
What To Do (To Be Secure)

Windows is and will always be an insecure standalone system. It is not suitable for Internet use. If you're running Windows, get offline or get Unix before the attackers get you.

Microsoft Windows - whether it's the 32-bit wrapper (Win9x: 95, 98, 98SE, ME) on old Windows for Workgroups (WFW 3.11) or the somewhat network-savvy NTx family (NT, 2K, XP) - is not and never will be ready for 'prime time' on the Internet. All these systems are designed for personal use (as in personal computer) and when you get connected to the Internet, things fall apart.

Unix was from the outset a multi-user system. Its name is even a joke at its own expense - a pun on Multics, the system it grew out of, suggesting a Multics for at most one user - but the main thing is it had multiple users with mandatory login from the very beginning. Every user has their own part of the system disk - the home directory - where one's files are stored and where no one else can go.

Windows doesn't have this because it's based on what many called 'not an operating system but a hardware interface': MS-DOS (or PC-DOS, the IBM variant of the fork). These systems were in turn an outgrowth of the immensely popular CP/M (Control Program/Monitor, later glossed as 'Control Program for Microcomputers') written by Gary Kildall (RIP) for Intel's 8080 in 1974. Intel's top engineers quit after the introduction of that second one-chip 8-bit processor and founded Zilog, coming out with their own processor, the legendary Z80, which became the mainstay of the home computer market for the rest of the 1970s. Tim Paterson wrote, for Seattle Computer Products' 8086 board (compatible with the 16/8-bit Intel 8088), a system that copied CP/M's programming interface, and he called it QDOS - 'Quick and Dirty Operating System'. The name is not a joke: it truly was, as its predecessor, a hardware interface. Home computers back then were nothing like the PDPs Unix ran on: they had no hard drives, there was no thought they would ever be 'connected', and there was no World Wide Web to connect to. They were home computers meant for tinkering with by the technically inclined, by computer engineers, in their own homes. The simple realisation that such computers could ever even be useful was still years away - people did not regard these machines as having any justification for existence other than as curiosities.

Unix on the other hand was meant for professional use from the beginning. It was built in the absence of the awaited and promised operating system from Digital Equipment Corporation (being written by David Cutler - small world) that never seemed to materialise. Unix was to be the working environment for all the PhDs in the Bell Labs Computing Science Research Center in Murray Hill, New Jersey. They were to develop a 'word processing system' for the Bell Labs patent department (and they did, and eventually got the contract as well). Unix was from the get-go a system meant for serious work. It was not a toy.

IBM gradually started to believe they'd made a mistake with the PC. Compaq had succeeded in legally cloning their BIOS, other companies followed suit, selling only the BIOS to yet further hardware companies around the world who churned out PC clones, and IBM felt they'd lost out. Their research departments came up with a new architecture which would be more difficult to legally clone, established a royalty system for those companies still interested in cloning, and even designed a new operating system to go on top of it - the stillborn OS/2.

At Comdex in 1983, when Bill Gates was still a relative nobody working out of a high-rise in downtown Seattle, a PC software company grabbed everyone's attention with a preview of a coming PC operating system with a graphical interface. Bill had been working with Steve Jobs and Apple on Multiplan and other applications for the coming Macintosh, was just as convinced as Jobs that the GUI would take the day, and felt miffed at being upstaged by a competitor. He rushed home to Seattle ahead of time, called Harvard friend Steve Ballmer and put him in charge of the not-yet-born 'Windows' project. It was vaporware: Gates told the industry his company also had a new operating system with a GUI and that it was almost ready for release. Gradually Windows was born, seeing the light of day first in November 1985 - two years later.

Windows was built right on top of MS-DOS. It looked absolutely terrible and performed worse, but the die had been cast. Across the continent, IBM continued their work on OS/2, but the product suffered from a typically lacklustre IBM interface good enough for the world of mainframes but hopelessly out of it in the world of microcomputers. Intel processors at the time were lagging far behind their Motorola counterparts, and Apple had graduated to 32/16-bit computing already in the early 1980s, but Intel, always desirous of backward compatibility with older architectures, could never seem to catch up.

It was the combined efforts of Lotus Corporation, Intel, and Microsoft - the so-called 'LIM' consortium - which gradually addressed the weaknesses in Intel-based machines. Their first venture, the so-called 'EMS' standard, was abysmal. It gave the PC the capability of addressing a lot more memory than before, but this memory sat on an expansion board outside the processor's address space and could only be bank-switched into a 64 KB window of ordinary RAM in 16 KB pages - the adjective 'slow' doesn't begin to describe things. The next venture, 'XMS' (with AST now on board), was far better: it opened the extended memory above 1 MB on 286 and 386 machines to DOS programs and made memory- and disk-intensive systems such as Windows an accessible possibility.

Steve Ballmer travelled to Armonk to end the OS/2 joint venture with IBM. Microsoft called in all their OS/2 programmers and work began immediately on Windows version 3.0. This version, released in 1990, was a resounding success, so much so that Microsoft understood they needed to do it again and quick. Efforts were redoubled, every line of code was rewritten, and in 1992 the world was struck by Windows 3.1, the break-through for Bill Gates and his ticket to becoming the richest person in the world.

He hired jumbo jets (747s). He had entire trains and fleets of lorries. He had lorries waiting at airports. He hired 7,000 extra workers just to package the diskettes. And he ran out of diskettes too, and had to travel personally to the Orient to find new suppliers. It was that bad. Or good.

Did Windows work? Yes it did. Was it as good as MacOS? Different strokes for different folks. But the market said 'it is good'. By closing time on the first day of release, every Tandy Radio Shack store in the US was sold out. Every single last one. It was sensational.

How did Windows work? Yes, it crashed. It was a cooperative multitasking system: one address space, one thread of execution, one message queue, and all the so-called applications sharing them, so any program that failed to yield hung the lot. And when you started your computer, you were greeted by the familiar MS-DOS.

Was Windows secure?

Windows ran on top of MS-DOS. Windows did not change the basic MS-DOS system. You still had BIOS drives 0x00 and 0x01 (A: and B:) for the floppies and drives starting with 0x80 (C:) for the hard drives. You had very few file attributes. Files did not have owners - they just existed.

MS-DOS file attributes are the following, one bit each in the single attribute byte.

  0x01  R  Read-Only Bit - files can be marked read-only so they may not be overwritten or deleted
  0x02  H  Hidden Bit - files may be hidden so some programs (DIR, for one) will ignore them
  0x04  S  System Bit - does nothing except signify the file might be important
  0x08  V  Volume Bit - used only for setting the name of a volume, theoretically found only in a root directory (later exploited by Windows 9x, in combination with R, H and S, to mark 'long file name' entries)
  0x10  D  Directory Bit - used to signify a directory as opposed to a file
  0x20  A  Archive Bit - means the file has been written to since last backup (MS-DOS sets the Archive Bit on every file write - it's the MS-DOS backup system at work)

Of all these attributes, none actually affect use except the read-only bit, and even then it's a wave of the hand to remove the bit, write to the file, and restore the bit again.

None of these bits even hint at security. The system bit means a file may be sensitive, but it does not qualify use in any way shape or form.

There are no users on MS-DOS. The person that turns on the power is the user. There are no accounts on MS-DOS. It is a hardware interface.

As there is no such thing as a defined user, there is no way to say 'this file belongs to so-and-so'. The files are just there, eminently accessible to all - to anyone who turns on the power.

MS-DOS directory entries tell the rest of the story. Each one is 32 bytes.

  offset  size      field
  0x00    8 bytes   File name (christian name), padded with spaces
  0x08    3 bytes   Extension (surname - the 'dot' is implied: if an extension exists, DOS displays a dot between name and extension; it does not actually exist on disk)
  0x0B    1 byte    Attributes (as there are only 6 they fit snugly in one byte)
  0x0C    10 bytes  Unused (reserved, reputedly for compatibility with XENIX)
  0x16    2 bytes   Time stamp (counts only pairs of seconds because of storage limitations)
  0x18    2 bytes   Date stamp (only one - 'last modified'; years are counted from 1980)
  0x1A    2 bytes   Starting cluster 'pigeon hole' in FAT
  0x1C    4 bytes   File size

You have a name, possibly an extension, the attributes explained above, a time and date stamp, the starting location and the file size, and ten empty bytes.

No more.

You have no owner, no restrictions, no 'if you belong to this security group you can use this', no 'you may not execute this program', no 'you can read this but not write to it', no 'you can write to it but I won't let you read it' - nothing of the sort.

Everything is wide open. And in the days of the Internet, this translates directly into 'everything is wide open to attack'.

This is the first, the best, and the most easily understandable reason a system like Unix is going to protect you and a 'hardware interface' like Windows is not: even if the bad guys get on your Unix disk, they still can't just go where they please.

PC hardware manufacturers were very interested in a more sophisticated, more secure MS-DOS and had for the longest time been petitioning Bill Gates to do something about the situation, but they were routinely ignored. Tim Paterson, the author of the original 'Quick and Dirty DOS', had himself envisioned his system as multi-user with a modicum of security farther down the line, but Bill Gates made it very clear to him he was not interested in any such thing. The competition finally came from Digital Research, the CP/M company, in the form of DR DOS. When Bill Gates saw how well it was doing, in the months leading up to the release of Windows 3.1, he ordered work be done to 'FUD' the new product, the result being the infamous 'AARD code', so named for the initials found in it. Hidden within the Windows 3.1 beta and XOR-obfuscated so as to elude detection, this code, part of the startup routines, probed internal DOS data structures where DR DOS differed from MS-DOS and, if the competitor's DOS was running, issued a vague 'non-fatal error' message that left users to conclude their DOS was at fault. PCs remained standalone and insecure.

Microsoft began working on 'NT' already in 1988. Development files with Dave Cutler's name turn up as early as October 1989. NT draws directly on Dave's earlier VMS, which was a true multi-user system like Unix, but security with any system is tied first and foremost to the disk, and NT (or 2K or XP) does not demand use of a secure file system. NT has its own NTFS file system, and security is greater when this file system is used, but its use is not mandatory. An NT or 2K or XP system running FAT16 or FAT32 is not inherently more secure than its Windows 95 counterpart because on FAT there are no per-file permissions: nothing on disk keeps one account - or anything running as it - out of another's files.

And NT - based even more directly on Dave's ongoing project for Digital Equipment Corporation in Seattle at the time, Prism - has to follow not the hardware and user architecture of VMS or Prism, but that of Windows. Drives are given separate drive letters. There is no unified hierarchical system. Floppies and CDs and DVDs may be attached at any time as new drives with new drive letters. And most importantly, no user gets a proprietary area on any drive worth the name: there is a per-user profile directory, but it sits on the same shared volume as everything else and is protected, if at all, only by NTFS ACLs. Program files are stored in one location for all users; file associations are found in the Registry alias HKEY_CLASSES_ROOT, which everyone on the same machine will suffer to have in common; there is no real tradition of a user keeping private files in an area where authentication is needed to enter, and users do not generally construct such areas on their own.

Most users of NTx systems log in as a 'superuser' - a member of the 'Administrators' group, which gives them almost total control over everything in the entire system. And files and Registry keys they don't own and don't control can still be had by assuming control and ownership - a prerogative of members of this group.

There is no equivalent of Unix sudo - no habitual way for users to temporarily escalate their privileges to those of the superuser, only to be deflected back down again at the end of the proposed operation. (2K and XP have 'runas', which starts a separate program under another account, but it is an afterthought that few use.) Users are either the equivalent of the Unix 'root' (or awfully close) or they're a lot less and cannot get at what they want, even temporarily.

Even with NTFS in use as the native file system, there are no simple permission bits: each file carries an owner and an access control list in its security descriptor, and these lists are extremely complicated, so much so that ordinary users probably never touch them. But above all, NT - even with NTFS - is a 'retro-fit' of an idea from another multi-user system forced onto what is at most a standalone hardware interface and no more. Even if the system appears to be impervious today to external assaults, there is no guarantee it will be as invulnerable tomorrow. As the foundation is so wobbly, there is always a significant risk exploits will be found.

And all this is given a 'ceteris paribus' of the coding quality in Redmond being on a par with the rest of the industry, which of course it never is. Microsoft programmers are recruited only from the ranks of the uninitiated and unproven, precisely and deliberately because these people are more malleable, easier to control as a work force, and Microsoft above all else strive for 100% total control. Given no pedigree of any sort amongst the developers, a situation equivalent to 'the blind leading the blind', it is no wonder the code is so poor - and hardly an outside bet it will remain so for the foreseeable future as well.

So what can you do as a Windows user?

  1. Make sure you're not broadcasting. A lot of Windows setups put you out on the Internet by default with the IIS web server listening on port 80. If you don't need it, remove it; if you really need your own web server, get Apache and talk to an expert to protect your local machines.

  2. Don't advertise you're running Windows. Ideally all your ports should be closed; make sure none of the ports left open identify you as running Windows. If the attackers know you're running Windows, they'll be back.

  3. Use no Internet Explorer technology. The IE engine is not IEXPLORE.EXE - it's MSHTML.DLL, and this is the one with all the holes and wobbly code. Any exploit that works on IE will in principle work on any program using 'IE technology'. This includes but is not limited to Outlook, Outlook Express, Eudora Mail, the Visual Studio help system, and even MS Office. If you have to use any of these programs, make sure you do so unconnected, and as for any web applications in this bunch, do not use them at all. Do not use JavaScript either - the most dangerous exploits need JavaScript to execute. And if JavaScript is not allowed, and it is the most secure form of scripting on Windows (and only insecure because Microsoft wrote the script engine and wrote it poorly), then surely it comes as no surprise that all the other forms of scripting - most importantly Microsoft's own VBScript and ActiveX - are far greater security risks and should be turned off permanently, to never ever be turned back on again.

  4. Do not let your email program resolve web links. Never accept anything but plain text anyway, and preferably get an email client that can't understand HTML even if it wants to. Letting an email client resolve web links means you can be identified and can also be exploited by code behind the links. And as above, never allow JavaScript or any form of scripting. If scripting is questionable in a web browser, it is downright dumb in an email client. Never allow any scripting in an email reader.

  5. Never send and absolutely never accept anything but plain text email. No attachments, no vCards, no nothing. Get into the habit of doing this and your friends might get a clue and follow suit. Plain text email has been a sine qua non amongst the security-aware for years, and Microsoft themselves are today finally advising the same, so don't hesitate or question it any longer: plain text only.

  6. Leave Windows if you can, at least when it comes to Internet connectivity. If you have applications you must use or games you're addicted to, make sure you're not connected when you work or play around. Use a Unix system for connecting to the net.

  7. Never enable your root account on your Unix box, and absolutely not when you're online. If your Unix setup makes you root by default, use this account to set up an administrative account, log in with the new account and disable root, and only then connect to the net. You can use 'sudo' at any time to execute programs with only a temporary privilege escalation to root, and do so only when you're not connected. Consider even creating a very low-powered account just for surfing. (Don't reuse built-in accounts like 'nobody' for this: 'nobody' is shared by system daemons, so anything you run as it can interfere with them and they with it. Make a fresh account with no privileges at all.)

  8. Inspect your Unix disk for world-writable files, SUID root files (setuid bit set, owner root), and SGID 0 files (setgid bit set, group root). Make sure nothing is granted to any program that is absolutely not necessary. World-writables are almost never needed, and many programs are marked SUID and SGID as a convenience - while at the same time posing an unnecessary security risk.

  9. Check your user database from time to time to make sure no phantom users are listed with uid 0 (that is, a root account under another name). Use 'ps' to make sure nothing is running as root that shouldn't be.

  10. Close off your entire home directory. Folders get mode 0755 by default (the usual umask of 022); change this to 0700, and set your umask to 077 so that new files and folders grant nothing to 'group' and 'other' unless you have a very good reason to do otherwise. (Drop box directories are of course exempt - but they're there precisely to let you use an 0700 mask on everything else.)
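Steps 8, 9 and 10 as one audit you can run. This is an added example, not code from the original page: it walks a directory tree for world-writable, setuid and setgid files (flagging the root-owned and group-0 ones separately), lists every uid-0 account in passwd-format text, and checks and closes a home directory to mode 0700. The equivalent shell one-liners are in the comments. The `demo` function builds a constructed tree and a constructed passwd text in a temporary directory so the whole thing runs offline; on a real box point `audit_tree` at `/` and `uid0_accounts` at the contents of `/etc/passwd`.

```python
"""Audit for the three Unix hardening steps above: world-writable / setuid /
setgid files, phantom uid-0 accounts, and a closed home directory.

Added example, not code from the original page. The sample tree and passwd
text in demo() are constructed here for illustration.
"""
import os
import stat
import tempfile


def audit_tree(root):
    """Walk `root` and return the regular files the text warns about.

    Shell equivalents:
      find ROOT -type f -perm -0002          # world-writable
      find ROOT -type f -perm -4000 -uid 0   # setuid root
      find ROOT -type f -perm -2000 -gid 0   # setgid group 0
    """
    findings = {"world_writable": [], "setuid": [], "setuid_root": [],
                "setgid": [], "setgid_0": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)       # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = st.st_mode
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(path)
            if mode & stat.S_ISUID:
                findings["setuid"].append(path)
                if st.st_uid == 0:
                    findings["setuid_root"].append(path)
            if mode & stat.S_ISGID:
                findings["setgid"].append(path)
                if st.st_gid == 0:
                    findings["setgid_0"].append(path)
    return findings


def uid0_accounts(passwd_text):
    """Every account with uid 0 in passwd-format text (name:pw:uid:gid:...).
    Shell equivalent: awk -F: '$3 == 0 {print $1}' /etc/passwd"""
    names = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].strip() == "0":
            names.append(fields[0])
    return names


def home_is_closed(path):
    """True when the directory grants nothing to group or other (mode 0700)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def close_home(path):
    """Shell equivalent: chmod 0700 ~ ; returns the re-checked state."""
    os.chmod(path, 0o700)
    return home_is_closed(path)


def demo():
    """Constructed sample: one world-writable log, one setuid helper, one
    harmless file, a 0755 home directory, and a passwd with a second uid 0."""
    with tempfile.TemporaryDirectory() as root:
        ww = os.path.join(root, "scratch.log")
        su = os.path.join(root, "bin", "helper")
        ok = os.path.join(root, "notes.txt")
        os.mkdir(os.path.dirname(su))
        for p in (ww, su, ok):
            with open(p, "w") as fh:
                fh.write("x\n")
        os.chmod(ww, 0o666)
        os.chmod(su, 0o4755)   # setuid; owned by whoever runs this, so 'setuid_root' only if that is root
        os.chmod(ok, 0o600)
        home = os.path.join(root, "home", "alice")
        os.makedirs(home)
        os.chmod(home, 0o755)  # the default the text complains about
        passwd = ("root:x:0:0:root:/root:/bin/sh\n"
                  "alice:x:1000:1000::/home/alice:/bin/sh\n"
                  "toor:x:0:0:phantom:/:/bin/sh\n")   # constructed phantom uid-0 account
        tree = {k: sorted(os.path.relpath(p, root) for p in v)
                for k, v in audit_tree(root).items()}
        return {
            "tree": tree,
            "uid0": uid0_accounts(passwd),
            "home_before": home_is_closed(home),
            "home_after": close_home(home),
        }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The audit uses `lstat` and skips anything that is not a regular file, so a symlink planted in a world-writable directory cannot steer it to a file outside the tree; run it as the account you are worried about, not as root, and treat every setuid binary it lists as guilty until you can say why it needs the bit.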

Doesn't sound like fun? What good is the World Wide Web when you can't do anything? You can do almost anything - you just can't do it on Windows. It's not your fault Windows is so leaky and insecure, but it is your fault if you get exploited and lose your life savings or get handed a $100,000 bill for Internet connections because a gang used your computer as a spam relay.

You can safely surf the Internet today without risk if you use Unix - if you just abandon Windows. In fact, the gangs of criminals and other attackers out there wouldn't even exist if you weren't running Windows - there's no future in attacking a secure system like Unix; as long as people stay in the dark about these issues, they will continue, because for them it's fun to humiliate you and take all your money.

Bill Gates will never tell you your biggest mistake is buying his products. He is fully aware of this, but he will keep on selling to you if you keep on buying. His company are not exactly the biggest innovators in the world: they sell what they can acquire - or steal, or on rare occasions develop themselves. If it's good, then that's better, but most often it's not good, but they will market it anyway. And that's the situation with Windows. It's built around a legacy of software based on what experts call a standalone 'hardware interface' and not a multi-user operating system: it has no built-in security; so when things go 'connected', there is nothing to protect you - except patch after patch after patch - which never seem to hold and never will.

Keep buying, and they'll keep on selling. They know what risks you take, but they're not about to tell you the truth - which is you'll be a lot safer if you don't use their products ever again.

Copyright © Rixstep. All rights reserved.