It's 2015 and Microsoft has figured out anything can break Windows

Microsoft head software engineer Lee Holmes says Windows 10 applications will now be able to plug into installed anti-virus platforms to better combat malicious scripts. Holmes says the Windows 10 Antimalware Scan Interface (AMSI) will allow apps and services to use anti-virus to find badness operating in memory. He says most …

  1. Charles Manning

    Surely...

    The effort going into malware fixing is obscene (without even mentioning all the runtime resources).

    Surely it would be easier to just start again and write a robust OS from the ground up? I can't think the Windows API is that stuffed that it could not be done simpler than what we've seen.

    1. Trevor_Pott Gold badge

      Re: Surely...

      I seem to recall Microsoft started a project on that a few years back. Complete rewrite of the kernel, new design...but it takes rather a lot of time, and may never see the light of day.

      1. Anonymous Coward

        Re: Surely...

        @trev

        Wasn't that Midori ?

        1. Trevor_Pott Gold badge

          Re: Surely...

          Sounds about right, yeah. Singularity I think the OS, and Midori the kernel? http://en.wikipedia.org/wiki/Midori_(operating_system)

    2. h4rm0ny

      Re: Surely...

      >>"Surely it would be easier to just start again and write a robust OS from the ground up?"

      Like how Mozilla decided to throw out the Netscape code and do a clean slate approach to a browser - with near disastrous consequences and leading directly to IE6 being the dominant browser for so long? Because an OS isn't already several orders of magnitude more complex than a browser.

      If there's one thing that modern software development has learned, it's that you don't start from scratch without a very good reason. But let's ignore that you put "easy" and "write a robust OS from the ground up" in the same sentence. What is it you would do differently in a new OS that current Windows doesn't do (or vice versa) which would make your new OS inherently more secure? I would like a genuine answer to that as I am curious.

      1. Roo
        Windows

        Re: Surely...

        "If there's one thing that modern software development has learned, it's that you don't start from scratch without a very good reason."

        I take issue with you scoping things down to "modern software development", it was true when I started hacking 6502 assembler >30 years ago. It's common sense. :)

        With that said the original poster may have a valid point because some vulnerabilities stem from the design and usage of an OS, and in some cases you may well *have* to start from scratch because there is a design fault that simply can't be worked around effectively. To MS's credit they have taken this approach in the past.

        However, in this case MS have added code that will have privileged access to the address space of any app that makes use of the API. In addition that code's behavior will be driven by a bunch of virus signatures so the security & safety of that complex code will be a function of the signatures and time. In essence they've added another set of attack vectors that are a function of an arbitrary opaque dictionary of virus definitions that changes over time. They've made AV software more invasive, when they really should be working to make it obsolete.

        Personally I would have preferred MS to have looked at the known attack vectors and tried to design them out of the OS (ie: re-write bits of it or the whole thing). :)

      2. Roland6 Silver badge

        Re: Surely...

        "What is it you would do differently in a new OS that current Windows doesn't do (or vice versa) which would make your new OS inherently more secure? "

        Well, actually use the security features that have been present on all Intel chips since the 286...

        However, I expect that would break backwards compatibility...

      3. icesenshi

        Re: Surely...

        Surely bundling ie with windows had absolutely nothing to do with market share, not at all. Because then the eu would not have forced ms to unbundle ie from windows. Oh wait..

    3. John Sanders
      Trollface

      Re: Surely...

      It is easier not to run Windows.

      1. Anonymous Coward

        Re: Surely...

        "It is easier not to run Windows."

        Well no, for most use cases it's harder not to run Windows. And the major alternatives like OS-X and Linux have vastly more security holes in than current versions of Windows.

        1. Trevor_Pott Gold badge

          Re: Surely...

          "And the major alternatives like OS-X and Linux have vastly more security holes in than current versions of Windows."

          Except they don't. Because - again, like a goddamned broken record - you are counting every security issue in every package of a distro against the core Windows OS, without regard to vulnerability type or severity.

          Linux distributions include hundreds if not thousands of applications whereas the Windows operating system only includes dozens to low hundreds. Windows does not, for example, include a full productivity suite nor a full suite of vulnerability assessment tools, multiple web servers and databases, multiple development environments and IDEs and so forth.

