12.07.08

Gemini version available ♊︎

Eye on Security: ‘Fun’ with Zombies, Press Ignorance, and Bizarre Solutions

Posted in Microsoft, Security, Windows at 8:54 pm by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Microsoft software is not exactly renowned for being secure, despite attempts to manipulate journalists. The software is notorious for being deficient or defective. To Microsoft, security and networking were an afterthought, not a design consideration, as shown here. Granted, trouble should be anticipated.

Zombies Conundrum

Stories about Windows zombies are a dime a dozen, just like zombie nodes. It is estimated that about 320 million Windows PCs are zombies. Here is the latest story on this never-ending (and very costly) battle.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

That’s small potatoes compared to the whole, but it just happens to be a new example. Not so long ago we witnessed hospitals and army bases becoming botnets, as well. It’s a hugely serious subject that results in many untold deaths.

Insecure by Design

As prior links demonstrate (we strive to avoid repetition), it is agreed even by Microsoft’s biggest of fans that Windows fails at security because it’s just bad at it. It’s nothing to do with market share and those lies are running thin. In the following new article, Microsoft’s security model comes under fire.

When Microsoft released an emergency patch last month for a critical vulnerability in the server service in Windows, administrators and security teams in enterprises around the world scrambled to test the fix, schedule downtime and get the patch distributed as quickly as possible. If ever there was an occasion to use all due haste in deploying a patch, this was it. Not only was the vulnerability present in every supported version of Windows, but Microsoft officials had warned that it was a prime candidate for a worm.

Here is another one from the news.

Security Manager’s Journal: When is a patch not really a patch?

[...]

If you don’t reboot a Windows server after a patch is applied, the patch doesn’t take effect, but SMS doesn’t notice that failure to reboot. This insistence on rebooting is one of the things I dislike about Windows. In the Unix world, all that’s usually required is that a particular process be restarted.

There has been lots of chatter about a flaw in Mozilla Firefox, but like many previous ones, this new vulnerability only applies to Windows, where Firefox inherits some risky behaviour which it sometimes attempts to mimic due to necessity. Why isn’t the press covering this properly?

Bad, wicked Firefox, bad wicked open source…except that this trojan *only* works on Windows…which means it’s bad wicked Windows, yet again. But the article never mentions this, of course.

[...]

And yes, you guessed it, it only works on Windows. So that bit about “[t]he most remarkable feature of the episode may not be the breach of security, but the cost of dealing with it” is really about the cost of using Windows – well, it’s The Economist, what do you expect, accuracy? When will they ever learn?

As Glyn Moody shows, there are rare exceptions among the reporters.

The Web Vector

Adding to a mountain of reasons for infection:

1. Facebook hit by virus

“Koobface” that uses the social network’s messaging system to infect PCs, then tries to gather sensitive information such as credit card numbers.

2. Most recent Windows infections result from the same simple trick

BitDefender’s Top 10 E-Threats Report identifies just one type of attack as being responsible for more than a third of Windows infections in the past month: fake anti-virus scans, also known as scareware.

Attacking the Outcome, Not the Cause

Here is a good and short article titled “Punishment vs. Prevention.”

Finally, I feel compelled to issue the warning, “Be careful what you wish for, because you might just get it.” If the government takes over Internet security, there is sure to be a large amount of new regulation imposed. And this could mean security companies like F-Secure would have to devote a lot of resources towards compliance. I think it would be much better for us to take responsibility for finding solutions ourselves.

This is a hot topic at the moment because concerned authorities ponder tackling the zombies issues by making punishment for those caught a lot more severe. But it’s totally the wrong way of addressing the issue. As Carla argues very rightly: ““Instead of Throwing Everyone In Jail, Fix Your Lousy Products”

Have any of them– has one single vendor, whether it’s Symantec or Trend or McAfee or F-Secure or anyone– ever said “Quit throwing your money down a rathole– stop using Windows, or at least don’t put it on the Internet”? Wouldn’t that little tidbit of honesty be refreshing? But no, they’ll never do that. If the same conditions existed in, say, the small home appliances industry people would be getting electrocuted by their toasters and hair dryers every day, and the manufacturers would advise them to learn correct handling of live wires, and a thriving industry of insulated safety garments would prey on the survivors. If they made safety gear for swimmers it would be so bulky and uncomfortable they either wouldn’t use it, or they would drown under the weight of it.

Following current trends, anyone who criticized them would be persecuted under the DMCA.

Instead of pointing a finger at those who produce and sell shoddy software, those who suffer are blamed for negligence and stricter rules are devised as means of punishment (false cure), not prevention. It won’t work. The systems need to be changed, as opposed to just their side-effects.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. 'Satellite States' of EPO Autocrats

    Today we look more closely at how Baltic states were rendered 'voting fodder' by large European states, looking to rubber-stamp new and oppressive measures which disempower the masses



  2. [Meme] Don't Mention 'Brexit' to Team UPC

    It seems perfectly clear that UPC cannot start, contrary to what the EPO‘s António Campinos told the Council last week (lying, as usual) and what the EPO insinuates in Twitter; in fact, a legal challenge to this should be almost trivial



  3. The EPO’s Overseer/Overseen Collusion — Part IXX: The Baltic States

    How unlawful EPO rules were unsurprisingly supported by Benoît Battistelli‘s friends in Baltic states; António Campinos maintained those same unlawful rules and Baltic connections, in effect liaising with offices known for their corruption (convicted officials, too; they did not have diplomatic immunity, unlike Battistelli and Campinos)



  4. Links 21/10/2021: GIMP 2.99.8 Released, Hardware Shortages, Mozilla Crisis

    Links for the day



  5. How Oppressive Governments and Web Monopolists Might Try to Discourage Adoption of Internet Protocols Like Gemini

    Popular movements and even some courageous publications have long been subverted by demonisation tactics, splits along unrelated grounds (such as controversial politics) and — failing that — technical sabotage and censorship; one must familiarise oneself with commonly-recurring themes of social control by altercation



  6. [Meme] Strike Triangulations, Reception Issues

    Financial strangulations for Benoît Battistelli‘s unlawful “Strike Regulations”? The EPO will come to regret 2013…



  7. [Meme] Is Saying “No!” to Unlawful Proposals Considered “Impolite”?

