Forgot your password?
typodupeerror
Microsoft Security Software Linux

Open Letter to a Digital World 545

Posted by michael
from the no-one's-listening-la-la-la dept.
jg21 writes "Exasperated after spending 5 hours removing spyware and trojans from his wife's Windows PC, sysadmin Chris Spencer has written an impassioned Open Letter to a Digital World. In the letter he reviews the 'elephants in the closet' - i.e. unfixed bugs and glaring security vulnerabilities - that Microsoft in his view hopes ordinary users will ignore, including some discussed in previous Slashdot stories."
This discussion has been archived. No new comments can be posted.

Open Letter to a Digital World

Comments Filter:
  • I don't get it. (Score:5, Insightful)

    by spacefight (577141) on Sunday December 19, 2004 @05:11AM (#11129016)
    He has a CS degree, runs Linux himself and still let his wife surfing the web with IE? What went wrong? We all now that alternatives exist.
    • Re:I don't get it. (Score:5, Insightful)

      by Bagsy (176584) on Sunday December 19, 2004 @05:20AM (#11129039)
      Not only that, I bet his wife belongs to the administrator group aswell. There are far too many people who have the wrong user rights.
      • Re:I don't get it. (Score:4, Insightful)

        by mentin (202456) on Sunday December 19, 2004 @05:38AM (#11129088)
        I regret I don't have moderator points for parent.

        He claims to be a "system administrator and have a degree in computer science", and he lets his wife run as admin.

        More than that, with all that experience he is naive enough to believe that he can clean machine using the very same machine - have he ever heard of rootkits and stealth program? Maybe he is just an idiot?

        • He should educate his woman. My girlfriend 2 and a half years ago used Windows 98 IE and had the comet cursors (plus a load of other crap). Now she hates windows and its trying to think which distro to put on her new computer.

          I think its the boot logo that did it (tux)
        • Re:I don't get it. (Score:5, Insightful)

          by fishbot (301821) on Sunday December 19, 2004 @06:19AM (#11129179) Homepage
          More than that, with all that experience he is naive enough to believe that he can clean machine using the very same machine - have he ever heard of rootkits and stealth program? Maybe he is just an idiot?

          Doesn't that kind of prove his point? Joe Public wants to use the computer. The computer won't let him. Just run it as admin! That's the default, so it must be OK, right?

          Now he's infested with spyware, trojans, viruses and the like. So, he installs SpyBot, AVG, ZoneAlarm, whatever. Nobody told him that wouldn't work because the processes are on the same box. Of course he has to go out and buy another machine for the sole purpose of disinfecting the first! (OK, he doesn't, but Joe Public won't understand the difference between 'installed on another hard drive' and 'another computer')

          It just goes further to prove that to clean your PC of all these attacks the first thing to do is remove Windows and all its failings. Or buy a Mac.
        • Re:I don't get it. (Score:5, Insightful)

          by niiler (716140) on Sunday December 19, 2004 @07:09AM (#11129292) Journal
          It's one thing to have experience in secure computing; it's quite another to share that with someone else.

          After securing my brother-in-law's household by setting up a specific administrator account for software installs, removing IE links where-ever I could find them and replacing them with Firefox, installing SP2, installing AdAware, installing a decent firewall and several other things, they are now constantly calling because such and such doesn't work properly.

          The call is usually one of the following:
          1) Such and such program that worked before you did the SP2 upgrade doesn't work anymore. Could you come over and figure out a way to fix it? I need to run it.
          2) I can't use such and such website because it needs IE. (And no, the UserAgentSwitcher extension isn't working in this case). Please give me access to IE so I can circumvent all the security you've installed.
          3) I really want to install known spyware/adware containing program, but I can't unless I get into the administrative account.
          4) Why can't I just run as administrator? Aren't you a bit paranoid for putting all this security on our computer? Now I have to actually switch users in order to install stuff and the extra two or three clicks is really annoying.

          Just for fun, I've given them an extra computer running KDE 3.3.0 on top of Linux with all the latest scanning, printing, image processing, instant messenging, browsing, cd-burning, dvd-watching software...but they won't use it because:
          1) It looks different. They're deeply uncomfortable with that fact.
          2) They try to download and install Windows programs, and of course, it doesn't work. This despite being given a compatibility list and where to get compiled binaries. (and an invitation for me to install things if they're really uncomfortable with nice GUI installer)
          3) They want to buy software at Best Buy and install it on the computer and it won't run. Again, they tend to ignore the compatibility list.
          4) Did I mention that it looks different than Windows?

          The point is that you can educate users, but most simply don't want to be educated. They have gotten comfortable in their current paradigm (usually some mixture of the "freedom" of Windows 95/98 with the performance and "security" of windows XP) and don't want to change/learn anything different. Not only that, but remember that when it comes to family and friends, you can't set a policy like you can in a company. Telling the wife - NO - you cannot run that program that you love and have been using for ages because it is insecure is, in general a bad move.

          In short, I've been where this guy has, and I'm totally sympathetic. Let's not take cheap shots and call the guy an idiot because he didn't go the next step and use a root kit.

