
How Microsoft fuels Internet terrorism

This topic is archived.

htuttle Donating Member (1000+ posts) Thu Aug-28-03 11:25 AM
Original message
How Microsoft fuels Internet terrorism
By Russ McGuire

This past week, every day when I opened my Wall Street Journal, I was met with a full page ad from Microsoft. This ad was dominated by three simple words "Protect your PC." This strikes me as something akin to the Saudi government running ads in the New York Times in mid-September of 2001 saying "Protect your Tall Buildings." First, the message comes a little late. Second, we wouldn't have to protect our PCs if Microsoft hadn't provided criminals with all the elements they need to terrorize us Internet citizens.

Yes, I did say terrorize, and I mean it. I got a call last week from a friend who recently bought her family their first computer. She said "my printer won't work." Usually, I'd be the last one someone would call to fix a real computer problem, and usually I'd find the quickest way to escape such a question, but this friend is like a sister to our family, and she is definitely at the very beginning of the PC learning curve. So, I asked "what message is it giving you?" "Just a minute, I need to wait for the computer to reboot. Why does it keep rebooting?" Uh oh. Like a doctor telling a patient she has cancer, I had to break the news to this sister that her computer had a virus (or more precisely, a worm). I heard her catch her breath and, after a long silent moment, "what do I do?"

(snip)

You see, the MSBlaster virus was built using one of many new "features" built into the latest versions of Microsoft Windows. Microsoft has computer manufacturers ship home PCs with the Remote Procedure Call feature activated. Chances are 99% of consumers will never use any application that needs this feature. But the terrorist who brought down businesses, government agencies, and who knows how many home PCs found a way to use it.

(snip)

Bottom line, thanks to the powerful tools (or should I say weapons) that Microsoft has built into their products, criminals now dominate the Internet. Common citizens don't feel safe anymore. They fear that their thousand dollar computer investment will be destroyed by these criminals, and due to the increasing unusability of the Internet, in many respects they already have been. I hate to say it, but maybe these terrorists have won.

(more)

http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=34231
(yeah, I know it's WorldNetDaily, but it's commentary, so why not...)

tridim Donating Member (1000+ posts) Thu Aug-28-03 11:47 AM
Response to Original message
1. Should we blame all drunk driving deaths
on Ford? Why not, it's the same thing.

I agree Microsoft isn't the most ethical company in the world, but gawd damnit, I'm so freaking sick of mindless MS bashing. MS provided the patch months before MSBlaster was released. No operating system is perfectly secure. None.

GregW Donating Member (1000+ posts) Thu Aug-28-03 11:52 AM
Response to Reply #1
2. Amen!

htuttle Donating Member (1000+ posts) Thu Aug-28-03 11:59 AM
Response to Reply #1
3. No, it's not the same thing
The 'same thing' would be blaming all deaths due to exploding Ford Pintos on Ford, since the design flaw was their fault.

It's not about being perfectly secure. It's about due diligence by a company that has more than enough resources to do so.

Pobeka Donating Member (1000+ posts) Thu Aug-28-03 07:54 PM
Response to Reply #1
6. Security people have been SCREAMING about MS's lack of security for years
Make that at least a decade. This is NOT the same thing. MS tells us, in ad after ad, how secure their products are. From the OS to the apps, it all comes from MS. If MS was honest about this, and said in their ads "there may be security problems with our products", then you might have a leg to stand on. But they don't, they push their products out the door, knowing full well how much of their customer base is willing and able to upgrade for the "security patch of the week". MS is the problem here, not the users. Get a grip.

patmacsf Donating Member (179 posts) Thu Aug-28-03 12:00 PM
Response to Original message
4. Don't shoot the messenger
This essay is wrong on so many levels, it's hard to determine where to start. I've noticed this argument popping up around the internet a lot in the last few days, but it couldn't be so off base.

Just to lay out a few of the actual facts:
Microsoft provides a free and automatic option in their operating systems for receiving and installing patches. Most users do not turn this option on despite Microsoft's repeated efforts to educate the public through their own web sites and the media.

Microsoft provides operating systems, not end solutions. Just as any engineer who uses steel and bolts is ultimately responsible for choosing the right components for a building, the steel producer is not responsible when the engineer chooses to use twine to secure the steel beams together. Likewise, Microsoft is not responsible for the end user who chooses to expose their computers to the internet and not take the time to educate themselves about updates and patches.

Microsoft posted a patch for the SOBIG "virus" six months ago. Yet apparently some large corporations either are too stupid to know how to use the software or are too stupid to recognize that the reason their systems failed is wholly unrelated to the SOBIG virus and they just use the latest "scapegoat" to cover up their own incompetence.

I could go on, but I think I've made the high-level of my point ...

SteveG Donating Member (833 posts) Thu Aug-28-03 08:58 PM
Response to Reply #4
7. Having spent the last two weeks cleaning up systems
I don't share your views

This essay is wrong on so many levels, it's hard to determine where to start. I've noticed this argument popping up around the internet a lot in the last few days, but it couldn't be so off base.

Just to lay out a few of the actual facts:
Microsoft provides a free and automatic option in their operating systems for receiving and installing patches. Most users do not turn this option on despite Microsoft's repeated efforts to educate the public through their own web sites and the media.


All well and good if you have a high speed connection, but many of the patches are 10Mb or more - some as much as 18Mb, which can take hours to download over a 56K modem. The average user just doesn't have the patience. Another problem is that many ISPs have timeouts on their connection time that disconnect long downloads, since their timeouts are based on their server receiving key press signals from the user every so many minutes in order to keep the connection alive. Yes there are programs like Keepalive which will do that for you, but how many people know about them, and even more importantly - if you read the service agreement of many ISPs one very common feature is a clause that specifically disallows programs like Keepalive, making running one grounds for termination of the contract.