    A ‘toxic mix’ of enablers and cowards (who won’t vote negatively on EPO proposals which they know to be unlawful) can serve to show that the EPO isn’t a “social democracy” as Benoît Battistelli liked to call it; it’s just a dictatorship, currently run by the son of a person who actually fought dictatorship



  8. IRC Proceedings: Wednesday, October 20, 2021

    IRC logs for Wednesday, October 20, 2021



  9. [Meme] EPO Legal Sophistry and Double Dipping

    An imaginary EPO intercept of Administrative Council discussions in June 2013...



  10. Links 21/10/2021: PostgreSQL JDBC 42.3.0 and Maui Report

    Links for the day



  11. [Meme] [Teaser] “Judge a Person Both by His Friends and Enemies”

    Fervent supporters of Team Battistelli or Team Campinos (a dark EPO era) are showing their allegiances; WIPO and EPO have abused staff similarly over the past decade or so



  12. 'Cluster-Voting' in the European Patent Office/Organisation (When a Country With 1.9 Million Citizens Has the Same Voting Power as a Country With 83.1 Million Citizens)

    Today we examine who has been running the Finnish patent office and has moreover voted in the EPO during the ballot on unlawful "Strike Regulations"; they voted in favour of manifestly illegal rules and for 8.5 years after that (including last Wednesday) they continued to back a shady regime which undermines the EPO's mission statement



  13. The EPO’s Overseer/Overseen Collusion — Part XVIII: Helsinki's Accord

    The Finnish outpost has long been strategic to the EPO because it can help control the vote of four or more nations; evidence suggests this has not changed



  14. [Meme] Living as a Human Resource, Working for Despots

    The EPO has become a truly awful place/employer to work for; salary is 2,000 euros for some (despite workplace stress, sometimes relocation to a foreign country)



  15. Links 20/10/2021: New Redcore Linux and Hospital Adoption of GNU Health

    Links for the day



  16. IRC Proceedings: Tuesday, October 19, 2021

    IRC logs for Tuesday, October 19, 2021



  17. Links 19/10/2021: Karanbir Singh Leaves CentOS Board, GPL Violations at Vizio

    Links for the day



  18. [Meme] Giving the Knee

    The 'knee' champion Kratochvìl and 'kneel' champion Erlingsdóttir are simply crushing the law; they’re ignoring the trouble of EPO staff and abuses of the Office, facilitated by the Council itself (i.e. facilitated by themselves)



  19. Josef Kratochvìl Rewarded Again for Covering Up EPO Corruption and the EPO Bribes the Press for Lies Whilst Also Lying About Its Colossal Privacy Violations

    Corrupt officials and officials who actively enable the crimes still control the Office and also the body which was supposed to oversee it; it's pretty evident and clear judging by this week's press statements at the EPO's official Web site



  20. [Meme] Sorry, Wrong Country (Or: Slovenia isn't Great Britain)

    Team UPC is trying to go ahead with a total hoax which a high-level European court would certainly put an end to (if or when a referral is initiated)



  21. How Denmark, Iceland, Finland, Norway and Sweden Voted on Patently Unlawful Regulations at the EPO

    We look back and examine what happened 8 years ago when oppressed staff was subjected to unlawful new “regulations” (long enjoyed by António Campinos, the current EPO autocrat)



  22. The EPO’s Overseer/Overseen Collusion — Part XVII: The Non-Monolithic Nordic Bloc

    We start our investigation of how countries in northern Europe ended up voting on the unlawful “Strike Regulations” at the EPO and why



  23. Proof That Windows “11” is a Hoax

    Guest post by Ryan, reprinted with permission



  24. Firefox Becomes as Morally Reprehensible as Apple, Facebook, or Uber

    Guest post by Ryan, reprinted with permission



  25. Links 19/10/2021: GNU dbm 1.22 and Godot 3.4 RC 1

    Links for the day



  26. [Meme] [Teaser] GitHub an Expensive and Dangerous Trap (Also: Misogyny Hub)

    The ongoing Microsoft GitHub exposé will give people compelling reasons to avoid GitHub, which is basically just a subsidised (at a loss) trap



  27. Norway Should Have Voted Against Benoît Battistelli's Illegal (Anti-)'Strike Regulations' at the European Patent Office

    Benoît Battistelli‘s EPO faced no real and potent opposition from Norwegian delegates, who chose to abstain from the vote on the notorious and illegal so-called ‘Strike Regulations’ (they’re just an attack on strikes, an assault on basic rights of labourers)



  28. Links 19/10/2021: Sequoia PGP LGPL 2.0+, Open RAN Adoption

    Links for the day



  29. [Meme] [Teaser] Benoît Battistelli, King of Iceland

    Later today we shall see how the current deputy of the head of the EPO‘s overseeing body was in fact likely rewarded for her complicity in Benoît Battistelli‘s abuses against EPO staff, including staff from Iceland



  30. IRC Proceedings: Monday, October 18, 2021

    IRC logs for Monday, October 18, 2021


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts