02.17.11
MSBBC Cracked, Canadian Government Cracked, Microsoft Blames Users, and .NET-based Aviation System Crashes
When system crashes can lead to plane crashes
Summary: Another atrocious week for Microsoft’s security and reliability record
“Thanks to Windows’ built-in insecurity, its easy to create huge Windows botnets,” wrote the honourable SJVN a few days ago. It is widely recognised that Microsoft is largely responsible for many of Windows’ security failings, but Microsoft pressures journalists not to call out Windows using techniques that we covered here before.
MSBBC’s music sites have just been cracked and they turned hostile towards site visitors who use Windows. As the report puts it, “other top name insecurity vendors like Sophos, McAfee and even Microsoft’s anti-virus tools didn’t register the hack at all. That is an appalling detection rate from both free and paid-for anti-virus kits and, as of yesterday, Websense reckoned the anti-virus toolkits were still vulnerable.” This is just a Windows problem and someone who informed us that the Canadian government had just been cracked too says that 99% of the systems there run Windows (we cannot verify this claim, but if anyone can, please leave a comment).
It is unclear whether the attackers managed to compromise other departmental computer networks, including those that contain Canadians’ sensitive personal information such as tax and health records.
Once the attack was detected, government cybersecurity officials immediately shut down all internet access in both departments in an attempt to stop stolen information from being sent back to the hackers over the net.
It is obvious what’s happening here. A suicidal dependence on poor systems (such as Windows) is a crucial factor that can easily affect national security or suspend emergency services like dispatch of ambulances. The latter new example speaks of Windows viruses leading to a likely loss of lives (although disruption to service is denied by the face-saving officials). What is Microsoft’s response to all of this? As we noted yesterday, the company’s lobbyist from the government [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13] is trying to blame the users and there are strong responses to it again, such as:
Microsoft Vice President Scott Charney, a longtime advocate of a coordinated approach to cybersecurity, describes a vision of Internet health:
“We broke Windows. It’s your problem now.”
At least, that’s how I interpret his comments. Charney wants to have users pass a kind of “health test” for their computer before they can use web services.
“Security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats,” he said.
Charney uses a public health model to support his new idea. Basically, in order to access web services (say, your bank – or cloud services, maybe even social networking like Facebook) you first need to let the provider run their virus check on your computer. Intrusive? I think so. Would you let a web site run their code (virus scan) on your machine before you are allowed to use their web application? I think I smell more malware coming.
Charney’s appalling remarks are also mentioned by Lia Timson at ITWire and Lia’s colleague Sam Varghese, who writes:
Passing the buck is a game at which Microsoft is adept. In the computer security industry, one needs to have tons of chutzpah to hold others responsible for one’s own security stuff-ups.
The good folk at Redmond possess this quality in spades.
Probably the best example of chutzpah that I can recall came from a young Bill Gates many years ago when the company was getting off the starting blocks. As Paul Allen, the other co-founder, had also taken up a job as head of software at MITs, the maker of the Altair, Gates argued that since he was working for Microsoft only and Allen was dividing his time, he (Gates) should have 64 percent of the founders’ shares and Allen should only get 36 percent.
Shortly after the division was done this way, young Bill went to MITs founder Ed Roberts and got a job there as well, for $US10 an hour. Microsoft’s culture has always been defined by Gates.
Scott Charney’s comments at the ongoing RSA conference are a good example of the blithe manner in which Microsoft tries to force the rest of the world to carry the can for the abysmal security of its products.
The monoculture otherwise known as Windows is in the main responsible for the plethora of viruses, worms, malware, scumware and other such $wares that plague the internet. DDoS attacks come, more often than not, from armies of Windows machines grouped in a botnet.
Sure, there are other operating systems involved too but they are in a minority. A very small minority. Windows is the main problem and everyone, his/her dog, his/her cat and his/her goldfish is aware of that.
Dr. Glyn Moody links to the article “Microsoft has a change of heart on how to keep Internet safe” and he adds: “or how about if Microsoft just wrote some decent code?”
“Will Virgin do the same thing as LSE following this daunting incident?”Yes, journalists too recognise that this is Microsoft’s fault, as stated at the beginning. The gullible, weak ones just bend to Microsoft PR agents and deceive the public about it. These are the sorts of people who do the scaremongering regarding “cyber war” so that companies like Microsoft and suppressive regimes can find good excuses for taking more control over people’s computers, spying on PCs of Windows users for example.
