LinuxQuestions.org
Old 07-25-2005, 08:27 PM   #16
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34

Quote:
Do you need to worry that every little thing you do in Linux could possibly let in a virus?
No, unless you're running a sensitive server. Securing your box and updating it should be fun... The paranoid mindset ultimately undermines your health.

Another problem is that many paid "professionals" want all things done in a hurry. Things cannot be made right that way.

Quote:
Nothing's ever 100% foolproof.
This is a security fact, and it may be a Zen truth... All things must evolve
Any fun in life comes from things not being 100% predictable. But this is philosophy and common sense anyway. Let's talk about computer (in)security because it's stimulating.
 
Old 07-26-2005, 05:33 AM   #17
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 50
This virus/malware thing is quite interesting. I have a lot of Microsoft geeks telling me that they will come hunting us as soon as Linux gets popular enough. But then I start wondering. Aren't we popular enough? I mean come on, we have a part of the desktop market, that should be interesting for a virus/malware writer. And we have a lot of market share in the server area, wouldn't it be nice to spread virus or spyware to servers? Come on, we are big enough for viruses IMO, still we have not seen ANYTHING except a handful of viruses written in labs. How long do we have to wait before we are big enough to get infected? I think that it will not happen actually, maybe some few but not as much as in the M$ world.

My opinion, RFC..
 
Old 07-26-2005, 10:35 AM   #18
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,886
Blog Entries: 28

Rep: Reputation: 533
I ran WindowsME for years, actually up until last November when my windows hd died. Not once did I get a virus/trojan.

I used a:
1) router with builtin firewall. My system was stealthed according to the test at grc.com with no open ports.
2) Antispyware apps like Spyblaster, winpatrol
3) Used Mozilla then Firefox as my browser
4) AVG antivirus
5) Used a host file to block a lot of bad crap
6) Spampal with a few plugins for my email (block 99% of bad/spam emails)
7) Used Xenobar and the popup blocker in Mozilla/firefox
8) didn't use java unless I needed it to play a game
9) never downloaded and installed anything, unless it was from a trusted site; no cracks, no shareware with other apps included

Never in 5 years did my windows machine get any type of infection.
 
Old 07-26-2005, 10:36 AM   #19
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
The original design of the Windows-NT kernel was definitely weakened by some of the things that Microsoft did during its court-battle. They seriously compromised also in an effort to enable "old" programs to run, that shouldn't have. But still, their basic design can be securable, at least far-more securable than it turns out to be today.

Yet this is a Linux forum, and I know that.

The reason why I say "popularity" is simply that script-kiddies can create, and mass-produce and mass-deploy, attacks that are "stupid as sin," as far as computer-programs go, yet they work and cause havoc because an exploitable number of IP-addresses out there will turn out to be running Windows, and will turn out to have security (effectively) turned-off, or be an older version that has no security at all. The programs are exploiting nothing more than random chance. Your overall odds of encountering and being bedeviled by a "script kiddie" are much higher than that of being singled-out by the Kremlin or the CIA. Thus, a comparatively simple defense consisting mostly of "basic precautions" (such as running Linux ) are extremely effective.

But enuf of this...
 
Old 07-26-2005, 11:57 AM   #20
Itachi
Member
 
Registered: Jan 2005
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by primo
Well, Microsoft doesn't help anyway because their programs access the secret innards of the Operating System, which is dangerous..... Their dirty tricks backfire....

You can only "secure" a Windows machine if you turn off NetBIOS, Windows Messenger, UPnP, Active-X (which a lot of sites use) and MS-"RPC" (used by many services) and block their own programs to protect their own OS.

NTFS permissions, too, are ugly... How can most people ever use them effectively?
Their patches are all faulty... How can you trust them?

Also, you must update the antivirus almost everyday. Your box is not only insecure while it's being online: it is too if it was turned off some time

You can secure a Linux machine without the need to reboot (unless you update your kernel)

Any Windows box is a waste of computing power
Thanks everyone for enlightening me =)
One more qn: how do we access those Active-X sites securely? I mean, since enabling Active-X provides security loopholes, right? Does disabling Active-X prevent the website from showing all its content?
Sorry for my ignorance. =)
 
Old 07-26-2005, 01:37 PM   #21
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 50
Quote:
Originally posted by craigevil
I ran WindowsME for years, actually up until last November when my windows hd died. Not once did I get a virus/trojan.

