Your Weakest Link
Fill in the blank yourself.
The Internet - the World Wide Web - has again been plunged into a state of chaos and confusion, thanks to the Google story. There's panic everywhere. The message boards are rife with cries of desperation and cries for help. But nothing helps. Because at the end of the day, people do nothing. They cry and they scream and they discuss, but they end up doing nothing.
This is not a technical article. Neither is it an article about operating system aesthetics. It's an article about crowd psychology. It's an article about how and why the Internet and the World Wide Web can sink to such a sorry level.
Botnets rule. They literally rule. Up to 97% of all email traffic is spam. Spam no one wants and no one wants to pay for. Yet people are paying for it all the time. And not just by being exploited (so easily) but by virtue of the fact their Internet providers turn extra costs over to their subscribers. To you.
Both the botnet traffic and the spam traffic are generated exclusively by computers running Microsoft Windows. They're attacked through Microsoft Outlook and Microsoft Internet Explorer and the attacks can easily penetrate the nonexistent defences of the operating system Microsoft Windows, whether it be Windows XP, Windows Vista, or Windows 7.
Bill Gates issued a personal apology to the world at large back in 2002. Eight years ago this month. He personally apologised for all the 'pain and suffering' his software had caused. Implicit in that statement was a recognition that things had to change and a promise that they would change. And yet the world's most powerful software corporation hasn't done either. Not in all the years prior to 2002 and obviously not in the years since.
And now when the Google story breaks and people learn - surprise surprise - that there just might be an exploit in Internet Explorer or Windows XP, they're in a panic - as if all this is shocking news to them. And instead of seeing them get their act together, innocent bystanders are assailed with the following.
Should I use McAfee or should I use Norton?
Maybe it's time to abandon Windows XP and upgrade to Windows 7.
My cheap video capture card won't work with Windows 7.
Microsoft are only doing this so we upgrade from Windows XP to Windows 7.
At my company we still run Windows XP and Internet Explorer 6.
It's easy to upgrade to Windows 7.
XP is about ten years old so it's time to upgrade.
All of which is the equivalent of Davy Crockett telling his friends things'll be OK after they regroup or Armstrong Custer telling his soldiers he can save the day.
The Alamo. Little Big Horn. Redmond Washington.
The Internet and the World Wide Web were both built *on* Unix, *with* Unix, and *for* Unix. All current technology runs some flavour of *Unix*. And it matters not what flavour is being used, whether it's a BSD (FreeBSD, NetBSD, OpenBSD, OS X) or a Linux (Ubuntu, Kubuntu, Debian, Gentoo, Mandriva, Red Hat, Fedora, ad infinitum). All are equivalently securable. All have the same basic architecture. With Unix and only Unix on the web tomorrow, botnets, hacks and spam are a thing of the past. They can't survive.
And yet people still ask whether it's better to run McAfee or Norton. Something is missing. Somewhere there's an explanation out there. A factor no one has thought about before. A reason these 'lusers' simply don't get it.
Unix is a securable system. This is not to say Unix can't be hacked - it's to say that most of the time it will not be hacked, and organised crime intent on reaping billions by hacking by the numbers will be up the proverbial creek if they try. Hacking Unix is simply *not profitable on a general basis*. Hacking Windows on the other hand is a turkey shoot. And Windows lusers are the turkeys.
Unix has a secure architecture because it was built as a serious professional multiuser system. Windows can't be secured because it relies on an architecture dating back to the standalone personal computer. Any attack on Unix can be thwarted but the attacks on Windows will never cease. And now that this planet is ten years into a new millennium and the supposedly intelligent homo sapiens who populate it are still running that Microsoft junk, one has to wonder how sapiens the race is and one has to fear for the future of the Internet and the planet itself.
Botnets rule. Millions of Microsoft Windows computers are compromised every day, recruited into botnets. Billions of spam messages are sent out with further attacks that Microsoft remain basically powerless to stop.
97% of all email traffic. Hundreds of millions of Windows PCs in botnets. Several hundred thousand strains of Microsoft Windows malware in the wild. When are people going to wake up?
The hackers can't hide on a Unix system. Despite its sophistication, nothing on a Unix system is inaccessible or difficult to find. Unix users never have a situation where they're forced to look for a needle in a stack of needles. But that's all the Windows people ever get.
Microsoft's abominable Registry puts everything together in one inglorious glob. And Microsoft officially discourage users and professionals alike from entering that inglorious glob. Guess where the hackers hide?
Windows is an architectural mess that not even the people at Microsoft fully understand. But the hackers understand it. They understand it much better. Their only task is to find ways to compromise it and places to hide their compromises.
Attacks on Windows have become extraordinarily sophisticated over the years. Getting an alert from an OS vendor that a system has been compromised and you should reinstall everything: that doesn't happen anywhere but on Windows, where it's not that uncommon. And people should be asking themselves what kind of operating system is so helpless that it can *know* about system attacks but is powerless to *prevent* them?
But they don't ask that. Instead they ask if they should use McAfee or Norton.
Instead they have huge databases online they consult to see which of their thousands of system files are actually malware or real system files that have been infected. They never ask how those files got there in the first place. Or how they got corrupted. Or why their operating system didn't protect them.
Instead they get help from other sites to identify further sites known for proliferating 'drive by attacks' - 'attacks' where a mere visit to such a site - and doing nothing else - will compromise a Windows computer. They never ask how a system can be so weak that merely visiting a website can corrupt everything.
Instead they pay people like Geek Squad hundreds upon hundreds of dollars to 'wipe and reinstall' - because their poor system can't defend itself. They never ask how many people not running Windows have to 'wipe and reinstall'.
Malware is a big business - ask Brian Krebs who's even managed to creep behind enemy lines. It's a multi-billion dollar industry. But the question is whether that in itself is the complete picture. The industries ostensibly fighting malware - companies such as McAfee and Norton and F-Secure and Sophos and Trend and who knows how many thousands of others, together with PC repair shops doing little more than reinstalling things that shouldn't need to be reinstalled - must surely be making more.
And it's not productive. None of it. All the waste in worldwide bandwidth. All the waste in fighting spam. All the waste in 'antivirus' products. All the waste in all the companies dedicated to researching Internet crime waves. All the website real estate wasted on reporting on and discussing Windows malware attacks. All that and more: it's all about Windows.
The Internet should be a quiet place. After ten years of this nonsense - with ILOVEYOU and Code Red and Zbots and all the rest - you'd think people would come to their senses. There's no insurmountable obstacle blocking their way. You'd think they'd avail themselves of the opportunity. You'd think they'd do the little research necessary to learn the true score if by some fluke they didn't already know. You'd think they were finally prepared to act responsibly.
But no. They instead ask if they should use McAfee or Norton.
There's nothing more anyone can do to make the Internet - and the World Wide Web - more secure. There's already been too much done. Security isn't that hard at all. It's actually very easy. But this technology can't help people who refuse to act responsibly, buy a clue, use the technology, and help themselves.
There's no further technology needed to secure the web and make it a nice place for everyone. There's no need to get involved in discussions about whose graphical user interface is better. But there is a need for each and every Windows luser to fully understand why things are so bad today, have been bad for so long, and will go on being this bad. It's because of your weakest link, Windows lusers.
That weakest link is you.