Security 'impossible' for Win9x

[FreeUS]

Yesterday Microsoft senior VP and head trustworthy computing honcho Craig Mundie delivered his 'annual report' on the company's trustworthy computing initiative. He had much to say about the progress that has been made since Microsoft discovered security, but the bit that interested us was way down the bottom of this, where he explained why people are going to have to ditch their old MS stuff and buy lots of lovely new MS stuff instead.
He begins with a graph, which regrettably we do not have, but clearly it illustrates the deployed population of different versions of Windows within a total active user base of approximately 400 million. He notes that the "single largest bump on this graph is Windows 95," while "the newest systems, the ones that have had all this work [all what work? Security work, allegedly, anyway] done to them are down here in these little slices. They're the ones that are in the earliest stages of deployment."
This is not good. Not good for security, not good for Microsoft, not good for the economy (The economy of who?, of M$? of course , and they think about the new economy, controlled by... M$). "And what society is doing and we're doing as a business is dragging around behind us a giant tail of systems that, of course, were built and deployed quite a long time ago." Tut. Society is to blame. As well as Microsoft, that is.
"If we wanted to go out, and some days I think about the challenge that we face and we say, oh, if you have to do this with the conscious effort of real people it would be roughly many times worse than just saying, okay, we just want to get every single person in New York City to do the same thing today to their computer system, please to fix it today. And even if it was just New York City you'd have a tough time. The reality is we have the equivalent of about 30 or 40 New York Cities that all want to in some sense move together or get repaired in one fell swoop."
And here comes the axe: "So we know that in practice it's impossible for us to remediate the threats that we know exist in the world today in systems that were designed in 1991, '2 and '3 and deployed in '95 and which are actively still in use today... Now, we know that these waves just keep rolling through and they will ultimately change, but it shows how long the threat exists of bad things happening and why it's not completely possible to fix every old system.
"The message here is that there will have to be two tradeoffs that have to be made, and to some extent the events of last September have facilitated us in making one of those tradeoffs or changes."
Windows 95, and presumably the decidedly similar Windows 98, will be tossed to the wolves, reluctantly and begrudgingly: "We have decided that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security. In the past, the biggest thing that happened to us was IT managers would come to the company and say, hey, all those new features, they're great, all that new security stuff, that's great, but whatever you do don't break my app. So just turn it all off and trust me, we'll fix the apps and then we'll turn it all on. And the reality is that never happened.
"And so we're going to tell people that even if it means we're going to break some of your apps we're going to make these things more secure and you're just going to have to go back and [here comes the tab] pay the price."
Naturally, being secure is going to cost money, but if you are insecure because you're unprepared to fot that bill, then your insecurity stems from your own irresponsibility: "And the other thing is that the customers, whether they're individuals or corporations, are going to have to make a decision about when and how much they spend to get these machines to be more secure. And to some extent you can do it by insulating them, to some extent you can do it by putting things around them or in front of them that protect them, you know, firewalls in some sense. And then in some cases, you can just replace them when you get new machines or new software or both that have intrinsically better capabilities.
"But I think one of the things that we say, and even if you look at the national cyber security plan that was put forth, Dick Clark and the people at the White House have realized that security is going to cost some money, whether it's having a new transportation safety authority to make people feel like they have more security in the airport or spending other things on homeland defense. It isn't free, and to some extent as the threat models continue to emerge in new ways, then we are all going to collectively have to spend more, both in the development and maintenance of these machines if we're going to be secure."
Mundie also, incidentally, had a few words to say about Longhorn, first indicating that it was still a couple of years off, then this:
"So Longhorn, which will be the next big version of Windows -- the rights management architecture, the underlying Palladium, which is the codename for our system working with the hardware folks to create a trusted security environment within the hardware framework -- all of these things will be there."
The "rights management architecture" is a particularly interesting component, because it sounds rather like it will be the Windows half of the Palladium.

[PGHammer]

The *worst* part about it is that, believe it or not, he's *absolutely right*.

However, we (as consumers) haven't wanted to face up to this.

While some of us *individually* have (and upgraded to Windows 2000 or XP), the great majority of us haven't and (for whatever reason) refuse to upgrade.

Sure, everyone talks about FUD holding up corporate upgrades, but the biggest stoppage of upgrades due to FUD is in the *consumer* (not corporate) space. And what's the biggest holdup? Worries about game compatibility.

Let's answer this once and for all.

Unless the game in question is *older* than Quake II *and* runs as a Win16/Windows 3.1 application, in ninety-nine out of one hundred cases, it will run in Windows XP (in most cases, *better* than it ran on the previous version of Windows).

