.
Putting this information together — in order to “Get The Facts” as Microsoft always liked to say — we arrive at the interesting conclusion that the use of commercial closed-source programs running on Microsoft Windows will cost businesses around $500 billion in 2014 alone because of the wasted time, lost data and reputational damage that will result from associated malware infections.
Assuming the research results are representative of what’s happening — and there’s no reason to suppose they aren’t — the obvious conclusion to draw from them for PC users is not just to stop using pirated software (a good idea), but to stop using Windows-based programs too, and to switch to open source applications running on an open source operating system like GNU/Linux. After all, free software is even cheaper than pirated software, and yet rarely has any of the problems identified in the new report.
That’s a really useful message for those facing the unwelcome prospect of paying their share of $500 billion to deal with the multiple problems associated with the Windows platform, but probably not the one Microsoft had in mind when it sponsored the research.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: copyright, infringement, malware, open source, piracy, software
Companies: microsoft
Comments on “Microsoft-Sponsored Study Says Problems Caused By Using Windows Software Will Cost Businesses $500 Billion In 2014”
The concept of the “Year of the Linux Desktop” is something of a running joke in the open source community. It is to the point where no one in the Linux community will dare declare next year as the Year of the Linux Desktop.
But honestly, the time has finally arrived when we really need a year of the Linux desktop. The technologically challenged should probably be running Linux Mint with a Cinnamon desktop instead of Windows. Linux in any GUI form would keep our grandparents out of many of their computer troubles. The more technologically proficient can find a version of Linux that will meet their needs and preferences.
Re: Re:
Considering most people use the computer for online stuff and office yeah, Linux should suffice. There are issues though. DRM comes right to mind as I can’t run Netflix on Linux as far as I tried a few weeks ago. But you see, if Linux becomes the norm then it will be targeted. And naturally dangerous behavior is the user’s own fault, not the software..
Re: Re: Re:
“I can’t run Netflix on Linux”
Yeah, that they don’t support this is an ongoing thorn, especially since you can run Netflix on Android, which is Linux.
However, you can actually run Netflix on desktop Linux. You can find instructions for how on the net. It’s a pain to set up, but doable.
Re: Re: Re: Re:
I’ll check it out. I’ve been meaning to ditch Windows for some time now but there are plenty of things that won’t run in Linux even with wine.
Re: Re: Re:2 Re:
Be aware, the main reason Netflix doesn’t run on Linux is because the media companies don’t want it too.
Netflix running on Silverlight isn’t the main issue… The **IA seem to think that Linux is home to the lawless folk and so don’t want to license for the platform.
Re: Re: Re:2 Re:
Have you tried running Windows in a VM within linux? I strongly recommend it to people with proprietary software that they need to run.
Re: Re: Re:
Getting Netflix to run is fairly easy with pipelight and a patched version of Wine.
If you are running Arch or Ubuntu it’s very simple to set up.
Re: Re: Re: Re:
Linux needs to get to the point where everything works out of the box, not “install this non-related software and patch this other non-related software”.
Re: Re: Re:2 Re:
Not everyone needs or wants WINE let alone a patched version.
That’s just like saying Windows needs a program that functions like Photoshop installed by default because ~5% of the market needs it. It’s wasteful with computing resources and can increase costs, even in an open source project.
Re: Re: Re:2 Re:
Linux has been at that point for a long while. Netflix is intentionally unsupported on Linux because of the movie companies. It’s not a problem with Linux as such.
Re: Re: Re:3 Re:
Linux has been at that point for a long while.
What Linux really needs (IMO) is to get to the point where a search for how to do something in Linux easily and quickly turns up instructions for how to do it without opening a terminal.
Re: Re: Re:4 Re:
Even instruction for fixing things in windows often use the command line. This is because it is much easier to say type this, and …, than it is to describe navigation through a menu system. Describing menu navigation in Linux can be difficult as it depends on window manager and menu system used, while the command line is consistent.
Finding how to fix things in Linux is usually quite easy, even if it does lead to the Arch wiki. (fixing problems through the command line of an installed system is much easier than installing Arch.)
Re: Re: Re:5 Re:
Even instruction for fixing things in windows often use the command line.
It happens, but it’s pretty unusual in my experience.
Describing menu navigation in Linux can be difficult as it depends on window manager and menu system used, while the command line is consistent.
Yes, the help would pretty much have to be specific to a window manager, and of course most users don’t know what a window manager is. Many probably would not even know what distribution they’re using or what a distribution is, so it’s quite a challenge to get Linux support to the level it needs to be for truly widespread adoption.
Finding how to fix things in Linux is usually quite easy, even if it does lead to the Arch wiki.
I don’t know what Arch is, but yes I agree it’s easy – if you’re comfortable pasting and running commands you don’t understand from a person you don’t know. Between simple intimidation and confusion, and concerns about risk, I think there are a lot of people who aren’t.
Re: Re: Re:6 Re:
Following instructions to click buttons and fill in boxes etc. is no different. It is just as easy to get someone to break a system doing administrative tasks using a wimp interface as it is using the command line.
Re: Re: Re:7 Re:
Following instructions to click buttons and fill in boxes etc. is no different.
It’s very different, because it’s much easier to understand what the buttons are doing. To an uneducated user, the following is gibberish: sudo apt-get install packagename (and that’s one of the less opaque linux commands you might find). But opening up “software center” or something similar, searching for the name of the software they want, finding it in the list, and clicking a button that says “Install” makes sense.
Re: Re: Re:8 Re:
I suspect people are more likely to carry out further research when following command line instructions than when using a wimp interface. Many people think if it is in a wimp interface then it is something that is safe to do.
By the way the software center, and apt-get, are Linux specific, and relatively safe ways of adding software. On of the big problems with windows is having to find, download and install software from somewhere on the net, including critical system drivers if the CD/DVD is damaged.
Re: Re: Re:8 Linux
Ok, as a long term full-time linux user, I have to speak up here. I use Fedora linux. If I want to install a new program, I can use the command line, or I can open what is essentially the start menu, begin typing Apper, and it will appear at the top of the list of choices (fun fact: this function, along with many others, were stolen from linux to put into Windows). Alternatively, if I want to check for updates, to everything installed, I open Apper and click ‘Check for updates’.
