Re: My Solution to Securing Windows 98, ME Against Network Modification and Spying, using Linux.

From: grunes (grunes_at_yahoo.com)
Date: 05/27/03


Date: 26 May 2003 16:10:17 -0700


"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message news:
> Well, do note that the root kits that modify core OS utilities to make it
> difficult to detect an intrusion were until recently only a *nix phenomenon,
> not Windows.

I'm not smart enough to know what you are saying, but the spyware
directory that TurboTax loaded was not available to the Start -> Find
menu item, even though I turn on searching for system and hidden
files. I found it using something else.

> I'm not sure OpenBSD is a good choice for a workstation for most users.
> It's secure because most things are disabled by default, there is no GUI by
> default, and once the user starts enabling these other workstation-type
> services, it can decrease the security and will definitely increase the
> number of remotely exploitable vulnerabilities in OpenBSD. Even then, you
> still need to patch just like any other OS.

In other words it isn't intrinsically secure. Sigh.

OpenBSD advertises that they have had only one remote hole in the
default install in 7 years. So why would I need to patch? Or is that
only if I want to use add-ons like Mozilla and Bochs?

> Your idea of reloading the OS from an image at regular intervals is not a
> bad idea and has been used successfully in environments like computer labs
> in universities...

It only takes a few minutes to create a new disk image in the hard
disk partition. So I could reload a fresh copy, download patches and
anti-virus updates, and make a fresh back-up. CD burns would be a fair
bit slower. During that short interval viruses wouldn't be an issue,
unless someone did take over the patch or virus list server, because I
would only be visiting the patch and virus list server. Besides, other
back-doors could sneak in.

> You say you used the default install of Windows 98... as you might already
> know, there are some things that you can change to the default install of
> Windows 98 to improve its security. [Possibly you did some of these things
> and I just missed the section where you mentioned it.]

Sigh again. No, I don't use a default install, but mostly not for
security; I don't know enough. I'm sure I have some things I
shouldn't. I did get rid of or delete Outlook Express and everything I
could find having to do with instant messenger.

It has always seemed to me it would be easy to create an operating
system that was intrinsically secure. Operating systems are insecure
because they let applications do things they shouldn't. The difficulty
with Windows security is that it wasn't designed to be secure from the
beginning. For security to work, applications (especially 3rd party
applications) must have access to an extremely restricted set of
operations, with explicit command line opening of files and network
channels for input and output. Trying to secure Windows after the fact
is like patching a fallen dike with one's fingers.

Like I said in the beginning, I wasn't trying for a complete solution,
only to be more secure than most people.