Bonum Certa Men Certa

Microsoft and Insecurity: Vulnerabilities, Botnets, and a Whole Lot of Nerve

Hand on glass



Summary: Windows insecurity a matter of persistence, Windows botnets a lost cause, and Microsoft's staff interferes with security policy

From One Critical Vulnerability to Another



THE security problems in Windows are a never-ending problem. Those patches that we mentioned last week arrived on Patch Tuesday, as usual. Here are some of last week's articles about it [1, 2, 3, 4] and indication that Microsoft may be silencing researchers again:



Microsoft Exploits Talk Dropped From RSA Agenda



An RSA Conference presentation on Microsoft (NSDQ:MSFT) application hacks and exploits that was originally slated for Tuesday was canceled, although it's unclear why.

An RSA Conference spokesperson told Channelweb.com on Tuesday that the session appears to have been canceled in early January, but didn't offer a reason for the cancellation. A Microsoft spokesperson declined to comment on whether the session was canceled at Microsoft's behest.


Whether Microsoft was behind this or not, the company definitely had been doing such things before. There's security through obscurity and security through gagging. And in other news, "Microsoft resumes XP patch distribution; says rootkit remover coming soon"

In mid-February, Microsoft halted automatic distribution of one of its Windows patches, blaming the interaction of the patch with already-present malware on users’ systems for a rash of blue-screen-of-death reports among XP users.


Microsoft would love to just blame "a rootkit", but this was caused by lack of security in the first place. It is a circular trap that still has Microsoft deserving at least some of the blame. This problem was also covered in [1, 2].

In other news, we soon learn that "patchy Windows patching leaves users insecure," according to Secunia.

Windows users need to patch their systems an average of every five days to stay ahead of security vulnerabilities, according to a study this week.

The numbers come from a company called Secunia which just happens to be developing an all-in-one patching tool to reduce update headaches for consumers.

Stats from the two million existing users of Secunia's free Personal Software Inspector tool show the average home user needs an average of 75 patches from 22 different vendors to be fully secure. The complexity of patching means that most users are not even in the race, meaning that hackers hoping to exploit software vulnerabilities to infect vulnerable systems stay well ahead of the game.

Matters are further complicated by the variety of different update mechanisms applied by differing suppliers.


Secunia says that "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs" and as our reader put it, "Doesn't Linux have a one-stop-shop for the distro? As long as you stick with the official "repository", everything can be automatically updated, including the apps."

From One Windows Botnet to Another



Microsoft has a new zero-day vulnerability in its hands and the attempt to suspend Windows botnets is of course futile. There are just too many Windows botnets out there.

Spamhaus: Microsoft's botnet cull had little effect



Microsoft's takedown of the Waledac botnet has not been effective, according to some security researchers.

The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.


We wrote about the Waledac takedown in [1, 2, 3]. Here is more new information about it:

Well, criticism has come from two main areas: Firstly, as Jose Nazario of Arbor Networks Inc. , a security solutions provider, told The Wall Street Journal, the Internet addresses that Microsoft’s lawsuit brought down could be a small percentage of those used by hackers to control the network. "The botnet will survive in many cases," said Nazario.

And Richard Cox, the chief information officer at anti-spam service Spamhaus told ComputerWorld: "If this did affect spam, we haven't noticed… Waledac was not a high threat; it's less than 1% of spam traffic.”


On the face of it, Microsoft Windows may rely on Free software to secure the Web from itself.

From Microsoft to Apple



Apple is suing Linux (we covered this in [1, 2, 3, 4, 5]). Apple becomes more of a fighting company (an aggressor), not a pacifier.

Apple is also hiring from Microsoft, based on this report about Window Snyder.

Window Snyder's first day at Apple was Monday, according to PC World. While it noted that Apple was the "third browser-maker in the past five years that has employed Snyder," it did not indicate whether she would work on the Safari browser or some other technology for the Cupertino, Calif., company.


Microsoft was spreading lies about Firefox (and sometimes GNU/Linux too), but even Snyder, who had worked for Microsoft, told them off for it*. It all happened when she worked for Mozilla, but she luckily left after using her Mozilla hat to praise Microsoft. She is going to Apple now.