Not all flavors of linux work exactly the same way, but for things like this which are common, there is pretty much always a GUI front-end for the command line back-end.
Re: Re: Re:9 Linux
Not all flavors of linux work exactly the same way, but for things like this which are common, there is pretty much always a GUI front-end for the command line back-end.
Of course, but I’m not sure what your point is. Nobody was claiming that Linux is lacking in GUI tools.
Re: Re: Re:4 Re:
What Linux really needs (IMO) is to get to the point where a search for how to do something in Linux easily and quickly turns up instructions for how to do it without opening a terminal.
Yeah, I’ll agree with you there.
While I am comfortable using the terminal and command lines (my first real computer learning experiences were with a computer with IBM PC-DOS 1.1 back in the early 80’s), I tend to do most things on Debian with the GUI interfaces too and when I need to search for how to do something I usually end up parsing the terminal commands into the GUI world and use those tools instead. Nautilus to move and copy files and to change permissions. Synaptic instead of apt-get for packages. And so on.
Re: Re: Re:5 Re:
I agree too.. for us old enough to remember edlin on DOS (you and me are old farts it seems LOL) Windows 2 and then 3.0/1, ME (shudders), 98, Xp, 7 etc made us get lazier and lazier.
Though strangely I still cannot use the mouse to copy/paste and use Wordstar commands constantly still (muscle memory) within Wordprocessors.
I think ease of use with Windows and with most people seeing a command terminal as “Evil Voodoo Majicks” (Which really has always been) is the main problem with consumer uptake of *nix.
Thankfully Android and OSX/iOS are are all *nix base and are subliminally creating a huge base of users that really don’t care what OS they use as long as it works and does what they want without too much fiddling with the “majicks” underneath.
Re: Re: Re:4 Re:
What Linux really needs
Not singling you out. It’s just such a common phrase to see and every time I see it, it’s followed by a technical reason why Linux has low desktop market share, when there are more likely business reasons for that. I just don’t think the Linux community should beat themselves up for not making an OS that’s “good enough” to grab market share from Windows, because it doesn’t work that way.
Re: Re: Re:5 Re:
I think the main reason Windows has retained the lead is Microsoft pressure on hardware vendors to only supply machines with Windows preinstalled. Chromebooks are selling because they are preinstalled, as are Android phones.
Re: Re: Re:5 Re:
It’s just such a common phrase to see and every time I see it, it’s followed by a technical reason why Linux has low desktop market share, when there are more likely business reasons for that.
I was thinking of the home market, but yes that’s definitely true.
Re: Re: Re:3 Re:
Indeed. After it’s installed there’s very little you need to do. And you can mostly do it from the distro repository (trusted, easy source).
Re: Re: Re:2 Re:
The problem is not with Linux, but rather the content Industry, they will not provide the DRM code for an operating system that allows the user to get at the low level plumbing.
Re: Re: Re:2 Re:
It’s currently better than windows.
Internet on windows doesn’t work out of the box, you need to download your hardware’s driver and install it.
A lot of hard drives, including a common western digital hard drive I have, need downloaded drivers to work.
Try, uh, doing that or locating the right ones without a connection to the internet or a hard drive to put them on. I couldn’t figure out how to install windows on the hard drive until I made my own usb-windows installer . . . from a linux app.
I’m not joking. I recently had to install windows grumble because the software for sending a particular type of bioinformatics simulation job to a particular type of computer cluster is written in visual c++ and installing windows seemed easier at the time than writing my own version or something.
Probably still is easier to isntall windows, but I have doubts now.
Now we just need the market share for 3rd partys to program for linux.
Re: Re: Re:2 Re:
You are obviously not very familiar with Linux distros.
Linux Mint for example does work straight “out of the box”, does not require any patching and is an easy way for a windows user to take a first step into the Linux world
There are many other distros doing the same.
Re: Re: Re:
Netflix on Linux is becoming less of an issue now that TVs have Netflix built in. Plug a Roku into your TV and you’re all set.
Re: Re: Re: Re:
Netflix on Linux is becoming less of an issue now that TVs have Netflix built in. Plug a Roku into your TV and you’re all set.
If Netflix is built in, why do you need a Roku?
Re: Re: It's actually a very old idea.
Use pipelight if you really want to use your desktop web browser to watch Netflix.
It’s a variation on the old Crossover plugin for enabling iTunes in Linux. It’s a wrapper around wine. You just run the Windows plugin.
Re: Re: Netflix
Just wanted to comment on Netflix on Linux. Go here, http://www.makeuseof.com/tag/easily-enable-silverlight-watch-netflix-linux/ works great, allows you to watch it right in Chrome.
Re: Re:
Sounds good in theory. In practice:
* My wife can’t use Linux because, as a mystery shopper, some sites still require IE
* As a realtor, the forms program requires Windows
* My daughter is studying graphic design, she’s required to use Photoshop and Illustrator
* My kids are required to use Word for school; when I tried Linux one stupid teacher practically gave my daughter a zero because the formatting wasn’t correct after it came over from OpenOffice
It sounds easy, but it’s not. There’s constantly another party requiring Windows in some form or another.
Re: Re: Re:
For 1, 2, and 4 you can use a virtualized copy of Windows. 3 you could as well, but it might be too slow.
Might want to look into VirtualBox.
Re: Re: Re: Re:
Actually, for 1, you can just use a Linux browser (Iceweasel, Firefox, Opera, Chrome, etc.) and tell it to identify itself as IE. I’ve never had that fail to work.
Re: Re: Re: Re:
The only problem with that is that you need to purchase a copy of Windows specifically for that Virtual machine. The license that comes with most any computer these days is an OEM which only applies to that machine installed bare-metal (no VM). And don’t forget it has to be Professional or Enterprise (finally becoming something normal people can buy). Oh yeah, you may need CALs with that for others to use it and device CALs to remotely access via remote desktop. Then there’s VDI.
