MSBBC Cracked, Canadian Government Cracked, Microsoft Blames Users, and .NET-based Aviation System Crashes
When system crashes can lead to plane crashes
Summary: Another atrocious week for Microsoft’s security and reliability record
“Thanks to Windows’ built-in insecurity, its easy to create huge Windows botnets,” wrote the honourable SJVN a few days ago. It is widely recognised that Microsoft is largely responsible for many of Windows’ security failings, but Microsoft pressures journalists not to call out Windows using techniques that we covered here before.
MSBBC’s music sites have just been cracked and they turned hostile towards site visitors who use Windows. As the report puts it, “other top name insecurity vendors like Sophos, McAfee and even Microsoft’s anti-virus tools didn’t register the hack at all. That is an appalling detection rate from both free and paid-for anti-virus kits and, as of yesterday, Websense reckoned the anti-virus toolkits were still vulnerable.” This is just a Windows problem and someone who informed us that the Canadian government had just been cracked too says that 99% of the systems there run Windows (we cannot verify this claim, but if anyone can, please leave a comment).
It is unclear whether the attackers managed to compromise other departmental computer networks, including those that contain Canadians’ sensitive personal information such as tax and health records.
Once the attack was detected, government cybersecurity officials immediately shut down all internet access in both departments in an attempt to stop stolen information from being sent back to the hackers over the net.
It is obvious what’s happening here. A suicidal dependence on poor systems (such as Windows) is a crucial factor that can easily affect national security or suspend emergency services like dispatch of ambulances. The latter new example speaks of Windows viruses leading to a likely loss of lives (although disruption to service is denied by the face-saving officials). What is Microsoft’s response to all of this? As we noted yesterday, the company’s lobbyist from the government [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13] is trying to blame the users and there are strong responses to it again, such as:
Microsoft Vice President Scott Charney, a longtime advocate of a coordinated approach to cybersecurity, describes a vision of Internet health:
“We broke Windows. It’s your problem now.”
At least, that’s how I interpret his comments. Charney wants to have users pass a kind of “health test” for their computer before they can use web services.
“Security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats,” he said.
Charney uses a public health model to support his new idea. Basically, in order to access web services (say, your bank – or cloud services, maybe even social networking like Facebook) you first need to let the provider run their virus check on your computer. Intrusive? I think so. Would you let a web site run their code (virus scan) on your machine before you are allowed to use their web application? I think I smell more malware coming.
Passing the buck is a game at which Microsoft is adept. In the computer security industry, one needs to have tons of chutzpah to hold others responsible for one’s own security stuff-ups.
The good folk at Redmond possess this quality in spades.
Probably the best example of chutzpah that I can recall came from a young Bill Gates many years ago when the company was getting off the starting blocks. As Paul Allen, the other co-founder, had also taken up a job as head of software at MITs, the maker of the Altair, Gates argued that since he was working for Microsoft only and Allen was dividing his time, he (Gates) should have 64 percent of the founders’ shares and Allen should only get 36 percent.
Shortly after the division was done this way, young Bill went to MITs founder Ed Roberts and got a job there as well, for $US10 an hour. Microsoft’s culture has always been defined by Gates.
Scott Charney’s comments at the ongoing RSA conference are a good example of the blithe manner in which Microsoft tries to force the rest of the world to carry the can for the abysmal security of its products.
The monoculture otherwise known as Windows is in the main responsible for the plethora of viruses, worms, malware, scumware and other such $wares that plague the internet. DDoS attacks come, more often than not, from armies of Windows machines grouped in a botnet.
Sure, there are other operating systems involved too but they are in a minority. A very small minority. Windows is the main problem and everyone, his/her dog, his/her cat and his/her goldfish is aware of that.
Dr. Glyn Moody links to the article “Microsoft has a change of heart on how to keep Internet safe” and he adds: “or how about if Microsoft just wrote some decent code?”
“Will Virgin do the same thing as LSE following this daunting incident?”Yes, journalists too recognise that this is Microsoft’s fault, as stated at the beginning. The gullible, weak ones just bend to Microsoft PR agents and deceive the public about it. These are the sorts of people who do the scaremongering regarding “cyber war” so that companies like Microsoft and suppressive regimes can find good excuses for taking more control over people’s computers, spying on PCs of Windows users for example.
There is another timely example of the failed design of Microsoft software. It’s a major .NET failure just like the ones in LSE (a former Microsoft poster child). Not so long ago it turned out that a plane crash had been caused by Windows malware (with Microsoft boosters blaming IBM in vain [1, 2]) and amid other plane crashes and downtimes in airports [1, 2] it became evident that Microsoft belongs nowhere near aviation. Virgin made the mistake of going with Microsoft and watch what happens:
This latest computer crash, which looks to be as serious as the 2010 fiasco, will place more question marks around the integrity and robustness of the .NET based Navitaire New Skies system which claims to be able to handle load spikes and scale easily as passenger volumes increase.
The crash also raises questions about the level of redundancy built into Navitaire, which is supposed to provide back-up systems in the event of failure.
Will Virgin do the same thing as LSE following this daunting incident? █