Leaving the Chicken Coop open for the Foxes

It's easy to view hacking as purely an act of aggression, but it has more to do with other human failings like pride, willful ignorance, and a lack of responsibility. Yes, that can be true of malicious hackers, but I mean more on the part of the companies who develop the software we all depend on. Yes, as I wrote in How to Survive the Hacking Wars, we must take responsibility as individuals by not doing stupid things like revealing our account details, or clicking links emailed to us by strangers. However, some of the biggest software companies are prone to leaving the chicken coop open to hackers.

Big software companies let the foxes in to gorge

Microsoft

It's not that Microsoft software has vulnerabilities. Given the complexity of everything it does, it'd be more surprising if it didn't. No, it's that some Microsoft vulnerabilities remain unpatched for so long. One vulnerability in Microsoft's Internet Explorer browser was reported to Microsoft on 11 October 2013. However, a patch for the vulnerability wasn't released by Microsoft until 10 June 2014. It was classified by Microsoft as a 'Critical' issue, but given that it took 8 months to patch, was it actually treated as critical? The vulnerability's severity stems from the fact that it affected every version of Internet Explorer from version 6 to version 11, in both 32-bit and 64-bit versions.

Another serious vulnerability in Microsoft's Windows operating system lay undiscovered for 19 years! It first crept into Windows 95 and has been patched...but only for Windows versions Vista, 7, and 8.x. If you're using Windows XP, then the vulnerability is still there. Mind you, if you purposefully go on using an operating system that old...

Google

Continuing the story of 'massive tech companies f------ up' is this unpleasant contribution from Google. Microsoft had taken one day too long for Google's liking to fix a vulnerability, so they went public with the details, potentially exposing that vulnerability the day before it was due to be patched. Within a matter of days though it was discovered that Google was purposefully leaving a vulnerability in Android unpatched. Given that the most recent version of Android it affects, version 4.3, is just 15 months old, this is a particularly sour decision.

Apple

For countless years there has been a tribe of Mac users who have claimed that security and viruses are just Windows problems. They aren't. When a security vulnerability was discovered by Sun in its Java platform, it released an update for all platforms, except Apple ones, in mid-February 2012. Apple maintains its own version of Java and released an update...on 3 April 2012. By then, though, somewhere in the region of 650,000 Macs had been compromised and wound up on a botnet (a collection of compromised systems grouped together for purposes as malign as launching Distributed Denial of Service attacks). Worse, it appears that the initial patch did little to counteract the problem. In January 2014, an estimated 22,000 Macs were still on the same botnet.

Apple launched a much-heralded service to automate updates to its software, with the first update going out on 23 December 2014...a mere 19 years after the first automatic Windows update.

Hackers allowed to gorge themselves (image courtesy of the Wallace Collection)

Animal farm

If there's one thing we can learn from all this, it's that all software has vulnerabilities and bugs. Few, if any, software developers can be said to be perfect on this front. Tribal loyalties are therefore pretty silly, especially when so many developers can be seen acting in an irresponsible manner when it comes to protecting their customers.

But let's finish with a little light relief. Remember the Lizard Squad from How to Survive the Hacking Wars? Turns out their mighty attack tool stores all its user names and passwords in plain text, making it an open door for hacking. If any professional or commercial site was discovered to do this, it would be roundly condemned. Turns out that even the foxes can't get it right. Oh, and what would you think if intelligence agencies did this?

Chickens, foxes, and game-keepers all getting it wrong. As with so much technology, the weakest components are the fleshy ones!

What are your experiences of computer security? Have you run into problems that you've subsequently solved? I'd love to hear all about them in the comments.