Networking Tips: The Problem with Windows (Or Any Other OS) Malware Takes Aim at More Than Just Windows Michael Hall
There's a popular game among online journalists that bears a mild resemblance to batting at a piñata: It's called "Keeping Up with The New York Times Technology Page." It's fun for some because the writers at the Times, trying to write for a general audience, are largely helpless against charges that they're behind the times.
Earlier this month, for instance, the New York Times' John Markoff decided to ease everyone into Sunday with a bit of advice. This comment set off a round of either snickering and jeering from Linux, Mac, and anything-but-Microsoft devotees — or eye-rolling and finger-wagging from Windows users:
Botnet programs and other malicious software largely take aim at PCs running the Microsoft Windows operating system, because Windows ubiquity makes it fertile ground for network-based attacks.
Using a non-Windows-based PC may be one defense against these programs, known as malware ...
Markoff shows a deft touch for eliciting the sort of snarling, spitting, back-arching discomfiture at which people who do not consider computers a lifestyle choice are frequently taken aback.
For the Linux and Mac people, mention of "Windows' ubiquity" is a two-fold sin. First, it lets Microsoft off the hook for its security problems. Second, it reminds them that the only time you see the words "Mac" or "Linux" next to the word "ubiquitous," they come with additional words like "design departments" or "Cheeto-smelling dorm rooms at technical colleges."
For Windows people, the whole "non Windows-based PC" business is a scurrilous, shady nostrum that will be no better for users, some ill-defined concept of "innovation," or "invested enterprise stakeholders" than Marxism was for East Germany, and about as fun.
It's a classic case of everybody being a little bit to mostly right, combined, frankly, with an abundance of human obnoxiousness ... a substance we've been unable to use to solve the world's pressing energy needs except when it comes to powering the Internet. Let's break it down.
The Problem with Windows
Terrible things happen to Windows users. I don't need to spend much time on this. Just go visit your favorite anti-virus vendor or a Web site that carries security news and the case makes itself.
The only places one might argue more terrible things happen to more victims is at the end of the long chute at a cattle yard. And Markoff's right: Windows is ubiquitous, so it provides more bang for the tiny amount of bucks it takes to turn a worm loose, so it's numerous and unfortunate holes are frequently and zealously exploited by bad people.
Windows machines make swell zombies; they excel at hammering networks with worms, and the industry that provides security software for them has worked so hard to insert itself into user consciousness that machines already sagging under the weight of vendor add-ons like "help centers" and "media monitors" and assorted branding goo-gaws become even more slow and miserable to use. Why did it take four seconds between the "d" and the "a" in "damnit this machine is slow?" Because your anti-virus software needed to pop up to remind you it's on the job, or needs an update, or is going to sleep now, or is concerned that you've had so few viruses it may be a sign that you've got a really bad virus.
Making this situation worse is the decidedly undramatic way in which malware is behaving these days. It doesn't wipe out your hard drive or delete all your files or change your screensaver to a shocking and pornographic display illegal in 49 states. It tends to make itself one background task among many, either hanging around and doing nothing or just churning out spam until someone traces it down and makes it stop. People don't have their noses rubbed in their computer's infected state with a lot of drama and flashing lights and lost files, so ... .
The Problem with Not-Windows
I'm not going to spend a lot of time on this either, I guess. People use Windows for all sorts of reasons, and most of them have an investment in it. Maybe that investment is training, maybe it's in software, or maybe it's even in hardware that won't work very well or not at all with Linux or a Mac. Telling these people "run something besides Windows" isn't very helpful. They'll continue to suffer because of that investment.
There's really nothing wrong with Linux or Macs from an "all things are equal" point of view, which they never are. And as many Linux people are fond of pointing out, how much of the stuff my colleague over at Linux Today refers to as "greeting card software" do you really need when the Web is becoming the real platform?
The Problem with the Future
Besides the fact that none of us is ever going to get a flying car, or the unhappy silence with which my repeated requests to Apple to start including free quad-core Mac Pros with the purchase of Cheerios has been greeted, the big problem with "the future," where "the future" is "that period of time when we aren't running Microsoft Office in favor of some Web-thinger from Google," is the way security threats are going to change. In fact, they're already changing.
Consider a story recently posted on MSNBC's site about Dave DeSmidt, a worker planning to retire in a few years. According to the article, DeSmidt's 401(k) retirement account was raided and all $179,000 transferred with an online transaction. Before finally caving with some media attention and giving DeSmidt his money back, the brokerage firm reportedly had this to say:
"J.P. Morgan concludes there was no external or internal breach of controls with the J.P. Morgan environment, ... Access and authentication controls established within J.P. Morgan worked appropriately."
In other words, it wasn't some stealthy hacker sliding through the corporate firewall. Rather, it was someone who scored DeSmidt's username and password and put them to work. How that information was obtained is anybody's guess, but if any security breach has been gaining in the past few years, it's been phishing attacks, and the accomplices in some of those attacks are the Web browsers themselves, which have fallen victim to a number of cross-site scripting attacks (define) as well as more obscure vulnerabilities involving URL character encoding and more.
In some ways, we've come full circle in terms of computer security: The Kevin Mitnicks of the '80s and '90s prospered by learning to get the humans running the computers to cough up useful information. Phishing attacks just automate the process of getting unwary users to give out a password or account number.
But since this is supposed to be an upbeat and cheery column, designed to fill you with hope for the new year, I'll throw out something you can look at right now if you're concerned about phishing and want to get a head start on the future:
PhishTank is a clearing house for phishing information. It provides a public database and API (define) designed to help protect users from phishing attacks. There are Phishtank-powered tools built into the Opera browser, as well as tools for securing Outlook and Outlook Express. Prefer Firefox? There's an extension for that, too.
I'll soon look at other ways to use PhishTank and other technologies. In the meantime, try out those extensions and plugins, and maybe even Opera. And quit picking on the guy from the Times.
