mailto: blog -at- heyrick -dot- eu
Microsoft smells the coffee
Last month, Microsoft unveiled a technet blog posting calling for, as the title says, "The Need for Global Collective Defense on the Internet".
I wrote a comment slamming the idea with respect to Microsoft, but this post either failed silently, or was deleted. Well well... Anyway...
After a good couple of opening paragraphs, with respect to "Cyber" security and "Cyber Threats" (I'm sorry, I can't take anybody seriously when they refer to "Cyber"-anything in a non-ironic sense), we start to see the dark vision appear:
This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health.
What exactly does this mean, "Internet health"? How does one define health on the internet? One person might define it as "no more porn", another as "no damn advertising", and Google might think all is healthy when their click-advertising is pulling in good revenue. To that matter, how does one call a computer "sick"? When it is misbehaving? Aside from actual hardware faults, computers only follow instructions. Sometimes even the major applications or the operating system itself can crash. Sometimes there is no reason or pattern. Is the computer sick? Or is this simply a quirk of the unimaginable amounts of code residing on the machine, crafted by tens of thousands of people, with more information than will pass through your mind in your lifetime whizzing around its digital circuitry every minute. It is a marvel of modern design, and sometimes a miracle it works at all. But those times when it doesn't, is it a quirk, an error, or sick?
Despite our best efforts, many consumer computers are host to malware or are part of a botnet.
The irony here is killing me. While everything, from the lowly desktop PC to embedded devices like printers, is liable to be an attack vector, the basic fact of the matter is that the majority risk is... Windows.
Mac owners are, by and large, stupid. The number of times I have seen Mac users say they are safe and don't need anti-virus and firewalls... frankly Mac accounts for around 5%. Windows, in various incarnations, accounts for around 90% (Linux and 'other' making up the difference). There's no point in killing the MBR and wiping harddiscs, now it is organised crime and money. Thus, it is preferable to break into the computer to retrieve logins, card details, and such.
And, tell me, which web browser have various governments actually warned their citizens not to use?
Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.
Actually, you could equally argue that vaccinated people are of greater risk to others if those others are not vaccinated. Why? Because they appear to be normal healthy people, but are carriers. If they were ill, at least the unvaccinated would know to stay away from them.
Likewise, I don't give a crap about uncle Joe's computer. I run an active firewall, I am careful about what is on my machine, and I use a well known anti-virus product. You can no longer say this is the sort of world you can get away with just not bothering and expecting others to take care of your security for you.
Greater threat to society? Wanting to fine people $$$$ for sharing a song, while saying that they cannot legally buy said song in their region, that crap like that flies is a threat to society. That we, in Europe, are restricted in what we are able to go as a result of American Software Patent law, is a threat to society; as are the patents awarded to ideas which can hardly be described as novel...
In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.
Because, as if it actually needs to be pointed out, threats like "Bird Flu" and "SARS" (isn't that a TV station?) have the possibility to KILL people. If your computer gets infected, it could be damaging to your reputation, it could lead to identity theft. But it does, to a degree, depend upon what you put out. For example, I am on Facebook as part of a group of "us from work". They have my email address as heyrickmail-facebook at Yahoo! and they do not have my home address. There is my DOB and a list of interests, but that's about it. I have not "bought" any apps, I have not (and never will) give them my card. For sites I trust, I use my bank card. For everything else (and this specifically includes anything to do with PayPal), I use the virtual credit card.
Are we on StreetView these days? Maybe, maybe not. What you won't ever see is a "here, check out my house" with a link. The less you share, the less you risk.
Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.
Maintain, huh? Given that Windows XP is the most widely deployed operating system, how long will Microsoft maintain XP?
I believe Internet Explorer 9 is coming to be a reasonable browser, but sorry - not only does it not work on XP, it is decades too late. Really, IE6 is perhaps the biggest harm inflicted on the Internet in recent times. And lots of people still use IE6, some of whom are stuck with it because their fancy utilities are not compatible with later versions. Sure, this is not exactly Microsoft's fault, but I seem to recall at one point Microsoft saying IE6 was like the definitive version of IE...
