02.17.11

Gemini version available ♊︎

MSBBC Cracked, Canadian Government Cracked, Microsoft Blames Users, and .NET-based Aviation System Crashes

Posted in Microsoft, Servers, Windows at 2:39 pm by Dr. Roy Schestowitz

When system crashes can lead to plane crashes

Aeroplane

Summary: Another atrocious week for Microsoft’s security and reliability record

“Thanks to Windows’ built-in insecurity, its easy to create huge Windows botnets,” wrote the honourable SJVN a few days ago. It is widely recognised that Microsoft is largely responsible for many of Windows’ security failings, but Microsoft pressures journalists not to call out Windows using techniques that we covered here before.

MSBBC’s music sites have just been cracked and they turned hostile towards site visitors who use Windows. As the report puts it, “other top name insecurity vendors like Sophos, McAfee and even Microsoft’s anti-virus tools didn’t register the hack at all. That is an appalling detection rate from both free and paid-for anti-virus kits and, as of yesterday, Websense reckoned the anti-virus toolkits were still vulnerable.” This is just a Windows problem and someone who informed us that the Canadian government had just been cracked too says that 99% of the systems there run Windows (we cannot verify this claim, but if anyone can, please leave a comment).

It is unclear whether the attackers managed to compromise other departmental computer networks, including those that contain Canadians’ sensitive personal information such as tax and health records.

Once the attack was detected, government cybersecurity officials immediately shut down all internet access in both departments in an attempt to stop stolen information from being sent back to the hackers over the net.

It is obvious what’s happening here. A suicidal dependence on poor systems (such as Windows) is a crucial factor that can easily affect national security or suspend emergency services like dispatch of ambulances. The latter new example speaks of Windows viruses leading to a likely loss of lives (although disruption to service is denied by the face-saving officials). What is Microsoft’s response to all of this? As we noted yesterday, the company’s lobbyist from the government [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13] is trying to blame the users and there are strong responses to it again, such as:

Microsoft Vice President Scott Charney, a longtime advocate of a coordinated approach to cybersecurity, describes a vision of Internet health:

“We broke Windows. It’s your problem now.”

At least, that’s how I interpret his comments. Charney wants to have users pass a kind of “health test” for their computer before they can use web services.

“Security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats,” he said.

Charney uses a public health model to support his new idea. Basically, in order to access web services (say, your bank – or cloud services, maybe even social networking like Facebook) you first need to let the provider run their virus check on your computer. Intrusive? I think so. Would you let a web site run their code (virus scan) on your machine before you are allowed to use their web application? I think I smell more malware coming.

Charney’s appalling remarks are also mentioned by Lia Timson at ITWire and Lia’s colleague Sam Varghese, who writes:

Passing the buck is a game at which Microsoft is adept. In the computer security industry, one needs to have tons of chutzpah to hold others responsible for one’s own security stuff-ups.

The good folk at Redmond possess this quality in spades.

Probably the best example of chutzpah that I can recall came from a young Bill Gates many years ago when the company was getting off the starting blocks. As Paul Allen, the other co-founder, had also taken up a job as head of software at MITs, the maker of the Altair, Gates argued that since he was working for Microsoft only and Allen was dividing his time, he (Gates) should have 64 percent of the founders’ shares and Allen should only get 36 percent.

Shortly after the division was done this way, young Bill went to MITs founder Ed Roberts and got a job there as well, for $US10 an hour. Microsoft’s culture has always been defined by Gates.

Scott Charney’s comments at the ongoing RSA conference are a good example of the blithe manner in which Microsoft tries to force the rest of the world to carry the can for the abysmal security of its products.

The monoculture otherwise known as Windows is in the main responsible for the plethora of viruses, worms, malware, scumware and other such $wares that plague the internet. DDoS attacks come, more often than not, from armies of Windows machines grouped in a botnet.

Sure, there are other operating systems involved too but they are in a minority. A very small minority. Windows is the main problem and everyone, his/her dog, his/her cat and his/her goldfish is aware of that.

Dr. Glyn Moody links to the article “Microsoft has a change of heart on how to keep Internet safe” and he adds: “or how about if Microsoft just wrote some decent code?”