          Windows' issues tend to be far more severe, and they take far longer to get fixed. Open source's issues are mostly that issues can (and do) go unnoticed (sometimes for years) because there simply aren't enough penetration testers willing to test open source. (Bounties are paid by proprietary companies!) Of course, Microsoft will gleefully discover a bug then sit on the damned thing for years, so that is somewhat moot.

          You are correct in that it is harder to not run Windows in the specific circumstance where you are already deeply wedded to the Windows ecosystem and have critical Windows only applications. It's been a long time since that was a universal experience for all businesses, and more and more are getting out...and staying out of Microsoft's clutches.

          Microsoft and Windows absolutely have their advantages. But you, sir, purposefully and knowingly distort statistics and facts to turn complex - but quantifiable - truths into blatant lies.

          1. Uffe Seerup

            Re: Surely...

            "Except they don't. Because - again, like a goddamned broken record - you are counting every security issue in every package of a distro against the core Windows OS, without regard to vulnerability type or severity."

            Sorry, Trevor, but you are wrong. Let's take the latest full year (2014) . And let's take Windows 8.1 and compare to *just* the Linux kernel. From there on you can add X, Gnome/KDE to get to the same functional level as Windows 8.1. But just the kernel:

            Linux kernel: http://www.cvedetails.com/vulnerability-list/vendor_id-33/year-2014/Linux.html

            Windows 8.1: http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-26434/year-2014/Microsoft-Windows-8.1.html

            Linux kernel, year 2014: 135

            Windows 8.1, year 2014: 38

            For the year 2015 so far the numbers are 60/40 in Linux favor but keep in mind that it is not a full year and that it counts only KERNEL vulnerabilities for Linux versus ALL vulnerabilities for Windows 8.1

            Let's go back to 2012-2013 then. Windows 8.1 did not have a full year of 2013, so let's compare Windows 7 to Linux (kernel only again) for 2013:

            Linux kernel for year 2013: 189 vulns

            Windows 7 for year 2013: 100 vulns.

            Linux kernel for year 2012: 116 vulns

            Windows 7 for year 2012: 44 vulns.

            Again, contrary to your claims this is counting only Linux KERNEL vulns against a fully functional Windows.

            So it would appear that you are incorrect, Trevor.

            1. Solmyr ibn Wali Barad

              Re: Surely...

              "Linux kernel, year 2014: 135"

              "Windows 8.1, year 2014: 38"

              Nice set of numbers you've got there. Shame if anything happened to them...like discovering CVE-2014-8439 among the "Linux kernel" vulnerabilities, and being absent from the Windows 8.1 list.

              It's none other than our good friend Adobe Flash.

          2. azaks

            Re: Surely...

            >> you are counting every security issue in every package of a distro against the core Windows OS, without regard to vulnerability type or severity. Linux distributions include hundreds if not thousands of applications whereas the Windows operating system only includes dozens to low hundreds.

            You have this somewhat backward Trevor. Most stats do exactly the opposite - compare "linux kernel" against whole distros of windows.

            Check out http://www.cvedetails.com/top-50-products.php. From 2004 - 2015, "Linux kernel" has had more vulns than any version of windows every year except 2011 and 2015 (which isn't over) and has not been in the top 5 offenders only 3 out of the 12 years. You are just fabricating nonsense based on your unshakable belief that Linux is inherently more secure than anything else.

            >> Windows' issues tend to be far more severe, and they take far longer to get fixed

            More hand waving. Any facts to support that?

            >> Open source's issues are mostly that issues can (and do) go unnoticed (sometimes for years) because there simply aren't enough penetration testers willing to test open source

            So the "many eyes" argument can finally be laid to rest? May it R.I.P.

  2. Ian Bush
    Facepalm

    Finally the truth is revealed ...

    "Microsoft head software engineer Lee Holmes says Windows 10 applications will now be able to plug into installed anti-virus platforms to better malicious scripts."

    The Evil Empire is back!

    1. Pascal Monett Silver badge

      And it is going to borgify all existing anti-virus applications.

      Then it will "plug into" any app that starts up, "for security reasons".

      Then it will "plug into" your mail, to do preemptive security.

