Windows Can Be Secure

So today I put up a post on ufies with great picture of ad-aware on a badly infested system. The parent post used the headline of “friends shouldn’t use friends use windows”. I thought it was funny. Anyway, Dana took offense a bit and pointed out that this post was silly and you can run windows securely.

I completely agree. It’s a bit of work, and involves turning on firewalls (assuming you’re not behind one already), installing a different web browser and email client than those that are bundled, installing spyware catchers like ad-aware or spybot search & destroy, installing a virus scanner, checking your system periodically (I’m waiting for my ad-aware run to finish as we speak, but I’m going to guess it’ll look similar to this), and possibly running as a user without administrator rights (I don’t do this, but I know Dana does and loves the runas command.

Read more as I ramble…

Before anyone (you know who you are) chime in to say that you have to do work on a Linux system as well and it’s got things running by default, and distro X still ships with an exploitable program foo or whatever, I know this, all OSs suck. I’m talking about windows in particular right now.

Anyway. Windows can be made secure. If you take a bit of time and know a bit about what you’re doing it’s very possible to have a system that you could even trust to hook directly to the Internet. The problem is that that’s still too hard for the average user. People still use IE for heaven’s sake! Why would you do that? Because you don’t know any better or don’t care, or are too busy with “real” work that taking the time to secure your system and put up with the extra minor hurdles that are involved in running a secure system (ie: using runas to install software instead of just clicky-clicky).

I believe that people, in general, simply use the OS and applications as provided. They turn on their computer and use the web browser, email client, click on pop ups, click on .exe attachments offering them penis enlargement pills from nigeria, etc.

My bitch is that they are allowed to do this. When setting up the windows OS the path of least resistance in XP (and as I understand this hasn’t changed in the latest Longhorn build) is to set yourself up as an administrator with full rights to all files on the system. This means that viruses, spyware and adware have far less problems infecting the entire system instead of just the users’s account. The original image just shows the possible result of this. And I’ve seen this sort of thing first hand.

Now, while apple’s OS/X isn’t the best system in the world, it’s miles better than windows for separating users from their administrative privilages while still making the system very usable. Oh, and security out of the box appears a lot better as well, but that’s a different point.

Basically the security model works similarly to windows’, but when you are an admin you don’t get free and clear access to everything, you still have to authenticate yourself with a sudo system. There is also still a ‘root’ user that you can su into in the terminal which acts as any normal root account would.

For quite a while I’ve mentioned this to scoble on his page as a good way of securely dealing with users and admin authentication, but with no real response. I’m sure it’s being given serious consideration by the Longhorn team though. Uh huh. According to Dana his post on channel9 got nothing as far as attention or conversation. I’m going to guess that it’s either because no one wants to think about it, no one wants to admit they have it all messed up, it’s already copied from the way that XP does it and it’s too late to change anything, or they have a much better idea that’ll be here when Longhorn is released in anywhere from 2 to 5 years. Well, no one really knows when it’ll come out actually…

<sarcasm> but it’ll be really great when it does, so don’t bother changing over to that silly Linux thing while you wait, cause really, believe me Longhorn will be awsome when it’s finally out. </sarcasm>

So by now I’ve forgotten what my original point was, and no one is still reading anyway, so it doesn’t really matter. Windows can be secured, but I don’t think that it is in 90% of the cases (or 80% if you go with the 80/20 rule), so most people run insecure and end up full of viruses and crap on their system and then ask me to clean it off and find out why their computer isn’t running as fast as it used to.

By the way Dana, get your product out ASAP, the latest issue of PC Week/world/whatever is a big expose on antivirus, anti-adware, anti-spyware, and how to protect yourself, and notes that the apps seldom catch brand new threats.