There is another timely example of the failed design of Microsoft software. It’s a major .NET failure just like the ones in LSE (a former Microsoft poster child). Not so long ago it turned out that a plane crash had been caused by Windows malware (with Microsoft boosters blaming IBM in vain [1, 2]) and amid other plane crashes and downtimes in airports [1, 2] it became evident that Microsoft belongs nowhere near aviation. Virgin made the mistake of going with Microsoft and watch what happens:
This latest computer crash, which looks to be as serious as the 2010 fiasco, will place more question marks around the integrity and robustness of the .NET based Navitaire New Skies system which claims to be able to handle load spikes and scale easily as passenger volumes increase.
The crash also raises questions about the level of redundancy built into Navitaire, which is supposed to provide back-up systems in the event of failure.
Will Virgin do the same thing as LSE following this daunting incident? █
twitter said,
February 17, 2011 at 6:18 pm
Another good reason for governments to dump Microsoft comes from the Aaron Barr, HBGary disclosures. The exploits he advertised are almost all Microsoft problems or software that runs on Windows He brags about screwing private companies, governments, presumably the US included, as well as the “progressive groups” targeted by the US Chamber of Commerce and Bank of America.
As usual, the crooks go for the softest target and that is people’s home computers running Windows. One of the reasons Barr targeted family members of his targets was to gain access to company and organizational networks. In one of the images he’s quoted as saying, “An example. Richard probably has a home network. Richard and [his wife] probably share the same network, maybe even the same home computer. Either way. [sic] If I can exploit her account through one of her social connections I can exploit the home network/system.” The nasty things he does with such information and control are well documented, harass, demoralize, fracture, discredit and destroy the targeted groups and people.
The best way for governments, companies and progressives alike to avoid this kind of screw over is for them to all start using free software which is miles ahead of non free software in all ways related to security, privacy and attribution. People using free software can easily sign or encrypt their communications and documents to assure privacy and authorship. That eliminates many of the social attacks Microsoft boosters will try to highlight in order to deflect attention from Microsoft flaws, the old “all software is crap, blame the user” misdirection. The number of free software exploits is vanishingly small because of inherently better design, continuous, rapid improvement and diversity based on architecture and distribution. Non free software was designed to exploit the user with unjust demands, so it is no surprise that backdoors and other treachery are more common than things users want.
twitter said,
February 18, 2011 at 1:00 am
NASDAQ was also cracked the other day. No, not the GNU/Linux trading computers, something called Directors Desk that they foolishly ran on Windows. NASDAQ and Slashdot both fail to call out Windows, and the Slashdot submitter disgraced themselves by saying, “the attackers are winning, and even well-funded organizations like NASDAQ can’t secure their networks reliably.” No one can secure Windows or any network with Windows on it. Google figured this out and banned Windows from their networks. When will other companies get with it?
Dr. Roy Schestowitz Reply:
February 18th, 2011 at 1:29 am
I put that in daily links as I could not confirm that Windows was to blame.
twitter Reply:
February 18th, 2011 at 1:52 am
Oh my, here’s Forbes rushing to Microsoft’s rescue. Mention of EU privacy violations is interesting but not as much fun as the estimated year of penetration “hackers” had to the supposed treasure trove of information on 10,000 board of directors, including Fortune 500 companies. The forbes rescue is that this attack had to be State-Sponsored because of how long it went undetected! It was an “Advanced Persistant Threat attack” (APT)!! The author splurges on,
Call the author right away because he “provides custom security solutions that focus exclusively on the special needs of C-level and other senior executives.”
News about the hack is ranked high in Google search results for “NASDAQ Directors Desk” but none of the articles in the first two pages call out Windows. This one (USA Today) thinks a poison pdf might have been planted but fails to mention the target would be Adobe Reader on Windows or that the attack was against a crappy Windows server. Instead the author calls Director’s desk a, “no-nonsense social network for very privileged users. Nasdaq describes it as a “complete turnkey, fully hosted online board technology solution”. Right. The author then details how a poison pdf would have been slipped it from a board member’s “PC” that got p0wnt by someone who had done a little HBGary style research, as Windows PCs often are. No mention is made of Windws, however. That Windows is insecure on desktops or servers is simply too easy a solution, a non story that won’t sell any fancy insecurity products. Network World fails to call out Windows, but comments do. There’s no mention of Windows here or in the New York Times or The Wall Street Journal.
By not calling out Windows, all of these big publishers create panic without a reasonable solution, and set people up for great harm. Readers are invited to panic as they realize that criminals have penetrated all sorts of networks, private and government. They would not be so scared if they simply ditched Microsoft. Instead, I’m afraid Microsoft is going to use their failures to gain yet more power. People, ignorant of the cause of their problems, will be fleeced by snake oil vendors and Microsoft’s “public health” proposals will be used to discriminate against people who don’t use Windows and don’t have the problems. The snake oil solutions are a never ending story that Microsoft has pushed since the early days of MSDOS.
Dr. Roy Schestowitz Reply:
February 18th, 2011 at 2:03 am
Google knew better and also named Windows.