“Will Virgin do the same thing as LSE following this daunting incident?”Yes, journalists too recognise that this is Microsoft’s fault, as stated at the beginning. The gullible, weak ones just bend to Microsoft PR agents and deceive the public about it. These are the sorts of people who do the scaremongering regarding “cyber war” so that companies like Microsoft and suppressive regimes can find good excuses for taking more control over people’s computers, spying on PCs of Windows users for example.

There is another timely example of the failed design of Microsoft software. It’s a major .NET failure just like the ones in LSE (a former Microsoft poster child). Not so long ago it turned out that a plane crash had been caused by Windows malware (with Microsoft boosters blaming IBM in vain [1, 2]) and amid other plane crashes and downtimes in airports [1, 2] it became evident that Microsoft belongs nowhere near aviation. Virgin made the mistake of going with Microsoft and watch what happens:

This latest computer crash, which looks to be as serious as the 2010 fiasco, will place more question marks around the integrity and robustness of the .NET based Navitaire New Skies system which claims to be able to handle load spikes and scale easily as passenger volumes increase.

The crash also raises questions about the level of redundancy built into Navitaire, which is supposed to provide back-up systems in the event of failure.

Will Virgin do the same thing as LSE following this daunting incident?

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

5 Comments

  1. twitter said,

    February 17, 2011 at 6:18 pm

    Gravatar

    Another good reason for governments to dump Microsoft comes from the Aaron Barr, HBGary disclosures. The exploits he advertised are almost all Microsoft problems or software that runs on Windows He brags about screwing private companies, governments, presumably the US included, as well as the “progressive groups” targeted by the US Chamber of Commerce and Bank of America.

    If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.

    I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work — getting access to the target is just a matter of time and nominal effort.

    As usual, the crooks go for the softest target and that is people’s home computers running Windows. One of the reasons Barr targeted family members of his targets was to gain access to company and organizational networks. In one of the images he’s quoted as saying, “An example. Richard probably has a home network. Richard and [his wife] probably share the same network, maybe even the same home computer. Either way. [sic] If I can exploit her account through one of her social connections I can exploit the home network/system.” The nasty things he does with such information and control are well documented, harass, demoralize, fracture, discredit and destroy the targeted groups and people.

    The best way for governments, companies and progressives alike to avoid this kind of screw over is for them to all start using free software which is miles ahead of non free software in all ways related to security, privacy and attribution. People using free software can easily sign or encrypt their communications and documents to assure privacy and authorship. That eliminates many of the social attacks Microsoft boosters will try to highlight in order to deflect attention from Microsoft flaws, the old “all software is crap, blame the user” misdirection. The number of free software exploits is vanishingly small because of inherently better design, continuous, rapid improvement and diversity based on architecture and distribution. Non free software was designed to exploit the user with unjust demands, so it is no surprise that backdoors and other treachery are more common than things users want.

  2. twitter said,

    February 18, 2011 at 1:00 am

    Gravatar

    NASDAQ was also cracked the other day. No, not the GNU/Linux trading computers, something called Directors Desk that they foolishly ran on Windows. NASDAQ and Slashdot both fail to call out Windows, and the Slashdot submitter disgraced themselves by saying, “the attackers are winning, and even well-funded organizations like NASDAQ can’t secure their networks reliably.” No one can secure Windows or any network with Windows on it. Google figured this out and banned Windows from their networks. When will other companies get with it?

    Dr. Roy Schestowitz Reply:

    I put that in daily links as I could not confirm that Windows was to blame.

    twitter Reply:

    Oh my, here’s Forbes rushing to Microsoft’s rescue. Mention of EU privacy violations is interesting but not as much fun as the estimated year of penetration “hackers” had to the supposed treasure trove of information on 10,000 board of directors, including Fortune 500 companies. The forbes rescue is that this attack had to be State-Sponsored because of how long it went undetected! It was an “Advanced Persistant Threat attack” (APT)!! The author splurges on,

    The security measures advertised on the Directors Desk website such as compliance with ISO27001, firewalls, IDS, and strong passwords are useless against APT because attacks are specifically designed to bypass everything that the target has put in place; even encryption. … NASDAQ needs to consult with security experts who understand and work APT attacks as soon as possible. If you’re a Directors Desk LLC customer, you should probably do the same.