I used a:
1) router with builtin firewall. My system was stealthed according to the test at grc.com with no open ports.
2) Antispyware apps like Spyblaster, winpatrol
3) Used Mozilla then Firefox as my browser
4) AVG antivirus
5) Used a host file to block a lot of bad crap
6) Spampal with a few plugins for my email (block 99% of bad/spam emails)
7) Used Xenobar and the popup blocker in Mozilla/firefox
8) didn't use java unless I needed it to play a game
9) never downloaded and installed anything, unless it was from a trusted site; no cracks, no shareware with other apps included

Never in 5 years did my windows machine get any type of infection.
This speaks for itself. Windows takes much more effort to make secure. Not many people know about securing their Windows and what do we have? A lot of zombies sending spam all over the Internet.

Why would one need to make so much effort avoiding malware/viruses? Use Linux and get rid of it. We do not have IE, and Thunderbird gets rid of all my spam at least. And we have a tougher environment for malware and viruses.
 
Old 07-26-2005, 01:52 PM   #22
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
Quote:
Originally posted by sundialsvcs
... It isn't Windows' fault... it's theirs!
I think you're being far too lenient on Microsoft. Yes, it's true that many security breaches are due to the user being careless (such as opening .exe attachments in Email) but it's also an unavoidable fact that there are huge numbers of security vulnerabilities inherent within Windows, particularly with IE. Specifically, if somebody is simply using their PC to surf the Internet, these vulnerabilities expose the user to being hacked, through no fault of their own. My "favorite" (?) example of a Windows vulnerability is this security bulletin from last year. To quote:
Code:
Identified security issues in Internet Explorer could allow an attacker to 
compromise a Windows-based system. For example, an attacker could run 
programs on your computer while you view a Web page. This affects all 
computers with Internet Explorer installed (even if you don’t run Internet 
Explorer as your Web browser).
(bolding added for emphasis)
Lovely - so in other words if Joe Newbie happens to simply accidentally type a bad URL and ends up visiting a malicious web page, regardless of whether or not he's even using IE, his system can be compromised. This is not a hallmark of a secure OS. Granted, one could argue that Joe Newbie "should have known" that he shouldn't be running under the Admin account, but it would be plain unrealistic to assume that non-technical people would somehow just automatically realize this. Let's face it, for most non-techies, a PC is just an appliance like a TV or microwave, and they just want to be able to take it out of the box, plug it in, and start using it, without having to go through complicated series of preparation actions. Practically speaking, taking the steps to secure a box is just not something that the typical non-techie is capable of doing (heck, even 'simple' tasks like installing a new video card or adding a second hard drive are too intimidating for most non-techies to even attempt) and Microsoft doesn't help matters by making the Admin level the default.

Overall, I agree with you on the point that there are many cases where the user's action was the direct cause of the problem, but I think it's valid to say that there is plenty of blame that can properly be attributed to Windows as well. Just look at the continuous parade of new, "critical" security patches coming out of Redmond. Just my 2 cents -- J.W.
 
Old 07-26-2005, 02:05 PM   #23
aysiu
Senior Member
 
Registered: May 2005
Distribution: Ubuntu with IceWM
Posts: 1,775

Rep: Reputation: 86
Quote:
Originally posted by Ephracis
This speaks for itself. Windows takes much more effort to make secure. Not many people know about securing their Windows and what do we have? A lot of zombies sending spam all over the Internet.
I think the point of that post was to say it is possible to run Windows securely--it's not inevitable that you will be infected if you take precautions. But your point is a good one--the precautions you have to take are quite sophisticated (I know this because I use Windows XP at work, and I have to take similar precautions--a lot of my co-workers who don't do so get infested with malware).