...and, I guess, more fool the overpaid webdevs who believed that.
The risk that botnets present to Internet users and critical infrastructures must be addressed.
Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats.
My paranoia itch is starting to tingle. A collective defence run by who? The Americans? Thank you, but since the Americans have been wetting themselves near-constantly since 9/11, I am not sure I'd want them in charge of anything whatsoever. The current airport scanning and data transfer requirements are an intrusive security pantomime. Welcome, Americans, to what other countries have been dealing with for many years. I don't recall the British in full panic mode following IRA bombs (which, one could argue, have been part-funded by Americans).
A public health model can empower consumers and improve Internet security.
This is an empty statement that says nothing. Beaurocracy rarely empowers users. And given the lack of legal control and the many participating countries, how effective will this really be? My God, we still have failed to come up with a decent framework for dealing with unsolicited advertising by email.
Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
No. Find me one large British government IT contract that hasn't been ridiculously expensive, badly specified, and partially broken. Sorry, I would not trust the government to do this sanely, correctly, and without attracting needless "fees" and "fines" as it will be seen as another source of revenue (rather like how the global warming melodrama has lead to a variety of eco-taxes, which I seriously doubt are being spent on environmental projects.
Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.
There is a thing called trust. I already have a serious lack of trust with my ISP (Orange France) for them sneaking into the new Tc&Cs that they have the right to monitor my communications in order to better know my requirements (for advertising services). Monitor what? And how? And when I mailed them to register my objection, I was told that I can take my name on or off of the "do not call" list. Given I quoted the term involved, this is either a deliberate misreading or a really stupid customer support agent (given some experience, I'd suggest the latter!). In any case, I do not trust Orange. Neither would I trust a government to report on the "health" of my devices. The opportunity to data-grab is just too great - look at Phorm.
Notwithstanding, how exactly does anybody plan to assess my devices? Intrusive hack attempts? That would be not legal and not welcome. Signed and verified code? Yeah, like that is feasible. Doubly so for open source dev cycles measured in days. Something that is perfectly safe can in an hour become perfectly vulnerable if a 0-day exploit does the rounds. So how exactly is anybody proposing to perform health checking on devices?
...or do they think blocking users running IE6 and Win32 systems will magically cause all of these problems to cease?
For its part, Microsoft looks forward to continuing to provide and promote research and development that will make system scanning and cleanup more cost effective, along with looking to solve current technical barriers. We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy.
I know that a group of coders within Microsoft face a daunting task in making Windows bulletproof, but until it is, I really don't think Microsoft is the company in a position to talk to anybody about Internet security.
I accept that things are improving with Windows 7, however XP is the most deployed at this time, and Microsoft missed a HUGE opportunity with the transition to XP.
XP was different enough to earlier builds that it pretty much required new drivers to be written. XP introduced security rings in order, pretty much, to protect the system from itself. Little concern was given to external security, so we had:
- An operating system that created a default user profile that had full admin access.
This epic fail has led to a number of drivers/programs that, quite simply, will not work unless you are an admin (try installing Flash, for instance).
You could, of course, say this is a fault of the people releasing the drivers, and that is true. But Microsoft missed an opportunity to enforce decent user access rights.
- The group admin policy stuff was considered a tool for the "professional" user, and as such how can you tweak what a user can and cannot do? For example, the "admin" is too permissive, while a "limited" user is too restricted. I would like, for instance, to be able to alter my system clock and set up various desktop-related options and rights, while blocking applications from messing around with
\Windows or important parts of the system registry. Is this possible? Honestly, I do not know. I run as an admin and I take great care in what I let pass into my machine. It is not a good solution, but it is a solution that works better than being a limited user, for that is too restrictive. But, I am at risk of a rootkit being able to install itself, due largely to Microsoft's inability to understand what users actually need to do while remaining protected. And this, dear friends, is how botnets operate. A little bit of very clever software installs itself at a very low level and sits, in the background, virtually undetectable. And how does it get there? Microsoft's "admin-by-default" policy.
