Microsoft proposes Internet Tax to Clean Viruses

[migopod]

OHAI!

Um, no.

Viruses have been around long before the internet and web-browsers, and they have been spread by infecting all kinds of code including code that was created by vendors other than Microsoft. Before the internet I used to participate in Bulletin Board Systems (BBS) and viruses could be found in virtually any program, game, etc. that a virus writer targeted. The vulnerabilities were in the application code, not the operating system. While Microsoft has, indeed, opened more than its fair share of security holes, they are not the culprit.

True enough. The first worms and viruses that were released were actually targeting UNIces. My first and last virus infection was the Form boot-sector virus contracted on a MS DOS 5 system via infected floppy disk. If you're up on your virus history, you can date this incident to the early 1990's .

In ye olden dayes the virus was typically a tiny bit of asm designed to incorporate its self into .com and .exe files or write its self to the boot sector of a disk in order to be retained in system RAM and keep on infecting individual executable code as it was run.

Back in the early 1990's there were still a number of potentially viable desktop computers, NeXT, Be Boxen, Amigas, Macs and the ever more popular IBM clone systems. RAM and disk space was limited enough that virus writers had to be extra sneaky in order to fly under the radar of the average computer owner even without antivirus software, and viruses were written for pretty much any OS.

Unfortunately something happened around 1995 with the advent of the relatively inexpensive pentium class systems and Windows 95. Home computer use exploded. Be, Commodore and NeXT went away, and about the only choices left were a really crappy (yet super expensive) Mac (system 7? gawd!), Windows 95 and the fledgeling i386 Linux and BSDs. While some date the death of the internet as September 1993, I think that the perfect storm of Windows 95, AOL and millions of new users with no idea how their computers work were the true beginning of the end.

Bots are programs that do something automatically for someone . Computers are tools that can be used to automate complex or repetitive tasks, so a "bot" just takes advantage of that. A bot (short for roBOT) can be programmed to send out e-mails, post fake personal ads, insert advertising into forums, search for e-mail addresses in web-sites, etc. Basically, a "bot" does the same things that a person could do manually, but it automates the task. A "bot" can be created using any operating system. Once again, Microsoft is not the culprit.

True again. Bots can be written for any OS. I use bots every day (for good, not evil) to do things that are tedious but necessary. Where I blame MS for the explosion of bots, viruses and trojans is that they have a long and sordid history of having easily exploited bugs and that privilege escalation tended to be pretty trivial. Things that on a mature UNIX would have been a big deal for an individual, non-privileged user became system-crippling infections on a Windows box. Until Windows 2000 (an NT4 variant for gawd's sake) the Windows OS was intended to be single-user with that user having unlimited access to everything. This, plus the sudden monoculture of desktop OS plus the sudden introduction of millions of non-technical people lead to the Cambrian Explosion of viruses, trojans and social engineering trickery.

Phishing is nothing more than social engineering. Phishing (as in "fishing for information") is simply an attempt by someone with nefarious intentions to extract personal information from you by pretending to be a reputable resource. Phishing can be done via e-mail, on a web-site, even by traditional snail-mail. It has nothing to do with operating systems. Microsoft is not the culprit.

No disagreements. Phishing is meatspace hackery alone. If MS could be blamed at all, it's for the one thing I grudgingly thank them for having done, which will be disclosed in my conclusion.

Spam (I hate that name because the food product Spam is actually not bad.) is unsolicited e-mail. Plain and simple. It is no different than the "junk" mail that you receive in your mailbox at home. An e-mail server can be built to send out advertising via e-mail from virtually any operating system. Once again - not Microsoft's fault.

I'm somewhat spoiled, thanks to fine appliances like IronPort and a nicely robust SpamAssassin implementation. I maybe get one or two pieces of SPAM in my inbox a day. Other people I know insist that they get loads of SPAM. Spamhaus estimates that 90% of email sent is unsolicited commercial junk. Seriously, only around 10% of email is actual email. About 80% of SPAM comes from botnets which are nearly entirely virus infected Windows personal computers. Again, not exactly the fault of Microsoft, but security flaws in the OS plus an uneducated user base who happily opens every attachment promising adorable kittens leads to more SPAM.

By the way, before I was a vegetarian I really liked SPAM the product as well. We can blame the etymology on Monty Python plus usenet news I'm afraid.

Don't get me wrong - I do not drink the Microsoft "kool-aid". Given a choice of databases, I will choose Oracle over SQL Server. When choosing an enterprise-quality server, I will go with a variant of UNIX over Windows. But these choices are because of functionality, not a "religious" devotion to one position or another.

