Friday, December 08, 2006

More Internet crime.. when will we learn?

According to the Guardian, "cybercriminals" are exploiting social networking sites like MySpace and using university students to distribute their tools for identity fraud purposes. Now, aside from the prefix "cyber" (asl?) being as annoying as prefixing things with "e-", this story is another of those that reports problems and always ignores the solution.

All of these problems stem from one thing, and one thing only: the Windows security model. Pretty much by default under Windows XP, everyone has full read, write and execute access to the entire system by design. The result is that not particularly sophisticated websites can effectively execute malicious code on the client machine.

Apparently, this might actually be something that is fixed in Windows Vista, although I have yet to see the evidence of that, and I'm a tad cynical of it actually being true. Under POSIX-based systems, i.e. Linux, OSX, etc., this sort of thing simply cannot happen unless the user is logged into the system as root, and if they are, they deserve it for being stupid.

All roads lead to Microsoft when it comes to the prevalence of malware that creates drone networks of compromised machines. Security is not the basis of the OS, nor is the notion of least-privilege access to core system actions, such as the installation of software, and the ability to access raw sockets so easily makes the uneducated vulnerable.

Sadly, the marketing team in Microsoft dominate the OEM pre-install market on x86 architecture for home use. With the exception of the new x86 Mac hardware (which is highly restricted), purchasing a computer from a standard retailer without Microsoft Windows installed is next to impossible. There is of course no requirement to purchase a Windows license with new kit, but visit PC World and tell them you don't want Windows and they will probably tell you it's illegal to sell a computer without it.

The result of this domination is that the market is non-existent for the ordinary end consumer. We shouldn't therefore be surprised at the rise in Internet-based crimes which exploit inherently weak security models. Of course, this is not to say there is a panacea for security; no computer can ever be truly secure, but the application of sensible information security principles in the development of systems really ought to make a difference. I wait for a full release version of Vista with bated breath.