    Call the author right away because he “provides custom security solutions that focus exclusively on the special needs of C-level and other senior executives.”

    News about the hack is ranked high in Google search results for “NASDAQ Directors Desk” but none of the articles in the first two pages call out Windows. This one (USA Today) thinks a poison pdf might have been planted but fails to mention the target would be Adobe Reader on Windows or that the attack was against a crappy Windows server. Instead the author calls Director’s desk a, “no-nonsense social network for very privileged users. Nasdaq describes it as a “complete turnkey, fully hosted online board technology solution”. Right. The author then details how a poison pdf would have been slipped it from a board member’s “PC” that got p0wnt by someone who had done a little HBGary style research, as Windows PCs often are. No mention is made of Windws, however. That Windows is insecure on desktops or servers is simply too easy a solution, a non story that won’t sell any fancy insecurity products. Network World fails to call out Windows, but comments do. There’s no mention of Windows here or in the New York Times or The Wall Street Journal.

    By not calling out Windows, all of these big publishers create panic without a reasonable solution, and set people up for great harm. Readers are invited to panic as they realize that criminals have penetrated all sorts of networks, private and government. They would not be so scared if they simply ditched Microsoft. Instead, I’m afraid Microsoft is going to use their failures to gain yet more power. People, ignorant of the cause of their problems, will be fleeced by snake oil vendors and Microsoft’s “public health” proposals will be used to discriminate against people who don’t use Windows and don’t have the problems. The snake oil solutions are a never ending story that Microsoft has pushed since the early days of MSDOS.

    Dr. Roy Schestowitz Reply:

    Google knew better and also named Windows.

DecorWhat Else is New


  1. Unmasking AI

    A guest article by Andy Farnell



  2. The ISO Delusion/Sirius Corporation: A 'Tech' Company Run by Non-Technical People

    Sirius ‘Open Source’ was hiring people who brought to the company a culture of redundant tasks and unwanted, even hostile technology; today we continue to tell the story of a company run by the CEO whose friends and acquaintances did severe damage



  3. Links 28/01/2023: Lots of Catching Up (Had Hardware Crash)

    Links for the day



  4. IRC Proceedings: Friday, January 27, 2023

    IRC logs for Friday, January 27, 2023



  5. Microsoft DuckDuckGo Falls to Lowest Share in 2 Years After Being Widely Exposed as Microsoft Proxy, Fake 'Privacy'

    DuckDuckGo, according to this latest data from Statcounter, fell from about 0.71% to just 0.58%; all the gains have been lost amid scandals, such as widespread realisation that DuckDuckGo is a Microsoft informant, curated by Microsoft and hosted by Microsoft (Bing is meanwhile laying off many people, but the media isn’t covering that or barely bothers)



  6. This is What the Microsoft-Sponsored Media Has Been Hyping Up for Weeks (Ahead of Microsoft Layoffs)

    Reprinted with permission from Ryan



  7. [Meme] António Campinos Wants to Be F***ing President Until 2028

    António Campinos insists he will be EPO President for 10 years, i.e. even longer than Benoît Battistelli (despite having appalling approval rates from staff)



  8. European Patent Office Staff Losing Hope

    The EPO’s management with its shallow campaign of obfuscation (pretending to protect children or some other nonsense) is not fooling patent examiners, who have grown tired and whose representatives say “the administration shows no intention of involving the staff representation in the drafting of the consultant’s mandate” (like in Sirius ‘Open Source’ where technical staff is ignored completely for misguided proposals to pass in the dark)



  9. IRC Proceedings: Thursday, January 26, 2023

    IRC logs for Thursday, January 26, 2023



  10. Sirius Relegated/Demoted/Destined Itself to Technical Hell by Refusing to Listen to the Technical Staff (Which Wanted to Stay With Asterisk/Free Software)

    In my final year at Sirius ‘Open Source’ communication systems had already become chaotic; there were too many dysfunctional tools, a lack of instructions, a lack of coordination and the proposed ‘solution’ (this past October) was just more complexity and red tape