          • Re:I don't get it. (Score:5, Interesting)

            by the_rev_matt (239420) <slashbot@r e v m a t t .com> on Sunday December 19, 2004 @09:17AM (#11129732) Homepage
            Hear hear! I've had similar experiences with friends and family in the past. During the .com days I got calls all the time "can you come undo the stupid shit I did to my computer?" One of the biggest selling points of linux, to me, is that for four years I've not had to fix a single computer for software related issues. None of my computers has had any problems I didn't create myself (like accidentally deleting the home tree). The calls started tapering off real fast when I started saying "I don't use Windows, so I'm not up to date on what to do to fix it."

            The sad part was realizing how many people were friends solely because I could fix their computers. Once I stopped being their free 24/7 tech support line they disappeared.
            • Don't be sad, be glad. One thing you have to do in your life is the "right-sizing" of your pool of friends. Eventually, you have to remove all the vampires (i.e. life-draining leeches) and ogres (i.e. abusive bullies) from your life lest they drag you down into being some pot-bellied loser sitting in some shitty apartment watching another inane "reality" show.
            • My father switched from a Mac to a PC because some nutjob told him it would be easier.

              Afterwards he called me several times a week with problems he was having. Eventually I told him that I would buy him a mac but I would not answer any more questions about the PC. He didn't let me buy him a mac but he did stop calling. Now he is hassling the nutjob who told him to buy a PC and that's the best outcome for everybody.
        • Re:I don't get it. (Score:3, Insightful)

          by fymidos (512362)
          >he is naive enough to believe that he can clean
          >machine using the very same machine

          well, he apparently managed to "clean machine using the very same machine" so that would make him a bit less "naive" and a bit more "capable".

          >he lets his wife run as admin

          some people buy their own computers,and they believe that they can do anything they want with them. Many people don't ask permission from their family members before they open their brand new computer - which by they way happens to automagical
          • Re:I don't get it. (Score:3, Insightful)

            by mentin (202456)
            well, he apparently managed to "clean machine using the very same machine" so that would make him a bit less "naive" and a bit more "capable".

            You don't get it. A good rootkit will only let you see what the rootkit wants you to see (when using the very same machine where rootkit runs). However capable he is, he (if the rootkit was installed) has no way to know whether the trojan was installed, far less being able to clean it.

            You looks in the registry, but the rootkit intercept registry API. You looks

        • by dogugotw (635657) on Sunday December 19, 2004 @09:44AM (#11129846)
          Don't know how things work in your home but in my home, I have a computer (Mandrake) and my wife has a computer (XP home). I don't 'let' her do anything with her pc, she does what she damn well wants thank you very much and god help me if I start screwing with her setup and make something burp... and yes, I do have to clean up the mess when things go bad.

          the good news is that her system is well patched, runs zone alarm, avg, mozilla, and I just switched her from aim to gaim. Step by step the migration to FLOSS goes forward.

          Keep in mind that 'her' computer is for more than home and has to work at her place of employ (Windows and apple shop) so some of the 'hands off' has to do with not screwing up use of the system at work.

          Anyway - bottom line, at home you are NOT a sys admin, you're a spouse with special skills.

          dogu
        • by stealth.c (724419) on Sunday December 19, 2004 @06:09PM (#11133116)
          How do people get +3 Insightful for completely missing the point?

          First, I don't know about anyone else, but it is an incredible pain trying to run Windows (2000, at least, in my experience) as anything but Administrator.

          Second: what is this "Maybe he is just an idiot" crap? He could easily have a wife who, like anybody else, would prefer to have their computer how they want it and for others to leave it alone. I know plenty of people who get irritated if anyone changes things on their personal computers--much less use them. As for rootkits, etc., are 80% of Windows users (the people who have this problem) really going to have access to those things, the skills to use them, or even the dimmest knowledge of their existence? Of course not.

          Jumping down this guy's throat over the state of his wife's computer is completely missing the point. His point is that there are millions of people just like her, and his weighing of the pros and cons makes Windows an absurd choice for a desktop OS. Address that. Stop grasping for ways to tear him down instead of his argument.
    • Re:I don't get it. (Score:5, Insightful)

      by Anonymous Coward on Sunday December 19, 2004 @05:27AM (#11129057)
      He has a CS degree, runs Linux himself and still let his wife surfing the web with IE?

      Yeah, it's almost as if she has a mind of her own.
      • Re:I don't get it. (Score:5, Insightful)

        by Anonymous Coward on Sunday December 19, 2004 @07:05AM (#11129284)
        Yeah, it's almost as if she has a mind of her own.

        Not only a foreign concept for many Slahsdotters when it comes to women apparently :) but also increasingly when it comes to posting/modding.

        I've been lurking here a long time, and still wonder when exactly this fundamentalist turn happened. Suddenly everything is either black or white. Only One Way. And bias and fud (the thing we used to be against) is more important than facts. Bullshit (and I don't mean opinions but facts) are rated +5 informative just because it is pro-Linux and/or anti-MS, while facts correcting this are modded down.

        I've been using both Linux and Windows for a long time, and both have strength and weaknesses. I can see a lot of reasons for choosing one or the other, that varies with situation, needs and what people want (yes, they can prioritize different than You without making them Wrong, or Joe Schmoes or whatever the popular derogative is for people daring to think and choose different than You...)

