mailto: blog -at- heyrick -dot- eu


Microsoft - WTF?

Sometimes you read something and there is no response other than to shake your head in disbelief...

I shall quote salient points, however you may read the full blog entry which is sure to attract a lot of attention.

In a nutshell - Microsoft dude reckons infected computers ought to be quarantined.

 

most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems,
No system is secure. Every system is vulnerable. Yes, this includes Macs and Linux. The reason these machines have not been targeted is that Macs are sort-of mainstream and Linux is still largely in the domain of the geek sector. In other words, a vast majority of Windows users are idiots. There is a significant majority of Windows users who are unable to tell the difference between "the Internet" and that little blue 'e'.
Lots of Windows users do dopey things, fall for scams, and so on. This, with problems inherent in Windows (I will slam later on...) make for easy pickings. Mac and Linux users tend to be smarter on the whole. Let's face it, if you can get Linux installed and talking to all of your hardware, you gotta be pretty clever... I gave up trying to get Ubuntu to recognise my printer.

[...] it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat [...]
And what, Microsoft can do better? Sorry, no. Microsoft has consistently FAILED in this arena.

Despite our best efforts, many consumer computers are host to malware or are part of a botnet.
You meant to say ...many consumer computers running Windows are host....

devastating consequences if used for an attack on critical government infrastructure or financial systems.
And this is why more and more governments are turning to more secure open source solutions.

Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
I call bullshit on this. Why? These rules break down in cases where infection is unknown or vaccines do not exist, in which case quarantining is an important part of medical procedure, however it is insufficient to say "our operating system security is a piece of crap so we recommend that everybody affected be quarantined".

Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
So I understand that this means Microsoft will be removing Internet support from their computers as of the next update cycle? No? Then shut up you hypocritical moron.

To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.
As opposed to, say, an operating system that by default would allow unfettered access to system resources? Come on, people, malware and rootkits only walk in the door if the operating system says it's okay. Anti-virus solutions do a fair amount to protect users, but they are mostly reactive rather than pro-active; thus meaning a zero-day attack could walk right through an anti-virus which has yet to 'learn' of the new threat.

there is a huge opportunity to promote this Internet health model. As part of this discussion,
Frankly, I think the issue of botnets - while important - will shrink when compared against the looming disaster that is IPv6. Or, more likely, the vast numbers of domestic equipment (including modern and current ADSL routers) which have no real support for IPv6 plus operating systems which don't support it, plus a whole new epic problem in the fact that the current practice of hiding computers on an intranet hiding behind a router (how many of you are using computers with IP address 192.168.x.x?) ceases to happen with IPv6, at which point every machine becomes uniquely addressable using a hairy scheme not unlike 54:a4:e7:34:10 which is so easy to remember...
Personally, I think IPv6 should be scrapped and a more transitional and compatible system should be introduced - IPv6 only really answers the lack of addresses while creating many new issues.

The risk that botnets present to Internet users and critical infrastructures must be addressed.
Agreed.

A public health model can empower consumers and improve Internet security.
Disagreed. It makes sense on the surface, but - well - how are people supposed to find solutions to the problem if they are cut off? How do you explain to somebody who does "facebook" and looks up their lottery numbers that their computer is a great lurking hazard?
And this will entail what - expensive support? Are you trying to push work to second-rate IT consultants?

Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
Some ISPs are warning users if traffic profiles indicate botnet activity. But government interference? WTF are you on, numbnuts? How about government intervention to target spam? How about government intervention to target those running botnets? Oh, wait, you can't. Because you're just urinating into a hurricane when it turns out that said servers are out of your government's jurisdiction.

This is not to mention a whole host of freedom of speech issues, plus issues arising from not being provided with the service for which you pay...

Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health.
Privacy concerns? This coming from an American!? Got two words for you: Google and Facebook, the CEOs of each having stated words to the effect of privacy being more or less a non-issue in the world.

In that regard, examining health is not the same as examining content;
Not true. I have stated twice to Orange (and received bogus replies, but I have kept copies of my mails and their responses) that I do not consent to having my internet connection monitored. They claim it is to better know what sort of products and services I might be interested in. This is their claim, but what is involved in providing such a service? Remember, your ISP is pretty much the only point in the entire world (the other being your router) where it is possible to collate a list of all the sites you visit, what ports (and, therefore, technologies) are used, and even down to the level of snooping on all content passing.
Given this privileged position, is it not unreasonable to have some expectation of privacy, or even professional responsibility, from your service provider?
Remember - a lot of stuff (POP3 passwords, numerous site logins) is sent as cleartext.

We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy
If we are going to go the legislation route (which is a crock, but very American), why don't we start with operating system developers who release operating systems with severe faults?

Now we've reached the end of this mind-numbing blog post, let's look at why Microsoft are in potentially the worst possible position to advocate anything of this nature:

So let's see: we have inadequate user controls, possibly an opt-in system for software process protection, plus the most widely deployed operating system to date having given users administrator rights by default.
And now they're complaining about internet health?

The irony is unbearable. I think I'll stop here and go wet myself laughing...

 