      Finally, it will "plug into" your bank account, for your security obviously, but there it can more conveniently send itself money every month. Because it would be so bad if something happened to your data, wouldn't it ?

      All of that, of course, at the disposal of any US judge who thinks that the data might be relevant to the case he is presiding.

  3. Anonymous Coward
    Holmes

    Not so fast Mr Holmes !

    What about next gen firmware nasties ?

    Are you going to do something about the fact that firmware can be flashed from the OS with such ease ?

    1. Sandtitz Silver badge

      Re: Not so fast Mr Guinness!

      Firmware flashing is just as easy with e.g. Linux as it is with Windows. You just need root/admin privileges and that's it.

  4. kryptylomese

    Just Use Linux

    Come on Microsoft - just give up with this rubbish and make a Linux distro and open source anything you have that is proprietary so that everyone can run software that ran previously.

    Microsoft must have the most stubborn and pig headed management team (They need to have their minds changed).

    Then the IT landscape would welcome Microsoft whole heartedly instead of replacing their products at every opportunity as is the current trend!

    1. Anonymous Coward
      WTF?

      Re: Just Use Linux

      Yes I know, we'll give up our extremely successful multi-billion pound business, write a Linux distro from scratch and give it away for free.

      Yup sounds like a great idea.

      Really are people on this forum that naive / stupid?

      1. kryptylomese

        Re: Just Use Linux

        Why would they have to give up their multibillion pound business? Microsoft already gives software for free - doesn't mean that businesses don't also use their paid for services!

        Can all you Windows people please stop thinking like blacksmiths about to lose their jobs because the car has been invented?

      2. Lars Silver badge
        Linux

        Re: Just Use Linux

        @ Lost all faith...

        I am not taking part in the "should MS use Linux or not" but I would like to point out that you don't have to give Linux away for free at all. You can charge as much as you want, the free is not free as in beer. I think you know that very well. As I recall Linus suggested about 15 years ago that Microsoft could sell Windows with a Linux kernel. I don't think they will but they could and who knows, perhaps they should, but that is all up to them.

        That would not become a Linux desktop but Windows with a Linux kernel.

        1. h4rm0ny

          Re: Just Use Linux

          Actually, Microsoft do sell GNU/Linux. You can pay for GNU/Linux instances on Azure and MS also provide some tools of their own to manage configuration of them. What they don't do, is publish their own distro which is probably sensible given that RedHat and others provide good enterprise-focused distros themselves.

          1. azaks

            Re: Just Use Linux

            >> What they don't do, is publish their own distro which is probably sensible given that RedHat and others provide good enterprise-focused distros themselves.

            But isn't the whole point of linux to spin up a new distro rather than agree on anything, and create a mindbending dependency mess for everyone that uses it? Wow... I misread that one

        2. Anonymous Coward

          Re: Just Use Linux

          So for the billion windows users worldwide, all of their software will need to be rewritten to work on this new windows. Hang on a sec - I think I might have just spotted a teeny chink in your brilliant plan...

        3. Anonymous Coward

          Re: Just Use Linux

          "Microsoft could sell Windows with a Linux kernel"

          Why would they want to though. The Windows kernel has a number of architecture advantages as a hybrid microkernel over legacy monolithic designs...

      3. John Sanders
        Trollface

        Re: Just Use Linux

        Sarcasm my friend, sarcasm.

        1. Peter2 Silver badge

          Re: Just Use Linux

          "Can all you Windows people please stop thinking like blacksmiths about to lose their jobs because the car has been invented?"

          The "windows people" are actually IT Professionals who are paid to deliver (generally) the cheapest solution to a requirement handed to us by the people who pay our salaries. Frankly, our jobs won't change much if we are using Windows or *nix because the job of the OS is to Operate Systems and we build and maintain those systems.

          The businesses we work for tend to want particular bits of software, not windows. In my particular environment to run any currently available flavour of *nix on the desktop would entail accepting the loss of a huge swathe of boring, mundane tools that improve the productivity of the people who make money in the business. (As in, it would cost us money because our productivity would drop)

          The business exists for the sole purpose of making money, and the IT exists for the sole purpose of supporting the business in its objectives, which dictates that we use the OS those tools work on. For the most part, we *really* DO NOT CARE which OS we use.