Microsoft provides operating systems, not end solutions. Just as any engineer who uses steel and bolts is ultimately responsible for choosing the right components for a building, the steel producer is not responsible when the engineer chooses to use twine to secure the steel beams together. Likewise, Microsoft is not responsible for the end user who chooses to expose their computers to the internet and not take the time to educate themselves about updates and patches.

Bullshit. Most of MS's software (Word, IE, etc.) are just as prone to security holes. Your attitude seems to be that unless you are Microsoft certified you shouldn't have a computer (I provide tech support to hundreds of students, faculty and staff - have done so since 1984 - and while I firmly believe there are some people who just should not be allowed near a computer - reality says that my opinion on this subject just doesn't matter - the argument was lost 20 years ago). The consumer has to be educated, yes - but the reality is that most just don't have time - their boss has told them to use the damn thing, and they have to produce product - they just don't have the time or interest to learn more than they absolutely have to.

Microsoft posted a patch for the SOBIG "virus" six months ago. Yet apparently some large corporations either are too stupid to know how to use the software or are too stupid to recognize that the reason their systems failed is wholly unrelated to the SOBIG virus and they just use the latest "scapegoat" to cover up their own incompetence.

The Sobig virus is not affected by the MS patch. It is prevented by keeping your anti-virus software updated. The patch that has been available for some time is the DCOM patch. The MaxBlaster Worm, Stealther Worm, and the Nichi Worm all take advantage of the vulnerability in that service if it's unpatched. Most IT groups are understaffed and do not have the resources they need to educate users on how to keep their systems current. Not an excuse, just a fact. I maintain about 150 systems scattered over the State of Del. I support about 50 faculty and staff, and about 1000 students. I spend close to 40 hours a month just in travel time between campuses, I have a very mixed bag of operating systems, users and hardware, and I have no help - I manage the network, do the webpages, maintain the licenses, deal with the vendors, install the software, pull the wire thru the ceilings - all by my lonesome.

My situation is not unusual - the fact that the Bush Admin has caused the States to have to cut budgets (my budget is appropriated by the state), the current business climate has caused businesses to cut their IT budgets to the bone - isn't the fault of the people who have to keep this stuff running, nor is it the fault of the entities who have to fund it - well the large corporations must take a large part of the blame because they funded Shrubya's election, but they made their bed, now they have to lie in it.

In my opinion however most of this could have been avoided if MS would not activate services by default, but make the user deliberately activate them, and if they did a much better job in testing their software, before it is released to JQ Public. MS should have a division of their company devoted to the task of breaking their own software, before the pimply faced bad guys do.

Walt Starr Donating Member (1000+ posts) Thu Aug-28-03 09:24 PM
Response to Reply #4
8. Just point, your alleged "Sobig" patch only affects one attack prong
Edited on Thu Aug-28-03 09:27 PM by Walt Starr
Sobig's biggest method of spreading is via social engineering (i.e. open me, I'm an important file) and is based upon inherent architectural flaws in the way Windows works. The same type of social engineering methodologies do not work in the *nix world simply because the architectural differences do not allow attacks via this methodology (try to open me and I can't really do anything because I don't have the correct permissions to do anything harmful).

Yes, the patch will help in certain aspects of the Sobig virus and is based upon inherent security flaws in the way shares work and allowing certain file types to be opened via Outlook. Unfortunately as a corporate IT Manager I can tell you, not a single Sobig infection in our network came from an email received in Outlook as we take precautions at the Exchange level. Where those infections came from were people accessing external email accounts via web browsers, mostly Hotmail (Microsoft).

My next point is the virus he was talking about was MSBlaster. Yes, there was a patch available for the vulnerability six weeks before Blaster hit. The issue is, the fundamental underlying architecture of the NOS allows for a huge impact when this sort of exploit is not immediately patched. You simply do not find this type of an impact in other operating systems for flaws in the NOS because the underlying architecture does not allow for it. Yes, damage can be done via a worm on a Linux system, however, the damage is minimalized because the underlying architecture is inherently more secure.

edited to add this final point

The requirement that MS machines run AV software itself is the biggest indicator of the fundamental flaw in the architecture of the Operating System. The only time I need AV software on my Unix and Linux boxes is when they run Microsoft protocol sets in order to accommodate ease of use by the Microsoft users, and it is installed only then to protect the Microsoft users from themselves as the viruses detected invariably always only affect Microsoft systems and have no effect whatsoever on the *nix system hosting the Microsoft based protocol and files.

KoKo Donating Member (1000+ posts) Thu Aug-28-03 07:42 PM
Response to Original message
5. I have too many problems with MS....but I had a Mac and couldn't do much
with it in my business.....so if the "world of business" depends on MS.....then they need to get their act together and fix all these bugs and viruses and all the rest of their stuff. I've only used a computer since '96 so I'm a "newbie" but I'm telling you that I HAVE to use MS for business....no other way.....and they are the KING of CRASHES.....sloppy programs which work okay ...until one has a problem......and yet are always open to viruses, crashes, malfunctions and whatever.

Now.....someone did try to get me onto "Lotus Notes" last year.......?????????????

While MS dominates.......we have to work to make them better with "consumer pressure."

And, I don't want to hear some person say....just buy a Mac or go with Linux......in my business that wouldn't work. We have to get Gates to do something about MS......for those of us who need employment NOW and not down some "Linus/Mac" road for the future!

alfredo Donating Member (1000+ posts) Thu Aug-28-03 09:46 PM
Response to Reply #5
9. what applications do you use on your PC?