Writing on the Wall

Year of 12 January, 2006

It's indelible.

Spyware is the writing on the wall for Windows: it's the ultimate proof the platform cannot and will not survive.

Recent tests of leading anti-spyware utilities, including Microsoft's own, show that any one of the best on the market can hope to eradicate only 70% of the crud that accumulates. Using several anti-spyware utilities all at once gets the user closer to that worn-out description of how things are on the Unix platforms: 'mostly virus free'.

But as a writer online pointed out, 'mostly virus free' is like a claim of 'mostly herpes free'. Imagine coming home to one's partner and declaring 'honey I got great news from the doctor - I'm mostly herpes free!' That's not going to go over big.

And 'mostly virus free' doesn't go over any bigger in the world of operating systems. Corporations have a greater difficulty abandoning the platform, due in part to the intransigence of suits who just don't want to listen, and due in part to 'lock-ins' Microsoft have previously perpetrated on them.

Home consumers don't have these worries. They can in theory wait to see what Vista brings, but even there no one will know for a great while how things are going to be. If history tells us anything, it screams 'abandon Windows': despite all the pseudo sincerity about cleaning up one's act, the exploits continue - and in many cases actually get worse.

Microsoft could - in theory that is - come out with something radically more secure than what they're offering today, but such a system would be a kludge of a Unix at the very best - and Windows users already have a kludge, so why should they wait?

If Windows is very very good - which it's not going to be but anyway - it will approach Unix in functionality and overall finess. But it's never going to be closer than within sighting distance of Unix; passing it by is out of the question.

Unix was long seen as more of a philosophy than an operating system, but today it's the accumulation of serious thought on security based on how the Internet works and how users - and systems - can protect themselves.

The Internet as we know it today - in its present incarnation as part of the web revolution - is only a meagre ten years old. Ten years ago things were hunky dory for the most part. Microsoft came out with Windows 95 on 24 August 1995; Linus Torvalds was asking for help with his minimal rewrite of the Unix kernel; Apple were at the end of their rope with Copland; NT was out and eating market share from Unix and Sun; etc.

But that was back then. The Internet as we know it today was very young. The things we see today were hardly even conceived back then. The Love Bug of May 2000 changed all that forever.

On 5 May 2000 the Microsoft users on the planet learned a dear lesson: it was easy to break into Microsoft machines, steal things, and propagate malicious software to other connected machines. In a matter of hours the whole world was collapsing - all because of a little script written with an interface no one had ever used, a script that had total access to everything on the machine.

The Love Bug went in and renamed and corrupted files willy nilly; it stole the contents of the Outlook address book and propagated itself across the net; it just spread and spread and spread, and there wasn't a thing Microsoft users could do about it. The damage caused by the Love Bug is estimated at $5.5 billion.

Hackers became more sophisticated. No longer involved in innocuous pranks, they started working in sweat shops owned and operated by organised crime, and today they and not Microsoft are the experts at Windows. They use the one form of malware to propagate the rest and vice-versa and so on.

Earthlink found in a study of over 1,000,000 Windows computers that the average Windows computer had 29.7 trojans. There was a similar study in the UK that showed nearly 90% of all Windows PCs are infected. That's a lot of malware.

Getting rid of bad files and - on Windows bad Registry entries - is no big deal. The E3 Security Kit engine can be fed instructions in its metalanguage to remove anything. And this is basically how the anti-spyware utilities work. Much the same as traditional antivirus programs.

But trojans are smarter than that today. They're not going to let themselves be eradicated so easily. They clone themselves and keep a watch on one another. If an anti-spyware utility finds one sibling, the others generate a new name and location for it and clone it again. For this reason it is quite common to see anti-spyware continually finding new threats on a disconnected machine that's already been scanned and cleansed and given a clean bill of health - they can't match the dexterity of their opponents.

And there are new techniques coming all the time. The anti-spyware business can't hope to keep up. But it goes deeper than that.

On any self-respecting system the malware wouldn't find a place to roost even if it somehow got in. Windows machines are easy to detect online and hackers will of course drop everything and concentrate on a Windows box if they find one. And that's what they're primarily looking for. And Windows machines are continually advertising what they are - Windows machines, eminently hackable.