        Sometimes I wonder if that sig someone had (no, not me :) saying "I see more xp ignorance in here than Linux ignorance in an AOL room" really is true, or if we just let it appear that way - so that facts don't mess up our world view, or something.

        I guess for the young and righteous, this sounds like old people yapping about "the youth today" or "everything was better before". But I miss when it really was more News for nerds, and less religion for nerds.
        • by m50d (797211) on Sunday December 19, 2004 @07:29AM (#11129340) Homepage Journal
          I think it happened as more of us moved to linux and realised that EVERYWHERE on the web, it is completely against linux users. So we withdrew into our own fundamentalist community, shunning the outside, like those guys who recently emerged from the jungle and discovered the Korean war was over.
          • Re:I don't get it. (Score:3, Informative)

            by Some Bitch (645438)
            If you "could care less" that means you *do* care. Think about it for a minute.

            The original British cliche was, "I couldn't care less" and is still used over here. The nonsense bastardisation is a purely US construction.

    • Re:I don't get it. (Score:2, Informative)

      by d3v (778364)
      Definitely. Update windows, install Firefox and she'll be fine. Even if she insists on visiting the darker side of the web...
    • Re:I don't get it. (Score:5, Insightful)

      by Soko (17987) on Sunday December 19, 2004 @05:29AM (#11129064) Homepage
      He has a CS degree, runs Linux himself and still let(sic) his wife surfing the web with IE? What went wrong? We all now that alternatives exist.

      Let his wife? Let?!?!?! You sir, are obviously not married.

      Besides, we still have to deal with IE only websites, which perhaps his wife has to use in her career? You've made a faulty assumption, friend.

      The only fault I can find with the author is that he didn't realise what his wife was dealing with in the first place. She should be using Firefox for browsing, unless she needs an ActiveX control for a particular site for some reason.

      We know Windows has these problems, so we should take whatever steps we can to mitigate the risks when we need to use that OS.

      Soko
      • by Master of Transhuman (597628) on Sunday December 19, 2004 @05:37AM (#11129083) Homepage
        "You sir, are obviously not married."

        Not married?

        This is /. - he can't even get a date!

        Date? He hasn't even been apprised of the fact that there are two sexes!

        Oh, wait, yes he has - vi and emacs...

      • Let his wife? Let?!?!?! You sir, are obviously not married. ... The only fault I can find with the author is that he didn't realise what his wife was dealing with in the first place. She should be using Firefox for browsing

        My wife has a mind of her own. Let me tell you this: if she runs IE, it's not my fault. It's her computer. If I don't realize what she's doing, it's my fault for not invading her privacy and that's where that ends.

        • by Soko (17987) on Sunday December 19, 2004 @06:57AM (#11129263) Homepage
          My wife has a mind of her own.

          As does mine, thankfully.

          Let me tell you this: if she runs IE, it's not my fault. It's her computer. If I don't realize what she's doing, it's my fault for not invading her privacy and that's where that ends.

          Hunh? I discuss these things with my bride. Such a trivial thing should not ba a matter of privacy. My wife knows why Firefox is a better browser, why I removed WebShots and why the computer is mostly booted into Linux. She realises I'm the sysadmin, an expert in my field, and is willing to trust my judgement, seeing as we're married and all.

          I respectfully submit that if you can't relate such a simple thing to your life partner, there's something of a communications issue there.

          Thank $DEITY I have no such problems.

          Soko
          • Re:I don't get it. (Score:5, Interesting)

            by ninewands (105734) on Sunday December 19, 2004 @07:46AM (#11129387)
            I agree with the parent poster.

            My wife Was using Win98 and IE6.1 SP whatever up until six months ago. Her IE installation got so corrupted with spyware that it wouldn't even launch, so I installed Firefox and Thunderbird with my favorite extensions (AdBlock, TTLO, User Agent Switcher, etc.) and it took her all of 3 days to fall in love with it.

            I then picked up a cut-price generic Athlon box, that was some 12 times as fast as her old machine at Fry's for about $200.00, installed Fedora Core 2 on it and gave it to her. To make her feel like she had a safety belt, I also got her "Linux for Non-Geeks" which she has barely opened. Her first question when the box booted up after the install was "where's Firefox?"

            She now snipes at Windows almost as much as the most zealous penguinista at your local Junior High. She will occasionally run into content on the 'net that won't load, but when she asks me about it, it's usually something designed to exploit Windows' poor security model (like ActiveX controls and browser hijacks).

            She's happy with her newer, faster machine and is learning to love the penguin, but I would NEVER have done it if she wasn't: 1) willing to learn, and 2) pre-conditioned by a few months' favorable experience with Firefox and Thunderbird.
      • she tried to help Mariam Abacha, the widow of the now deceased General Sanni Abacha, move $80 million from Nigeria to the U.S. (God willing).
    • He has a CS degree, runs Linux himself ...

      Me think she was making a lot of "friends" on Yahoo Personals using IE, without sharing her browsing history with her husband who's been busy lately.

    • The degree means nothing - they don't teach security, or even basic common sense.

