Armageddon, M$-style

“On May 12, hackers hit more than a hundred countries, exploiting a stolen N.S.A. tool that targeted vulnerabilities of Microsoft software. The attacks infected only machines running on Windows operative system. Among the victims are public administrative bodies such as NHS hospitals in the UK. Investigate Europe spent months to investigate the dire dependency of European countries on Microsoft – and the security risks this entails”
 
See Why Europe’s dependency on Microsoft is a huge security risk – Investigate Europe
Thanks to software developed by USA’s NSA and which was allowed to get into the wild, the world is being held hostage. Well, the world of users of M$’s OS I call That Other Operating System, or TOOS, for short, was put at great risk because millions of PCs in vital roles in government, industry and personal use were vulnerable at the same instant to the same malware, a vulnerability in some of TOOS’ friendly list of overly complex features, must-haves…

There is a simple solution, FLOSS, Free/Libre Open Source Software. With it I run my computers, City of Munich runs its computers, and folks who care about security run their computers with no fear of such widespread vulnerability. I use Debian GNU/Linux, LibreOffice and FireFox web browser. I don’t need TOOS for anything and you don’t either. What’s holding you back from the good life when using TOOS could make you hostage to any kid or criminal who can write a bit of software?

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology and tagged , , , , , , , , , , , . Bookmark the permalink.

43 Responses to Armageddon, M$-style

  1. Grece says:

    Don’t let this man distract you from the fact that in 1998, The Undertaker threw Mankind off Hell In A Cell, and plummeted 16 ft through an announcer’s table.

  2. oiaohm says:

    Claiming that running 10 year old program does not work on Debian and lot of other Linux is false.

  3. oiaohm says:

    Wizard Emeritus it does not change the fact you are a idiot who is commenting who has never read the debian manuals that in fact describe how to-do the feature I describe under backports. So keep on going and prove you as being a idiot claiming a feature does not exist when it does.

    Why when you need to build a package for a old version of debian on current hardware you need to use the newer kernel and graphical to test stuff.

    So running 10 year old program using the backport methods of debian works. Right back to the first version of debian. Issue is useably is questionable. The debian administration manual recommends against it on security grounds.

    Complaining about poor useablity for running 10 year old programs is true. Claiming that running 10 year old program on Debian and lot of other Linux is false.

  4. Wizard Emeritus says:

    “Sorry compatibility is not always easy. The debian way is as bad as manual shimming under Windows.”

    The statement changes nothing – the feature you speak of still doesn’t exist.

  5. oiaohm says:

    Wizard Emeritus so using shims to make old windows applications don’t exist either where you have to manually alter the database at times.

    Sorry compatibility is not always easy. The debian way is as bad as manual shimming under Windows.

  6. Wizard Emeritus says:

    “The big thing that is missing is a compatibility mode dialogue to-do a lot of this stuff in back ground easily.”

    Then it doesn’t exist.

  7. oiaohm says:

    Ah, but to be conciliaitory here. Which particular app from ten years ago still works for you (with no recompiling effort, of course) on Debian?
    DrLoser I still run some Loki games from the year 2000 on latest testing debian.

    Its surprising what works when you bundle the runtime.
    https://forums.gentoo.org/viewtopic-t-390993-start-0.html

    Please note libraries for old versions of debian. http://snapshot.debian.org/ yep debian repositories include a time travel system for chroot or for sourcing libraries to use with a ld-so override combination.

    The big thing that is missing is a compatibility mode dialogue to-do a lot of this stuff in back ground easily.

  8. DrLoser says:

    Next question.

    Fair enough, Kurks. Next question: what makes you think that a single thing you have just claimed about Windows is true?

    Don’t pull a Fifi on us. Linkies, please.

  9. Kurkosdr says:

    Why is Linux able to run on my old equipment just as it did on day one?

    Because Linux has a tight monolithic kernel instead of the piece-of-crap hybrid kernel of Windows that was slow in XP and got slower with Vista. Because Linux users don’t run an antivirus, thinking they are immune from malware. Because Windows likes to start putting things im swap even when it doesn’t need to, a remnant from the NT3.5 days when memory was expensive and the OS had to proactively put thing in swap assuming that memory will run out, an old habit of Windows that nobody bothered to fix. Next question.

