[quote=“blaeceorcanstan, post:77, topic:74131”]
Sure Windows is a larger target than MacOS, Linux, BSD etc., but also because its security is laughable. [/quote]
As vulnerability lists show, this is mythology.
[quote=“blaeceorcanstan, post:77, topic:74131”]
I use Windows alongside of Linux, and am not an inept user of either, but even turning on all sorts of “protection” in Windows, it’s nearly impossible to avoid malware/viruses without disconnecting from the Internet.[/quote]
As the vast number of Windows users avoiding malware and viruses shows, this too is mythology.
In my entire company we’ve had only one successful instance in the last few years of a malware/virus successfully running on a computer. It arrived in an encrypted fake invoice PDF, and would have done so on Linux or Mac OS. It wouldn’t have run on Linux (without Wine) or Mac OS - but not because they had better security.
(After, we set our mail server to block encrypted PDFs, because they can’t be scanned. With exceptions for several companies that we DO receive encrypted PDFs from.)
The same claim can be made for the Apple store with roughly the same credibility, and more so for the Android store.
I use Windows alongside of Linux, and am not an inept user of either, but even turning on all sorts of “protection” in Windows, it’s nearly impossible to avoid malware/viruses without disconnecting from the Internet.
That’s either an outright lie, or you are an inept user and you just don’t realise it. I haven’t had a single virus or other piece of malware on a single one of my own 10-15 Windows boxes (various dev, server, testing and personal boxes, VMs and otherwise) in well over a decade. I also look after clients with over 100 PCs and have only had to deal with a handful of instances in the same time frame (usually from the same users of course).
The official MS Windows store on Windows 10 is full of software riddled with malware, as far as my experience shows.
This is a completely separate issue to OS security, I don’t know if it’s true (and coming from you would doubt it), but installing any app carries risks, regardless of OS. Every OS on the market today is vulnerable to malware if users have admin rights and deliberately install shitty software. The Win10 app model dramatically reduces the attack surface area in this regard actually (so I was wrong to say there were no significant improvements there before), so I can only assume you are either talking about Win32 apps in the Windows 10 Store, or making shit up.
Yes, that’s part of why Apple’s numbers are huge - they have a lot of apps and a BSD userland they’re patching all the time, and MS is in a similar boat.
Here’s a more meaningful view:
Sadly it looks like you can’t filter by year without an account.
Anyway, none of this has to do with my point which was that your claim that Win10 is “certainly as secure in principle as any other OS these days” is simply false. OpenBSD is more secure in principle with real-world results that illustrate that fact. Sadly, it’s not used very widely (and is not an ideal desktop OS).
No disagreement there. But there are other reasons why you don’t see it in common use beyond a fraction of web servers.
In any case, if you were to swap Mac OS’s or Linux’s popularity for that of Windows, then that’s what the virus writers would target. Viruses arriving in encrypted PDFs would get through in the same way, and run in the same way. Malware attached to game and utility downloads from questionable sites would run in the same way.
Like with Windows, people would be always installing new apps and device drivers. Like with Windows, the requirement for administrator privileges to do so would lead many to simply run all the time with administrator privileges, or to automatically OK a security warning pop-up. I’m not sure that even BSD could solve this problem. (Without users switching OS’s because they can’t blindly install their apps and drivers.)
I mean, I’m the guy that assigns Firefox CVEs so I’m pretty sure I know. If OpenBSD has no CVEs, that could be meaningless because there could just be no one there assigning them to their code or acknowledging the ones from shared code that they get updated libraries for… Does OpenBSD even write security advisories?
Mitre sends blocks of CVEs for vendors to use and vendors then assign them to vulnerabilities. Sometimes, when a vendor does that or Mitre is working with someone, a CVE is assigned by a third party for code that multiple folks use and then people get told about the vuln and the CVE together so they can go fix their variant.
CVEs are not a measurement of vulnerabilities. They are a measurement of vulnerabilities that someone has acknowledged (by assigning a CVE) and then (usually) shipped updated code for. This is like measuring security advisories or disclosures. Just because a company didn’t disclose any vulnerabilities doesn’t mean they didn’t have them. It just means they haven’t told you or discussed them.
Yes, CVEs aren’t a sufficient gauge. Yes, the OpenBSD team does write security advisories and there are OpenBSD CVEs, it’s just that they’re less common: https://www.cvedetails.com/product/163/Openbsd-Openbsd.html?vendor_id=97
These are the same people that deliver OpenSSH and they write advisories for that as well.
The OS is more secure in part because:
the OS is designed with security as its primary goal so it has secure defaults
the OS is often the earliest with security features (like W^X/ASLR/etc.) and will sacrifice performance for enhanced security
they’re religious about chrooting and use privilege separation and privilege revocation to limit what an exploit in a binary can do
the maintainers replaced more dangerous libc calls like str*() with bounded/safer versions and update packages to use them
the maintainers run various forms of static analysis on every line of code in the OS and packages and fix findings
the maintainers engage in a continuous running code review for security issues and are very good at what they do
the maintainers ship a minimalist OS so installs tend to focus on only having the applications they require on their systems
It is all sausage being made, and they’ve had a few RCEs over the years, but OpenBSD does have security as their primary goal and it shows.
It definitely has downsides - it’s slower than Linux, is really only useful as a server (no accelerated X11), and while I found administration straightforward, I learned UNIX on BSDs to begin with, so for admins who aren’t used to that there’s a learning curve. Also Theo’s a complete dick, they’re terrible at marketing, and have various other issues with petty squabbling with the other BSD teams.
I’m really glad they’ve forked OpenSSL to LibreSSL, this should eventually make the internet a safer place.
Anyway, I was responding to the claim that Windows 10 was “as secure in principle as any other OS these days,” which is false.
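To make the “replaced str*() with bounded/safer versions” point in the post above concrete, here is an added example (not code from this thread, and not OpenBSD’s own source): a local reimplementation of the strlcpy()/strlcat() contract, named bounded_copy/bounded_cat so it compiles on any libc, plus a small helper that shows why the return value matters. The idea the OpenBSD team applies is that a copy into a fixed buffer must (a) never write past the buffer, (b) always leave it NUL-terminated, and (c) tell the caller whether anything was cut off, which a plain strcpy()/strcat() does none of. The buffer sizes and the “user=<name>” field are constructed sample inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: reimplementation of the strlcpy() contract.
 * Copies at most size-1 bytes, always NUL-terminates when size > 0,
 * and returns strlen(src) so the caller can compare it against size
 * to detect truncation. Unlike strncpy(), it never leaves the buffer
 * unterminated and never pads with zeros. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Added example: reimplementation of the strlcat() contract.
 * Appends src to dst within a total buffer of `size` bytes and returns
 * the length the result would have had with unlimited space, so a return
 * value >= size means truncation. strnlen() is avoided on purpose so this
 * builds with strict -std=c99. */
size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == size)               /* dst not terminated within size */
        return size + strlen(src);
    return dstlen + bounded_copy(dst + dstlen, src, size - dstlen);
}

/* Returns 1 if src fit into dst, 0 if it was truncated.
 * The unbounded strcpy(dst, src) would silently overflow dst here. */
int copy_fits(char *dst, size_t size, const char *src)
{
    return bounded_copy(dst, src, size) < size;
}

/* Constructed sample: build a "user=<name>" field into a fixed buffer.
 * Returns 1 when the whole field fit, 0 when it was truncated; in both
 * cases `out` is NUL-terminated and nothing was written past `size`. */
int build_field(char *out, size_t size, const char *name)
{
    if (bounded_copy(out, "user=", size) >= size)
        return 0;
    return bounded_cat(out, name, size) < size;
}

int main(void)
{
    char field[16];
    int ok = build_field(field, sizeof field, "averyveryverylongname");
    /* Truncated: prints "truncated: user=averyveryv" rather than corrupting
     * whatever sits after field[] on the stack. */
    printf("%s: %s\n", ok ? "ok" : "truncated", field);
    return 0;
}
```

The practical check is always the same: compare the return value against the buffer size and treat `>= size` as an error (reject the input, log it, or allocate a bigger buffer), rather than assuming the copy succeeded.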
I assume the handful of instances are the cases where someone actually tried to install software.
[quote]
The official MS Windows store on Windows 10 is full of software riddled with malware, as far as my experience shows.
This is a completely separate issue to OS security, I don’t know if it’s true (and coming from you would doubt it), but installing any app carries risks, regardless of OS. Every OS on the market today is vulnerable to malware if users have admin rights and deliberately install shitty software. The Win10 app model dramatically reduces the attack surface area in this regard actually (so I was wrong to say there were no significant improvements there before), so I can only assume you are either talking about Win32 apps in the Windows 10 Store, or making shit up.
[/quote]
No, it’s not. If I am using a Linux distro, and that distro’s repositories are full of malware, I’m not going to say “well, it’s not the OS’s fault”. However the software in the Windows store is vetted, it appears to allow for loopholes, where some of the apps after installing go out to the internet and pull in other things (including malware).
[quote]
I assume the handful of instances are the cases where someone actually tried to install software.
[/quote]
No, not cases where they tried to install software, cases where they tried to install all of the software (e.g. one guy had around 6 browser toolbars installed).
[quote]
No, it’s not. If I am using a Linux distro, and that distro’s repositories are full of malware, I’m not going to say “well, it’s not the OS’s fault”.
[/quote]
They are separate, an operating system is one thing, software that can be installed on it is another thing entirely.
[quote]
However the software in the Windows store is vetted, it appears to allow for loopholes, where some of the apps after installing go out to the internet and pull in other things (including malware).
[/quote]
You never answered my question, but I can assume from this that you did only mean Win32 apps, because WinRT apps run in a sandboxed environment which is pretty hard to run malware in.
One thing the windows store does contain a lot of is crapware, but the only thing that’ll damage is your wallet if you’re dumb enough to buy any of it. There’s also a lot of this crap in the other commercial app marketplaces, but Microsoft’s is definitely worse.
What the FBI is trying to coerce Apple into doing is to devote engineers and resources into writing a version of the OS that does not exist yet. That in itself is pretty sleazy, if you ask me, in that it is asking a company to do your work for you. Then it comes out that there were already tools in place, but that the FBI fucked up and locked themselves out. Oh, and to top it off, the chances of the phone having any valuable info is slim since they have the records from other sources, but internal memos revealed that the FBI thought the magic word “terrorism” would give them an edge in setting a precedent.
Now, ol’ Bill is not an unknown around these parts, so it does fit a narrative we know about him to put the FBI before the end users. After all, he never sold MS DOS, Office or Windows to end users, he sold them to OEMs and to IT departments.
MS DOS, Office and Windows always had massive sales to end users. I worked in computer stores for a decade, none of which had OEM agreements. We sold a whole lot of MS DOS, Office and Windows products, all of them the end user versions.
The methods have evolved - you can now buy Windows or Office online or buy a license key card at Best Buy and elsewhere and then download it - but that’s still selling to end users.