Langa Letter: Enough Already: Microsoft Must Change - InformationWeek
Fred Langa
Fred Langa wonders if Microsoft will do what it takes to greatly improve its software development processes and improve its product security

But Wait, There's More
Microsoft's shortcomings are real, but are only part of the problem in desktop security. There also are factors involving human nature and market forces--which is to say, involving you and me--and all these factors have to be considered as part of the solution.

For example, consider the simplistic argument "Dump Microsoft--switch to [name of favorite alternate OS here]." Today, Microsoft software is ubiquitous. It's a fat, easy target for crackers and other miscreants, especially those who seek public notoriety or the acclaim of their fellow crackers: By targeting the software with the largest market share, malicious coders are guaranteed a huge pool of potential victims, thus amplifying the effect of whatever harm they can do. If the market were different--say, if Linux were top dog--then it would receive far more hostile attention than it does today, and Linux's weaknesses would be in the limelight. (All software contains at least some flaws and coding errors; see "Linux Has Bugs: Get Over It.") Switching vendors in and of itself won't eliminate security problems, because malicious hackers will simply target the new top dog.

A related issue is the "newbie factor." Because market-share-leading Microsoft software comes bundled with most new PCs, there's a higher percentage of newbies using Microsoft's products than any other vendor's. This helps malicious coders because these newbies can be relied upon to do the wrong thing. For example, the recent Blaster worm infected tens of millions of PCs, but it did so only because these PCs were all running without even the most basic security measures--the operating systems weren't properly patched, didn't have a decent desktop firewall, and were running without a good antivirus tool. Any one of those three precautions would have stopped the Blaster worm in its tracks, but clearly, huge numbers of users still are running their PCs wide open and unprotected.

Newbies will err, no matter what operating system they use, and any long-term solution to improving desktop security has to allow for the "newbie factor." This isn't a Microsoft problem per se. In fact, I think it's safe to say that a mass migration to Linux would make things worse, at least for a while: Linux has many strengths, but newbie-friendliness isn't one of them.

To solve the newbie problem, an operating system has to be safe enough out of the box to foil at least the most basic kinds of attacks, but still has to be easy enough that unskilled users can connect to a LAN or the Internet without undue trouble. That's a tough balancing act, but several vendors are getting close. For example, Red Hat Linux offers very simple auto-configuration of its firewall, and Microsoft includes a simple click-to-activate firewall in XP.

But that points out another problem affecting security: How do you get people to move to new software? For example, Microsoft has twice tried to kill off Win98--a five-year-old operating system that itself was mostly a refinement of the eight-year-old Win95. But customers howled: "We want our old software!" As a result, Microsoft has twice extended the life of Win98; active support now will continue until January 2004, and Microsoft won't completely pull the plug on Win98 until January 2005 (see "Microsoft's Adjusted 'Product Lifecycle' Plans").

When Microsoft finally retires Win98, the core of that operating system will be 10 years old. Think of what the computing world was like then: Computers were nowhere near as common as they are today, and most computer users had never surfed the Web or directly navigated the Internet. What worms and viruses existed then mostly traveled hand-to-hand, by floppy disk!

Microsoft's corporate blind spot about things like buffer overruns may be inexcusable, but I also think it's unreasonable to expect any decade-old software to deal with threats that mostly didn't exist at the time the software first appeared. A 10-year-old copy of Linux also won't look very good compared to today's versions, for example; a 10-year-old Mac will likewise look pretty lame. No operating system from eight or 10 years ago is really up to all the challenges of today's needs.

2 of 3