    Desktop Linux is the perfect system for resurrecting old boxes. Unfortunately, it sucks on new boxes. No good AMD or Nvidia drivers, buggy Intel drivers too, bad experimental switchable graphics while Windows had stable switchable graphics half a decade ago, bad power management, crap app ecosystem and dependency hell, three-year old OS releases not getting new apps.

  10. DrLoser says:

    What? Why is Linux able to run on my old equipment just as it did on day one? I’ve never had to buy new equipment to keep Linux running.

    Which explains your desire for the nonexistent Cello, of course.

    Fact is, Robert, Windows OS has a recycle time of three years at most. Linux LTS has a (dubious, imo) recycle time of two years every single time.

    I don’t pretend to insist that anybody else uses my preferred OS, whatever advantages it has. So why do you? And who on earth do you think is listening?

    Ah, but to be conciliaitory here. Which particular app from ten years ago still works for you (with no recompiling effort, of course) on Debian?

    I’m guessing the recipe database, but not much else.

  11. DrLoser wrote, “Linux LTS releases, which do in fact fit the two year cycle … though, backwards compatibility? Not so much.”

    What? Why is Linux able to run on my old equipment just as it did on day one? I’ve never had to buy new equipment to keep Linux running.

  12. DrLoser says:

    I meant “biennial” for Windows.

    Which still wouldn’t be correct. Since XP, every Windows OS has had a life-cycle of 8-10 years, and an average time between releases of slightly over three years. And then, of course, there’s that little matter of maniacal attention to backwards compatibility.

    Perhaps you are thinking of Linux LTS releases, which do in fact fit the two year cycle … though, backwards compatibility? Not so much.

  13. Old Bill says:

    “bi-annual” OS upgrades

    That is a lot of OS/2. I meant “biennial” for Windows.

  14. Kurkosdr says:

    You are not very correct here, Kurks. Most users would get updated by default.

    Sadly, not. svchost.exe takes some dozen minutes to work its magic on older systems (especially on the balanced power mode on battery), and as we all know, before svchost.exe has finished doing its magic, no windows update icon appears at the bottom right, and there is no clue to the user that the system needs to update. Which means that if a system sees light usage, basically turn it on, do bank transfer or send scanned document, and then turn it off, the system has no chance to update. In fact, as unfulfilled Patch Tuesdays pile on, svchost takes longer and longer to work its magic, eventually requiring hours to finish (again on balanced power mode, on battery), so even with less light usage occasionally, the system might still have no chance to update.

    My parents have such a Windows 7 system at home (they use tablets for their daily browsing), and that system hasn’t seen a patch since October 2016, but I was able to successfully utilise the WannaCry scare to pesker my parents and convince them leave the system running all weekend on high performance power mode while plugged in, so it has a chance to update. Can I have a cookie for my efforts?

    So, as I said, you can’t trust anyone to update. Which is the reason I am thinking of buying my parents a Chromebook, if it ever gets scanner support.

    But perhaps you could guide us through the process by which opening “fred.XXX,” where XXX is an extension invisible to the user, causes a security issue?
    In the early days of XP and previous versions of Windows, the OS would run (unsigned) exe files just by the user double-clicking on them, no warnings and no questions asked (if memory serves well). Combined with the auto-hiding of the extension, all you had to do as a malware writer is give the exe some “innocent” icon such as the Adobe Acrobat Reader icon or the jpg icon (the one provided by the default photo viewer) and send the file as an attachment, waiting for the non-knowledgable user to double-click on it. And yes, common malware used this technique to spread before email providers banned the sending and receiving of attachments with exes or exes in zips. Combined with the autorun USB thing, these two misfeatures gave XP a (well-earned) reputation for malware. Of course, both of these security holes got fixed years ago, even in XP. But for some reason, Pog still feels compelled to whine about them. He is doing the 3 users still stuck on Windows 98SE a favor though by exposing their security problems.