      He needs to get some real-world experience. Then he'd know to install firefox and make sure the Windows PC is locked down & behind a good firewall.
      • Re:I don't get it. (Score:2, Insightful)

        by laka21 (839785)
        hah! what was that for ? degrees dont teach anything ?? well my friend school is the basis for education. I dont understand why have to make such a generalized statement here.
        btw it was his wife who was using IE not him and if you are married then you wouldnt simply put the blame on him.
        The person has written a credible article and he deserves some applause and not some useless 1 liners.
    • Chris is wrong. (Score:3, Insightful)

      by gad_zuki! (70830)
      Sorry, but all my relatives who I have switched over to Firefox or Mozilla do not have ANY spyware. Nada. Nothing. I showed them a list of spyware apps, in other words what not to install and they have healthy and happy PCs.

      Claiming switching to linux is the only solution is a huge admission of ignorance of how the spyware problem stems almost exclusively from one piece of software, namely Internet Explorer.

      Windows, even as admin, can be safe for the technophobe. I've seen it and I continue to see it. The
      • "if Linux hits critical mass on the desktop (yeah Im not holding my breath either, OSX has a much beter chance of toppling Windows) then spyware developers will target it also. Grandma will still get emails like "Funnyshit.rpm" and the browser will ask if you want to install "super-search.xpi." These apps will hide themselves anywhere they can, just like they do in windows."

        Wild guess here ... you dont know anything about linux or OSS do you ? Linux does not have browsers with hooks into the kernel, it
      • Re:Chris is wrong. (Score:4, Interesting)

        by ninewands (105734) on Sunday December 19, 2004 @08:07AM (#11129453)
        Quoth the poster:
        Grandma will still get emails like "Funnyshit.rpm" and the browser will ask if you want to install "super-search.xpi." These apps will hide themselves anywhere they can, just like they do in windows.
        ... which will be limited to Grandma's $HOME ... not a hard thing to search and clean.

        You seem not to understand the difference in security models between *n?x and Windows applications, and the security implications of Microsoft's obsession with backward compatibility. Over the years lazy coders in Windows development shops have built up such a bank of apps that REQUIRE Admin privileges that Grandma must run as Administrator, or at least be a member of the Admin group, to do what she wants to do.

        *n?x apps, OTOH, are designed to function properly under the "least privilege" model. They do not require Admin privileges because they will only store stuff in the use's $HOME and they don't require privileged access to the hardware. They don't require direct access to the kernel. In short, they are "secure by design." The few apps that DO require such access have their permissions set so that normal users can't run them.

        I'd be tickled to death if OS X would topple Windows, but don't hold you breath. The price point just isn't right since one company controls both the hardware and the software. Additionally, I doubt that Apple has the marketing clout that IBM and Novell have in the corporate market. The home market is peanuts compared to the Enterprise, just ask Microsoft, they've been trying to get into the data center for YEARS.
      • Re:Chris is wrong. (Score:3, Informative)

        by strider44 (650833)
        I'm not a total linux zealot, though I do use it as preference, and sorry, but you're wrong. IE isn't the only problem. Besides the fact that outlook [express] is a huge security hole (I'll count that under Internet Explorer, since you've probably changed to thunderbird as well) there are huge holes in Windows generally that makes it insecure.

        There are a large number of security faults in Windows that make it inherently insecure, most of all default admin access.

        Now besides the accepted fact that li
  • by venicebeach (702856) on Sunday December 19, 2004 @05:14AM (#11129022) Homepage Journal
    Well, this is a nice letter and all, but I have a feeling the only people with the patience to read through the whole thing are already convinced of its content...

    • Not true.

      I'm converted by philosophy, but not in practice.

      I have this year installed a number of Linux distros (Red Hat, Gentoo, Mepis, Debian, Mandrake) and am yet to find one that recognises all of my hardware (my RME-DigiPST [rme-audio.com] sound card proving impossible to get working) or fulfils all of my software requirements (a contact manager that can sync with both an Ericsson and Motorola phone for example).

      I am still finding that each time I look at Linux that I lack things... be it something that replaces

      • a contact manager that can sync with both an Ericsson and Motorola phone

        I use Evolution and Multisync to sync my Sony Ericsson P900 over bluetooth.

        EAC and LAME

        Grip and Lame.

        Now, the point of this post is this... each time I have looked at Linux to date I find it is not quite ready

        I've not used a Windows machine (for anything serious) in over 2 years (and before then I wasn't using Windows very much). I've yet to find anything (that I want to do) that I can't do on Linux but I could do on Windows
  • by Icarus1919 (802533) on Sunday December 19, 2004 @05:25AM (#11129051)
    All this time, with all the antitrust lawsuits, and it turns out all Microsoft needed was a stern talking to. Man, wish I could think outside the box like that...
    • Re:Oh, hey, Wow! (Score:3, Insightful)

      by levell (538346)

      He's not hoping to affect MS with stern words, he's hoping people start to switch away, which can happen when enough of the geek population think it's right (as Firefox is starting to show).

      Once people in numbers start to switch away, it is possible Microsoft will react with better products (again, as an example they have restarted IE development because of Firefox), everyone wins then (even the people who haven't switched).