Microsoft licencing is such a pain in the ass that it’s a complete IT specialization of its own. I’m trying to create an any OS, any application, any device for our multiple home/office setup here and… ‘Oh, my aching head!’ Sorting through all the Open Source and Distribution licenses ain’t much fun either as you have Community licenses (what do you have to contribute if you change anything?) then you have the Support licenses with their funky rules. BTW, if you think all of this is bad, I can introduce you to Oracle et. al. Double Jeopardy! You want BSA with that?
Re: Re: Re:
What Wine or Virtualbox for those few use cases?
Re: Re: Re: Re:
Those aren’t a few cases. That sounds like the bulk of their computer needs – school and work. What is left to justify needing Linux? Using a browser?
Re: Re: Re:2 Re:
I would have thought that not being spied upon by your government should be a higher priority.
Re: Re: Re:3 Re:
As far as I know, Windows is not a requirement for being spied upon. The governments of the world are tapping into the back end, not the user OS. Unix is not going to help with that.
Re: Re: Re:
Funny how people roll over and assume the position when confronted with “you must use X because I say so”…
* Sites that require IE are broken, nobody not support such businesses.
* Have you tried Wine with those forms programs? I know at least my realtor uses some forms software that runs from a website and uses Java (not that this is much better).
* Ah yes, the uber-expensive Adobe lockin – by the way, do they allow OS X users to particpiate?
* Word does happen to run on Linux – but my kids all use OpenOffice and haven’t had any problems yet. Usuually it is acceptable to convert such documents to PDF when submitting them, isn’t it? Why do we still allow teachers to dictate our choices in life?
Re: Re: Re: Re:
“Word does happen to run on Linux – but my kids all use OpenOffice and haven’t had any problems yet. Usuually it is acceptable to convert such documents to PDF when submitting them, isn’t it? Why do we still allow teachers to dictate our choices in life?”
I routinely save to MS formats from LibreOffice and no one has ever noticed or commented on my formatting. I suspect if no one told the teacher, no one would know.
Re: Re: Re:2 Re:
This. I’ve been using OpenOffice for years, and exchange word docs with Word users daily. It’s never been a problem.
“After all, free software is even cheaper than pirated software, and yet rarely has any of the problems identified in the new report.”
This is a dangerous and disingenuous statement. Anyone who programs will tell you this isn’t true, and worse, it assumes the habits of people will change when installing software.
All we need to do is look at Android, which now has an exponential growth on malware installs because both the user and exploits are easy to take advantage of.
I’m more terrified of using an Android device than I am of a Windows system, unprotected. Even without anti-virus software, there are built-in options I can set that prevents unauthorized installs on my computer (which most people argued Microsoft’s UAC was too intrusive, which is a problem of users).
In addition to the malware threats are the oft-used “single sign on” systems, such as Facebook and Google, which allows a breach of multiple accounts because of one nefarious install/visit of an application.
Another study showed that the majority of users who download Android apps do not read the permissions, instead sacrificing understanding for the app. This is a problem, not the software.
Linux is also seeing a growth of exploits, as well as Java (which is used on most non-computer systems, just as DVR, phones, etc).
I’m not advocating Microsoft is untouched here, but most of the problems (often wrongly attributed to the company) is actually the fault of third party software, improperly written to allow the exploit. Adobe Flash, anyone?
Open source software will not remove the problem, which will always be the burden of the user.
Even Enterprise is finding “open source” to be a problem, since they’re chasing profits and allowing uneducated IT people to install software they are not familiar with. Since it’s open source, there’s no licenses to be concerned with, meaning problems will get worse before they get better.
Education is key, but if Microsoft wants to turn things around, the first order of business would be to make its flagship OS easier to obtain financially.
Oh, wait. They are. Microsoft jut announced anything with a 7″ screen or less has a zero cost to its OS.
That’s a start, but it doesn’t include the PC, the most targeted device at the moment.
When PC sales continue to decline for the tablet-based system, in 10 years from now, the tablet will be the new target.
Unless we can educate billions of people by then.
Re: Re:
Indeed. The biggest business cost is in technological stupidity and incoherent anti-malware stratagems.
Re: Re:
First, to Glyn Moody: the title of this post is misleading. The study said that using pirated Windows will cost businesses $500 million, where as the post’s title implies that using any Microsoft product will cost businesses $500 million. These two assertions are fundamentally very different.
Similarly, “free software is even cheaper than pirated software, and yet rarely has any of the problems”, is misleading. There’s a difference between ‘free’ and ‘free and open source’, and ‘well-vetted free and open source’. I think you mean the latter of the three.
Next, onto Violynne: “I’m more terrified of using an Android device than I am of a Windows system, unprotected.” Well, at least you’re still somewhat terrified of using Windows 😉
>”but most of the problems (often wrongly attributed to the company) is actually the fault of third party software, improperly written to allow the exploit.”
Windows provides an environment with a lot of holes, to the point where it’s not clear any major software can be written properly. Outlook, Office, etc, ties into IE, which ties into the kernel, etc, etc. That’s why there are exploits that can take over a Windows machine just by opening an email in Outlook, without even clicking on an attachment. Message queuing between processes is unauthenticated, anything can clobber the Registry, and they still haven’t quite figured out networking. Former Microsoft VP Jim Allchin once stated, under oath, that the flaws in Windows were so bad, that releasing the source code would be a threat to national security.
>”Since it’s open source, there’s no licenses to be concerned with, meaning problems will get worse before they get better.”
Since when has a license had anything to do with computer security or operating system design?
Re: Re: Re:
Agreed as to the misleading title.
Re: Re: Re:
First, to Glyn Moody: the title of this post is misleading. The study said that using pirated Windows will cost businesses $500 million, where as the post’s title implies that using any Microsoft product will cost businesses $500 million. These two assertions are fundamentally very different.
If you agree that the subject of the report is entirely or almost entirely Windows systems, then the actual cost will be this:
The $500 million from malware listed in the study
+
The cost incurred from malware and other problems in legitimately purchased Windows and Windows software
–
The cost that would be incurred by using open source instead
So unless C is bigger than B, the actual cost of using Windows will be more than $500 million.