          Incidentally, the biggest thing that Linux fans could do to help increase the utilisation of Linux would be to cease harming the "Linux" name by making any proponent of Linux look like a stark raving madman or a frothing zealot. These idiots have done, and continue to do far more damage to Linux's name than Microsoft's FUD tactics with patent threats etc ever aspired to cause.

          As a result it is vastly more difficult (and in some cases utterly impossible) to get Linux into deployments where it makes commercial sense. If you really want to do Linux a favour, stop making yourself, and everybody else proposing a solution based on it look like an unprofessional hippie with the reasoning skills of a five year old.

          1. kryptylomese

            Re: Just Use Linux

            You cannot stop the tide. Linux is the most common operating system in the world. It is only on Desktops that Windows still dominates. I am saying that Microsoft should use Linux as the basis for Windows and if you really do not care what operating system you use then what is your problem?

            1. h4rm0ny

              Re: Just Use Linux

              >>"I am saying that Microsoft should use Linux as the basis for Windows and if you really do not care what operating system you use then what is your problem?"

              What are you suggesting, specifically. That Linux should form the kernel of Windows? That is a very big ask from an engineering point of view and I'm uncertain what the point would be.

              What exactly do you think should be done and what do you imagine the benefit would be? Please give at least some detail in the answer because with something as massive a task as I think you may be suggesting, discussing it without specifics is meaningless.

            2. Charles 9

              Re: Just Use Linux

              Even the tide has a problem against a cliff. Desktops are still too useful and too powerful which is why they remain the baseline for performance gaming.

            3. Jamie Jones Silver badge
              Devil

              Re: Just Use Linux

              " You cannot stop the tide. Linux is the most common operating system in the world. It is only on Desktops that Windows still dominates. I am saying that Microsoft should use Linux as the basis for Windows and if you really do not care what operating system you use then what is your problem?"

              Why? If they were really going to go down that route, they'd opt for a BSD system, not the legal GNU minefield.

              There is precedent. Google "Apple OS X"

              HTH

          2. Cynic_999

            Re: Just Use Linux

            I would honestly love to use Linux and ditch Windows. In fact I try a latest Linux install regularly about 4 times a year just to see whether it is yet suitable. Every single time I am balked because Linux cannot do something that I want to use my PC for, or it would take a significant learning curve for me to configure it to do something that I can get running on my Windows PC in 10 minutes. Then there's the fact that when I have a problem with a new bit of USB hardware I've just bought and I call the company's support staff, they won't have a clue about Linux. A lot of it is of course chicken-and-egg. Until Linux desktops are more prevalent, manufacturers are really not interested in providing drivers & support etc. and so people like myself cannot use it.

            My very latest attempt was a couple of weeks ago when I tried to use my SDR on Linux. Now I am sure that GnuRadio is a fantastic bit of software that will do everything I would want and much more besides - but unfortunately it looks like it needs several weeks of study followed by hours of custom programming (after learning Python) before I could get it to even receive my local FM radio station in mono. On Windows I was listening to full stereo FM within seconds, and receiving satellite images and decoding pager transmissions within an hour of downloading a few suitable applications, and I did not have to write so much as a .bat file or know the difference between a local oscillator and a first stage mixer. I have not even found a way to get Linux to provide me with a way to watch movies without either buying new expensive video & audio hardware or putting up with significant compromises that I simply don't have to make using Windows.

            1. Roo
              Windows

              Re: Just Use Linux

              "Every single time I am balked because Linux cannot do something that I want to use my PC for, or it would take a significant learning curve for me to configure it to do something that I can get running on my Windows PC in 10 minutes"

              I have had the same problem with both Windows and Linux down the years, but in latter times I'm finding that it happens with Linux far more rarely than Windows. Installing Windows 8.1 (on 3 different machines) 3 months back took over double your 20 minutes to install (excluding the mandatory massive update & reboot), and I was unable to watch a DVD at the end of it. To watch the DVD I had to install a bunch of third party drivers to make the motherboard, network hardware and graphics hardware work. By contrast a Linux Mint default desktop install came up roses without any third party guff (on the same boxes) and let me watch a DVD straight away in under 10 minutes.