  • 5 hours!? (Score:5, Informative)

    by JamesTRexx (675890) <m.nystrom@mb i t z . nl> on Sunday December 19, 2004 @05:31AM (#11129067) Homepage Journal
    I've found a quicker way to get rid of those files, identify the executables through task manager and the "run" keys in the registry, then change filepermissions to block the system and user accounts on those files and/or directories, kill processes, remove registry entries, reboot, delete files. No more respawning webrebates etc..
    And if you haven't set the filesystem to NTFS, you need to be slapped silly.
    • Re:5 hours!? (Score:4, Informative)

      by tomjen (839882) on Sunday December 19, 2004 @05:40AM (#11129093)
      And if you haven't set the filesystem to NTFS, you need to be slapped silly. Or you run a dual boot system and need linux to read/write your win files
    • "identify the executables through task manager and the "run" keys in the registry"

      Heh, heh, you've never done this, have you?

      Where do think he put in the five hours? He's a LINUX admin - he had to spend an hour or more figuring out which of the weirdly named processes in the process manager were legit.

      Then he had to surf the Net to anti-spyware sites for an hour to identify all the spyware and determine WHICH registry keys and executables and DLLs had been scattered all over the system.

      Then he had to g
      • Heh, heh, you've never done this, have you?

        Oh, only about at least a dozen times when my esteemed colleagues weren't able to get rid of spyware on the pc's of our users. And I'll be doing it more often because IE is the standard browser in our company. Unfortunately.
        Hopefully that'll change when the reports of our helpdesk system shows a chunk of incidents being caused by spyware.
    • The nasty ones aren't executables anymore, they're .dlls which get loaded into various parts of the operating system: IE, the explorer shell, the network stack, etc. You can't delete the files because they're locked while the OS is running, and in some cases if you do somehow prevent them from loading it can screw up your system. It's gotten to the point where do-it-yourself spyware removal is too complex; you would have to have a PhD in Windows OS internals to extract some of this crap.
  • by gfecyk (117430) on Sunday December 19, 2004 @05:33AM (#11129077) Homepage Journal
    Not by letting her run IE, but by letting her run IE on a Windows box as full admin.

    "... despite the anti-virus, regular Windows updates, having the good sense not to open attachments, using a firewall, and avoiding any type of seedy activities online..."

    Let's see, it's 2004, XP is two years old, 2K is four years old, and your wife got spyware for one of two reasons:

    * You let her run too old a version of Windows (98/ME) with no built in security, (Melissa got past anti-virus software remember) or
    * You let her run 2K or XP with full admin or "power user" access.

    You two only have yourselves to blame for choosing to run a machine insecurely. Yes, you. You could've stopped all of this before the fact if you ran a modern version of Windows as limited users, if you used a mail program Designed for XP and kept that up to date as well as the OS, if you treated the 'net like any other public place instead of trusting everyone by default.

    You chose Windows, and you chose to run it insecurely. If you think running Linux is the cure, go right ahead. But if you run it as root, you don't deserve any sympathy from me. And if you run XP as a full admin, you deserve even less sympathy.

    Take charge of your own computer security already, however you do it. Don't whine at Microsoft because you let it happen.

    And damn my slashdot karma to Hell anyway. I'm sick of this whining: "Microsoft (this), Microsoft (that), Microsoft (whatever)." Lazy bastards. How come MY MOTHER doesn't get spyware or viruses or whatever when she's running only XP Service Pack 1? Without any AV software? Explain that.
    • Does your mother not have a modem? (what do I win?)
      • My wife is always connected to DSL line, still she never ever got any virus or trojan.

        It is very simple:
        1) turn on Windows firewall
        2) make her regular user (non admin)
        3) turn on automatic install of updates

        That is all - after following these simple steps I just don't worry about her computer, and she never got any problem.

    • The author is talking about JPEG processing bug and he claims that "each of those products linked to it individually." But this is not true on XP, where the DLL in question is always loaded from the side-by-side cache (Windows\WinSxS).

      So I am afraid you are right that his wife is running Windows 98 - in which case he got just what he deserves.

    • What about applications that for some reason need to be root, like the sims
    • Most consuner PC's are sold with Windows XP Home Edition preinstalled. There is no such thing as a non-"power user" login in XP Home Edition. It just seems silly for you to blame the author for a lack of security in an operating system when Microsoft itself purposely removed the security from said operating system.
    • by Apathetic1 (631198) on Sunday December 19, 2004 @06:47AM (#11129239) Journal
      Let's face it, Windows XP (and to a lesser extent Windows 2000) is designed to be run as an Administrator. They tell you in the documentation not to run the computer as an Administrator but the first user who logs into an XP Home machine is an Administrator by default. Several popular CD burning applications will not run correctly without Administrator priveleges. Hell, Diablo II won't run if the user is not an Administrator.

      I have a heterogeneous network of a half-dozen computers here, some Windows, some Mac, some BSD, some Linux. Don't get me wrong, after it's been properly secured I don't mind running Windows but explaining to my mom why she couldn't burn CDs, install software, etc. was causing more headaches than it was worth. Other operating systems (notably Mac OS X) deal with this sort of thing fairly intelligently, why can't Windows?
    • You let her run 2K or XP with full admin or "power user" access.

      What if it's 2K and she wants to burn CDs?

