12.07.08

Gemini version available ♊︎

Eye on Security: ‘Fun’ with Zombies, Press Ignorance, and Bizarre Solutions

Posted in Microsoft, Security, Windows at 8:54 pm by Dr. Roy Schestowitz

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Microsoft software is not exactly renowned for being secure, despite attempts to manipulate journalists. The software is notorious for being deficient or defective. To Microsoft, security and networking were an afterthought, not a design consideration, as shown here. Granted, trouble should be anticipated.

Zombies Conundrum

Stories about Windows zombies are a dime a dozen, just like zombie nodes. It is estimated that about 320 million Windows PCs are zombies. Here is the latest story on this never-ending (and very costly) battle.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

That’s small potatoes compared to the whole, but it just happens to be a new example. Not so long ago we witnessed hospitals and army bases becoming botnets, as well. It’s a hugely serious subject that results in many untold deaths.

Insecure by Design

As prior links demonstrate (we strive to avoid repetition), it is agreed even by Microsoft’s biggest of fans that Windows fails at security because it’s just bad at it. It’s nothing to do with market share and those lies are running thin. In the following new article, Microsoft’s security model comes under fire.

When Microsoft released an emergency patch last month for a critical vulnerability in the server service in Windows, administrators and security teams in enterprises around the world scrambled to test the fix, schedule downtime and get the patch distributed as quickly as possible. If ever there was an occasion to use all due haste in deploying a patch, this was it. Not only was the vulnerability present in every supported version of Windows, but Microsoft officials had warned that it was a prime candidate for a worm.

Here is another one from the news.

Security Manager’s Journal: When is a patch not really a patch?

[...]

If you don’t reboot a Windows server after a patch is applied, the patch doesn’t take effect, but SMS doesn’t notice that failure to reboot. This insistence on rebooting is one of the things I dislike about Windows. In the Unix world, all that’s usually required is that a particular process be restarted.

There has been lots of chatter about a flaw in Mozilla Firefox, but like many previous ones, this new vulnerability only applies to Windows, where Firefox inherits some risky behaviour which it sometimes attempts to mimic due to necessity. Why isn’t the press covering this properly?

Bad, wicked Firefox, bad wicked open source…except that this trojan *only* works on Windows…which means it’s bad wicked Windows, yet again. But the article never mentions this, of course.

[...]

And yes, you guessed it, it only works on Windows. So that bit about “[t]he most remarkable feature of the episode may not be the breach of security, but the cost of dealing with it” is really about the cost of using Windows – well, it’s The Economist, what do you expect, accuracy? When will they ever learn?

As Glyn Moody shows, there are rare exceptions among the reporters.

The Web Vector

Adding to a mountain of reasons for infection:

1. Facebook hit by virus

“Koobface” that uses the social network’s messaging system to infect PCs, then tries to gather sensitive information such as credit card numbers.

2. Most recent Windows infections result from the same simple trick

BitDefender’s Top 10 E-Threats Report identifies just one type of attack as being responsible for more than a third of Windows infections in the past month: fake anti-virus scans, also known as scareware.

Attacking the Outcome, Not the Cause

Here is a good and short article titled “Punishment vs. Prevention.”

Finally, I feel compelled to issue the warning, “Be careful what you wish for, because you might just get it.” If the government takes over Internet security, there is sure to be a large amount of new regulation imposed. And this could mean security companies like F-Secure would have to devote a lot of resources towards compliance. I think it would be much better for us to take responsibility for finding solutions ourselves.

This is a hot topic at the moment because concerned authorities ponder tackling the zombies issues by making punishment for those caught a lot more severe. But it’s totally the wrong way of addressing the issue. As Carla argues very rightly: ““Instead of Throwing Everyone In Jail, Fix Your Lousy Products”

Have any of them– has one single vendor, whether it’s Symantec or Trend or McAfee or F-Secure or anyone– ever said “Quit throwing your money down a rathole– stop using Windows, or at least don’t put it on the Internet”? Wouldn’t that little tidbit of honesty be refreshing? But no, they’ll never do that. If the same conditions existed in, say, the small home appliances industry people would be getting electrocuted by their toasters and hair dryers every day, and the manufacturers would advise them to learn correct handling of live wires, and a thriving industry of insulated safety garments would prey on the survivors. If they made safety gear for swimmers it would be so bulky and uncomfortable they either wouldn’t use it, or they would drown under the weight of it.

Following current trends, anyone who criticized them would be persecuted under the DMCA.