  15. DrLoser says:

    Chuckle. If there’s any silver lining in this, it’s that TLW asked me to make sure I back up her files.

    And yet one more time, Robert.

    1) It’s apparently a problem exclusive to Windows. (No it’s not, but let’s dream on.) According to you, TWWWTTAH does not use Windows. Although, for some bizarre reason, this particular exploit has finally convinced her to “back up” her files.

    2) It’s news to me that you need to “back up your files” when you are using a thin client.

    3) According to Ancient Druids, when using thin clients, one backs up one’s files via rsync or amanda or something like that. Does it really take a random M$ vulnerability to persuade your good lady to ask for that? If so, why were you not doing it in the first place?

    4) You’re telling porkies as usual, aren’t you? TWWWTTAH is still using a Windows machine for work, unless she has thrown it away. Which is unlikely.

    TWWWTTAH can pull the wool over your eyes, Robert, because she is a fine and decent and honest person. You, on the other hand, cannot pull the wool over our eyes. Because you are none of that.

  16. DrLoser says:

    Uh, suppose it’s an executable which deletes all files, or encrypts them, or installs a key-logger, or a trojan or…

    And suppose it magics up a pink unicorn?

    Not my question Robert. Try harder. Do what I said. Guide us through the process, you ignorant buffoon.

  17. DrLoser says:

    And since an earlier commentroid mentioned OS/2 and “bi-annual” OS upgrades, here goes with OS/2:

    December 1987 OS/2 1.0
    November 1988 OS/2 1.1
    October 1989 OS/2 1.2
    December 1990 OS/2 1.3
    October 1991 OS/2 2.0 LA (Limited Availability)
    April 1992 OS/2 2.0
    October 1992 OS/2 2.00.1
    November 1993 OS/2 for Windows
    February 1994 OS/2 2.11
    July 1994 OS/2 2.11 SMP
    October 1994 OS/2 Warp
    May 1995 OS/2 Warp Connect
    December 1995 OS/2 Warp, PowerPC Edition
    February 1996 OS/2 Warp Server 4
    September 1996 OS/2 Warp 4

    You want to see a “bi-annual” OS release? That is a bi-annual OS release.

    And sadly, I bought three of them.

  18. DrLoser wrote, “perhaps you could guide us through the process by which opening “fred.XXX,” where XXX is an extension invisible to the user, causes a security issue?”

    Uh, suppose it’s an executable which deletes all files, or encrypts them, or installs a key-logger, or a trojan or…

  19. DrLoser says:

    Just look a stupid things like hiding the file-extension from users. That allowed flowers_and_puppies.jpg.exe to look harmless to the user as flowers_and_puppies.jpg so they are more inclined to open the file…

    Now, I do not personally recommend the practice of hiding the extension myself, Robert.

    But perhaps you could guide us through the process by which opening “fred.XXX,” where XXX is an extension invisible to the user, causes a security issue?

    Big clue-bat (as usual) — this file is, according to you, already downloaded to a directory on your computer.

  20. DrLoser says:

    By the time the situation corrected itself, IBM was on the outside looking in and people were firmly used to waiting bi-annually for the “new Windows” that would fix the problems of the old.

    A gem, a real gem. Can anybody out there cite a single OS (anywhere! From anybody!) that needed a wholesale replacement in two years?

    I think not, bozo.

  21. DrLoser says:

    One more question, if I may.

    Does Debian have automatic updates?

    And, if so, do you personally have that option turned on?

  22. DrLoser says:

    Yes.

    An honest answer. Next question then.

    When did your wife forsake Windows machines? By your own account, it must have been quite recently.

  23. DrLoser says:

    Chuckle. If there’s any silver lining in this, it’s that TLW asked me to make sure I back up her files.

    In March, or April, or May, Robert? Enquiring minds need to know.

    Naturally, these files will be on a Linux desktop — or not.

    Again, enquiring minds need to know.

    One more thing that enquiring minds need to know: have you explained to TWWWTTAH how to completely avoid this sort of ransomware?

    Clue: it’s nothing at all to do with the OS. But, just in case, I suggest you advise your far better half on how to deal with the threat.