So if Microsoft is not the culprit, who is?

Simple - the people who write viruses, bots, phishing texts, and spam. There are people out there that want to take advantage of others. If we tracked them down and cut off their fingers, I bet we would eventually see a lot less of all that annoying stuff.

I think you're half right on this... or maybe a third. Microsoft is responsible for easily exploitable bugs that are frequently left without patches for long periods of time that make Windows susceptible to viruses and trojans and security models that make those infections far more serious than they should be. Microsoft is also responsible for basically making the PC as ubiquitous as it is. This is the thing that I appreciate. Pre-95 personal computers were expensive and much more rare than they are now. When I started in (higher ed) IT I supported general access student computer labs. Almost nobody had a laptop and very few students had a home PC. Since then labs of that kind have nearly become obsolete. The only real purpose they serve any longer is for expensive software that individual students don't have and for printing.

MS probably more than any other entity is responsible for bringing inexpensive PC to the public, and that's a touch awesome. I can buy a nice laptop for under $500 on which to install Ubuntu. Ten years ago I would have spent well over a thousand for a reasonably crappy laptop and struggled to get Slackware up and running on it.

The other two components in the axis of infection though are as you said the authors of malware, but also the people who fall for phishing, SPAM and trojans and leave their computers unpatched, without antivirus software and connected 24/7 to the public internet with no firewall. In a way I think MS can be partially responsible for the existence of those users, but not really responsible for how those users behave once they shell out for the PC and OEM windows install.

[telkanuru]

If it manages to have less security holes than Unix systems, I'd be amazed. Though I guess it'd better have massive security if it's going to have access to enough of my personal information to fund an entire desktop OS team with extremely targeted marketing.

Google Calendar already creeps me out when it reads my emails and suggests appointments. Soon it'll try to schedule the appointment, make dinner reservations, pay using my credit card, and provide a link for the exact type of antibiotics I'll need the next day.

Try using a phone with Android. At this point for me, it has enough data to be fairly intuitive in predicting what I need or want it to do. I think this is pretty awesome. IMO, the future of computing is in the cloud, anyway.

[Gav]

Try using a phone with Android. At this point for me, it has enough data to be fairly intuitive in predicting what I need or want it to do. I think this is pretty awesome. IMO, the future of computing is in the cloud, anyway.

My emphasis.

Until everyone (and I mean everyone) has access to ubiquitous (meaning available anywhere), ultra cheap, ultra reliable, ultra fast connections this is a pipe dream let alone desirable.

[I_luv_saber]

I think the cloud will become far more extensive and utilized (myself, I'm a big fan of Google Docs already), but I don't think we're going to see it happening in the way that some people are forseeing.

[kalivor]

1. Microsoft creates operating systems full of security holes without any regard to teaching customers good security practices such as not running everything as "Administrator".

Buy a Mac, don't pay the tax

Macs provide the following defenses against viruses, botnets, etc.
1. With only a 2.5% market share, nobody bothers to target Macs.
2. With only a 2.5% market share, viruses that DO target Macs have a harder time spreading.

Microsoft's product is not inherently less secure than Apple's -- in fact, if anything, it's more secure (see links below). Microsoft is simply a victim of their own success. If they didn't have a 97% market share, their *better* security would have hackers targeting other Operating Systems, and this wouldn't be considered a Microsoft problem.

Links for those who think that a Mac actually provides security:
http://www.macworld.com/article/1464...wn_safari.html
http://blogs.zdnet.com/security/?p=2917

And a source for my market share stats:
http://blogs.zdnet.com/web2explorer/?p=262

[kalivor]

I do not feel that MicroSloth should be trusted to cleansing the interwebs of malware. That would be like trying to give an enema to... something that would not react well to have an attempted enema.

Where in the article does it say that Microsoft should be handed such a responsibility? Scott Charney (who works for Microsoft, but is not Microsoft) is proposing an industry strategy to do this, not asking that Microsoft be handed tax money to do it.

The Micro$oft issue is that they try to "put a computer in every home" without thinking about if they should.

Yes. A software company, trying to sell software. How dare they.

They make it so "easy" for people by doing everything for everyone. People do not have to know how to use a computer to use a computer.

There is something wrong with that sentence.

I assume that you mean that people use computers without having complete mastery of their entire functionality.

By corollary, I suppose people who only speak a bit of French should never speak it. And anybody who ever makes a grammatical error or spelling mistake should not be allowed to write things down. Or even read.

Also, cars should be taken away from those people who do not know how to pre-set the radio channels, have trouble setting the cruise control, or don't know how to change their own oil.

They do too much to be distributed like telephones.