Re: Re:
“I’m more terrified of using an Android device than I am of a Windows system”
You shouldn’t be, though. Android is no more dangerous to use than anything else, and you can install all the usual protection software (firewall, etc.)
“All we need to do is look at Android, which now has an exponential growth on malware installs because both the user and exploits are easy to take advantage of.”
I think you’re misstating why malware installs are more common in Android than other platforms. It’s not because Android is inherently less safe to use than anything else (it isn’t). The rate is larger than with desktop Linux simply because it’s a more commonly targeted platform. It’s better to compare malware rates between iPhone and Android.
Android has a greater number of malware installs, but the media makes the difference out to be greater than it actually is. Most of those come about because of people installing from third-party marketplaces or sideloading, not because Android is inherently less secure. If users never do those things, the rates are roughly comparable between the two platforms.
Re: Re: Re:
I don’t disagree with some of this, but Android does not give me the option to disallow permissions I believe it shouldn’t need, and that’s why I find it a risk.
Not that I’d be downloading malware. Google’s pretty good at removing risky apps, but it seems to shrug its shoulders on given app creators significant leeway in what can, and can not, be used for app building.
As for the Microsoft holes, can’t agree there. The majority of exploits are done via memory access, and it’s impossible to protect against every possible threat, much in the same way it’s impossible to determine every copyright is infringing.
Because many process remain in memory, especially those critical to OS operation, they’re subject to attacks. Though there are individual processes, most still share memory address space.
Computers wouldn’t work well without this sharing, unless every app takes minutes to load.
Most exploits take advantage of improper memory clearing, and this is not solely due to Microsoft’s code.
If it were, then it truly would be a closed system.
Re: Re: Re: Re:
Re: Re: Re:2 Re:
One thing that bothers me about Windows is the fact that Windows 8 computers no longer comes with a re-installation disk. So what happens if something destroyed the operating system two years later after any warranty is gone? You’re supposed to just either buy a new Windows license or buy a new computer?
Re: Re: Re:3 Re:
My solution is to not buy a Windows 8 computer, but I’m not sure how long that will work. Assuming I buy another Windows computer (not a sure thing), I’ll want to make sure there’s a way to make recovery disks. Don’t they come with a recovery partition on the hard drive or something?
Re: Re: Re:3 Re:
Does the system not offer the user a chance to make a single set of restore DVDs? (Base windows 7 went to two dvds).
Re: Re: Re:4 Re:
No. There is a way to do it but even an 8.5 GB DVD is too small and it doesn’t allow for a way to use more than one DVD for some reason when I tried it with my laptop (Oh, I tried, I played with it, called Samsung, called Microsoft, requested an installation disk from both, asked them questions, got nowhere). I ended up having to dedicate an entire hard drive just to make the backup of how I got the laptop and who knows how it’ll work or even if it’ll work if something does go wrong.
Also, most users who buy a computer aren’t going to do this or even know to do this. At least back in the days if someone had a computer with something wrong I can ask them if they have their installation disks and, hopefully, if they were smart, they kept those disks in a smart place they can find it and I can do a reinstall. But now they don’t get any disks and chances are they didn’t do any backups so if something goes severely wrong they maybe out of luck. Maybe that’s the plan, who knows.
Re: Re: Re:5 Re:
Knowing windows, I would not trust backup to another hard drive unless it was carried out by a bit clone of the drive, and the restore is done the same way. There is the small matter of drive-id and DRM, which bit cloning preserves.
Re: Re: Re:5 Re:
But now they don’t get any disks and chances are they didn’t do any backups so if something goes severely wrong they maybe out of luck. Maybe that’s the plan, who knows.
Could be. Spend $200 to get Windows back, try Linux for free, or spend $300-400 (varying quite a bit of course) for a new computer. Buying Windows is a pretty unattractive proposition. I don’t think they’re shooting for that, but maybe hoping people will just buy a new machine.
Re: Re: Re:3 Re:
“One thing that bothers me about Windows is the fact that Windows 8 computers no longer comes with a re-installation disk.”
That’s not a limitation of Windows 8, that’s a limitation of the manufacturer. HP got rid of the recovery CDs back near the end of the XP days.
Re: Response to: Violynne on Apr 3rd, 2014 @ 5:01am
Most installations of Android are not open source, and neither are the apps people install.
I fully agree with you assessment that it is by no means a safe platform, but because of the above facts you can’t draw an analogy from there to linux laptops and desktops.
Implying “malware hidden in pirated software” is the biggest malware issue.
Web hosted exploit kits are the major threats. Also microsoft not having DEFAULT software like DeepFreeze is an issue.
Windows users: http://www.faronics.com/en-uk/products/deep-freeze/
You’re welcome
Re: Re:
Disk imaging software doesn’t stop malware. It just lets you get rid of it by reverting to a snapshot of the system prior to the presence of software — in other words, it’s just restoring your system from a backup. I don’t think that Windows lacking disk imaging software by default is a security issue at all.
BTW, there are many disk imaging systems that are open source or free. There’s no need to purchase one.
Re: Re: Re:
“It just lets you get rid of it by reverting to a snapshot of the system prior to the presence of software”
I use the backup and recovery tools built into windows to do that now. I know it’s in Windows 7, but I think it’s been built into Windows since Vista, possibly XP. Hell, I do that when it’s just time to start fresh, faster then loading the OS and drivers from CD.
There’s also the System Restore function that I’m also fairly sure was built into XP, but that only does system files. That’s another thing that’s saved several computers from Viruses in my Tech support history. I don’t like using it though, it potentially leaves the original, bad file on the disk where the Backup and Recovery tool overwrites the entire drive.
Re: Re: Re:
You can’t stop malware. End of. I never claimed as such either.
Look at what deep freeze is before assuming a basic “average imaging tool”. It’s automatic. EVERY time you boot the box. Avoids all entropy issues as a consequence too. Implying system restore is 1% as good as deepfreeze. lol
I manage multiple internet cafes with about 600 windows boxes… and trust me, if there was a free version of software like deepfreeze I would use it.
This bit though…lol
You’re taking the piss, right?
With the amount of 0days out there that target everything from your browser to word documents. Web hosted exploit kits WILL get your windows box.
“WILL” being the operative word. You can’t do anything about it except to never go online.
That’s why deepfreeze is a must bit of windows software. Also the whole “no entropy” is pretty cool too. Sure beats running a sandbox or restoring backups all the time.
We need new Operating System architectures
We need new archictectures.
A recent job ad at FoxIT stated that ‘for candidates there is no difference between Windows and Linux’. They meant that one should be proficient in both to apply.
The analogy goes deeper. Both Windows, Linux, OSX, and their mobile variants are built with the assumption that the user *knows what he’s doing*, that he tell good software from bad, and be correct every time. Heck, not even experts can do that at a glance, yet we blame the end user for making the wrong choice.
We need different architectures. These are based upon capability-security, virtualisation, compartimentalisation and reduction of the trusted computing base. These architectures are much more resiliant against user errors, spyware.
Examples are: Genode.org, Qubes-OS.org.
There was a capability project, done by HP-labs, roughy ten years ago. They build (and sold) a user interface replacement – called Polaris – that made XP probably more secure against trojans than W7 or W8 today.
But don’t get your hopes up. Even the author of the Capsicum project can’t get it into android/chromebooks: http://www.eros-os.org/pipermail/cap-talk/2014-April/016082.html
The technology is out there, now we need to deploy it.
Re: We need new Operating System architectures
While I agree with you, the user must have some level of freedom to do what he/she wants or use becomes a hassle. I like the idea that Linux allows you to do whatever in your own user but the changes don’t propagate and if serious structural changes are requested you’d need to provide root permissions. I’ve tried to set up a limited account on Windows. It’s a nightmare, most software demand administrative privileges so if you are doing more than surfing the net, using pre-installed software things get quite complicated. Not that this is bad per se but it’s an issue many aren’t willing to deal with and end up running everyday Windows as administrators.
Re: Re: We need new Operating System architectures
The limited user thing in Windows is a copy of it’s counterpart in Unix. It works the same, and provides the same annoyances. If Unix took over, the average user would just run as root or get into the habit of using sudo before everything.
That problem is with the end user, not the OS.
As a network administrator that runs Windows 2008 Terminal Services, UAC is not that big of a problem. If you’re running software that requires administrative access just to run, you’re probably running the wrong software. It’d be like software asking for the root password in Unix just to run. It shouldn’t be happening.
Re: Re: Re: We need new Operating System architectures
…….
Unix and Linux do not require root for the vast majority of things. Sudo to get root is rarely used. 99%(I’m allowing a very generous 1% merely to stem off arguments) of user actions take place in user space.
Root space is used for system level installs and functions. I run a data center with users and developers, and 95% of them never need to use root permissions ever. The remaining 5% are usually testers who are trying to break things.
Re: Re: Re:2 We need new Operating System architectures
That. You are virtually locked out with Windows limited accounts. As you said, on Linux most software will run without needing sudo at all.
@Chronno: I’m not the average user, I know enough to notice the difference. If you are just doing regular browsing and text editing the limited account is fine. But quite a few software out there, known and respected ones mind you, will require admin privileges for merely executing (not mentioning installation). If you deny some will not run or will run with severe limitations.
Re: Re: Re:3 We need new Operating System architectures
The major cause of this is (mis)-use of the registry, which is also the common cause of system slowdowns. Also because most user setting go in there as well it is not easy to preserve user settings over system upgrades etc. This is also what makes system recovery such a pain.
Re: Re: Re:3 We need new Operating System architectures
I’m a network administrator as I said, so I’m not the average user ether. I use a range of programs from video games to professional programs like ACT. I’ve only ever been asked for administrative access to run a program a hand full of times. Mostly with open source software.
I agree with AC up there, most things should not require administrative access. But what you think, what I think, what AC thinks doesn’t matter. All that matters is how the system is going to be used, and that is how it would be used if Unix was king.
It’s the human element that you hear about every now and then. People will use the system in this way. Changing the skin isn’t going to change the people.
Re: Re: Re: We need new Operating System architectures
The major use of Linux root privileges is to install applications and update the system. Otherwise, the average user would not use root privileges. Also, when Linux updates, it rarely requires a reboot and for most it will update the entire system. So you do not get serial messages at boot to check for updates from MS, Oracle, Apple, Virus Scanner, etc.
The problem with the MS system is that there is no centralized system updater and the user privileges seemed to be too narrow.
Re: We need new Operating System architectures
Virtualization can help a great deal, but it’s far from a silver bullet — there exist many exploits that break through the virtualized box and install on the base machine.
In the end, users who know what they’re doing will always be required. Systems can (and should) be designed in a more resilient fashion, but there’s actually a security concern in doing this as well:
Perfect security is impossible, period. But if you have a system that users feel have something close to perfect security, they’ll be more reckless in how they use the machine, leading to reduced security through bad practices.
You see this effect everywhere. It’s fundamental human nature. The variation that most people might be familiar with is football safety equipment and rules actually making the game more dangerous: http://espn.go.com/racing/story/_/id/7075285/every-sports-league-shares-hidden-danger-safer-equipment-espn-magazine
Same thing.
Re: Re: We need new Operating System architectures
Your point about virtualization’s vulnerabilities is well-taken. On that subject, I’d like to quote Theo De Raadt:
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.“
I agree with him. I suspect that we’re just about on the cusp of discovering that our virtualized systems aren’t nearly as isolated we would like to think they are. This doesn’t bode well for those who’ve made large-scale commitments to cloud computing without thinking through the accompanying risks.
Re: We need new Operating System architectures
No. Unix is not built based on the idea that the user knows what he’s doing. Quite the opposite in fact. Unix is designed with the exact opposite assumption in mind.
That’s why Linux and MacOS are much more secure than Windows. They do less of the obviously boneheaded things that cause problems with Windows.
