What is it about Windows that everybody likes? (A rant)

[RampantAndroid]

Does it matter what OS JP Morgan is using in this case? The system was compromised by an employee handing over their username and password in a phishing scam. I don't think any OS is going to protect you against that.

I think a lot of these data breaches are the result of such attacks.

Really, it won't matter, as the vulnerabilities extend beyond the OS into the applications as well...

But Skaendo is on a witch hunt here...

 

[Skaendo]

Does it matter what OS JP Morgan is using in this case? The system was compromised by an employee handing over their username and password in a phishing scam. I don't think any OS is going to protect you against that.

I think a lot of these data breaches are the result of such attacks.

Bloomberg.com:

The attack on the lender, which is being probed by the Federal Bureau of Investigation and other agencies, started in June at the digital equivalent of the company’s front door, exploiting an overlooked flaw in one of its websites, two people familiar with the bank’s investigation have said.

Says nothing about someone giving up their password. Headline hints that it was an employees password, not how they got it.

 

[Skaendo]

But Skaendo is on a witch hunt here...

I started this thread to find out why people prefer Windows over other OSs. I use Windows and Linux both. If I were on a witch hunt, why would I be a witch and a hunter?

 

[RampantAndroid]

Hard to say.

It is a lot harder to hack a *nix system. Not that it cant be done. But there has never been a widespread hack, virus etc on linux ever like is common on Windows.

I suggest you look up the results of some of these conferences. Some linux distros fall in seconds. Some don't fall...

 

[Cerb]

If you're a gamer is there a reason to use Linux? I can't find one even though I love Linux.

Do the RPi or BBB run Windows at all? Is it easy to develop/tinker w/ FOSS software in Windows? No in both cases, usually (seriously, I can't count how many times I've looked for tutorials/guides on something, since basic docs almost always leave out critical steps in actually creating anything that works, being mainly for reference purposes, and come across a Windows one, where 75% of it is dealing with getting the software to run on Windows...just use Virtualbox, and get on with it!).

I also happen to like video games.

 

[Skaendo]

I suggest you look up the results of some of these conferences. Some linux distros fall in seconds. Some don't fall...

These aren't conferences. They are contests, shows. All the script kiddies have all the time in the world to prepare for these shows. Time to set things up etc. And then supposedly they get rewarded for showing flaws in apps, flaws that have been in the wild and they have been not telling anyone about for who knows how long, and probably exploiting them themselves.

I wonder what OSs they run themselves.

 

[RampantAndroid]

These aren't conferences. They are contests, shows. All the script kiddies have all the time in the world to prepare for these shows. Time to set things up etc. And then supposedly they get rewarded for showing flaws in apps, flaws that have been in the wild and they have been not telling anyone about for who knows how long, and probably exploiting them themselves.

I wonder what OSs they run themselves.

You realize many of these people are paid to find vulnerabilities and report them? The rewards at these conventions and conferences aren't really that different from the rewards you get from going to Microsoft or Apple and say "I've found a major bug in a component of your software and I'll sell it to you." This happens often. It's an accepted norm in software. There's a difference between hackers and crackers.

 

[Skaendo]

You realize many of these people are paid to find vulnerabilities and report them? The rewards at these conventions and conferences aren't really that different from the rewards you get from going to Microsoft or Apple and say "I've found a major bug in a component of your software and I'll sell it to you." This happens often. It's an accepted norm in software. There's a difference between hackers and crackers.

If they are paid to find vulnerabilities and report them, why would they still be able to exploit them at these shows? Should they not have reported them and got paid for it?

The term hacker has changed a lot since its inception. These people at these shows are not hackers. They are script kiddies. And a cracker has to do with an application, mostly for unlocking like having stolen keys for it.

 

[alkemyst]

Can you tell me where I can find more information on these hacker conferences?

http://lanyrd.com/topics/hacking/

 

[seepy83]

There are some wild ideas being thrown around in this thread. Exploit Developers are not script kiddies. Yes, there is plenty of code, payloads, etc. out there for a script kiddie to use. But the people that are developing and disclosing 0-days are not script kiddies.

Why do some people chose to release their exploits at conferences where there is prize money? For the prize money. Because the bounty programs don't match the amount of money they can make at some of the contests.

 

[alkemyst]

If they are paid to find vulnerabilities and report them, why would they still be able to exploit them at these shows? Should they not have reported them and got paid for it?

The term hacker has changed a lot since its inception. These people at these shows are not hackers. They are script kiddies. And a cracker has to do with an application, mostly for unlocking like having stolen keys for it.

At the conventions there are indeed true hackers.

One of the huge things is for any of these companies to fix something they want to see the breach in the wild which an ethical hacker will not do.

