elfs: (Default)
[personal profile] elfs
This afternoon, NPR's "All Things Considered" had two tech stories back to back that demonstrate absolutely everything that is wrong with tech reporting.

In the first article, NPR host Robert Siegel and reporter Ari Shapiro discussed a coordinated denial-of-service attack against various American government institutions. The attack occurred over the weekend, and took down some of the US and South Korea's best-known government and media websites for an extended period. Ari Shapiro, with complete innocence, described the attack as coming from "a network of some 50,000 zombie computers."

In the second article, Wendy Kaufman reported on the Google Chrome OS, a vaporware announcement from Google that it was going to marry a new windowing environment based on the Chromium base with a Linux kernel and market it as an alternative to the current crop of operating systems. With a complete lack of reflection, Kaufman told Siegel that "90% of all computers out there are running Microsoft Windows."

It takes a special lack of awareness for an editor to run these two stories back-to-back without somehow illuminating the fact that the entirety of the botnet runs on Microsoft Windows. NPR does its listeners a disservice when it fails to point out that individuals can be running Windows and not know that their machine is infected and controlled by nefarious outsiders, that owning a Windows box is an attractive nuisance to criminals who would use it to attack our own government and our own country, and that Microsoft has failed in its legal duty of care to protect its users and its nation of origin.

Someday, when the final financial reckoning is done, Microsoft will be remembered as fondly as Bernie Madoff. It will have become an enormous public company without regard for its responsibilities to its customers, and the total cost of ownership of Microsoft products will have to include the price needed to protect Windows from itself, the cost of recovery after an attack, the burdens imposed by corrupted Windows installations, and the overall loss of GDP resulting from downtime.

NPR should point out that zombie botnets run Windows, and running something else, anything else, denying criminals access to your hardware, is both a financial and moral boon.

Date: 2009-07-09 04:40 am (UTC)
From: [identity profile] whipartist.livejournal.com
I was just thinking this afternoon that I'm shocked that the gummint hasn't put more pressure on Microsoft to close its security holes.

Date: 2009-07-09 06:39 am (UTC)
solarbird: (molly-angry-crying)
From: [personal profile] solarbird
You expect the media to draw conclusions and/or point out realities? What planet are you on?

My job requires me to run Windows

Date: 2009-07-09 06:50 am (UTC)
From: (Anonymous)
The three programs we use are all interdependent and require Windows OS. Does it avoid this issue at all to not run Windows as the primary OS if it still accesses the Internet?

Date: 2009-07-09 12:29 pm (UTC)
From: [identity profile] featheredfrog.livejournal.com
I'm sure NPR would appreciate hearing this. Did you forward this to them?

Date: 2009-07-09 02:47 pm (UTC)
From: [identity profile] elfs.livejournal.com
No, I sent them a nicely worded letter, cc'ing Ari Shapiro.

Date: 2009-07-09 01:43 pm (UTC)
tagryn: (CrazySketchers)
From: [personal profile] tagryn
As the old saying goes: when asked why he robbed banks, the criminal replied "Because that's where the money is!"

I don't believe LINUX and Mac are inherently immune from botnet programming, more just that they don't get hackers' attention because they're not common enough to be worth bothering with. I love Macs, but I'm not about to spend an extra $1,000+ to get the same amount of computing power, and LINUX remains a platform that most users have barely heard of. It may well be a case of "everybody uses Windows because everybody else uses Windows," but that's an indictment of Apple's and LINUX's failure to reach users, as well.

Date: 2009-07-09 02:30 pm (UTC)
From: [identity profile] omahas.livejournal.com
That's an age-old argument that has no basis in fact, actually. There is in fact no evidence that hackers don't hack Linux and Mac machines because "they're not common enough to be worth bothering about". First, many hackers hack machines for the challenge. They don't care how many are out there, or how much money they can make off of it. If Macs and Linux are so easy to hack, then why aren't there significantly more hacks out there for them?

Secondly, in late 2008, Apple reported sales in excess of 9 million Macs. You don't need a 100 million machines to create a botnet, nor to make money off of one. Any hacker can create a decent one off of that many Macs and use it to hack sites. But that's not happening.

Inherently immune? No, I don't think any machine is "inherently immune". But both Mac and Linux have a much stronger defense against such hacks than Windows.

As for everybody using Windows being an indictment of Apple's and Linux's failure to reach users, I think you underestimate the power of a monopoly. When you buy a PC and Windows is already on there by default (and some hardware manufacturers even give the impression that removing Windows will void the hardware warranty when that isn't the case) you aren't likely to go looking around for a new OS. At least, Jim Bob and little Miss Betty won't.

Date: 2009-07-09 03:16 pm (UTC)
tagryn: Owl icon (Default)
From: [personal profile] tagryn
First, many hackers hack machines for the challenge. They don't care how many are out there, or how much money they can make off of it. If Macs and Linux are so easy to hack, then why aren't there significantly more hacks out there for them?

That used to be the case, but cybercrime is increasingly the domain of organized crime and state security apparati. From their perspective, Macs and LINUX are not worth the bother: there's either not enough $$$ (users/machines) in it for the former, or not enough damage potential for the latter, to be significant.