The biggest problem with Android is trojans. Some of these trojans are even in “respectable” app stores.
The main problem is blurring the line between data and executables. Windows has pushed this for a long time and web browsers in general also try to blur this line as well.
Re: Re: We need new Operating System architectures
The problem with malware is not that it needs root to do damage.
Most people run a single user id. Every little program has access to everything that’s stored under that userid.
Examples: the card games have access to the stored mail, whether they want to or not. The text editor (libreoffice) has access to the photo’s, whether the user wants to include a picture or not.
The problem is that every program has access to everything. As user I need to trust every program to behave nice. Including that program that promises dancing pigs.
With capability architectures, a program only has access to those resources that I, the user explicitly give it. LibreOffice only gets that single picture that I drag onto it. The card games get nothing, neither does the dancing pigs app I downloaded.
That’s the difference between the Posix/Windows security model and the capability access control model.
Re: We need new Operating System architectures
This is not correct. Windows, Linux, and OSX assume that the sysadmin knows what he’s doing. This is not an unreasonable assumption to make.
The problem with Windows (and to a lesser extent OSX) is that it assumes that the sysadmin and the user are the same person.
Open source isn't a panacea/Windows source code
Violynne makes a number of excellent points, and I want to reinforce one of them: open-source is not the magic cure-all for the myriad of security problems that afflict us. It’s necessary–but NOT sufficient. As we’ve seen, open-source software can contain its own bugs and holes, some of which take a very long time to discover and fix. The community seems to be slowly internalizing this realization and developing methods to deal with it, but there’s still a lot of complacency. Many eyeballs DO make deep bugs shallow, but only if those eyeballs are focused, clueful, and diligent.
What open-source software does is give us a fighting chance. No more. Because of that, it’s inherently superior to closed-source software — but that’s not saying much, and it’s certainly not enough to survive the contemporary threat environment.
Shifting gears a bit, an Anonymous Coward upthread astutely observes “Former Microsoft VP Jim Allchin once stated, under oath, that the flaws in Windows were so bad, that releasing the source code would be a threat to national security.
The bad guys have almost certainly had their hands on the Windows source code for decades: of course they have, it’s in their interest to have it, and there are FAR too many people with access to it for it to remain a kept secret for long. All it would take is a security breach at one of the governments with a copy of it, or a payoff to a disgruntled and greedy employee at one of the corporations, or a security issue at Microsoft itself (which we just saw last week) and voila! the code is in the wild.
I think this has probably already happened. Multiple times.
So in one sense, due to the pervasive use of Windows in government (including the military) this could constitute a national security problem. But in another sense, it’s not the release of the code which is the real issue, it’s the abysmal quality of the code. Windows is still astonishingly primitive: there are operating system features that appeared in Unix decades ago that are still not part of the architecture and implementation of Windows.
yea, 1 in 3 pirated copies of windows probably has malware… that’s why you don’t randomly grab pirated copies of windows.
It isn’t a flipping die roll. Do these people believe all back alley deals are done blind?
There is one aspect when dealing with malware on a GNU/Linux that is far superior to Windows.
By keeping my /root and /home directories on separate partitions I can reload (or change) my entire OS in an hour or so without losing my settings, data or custom tweaks.
I have no clue how much time I’ve spent in my life reinstalling Windows installations because of infections or whatnot and then having to find and reinstall every program I use again, but it’s definitely time I could have spent on more productive endeavors.
Re: Re:
Well there are these things called system restore points…
Re: Re: Re:
Well there are these things called system restore points…
True.
More often then not (for me at least) System Restore doesn’t fix the problems I’ve run up against.
Re: Re: Re: Re:
My understanding is that system restore points are a partial snapshot of the system and restoring from it requires reconciling the current state of the system with the snapshot, trying to avoid overwriting new configuration settings.
.msi files use the same setup, which is why they can be so dog-slow to install the programs contained within: they’re solving a traveling-salesman problem.
Re: Re: Re: Re:
Two useful tools for Windows 8 (well, they sorta work together) are SFC and DISM (in the command prompt, you’ll need admin access).
What we really need is an out of OS file integrity checker. Some way to boot from a non-infected read only disk and load a non-infected integrity checker from the disk that will check all system and even other files if they are digitally signed and if so check the integrity of the file (make sure the signature is legit) and list all non-digitally signed files (and perhaps their last modification dates). Then the user can decide what to do with any non-digitally signed files.
Once the integrity of all system files have been verified the disk should be able to check all startup items from the bootdisk (outside the OS) so that the user can look for any changes.
Re: Re: Assuming it's even useful.
…which become totally moot once my own personal data is well isolated from root system files and I can blow away and easily recreate all of the system files (and apps) at will.
So a 30 year old solution becomes more effective than the latest and greatest and probably unnecessarily complicated new-shiny-shiny.
I dont believe it.
Long story SHORT..
I had done a full re-install of windows, and had to setup the dialup.
Upon Clicking IE it went to MSN..(I hadnt installed updates or protection)
It took me 15 minutes to gain control of the computer..
8 virus and 15 bots, installed.
I sent a note to MSN about scanning 3rd party adverts, 1 year later, NO ADVERTS..
How many languages used on the net? MORE THEN NEEDED..
HOW many sites TRY to make money…MORE then need to.
HOw many EXTRA scripts needed on a site? TO MANY..
WHy do we run NOSCRIPT and SCAN every script into our machines??
AT LEAST when I Download something, I KNOW to ISOLATE IT and scan it to death.
HOW do you do that with a site??
Re: I dont believe it.
Yes. Web hosted exploit kits are the biggest threat.
see. http://www.techdirt.com/articles/20140402/07091926775/microsoft-sponsored-study-says-problems-caused-using-windows-software-will-cost-businesses-500-billion-2014.shtml#c1245
This weekend I will be installing Linux
and the weekend after that…and the weekend after that…and the weekend after that…
Re: This weekend I will be installing Linux
I assume that was some joke you heard from the 90s…
I can get a fully patched Linux install up and running in less than an hour on most new machines, and why would you need to reinstall it after that?