  24. DrLoser wrote, “Can you put your hand on your heart and honestly tell us all that TWWWTTAH never uses a Microsoft Windows machine at work?”

    Yes.

  25. DrLoser says:

    And since you mention The Woman Who Wears The Trousers Around Here, Robert:

    Can you put your hand on your heart and honestly tell us all that TWWWTTAH never uses a Microsoft Windows machine at work?

    Well, can you?

  26. DrLoser says:

    I’m actually astonished that it has taken you five or six days to bring this issue up, Robert. You’re slipping, old man. Time was, you’d be happily repeating everything that Dr Roy Schestowitz said, practically verbatim. What’s the matter? You got annoyted by the little Yid’s attack on IBM?

    Still, anything to get you off your tricycle fetish, Allah Be Praised.

    Do you have any coherent advice on short-term solutions? (Moving to Debian is hardly a short-term solution.) Clue: teaching a class of underprivileged children how to clean fur-balls out of a 1990s Pentium machine doesn’t help much. So — I don’t think you do.

    Now, as it happens, there are short-term solutions. A rather drastic (though overdue) one is to disconnect every single XP machine from the network until they are replaced. For some bizarre reason, the NHS in the UK apparently depends upon contractors, etc, who are still running XP on 5% of machines.

    An even simpler solution is to turn on automatic updates. As a general principle, and unless there is an administrative process to do with testing first and distributing updates afterwards, this is clearly a good thing.

    And, finally, there is the attack vector used. Do you know what that is? Do you have a long term solution (on any OS whatsoever)?

    I do. And I do.

    You are, as per usual, completely clueless.

  27. DrLoser says:

    Thanks to software developed by USA’s NSA and which was allowed to get into the wild, the world is being held hostage.

    That’s not actually what happened, you blockhead.

    Do some (trivial) research, just for once.

    Clues: March, XP, etc, etc.

  28. Deaf Spy says:

    Thank ME that we don’t still use TOOS around here.

    Do you deserve thanks for patching Heartbleed, just to start with? Perhaps you do, you compile kernels for sports. Which puts you slightly higher than those who turn-off auto-updates, and those who refuse to follow security bulletins and don’t upgrade the systems they are responsible for on time.

  29. Deaf Spy says:

    anymore than a desktop user can be trusted to update his Windows

    You are not very correct here, Kurks. Most users would get updated by default. Woe on those who would listen to the pimpled-skin son of their neighbor, local hacker-wanna-be, who advises everyone to stop services and disable UAC and auto-updates to “make the computer faster”. Others, they just get updated and carry on.

    push towards “serverless”

    Serverless architecture is a neat new thing, but security is not what I’d choose it for, not by any chance. It is in no way more secure than App Fabric (Azure), which is just a host for your web-services, but on dedicated core / RAM sets, which scale up to a pre-paid plan only. Serverless is also rather bleak when you happen to need state – then you’ll be forced to drag along state tokens, recreate state from everywhere, and lose performance due to the wide and unknown distribution of the execution environment. But if you just need to process some data, and pay up to what you do (and you pay a lot, I can tell you), serverless is pretty cool.

  30. Kurkosdr wrote, “Fill up your disk quota in Debian, and see X.org crash all the time.”

    Beast is still short of disc space and has run out several times with no effect on X. I’ve just been too lazy to switch over to the new drives, thinking I would waste the effort by having to do it again on the switch to ARMed servers.

  31. Kurkosdr says:

    The problem was patched on 14 March, but “competent” administrators didn’t bother to install the patch so far. And then it is all MS’s fault that they want to install updates forcibly. </strong

    You see, my dear hearing-impaired military intelligence gatherer, Desktop Linux has the privilege of being completely irrelevant on the desktop (home desktop and office desktop) which means that Desktop Linux has the privilege of getting hacked silently. My security professor back at uni told me that when he subscribes to some web site which asks for an email address, he creates an email account just for this site which he doesn't use for anything else. If some of those purpose-built email accounts gets flooded with spam, he knows the site behind it got hacked. Of course, most sites don't inform users about this.

    One thing is for certain, a graybeard sysadmin cannot he trusted to install patches against shellshock and reboot his system in order for the new binaries to be loaded anymore than a desktop user can be trusted to update his Windows. Which one​ of the reasons​ for the push towards "serverless" (AWS LambdaFunctions and Google AppEngine) in the server space.

  32. Kurkosdr says:

    The last place I worked that a school’s lab actually used Lose ’98, hardly a class passed that one or more students didn’t have a crash, just browsing or word-processing.

    Windows 98 (non SE) was indeed Lose 98. The other versions were OK.

    When XP came around, a student in my class figured out how to crash it with just a couple of clicks. He would “select all” on the desktop and open them… Amazingly, XP didn’t crash opening that stuff but it crashed after a few were closed… I guess it couldn’t keep track of the memory.

    Oh, we are talking about people trying to break stuff? Fill up your disk quota in Debian, and see X.org crash all the time.

  33. oiaohm wrote, “Then we had Nvidia break up the team to develop common video driver interface in 2004 that set the Linux Desktop development way back.”

    There was a simple solution for that, “Stay away from Nvidia!”. Linus was right about that. The servers at Easterville did have Nvidia chipsets and they were a pain. I had to tweak settings on the NICs just to prevent dropouts of Ethernet. I used AMD video cards successfully there on the servers and multiseat clients. The VIA video drivers were also a pain on the thin clients. I had to shop for a driver that worked. Fortunately, I found one.

  34. oiaohm says:

    1995 I was using Linux and other than being a complete pain to get X11 working the thing was mostly stable once you did. Main reason for using it was building applications. It still true day as it was then that if you were using intel or open source compliers they are faster under Linux than under Windows or Apple OSs and that has not changed in the 20+ years.

    Grece redhat work for decent had landed by 1994. They started in 1993.

    So your IPO time line is way out. Linux X11 nasty start being fixed about 2003 when X11 at long last implements auto configuration and that work is not related to Redhat in anyway that we have a Intel developer to thank for.

    Then we had Nvidia break up the team to develop common video driver interface in 2004 that set the Linux Desktop development way back.

  35. Kurkosdr wrote, of Lose ‘9x, “objectively there weren’t any real issues”.

    Well, you have to turn those boxes on…

    The last place I worked that a school’s lab actually used Lose ’98, hardly a class passed that one or more students didn’t have a crash, just browsing or word-processing. I figured out how to crash the machines in 3-5 minutes just in normal use. ISTR you had to open four windows on the browser or browse plus word-processing would bring a crash pretty smartly. I’m pretty sure it could not handle a shortage of memory very gracefully. When XP came around, a student in my class figured out how to crash it with just a couple of clicks. He would “select all” on the desktop and open them… Amazingly, XP didn’t crash opening that stuff but it crashed after a few were closed… I guess it couldn’t keep track of the memory. Meanwhile, I’ve rarely seen a stock GNU/Linux install that didn’t eventually do the right thing even when swapping viciously. When I replaced Lose ’95 on those 72MB machines way back when, they went from crashing daily to crashing never. Well, there was one crash. A student turned off the power. That did wonders for an ext2 file-system. We went six months of use about 4h daily with no failures of the software and only that one problem with hardware. I’ve never had a serious problem since, although systemd sure was a pain…

  36. Kurkosdr says:

    Win95 was so successful, though, for the very reason that it provided so many new things to crash.

    Ah, yeah, the myth that MacOS, AmigaOS and OS/2 didn’t crash, despite being memory-unprotected OSes too. In fact, OS/2 initially had a single input queue for every application running on it, which means that if one application stopped serving it’s input requests, the whole desktop became unresponsive, with no way to bring it back. And it couldn’t install itself. And couldn’t print.

    With the exception of Windows 98 (not 98SE), I ‘ve never have experienced a truly bad Windows 9x release. Even Windows Me was stable if you didn’t load old 16-32bit drivers on it. It was stable for me. Even the 3-day crash bug was fixed, not that many people kept their home PCs on for so long.