Quote:
Why would one need to make so much effort avoiding malware/viruses? Use Linux and get rid of it. We do not have IE, and Thunderbird gets rid of all my spam at least. And we have a tougher environment for malware and viruses.
Well, this isn't really fair. I'm a big proponent of Linux (just read the links in my sig), but it is not for everyone, and it cannot meet every need. There is some software that runs on only Windows (I've just been playing around with Google Earth, for example, and there's no Linux version of that). Also, switching to Linux isn't easy. I'm not saying using Linux isn't easy. I think using Linux is a lot easier than using Windows, but switching is hard. People are used to Windows. They usually don't have to install Windows. Commercial software is almost always made for Windows. It's not like they can just start using Linux and life is a lot easier. Linux is an investment of time just as securing a Windows computer is an investment of time. I've just found proactively investing my time in learning to install and use a new operating system is more fruitful than retractively investing my time in learning to defend an old operating system. That's my choice, though. I can't make that choice for anyone else.
 
Old 07-26-2005, 02:24 PM   #24
aysiu
Senior Member
 
Registered: May 2005
Distribution: Ubuntu with IceWM
Posts: 1,775

Rep: Reputation: 86
Quote:
Originally posted by sundialsvcs
The reason why I say "popularity" is simply that script-kiddies can create, and mass-produce and mass-deploy, attacks that are "stupid as sin," as far as computer-programs go, yet they work and cause havoc because an exploitable number of IP-addresses out there will turn out to be running Windows, and will turn out to have security (effectively) turned-off, or be an older version that has no security at all. The programs are exploiting nothing more than random chance.
I don't know if it is as simple as that. Sure, there's a grain of truth to what you're saying. If five out of seven people are wearing blue shirts, and you "spray" them with a machine-gun, you're more likely to hit someone with a blue shirt than a red shirt.

Still, the same "bullets" that harm Microsoft do not necessarily harm Linux. Scripts usually have to be designed to exploit a particular system's vulnerability/structure. If someone doesn't have Wine installed on her Linux computer, not only will an .exe do very little harm, it will probably do nothing at all. Likewise, if you don't have ActiveX, it doesn't matter if your IP address gets randomly "selected," ActiveX exploits won't do anything to your computer.

There are also a lot of social components to malware-writing ("script-kiddies," as you call them). Anyone who's going to write a piece of malware has one of two motives: mischief or greed. If a piece of malware steals credit card info and logs keystrokes to get passwords, that's probably motivated by greed. If it just makes people's systems crash and pop up an animated bunny that repeatedly says "Ah ha! Ah ha! Ah ha!" it's probably motivated by mischief. And why would "script-kiddies" want to cause mischief in Linux-land? They probably wouldn't. Delinquents and criminals often view themselves as anti-establishment, and what could be more "establishment" in operating systems than Windows? So, they target Windows.
 
Old 07-26-2005, 02:28 PM   #25
aysiu
Senior Member
 
Registered: May 2005
Distribution: Ubuntu with IceWM
Posts: 1,775

Rep: Reputation: 86
Quote:
Originally posted by Itachi
One more qn: how do we access those Active-X sites securely? I mean, since enabling Active-X provides security loopholes, right? Does disabling Active-X prevent the website from showing all its content?
There are very few websites out there that require ActiveX in order to be functional. I think it's safe to say that you should use Firefox, Opera, or some alternative browser on almost every site you visit. If you come across one that absolutely requires ActiveX to function, visit that one page with IE. Change all your IE settings to maximum security, and put that one site on the "Trusted sites" list along with Windows Update. Then, if you're using Firefox, you can download the IEView extension, visit that page, go to Tools, and click on "Always View this Page in IE." Then, every time you visit that page, it'll automatically pop up in Internet Explorer, so you can use ActiveX.

I have yet to find a single site (besides Windows Update) that I use or have even visited that requires ActiveX for functionality.
 
Old 07-26-2005, 03:31 PM   #26
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Quote:
This virus/malware thing is quite interesting. I have a lot of Microsoft geeks telling me that they will come hunting us as soon as Linux gets popular enough.
These Microsoft "geeks" have nothing better to do... They target a popular OS to boost their little egos. Nothing more...