Re: This weekend I will be installing Linux
While I’ve had many problems over the years with Linux systems (nearly 100% having to do with either incompatible hardware or me doing stupid stuff), very few things have required I completely reinstall.
Re: This weekend I will be installing Linux
This weekend I will be installing Linux
and the weekend after that…and the weekend after that…and the weekend after that…
Huh. To be honest, that scenario has been more prevalent with Windows for me. My laptop has been running Debian AMD64 for a couple of years now. The times I’ve had to reinstall Debian were because I was messing around and mucked up something in the /root directory as a superuser. I also had to reinstall when I migrated to 64-bit and another time when I reduced my Windows partition to less then a quarter of my hard drive space to give more to Debian.
Re: Re: This weekend I will be installing Linux
To be honest, that scenario has been more prevalent with Windows for me.
Same here. My Windows 8 laptop has been refreshed or restored from scratch about twice a month since I got it.
Heck, my Dad even found Windows ME worked great as long as he reinstalled from scratch every 2-3 months?
Re: This weekend I will be installing Linux
You must be talking about windows 9x. That were the last OS where you had to do that. seriously, I knew the product key of 95 from memory…
@22
any site that uses IE is hackable and thus your credit card is going to get stolen
if your that far back that your business cant use chrome or mozilla your hopeless mister realtor ( what realty are you ???)
graphic design you say…you might go have a look at a mac…that runs OMG OMG on a form a BSD unix….
i would tell the school about openoffice and threaten a lawsuit. ten bucks says the school would get the hint.
——————-
only space where YOU NEED windows is gaming….
Re: @22
sites, using IE? do go on…. You sound very informed.
Re: Re: @22
I’d worry more about attacks using client-side scripting languages like PHP. 😛
When We All Go to Linux Heaven...Pie in the Sky
Linux is safer, because it’s unpopular. That’s a temporary, security by obscurity type of safety. If all our lesser, i.e., Windozy, brethren flock to the call of “Linux is safe and free,” the denizens of the malware world will find it economically feasible to attack Linux with the same voracity they now display towards Windoze. Since the users won’t likely have improved, I ‘spect similar degrees of success for the bad guys.
Just think how much simpler the crafting of malware when you don’t have to infer operations from hit-or-miss methods or read disassembled code; you can simply review the full (open) source code in the search for potential exploits.
Those of us who use (desktop) Linux now are in the sweet-spot. Reliable OSs, good software, few adopters.
Re: When We All Go to Linux Heaven...Pie in the Sky
While that’s a reasonable opinion at first glance, I think you’re seriously discounting the amount of excellent security features that go into major Linux distributions like Ubuntu and especially Fedora.
OS X is a case-study here: while the amount of malware has increased as its popularity has, nothing like the predicted malware explosion has yet occurred. And there are plenty of OS X users out there now, if the students and faculty of my university are any indication.
I honestly doubt viruses or email worms will ever be major threats to average Linux users. Trojans and spyware will continue to be a threat but that’s because they trick the user into authorizing their activities.
Re: When We All Go to Linux Heaven...Pie in the Sky
“Linux is safer, because it’s unpopular.“
To borrow a line from Enrico Fermi, that is not even good enough to be wrong.
If “popularity” was a viable metric for assessing the relative safety of operating systems, then we would not have made the observations that we have over the past 30 years. Let me share just one of those, for brevity.
As (I hope) everyone knows, the last decade-plus has seen the rise of botnets. One of the ways that we can measure that is by noting which systems exhibit behavior that indicates botnet membership (for example: coordinated spam emission) and then using passive OS fingerprinting to identify the operating system they’re running.
If relative system popularity was a viable metric for assessing vulnerability, then we would expect to see the botnet population reflect overall system statistics. Thus if the OS’s available were A (50%), B (30%) and C (20%), we would expect to see a 50-30-20 breakdown among bots.
That’s not what we see. Not even close. For years, the botnet population was dominated by Windows to — depending on how the statistics were calculated — six or seven 9’s. In other words, one could look at millions to tens of millions of bots before noting one not running Windows. That diverges wildly from the overall system population statistics, which are certainly dominated by Windows — but not anywhere remotely close to so much.
That’s not an accident. That’s not because botnet operators didn’t want to co-opt other systems. That’s not because they didn’t know how. That’s not because they didn’t try. It’s because getting into a Unix/Linux box is both quantitatively and qualitatively more difficult. (In the case of some variations, MUCH more difficult.)
Like I said above, that’s just one data point. There are others — many others. The bottom line, though, is that popularity may be discarded as a relevant factor in assessing relative OS security.
Re: Re: When We All Go to Linux Heaven...Pie in the Sky
“If relative system popularity was a viable metric for assessing vulnerability…”
Apparently, you did not feel the wind as the point went whistling over your head. I’m not assessing, discussing, or implying vulnerability as a function of popularity under the title “Pie in the Sky.” I’m pointing out the vastly greater potential for financial rewards that results from attacking the overwhelmingly prevalent personal OS, and hence, the hugely superior allure to bad guys. Desktop Linux acceptance levels ain’t yet worth the effort.
Re: Re: Re: When We All Go to Linux Heaven...Pie in the Sky
I’m sorry that you failed to articulate your point clearly; however, you’re completely wrong about this as well.
First, not everyone is motivated by the prospect of financial reward. In fact, quite a bit of activity stems from other motivations: politics, ideology, curiosity, religion, nationalism, espionage (state or corporate), stalking, etc. It’s often blithely (and incorrectly) presumed that one can ascertain the motives of attackers based on target selection; but that’s proven to be dubious guesswork.
Second, if we confine our discussion solely to those who are seeking to profit, it is of course obvious that they will largely target Unix and Linux systems, because “that’s where the money is” (h/t John Dillinger). Oh, they may attack Windows or MacOS systems en route to that goal, because of course getting into those might make it easier; but they’re just stepping stones on the way to the final objective. The real prize, at almost every enterprise, university, ISP, or government is running Solaris or AIX or FreeBSD or Red Hat — and getting into one of those systems is easily far more profitable than getting into 100K Windows desktops. (Which has by the way now become so easy and routine that it’s no longer a challenge, merely another yawn-worthy daily occurrence.)