By 5 May 2000 it became painfully obvious to everyone that the era of the standalone 'personal' computer was at an end. Standalone wasn't going to work in the Internetted world. In the five years since then we've seem the destruction mount as Microsoft's standalone system - and their users - got clobbered worse and worse.

There are perhaps those who think things are not as bad as they can get, but if so these people are incredibly naive. Things are hopeless and Windows as the world knows it can never be patched, can never be made secure, can never be fixed. It's a standalone system and it has no defences whatsoever.

Microsoft can at best chase the bad guys once they've got inside the compound; they can't keep them out. Many corporations attempt instead to beef up their defences elsewhere, for they know that as soon as bad code touches a Windows box, it's all over.

None of this is arcane or difficult to understand even for the layman. Look where your system files are. Browse to their directory. Try renaming one - and be sure to rename it back again right away. It worked, didn't it?

But think about it: it should not have worked. A real operating system would protect itself from corruption. What is your login identity? Are you SYSTEM? Do you have full authority over every resource on that computer? No. Yet you were able to modify - to corrupt - the system and the system offered no resistance whatsoever.

You played it smart: you only tested the theory. Now imagine you want to exploit that weakness. Imagine you have a file of your own to replace a system file. A file that will perform all the tasks of the original but also add a little spice of its own. What will the system do to stop you? That's right: nothing.

Real operating systems don't work that way. They never have and they never will. Historically only Windows has worked that way. Windows isn't a real operating system.

Now try another experiment: find out where on disk you have your startup items. They're in a directory of their own. Find that directory. Now put a shortcut to a program in that directory. For a lark, try rebooting your machine and see if your new program comes up. It does, doesn't it? It shouldn't.

You just mucked with the startup configuration of your computer and the system didn't stop you. You just did something which could gravely corrupt and jeopardise your personal security and you got no resistance whatsoever. It was a turkey shoot. And you were the turkey.

There are thousands of examples like this, and thousands more no one has yet got around to trying, and what they have in common is that fantasy is the limit: the system is wide open, it's not a real operating system, you can do anything. And believe it: the hackers and criminal gangs will do it.

Anytime alien code gets on your computer it's going to run in your user context. It will have the same rights and privileges as you do. In effect it is you. And you don't exactly get stopped and told to turn around anywhere, do you? If you can do anything at all to your system without authentication, something is very wrong. It's like having automobiles without door locks: sure, if you never leave the car you might avoid it getting stolen - but take ten steps in any direction and it can be gone in a flash - it can't defend itself.

Windows has two file systems: FAT and NTFS. The latter is securable, but even with NTFS there are other insurmountable Windows security issues. And Microsoft have to support FAT, and FAT is anything but a secure system.

FAT has very few attributes at its disposal and none of them are protected by authentication. Any user and any program can go in and change these attributes at any time.

Do you think that a FAT file marked as 'read-only' is going to be protected if a program tries to overwrite it? Think again.

Sophisticated malware can go even further: they can save the time stamps on files before writing to them, save the attributes as well, then remove the attributes, overwrite the files, then restore the attributes and finally the time stamps. And you'll be none the wiser. And they don't have to have access to any advanced authentication on your machine to do it: anyone can at any time.

There are no defences. Period. Say that over and over again until your brain starts to feel numb from the abuse. No defences. You are not protected. You have at best a group of Keystone Kops who chase the bad guys once they get inside. And that is not security and never will be. It's the best Windows will ever be able to do, but it's not good enough and you deserve better.

You could wait for Vista. It's another year yet - at least. And you might be bamboozled by the coming Microsoft hype machine and give in once again and upgrade. And it will seem relatively OK for a few months. And then the attacks will start again and in no time things will be back to where they are today.

Think about it: the reason this site doesn't have an anti-spyware utility to offer is no coincidence or because of lack of ambition: it's because the bloody thing is pointless. Because Windows itself is doomed. Because spyware in itself represents the writing on the wall for Windows. Windows cannot and will not survive.

You're never going to get better than 'mostly virus free' - and as with 'mostly herpes free', it doesn't really go over that big.