  11. Geminispace Approaching Another Growth Milestone (2,300 Active Capsules)

    The expansion of Geminispace is worth noting again because another milestone is approached, flirted with, or will be surpassed this coming weekend



  12. [Meme] Cannot Get a Phone to Work... in 2022

    Sirius ‘Open Source’ wasted hours of workers’ time just testing the phone after it had moved to a defective system of Google (proprietary); instead of a rollback (back to Asterisk) the company doubled down on the faulty system and the phones still didn’t work properly, resulting in missing calls and angst (the company just blamed the workers who all along rejected this new system)



  13. [Meme] Modern Phones

    Sirius ‘Open Source’ is mistaking “modern” for better; insecurity and a lack of tech savvy typically leads to that



  14. The ISO Delusion: Sirius Corporation Demonstrates a Lack of Understanding of Security and Privacy

    Sirius ‘Open Source’, emboldened by ISO ‘paperwork’ (certification), lost sight of what it truly takes to run a business securely, mistaking worthless gadgets for “advancement” while compelling staff to sign a new contract in a hurry (prior contract-signing scandals notwithstanding)



  15. Links 26/01/2023: LibreOffice 7.4.5 and Ubuntu Pro Offers

    Links for the day



  16. Links 26/01/2023: GNU poke 3.0 and PipeWire 0.3.65

    Links for the day



  17. IRC Proceedings: Wednesday, January 25, 2023

    IRC logs for Wednesday, January 25, 2023



  18. Companies Would Collapse Upon Abandoning Their Original Goals (That Attracted All the Productive Staff)

    Staff with technical skills won't stick around in companies that reject technical arguments and moreover move to proprietary software in a company that brands itself "Open Source"



  19. [Meme] Listen to Your Workers, Avert Disaster

    Companies that refuse to take input from staff are doomed to fail



  20. The ISO Delusion: When the Employer Doesn’t Understand the Company's Value Proposition (Building Systems) and Rejects Security

    Sirius ‘Open Source’ has failed to sell what it was actually good at; instead it hired unqualified people and outsourced almost everything



  21. Links 25/01/2023: NuTyX 23.01.1 and GNU Guile 3.0.9 Released

    Links for the day



  22. Links 25/01/2023: Stratis 3.5.0 and Many Political Links

    Links for the day



  23. New Record Low: Only One 'Linux' Article in ZDNet in More Than Two Weeks

    Only a few years ago ZDNet published about 3 “Linux” stories per day (mostly FUD pieces); now it’s a ghost town, painted in ‘alien green’; considering ZDNet’s agenda (and sponsors) maybe it’s better this way



  24. Links 25/01/2023: Pale Moon 32.0 and DXVK 2.1

    Links for the day



  25. IRC Proceedings: Tuesday, January 24, 2023

    IRC logs for Tuesday, January 24, 2023



  26. ISO Certification Hardly Tackles Any of the Real Issues

    The real-world threats faced by private companies or non-profit organisations aren't covered by the ISO certification mill; today we publish the last post on this topic before proceeding to some practical examples



  27. [Meme] Medical Data Sovereignty

    What happens when your medical records/data are accessible to a company based abroad after a mysterious NDA with the Gates Foundation? The International Organization for Standardization (ISO) does not mind.



  28. The ISO Delusion: Sirius Open Wash Ltd. and Medical Data/Projects at Risk/Peril

    Sirius ‘Open Source’ was good at gloating about “ISO” as in ISO certification (see our ISO wiki to understand what ISO truly is; ISO certification needs to be more widely condemned and exposed) while signing all sorts of dodgy deals and lying to clients (some, like the Gates Foundation, were never mentioned because of a mysterious NDA); security and privacy were systematically neglected and some qualified as criminal negligence (with fines/penalties likely an applicable liability if caught/reported)



  29. Links 24/01/2023: Wine 8.0 is Ready, FSF Bolsters Copyleft

    Links for the day



  30. Azure Has Layoffs Again, Microsoft Still Cutting

    Even supposed ‘growth’ areas at Microsoft are being culled (this growth is faked, it is a lie)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts