Langa Letter: Enough Already: Microsoft Must Change
Fred Langa wonders if Microsoft will do what it takes to greatly improve its software development processes and improve its product security
But Wait, There's More
Microsoft's shortcomings are real, but are only part of the problem in desktop security. There also are factors involving human nature and market forces--which is to say, involving you and me--and all these factors have to be considered as part of the solution.
For example, consider the simplistic argument "Dump Microsoft--switch to [name of favorite alternate OS here]." Today, Microsoft software is ubiquitous. It's a fat, easy target for crackers and other miscreants, especially those who seek public notoriety or the acclaim of their fellow crackers: By targeting the software with the largest market share, malicious coders are guaranteed a huge pool of potential victims, thus amplifying the effect of whatever harm they can do. If the market were different--say, if Linux were top dog--then it would receive far more hostile attention than it does today, and Linux's weaknesses would be in the limelight. (All software contains at least some flaws and
coding errors (see "Linux Has Bugs: Get Over It"). Switching vendors in and of itself won't eliminate security problems because malicious
hackers will simply target the new top dog.
A related issue is the "newbie factor." Because marketshare-leading Microsoft software comes bundled with most new PCs, there's a higher percentage of newbies using Microsoft's products than any other vendors'. This helps malicious coders because these newbies can be relied upon to do the wrong thing. For example, the recent Blaster worm infected tens of millions of PCs, but it did so only because
these PCs were all running without even the most basic security measures--the operating systems weren't properly patched, didn't have a decent desktop firewall, and were running without a good antivirus tool. Any one of those three precautions would have stopped the Blaster worm in its tracks, but clearly, huge numbers of users still are running their PCs wide open and unprotected.
Newbies will err, no matter what operating system they use, and any long-term solution to improving desktop security has to allow for the "newbie factor." This isn't a Microsoft problem per se. In fact, I think it's safe to say that a mass migration to Linux would make things worse, at least for a while:
Linux has many strengths, but newbie-friendliness isn't one of them.
To solve the newbie problem, an operating system has to be safe enough out of the box to foil at least the most basic kinds of attacks, but still has to be easy enough so unskilled users can connect to a LAN or the Internet without undue trouble. That's a tough balancing act, but several vendors are getting close. For example, Red Hat Linux offers very simple auto-configuration of its firewall, and Microsoft includes a simple click-to-activate firewall in XP.
But that points out another problem affecting security: How do you get people to move to new software? For example, Microsoft has twice tried to kill off Win98--a five-year-old operating system that itself was mostly a refinement of the eight-year-old Win95. But customers howled: "We want our old software!" As a result, Microsoft has twice extended the life of Win98; active support now will
continue until January 2004, and Microsoft won't completely pull the plug on Win98 until January 2005 (see "Microsoft's Adjusted 'Product Lifecycle' Plans").
When Microsoft finally retires Win98, the core of that operating system will be 10 years old. Think of what the computing world was like then: Computers were nowhere nearly as common as they are today; and most computer users had never natively surfed the Web or directly navigated the Internet. What worms and
viruses existed then mostly traveled hand-to-hand, by floppy disk!
Microsoft's corporate blind spot about things like buffer overruns may be inexcusable, but I also think it's unreasonable to expect any decade-old software to deal with threats that mostly didn't exist at the time the software first appeared. A 10-year-old copy of Linux also won't look very good compared to today's versions, for example; a 10-year-old Mac will likewise look pretty lame. No operating system from eight or 10 years ago is really up to all the challenges of today's needs.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.