  • by Otis_INF (130595) on Sunday December 19, 2004 @05:50AM (#11129117) Homepage
    Why didn't he setup a non-root account for his wife on the windows box? Why didn't he install THE browser, Firefox, on his wife computer? Why didn't he enable excessive auditing so he could track down which app installed what and when?

    Oh, that's too hard? If that's too hard, you're not a sysadmin.

    True, spyware can be almost viral these days, but there is one factor which enables it in the first place: the user. "Oh, this nice free tool from www.[the tool's name].com is so handy!", should ring a bell, a lot of bells, alarmbells to be exact. NO search bar comes for free, unless it's open source, to name an example.

    First I thought, hmm could be a great article, but after a few paragraphs it was clear this article is not great, it's the frustration of a person who doesn't WANT to understand windows and blames the consequences of that to the OS. I mean, blaming IE and not having firefox installed should be enough to categorize this article as "ordinairy propaganda".
  • by Caine (784) on Sunday December 19, 2004 @05:58AM (#11129134)
    I run Windows. I didn't use to. Between 1993 and 2001 I ran Linux almost exclusively. When Windows 2000 was established I switched on the simple basis of that it was better.

    I don't run anti-virus. I don't have a firewall. I don't run spyware-removals under normal circumstances. If I feel the computer is feeling odd I download and run F-Prot's free DOS version [f-secure.com] followed by running Adaware 6. On some single occasion I've run Norton Anti-virus just to be on the safe side

    I'm not alone in using this computer, my not quite so computer-literate girlfriend does too. I often download shareware games and freeware programes, not to mention warez every now and then.

    Despite all this - I have never (*knock on wood*) been virus-infected. I have never gotten any spyware.

    So I have to ask myself, what to do all these people do to get their computers so messed up? Why isn't it happening to me, when I run the same Windows without any protection? Is it really Windows fault?

    • Why is this modded as redundant? I don't see any other posts saying the same thing, and it is an interesting point.

      And I have to say, I have the same experience. I run Win2K with mozilla as my browser and e-mail client and have _never_ had trouble. And that's not through lack of checking for it, or for lack of doing things that are typically seen as "risky" activities.
    • by Anonymous Coward
      So tell me, how do you know there is nothing wrong?
      • Ah, the question I get the most.

        1. As I said, if I feel something is 'odd' I do run AV.
        2. I have a good sense about how my computer should act.
        3. I had a...less than legal youth, which means I have a fair idea of what can and will be done.

        But mostly it's gut feeling.

    • Firewalls are useless crap as long as you install all the Windows updates when the automatic thingy tells you to. Anti-virus software doesn't work on the newest viruses (i.e. the biggest threats), only ones that have been discovered and documented; and it doesn't remove spyware either. Spyware removers often miss one or more of the problems on any given computer. The only thing that really keeps a computer safe is good users.

      Obviously you are a good user, and apparently your girlfriend is too (some hea

  • by cranos (592602) on Sunday December 19, 2004 @06:20AM (#11129184) Homepage Journal
    Telling all the stories you like about how your (or your mothers/wives/SO's) machine has never had a virus/spyware attack even though you never run anti-virus software nor a spyware detection suite isn't going to mnean a lot.

    The simple fact is that many of the people on this board have to work with windows (from 95 to 2003) everyday and can tell you horror stories about machines that have been secured, reside behind a natting firewall, etc etc but still they get slapped down by the newest virus which has snuck in through a vulnerability which was patched three months ago.

    The other area you seem to be missing is the inate ability of users to fuck things up, no matter how secure you make it. All it takes is one innocent click on a link and all of a sudden you have spyware coming out your nose.

  • by Anonymous Coward

    I read a number of people who indicate one should run Windows XP in user mode, but have they actually tried it? Unless you wish to simple browse the Internet, you are pretty restricted and unlike Linux, a myriad of programs require "root access" and cannot be installed locally.

    The first thing one should do before connecting Windows to the Internet is simply install a firewall, then run Windows Update, then install Firefox -- sites exclusively reserved to Internet Explorer users are becoming decreasingly co

  • 5 hours?!? (sigh) (Score:4, Informative)

    by mjh49746 (807327) on Sunday December 19, 2004 @06:42AM (#11129232)
    It takes him no less than FIVE hours to clean all the spyware from a Windows PC? And he has a degree in computer science, RHCE, and ten years of system administration expirence?


    You know, that's pretty funny if you ask me, because I can usually do it in about 30-60 minutes or less (give or take), and with no degrees and no professional training whatsoever.


    Here's how you do it....


    1. Run msconfig


    2. Uncheck all startup entries that look suspicious


    3. reboot


    4. Update and run Lavasoft AdAware


    5. Update and run Spybot Search and Destroy


    6. If you have them, and you should, update and run your favorite antivirus scanner.


    7. Make sure all the spyware leftovers and their folders, if any, are deleted.


    8. Run msconfig again and reenable anything legitimate that you might have disabled


    9. reboot


    Now, why do you want to disable the suspicious shit with msconfig first? If you ever get really 'stubborn to remove' shit like Ebates Moe Money Maker and friends, they're practically impossible to remove just by spyware scanning alone. You have to stop them from loading in the first place before you can get rid of them.