I bet that, if they try to switch to Linux, the 1st thing they'd do is to go into IRC and brag about their new found toy.

This is totally different from the romantic portrayal of hackers who want to learn something new, or real anti-establishment crackers who dream to hack into nuclear sites and deactivate these bombs, or something alike... See http://www.theregister.com/2005/07/1...ences_hackers/


I still can't comprehend how much "popularity" affects security. The only obvious thing is that a bug would harm too many machines (and the solution would be to fight monopoly). I believe that technical design has a lot more weight (much like personal will over fate, although they're not the same thing)

Last edited by primo; 07-26-2005 at 03:36 PM.
 
Old 08-24-2006, 04:33 PM   #27
sosborne
LQ Newbie
 
Registered: Apr 2006
Posts: 23

Rep: Reputation: 15
Quote:
Originally Posted by craigevil
I ran WindowsME for years, actually up until last November when my windows hd died. Not once did I get a virus/trojan.

I used a:
1) router with builtin firewall. My system was stealthed according to the test at grc.com with no open ports.
2) Antispyware apps like Spyblaster, winpatrol
3) Used Mozilla then Firefox as my browser
4) AVG antivirus
5) Used a host file to block a lot of bad crap
6) Spampal with a few plugins for my email (block 99% of bad/spam emails)
7) Used Xenobar and the popup blocker in Mozilla/firefox
8) didn't use java unless I needed it to play a game
9) never downloaded and installed anything, unless it was from a trusted site; no cracks, no shareware with other apps included

Never in 5 years did my windows machine get any type of infection.
None of which you were aware, at least. Many of the malware programs that took/take advantage of undocumented or little documented MS security holes are not detected, i.e., the HUGE WMF hole that had been a part of the OS for ages.

I had a friend illustrate, in 1994, MS Corp's use of their OS/Office software to clandestinely gather (what I would consider) sensitive information. It was not documented, he just happened to catch it.

http://www.manilastandardtoday.com/?...06_july04_2006
http://www.junkbusters.com/microsoft.html

The problem with a closed development system is the timeliness of security issues reporting. With OpenSource, it is transparent, with a proprietary system, what you do not know CAN hurt you, and you would be none the wiser.

EDIT: Fixed grammar error & added links

Last edited by sosborne; 08-24-2006 at 04:38 PM.
 
Old 08-24-2006, 09:25 PM   #28
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
No one is mentioning the fact that Windows actively encourages you to run as an administrator. This encouragement comes about because of the difficulty in becoming an administrator if you are doing the right thing and browsing as a restricted user. If you need to do administrative things, you have to change your logon, which is a royal pain.

Not only that but many third party software developers (notably Electronic Arts) are putting out products that simply won't run unless they have administrative rights.

Anyone who codes a game that needs administrative rights should be put out of business, IMNSHO.

Nonetheless, it happens. I actually have gone to the effort of setting up security profiles and establishing run scripts for some EA games so that my kids could play their games on Windows computers with the restricted access which is all I give them.

So, Microsoft actively encourages bad behavior by users (running as administrator) through their design decisions, third party developers get lazy and require bad behavior to use their products, and the Clueless User, who only knows Windows, doesn't want to be a guru, and doesn't understand what/why constitutes good behavior, gets thoroughly screwed.

And, as I say all of that, I say it on my WinXP laptop, where I am logged in as an Administrator (bad behavior) and connected wirelessly to my LAN, where I am browsing the net via an SSH tunnel to my Linux workstation with the HTTP proxy on it.
 
Old 08-26-2006, 03:29 AM   #29
Tudor Vlasceanu
LQ Newbie
 
Registered: Apr 2005
Posts: 5

Rep: Reputation: 0

Thank you kindly. This information is very useful for me. Great site! Thanks again!

--------------------------------------------------------------------------------------------------------

http://www.neolink.ro
 
Old 08-26-2006, 03:08 PM   #30
k0balT
LQ Newbie
 
Registered: Nov 2005
Posts: 8

Rep: Reputation: 0
If a Windows computer is infected with something, is it possible to key-log what you type into ssh vpn and https programs?

This would be horrible for online banking and such
 
  