Secondly, in late 2008, Apple reported sales in excess of 9 million Macs. You don't need a 100 million machines to create a botnet, nor to make money off of one. Any hacker can create a decent one off of that many Macs and use it to hack sites. But that's not happening.

They don't need 100 million machines, but if I can build a program to infect and control those 100 million, compared to (say) 9 million, it's pretty obvious which one has more bang for the effort. The additional "armoring" of Macs and LINUX against hacking doesn't hurt, but if the numbers were reversed, I doubt the criminals would be concentrating their efforts on the more-easily-broken Windows, because that's not where the profit is to be made.

Date: 2009-07-09 02:41 pm (UTC)
blaisepascal: (Default)
From: [personal profile] blaisepascal
They are not inherently immune, but they are definitely inherently resistant.

Unix has been around for 40 years, and Dennis Ritchie's patent on the Unix security model is nearly 35 years old. The first major Internet Worm was released over 20 years ago attacking Unix systems, which caused Unix professionals to really start to take the issue seriously years before Windows 95 was even developed. Unix has separation of privileges, restricted user rights, multi-user design in its core, etc, and has had these fundamental security-minded design issues for decades. Linux adopted the Unix API and security model wholesale. MacOS X is layered on a BSD Unix layer on top of Mach (or at least it was, originally), a microkernel developed with the same separation-of-privilege concerns as Unix itself. For malware to attack a Unix box and do lasting damage, it has to (a) get access to the system, and (b) escalate its privileges to superuser/administrator status. Social Engineering can allow (a), but 20-40 years of development has gone into making (b) as hard as possible.

Windows, on the other hand, started out with a single-user model, and had no separation of privileges. In effect, the (single) user was an administrator. Unfortunately, this has led to software being dependent on administrator privileges to install or sometimes to run. Microsoft has been trying to fix this problem for years, but the pervasiveness of the issue as well as backward compatibility concerns has made it extremely difficult to do. As such, it is much easier, once an attacker has gained access to the machine, to escalate to sufficient privileges to do lasting damage. Microsoft used to advertise that its Windows NT product was C2 security rated by the US Government, but neglected to mention that the C2-rated configuration was not network connected and had no floppy drive or other removable media.

It's true that part of the issue is that there isn't enough of an installed base to attack, but it's not true that that's the whole story.

Date: 2009-07-09 04:06 pm (UTC)
From: [identity profile] ionotter.livejournal.com
I think your argument is a bit flawed.

Granted, Windows and MS software IS full of holes. And their attitude and behaviour up until three years ago has been one of security through obscurity, and still is for the most part. But the Storm, Blaster and a few others have knocked out too many teeth for them to keep following that modus operandi.

However, Windows machines are vulnerable for a very few, specific reasons.

#1: User ignorance.

This is the top of the list. Windows machines are designed to run, straight out of the box for the most part, and everything is set to default. Most of the time, you just have to fill out a few forms, register the software and then jump online. There's really very little you actually have to DO in order to get things to work, just plug it all in and go.

That's not the case of 10 years ago, but things have become MUCH simpler.

The bottom line is that people don't WANT to fiddle, don't WANT to be bothered by anything other than their porn/news/blogs/IM/torrents. They want to treat their computer like the subway; get in, sit down, go.

Mac users are even MORE ignorant, so don't let yourself feel too good about their imaginary "resistance". Macs are the true plug-in-and-go devices, with no fiddling required whatsoever. They are the 1st class traveling section of the information superhighway, with all the snobbery (and ignorance) that entails.

*ix users are the MacGyvers of the internet. They didn't just hop on the information superhighway, they friggin BUILT that gleaming, chrome flying car they drive using spit and rubber bands. And they have this quirky tendency to repair the potholes in the ISH as they go along. They are the definition of "mad scientist".

I am a Windows user.

However, I am FULLY aware of every single vulnerability, every hole, every crack and every seam. I use FireFox with several security extensions, I run a firewall, anti-virus, MailWasher, PeerGuardian and use OpenDNS.

I also treat the internet like a warzone.

I don't click without looking at the lower left-hand corner to see where it's taking me. I pay attention to https and the lock icon. Mailwasher sandboxes all my emails, so I can delete them before they even hit my machine. I don't use MSIE or Outlook, and even if I did, my existing precautions would keep me protected. I don't go to porn sites I don't have to pay for, and I almost never download warez.

The ONLY thing I am truly vulnerable to is a zero-day exploit that somehow manages to bypass ZoneAlarm, AVG and my router, in which case we're all screwed anyway. Well, that and laziness or stupidity on my part.

So don't be too high and mighty on your gleaming air-car of Linux badness. Because no matter what happens to humanity, humans are ALWAYS going to want things to be easy, and the various flavors of *ix will be continuously dumbed-down and simplified until your average Windows user can use it straight out of the can.
Edited Date: 2009-07-09 04:07 pm (UTC)

Date: 2009-07-10 08:37 pm (UTC)
From: (Anonymous)
Let's also not forget that people love taking shots at who's on top. Hatred for Microsoft could be plenty reason enough for a lot of people to hack Windows over the others.

Apple escape some of this by actually having a decent PR department.

Elf Sternberg