| | |
|
AndreiVoinigescuFirstPaper 11 - 14 Apr 2009 - Main.AndreiVoinigescu
|
|
<
< |
| META TOPICPARENT | name="FirstPaper%25" |
|---|
| >
> |
| META TOPICPARENT | name="FirstPaper" |
|---|
| | | Making Microsoft Pay for Windows' Shoddy Security
-- By AndreiVoinigescu - 07 Apr 2009 | | |
Introduction | |
<
< | Conficker was hypothesized by some as the progenitor of a cyber-9/11. The worm, which targets vulnerabilities in the network code of all versions of Microsoft Windows in common use, has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines. | >
> | Conficker is the latest in a series of malware exploiting security vulnerabilities in the Windows operating system and other commonly-used Microsoft software. The 'worm' has managed to infect at least nine million computers worldwide, including government and military networks. It has created a vast network of zombie machines--a botnet--which awaits instructions from the worm's creator. Like all botnets, it could be used to generate spam messages, to overload websites and networked services in denial-of-service attacks, and to fetch sensitive data from the infected machines. Given its unprecedented spread, the Conficker botnet might even be able to orchestrate the internet equivalent of the 9/11 or Pearl Harbor attacks. | | | Lost productivity caused by malware and the costs of anti-malware measures is in the billions, and rising. Cellphone companies and governmental agencies who favor a move towards walled private networks with built-in layers for perfect identification, surveillance and enforcement have seized upon the cost of malware as part of their rhetoric. If a cyber-9/11 really does come to pass, it probably won't take long for legislation eliminating the last vestiges of network openness and anonymity to be pushed through. | | | It seems, to me at least, that smart computing has a large effect on whether a PC is able to avoid being turned into a zombie, either by running recommended security measures (as listed above), or by not running random .exe files sent by strangers, with the subject line "ILOVEYOU."
-- JonathanBonilla - 11 Apr 2009 | |
>
> |
Jonathan -- good point about the link. I had linked Wired blog as shorthand to aggregate a number of different articles about the Conficker worm, but I can see how it undercuts my argument. On further consideration, I've revised that paragraph.
Your raise two interesting substantive points, both arguments which Microsoft would probably seize upon if sued. I will concede that 'smart computing' reduces the risk from malware substantially. As may warnings -- though I would argue that the over-reliance on warning dialogs in Vista is actually detrimental to security, since the annoyance factor convinces many users to just turn the warnings off or subconsciously ignore them.
Can Microsoft discharge its duty of care/design responsibilities with warnings and partial fixes? I would argue that it can't, though I think this is an unsettled area of tort law. But it seems to me that claiming 'my product is pretty safe, and in any case, I warn users of the danger' shouldn't be enough when you can take additional precautions that have a favorable cost:benefit ratio.
After Microsoft patched some of the NetBIOS? vulnerabilities the Conficker worm was using to spread, the worm modified its behavior to take spread via USB drives. Windows sets the autorun on by default for USB drives, though users can disable it manually. Changing the default to off seems like the kind of design decision that would increase security at minimal cost. Should Microsoft be able to ignore changes like that by merely warning users about the danger of autorun?
-- AndreiVoinigescu - 14 Apr 2009 | | | |
|
|
|
|
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
|
|
| | |