Below is a pretty good example (by my brother who is an expert at most of this) and how it's a difficult road to get manufacturers to fix things. Below also shows *NIX is only safe because it's rare and not targetted.

NX-OS is vulnerable. But it has been vulnerable to a great many exploits for a long time. I think its the remotely exploitable things, like the CDP attack I mention below that really are serious threats to our customers.

If you need access into the box to begin with, and can just execute commands or root the box, I personally don't find that to be a big deal, as if you have access to the physical box its just a hard disk anyways, so its game over.

For details on how to just access the filesystem once you have access to the disk image see my posts:
http://www.feeny.org/deconstructing-nx-os-part-1-exploding-kickstart/
http://www.feeny.org/deconstructing-nx-os-part-2-exploding-the-system-image/

I discovered at least three different ways to root NX-OS, I filed PSIRTs and they went ignored. The only way to actually get a manufacturer to patch something unfortunately, is to actually post the exploit. This counter-intuitive behavior was realized years ago, and has accelerated security patches ever since. My first exploit I shared with a a computer security firm that I was cooperating with at the time, they did a presentation on the vulnerability, without revealing enough code to fully exploit.

The last several NX-OS exploits I have found go unacknowledged. I have not tested this on the latest versions of NX-OS. I will not post the exploit, even internally, as it would just upset Cisco. Would be nice however if when you email a manufacturer an exploit if they actually acknowledged it, posted a PSIRT and then an appropriate patch.

Here is an example of the ease I have had in rooting NX-OS, which runs a modified "secure" version of Linux called MonteVista which is based on Hard Hat Linux:

I have so far been able to file 3 PSIRTs on NX-OS vulnerabilities, most of which really aren't security risks, but just show insecurity in the protection of the UNIX OS (which itself is a secure version of Linux "Hard Hat Linux"). One PSIRT involved oversized CDP packets and the ability to take down a production system, others were more or less UNIX root exploits.

The latest NX-OS looks like it fixed almost all of these, so I had to go looking deeper, and it seems there is no end to the amount one can discover.

Here is an example, enabled by the use of bash at the CLI, ability to write to the filesystem, ability to manipulate the environment variables, and then most importantly ability to execute a certain binary that does not fully qualify its pathnames, and thus the combination of events leads to a successful manipulation of the passwd file.

The exploit below is useless to anyone that would not know the very specific binary I am exploiting and means of execution.

[snip]

 

[piasabird]

I have a tablet without windows and it runs fine. However, I don't do office work on it.

At work we would have to redo all our servers to disconnect from Microsoft. It would be possible, but it would be lots of work. Some application might not have Linux support.

 

[Skaendo]

I can accept that it is because Linux is not widely used that it is not a focused target for exploiting.

Another reason is that there is so many different flavours, (RedHat, Suse, Debian etc) that it is hard to create an exploit for one that can be executed on another.

And yet another is Live distros that don't run from HDD or SSD. Therefore you cant write files to the filesystem, you may be able to execute them while the distro is running, but once you turn it off, everything is gone. RAM cleared. No more problem.

So, if the market was for example; 33% Windows, 33% Mac OS X (BSD/Unix), 33% Linux, how would the numbers add up then? No one can tell really, but couldn't it make the overall safer?

I still believe that Linux is safer. Especially since Microsoft, Google and Apple are being pressured by the NSA to give them information. Again, I'm not doing anything wrong that would bring the NSA knocking on my door, but why do they want to know what I'm doing? And what gives them the right?

US Constitution Amendment 4:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

 

[ControlD]

OK, back to the original question: what do people like about Windows?

I recently upgraded my system to a i5 Haswell / Z87X system. I also got a new monitor that I connect to my AMD video card via a display port cable.

Installing Windows 8.1 went like this:
(1) Reset system to factory defaults does a clean install
(2) Install Windows updates
(3) Update my drivers
(4) Use the system

This thread got me motivated to getting Linux installed as well. I had problems with some earlier versions of Mint / Kubuntu due to UEFI issues, but it seems those problems have been fixed so I downloaded the latest version of Mint and booted with the DVD. This is what I get:

(1) The boot DVD refuses to recognize the display port. The only way to get the display working is to hook up to the DVI port on my video card and monitor.
(2) Install Mint
(3) I guess the audio driver STILL hasn't been fixed since my last attempt at this (Mint 15) so I get a constant, annoying pop-pop-pop coming out of my speakers.
(4) I have to install the proprietary AMD drivers to get 3D acceleration. No big deal.
(5) Do all of the suggested upgrades and reboot.
(6) Presented with a black screen because I forgot to disable the driver from step 4. How long has this issue been around and not addressed? Forever is my guess.
(7) Uninstall / Re-Install the AMD driver from the command prompt, reboot and my system is back.
(8) The audio popping finally drives me crazy so I am back in Windows 8.1

Maybe this is why people prefer running Windows.

