|Home » Learning Curve » Red Hat Diaries
Ten Years, Millions of Attacks, Billions of Dollars in Damages - And Nothing Learnt
The ten-year puberty of the world wide web in the New Millennium has been a costly fiasco.
Did the world wide web make us all go mad? How fitting, in a weird crazy way, that the apotheosis of an event ten years ago should turn out to be a nearly identical event ten years later. Same scenario, same dimwit users, same indefensible excuse for an operating system.
But why should we be surprised? Just look at the way Microsoft have shored up their defences, wined and dined members of the House of Lords, hobnobbed with their pals in Washington, used their spin doctors to deflect the blame for cataclysmic attack after cataclysmic attack. It's never Microsoft's fault. It's 'user error'. Or students in the Philippines. Or a militant arabic organisation. Or aliens from another solar system, in another dimension. It's never Microsoft's fault. They work harder than anyone on security. Don't they?
It's been ten years since the 'love letter' ('ILOVEYOU') worm hit. The first of the big digitally transmitted diseases (DTD) brought to Windows users just as the world wide web reached puberty. Today the web is well beyond legal age but is still acting like a child.
$5.5 billion in damages. That's what that first onslaught cost. It was followed by the AnnaK worm (which uses the same ruse as the current attack) which in turn was followed by an unending succession of similar worms which all did the same thing: exploited untested and insecure Microsoft 'technologies' in the world's poorest excuse ever for an email program, corrupted things on disk (with no system security to limit the damage) and started mailing itself out to everyone (at least the first 50) in the Windows Address Book.
Microsoft kept a lid on the cause of the outbreak as long as they could. They used their considerable influence to stop news agencies from pinpointing what they already knew and wanted to tell people - it affected only Windows and it specifically attacked Outlook and the scripting available within.
If you've never seen a typical dimwit Windows user struggle with Outlook then you're missing a singular treat. Malware floods into the inbox because everyone in the address book is being sent the same shit over and over again. And as soon as Outlook is opened, it selects the first message in the inbox and previews it. And as soon as the preview begins, the malware is activated - which can very well not only corrupt the operating system as a whole, but crash Outlook.
So watch them deal with their mail. Double-click an Outlook icon somewhere, then hang for dear life on the arrow down key. As soon as Outlook comes up, starting banging like mad on that arrow down key. And hope you get beyond the malware queueing in the inbox and to a real (uninfected) message before you get a BSOD.
The second most alarming thing about this scenario (which can be witnessed) is that dimwit Windows users somehow accept this - they're sold a crap product and just work out that 'this is the way the Internet is, we need the Internet today, so we have to learn to deal with things like this today'.
And who makes the profit from this incredible loss? Microsoft of course. And all the companies that work with Microsoft. Microsoft continue to up the price of their less than worthless operating system, the big AV companies - Symantec, McAfee, Sophos, Secunia, F-Secure, Trend Micro, countless others - continue to churn out useless 'signature list' subscriptions that never worked and work even less today. Hundreds of thousands - perhaps millions - of websites prey on the paranoia and insecurities people develop as they learn more and more about a system they more and more realise they should never have purchased.
And of course the malware writers. Who have taken an old art form and turned it into a self-contained money making machine. The lines between virus, trojan, worm fade away. Today's malware combines a bit of them all. Propagate through email or infected websites, take control of the local machine with technologies Microsoft can't defeat, propagate further, hook into an IRC channel, enlist, await instructions. Spew out hundreds of thousands, millions, of malware laden mail packages on command.
Build up a network of money mules - people who insist they are duped to avoid criminal charges. Start targeting dimwit SMBs still running Windows. Use keystroke loggers, man in the middle attacks, whatever to intercept supposedly secure communications. Take out small amounts that stay under the radar but keep taking out until you make a good six digits. Hundreds of millions or billions are lost each year because of this. What's the initial $5.5 billion of 'ILOVEYOU' compared to today's #1 online business?
Zero day attacks on Microsoft web server software. The black hats scour the web for likely dimwits, infect their servers, plant booby traps for dimwit Windows users merely 'driving by'.
Zeus and Conficker - the Batman and Robin of today's malware industry - can't be stopped by AV products even though they're well known and everybody's waiting for them.
Richard Stallman tells people Windows is unfit for use. The Electronic Frontier Foundation tells people to avoid Windows and Microsoft products at all costs. The governments of Europe start warning their citizenries about using Microsoft products. Yet who still controls the market ten years later?
Ten years, millions of attacks, billions of dollars in damages - and nothing learnt.
This latest 'virus' shows 'security weaknesses', say the jackals. Back in 2000, Microsoft found themselves tongue-tied when 'ILOVEYOU' crippled the globe. And all they could come with - honestly, this was all - was 'be careful when you open email attachments'. Like that helped the Outlook user who has to hammer arrow down to prevent a Microsoft product from opening the attachments anyway. Like it helps when - as was shown a few months later already in the year 2000 - you don't even have to sucker the user into clicking anything: you just let good old Outlook do it for you.
That was ten years ago. What do the so-called experts say today, ten years later?
'This is 2010 - going on 2011! Shouldn't users just know by now that poorly worded email messages imploring you to click on cryptic links or file attachments are always bad news even if the message claims to be from their own mother? Shouldn't all IT and security admins have already configured network and email gateways to filter and block executable file attachments?'
Ten years. Ten years have gone by. Ten years ago, Microsoft had no way to defend against a simple email attack. Ten years later, they still don't - and they're still going to blame their users.
Microsoft users love to believe their recurring computing calamities are the world's concern. The irony is they really are - in a perverted kind of way.
Microsoft and Microsoft users are holding the web back. They're preventing the great majority of netizens from realising the potential of the world wide web. Instead, their machines are crashing, behaving weirdly, spewing out spam traffic in a system where only 3% (three percent) of all traffic today is not spam they've generated, leaving dimwit Windows users with inboxes flooded with spam, getting them to use 'spam filters' which has to be the sorriest way ever to fight something like this (as the damage is already done when the spam is sent out) and so forth. The Internet is crap, it's a bad neighbourhood, and who knows why any of us got on it, and no one is going to treat it with respect or much less learn what it can really be good for.
There is no way the world wide web can realise its potential with Windows around. There is no way the planet's netizens can ever begin to grasp what the Internet can offer if Windows remains.
'So, since security best practices that have been the standard preached for nearly a decade are still insufficient to protect networks against such a rudimentary attack, perhaps it's time for a new malware defense strategy.'
And what would that be? How about Microsoft coming out with an ebook for 'teenagers' about staying safe online? Except Microsoft are the last people you want to ask about safety, and they didn't write the sorry thing anyway - they just put their logo on it. And it's dumb. And it solves nothing. But more about that in another article.
Windows and all Microsoft products for the web need to be banned from the world wide web by yesterday. Governments must band together for the good of the planet and pass legislation that makes use of Microsoft products illegal on the web. That is the only way this carnage will stop. That is the only chance the people of this planet have for a future in this new millennium.