- The Windows firewall is yet more fail. Firstly, you can
ping a Windows box. While this makes it simple for testing a LAN is hooked up correctly, it does show that the machine is present. A proper filewall will not respond to any communications (at all) unless it has been specifically permitted for exposure. The grc.com "Shields Up!" test for the common service ports should show all green - if it does not, there is a problem.
But an even bigger problem is that the Windows firewall does not even attempt to block outgoing connections. I just reset my firewall to its defaults and loaded up my VeroDes, which attempts to connect to heyrick.co.uk to see if there is an update. Which it did, with no warning from the Firewall. The only time the XP firewall asks you anything is when a program wants to open a port for incoming connections. Which is, frankly, not a lot of use for those who have software wishing to "phone home" what it finds. Indeed, while a botnet typically opens a port and awaits instructions, it would be trivial to write a program to fire a "what should I do" request every hour, and this would completely bypass the default XP firewall.
What we need to see is the following window pop up for every application that makes a socket connection, regardless of direction...
And, to be brutally honest, until the Windows XP firewall is capable of even performing such a basic task, I'm afraid I just cannot take anything Microsoft says about security seriously.
This, however, is not taking into account alternative issues, such as:
- If you are banished from the Internet...
...how do you go to look for information on what is going on? Wait, hang on, you only have what - if anything - the organisation blocking you decides your are able to have. Furthermore, if one computer behind a router is "sick", will that IP address (and any other computers) be blocked as well? How do you prove your machine is "healthy"? What recourse if your OS is in any way unusual and the remedy you are deigned to access does not work, or is loaded with advertising and such and you don't want to install it, or it makes things worse? This will, I assume, also block your access to basic services (news, weather, emails/forums)? Do we not have a right to the communications channel?
- We are starting to see a potential class war
For no doubt any of these provisions will not be free. One of the main reasons I have never gone to Windows 7 is that I just cannot justify the cost for what is, to me, a redesigned XP. Does Win7 bring orgasmic new features? No, not really. At least, nothing I can justify nearly a week's wage on buying. For only marginally more than the cost of a Windows 7 licence (and no, not the crappy "basic" version), I can buy a completely new eeePC (with XP...). I think I know which I would find more useful, as it comes down to "new OS or whole new computer". Gee, that's a hard one...
Likewise, I cannot imagine any government or commercial enterprise around will manage "computer health" for free, so we will start to see a situation where people cannot afford to do that which is necessary to permit them to go on-line, while the affluent just rack it up as another thing to use as a tax deduction. All of this because the so-called professionals created a vulnerable system and now act shocked at the fact that it is attacked. Did anybody notice there were no figures in the original posting? Maybe Microsoft couldn't face the bleedin' obvious - but to me it is mindblowing that the company that is most directly responsible for the widespread deployment of malware now wants such machines kicked off of the Internet. This post surely belongs on April 1st?
There is a technical approach that could be implemented at the ISP level. Botnets need somewhere to call home to, and (depending on technology) they may use specific ports. Well, the ISP is your "portal" to The Wired and it is one of the few places in the entire Internet structure where your connection can be completely monitored.
Thus, a solution that could work is to block IP addresses of botnet controllers, and also block specific ports. An example of this in operation is that on my Orange network, it is simply impossible to connect to the SMTP port on any machine other than orange.fr. I don't know why they bother, since I sent myself an email from "email@example.com"... but I digress, it shouldn't be difficult to maintain a list of bad IPs and bad ports, and block them.
To be honest, since this can be used against BitTorrent clients (that suffer the weakness of needing to translate to a "tracker"), I'm surprised it hasn't been implemented already...
So for a laugh, I downloaded the free Virtual Woman software. It is quite dated looking, and the AI is, shall we say, lacking.
