mailto: blog -at- heyrick -dot- eu
Microsoft - WTF?
Sometimes you read something and there is no response other than to shake your head in disbelief...
I shall quote salient points, however you may read the full blog entry which is sure to attract a lot of attention.
In a nutshell - Microsoft dude reckons infected computers ought to be quarantined.
most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems,
No system is secure. Every system is vulnerable. Yes, this includes Macs and Linux. The reason these machines have not been targetted is that Macs are sort-of mainstream and Linux is still largely in the domain of the geek sector. In other words, a vast majority of Windows users are idiots. There is a significant majority of Windows users who are unable to tell the difference between "the Internet" and that little blue 'e'.
Lots of Windows users do dopey things, fall for scams, and so on. This, with problems inherent in Windows (I will slam later on...) make for easy pickings. Mac and Linux users tend to be smarter on the whole. Let's face it, if you can get Linux installed and talking to all of your hardware, you gotta be pretty clever... I gave up trying to get Ubuntu to recognise my printer.
[...] it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat [...]
And what, Microsoft can do better? Sorry, no. Microsoft has consistantly FAILED in this arena.
Despite our best efforts, many consumer computers are host to malware or are part of a botnet.
You meant to say ...many consumer computer running Windows are host....
devastating consequences if used for an attack on critical government infrastructure or financial systems.
And this is why more and more governments are turning to more secure open source solutions.
Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
I call bullshit on this. Why?
These rules break down in cases where infection is unknown or vaccines do not exist, in which case quarantining is an important part of medical procedure, however it is insufficient to say "our operating system security is a piece of crap so we recommend that everybody affected be quarantined".
- A non-vaccinated individual is not a risk to a vaccinated person, else what point the vacine?
- A vaccinated individual is greater risk to non-vaccinated people as they have the potential to be a silent carrier.
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
So I understand that this means Microsoft will be removing Internet support from their computers as of the next update cycle? No? Then shut up you hypocritical moron.
To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.
As opposed to, say, an operating system that by default would allow unfettered access to system resources? Come on, people, malware and rootkits only walk in the door if the operating system says it's okay. Anti-virus solutions do a fair amount to protect users, but they are mostly reactive rather than pro-active; thus meaning a zero-day attack could walk right through an anti-virus which has yet to 'learn' of the new threat.
there is a huge opportunity to promote this Internet health model. As part of this discussion,
Frankly, I think the issue of botnets - while important - will shrink when compared against the looming disaster that is IPv6. Or, more likely, the vast numbers of domestic equipment (including modern and current ADSL routers) which have no real support for IPv6 plus operating systems which don't support it, plus a whole new epic problem in the fact that the current practice of hiding computers on an intranet hiding behind a router (how many of you are using computers with IP address 192.168.x.x?) ceases to happen with IPv6, at which point every machine becomes uniquely addressable using a hairy scheme not unlike 54:a4:e7:34:10 which is so easy to remember...
Personally, I think IPv6 should be scrapped and a more transitional and compatible system should be introduced - IPv6 only really answers the lack of addresses while creating many new issues.
The risk that botnets present to Internet users and critical infrastructures must be addressed.
A public health model can empower consumers and improve Internet security.
Disagreed. It makes sense on the surface, but - well - how are people supposed to find solutions to the problem if they are cut off? How do you explain to somebody who does "facebook" and looks up their lottery numbers that their computer is a great lurking hazard?
And this will entail what - expensive support? Are you trying to push work to second-rate IT consultants?
Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
Some ISPs are warning users if traffic profiles indicate botnet activity. But government interference? WTF are you on, numbnuts? How about government intervention to target spam? How about government intervention to target those running botnets? Oh, wait, you can't. Because you're just urinating into a hurricane when it turns out that said servers are out of your governments jurisdiction.
This is not to mention a whole host of freedom of speech issues, plus issues arising from not being provided for the service for which you pay...
Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health.
Privacy concerns? This coming from an American!? Got two words for you: Google and Facebook, the CEOs of each having stated words to the effect of privacy being more or less a non-issue in the world.
In that regard, examining health is not the same as examining content;
Not true. I have stated twice to Orange (and received bogus replies, but I have kept copies of my mails and their responses) that I do not consent to having my internet connection monitored. They claim it is to better know what sort of products and services I might be interested in. This is their claim, but what is involved in providing such a service? Remember, your ISP pretty much the only point in the entire world (the other being your router) where it is possible to collate a list of all the sites you visit, what ports (and, therefore, technologies) are used, and even down to the level of snooping on all content passing.
Given this privileged position, is it not unreasonable to have some expectation of privacy, or even professional responsibility, from your service provider?
Remember - a lot of stuff (POP3 passwords, numerous site logins) are sent as cleartext.
We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy
If we are going to go the legislation route (which is a crock, but very American), why don't we start with operating system developers who release operating systems with severe faults.
Now we've reached the end of this mind-numbing blog post, let's look at why Microsoft are in potentially the worst possible position to advocate anything of this nature:
- Windows XP was a massive change to the heart of Windows computing. The system became a lot more secure with regards hardware access than the older Win32 that let any application access any hardware.
While this is all a good thing, Microsoft epically failed on the security front. Pretty much anything that worked on Win32 needed new drivers to work on XP. So why the hell did they not take this further with the security model?
A default basic installation of Windows XP asks you for your name, creates a user profile for you, and gives you administration access. WHY? Oh, it's because you need administration access to have numerous things work properly.
Thanks to Microsoft's lack of giving a damn for a decade, there was no push to make things work with limited user accounts.
This coupled with the user account system being somewhat broken...
Don't suggest playing with user policies, as this is "complicated" and you don't get the policy editor with the home edition. Registry tweaks? Don't even go there...
- You need to be an administrator to install a fair bit of software. While this makes sense for stuff downloaded from the Internet, it can be tedious to change back and forth. In addition, if you are not admin, you only know about this when installation fails inexplicably. Try logging in as a limited user and installing Flash...
What is needed is a special "install this product" mechanism that provides sufficient rights for most software installs without overly compromising the system.
- I have on my backdrop a logout shortcut, namely "
%windir%\system32\shutdown.exe -l -t 1" which is easier than going through the menus.
Can't do that on a limited account.
Wait, you can't programmatically log out? Are you kidding me?!
You can't set the clock either.
- Vista attempted to mitigate this issue with User Access Control. We have met UAC, it's that bogus warning that pops up too damn often for pointless things. I'll give you an example - most of my programs store data in its own application folder. This isn't good form, but it works reliably on all breeds of Windows. This coupled with VB providing easy access to that sort of data (
App.Path...) while providing nothing for finding out important things such as, say, "user home folder" or "current temp folder". This coupled with the DOS/Windows filename expansion being a piece of crap - they (and Unix too) ought to look at how RISC OS handled paths. A great and truly flexible system, nothing else compares...
- DEP - this apparently needs to be supported by the software, on a per-product basis. Why? Why doesn't the OS provide DEP automatically across the board?
So let's see: we have inadequate user controls, possibly an opt-in system for software process protection, plus the most widely deployed operating system to date having given users administrator rights by default.
And now they're complaining about internet health?
The irony is unbearable. I think I'll stop here and go wet myself laughing...
Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.
(Felicity? Marte? Find out!)
List all b.log entries
Return to the site index
PS: Don't try to be clever.
It's a simple substring match.
Last read at 21:39 on 2021/01/26.
© 2010 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.