    Well, other than the fact that he's laughably inept at cleaning spyware, he's still got a very valid point about just how utterly shitty and insecure the Windows platform is. It's been woefully insecure for years, it's woefully insecure now, and it will be woefully insecure for the unforseeable future. That's not just my opinion, it's a well known fact that Windows has been full of holes since at least since Windows 95, and likely earlier.


    So, here we have a company that doesn't give a shit about it's product, doesn't give a shit about it's customers, doesn't give a shit about the law, and still it abuses its monopoly after being convicted of such in court. And as much as I blame Micro$oft for all the ills of the computer world, I'm a lot more pissed off at the consuming public for being the lazy, complacent sheep that they are for tolerating this abuse upon society for as long as they have, and instead of sitting on their fat asses allicted with "Homer Simpson Syndrome", they ought to be complaining to their government enmass and threatening to vote out the whole of Congress itself if that's what it takes to get them to do something about Microsoft. Damn! It's almost like walking into a run down crime ridden neighborhood, and looking at the people in it acting as though it's all normal that the neighborhood is all run down, vagrants and junkies sprawled out on the streets, drug pushers on every block, and hearing the sounds of gunshots, security alarms, and police sirens all the time.


    Total batshit insanity, man! Just total batshit! But I guess it's what the people want. They don't really want freedom or justice, they just want to sit on their ass, watch that braindead 'Survivor' or 'American Idol' bullshit and wait for the TV to reprogram them into wanting the latest 'excercise in a bottle' weight loss fad or the latest $50,000 SUV that gets 3 mpg, has a DVD, and increases your penis size a whole 5 inches! What an utter travestry!


    Well, that's my rant. Probably won't do anything to change the world no more than that 'Open Letter to a Digital World' will, but who knows? It only takes a few angry and motivated people to get the ball rolling.

    • 2. Uncheck all startup entries that look suspicious.

      And which ones are those? Seriously.

      Given that the programs can register themselves by whatever name they like, this is non-trivial. Given that the names of many of the valid entries look pretty odd already, by just unchecking things you can quickly find yourself with an unusable system.

  • I teach school and our administration has chosen to do all communication to us through Lotus Notes. I have four choices: (1) Read mail without the ability to delete or respond to it on Linux running Firefox; (2) Not read mail from the administrators (my personal favorite choice); (3) Get any of the information I need from the secretary who checks her mail twenty times each day; (4) Have full access to mail functions by running Windows and using IE.

    So far I'm doing a mixture of choices 1-3 (4 is just too ri
  • He kind of lost me when it took this super trained sysadmin 5 hours to sort out his squeeze's PC.

    I've just been through this with teenage bimbo from hell's laptop, which was chocka with kazaa and other such crap.

    a) download firewall: agnitum outpost
    b) download antivirus : AVG
    c) download some XP fixes
    d) d/l S&D

    that did not take 5 hours. It took about as long as her mum took to cook a nice spag bol, as it turned out.
  • by 3seas (184403) on Sunday December 19, 2004 @08:38AM (#11129556) Journal
    ...break.

    There are several people whom I have cleaned their system from running IE on the internet. If its bad enough, where I have to do a fresh install, I set it up with a Linux partition, but in any case I install firefox as a default browser, etc...

    90% of the time they go back to polluting their system.

    Its frustrating, considering I'm doing the cleaning as a friend. But as soon as I find out they are contridicting my efforts, I tell them it up to them to clean it from now on.

    Recent /. article about MS buying up a spyware removal company.... but heres the deal. MS sees things from a commercial basic limited view money making perspective and as such they understand the value of spyware and such... so of course they support it. They will never really work to remove it, but rather use it.

  • Yuck! (Score:3, Funny)

    by SharpFang (651121) on Sunday December 19, 2004 @09:25AM (#11129768) Homepage Journal
    Call me crazy but I am having a hard time finding any truth in the "facts" as reported by Microsoft.

    Damned karma whore!
  • Thin ice (Score:4, Insightful)

    by boodaman (791877) on Sunday December 19, 2004 @09:41AM (#11129833)
    I'm probably on thin ice saying this here, but oh well.

    I run three OSs at home: OS X, Fedora Core 3, and Xp Pro. At work, I admin XP Pro and Red Hat.

    My company has about 150 PCs running some form of Windows. In the last year, we've had one infection. One.

    At home, I've never had any. Ever.

    While I totally support GNU/Linux (including monetary donations and buying distros like SuSE at retail price), I also pay for and use XP Pro for various reasons. I agree that Windows is deficient in many ways, and I agree that Microsoft could do things differently and be better for it in the long run.

    However, I find it very difficult to understand how so many people's computers get infected. Windows or not. I do nothing special at home...the only thing I've done is use a broadband router from Netgear (because I have more than one computer), make sure I keep my XP Pro machine updated, install anti-virus and keep it updated (automatic) and use Firefox.

    This guy is a sys-admin, and his wife's computer gets infected? How? If it is "his wife's" computer, that implies he has multiple computers at home. This implies some sort of router...even a $20 router uses NAT and has basic firewalling built in.

    Either this guy is a poor sys-admin, or his wife did something with the computer to get it infected. So, Windows and Microsoft flaws aside, what we're really talking about here is a user education issue. I, as a user, at home, am educated about security issues on my PC. The people at work are educated. I don't have problems at home, and neither do we have problems at work.

