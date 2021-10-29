from the it's-deja-vu-all-over-again dept.
Back in 1998, Paul Strassmann, a former CIO of Xerox, NASA, and the US Department of Defense, wrote in Computerworld about how Microsoft's overly complex, defective, and vulnerable systems which were already a threat to national security even back then. The intervening time has shown Strassmann to have been more than correct as the problems he identified with Microsoft and its products worsen monatonically. Mitchel Lewis writes a guest post at Techrights about the current situation and how Microsoft remains a security threat against national security and systematic reliability of our computer-based society today:
That said, I think enough time has elapsed to confirm that Paul Strassmann is an authority on such matters and that Microsoft is precisely who he said they were. Further and with hindsight in our pocket, it seems as if Microsoft was merely projecting when they said Strassmann's paper was flawed and that he made errors in analyzing the state of computer security and its causes in light of their 95–99% monopoly on ransomware infections alone and that ransomware is already considered to be a national security threat.
[...] However, I'd like to think that Microsoft would get creative if the government were to sanction Microsoft by allowing allow citizens and businesses impacted by ransomware to bill Microsoft for the cost of the ransom and their losses in productivity. And although Microsoft cannot be faulted for the attacks, they can be faulted for their shit-in-hand approach to quality and security while sanctioning them until they actually take a common-sensical approach to quality and security appears to be the simplest means of combating ransomware and mitigating the threat it poses to our national security.
While 2% of known ransomware affects Android, which makes 72% of the mobile market and 41% of all clients, the rest is for Microsoft's product line which weighs in at 32% of the market nowadays. So far Microsoft's response has been weak and based on strawman fallacies with the occasional feeble ad-hominem fallacy thrown in.
Previously:
Many posts about Windows ransomware
(2021) The State Department and Three Other US Agencies Earn a D for Cybersecurity
(2016) DNC Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert
(2016) Execs: We're Not Responsible for Cybersecurity
Related Stories
Now this is scary. CNBC has a story posted: Execs: We're not responsible for cybersecurity. The story was posted on April 1, but I do not think this is a joke.
More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.
More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq.
"I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cybersecurity or protecting the customer data," Damato told CNBC's "Squawk Box". ...
"As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now," he said.
I suppose I should not be surprised, but I find it absolutely appalling that there could be this level of active ignorance at such a high level in an organization. What would it take to make said "leaders" actually care about security?
Current practices of providing a year or two of credit monitoring seems woefully inadequate compensation. What if the affected company had to make an actual cash payout of, say, $500 to every person who had their personally identifiable information (PII) compromised? Treble that amount if the notification is not "timely"?
Submitted via IRC for TheMightyBuzzard
The Democratic National Committee (DNC), still reeling from the hack on its computer system that resulted in a bunch of leaked emails and the resignation of basically all of its top people, has now created a "cybersecurity advisory board" to improve its cybersecurity and to "prevent future attacks." .
"To prevent future attacks and ensure that the DNC's cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field," interim DNC Chairwoman Donna Brazile wrote in a memo. "The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future."
Sure. That sounds like a good idea. But, then there's this:
Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Copra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.
[...] But none of them are actual cybersecurity experts. I have no problem with these people being on this advisory board, but it's insane to put together a cybersecurity advisory board that doesn't include at least a single (and probably more) actual technologist with experience in cybersecurity.
Source: https://www.techdirt.com/articles/20160815/09190935246/democratic-national-committee-creates-cybersecurity-board-without-single-cybersecurity-expert.shtml
The State Department and 3 other US agencies earn a D for cybersecurity:
Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee.
"It is clear that the data entrusted to these eight key agencies remains at risk," the 47-page report stated. "As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."
The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner.
The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies—including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education—failed to protect sensitive information they stored or maintained.
(Score: 0) by Anonymous Coward on Sunday October 31, @12:06PM
All you can do is make it more trouble than it is worth to find a way in.
One way is to provide a lot of low hanging fruit in other folks systems. (Might say Msoft provides a public service?)
Another way would be to actually secure the system.
I wonder if that is even possible at this point.
A simple kernel and CPU without side channels seems reasonable even if there isn't one with performance yet.
Network and security stack is more complicated, but maybe.
Web browser looks hopelessly complex. (Even without a plugin for every media type known to man?)
Perhaps a first goal should be to make something small and tight for SCADA/IOT stuff.
Then try to get it to support a really tight sandbox which can safely run the bad guy's code.
(To be tight, it needs to be simple. Using the browser as the sandbox seems a useful layer, but not trustworthy.)
The economics of the WWW is built on other folks running code you your computer, so it seems fundamentally hard to make secure from the start.