Worms bring out the Hatred in people

Phil Karn (aka KA9Q) has a hatred for Microsoft and their lack of security. Well explained one at that.

It seems Microsoft used some open source/public domain code in Windows XP which had Phil's email address in it from work he did previously. Microsoft was kind enough to give him credit in a release note... which ended up doing more harm than good.

Why? Well Klez and SoBig found the email address and bombarded him ... repeatidly. Gotta love worms that scan harddrives looking for email addresses. Basically, there is a chance that every XP machine that was compromised has had an opportunity to fire an email of the Phil.

Phil shows a nice chart of the attack. By the end of August he was getting hit by over 900,000 email spams from the worms. Oh how nice.

Goes to show you the side affects of Microsoft's mistakes. We all suffer from it. The lack of security of others affects me personally as I have to defend against the compromised hosts. Of course, now if you are an open source developer whose code gets used by Microsoft... you have a chance to become a target as well. *sigh*

What I can't fathem is how we got this far. I have a lot of respect for people like Michael Howard over in the Secure Windows Initiative. But even still, I don't think half the campus is TRUELY listening to what the security gurus on their own campus are saying. Taking a month off to audit code doesn't seem to be enough, because these latest attacks (which are getting incrementally smarter and more creative) all come from code that WAS audited.

Now I have heard the comments about Microsoft being the victim because of their marketshare in the industry. That doesn't fly with me. They may be a bigger target, but they have the resources to DEFEND against it they CHOSE to. (Notice I said CHOSE to, this is a senior management issue... not something the programmers or lower levels can do about it) With $50 Billion in cash, if they spent even a billion more on securing existing code they would probably make it back within a year or two... from those customers they are going to continue to lose or speak out in the midst of this. Don't believe me? Check out this open letter to Tom Ridge(Homeland Security guy) from the Computer and Communications Industry Association. Imagine if the US government started listening to this, and Microsoft lost its government contracts. Bet you then they would take more action.

Frankly, this is why I left my last company and formed a new one. We need creative solutions to defend against these and new unknown threats. Its sad to say, but Microsoft has created a market for us. As they continue to miss out on these opportunities to fix their problems and take care of their client's concerns in relation to security, there is a pain that needs to be soothed. And more to the point, instead of bitching about the lack of security, I want to be proactive and do something about it.

By the end of the year, you'll see how.