Hardware compatibility (especially older hardware)? So far, I have installed XP Professional on one P-III, one K6, and a pair of PentiumPro-powered Dell OptiPlexes. The OptiPlexes have 200 MHz Pentium Pros, 128 MB of RAM, and 2 MB S3 PCI graphics cards; not exactly state-of-the-art, even for when they were built (the one saving grace is that the hard drive and CD-ROM drive are easily upgradeable).

If you're worried about cost, then you had better decide what is more important: increased compatibility, or increased security.

Windows 9x is *not* a secure operating system, and wasn't designed to be. When Windows 9x was being designed, there was no thought to needing high security in a desktop home-use operating system. The general reasoning was "If you need high security in a desktop OS, you have Windows NT or UNIX." The reasoning at the time actually made sense: telecommuting didn't exist, the Internet at home was still largely non-existent, and it was online services (not ISPs) that were the rage. (This was 1994.) However, in late 1994, beta 2 of the then-nascent Windows 95 reached the testers (of which I was one). To say that it shook people up was an *understatement*. You could run some applications designed for *Windows NT* on this fledgling OS. On the other hand, the Windows NT folks started screaming that they wanted the 9x UI on a future version of NT. (Starting with NT 4.0, they would get it.)
Windows 9x became more of a *testing ground* for NT at this point; features could be tested on 9x for usability and customer acceptance, then migrated to the *corporate/business OS*.

The problem is now, there *is* a secure desktop/home use OS, albeit designed on the corporate/business OS.

And the concern is how well all those applications they have grown up with will run on a basically corporate/business OS.

Well, the business/corporate OS folks have a life outside of business...and they don't want to have to change OSes to have it.

The chief reason this didn't happen sooner? The IHVs wanted more time to write WDM drivers for their hardware.

There was a reason Windows ME was a joke; it was an *unplanned OS*. Originally, Windows 98 Second Edition was to be the last non-NT operating system from Microsoft. A consumer version of Windows 2000 *was* planned; and the work on it was mostly done. But it was the IHVs (not PC makers) that wanted another 9x OS. (I actually recommended *Windows 2000 Professional* for home use when it shipped, and saw nothing that would change that until XP Professional went into testing.)

[FreeUS]

1st at all, delete the double post

Quote:

The *worst* part about it is that, believe it or not, he's *absolutely right*.

h34r:" class="inlineimg" /> <_<
LOL?

Quote:

However, we (as consumers) haven't wanted to face up to this.

Please dont include me on 'that' list...

Quote:

While some of us *individually* have (and upgraded to Windows 2000 or XP), the great majority of us haven't and (for whatever reason) refuse to upgrade.

Its right or wrong that?. Why any person on this world should "upgrade" their system?. Or a company?. Why?. Because M$ say that?. Come on. They do the software.
I will tell you a simple "experience". Here, where I live, I try to survive. Doing what I learn to do. Programming. I have costumers... They still using old PC like XT (yes 8086) with my programs running. And until now, I still supporting my system program.
Why the biggest software company on the planet earth cant do the same?. Simple, there force to the people to upgrade, on their time. When M$ think they that to do. And the people pay for that!!.
Buy new machines to run their software. And Bill Gate$ gain every day a step on his monopoly game. Yep, he wants to control everything.
If 9x is an unsecure system, then who to blame?. Hackers?. Bugs?. or M$?. They develop a OS, and many ppl use their unsecure system. They should provide an solution. And no say: upgrade... Because many poeple can't pay their price.
And whats next?. When XP will be repaced with 'longhorn'. They should be upgrade again?. Why?. Because XP is untrusted?. And longhorn yes?.
Who gain everytime more money to support that developing company? (I mean M$). Can you pay the price?. Can you support the rest of your life that?. They upgrade, and you pay, without questions... Good Slave .
And whats next, a trusted computer?. Where you can do what M$ want you can do?. Where is the free choose?. Where is the freedom to produce or develop anything?. Limited on the imagination of M$?. Where you wanna go today?. Where M$ wants?. To pay M$ Bills?. Can you trust in M$?. M$ its a company, and their objective is make it everyday more big. Nothing more. The dont do this for 'the software' evolution. They do this because they gain billions every year.If they can force to the people upgrade (Im not talking about 9x) when the conditions are favorable, they will win the game.
One more thing, the rest of the world doesnt have the economic condition that US have. Remember that... Before you sleep.

[DoG]

EDIT: Deleted Duped Post

Also whilst i am here........................
@PGHammer...

90% of my home users know nothing about computer security. So you are telling me that because they bought an operating system at full price for their shiny new computers its their fault that they have an insecure system?