Yep. Useful things should not be distributed to the general public. Who were the buffoons who decided that people could decide what they're allowed to buy for themselves?

You know what's also too useful? Swiss Army Knives.

And telephones.... what, for mercy's sake, happened to phones that were just for calling people or being called? This may seem like it is completely off topic, but it is not. These parents that give their kiddos fancy phones with internet access.... Do you think they watch everything that their kids do on their phones... everywhere they go?

Actually, yes. The phones have GPS and video. Shhhh. You're going to give away parenting secrets!

These are the same parents that let kids have unsupervised broadband access in the privacy of their own rooms - and they do not have the discipline or education to use basic security practices.

Kids these days. Allowed to play in their own rooms unsupervised! What will the world come to?

[jeff]

While it is indeed true that Microsoft's success makes it the target of choice due to volume, there are specific design and implementation flaws that make it especially vulnerable.

The attack surface historically and currently include the many privileged services that are listening on a network port at all times, macro viruses in Office, ActiveX controls, holes in IE, etc. It's not just that any one program may have a bug and somebody exploits it, but that privilege escalation (and the fact that so many applications and users run with system privileges) is so widespread. A lot of the "convenience" that makes it possible for dynamic content to launch an application, or for mail in Exchange or Outlook to invoke a COM/ActiveX/.Net service (depending on what year you're talking about) facilitates penetration.

They have improved a lot, but that's not a big endorsement when you consider the starting point.

Crooks attack where the money is, and you don't see a lot of successful hacks against mainframe or Unix systems where a lot of money is transacted. I personally ran a mainframe system live on the Internet without a firewall without any fear. The last "virus" I know of on a mainframe was in 1987 (The Christma exec exploit and you had to actually run the program - it was more of a social engineering attack). Robert Morris's Unix worm was 1987. There are not a lot of exploits "in the wild".

By comparison, 3 or 4 years ago I was at a meeting of New York-area university CIOs, and one of them said that a PC without *current* virus protection would be compromised within 12 to 18 seconds of being powered up and on the network.

[Inquartata]

1. With only a 2.5% market share, nobody bothers to target Macs.
2. With only a 2.5% market share, viruses that DO target Macs have a harder time spreading.

Or maybe 7.5% http://news.cnet.com/8300-12_3-37.ht...d=market+share

Or possibly 9.61% http://www.pcmag.com/article2/0,2817,2342257,00.asp

IOW, who really knows?

But wouldn't the relevant comparison be operating systems? I mean, whatever Apple's share of the PC or laptop markets, it's competitors all use some version of Windows.

So what's Mac OS's market share vs. Windows?

10.9% ( North America ) http://www.tuaw.com/2010/02/27/quant...t-shrinks-sli/

Or maybe 5.11% http://arstechnica.com/microsoft/new...kes-mac-os.ars

Or possibly 5.02% http://www.netmarketshare.com/operat...e.aspx?qprid=8

Or 11.2% http://www.statowl.com/operating_sys...rket_share.php

Again...who really knows?

I've heard this "too small to bother" argument a lot, but it doesn't explain satisfactorily ( IMO ) why NO one has gone after the supposedly defenseless low-hanging fruit ( )...especially considering the money that could be made by exploding Apple's image of invulnerability vis-a-vis MS...

[telkanuru]

I propose a virus tax to fix Microsoft. Most viruses originate in Soviet Russia, you know.

[migopod]

I've heard this "too small to bother" argument a lot, but it doesn't explain satisfactorily ( IMO ) why NO one has gone after the supposedly defenseless low-hanging fruit ( )...especially considering the money that could be made by exploding Apple's image of invulnerability vis-a-vis MS...

Most current viruses are designed to make botnets out of infected computers in order to generate spam. There's not really much point in trying to work around OS X and numerous flavours of Linuxy security models in order to devise a clever virus except for the novelty factor and bragging rights since the Windows PC is both very ubiquitous and security flaws are easy to exploit. Especially since most Windows users are not up to date on security patches and antivirus software.

OS X and *n?xes are not without security holes, but the Windows vulnerabilities are more likely to be reasonably well understood by virus writers, more likely to remain unpatched by users and are more likely to lead to widespread infections thus maximizing the investment.

[Sean Butler]

OS X and *n?xes are not without security holes, but the Windows vulnerabilities are more likely to be reasonably well understood by virus writers, more likely to remain unpatched by users and are more likely to lead to widespread infections thus maximizing the investment.

Hmm, not sure that I agree with second part of what you said there. Windows software is largely a black box which one has to exploit by trial and error or through some ingenious deduction. Linux on the other hand is mostly open source and any would be virus writer can download that source and look for the security holes himself. Further, many Linux boxes which aren't under the arm of some large corporation with an army of Linux geeks maintaining them or possibly on a campus full of delightfully eager undergrads, are by and large not maintained well and have not had updates in a long time. This is because it takes a more technically savvy user to maintain said box.

I do however agree with your earlier comments. Virus writers are usually after the credit cards, bank passwords, profiling of individual users, and spam advertising. Since Micro$oft has the largest market share of operating systems for consumer PCs, it doesn't make much economic since to write viruses for anything else.

[jeff]

The "it's open source and therefore easier to hack" argument doesn't hold up. "Security through obscurity" is known to be ineffective, and the fact that source code is available for some OSes makes it easier for white-hats to review them for exposures. When new encryption technologies come out, the algorithms and are published to permit analysts to see if they are strong, or the security community doesn't accept it. The "trial and error" methods for piercing Windows are well known and reproducible.

Yes, the massive market share of Windows makes it by far the target of choice for best possible return, but Windows architecture also makes it the target of convenience as well. A lot of banks run mainframe operating systems, Unix and Linux - if they were easier to hack it would be a reasonable attack for bad guys to get jobs in banks and run attacks from their laptops on the same network, but that doesn't happen (insider jobs are in fact really important security exposures, but that's about people using authorization granted them to do bad things rather than breaking the OS)

migopod's point "more likely to remain unpatched by users" is also apropos: Joe User is not usually a good sysadmin.

[I_luv_saber]

The "it's open source and therefore easier to hack" argument doesn't hold up. "Security through obscurity" is known to be ineffective, and the fact that source code is available for some OSes makes it easier for white-hats to review them for exposures. When new encryption technologies come out, the algorithms and are published to permit analysts to see if they are strong, or the security community doesn't accept it. The "trial and error" methods for piercing Windows are well known and reproducible.

I had heard it explained once like this, and it makes the most sense:

While it is true someone wanting to sabotage your computer will have an easier time of it when he's able to freely see all the little nooks and crannies, it's also much easier for you (or someone) to fix and see what's wrong. Imagine, if you will, that someone has sabotaged your car. Would rather be figuring out what's wrong and fixing it with the hood welded shut, or being able to see all the inner workings with blueprints?

[migopod]

Hmm, not sure that I agree with second part of what you said there. Windows software is largely a black box which one has to exploit by trial and error or through some ingenious deduction. Linux on the other hand is mostly open source and any would be virus writer can download that source and look for the security holes himself. Further, many Linux boxes which aren't under the arm of some large corporation with an army of Linux geeks maintaining them or possibly on a campus full of delightfully eager undergrads, are by and large not maintained well and have not had updates in a long time. This is because it takes a more technically savvy user to maintain said box.

I do however agree with your earlier comments. Virus writers are usually after the credit cards, bank passwords, profiling of individual users, and spam advertising. Since Micro$oft has the largest market share of operating systems for consumer PCs, it doesn't make much economic since to write viruses for anything else.

The idea of security holes in Windows being rather well known by virus writers is generally due to the fact that they tend to recycle code and often don't address security flaws as rapidly as they should. Discovery of exploitable bugs is somewhat easier if one has access to the source, but I don't think it's necessarily much more valuable than straight up reverse engineering and just testing common exploit methods and seeing what happens.

I seem to remember recently, for example, that the Windows Vista and beta of 7 both suffered from an exploitable hole in their implementation of SMB that was identical to a flaw exposed in Windows 98 but that was not present in 2k and XP. It's reasonably easy to just try things that once worked and see if they're still problems. Probably the ideal would be to just try to break things and then if successful drill down into the code to figure out how best to exploit the hole.

Notably the largest PC market share by OS is still Windows XP, almost ten years old now. It's been around long enough that it's not really as much of a black box as it might have once been.

Maybe a good comparison would be IE vs Firefox. Both are pretty common on windows and only one is open source. IE has a much worse track record for security than does Firefox, and while exploits for Firefox show up on occasion they aren't generally as dire since it's not as tightly interwoven with the underlying OS.

[I_luv_saber]

Maybe a good comparison would be IE vs Firefox. Both are pretty common on windows and only one is open source. IE has a much worse track record for security than does Firefox, and while exploits for Firefox show up on occasion they aren't generally as dire since it's not as tightly interwoven with the underlying OS.

And, IIRC, those exploits that did come up on FF tended to be via the 3rd party add-ons...

[jeff]

Guys - please look at http://www.reuters.com/article/idUSTRE62N29T20100324

Be careful out there, y'hear?