Bonum Certa Men Certa

“Microsoft Will Have Blood on Its Hands.”


Summary: In the midst of Wikileaks drama we learn that an executions-savvy regime will benefit from Windows cracks

"Windooze insecurity puts Iranian dissidents in mortal danger," states the subject line of an anonymous USENET post, quoting this article. "A Dutch CA called DigiNotar," says the poster, "was hacked by Iranian hackers, likely with the intention of intercepting SSL traffic (Gmail, Facebook etc.) of Iranian activists and freedom fighters. I checked DigiNotar's website and guess what operating system they're using? You guessed it! WINDOOZE ASP.NET!!!

"So now Microsoft will have blood on its hands. Its insecure graphical-shell-pretending-to-be-an-operating-system is now possibly responsible for the deaths and prosecution of many Iranians!! [..] THIS COMPANY SHOULDN'T BE SPLIT UP, IT SHOULD BE SHUT DOWN"

“And as long as otherwise respectable companies insist on e-mailing me "slide shows" in the form of IrfanView .exe files because "it's so user-friendly", Windows will remain as secure as a wet paper bag.”
      --Richard Rasker
A more moderate Dutch poster, Richard Rasker, wrote separately: "I guess we've all heard how a Dutch Certificate Authority by the name of Diginotar, formerly used by even the Dutch IRS authority and countless city councils, has screwed up severely, when their systems were breached by Iranian hackers, who managed to poison the world with many hundreds of bogus certificates. Then they screwed up even more by hushing up about the hack for months -- a huge no-no in a world where trust is the highest good.

"And now it turns out that the screw-up has soared to even greater heights. In case you wondered what OS these people were using, here's the answer:

"For those who don't understand Dutch:

"Fox-IT: Diginotar didn't even use a virusscaner

Fox IT has delivered a devastating verdict on Diginotar's infrastructure. The company didn't adhere to agreements and procedures. Even elementary security measures were totally absent.

These are the conclusions from an investigation by Fox IT into the security breach at Diginotar, as passed by Webwereld and through a governmental source. It turns out that all operations were taking place from within one single Windows domain. This made it possible to gain access to the certificate administration from any work station; logging in to one's work station was sufficient to get access to the systems. This is a mortal sin in the world of IT security. In addition, Diginotar was already aware of the abuse of its certificates as early as July.

No secure zones Even when issuing certificates for government use, standard security rules were trodden underfoot. The government's PKI computers operate from within a secure vault, and should never have been connected to Diginotar's network. Yet even on those machines, investigators found evidence that connections had been made to the Windows domain.

..." [no virus scanner ... no proper logging ... no strong password enforcement ... inadequate intrusion detection ... hackers got & used administrator rights ... certificates chucked in an easily accessible database ... etcetera]

"Now I won't say that this could never have happened in a Linux environment," notes Rasker, "but for a screw-up of these truly epic proportions, Windows is the OS of choice -- because it traditionally "makes things easy", and because Windows users are traditionally not used to working with proper permissions, secure networks and strong passwords.

"And as long as otherwise respectable companies insist on e-mailing me "slide shows" in the form of IrfanView .exe files because "it's so user-friendly", Windows will remain as secure as a wet paper bag. QED."

Recent Techrights' Posts

[Meme] Follow the Law, Not Corrupt Bosses
pressuring staff to break the rules to make more money
The EPO Uses Appraisals to Force Staff to Illegally Grant European Patents or Lose the Job. The Matter is Being Escalated en Masse to ILO-AT, Requesting a Review of Appraisal Reports.
it is only getting worse over time
Debian History Harassment & Abuse culture evolution
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, February 25, 2024
IRC logs for Sunday, February 25, 2024IRC logs for Sunday, February 25, 2024
Gemini Links 25/02/2024: Chronic Pain and a Hall of the Broken Things
Links for the day
Links 25/02/2024: New Rants About 'Hey Hi' Hype and JavaScript Bloat
Links for the day
Going Static Helped the Planet, Too
As we've been saying since last year
Chris Rutter, Winchester College, Clare College choir, Arm Ltd, underage workers & Debian accidental deaths
Reprinted with permission from Daniel Pocock
Gemini Links 25/02/2024: Blocking Crawlers and Moving to gemserv
Links for the day
IRC Proceedings: Saturday, February 24, 2024
IRC logs for Saturday, February 24, 2024
Over at Tux Machines...
GNU/Linux news for the past day
[Meme] Objective Objection at the EPO
No more quality control
EPO Staff Explains Why It Cannot Issue EPC-Compliant European Patents (in Other Words, Why Many Fake Patents Get Issued)
chaos inside
Links 24/02/2024: More Sanctions Against BRICS, Software Patents Squashed
Links for the day
Microsoft's Demise on the Server Side Continues Unabated This Month
Netcraft says so
Bonnie B. Dalzell Explains Her Experience With Richard Stallman
new essay
Gemini Links 24/02/2024: OpenBSD Advocacy and Nonfree Firmware Debated
Links for the day
Mark Shuttleworth & Debian Day Volunteer Suicide cover-up
Reprinted with permission from Daniel Pocock
IRC Proceedings: Friday, February 23, 2024
IRC logs for Friday, February 23, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Links 24/02/2024: EA Planning Layoffs and 'Liquor Regulators Are Seeking Revenge on Bars That Broke Pandemic Rules'
Links for the day
Gemini Links 24/02/2024: In Defense of Boilerplate and TinyWM Broke
Links for the day