Or is it mine for installing the OS?

NEITHER.

The blame lays solely on the software maufacturer.

WHY?

Because they should never have been allowed to release an operating system that either wasnt finished or wasnt tested for its secureness. You can forgive the earlier win9X platforms- if you are extremely forgiving- but to release windows XP with the amount of security flaws that it has is bordering on negligence.

When Windows Longhorn is released i will be expected to advise all the user of XP and 2000 that their systems are insecure and sell them the new OS. Which within 2 weeks will be found to have more leaks than the Titanic on a good day and will have more patches than a kingsize patchwork quilt. Will this be their fault as well? Sure it will. Then 2 years after that MS will release Palladium- and i will be expected to go back to my customers and tell them, once again that their systems are insecure and this time they will have to buy a fulll new system to run MS's new "Secure" OS that will have as many leaks as................................................ ... you get the picture i'm sure.

The only people who profit from this situation are MS and their chosen hardware partners who will be developing the new hardware. Thats the reason MS is in this game. It isnt to provide a better more secure compting experience. It's pure and simply to make money. And lots of it- no matter who they tread on along the way (See the past, recent and future antitrust/copyright law cases for proof of this attitude)

MS should stop work on coding their new OS's and put all the coders to work fixing their multiple cock-ups with their previous OS's. It will take all of their coders about 2 years to fix them, if ever they could.

Stopping now- dont want to start ranting h34r:" class="inlineimg" />

[Cactus]

Quote:

Originally posted by FreeUS@Nov 14 2002, 09:20 PM
They still using old PC like XT (yes 8086) with my programs running. And until now, I still supporting my system program.

Hehe,

A bit of topic, but I installed a new system for one of my customers a few weeks ago running (of course) Windows XP. The man has been moping ever since. So today I installed a second harddisk (40 G and installed dos 6.22 on it for him, and gav him a floppy so he could boot it.

It's weird to see a grown man drewl of happyness

Some people just don't like the way the world is going . . .

[Sephiroth]

Quote:

Originally posted by DoG@Nov 14 2002, 05:53 PM
EDIT: Deleted Duped Post

Also whilst i am here........................
@PGHammer...

90% of my home users know nothing about computer security. So you are telling me that because they bought an operating system at full price for their shiny new computers its their fault that they have an insecure system?

Or is it mine for installing the OS?

NEITHER.

The blame lays solely on the software maufacturer.

WHY?

Because they should never have been allowed to release an operating system that either wasnt finished or wasnt tested for its secureness. You can forgive the earlier win9X platforms- if you are extremely forgiving- but to release windows XP with the amount of security flaws that it has is bordering on negligence.

When Windows Longhorn is released i will be expected to advise all the user of XP and 2000 that their systems are insecure and sell them the new OS. Which within 2 weeks will be found to have more leaks than the Titanic on a good day and will have more patches than a kingsize patchwork quilt. Will this be their fault as well? Sure it will. Then 2 years after that MS will release Palladium- and i will be expected to go back to my customers and tell them, once again that their systems are insecure and this time they will have to buy a fulll new system to run MS's new "Secure" OS that will have as many leaks as................................................ ... you get the picture i'm sure.

The only people who profit from this situation are MS and their chosen hardware partners who will be developing the new hardware. Thats the reason MS is in this game. It isnt to provide a better more secure compting experience. It's pure and simply to make money. And lots of it- no matter who they tread on along the way (See the past, recent and future antitrust/copyright law cases for proof of this attitude)

MS should stop work on coding their new OS's and put all the coders to work fixing their multiple cock-ups with their previous OS's. It will take all of their coders about 2 years to fix them, if ever they could.

Stopping now- dont want to start ranting h34r:" class="inlineimg" />

This is one of the biggest reasons I am more and more tempted every day to move to Linux permanently. Upgrades are free. Software is free. Software is open source. Unlike Windows, if a hole is discovered, it is patched within hours, not weeks or months, hell, even years. If you want to run a server, all you do is download a few packages and install them. HTTP, FTP, Database, SSH, SSL, ASP, DNS, DHCP, it's all free. Then there's the alternative. Buy 2K Server or 2K Advanced Server, clocking in at around 3 to 500$, for something that is usually more insecure, and definatly way more expensive. Over 60% of the net's servers run Linux with Apache, Bind, ProftpD, OpenSSL, etc. Why? Security and price. Two things Microsoft is seriously lacking. Yes, Linux has a much steeper learning curve. But would you rather take the time to learn it than have an OS that you have to pay 200 bucks a year or two to upgrade if you're on a workstation, 3 to 500 a year to upgrade if you're on a server?