From US DOJ to Microsoft



Microsoft's fairly new hire from the US DOJ is upsetting many people. Scott Charney's remarks [1, 2, 3] led to some strong reactions. "Blow me," says this one article from iStockAnalyst to Microsoft:

In short, these machines are infested (not infected, infested) because their operating system has historically been full of security holes (this has improved, especially in Windows 7, to be fair.)

So what does Microsoft propose?

So who would foot the bill? "Maybe markets will make it work," Charney said. But an Internet usage tax might be the way to go. "You could say it's a public safety issue and do it with general taxation," he said.

That's nice.

Sell an insecure operating system and then get someone else to pay a tax because they bought an arguably-defective product you sold? How about this instead Microsoft?

For each computer infested, the publisher of the operating system sold to that user is assessed a fine of US $100,000 by the Department of Justice.


Here is what The Atlantic argues:

Most opponents of a tax would say that software companies should be responsible for paying, since it's their responsibility to develop a safe product. Indeed, some criticize Microsoft for advocating a tax as an excuse to spend less of their own money developing safer software.


Also see:

Microsoft's Ideas for Making PCs Safer

Microsoft's Scott Charney Calls For Disrupting Cybercrime Activities

Microsoft Security Chief proposes taxes to protect the Internet

Microsoft moots digital healthcare tax

Microsoft's Ideas for Making PCs Safer

Microsoft and the Incredible 'Internet Usage Tax'

Say It Ain't So, Microsoft

Maybe Microsoft Vice President for Trustworthy Computing Scott Charney wanted to see if his audience was really awake. Maybe he entered a time warp and thought it was April 1st. Maybe someone gave him a funny cookie. Or maybe he really didn't think it would be sheer lunacy to suggest levying an Internet tax on Americans to pay for cybersecurity.

[...]

What Were You Thinking, Scott?

Not satisfied with blaming and seeking to punish the victim, Charney then went on to suggest the imposition of a tax on Internet users to ensure cybersecurity.

"You could say it's a public safety issue and do it with general taxation," he said.

Really, Scott? Why should we the users pay for the ineptness of software vendors? And please, don't give me that tired routine about the bad guys being out there always looking for flaws.

Let's take an analogy from real life. When you're a kid your parents tell you the rules for living safely. Don't talk to strangers or take candy from them. Look both ways before you cross the street. Don't walk down dark streets or alleys at night. Never walk between a parked van and the wall, especially at night. Keep your doors locked.


Even some Microsoft boosters disagree with Microsoft on this, whereas most are unable to sincerely criticise it [1, 2, 3]. ______ * Microsoft hates real numbers, so it manufactures its own.

Recent Techrights' Posts

Daniel Pocock: "I've Gone to Some Lengths to Demonstrate How Corporate Bad Actors Have Used Amateur-hour Codes of Conduct to Push Volunteers Into Modern Slavery"
"As David explains, the Codes of Conduct should work the other way around to regulate the poor behavior of corporations who have been far too close to the Debian Suicide Cluster."
 
Links 18/05/2024: Caledonia Emergency Powers, "UK Prosecutor's Office Went Too Far in the Assange Case"
Links for the day
Microsoft ("a Dying Megacorporation that Does Not Create") and IBM: An Era of Dying Giants With Leadership Deficits and Corporate Bailouts (Subsidies From Taxpayers)
Microsoft seems to be resorting to lots of bribes and chasing of bailouts (i.e. money from taxpayers worldwide)
US Patent and Trademark Office Sends Out a Warning to People Who Do Not Use Microsoft's Proprietary Formats
They're punishing people who wish to use open formats
Links 18/05/2024: Fury in Microsoft Over Studio Shutdowns, More Gaming Layoffs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 17, 2024
IRC logs for Friday, May 17, 2024
Links 18/05/2024: KOReader, Benben v0.5.0 Progress Update, and More
Links for the day
Microsoft-Connected Sites Trying to Shift Attention Away From Microsoft's Megebreach Only Days Before Important If Not Unprecedented Grilling by the US Government?
Why does the mainstream media not entertain the possibility a lot of these talking points are directed out of Redmond?
[Meme] UEFI 'Secure' Boot Boiling Frog
UEFI 'Secure' Boot: You can just ignore it. You can just turn it off. You can hack on it as a workaround. Just use Windows dammit!
The Market Wants to Delete Windows and Install GNU/Linux, UEFI 'Secure' Boot Must Go!
To be very clear, this has nothing to do with security and those who insist that it is have absolutely no credentials
In the United States Of America the Estimated Share of Google Search Grew After Microsoft's Chatbot Hype (Which Coincided With Mass Layoffs at Bing)
Microsoft's chatbot hype started in late 2022
Techrights Will Categorically Object to Any Attempts to Deny Its Right to Publish Informative, Factual Material
we'll continue to publish about 20 pages per day while challenging censorship attempts
Links 17/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, More YouTube Censorship
Links for the day
YouTube Progresses to the Next Level
YouTube is a ticking time bomb
Journalists and Human Rights Groups Back Julian Assange Ahead of Monday's Likely Very Final Decision
From the past 24 hours...
[Meme] George Washington and the Bill of Rights
Centuries have passed since the days of George Washington, but the principles are still the same
Video of Richard Stallman's Talk From Four Weeks Ago
2-hour video of Richard Stallman speaking less than a month ago
statCounter Says Twitter/X Share in Russia Fell From 23% to 2.3% in 3 Years
it seems like YouTube gained a lot
Journalist Who Won Awards for His Coverage of the Julian Assange Ordeals Excluded and Denied Access to Final Hearing
One can speculate about the true reason/s
Richard Stallman's Talk, Scheduled for Two Days Ago, Was Not Canceled But Really Delayed
American in Paris
3 More Weeks for Daniel Pocock's Campaign to Win a Seat in European Parliament Elections
Friday 3 weeks from now is polling day
Microsoft Should Have Been Fined and Sanctioned Over UEFI 'Lockout' (Locking GNU/Linux Out of New PCs)
Why did that not happen?
Gemini Links 16/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, Cash Issues
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 16, 2024
IRC logs for Thursday, May 16, 2024
Ex-Red Hat CEO Paul Cormier Did Not Retire, He Just Left IBM/Red Hat a Month Ago (Ahead of Layoff Speculations)
Rather than retire he took a similar position at another company
Linux.com Made Its First 'Article' in Over and Month, It Was 10 Words in Total, and It's Not About Linux
play some 'webapp' and maybe get some digital 'certificate' for a meme like 'clown computing'
[Meme] Never Appease the Occupiers
Freedom requires truth. Free speech emancipates.
Thorny Issues, Violent Response
They say protests (or strikes) that do not disrupt anything are simply not effective. The same can be said about reporting.
GNU/Linux in Malaysia: From 0.2 Percent to 6+ Percent
That's like 30-fold increase in relative share
Liberty in Liberia? Windows Falls Below 10% and Below iOS
This is clearly a problem for Microsoft
Techrights Congratulates Raspberry Pi (With Caution and Reservations)
Raspberry Pi will "make or break" based on the decisions made in its boardroom
OSI Makes a Killing for Bill Gates and Microsoft (Plagiarism and GPL Violations Whitewashed and Openwashed)
meme and more
The FSF Ought to Protest Against UEFI 'Secure Boot' (Like It Used To)
libreplanet-discuss stuff
People Who Defend Richard Stallman's Right to Deliver Talks About His Work Are Subjected to Online Abuse and Censorship
Stallman video removed
GNU/Linux Grows in Denmark, But Much of That is ChromeOS, Which Means No Freedom
Google never designs operating systems with freedom in mind
Links 16/05/2024: Vehicles Lasting Fewer Years, Habitat Fragmentation Concerns
Links for the day
GNU/Linux Reaches 6.5% in Canada (Including ChromeOS), Based on statCounter
Not many news sites are left to cover this, let alone advocate for GNU/Linux
Links 16/05/2024: Orangutans as Political Props, VMware Calls Proprietary 'Free'
Links for the day
The Only Thing the So-called 'Hey Hi Revolution' Gave Microsoft is More Debt
Microsoft bailouts
TechTarget (and Computer Weekly et al): We Target 'Audiences' to Sell Your Products (Using Fake Articles and Surveillance)
It is a deeply rogue industry that's killing legitimate journalism by drowning out the signal (real journalism) with sponsored fodder
FUD Alert: 2024 is Not 2011 and Ebury is Not "Linux"
We've seen Microsofers (actual Microsoft employees) putting in a lot of effort to shift the heat to Linux
Links 15/05/2024: XBox Trouble, Slovakia PM Shot 5 Times
Links for the day
Windows in Times of Conflict
In pictures
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 15, 2024
IRC logs for Wednesday, May 15, 2024