Instead of pointing a finger at those who produce and sell shoddy software, those who suffer are blamed for negligence and stricter rules are devised as means of punishment (false cure), not prevention. It won’t work. The systems need to be changed, as opposed to just their side-effects.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Links 04/06/2023: Why Flatpak and Wealth of Devices With GNU/Linux

    Links for the day



  2. Gemini Links 04/06/2023: Rosy Crow 1.1.3 and NearlyFreeSpeech.NET

    Links for the day



  3. IRC Proceedings: Saturday, June 03, 2023

    IRC logs for Saturday, June 03, 2023



  4. Links 04/06/2023: Azure Outage Again (So Many!) and Tiananmen Massacre Censored

    Links for the day



  5. Links 03/06/2023: Qubes OS 4.2.0 RC1 and elementaryOS Updates for May

    Links for the day



  6. Gemini Links 03/06/2023: Hidden Communities and Exam Prep is Not Education

    Links for the day



  7. Links 03/06/2023: IBM Betraying LibreOffice Some More (After Laying off LibreOffice Developers)

    Links for the day



  8. Gemini Links 03/06/2023: Bubble Woes and Zond Updates

    Links for the day



  9. Links 03/06/2023: Apache NetBeans 18 and ArcaOS 5.0.8

    Links for the day



  10. IRC Proceedings: Friday, June 02, 2023

    IRC logs for Friday, June 02, 2023



  11. The Developing World Abandons Microsoft Windows, GNU/Linux at All-Time Highs on Desktops/Laptops

    Microsoft, with 80 billion dollars in longterm debt and endless layoffs, is losing the monopolies; the media doesn’t mention this, but some publicly-accessible data helps demonstrate that



  12. Links 02/06/2023: Elive ‘Retrowave’ Stable and Microsoft's Half a Billion Dollar Fine for LinkeIn Surveillance in Europe

    Links for the day



  13. Linux Foundation 'Research' Has a New Report and Of Course It Uses Only Proprietary Software

    The Linux Foundation has a new report, promoted by Clickfraud Spamnil and others; of course they’re rejecting Free software, they’re just riding the “Linux” brand and speak of “Open Source” (which they reject themselves)



  14. Links 02/06/2023: Arti 1.1.5 and SQL:2023

    Links for the day



  15. Gemini Links 02/06/2023: Vimwiki Revisited, SGGS Revisited

    Links for the day



  16. Geminispace/GemText/Gemini Protocol Turn 4 on June 20th

    Gemini is turning 4 this month (on the 20th, according to the founder) and I thought I’d do a spontaneous video about how I use Gemini, why it's so good, and why it’s still growing (Stéphane Bortzmeyer fixed the broken cron job — or equivalent of it — a day or two after I had mentioned the issue)



  17. HMRC Does Not Care About Tax Fraud Committed by UK Government Contractor, Sirius 'Open Source'

    The tax crimes of Sirius ‘Open Source’ were reported to HMRC two weeks ago; HMRC did not bother getting back to the reporters (victims of the crime) and it’s worth noting that the reporters worked on UK government systems for many years, so maybe there’s a hidden incentive to bury this under the rug



  18. Our IRC at 15th Anniversary

    So our IRC community turns 15 today (sort of) and I’ve decided to do a video reflecting on the fact that some of the same people are still there after 15 years



  19. IRC Proceedings: Thursday, June 01, 2023

    IRC logs for Thursday, June 01, 2023



  20. Links 02/06/2023: NixOS 23.05 and Rust 1.70.0

    Links for the day



  21. Gemini Links 02/06/2023: Flying High With Gemini and Gogios Released

    Links for the day



  22. Links 01/06/2023: KStars 3.6.5 and VEGA ET1031 RISC-V Microprocessor in Use

    Links for the day



  23. Gemini Links 01/06/2023: Scam Call and Flying High With Gemini

    Links for the day



  24. Links 01/06/2023: Spleen 2.0.0 Released and Team UPC Celebrates Its Own Corruption

    Links for the day



  25. IRC Proceedings: Wednesday, May 31, 2023

    IRC logs for Wednesday, May 31, 2023



  26. Tux Machines Closing the Door on Twitter Because Twitter is Dead (for a Lot of People)

    Tux Machines recently joined millions of others who had already quit Twitter, including passive posting (fully or partly automated)



  27. Links 31/05/2023: Inkscape’s 1.3 Plans and New ARM Cortex-A55-Based Linux Chip

    Links for the day



  28. Gemini Links 31/05/2023: Personality of Software Engineers

    Links for the day



  29. Links 31/05/2023: Armbian 23.05 Release and Illegal UPC

    Links for the day



  30. IRC Proceedings: Tuesday, May 30, 2023

    IRC logs for Tuesday, May 30, 2023


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts