Re: Microsoft: No responsibility accepted

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 11/06/03 

Date: Thu, 06 Nov 2003 02:05:17 GMT

In article <pan.2003.11.05.21.06.01.626014@gil.com>, "Craig" <craig@gil.com>
wrote:
>While I do not condone intrusion ("virus") software of any kind, and
>believe that the writers of such software should be punished to the full
>extent of the law, this is an amazing story. Microsoft have been very
>sneaky here and put ALL the blame for viruses on the law-breakers who
>write them.

Uh, yes... What's wrong with that?

If someone breaks into my house and steals my TV, who's to blame? Me for
not having super-duper triple-titanium locks on my house, or the burglar who
engaged in theft?

>But there is a bigger picture here.
>
>A Windows "virus" is a program that is written to access one of the many
>security holes in Windows and cause problems. If there were no security
>holes in Windows, there would be no "viruses".

If there were no people, there'd be no murders. If there were no
possessions, there'd be no theft. If there were no laws, there'd be no
criminals. We can all make vague and stupid statements like that.

Truth is, no matter how hard you work at a program, there are always bugs,
or misfeatures (yes, some of them are really brought about by people
thinking "oh, this'd be a good idea"). Some of those can be exploited as
security holes. So, while we're saying "if there were no security holes in
Windows" (or any software, for that matter) why don't we also say "if there
were a tooth fairy on every corner, and Santa came visiting twice a week"?

And are bugs necessary for viruses? Hardly. Look at MiMail - it requires
the user to open a zip file sent to them out of the blue by a random
address, and then run the file inside the zip. Where's the security hole
there? In the user's head. Clearly, without security holes, viruses would
still proliferate.

>Microsoft have been very successful in diverting blame away from
>themselves, naming the intruding software, a "virus" - seemingly and
>unpleasant and uninvited attacking organism that needs to eradicated, and
>the following quote from the above article confirms that master stroke
>that they have played:

I think you'll find that the term "virus" was _not_ invented at Microsoft.
[It may even predate Microsoft, I haven't bothered to check, because it's
not important.] It's a deliberately malicious piece of code (and it doesn't
necessarily need to exploit a security hole - the most frequently exploited
vulnerability is that of _people_ to believe that the email they've received
needs to be opened and run). Why _not_ blame its authors?

>This is a remarkable statement, as it seems to condone Microsoft's weak
>software security and shift the blame on to the intrusion software
>writers. Surely this is just another ploy by Microsoft, were they are
>using some funds from their massive war chest to distract attention away
>from themselves.

I don't think it says anything positive or negative about Microsoft's
software security. I think it says that various law enforcement operatives
appreciate another tool that will help them catch the bad guys and send them
to jail.

>There are about 60,000 viruses known for Windows, 40 or so for the
>Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux.

Uh, yeah. Once again, the sacred mantra:

Malware authors will attack the biggest target. Attackers require only one
entry point, therefore the target need not even be the weakest.

Comparing one OS against another is ludicrous - they each have their
foibles, and the "weakest one" is the one with the one vulnerability that
your attacker chooses to exploit.

>As I see it, Microsoft's insecurity it is akin to you going on holidays
>and leaving your windows open and the light on. Sure the burglar is at
>fault, but have you taken the necessary precautions to inhibit their
>access?

If the burglar takes advantage of that situation, will he not still be
chased by police and charged with theft? Sure, people might say you were
stupid for leaving your house poorly secured, but that doesn't lessen the
crime. Breaking and entering is a crime even when the doors are wide open.
Same for unauthorised access.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.] 

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

Relevant Pages

  • Re: using file management window cause Word to crash
    ... I want security holes this big plugged. ... It was not the Microsoft product that stops the computer from ... This message is posted to a newsgroup. ... am thankful for all of the respondents who cared enough to assist others ...
    (microsoft.public.word.application.errors)
  • Re: How to set Http Request Header?
    ... >While I'm no more impressed than anyone by MS's dismal record of security holes ... This last is the likely reason that non-IE browsers support ... the feature, while Microsoft does not. ... Rather than fix the security hole, ...
    (comp.lang.java.programmer)
  • Re: M$ Updates = homepage hijacker
    ... I doubt they're purposely putting security holes in just so they could ... I'm willing to bet that also when you did that, your default browser ... Maybe the Microsoft guys could get some tips from them on how ... No security problems, built-in pop-up blocking, and it's faster than IE. ...
    (microsoft.public.windowsxp.general)
  • Re: SP2 and XP
    ... >Perhaps Microsoft should have done some sort of test, but the fact is, ... Look at the number of massive security holes they have ... be the greatest little toy to have vast parts of windows installed behind ...
    (microsoft.public.windowsxp.general)