    So, while his open letter is all well and good, maybe in his case he should focus on better education at home and spend the $50 required to get a decent NAT router with firewalling, instead of bleating about Windows.
  • 80% Infected (Score:3, Insightful)

    by HangingChad (677530) on Sunday December 19, 2004 @10:38AM (#11130149) Homepage
    80% of Windows users suffer from spyware

    And the other 20% are unplugged.

  • by WindBourne (631190) on Sunday December 19, 2004 @02:46PM (#11131777) Journal
    I have converted some 20 families to Linux. All of them complaign about not being able to run certain programs. But in every case, all the ones that they need run on Wine or have alternatives. In fact, several of these families were using works and love moving up to OpenOffice. The parents love the fact that they are no longer worried about the system (spyware, etc). In addition, I have set up squid guard for cntroling the kids access to the net. Works great. I have only a couple of big issues.
    1. Quicken or MS Books is needed. Yeah, GnuCash, and the KDE alternatives are not cutting it. They want one of the 2 big alternatives. Intuit is making such a big mistake. MS (with books and some tax package) will probably port to Linux before Intuit just to help kill Intuit off.
    2. Lack of downloadable Music. They all have kids that want to download mp3/ogg/etc. Itunes is doing what they can to prevent it. If one of the side ones really wanted to eat into ITunes, they would support Linux and own that desktop BEFORE any major got in there. It is normally the first that has the advantage. (if shawn gordon and his minddawn was smart, they would be doing hiphop and what the kids want to hear, rather than what the adults listen to; kids move quickly)
  • by gone.fishing (213219) on Sunday December 19, 2004 @03:33PM (#11132081) Journal
    I too hate the lack of security and the number of exploits that the typical Windows machine is exposed to. I feel that Microsoft has a responsibility to do something more than they are doing to fix the problem and sadly, I don't see them doing enough in the near future at least.

    But I disagree that this is what it should take for people to migrate from Windows to Linux. People should make their choice for the right reasons and only one of those reasons is security. They also have to weigh things like user-friendlyness, support, cost, effort required to learn, availability of the applications that they require and probably a dozen other user variables.

    Open Source in general and Linux in particular, has been making great progress in virtually every aspect that I can imagine. In many ways it is ready for "prime time." Yet to claim everyone should move to it, I can't quite accept that yet. In my business, you can't find particular applications (relating to "industrial formulation calculators" for instance) that are necessary for the operation of the business in open source (I've researched this).

    While I am able to work my way around a Linux Desktop with KDE and be fairly comfortable with it, members of my family don't seem quite as capable and frankly, I don't want to spend the time teaching them.

    Still, I spend close to fifty percent of my workday dealing with spyware (and another 1 or 2 percent dealing with viruses, worms, and trojans) and I hate it. I haven't found a single product out there that does an acceptable job of preventing it or cleaning it although on my home Windows machine the McAffee suite + AdAware + Yahoo Anti-Spy seems to mount a pretty good defense. The McAfee is always on and auto-updated, I run automated anti-virus scans every night. I run AdAware every couple of days, and right now, since it is new, I am running Yahoo Anti-spy every day. My ISP also filters my email with an anti-virus program and I practice all the common preventitive measures and am quite liberal at assigning "spam" tags on incoming emails.

    Still, all of this amounts to a lot of work. I do think Microsoft shares the blame with the malware authors in the same way that car manufacturers used to carry part of the blame for car thefts (since cars were so easy to steal). Microsoft it would seem to me has the same kind of responsibility that car makers had, to develop a safer product. I am willing to share part of this expense (developing products costs money and that cost is passed on to customers - it is what for-profit companies have to do). I also hope we get help from legislators and from ISP's, and even hardware companies who each in their own way can develop things that would make malware harder to propogate.

    I'd also like to challenge computer makers to provide us with additional choices, like packaged Linux boxes, better secured Windows boxes, and software that actually works that comes bundled with machines so that so many people don't download "free" spyware-laden products to do something they expected their computer to do out of the box (Dell, Sonic - do you hear me?).

  • by zerofoo (262795) on Sunday December 19, 2004 @05:59PM (#11133047)
    I hate these types of "letters". All they do is make Microsoft look bad, but they don't make Linux look very good. Most people I talk to that are frustrated with Microsoft look at linux (on the desktop) and say - OK, it's free, but it isn't as "nice" as windows.

    Those same users really like OS X - but they don't want to buy an expensive computer to run it.

    The reason spyware is not a problem for linux yet is two-fold:

    1. Marketshare - if you are writing spyware, wouldn't you want to "spy" on the largest user base?

    2. Application installation ease - most spyware does not install itself. Most spyware i've run into came from users directly downloading and double-clicking files. Installing apps on Linux is not nearly that easy - and that's why my sisters, neices and nephews don't like Linux. They can't double-click and install.

    Sure, eventually Linux will HAVE to be that easy to get the marketshare that Microsoft has. Don't rattle off the excuse about being prompted for a password in OS X - i've seen users blindly type in an admin password every time the installation box pops up.

    When *nix becomes easy (and popular), spyware will become a problem on *nix.

    -ted

CCI Power 6/40: one board, a megabyte of cache, and an attitude...

Working...