This situation is unlikely to change: the vastly superior architecture of Unix (and Linux) tends to mitigate the scope and severity of security holes, while the laughably inferior architecture of Windows exacerbates them. Microsoft could fix this, but of course that would require admitting their colossal mistakes — so it won’t happen. They would rather continue to pretend that it’s actually possible to wallpaper over their mistakes. (Hint: it’s not. As we’ve seen. For twenty years.)
Re: Re: Re:2 When We All Go to Linux Heaven...Pie in the Sky
Microsoft could fix this, but of course that would require admitting their colossal mistakes — so it won’t happen.
I think the bigger problem is it would break backward compatibility. They could easily come up with some reason for doing it without publicly admitting how bad Windows security is.
Re: Re: When We All Go to Linux Heaven...Pie in the Sky
Linux safety also has to do with how administrative and user spaces are handled. With Linux, one logs/boots into a user space and I am not sure if one directly boot into the admin space. On Windows, it is very common to boot directly into the admin space and Windows does not force one to make or use user accounts. Thus many Windows users are always root users which makes it easier to install stuff in the background. Linux users in an user space with limited privileges and most escalate privileges to install something. A Linux user could install malware but it requires an affirmative permission to do so. If a Linux user is taught to only install and update from the distro’s repositories the chances of malware infecting system are very low. Add that distros con be grouped into families which use different packaging and package management tools; complicating the malware writer’s problems.
Re: Re: Re: When We All Go to Linux Heaven...Pie in the Sky
Linux safety also has to do with how administrative and user spaces are handled. With Linux, one logs/boots into a user space and I am not sure if one directly boot into the admin space. On Windows, it is very common to boot directly into the admin space and Windows does not force one to make or use user accounts.
On OS X and Ubuntu the setup gives the primary user account sudo privileges and disables the root account entirely. You can perform all the functions of root but only by way of the sudo program, which requires periodic authorization by entering the user’s password.
Home versions of Windows before Vista added UAC confused user and admin roles. Basically, the primary user was root and doing administrative tasks required no authorization. With UAC, admin roles got separated more cleanly and you have to provide (trivial) authorization prior to performing admin tasks. That’s helped, although the system as a whole is still not as tightly locked-down as Linux.
That’s my understanding.
IF'
If MS would LOCK down the windows DIR..
IF Adobe and js would SANDBOX themselves..
IF MS would FORCE programs to STAY in their OWN DIR..
IF BROWSERS LOCKEd things, only to WORK in browsers and would STAY in a sandbox..
IF a note was placed on ANY Cookie, Script loaded on my machine..about the SITE I GOT IT.. I would have someone to SUE..
ON loss to MS for lost MS sales..
Lets understand something strange. HOW do most people END UP with Windows.
They BUY a new computer. over 80% do not WILLINGLY BUY WINDOWS ANYWAY..
NEED a better or NEW computer, GET the NEWEST windows LOADED..FREE??
> the chances of encountering malware in a pirated copy of software is one in three.
Microsoft calls a lot of things malware that do nothing bad. For instance Microsoft calls a serial number generator malware even if it’s only function is generating serial numbers. Also to pirate games you need the steam.dll to stop calling home for that game and replacing the steam.dll with something inert is considered malware.
There can be malware in pirated software, but the study would find far less malware if it was properly defined as doing something bad or unwanted to your computer.
This seems like a non-story.
Windows is targeted the most because it has the most market-share.
And on a separate note, changing to linux for businesses is rarely free. A bad switch-over can end up costing more in increased IT costs and lost productivity. That’s kinda why redhat has a business at all, selling support for a free product. Or had a business that did that, I haven’t thought about redhat in years. They may well have changed or disappeared.
Re: Re:
Upgrading or changing OSes can be a minefield because of various hardware, software incompatibilities. Windows to Windows has problems and Windows to Linux has another set of problems. Both are solvable but require proper planning.
RedHat is still around and doing very well. They are still selling support and maintenance for a free product.
Re: Re:
How much did the switch to the ribbon interface cost businesses? How much will the switch from XP to 7 or 8 cost businesses? This upgrade is unlikely to go smoothly, especially if there are any in house application to switch over, or any dependencies on older browser technologies.
Re: this is a half-truth
Since I know something about both OS’s, I have to respond. Even if Windows had a lower market share, it’s a safe bet that it would still receive the bulk of the attacks. If you were a brickthrower, would you target a glass or a brick house? Same deal. Windows’ architecture guarantees an easy mark, even with fulltime IT on hand.
Just to be sure to keep topics separate, this is exclusing socially-oriented attacks. These are for the most part OS independent.
Linux and BSD are still not the ultimate. Microkernels would be better, since the modularity would further increase modularity. However, monolithic kernel structures are still far, far better than Window’s megalithic Gordian knot architecture.
People are just too lazy to switch to Linux.
Ubuntu, Xubuntu and Linux Mint are good alternatives for newbies.
Microsoft’s Digital Crimes Unit. Coming this fall to NBC.
restore disks
I have an HP windows box, I mucked up a linux install on my second hard drive, I installed on the windows disk, bye bye windows, with NO restore disks ( the first CD of my windows install disk went bad ) what to do, I went to the HP website and found I could BUY the restore disks, I though great now I’m out 2-300 dollars. To my shock, it’was 12$ plus 5$ shipping, and it only took 4 days to get them (yes it was a LOOONG 4 days)
I still love the live CD of PCLinuxOS, I don’t even need to install it to use it (works on a 4 gig thumb drive, 8 gigs and it’s a stand alone and can be updated as needed) it’s awesome to fix windoze with in “most” cases….
It's nice to know
This is precisely why I use Linux based Operating Systems and Open Source Software for everything I use computers for, from personal use, to my business, and why when I provide services as a consultant I try to find ways to service my clients needs by providing them with Open Source options.
It’s nice to know that Microsoft support my assessment of their Operating System and software in general.