Week of January 14, 2005

Security Week in Review articles

AMD called to task for overhyping security technology

E-Banking in Korea less risky for consumers?

Thief who stole cancer patient's identity convicted under US HIPAA law

Microsoft bungles every opportunity to win hearts and minds

It has taken a while, but MS has finally nailed its colours to the mast and entered the security space, with the release of new anti-virus and anti-spyware tools, available free (for now) from their website. The latter was fully expected, as MS bought Giant Company Software, a fledgling anti-spyware company, last month and promised a beta version of the software within a month.

Clearly there was insufficient time for branding, as the new product is dubbed 'Microsoft Windows AntiSpyware'. It comes with the worldwide 'SpyNet' community (note: poor branding is worse than none at all), a voluntary network of users that will help identify emerging threats and improve the overall utility of the product. Or so the story goes. Any Windows user, however lowly, can choose to join the community and rat out the bad guys to Microsoft.

Win. 98 and Millennium users out in the cold

Except, that is, for those loyal Windows users running Windows 98 or Windows Millennium Edition (probably the worst dog of an OS ever written). Alas, the new malware-fighting tools are only available to Windows XP and Windows 2000 users.

There is a decent (in every sense of the word) argument to be made by any Windows Me user who bought a new and expensive PC in 2000, in good faith, from Dell (for instance): that they were entitled to a product fit for the purpose for which it was provided, and at the very least one that was not so buggy and defective that it could conceivably make them the victim of identity theft.

And there is no credible argument to be made that in 2000 such threats were not eminently foreseeable. We are not talking about the advent of the Internet here, back in the annals of time when no one saw the need for security to be built in. This is recent, not medieval, history. But the folks at MS do not seem to care about such small and insignificant niceties.

You bought a lemon. And apparently that is your problem. Unless you upgrade of course.

Imagine you buy a lemon of a car. Your only redress is to buy another car (at a discount) from the same dealer. Indeed, this is a truly spectacular business model for MS.

When software bites

MS released two "critical" security bulletins last week (Jan 11) to address security holes an attacker could use to take over your computer, change and delete data, and install malicious programs. The first flaw affects Windows Server 2003, Windows 98, Me, 2000 and XP, including the much-hyped Service Pack 2. Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed. The second flaw affects Windows 98, Me, NT, 2000, XP and Server 2003.

In an MS advisory on these threats, it reminds us that Microsoft will only release security updates for 'critical' security issues for Windows 98, Windows 98 Second Edition, and Windows Me until June 30, 2006. 'Non-critical security issues are not offered during this support period'.

However, ‘customers may request non-critical security fixes for Windows 98, Windows 98 Second Edition, Windows Me, and the most current version of their components until June 30, 2006 through typical assisted-support channels’.

Now let us speculate. What is the likelihood that the average home user will have any clue what 'through typical assisted-support channels' means? Will they instead (to the extent they even know) feel they have been sold a lemon and royally shafted? The bets are on.

As for security flaws in the notoriously buggy Internet Explorer (IE) and Media Player (which came bundled with Windows 98 and Windows Me), the same (no) support deal applies.

Little wonder poor Walter gets mad

But does anyone care about the little guy? At least the CIOs at major corporations can screech so loudly that they have a hope of getting some form of redress; even MS can't blatantly ignore them. But does the average person have a clue why their computer seems to crash constantly running Windows Me? Or that they are only covered until 2006 for 'critical' security flaws in this software, as determined by MS? Methinks not.

And this is the scenario that MS would like to see migrate into our living rooms, and onto our error-free zone, the much-loved TV set. I shudder with apprehension.

If MS ever has a hope of countering a reputation for arrogance and high-handedness, they must imbue everything they do with a new, radical consciousness: the customer comes first. Alas, although it is early days, things are not looking good.

Walter Mossberg, the highly influential Wall Street Journal technology guru and long-term MS critic, reviewed the new MS anti-spyware product last week and found it lacking (WSJ, 'Personal Technology', Jan. 13, 2005).

(On a positive note, Walter indicated that he does not believe there is any impediment to MS bundling anything they want with Windows if it relates to 'core functionality', and that the need to protect consumers with security products and features must trump anti-trust considerations. Sighs of gratitude in Redmond for a scintilla of good press from the WSJ.)

I expressed similar misgivings (in my analysis of the MS EU decision) that the doomsayers (including most of the analyst community) are correct when it comes to suggesting that MS is prohibited from bundling security products with Windows.

It was not so much that there were any gaping technical flaws as such in the MS anti-spyware product (although Walter prefers the Spy Sweeper product from Webroot Software Inc). Rather, he concluded that MS may be using 'security software to promote its other products at the expense of the competition'.

Walter was unimpressed by, and suspicious of, the way the MS tool deals with hijacked web home pages (where your choices are hijacked by an evil programme). Most anti-spyware programmes try to restore the user's preferences. The MS tool, however, tries to replace the bad pages with home and search pages from MSN, the MS service. To Walter, this smacks of "the same type of coercion that spyware authors are using".

In other words, instead of getting back your original home page selections, the links to the Russian Mob home page are replaced by the MS tool with pages selected for you from MSN. The lesser of two evils, one might argue, but a poor conclusion from the perspective of respecting the user's right to choose.

While this tool is free, there may be few dissenters, Walter excepted. But will the masses pay for something that removes one evil, but then tries to manipulate them to its own corporate ends? Especially when freeware products are available to do the job, with no hidden agendas?

Walter also found that the MS tool only protects IE users from page-jacking, and not users of rival browsers such as the Mozilla Foundation's Firefox (recently getting cosy with Google, an MS arch-rival).

