[jaws-uk] Re: Alternative to Windows

  • From: "Nigel" <stoppard@xxxxxxxxxxxx>
  • To: <jaws-uk@xxxxxxxxxxxxx>
  • Date: Fri, 11 Mar 2005 16:26:17 -0000

Barry,
Thanks for finding this article. I was quite surprised that she is even more cynical about Microsoft than I am!


Microsoft is starting to take security seriously and SP2 is a step in the right direction. I do not know if overhauling the code base as she suggests would cause backward compatibility problems. Also security on its own does not really sell, lots of new cool features do. Even if they contain security flaws in them.

As far as I know Windows screen readers are the most advanced of any operating system in terms of development time spent on them. No operating system is completely secure and another OS may not be as user friendly. However steps can be taken to secure your Windows box against attacks which may be more time effective than learning a new OS and screen reader. Particularly if you are employed and have to use Windows in your job.

On the other hand given a year or 2 it is going to be very interesting to see how Apple's screen reader develops over time. From what I hear they have already made a good start although it will be fairly basic when compared to Jaws when released. But at least it comes with the operating system.

I have been told that hardware firewalls are very effective, but I don't know if they come with a GUI that you need to use to set them up?

Also if you are a home user then I recommend disabling file and printer sharing if you are not using that service. Sorry I can't remember offhand where they moved it to in XP.

Maybe someone can answer these 2 questions.
Thanks,
Nigel
----- Original Message -----
From: "Barry" <bbinc@xxxxxxxxxxxxx>
To: "Jaws list" <jaws-uk@xxxxxxxxxxxxx>
Sent: Wednesday, March 09, 2005 9:19 PM
Subject: [jaws-uk] Alternative to Windows



Hi all

I found the article that prompted the title:

Gates Misses the Mark, and the Point, on Security
March 7, 2005
By Linda LeBlanc

Bill Gates wants us to believe security is Microsoft's new Number One
priority. He wants us to believe they have the users' best interests at
heart.

I, personally, want to believe the moon is made of green cheese. The problem
with both of these situations is I know too much for either to ever happen.


Until Microsoft announces a major effort to rearchitect the source code for
the Windows operating system, everything he says about security should fall
on deaf ears.


Windows machines account for somewhere between 70 and 90 percent of all
computers on the Internet -- for safety's sake, we'll put those numbers in
the U.S.

Windows' Number One selling point is ease-of-use for the end user. Well,
that and it's cute, too.

From the beginning, the emphasis has not been on security.

How can I make such a bold statement? Two words: Buffer Overflow.

In the very first class I took in programming (those many years ago), we
were berated class after class about proper bounds checking to prevent
buffer overflows.

What this means in simple terms is that every time my program asked the user
for input, it had better check to make sure the input fit in the place I
reserved for it. If I asked for a ''Y/N'' and I got a ''yes'' or a ''no'',
those extra characters had to go somewhere and I had better be prepared for
them.


Buffer overflows are just the beginning of security flaws written into the
Windows operating system.

Gates states that the new IE 7.0 will fix ''most security flaws'' in
Internet Explorer. That's great, but it will only be available to Windows XP
Service Pack 2 users. What? If you're running Windows 2000, that's just too
darn bad. Security isn't for you.


But that's kind of OK, because it really isn't for the XP SP2 crowd, either.

Why is that? Service Pack 2 is a package of patches, updates, and fixes all
rolled into one large executable. It's also the size of a small operating
system (about 40Mb). And it doesn't fix everything or we wouldn't currently
be experiencing the revival of the MyDoom virus on networks around the world.


According to Microsoft, there are more than 70 security patches rolled into
Service Pack 2. This doesn't include the ones that are listed as base
operating system patches, IE patches, RPC patches and ''other'', many of
which involve that little thing known as the Buffer Overflow, which ''could
allow arbitrary code execution''.


My favorite patch in Service Pack 2 is listed as Windows XP and Windows XP
Service Pack 1 (SP1) Kernel Rollup Hotfix Package. Do you want to know what
this fixes? It fixes a Buffer Overflow in Service Pack 1.


Yah, it's all about the security.

The week before the recent RSA Conference in San Francisco, Microsoft
announced 14 new vulnerabilities in Windows XP. Since the first of the year,
there have been more than 20 vulnerabilities found in Windows, and these are
just the ones being tracked by the SANS Critical Vulnerability Assessment
group.


In 2001, when XP was released, it was held up as a new paradigm in operating
systems, built to withstand the foibles of the older DOS-based OS. But
Service Pack 1 came out in late 2002, the patch to the patch was released in
May 2003 and Service Pack 2 was released in November of 2004.


It's clear they haven't gotten it worked out yet. But they are going to
continue to throw patches and hotfixes at the problem rather than resolve
the underlying weakness in the source code.

To top it all off, there are free operating systems on the Internet that are
smaller than the latest Service Pack. Yes. They are complete operating
systems that will run on your PC, and that are smaller than Microsoft's
latest patch rollup.


There also are free browsers that do a much, much better job of preventing
the installation of subversive code without your knowledge. They also block
all those annoying popup ads, which are the source of much spyware. Why isn't
everyone bolting for a more secure, better managed operating system? They
don't have the Windows-like simple interface and plug-n-play abilities. In
some cases, they aren't even cute.


But what about free browsers? Why wait for the latest and greatest Internet
Explorer to come out this summer? Take a look at Firefox and see what you
think for yourself.


And we can't forget that buffer overflows are just one example of
vulnerabilities.

Windows users are under threat from privilege elevation exploits,
denial-of-service attacks, spyware and malware, which are probably the most
insidious of all vulnerabilities.


At the recent RSA conference, Gates said security is a challenging area.
''New threats are emerging all the time... but we're working to mitigate
those problems,'' he added.

But the question remains -- What is being done about preventing the threat
in the first place?

If you don't build a house made of glass, every rock-throwing little kid
won't be a threat.

One argument that I've heard from various sources is that Microsoft is a
victim of its own popularity. Because it is the predominant operating
system in use, the bad guys target it for attack because the victim pool is
so large.


My response is phrased in a simple proverb I learned in my childhood -- ''To
whom much is given, much shall be required.''


Microsoft has the money and the resources, and it has an obligation to the
people who swear by Windows to do it right, and do it right the first time.
Gates wants more market share. He wants the space shuttle to run Windows (And
to be honest, it probably already DOES run Windows on some systems. Isn't
that a scary thought?) But he never acknowledges the need to complete a top
down/bottom up overhaul of the existing code base.


If I had the money Gates does, I could write an operating system that
incorporates security, does everything Windows does for the user, and more.


It's never been about security for Microsoft and I don't think it is now.

** To leave the list, click on the immediately-following link:-
** [mailto:jaws-uk-request@xxxxxxxxxxxxx?subject=unsubscribe]
** If this link doesn't work then send a message to:
** jaws-uk-request@xxxxxxxxxxxxx
** and in the Subject line type
** unsubscribe
** For other list commands such as vacation mode, click on the
** immediately-following link:-
** [mailto:jaws-uk-request@xxxxxxxxxxxxx?subject=faq]
** or send a message, to
** jaws-uk-request@xxxxxxxxxxxxx with the Subject:- faq
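
The bounds check the quoted article describes for a Y/N prompt, as an added C example that is not part of the original messages or the article. The names read_yes_no and nth_answer and the sample input are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum answer { ANS_NO = 0, ANS_YES = 1, ANS_INVALID = -1, ANS_EOF = -2 };

/* Read one line from `in` and accept only a single Y or N (either case). */
enum answer read_yes_no(FILE *in)
{
    char buf[3];        /* room for one letter, the newline and the NUL */
    size_t len;
    int c, too_long = 0;

    if (fgets(buf, sizeof buf, in) == NULL)   /* never writes past buf */
        return ANS_EOF;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                    /* whole line fitted */
    } else {
        /* No newline yet: discard the rest of the line so the extra
         * characters are not taken as the answer to the next prompt. */
        while ((c = getc(in)) != EOF && c != '\n')
            too_long = 1;
    }
    if (too_long || len != 1)
        return ANS_INVALID;
    c = toupper((unsigned char)buf[0]);
    return c == 'Y' ? ANS_YES : c == 'N' ? ANS_NO : ANS_INVALID;
}

/* Demo helper (hypothetical): feed constructed input through a temporary
 * file and return the answer given at the n-th prompt. */
enum answer nth_answer(const char *typed, int n)
{
    enum answer a = ANS_EOF;
    FILE *f = tmpfile();

    if (f == NULL)
        return ANS_EOF;
    fputs(typed, f);
    rewind(f);
    while (n-- > 0)
        a = read_yes_no(f);
    fclose(f);
    return a;
}

int main(void)
{
    /* constructed input: an over-long "yes", then a valid "N" */
    printf("%d %d\n", nth_answer("yes\nN\n", 1), nth_answer("yes\nN\n", 2));
    return 0;
}
```

The over-long "yes" is rejected without touching memory outside the three-byte buffer, and the following "N" is still read correctly at the next prompt.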


