Forget Blaming Microsoft or Google – Blame Yourself

Friday, January 22, 2010

People from all walks of life, including influential decision makers, are quickly firing off ye olde “Blame Microsoft” rants this week after another debacle involving Google and China. The debacle involved so-called state-sponsored (from China) “hacktivities” to compromise Gmail accounts. The attacks were – as we’re told – targeted at Internet Explorer version 6 (IE6). I’m curious to know why anyone is even bringing Microsoft into this mix. I say, blame those still using IE6. There certainly is a lot of controversy surrounding China’s “hacktivities” [1,2,3] and security theater [4] in the past, so this won’t be discussed right now. What I will discuss for a few paragraphs is pure common sense.

Imagine for a moment that you are a new parent. You purchase a crib and get proper use out of it. As time goes on, you never rid yourself of the crib and leave it lying around for a couple of years. Move ahead 10 years: the crib maker has since released many versions of the crib and has notified you time and time again – this crib is EOL’d (end of life’d – retired). [5] There are so many safety risks that they suggest users of CribVersion-whatever move to the latest crib. As a consumer you have a choice: you either deal with that crib, or find another one. [6,7] It is that simple.

Moving on, nine years pass and you have another child. You decide to go back to the old crib you’d been using for years – this after having seen, through those nine long years, the recalls and the safety issues associated with that crib. The question now is: whose responsibility is the safety of your child at this point? Your own, or the manufacturer of the crib? If you answered the latter – I suppose your children themselves have a lot more to worry about in their lifetime.

The same logic applies – or at least should apply – to just about anything you can think of, whether it’s a browser on an operating system, a washing machine for your home or even tires for your car. Companies that were using IE6 and were compromised obviously have little concern for the data on their systems or for the clients who pay for their services. They deserve to be taken to court and held accountable for their stupidity, and I state this with conviction. Patches, upgrades and warnings were as obvious as the statement “tomorrow is another day.”

Someone would have to be an Internet caveman to have been online for 9 years (IE6 was released 12/31/2001) and not see the issues with Internet Explorer. It has been hacked, broken, replaced and patched, and so many articles have been written on the dangers of Internet Explorer as a whole (all versions) that it is actually surprising anyone even uses IE – let alone complains about being compromised after using IE6. I refer back to the crib analogy.

None of those 30 companies mentioned deserve any sympathy – not one iota. For starters, Microsoft Update made a decent effort to rid users of IE6, which means someone wasn’t even updating their machines. I personally don’t believe that any decent security patching up until about 2007 would have allowed IE6 to remain on a system. It is now obvious that if any of those businesses were tasked with meeting any compliance mandates, they failed miserably. Shifting the blame is an altogether different story. Don’t blame Microsoft on this one; blame the administrators and owners of those machines.

As for the Google-slash-media spin of shifting the blame to Microsoft, the obvious answer to the problem is (drum roll): use Google Chrome. Right away. A browser is a browser is a browser – had the machines that were compromised been kept up to date, the likelihood of this attack even making the news would be close to none. It seems that Google is opportunistically taking a swipe at Microsoft over an instance of Gmail attacks, searching for a sympathetic ear.

Had Google an idea of what was really occurring during the compromise phase, they could easily have inserted a script that, when a user landed on Gmail, redirected users of affected browsers to a warning page: “Beginning INSERT_DATE_HERE, you will no longer be able to access Gmail using IE6. Please update your browser, as it exposes you to a lot of risk,” or something along those lines. This would have given Google a more “caring” image. “Aww, Google cares about my security!” If anyone can make something move on the Internet, it certainly is Google. Google, to their credit, warned users in 2008 to drop IE6 [8], yet everyone is shifting the blame to Microsoft. I say, blame the users.
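The gating script described above, as an added example and not anything Google shipped: it parses the user-agent string for the Internet Explorer major version and sends IE6-and-older to a warning page. The cutoff version, the warning URL and the sample user-agent strings are assumptions constructed for this example.

```javascript
// Added example (not Google's code): gate an end-of-life browser at page load
// and send it to a warning page, the way the post suggests Gmail could have.
// Written in ES3 syntax (var, no arrow functions) so that IE6 itself can run it.
// The cutoff version and the warning URL are assumptions.
var EOL_IE_MAX_MAJOR = 6;                    // IE6 and older are treated as end-of-life
var WARNING_URL = "/browser-warning.html";   // assumed location of the warning page

// Return the Internet Explorer major version from a user-agent string, or null
// if the string is not IE. Handles the classic "MSIE x.y" token, Opera's old
// habit of embedding "MSIE" while naming itself, and IE11, which dropped MSIE.
function ieMajorVersion(ua) {
  if (typeof ua !== "string") { return null; }
  if (/\bOpera\b/.test(ua)) { return null; }        // Opera spoofing IE is not IE
  var m = /\bMSIE\s+(\d+)(?:\.\d+)?/.exec(ua);
  if (m) { return parseInt(m[1], 10); }
  var t = /\bTrident\/\d+(?:\.\d+)?;.*\brv:(\d+)/.exec(ua);   // IE11 style
  if (t) { return parseInt(t[1], 10); }
  return null;
}

function isEolBrowser(ua) {
  var v = ieMajorVersion(ua);
  return v !== null && v <= EOL_IE_MAX_MAJOR;
}

// Decide where a page load should go: the warning URL for an EOL browser, null
// otherwise. Pure function, so it can be checked without a real browser, and it
// never redirects the warning page to itself.
function redirectTarget(ua, currentPath) {
  if (currentPath === WARNING_URL) { return null; }
  return isEolBrowser(ua) ? WARNING_URL : null;
}

// Browser entry point: only runs when a window and navigator exist.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  var target = redirectTarget(navigator.userAgent, window.location.pathname);
  if (target) { window.location.replace(target); }
}

// Constructed sample user-agent strings for offline checks
var SAMPLE_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
var SAMPLE_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)";
var SAMPLE_IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko";
var SAMPLE_OPERA8 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50";
var SAMPLE_CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36";
```

A user-agent check is a usability gate, not a security control: the string is client-supplied, so this only steers cooperative browsers to the warning page.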


Problem Exists Between Keyboard and Chair

Rick Clowers
From a security viewpoint I would have to agree. No one should be continuing to use IE6 of their own accord. However, one major issue that companies are faced with on a constant basis is that of support for other systems/products. One shining example (and I use the word shining as in shiner - a black eye) is an issue my company has had to deal with. I work for a healthcare agency that includes several hospitals. We have a product that allows the physicians to access patient information over an https site instead of installing a fat or thin client. Over a million dollars has been dropped into this system over time and the manufacturer is a very well known software supplier to hospital systems. Now the problem is that after shelling out all of this money for a product AND product support in case of problems, the supplier will not give the support we paid for if we are not using the "approved" standards that they recommend. The case in point is that if we were to call in an issue and during the process of investigating they discovered that the browser being used is IE 7 or 8 or Firefox or whatever, they will close the ticket and proclaim that we are using products that are not approved so that must be the problem. Therefore we are held back to IE6 because they have not "cleared" their code for the newer browsers. I am in total agreement that when Microsoft does its job the rest is up to us, but in situations like the one I described, liability should transfer to whoever is holding up progress. If they are going to update the HIPAA laws, they should extend responsibility to the software companies that supply the systems themselves. Maybe they would move a little faster on testing their code.
Anthony M. Freed
I wonder what HIPAA would have to say about Google AdWords?

It will read your emails between you and your physician, perhaps discussing high cholesterol, and before you know it - there are cholesterol drug ads being aimed at you.

Can anyone weigh in on that?