              IMO your point about hardware support is valid for Linux and Windows, but in Windows land because it's only a tiny proportion of the user-base who has to go through that pain because vendors do it for them. Windows bare metal installs really haven't changed much since XP: you still have to install a bunch of 3rd party drivers for motherboards, chipsets, graphics, audio, network interfaces and USB ports. Personally I find this intolerable because I don't see any reason to trust code I don't have the source code for and can't build, so there is no way I want that code running with Admin/Kernel/Root type privilege.

              I believe that the current state of affairs with opaque 3rd party binaries running at ring 0 is NOT sustainable in a connected world where criminals, companies & nations trojan machines as SOP. MS have some smart people working for them, I'm sure they're aware of the drawbacks and the risks they force Windows to take, the question is whether they'll fix it or not. Extending the reach of AV software really doesn't fix the fundamental security problems at the lower levels of the stack.

              1. Cynic_999

                Re: Just Use Linux

                "To watch the DVD I had to install a bunch of third party drivers to make the motherboard, network hardware and graphics hardware work. By contrast a Linux Mint default desktop install came up roses without any third party guff (on the same boxes) and let me watch a DVD straight away in under 10 minutes."

                I would hope so. DVD is very old technology, and Linux is usually able to cope adequately with old technology. These days my minimum AV requirement is 3D Blu-ray and 5.1 sound. The last Linux distro I tried would not drive my 5 year old sound card in anything better than 2 channel and did not have the 3D support that I've had on my Win 7 machine for the past 2 years. The Linux community predictably blamed the card manufacturers for not supplying Linux drivers for their products, but that really doesn't help me.

          3. Roo
            Windows

            Re: Just Use Linux

            "If you really want to do Linux a favour, stop making yourself, and everybody else proposing a solution based on it look like an unprofessional hippie with the reasoning skills of a five year old."

            That approach has worked brilliantly for Microsoft (and Apple).

      4. Anonymous Coward

        Re: Just Use Linux

        >> Really are people on this forum that naive / stupid?

        you forgot "zealous"

    2. dogged

      Re: Just Use Linux

      >> Assumes linux is invulnerable to malware.

      moron detected. opinion dismissed.

      1. kryptylomese

        Re: Just Use Linux

        Of course it is vulnerable but FAR less and with the correct configuration almost impervious!

        Name calling really makes your point more valid though right?

        1. dogged

          Re: Just Use Linux

          > Of course it is vulnerable but FAR less and with the correct configuration almost impervious!

          Try a thought experiment for a moment. Assume that every single Windows desktop and server in the world magically became a linux desktop or server last night. Assume all Windows software - including Office, java and Flash - were migrated along with the OS.

          Now tell me, what is every single malware author in the world doing right this second?

          Yeah.

          Now go away.

          1. kryptylomese

            Re: Just Use Linux

            Here is a thought experiment - Linux is run on more computers than any other operating system. I am not talking about just desktop PC's where the current majority runs Windows, I am talking about ALL computers including TV's, phones (android is a kind of Linux and iOS is BSD which is similar), network switches as well as 99% of the Top 500 list of super computers!

            1. dogged

              Re: Just Use Linux

              Very few people do online banking through their dishwasher.

              Please, just stop. You're not helping your case at all.

              1. kryptylomese

                Re: Just Use Linux

                But the clever ones do it with Linux or through their phone. And remember the backend (the servers etc) of the online banking system will be running Linux too.

                1. h4rm0ny

                  Re: Just Use Linux

                  >>"But the clever ones do it with Linux or through their phone. And remember the backend (the servers etc) of the online banking system will be running Linux too."

                  And maintained by professionals who know what they're doing. Here's something that is true - compromising a GNU/Linux system that is kept up to date by knowledgeable people who are unlikely to fall for common tricks or link their server up to disreputable websites, is hard to do. Here is something else that is true - compromising a current Windows system that is kept up to date by knowledgeable people who are unlikely to fall for common tricks or link their server up to disreputable websites, is hard to do.