It took around five minutes and some really cheesy lines to get the cute(ish) Asian "Lucy" to:
Seriously, the things I had to say to get her willing to strip (what, right in front of me? in public? are you kidding?) really would have enticed a real girl to slap me. Hard.
So I tried a new girl with a different approach:
Do you think I look fat?
And it got worse. I think I was able to exercise every Anglo-Saxon word I know about a dozen times before she said:
Seriously, you can be honest about how I look. Sometimes I think certain outfits make me look dumpy. Do I look like I need to lose some weight?
Let's talk about something else.
No, you're fat.
Well, I don't obsess about my weight, but I do try to keep fit. I just don't get crazy about it like some girls do.
You should obsess, you are a giant balloon.
Why are you interested in whether or not I am a giant balloon?
You're fat, ugly, fake, and you have the lamest parser I've ever seen. A schoolchild could do better.
Teachers and I never seemed to get along.
You belong in an asylum.
Are you talking about me?
Yes, bitch, who the hell else is here?
I can tell where you get most of your dates.
I don't care what you think, in fact, **** you.
That's great. I think I see a cute guy over there I'm going to talk to.
The lesson here? It is harder to annoy a chick than to get her to show me her panties. Hardly realistic, huh?
Well, for most of the day it was quite windy. I tried in a gentle breeze in the evening and had the amusing result of my little helicopter literally lobbing itself right over a full sized oak tree - damn I wish I had a camera attached for that!
The thing is, you need to hit the throttle to get it into the air, but then quickly ease up. There's an evil part of me wondering quite how high it'd go. But when you ease up, you don't want to slacken off until it falls right back out of the sky! This is why it would be good to have a decent running time, to get a feel for the controls. I adapted pretty quickly to the ups and downs so it held itself fairly steady instead of yoyoing.
Getting the budgie in trim is not so easy, especially as it seems also to depend upon battery charge (the two rotors are driven by independent motors). Sadly this is something of an issue, offering 5-10 (not actually timed it yet) minutes of flying time on a charge. That's some battery abuse going on there!
I tried again at night with the outside lights and it was pretty fine. I was able to get it to a pretty steady hover, stable enough that I could reach up and have it settle down onto my hand. It still drifted, slowly, on account of the barely-perceptable breeze.
Here is the helicopter hovering at a height of about two metres:
The main problem, I feel, is that the tail rotor (forward/backward) is barely capable of pushing the helicopter around. In fact, it is more inclined to make it start to spin. I fixed an AA battery to the rubber skids to throw off the centre of gravity to make it inclined in the forwards direction, but amusingly this didn't appear to make much difference! It'll be nice to know if there's a bit of "play" in the centre of gravity, as this means I could be more flexible with any camera I hook up.
You need to go up about 30-40cm to clear the worst of the ground effect:
I might see if the field barn is enclosed enough I can fly it in a wind-free area, but I am wondering if, when I play with the camera, it isn't a case of going up and hoping for the best. The main thing, I guess, will be to trim out the tendency to spin, and then just point it in the direction of interest.
One of the really dodgy things is if the battery runs low, the motors will just cut out. And without the wind beneath, it has the attributes of a lead balloon. So you really only ought to take it high off a fresh charge. Because I was flying at a height of about two and a half metres (to clear the washing line, that I could not see (it was night, remember)) when it just gave up. And fell from the sky.
The most amazing thing? The little walnut tree poked a branch in the tail boom support and caught it (!wow!), with a branch in the landing gear just to be sure!
No doubt I'll play more. With or without piccies. ☺ That said, I think the last battery charge took around two hours. Ouch! It is 3.7V at 1000mAh. I wonder if I can find a cell with greater capacity? In theory a 2000mAh cell ought to offer around a quarter hour of flying time. Perhaps one of these?
Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.
(Felicity? Marte? Find out!)
List all b.log entries
Return to the site index
PS: Don't try to be clever.
It's a simple substring match.
Last read at 06:32 on 2022/07/05.
© 2010 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.