Even if what Walter found is not confirmation of some devious plot at MS, they should remember that perception is nine tenths of reality and that consistency is key to any effort at re-branding.

You can't whistle Dixie out of both sides of your mouth and expect to be found credible.

And why is that so very hard? 

It is hard because most corporations (especially in North America) are under immense pressure to deliver unrealistic returns for shareholders, quarter over quarter. They must beat 'analysts' expectations' time after time, or face the wrath of the market.

All too few managers in such a cutthroat environment feel they have the luxury to 'do the right thing' if they believe it will negatively impact the bottom line. So they will take it to the limit, test the boundaries, and see what they can get away with. And in the software game, there is so much to get away with.

Hence the crucial role played by regulators and consumer advocates: they must strive to temper the zeal for profits with respect for decent behaviour towards consumers, without whom there would be no markets to fuel and no fires to stoke.

Indeed, a propensity to 'do the right thing' can become the cornerstone of the most trusted and envied brands, a fact often overlooked by the most ruthless (and short-sighted) organisations.

In a fine example of how warped the corporate world has really become, the Costco CEO Jim Sinegal was recently forced to defend himself against heinous charges: that he was a) treating customers 'too well' (so much for CRM), for instance by adding extra staff to shorten lines, and b) doing way too much of the right thing by paying workers a decent wage, paying for their health care benefits, and generally treating them like human beings.

The market reproached him, saying he could eke out more profits if only he, well, if only he treated workers more like "the other crowd". No names needed. And let those darn customers wait a bit longer to be served.

What a stellar recommendation to shop at Costco. Long may Jim hold out against the myopic hyenas.

T-Mobile needs more than Catherine Zeta Jones

A 21-year-old US hacker, Nicholas Jacobsen, with the handle 'Ethics', had access to the personal details (including many social security numbers) of 16.3 million T-Mobile customers. He was circulating highly sensitive data stolen from the My T-Mobile account of a US Secret Service cybercrime operative when he was fingered by an informant in an underground chatroom.

He was eventually conned into using a Secret Service honeypot (trap) proxy server, where the Feds watched him log on with the stolen usernames and passwords of various T-Mobile customers.

SecurityFocus broke the story, maintaining that the Secret Service is keeping it quiet because Jacobsen (previously a network administrator at a company in California, and now living in Oregon) may be 'co-operating' to save his neck, and they don't want to blow his cover.

However, the fact that SecurityFocus described the crucial informant as 'an administrator and moderator on the Shadowcrew site' probably did a good job of blowing his cover, so more help is undoubtedly needed.

Supposedly Jacobsen amused himself by using the account details of celebrities to view photos they had taken on their mobile phones (hopefully not photos taken by the lovely Catherine herself).

Naiveté and money

In the litigious spat between the brokerage arm of CIBC (Canada) and errant ex-employees who left to start Genuity Capital Markets, there was consternation on Bay Street (Toronto) when CIBC produced less than flattering emails from Genuity staff, discussing their glee at the prospect of making 'lots of moohla', etc.

Many broker types were apparently astonished that CIBC could access their 'private' emails (sent over company BlackBerrys), as these were secured by their very own PINs.

What strikes me as singularly more astonishing is that folk with a reasonable expectation of making 'lots of moohla' haven't got the slightest clue about the most basic concepts behind electronic communications.

What the T-Mobile story reveals is that even if they had used external providers for email, there is every chance that a 21-year-old hacker could access their accounts, peruse their innermost thoughts, view their saved photographs, and have a good laugh at their expense.

Forewarned is forearmed.   


French security researcher faces jail for exposing security flaws in anti-virus product

In 2001, Guillaume Tena found a number of vulnerabilities in an antivirus software product owned by a company called Tegam. He published the flaws online in March 2002.

Now, both French prosecutors and Tegam are pursuing him through the French courts. A trial commenced in Paris on 4 January 2005. Prosecutors allege he has violated copyright laws and seek a four-month prison term and a €6,000 fine. In separate proceedings, Tegam is suing Tena for €900,000 in damages.

According to Tena, Tegam claimed in advertising that their software detected and stopped '100 percent of viruses'. His research apparently showed otherwise.

(If their advertising did indeed make such an ambitious claim, one wonders why French regulators are not pursuing Tegam for misrepresentation and over-reaching under consumer protection laws. See the AMD story.)

Tena is currently conducting research at Harvard. Besides an understandable reluctance to see the inside of a French prison, he is concerned that a judgement against him will set a precedent in France ensuring that future vulnerabilities in software, however critical, will not be publicly revealed by legitimate researchers (unless they are prepared to do jail time on principle) without the prior consent of the software publishers.

Alas, this is not an isolated case. It is merely part of a disquieting global trend gathering momentum around the world, at the behest of the software vendors.

Certainly, muzzling legitimate researchers from freely publishing their findings about security flaws in software cannot leave one with much confidence in products coming to market replete with marketing hype, FUD and 'hoopla'.

As we have seen, software vendors are not prepared to make information about ‘all’ security flaws available to ‘all’ users (especially those unfortunate enough to rely on older versions of their products).

It seems extraordinarily rich to argue, under such circumstances (and in the almost total absence of legal recourse for purchasers of defective, and indeed dangerous, products, in so far as they contain serious security flaws that can expose users to hacking attacks and possibly identity theft), that consumers must rely on product vendors to be forthright and to respond immediately to bad news from third parties.

What guarantee is there that they will not sit on news of the flaw, or get around to it if and when they see fit, and hang the consumer (possibly severely, and unknowingly, impacted by the defect) in the interim?

History tells us that such a course is almost inevitable. Product liability laws and consumer protection statutes would never have been necessary if we could have relied on humans to act decently.

The final ruling in the case is expected in Paris on 8 March, 2005.