                  See the points of comparison? Now here is something else - compromising end user installations of Windows run by people who have no understanding of keeping software up to date, who connect it to disreputable sites, who download software from untrusted places and ignore bright yellow warnings and proceed to give it free rein to do what it wants to their OS, is much easier.

                  Notice the difference between these two scenarios is not the OS, but the environment it finds itself in.

                  1. Curious

                    Re: Just Use Linux

                    >> compromising a current Windows system that is kept up to date by knowledgeable people who are unlikely to fall for common tricks... is hard to do

                    Yes. And Valve steam, apt / yum, ninite etc demonstrate that the update process for applications and windows update itself could be far more friendly and less fault-prone if Microsoft put effort into it; instead we have every company with their own second-rate update service, changing your home page in the process; scheduled to fight with each other at boot time.

                    Its windows app store effort is poor in comparison. Can't even record and redeploy our OEM / Retail MS Office licenses from it; that's yet another website mess.

                    Windows home and SBE licensing up to now has compounded the problem.

                    You bought a pretty laptop with Windows vista ultimate / Pro? No affordable upgrade to a windows 7 home for you without a complete wipe. So will not be done.

                    - Microsoft loses potential upgrade revenue for 8 years, (OS followed by Office, services, apps)

                    - the affected customer associates Microsoft with obsolescence and viruses, when one of their 300 windows updates fails and breaks the windows update service, blocking the rest.

                    - Developers end up with the costs of supporting XP for 20% of the market.

                    Can't that SKU stuff just be an aftermarket feature like media centre, downgradable as well as upgradable?

                    And even the supported upgrades for 8 and 10 are so horribly fault prone, with hours wasted on the "Reverting" process. Wouldn't it be nice if the old and new OS could sit side-by-side with the old as a reserve for a week. In theory it can be done, at the expense of diskspace.

                    1. h4rm0ny

                      Re: Just Use Linux

                      >>"Yes. And Valve steam, apt / yum, ninite etc demonstrate that the update process for applications and windows update itself could be far more friendly and less fault-prone if Microsoft put effort into it; instead we have every company with their own second-rate update service, changing your home page in the process; scheduled to fight with each other at boot time."

                      Then prepare to be happy. MS are producing a full package manager for Windows with an API.

                  2. Anonymous Coward

                    Re: Just Use Linux

                    "Here's something that is true - compromising a GNU/Linux system that is kept up to date by knowledgeable people who are unlikely to fall for common tricks or link their server up to disreputable websites, is hard to do. "

                    It should be. But then it does not explain this: http://arstechnica.com/information-technology/2011/09/linux-kernel-archives-host-compromised-by-attacker/

                    One should think that kernel.org was maintained by "knowledgeable people".

                    At roughly the same time, linuxfoundation and linux.com was compromised as well: http://thehackernews.com/2011/09/linux-foundation-linuxcom-multiple.html

                    Again, one should think that it would be hard to find anyone more knowledgeable on Linux than the people who oversee the development, and who would know full well how embarrassing a successful attack would be to the cause.

                    1. h4rm0ny

                      Re: Just Use Linux

                      >>"It should be. But then it does not explain this"

                      Does it need to? Of course some systems get compromised, whether that is GNU/Linux or Windows. What I wrote is that it is much harder to do this than with a non-professional end user who doesn't keep things up to date and doesn't understand security. Meaning that you can't simply compare the amount of malware or rate of infections between two different OSs across different environments. You can only fairly compare them within the same environment. The odd high-profile hack doesn't change that.

            2. Doctor Syntax Silver badge

              Here is a thought experiment. Was Re: Just Use Linux

              Where's the experiment? All you say is that there's a lot of Linux about. No experiment, thought or otherwise.

              And then you trip up by the comment about BSD being like Linux. You've got the resemblances in the wrong order. BSD is a Unix variant. Linux is a Unix-like OS - and one that's rapidly becoming less Unix-like in the estimation of many of us.

              1. kryptylomese

                Re: Here is a thought experiment. Was Just Use Linux

                OK, so I was stating what I was responding to "Here is a thought experiment" and I meant that BSD is similar to Linux - I am not really interested in arguing the differences between the two in this forum.

                It is a shame that you have to resort to semantic arguments but at least you are no longer trolling me with non facts now....
