Forget Blaming Microsoft or Google – Blame Yourself

2010 January 22

People from all walks of life, including influential decision makers, are quickly firing off ye ole “Blame Microsoft” rants this week after another debacle involving Google and China. The debacle involved so-called State Sponsored (from China) “hacktivities” to compromise Gmail accounts. The attacks were – as we’re told – targeted towards Internet Explorer version 6 (IE6). I’m curious to know why someone is even bringing Microsoft into this mix. I say, blame those still using IE6. There has certainly been a lot of controversy surrounding China’s “hacktivities” [1,2,3] and security theater [4] in the past, so this won’t be discussed right now. What I will discuss for a few paragraphs is pure common sense.

Imagine for a moment that you are a new parent. You purchase a crib and get your proper use out of it. As time goes on, you never rid yourself of the crib and leave it lying around for a couple of years. Move ahead 10 years: the crib maker has since released many versions of the crib and has notified you time and time again – this crib is EOL’d (end of life’d – retired). [5] There are so many security risks that they suggest users of CribVersion whatever move to the latest crib. As a consumer you have a choice: you either deal with that crib, or find another one. [6,7] It is that simple.

Moving on, nine years pass and you have another child. You decide to go back to the old crib you’d been using for years – this after you’ve seen, through those nine long years, the recalls and the security issues associated with that crib. The question is now, whose responsibility is the safety of your child at this point? Your own, or the manufacturer of the crib? If you answered the latter – I suppose your children themselves have a lot more to worry about in their lifetime.

The same logic applies – or at least should apply – to just about anything you can think of, whether it’s a browser on an operating system, a washing machine for your home or even tires for your car. Companies who were using IE6 and were compromised obviously have little concern for the data on their systems or for the clients who pay for their services. They deserve to be taken to court and held accountable for their stupidity and I state this with conviction. Patches, upgrades and warnings were as obvious as the statement “tomorrow is another day.”

Someone would have to be an Internet caveman to have been online for 9 years (IE6 was released 12/31/2001) and not see the issues with Internet Explorer. It has been hacked, broken, replaced and patched, and countless articles have been written on the dangers of Internet Explorer as a whole (all versions) – so much so that it is actually surprising that anyone even uses IE, let alone complains that they were compromised after using IE6. I refer back to the crib analogy.

None of those 30 companies mentioned deserve any sympathy – not one IOTA of them. For starters, Microsoft Updates tried in a decent fashion to rid users of IE6, which means someone wasn’t even updating their machines. I personally don’t even believe that any decent security patching up until about 2007 would have allowed for IE6 to remain on a system. It is now obvious that if any of those businesses were tasked with meeting any compliance mandates, they failed miserably. Shifting the blame is an altogether different story. Don’t blame Microsoft on this one, blame the administrators and owners of those machines.

As for the Google slash media spin of shifting the blame to Microsoft, the obvious answer to the problem is (drum roll): Use Google Chrome. Right away. A browser is a browser is a browser – had those compromised machines been kept up to date, the likelihood of this attack even making the news would be close to none. It seems that Google is opportunistically taking a swipe at Microsoft because of an instance of Gmail attacks, searching for a sympathetic ear.

Had Google an idea of what was really occurring during the compromise phase, they could have easily inserted a script that, when a user landed on Gmail, would have redirected users of affected browsers to a warning page: “Beginning INSERT_DATE_HERE, you will no longer be able to access Gmail using IE6. Please update your browser as it exposes you to a lot of risk” or something along those lines. This would have given Google a more “caring” approach. “Aww, Google cares for my security!” If anyone can make something move on the Internet it certainly is Google. Google to their credit warned users in 2008 to drop IE6 [8] yet everyone is shifting the blame to Microsoft. I say, blame the users.
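The redirect script described above could look something like this. It is an added example, not code from this post or from Google; the cutoff date, the warning path and the sample User-Agent strings are constructed placeholders.

```javascript
// Added example: gate end-of-life Internet Explorer on the server side.
// CUTOFF and WARNING_PATH are assumed placeholders, not values from the post.
const CUTOFF = new Date("2010-03-01T00:00:00Z");
const WARNING_PATH = "/unsupported-browser";
const MIN_SUPPORTED_IE = 7;

// Major IE version claimed by a User-Agent header, or null if not IE.
function ieMajorVersion(userAgent) {
  if (typeof userAgent !== "string") return null;
  // Opera could masquerade as MSIE but still appended its own name.
  if (/\bOpera\b/.test(userAgent)) return null;
  // Only the FIRST "MSIE n.n" token is the browser. Add-ons sometimes
  // appended a second, stale "MSIE 6.0" token to newer versions, so a
  // naive "contains MSIE 6" check would lock out patched users.
  const match = /MSIE (\d+)\.\d+/.exec(userAgent);
  return match ? parseInt(match[1], 10) : null;
}

// Returns { action: "allow" | "warn" | "redirect", ... } for one request.
function gateDecision(userAgent, now) {
  const version = ieMajorVersion(userAgent);
  if (version === null || version >= MIN_SUPPORTED_IE) {
    return { action: "allow" };
  }
  if (now < CUTOFF) {
    // Grace period: serve the page with a banner naming the cutoff date.
    const day = CUTOFF.toISOString().slice(0, 10);
    return {
      action: "warn",
      banner: `Beginning ${day}, you will no longer be able to access ` +
        `this site using IE${version}. Please update your browser.`,
    };
  }
  // After the cutoff: HTTP 302 to the static warning page.
  return { action: "redirect", status: 302, location: WARNING_PATH };
}

// Constructed sample headers, for illustration only.
const SAMPLE_AGENTS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie8Nested: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; " +
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))",
  operaAsIe: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6",
};
```

The User-Agent header is supplied by the client, so a gate like this only nudges users off an end-of-life browser; it is not a security control, and patching the machines is still what closes the hole.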

[1] http://infiltrated.net/chinaBoogeymen.html
[2] http://infiltrated.net/chinaSuperninjas.html
[3] http://infiltrated.net/scadaboogeymen.html
[4] http://en.wikipedia.org/wiki/Security_theater
[5] http://support.microsoft.com/lifecycle/?LN=en-us&x=17&y=8&p1=2073
[6] http://www.getfirefox.com/
[7] http://www.opera.com/
[8] http://www.tgdaily.com/software-features/40785-google-tells-users-to-drop-ie6

Problem Exists Between Keyboard and Chair

5 Responses
  1. lop1
    January 28, 2010

    What about the users of Windows 95 and Windows 98 that can’t upgrade because the new Windows don’t support their chipset?

    • January 28, 2010

      Computing costs have gone down. Any business who is still using Windows 95 is obviously out of touch with reality. If in 15 years you haven’t made enough money to update, then your business model is horrible. For users of 98, same applies.

  2. February 2, 2010

    @lop1
    I can somewhat understand your situation. I worked for an R&D company with a very large lab that had specialized software (read: no updates possible). However, we found alternatives, such as Citrix or other terminal services for certain activities. I will add that if you are using 95/98 you have bigger concerns beyond the browser and would strongly recommend that you at least buy one system that can run a modern OS and use that system for on-line activities, period. If you’re completely stuck, I can assure you that ANY hardware you have will run Linux and many distributions of Linux today will do anything other OS’s can do, especially old versions. Of course, I have to reflect Aeon here… I bought a decent PC for $350 the other day… running Win7 perfectly. If you’re really strapped, you can build a PC for half that. Sorry, but there are very few “excuses” for running 15 year old OS’s – there are just too many options available.

    @aeon
    I’m a fan and have enjoyed your posts, and I think this one really stands out as “spot on”. I can’t seem to get over how everyone is making such a big deal and pointing fingers when dealing with such an old and extensively documented insecure browser platform. It’s madness. I think you really captured the root in this post – bravo.

    On a side note, and I’m sure you know this, Google announced they are not supporting IE6 any longer – to your point specifically. Lastly, it turns out that based on the exposure of Google information (at least this is claimed, but not necessarily confirmed by Google) that implies employees of Google are/were using IE6! If true, and everything points to this potential conclusion, then that is truly messed up.

    I think the world today is too busy trying to blame others and assume no responsibility or accountability for their own actions. If you are effectively and clearly warned (especially multiple times) and chose to not act on those warnings, then you are responsible. Simple.

  3. hdante
    February 18, 2010

    In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.[23]

    ^ Mills, Elinor (14 January 2010). “New IE hole exploited in attacks on U.S. firms”. CNET. Retrieved 22 January 2010. http://news.cnet.com/8301-27080_3-10435232-245.html

    The above article is a big pile of bullshit. You have been warned for more than 1 decade to stay away from Microsoft. Now you will swallow it all the way down.

    • February 18, 2010

      Alright, I’ll post this comment because I don’t believe in “filtering” anyone’s (I REPEAT ANYONE’S) point of view. I do ask however, that profanities not be used as I do try to keep things professional. I thought I made it clear that regardless of *WHAT* the software is, it is up to the end user at the end of the day to keep their systems secure.

      In the cases of enterprise networks still using vulnerable software, I have an article in the works which addresses some of the “fluff” concerning people who say “we can’t get rid of…”, “we can’t block…”