**edit**
I'll keep plugging away because I am a geek and that's what I do. But how many people are going to do that? Most will just go back to what works "out of the box".

 

[Skaendo]

I don't know about Mint except that it is built on Debian & Ubuntu. (which is what that guy was talking about in Linux Sucks video, forking, yes it sucks. You cant make the best better IMO.)

Try a straight up Debian net install, defaults with Gnome Desktop but has KDE (I prefer, more like windows) and XFCE as options. Only prob I ever had was NON-FREE wireless drivers that I now keep and use for installs on USB stick.

Also after install, updating apt's sources to testing will give latest updates for software. I haven't had a hiccup in years using testing, but i update frequently via apt.

 

[ControlD]

I thought about going straight Debian, but trying to dual boot with Windows 8.1 on a UEFI system looks tricky at best. Maybe after some more research.

 

[alkemyst]

I can accept that it is because Linux is not widely used that it is not a focused target for exploiting.

Another reason is that there is so many different flavours, (RedHat, Suse, Debian etc) that it is hard to create an exploit for one that can be executed on another.

And yet another is Live distros that don't run from HDD or SSD. Therefore you cant write files to the filesystem, you may be able to execute them while the distro is running, but once you turn it off, everything is gone. RAM cleared. No more problem.

So, if the market was for example; 33% Windows, 33% Mac OS X (BSD/Unix), 33% Linux, how would the numbers add up then? No one can tell really, but couldn't it make the overall safer?

I still believe that Linux is safer. Especially since Microsoft, Google and Apple are being pressured by the NSA to give them information. Again, I'm not doing anything wrong that would bring the NSA knocking on my door, but why do they want to know what I'm doing? And what gives them the right?

US Constitution Amendment 4:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Most *Nix variants have common exploits. They are all based off only a handful of base code.

 

[hrsetrdr]

Try a straight up Debian net install, defaults with Gnome Desktop but has KDE (I prefer, more like windows) and XFCE as options. Only prob I ever had was NON-FREE wireless drivers that I now keep and use for installs on USB stick.

I don't care for Gnome 3, but MATE is a reasonable facsimile of Gnome 2.xx.

 

[Skaendo]

I don't care for Gnome 3, but MATE is a reasonable facsimile of Gnome 2.xx.

I agree, Gnome is crappy, even Gnome 4 is bad. KDE has a nice Windows style look and feel to it to me.

 

[Skaendo]

I thought about going straight Debian, but trying to dual boot with Windows 8.1 on a UEFI system looks tricky at best. Maybe after some more research.

I don't know, Debian installs grub and asks to install to MBR on mine. I used to run dual system and it worked well for me way back when.

 

[ControlD]

I don't know, Debian installs grub and asks to install to MBR on mine. I used to run dual system and it worked well for me way back when.

Yeah, UEFI just plain sucks all around.

I'm downloading the KDE Live Debian iso right now. I'll give it a shot tomorrow.

 

[massmedia]

#1 - microsoft office (they use it at work, they edit work docs at home)
#2 - games

that's really enough of an explanation right there... but wait, there's more!

some other software (not sure if these run on GNU linux):
Autodesk AutoCAD
Autodesk Maya
Autodesk 3DS Max
Autodesk....
...
...
Autodesk Architecture
Adobe Photoshop
Adobe Illustrator
Adobe Premier Pro
....
....
Adobe Lightroom
CorelDRAW
Avid Media Composer
Avid Sibelius
Avid Pro Tools
EON VUE
Speedtree


...and even more games


------------------
to say that GNU linux has all the same or equivalent offerings is a tad incorrect

 

[Defenestration]

Windows gained it's massive market share through some shrewd early deals by Bill Gates, and a focus on ease of use (something that Linux has now caught up on to an extent). Once people were using it, the familiarity of Windows is what has kept it at the front of the market.

Windows has more choice when it comes to third-party software.

 

[massmedia]

and to be quite honest...

how many people choose an OS based on install time or boot time?
i'm skeptical that those are factors

 

[owensdj]

Almost everything you do with Windows is much easier than with any Linux distribution. Initial install, installing apps, installing drivers, OS configuration. Windows has Linux beat. Keep in mind I was working with Unix-like operating systems before I ever saw Windows 3.0.

This point was hammered home when I couldn't figure out the convoluted instructions for getting my network printer installed on Ubuntu. This install was trivially easy on Win7.