    By the time the situation corrected itself, IBM was on the outside looking in and people were firmly used to waiting bi-annually for the “new Windows” that would fix the problems of the old.
    Nah, these are not the experiences of many people who were happy with Windows 95 and stuck with it, and you could see it in offices even in the early 2000s. There was no objective deficiencies of Windows 95 and Windows 98SE compared to the more expensive competition. Not even Windows Me after the first updates. Graybeards would compare Windows 95 boxes to SGI and Sun workstations costing 10 times more money and whine about bluescreens, but objectively there weren’t any real issues. The high upgrade rates were because in the 90s, even educational software and digital encyclopedias were outpacing the capabilities of 3-year old or even 2-year old hardware and for that reason new versions of Windows quickly gained marketshare as PCs got rapidly replaced, not because people were unhappy. Meanwhile, good luck if your flimsy iMac got a hardware defect just month out of warranty.

  37. Old Bill says:

    The “mission” statement on this page says that Robert started using Linux in 2001, apparently putting up with the vagaries of Win95 for quite a while. I can see where that would certainly produce a high degree of frustration.

    Win95 was so successful, though, for the very reason that it provided so many new things to crash. OS2 from IBM had the same stuff, but needed adequate RAM for better stability. At that time in history Ronald Reagan had managed to punish the Japanese semiconductor makers for dumping cheap RAM on the US market and retail prices had risen to nearly $1 per K for RAM, making the cost for moving to OS2, and the necessary 4mbytes, prohibitive for many. By the time the situation corrected itself, IBM was on the outside looking in and people were firmly used to waiting bi-annually for the “new Windows” that would fix the problems of the old.

  38. Grece says:

    I decided to switch to GNU/Linux as a result of the insulting crashes of Lose ’95.

    Linux was a POS in the mid to late 90s, it got somewhat better at the turn of the century and started to take off when RedHat went IPO.

    What did you do with Linux in 1995 Robert?

  39. Ivan says:

    So rather than learn the lesson about letting bureaucracy get in the way of support contracts, you choose to lie about the security of linux… Your priorities are misplaced, Bob.

  40. Bob Parker wrote, “Every version of Windows they have made has been insecure.”

    I’m sure that’s true. In the 1990s, M$ shipped huge codes with tens of thousands of bugs, many of which contained vulnerabilities. TOOS is just a poor design with unlikely parts of the OS intertwined like spaghetti. It can’t be untangled. It can’t be debugged. There are way too many crevices in the heaping pile for intruders to attack.

    Just look a stupid things like hiding the file-extension from users. That allowed flowers_and_puppies.jpg.exe to look harmless to the user as flowers_and_puppies.jpg so they are more inclined to open the file… What idiot thought that one up, an open door to malware? It’s a useless feature but so ingrained that M$ dare not remove it. Auto-run, SMB complexities,… Repeat ad nauseam.

    I decided to switch to GNU/Linux as a result of the insulting crashes of Lose ’95. I’m glad I did. I’ve dodged many waves of worms, viruses, malware and network intrusions simply because I chose to use GNU/Linux instead of TOOS.

  41. Bob Parker says:

    Full marks to Microsoft for consistency. Every version of Windows they have made has been insecure.

  42. Deaf Spy wrote, “thanks for the competent “administrators” or their own folly that disks never fail, hacks never happen, and so on (gosh, sounds like you, Robert).”

    Chuckle. If there’s any silver lining in this, it’s that TLW asked me to make sure I back up her files. I do. Thank ME that we don’t still use TOOS around here. I think the only sign that TOOS was ever here is a sticker on the bottom of her much-abused notebook. I can’t be bothered to peel it off.

  43. Deaf Spy says:

    The problem was patched on 14 March, but “competent” administrators didn’t bother to install the patch so far. And then it is all MS’s fault that they want to install updates forcibly.

    Then comes the fact that these people were totally reckless about having up-to-date backups of their data. Again, thanks for the competent “administrators” or their own folly that disks never fail, hacks never happen, and so on (gosh, sounds like you, Robert).

Leave a Reply

Your email address will not be published. Required fields are marked *