A fairy tale about three little pigs--alopng with some unrelated discussion about Microsoft vs. open source security. Really. Completely unrelated.
Once upon a time, there was a little pig who built his house in the meadow out of straw. He did it because he had always built his house out of straw, and so did all the other little pigs in the meadow. Straw wasn't the best building material available, but it was good enough. It was easy to work with. And the labor costs associated with straw were low, because the meadow was filled with animals who were trained in the use of straw (they were called Meadow Certified Straw Engineers, or MCSEs).
But over time, Big Bad Wolves infiltrated the meadow, and began huffing and puffing and blowing the houses of straw down.
Now, the little pig had a big brother, who'd built his house out of brick. The little pig's big brother urged the little pig to re-build his house out of brick, instead of straw.
"Not by the hair of my chinny-chin-chin," said the little pig. "The only reason brick appears safer than straw is that so few pigs build their houses out of brick. Big Bad Wolves target straw houses because straw has a monopoly on the building materials market. If brick had the same market share, then the Big Bad Wolves would be huffing and puffing and blowing down brick houses."
The little pig's big brother said, "Dude, you can't blow down a brick house. Brick is fundamentally more resistant to huffing and puffing."
But the little pig was confident. "Not by the hair of my chinny-chin-chin. You're only saying that because you've been brainwashed by the FUD spread by straw community."
The preceding has been a fairy tale with no bearing on the current state of Internet security.
Bill Wyman, President, Seven-Tel Systems: "If millions of users heeded your advice and did just what you have advised, Mozilla Firefox would be hacked and attacked six ways from Sunday before next Saturday, and we'd quickly be back where we are now. There are very few pickpockets in the Mojave Desert."
John D. Anderson, consultant, Accounting Technology Resource Network: "Alternative browsers are not necessarily the answer to the IE problem. Educating users about how to use IE safely can also be an answer."
That's the most common argument used by Microsoft and its defenders: That Microsoft is attacked so often because it's the most popular software around. If open-source software and the Mac were as popular as Microsoft, they'd be attacked as often, too.
I can make several counter-arguments to that:
Counter-Argument #1: The Microsoft Monoculture
Some of you may remember the foofaraw last year about the "Microsoft monoculture."
A panel convened by Microsoft competitors and headed up by Dan Geer, then chief technology officer at security consultants @stake, argued that Microsoft defenders were half-right--the reason we see so many attacks on Microsoft software is, at least in part, because Microsoft has a monopoly.
The solution, said the panel: Users need to diversify their installed base.
Security experts called the Microsoft installed base a "monoculture," borrowing a term from anthropology used to describe a civilization that depends on cultivation of a single crop. A disease or disaster that wipes out that one crop can lead to famine, whereas a culture with a more diversified agricultural base can weather the loss of a single crop.
But Mozilla Firefox is NOT a monoculture, and there is no reason to assume that Mozilla Firefox--or any alternative browser--will ever achieve the dominance that Internet Explorer has achieved. Internet Explorer is pretty well entrenched.
Counter-Argument #2: Oh, Yeah? So What?
Even if Mozilla Firefox does steal all of Internet Explorer's market share, that'll take a couple of years. For now, users are relatively safe hiding out in their rare houses of brick, while the Big Bad Wolves focus their efforts on the straw houses. If bricks attain a monopoly, users can simply switch to another platform. Switching browsers is cheap, in terms of time and effort, unlike switching operating systems or databases, which can be quite expensive conversions.
Counter Argument #3: The Alternatives Are Inherently Better. They Just Are
I'm not entirely convinced that attackers will find alternative browsers as susceptible to attack as Internet Explorer, because the assumption underlying that argument is that Microsoft software and other software are equally secure. Which is not necessarily so. A house made of brick is more sturdy than a house made of straw--and Microsoft critics argue that straw is what the Microsoft house is made of.
I'd like to explore this subject a little deeper--I confess my programming and architecture skills are not up to the task of analyzing the relative security of Microsoft vs. competitive code. But if you're an advocate of the superior security of Mozilla, Firefox, Linux, or the Mac, write and let me know why those platforms are more secure than Microsoft software. We'll publish the best of your letters.
Of course, there are counter-counter-arguments to be raised by Microsoft defenders.
#1: Out Of The Frying Pan....
For an alternative take on the monoculture question, read a column by analyst Rob Enderle, who argued that users who diversify their installed base will trade the monoculture problem for increased support and maintenance complexity, giving network managers multiple platforms to install, configure, keep updated, maintain, and provide technical support for. More platforms--more headaches!
#2: It's The Users, Stupid. Or The Stupid Users
Reader Bill Wyman argues, in the article I referenced above, that many of the security problems blamed on Internet Explorer are actually human error. They're con-jobs, good ol' "social engineering," where attackers trick users into giving out information using techniques familiar to hustlers for centuries.
You don't have to use the Internet to trick people out of their credit card numbers, you can just pick up the phone and make an official-sounding call.
And A Couple Of Other Things
#1: By the way: I don't have kids myself, and so I had to remind myself of the details of the story of the Three Little Pigs. Like a lot of fairy tales, it's actually pretty gruesome when you get into it. I mean, they boil the wolf in a pot of water. Dude. That's harsh. I'm surprised kindergarten children don't have nightmares every night.
#2: In my earlier blog entry, I said that "The Music Man" was the second-most wholesome movie ever made. Reader Chip Burkitt, St. Paul, Minn., wants to know: "What's the most wholesome movie ever made?" Answer: "Chitty Chitty Bang Bang." Or anything with Dean Jones in it.
I also said that I "omit" sulfurous language, and he asked, "Do you 'omit' or 'emit' sulphurous language? You certainly omit it from your columns, perhaps because you emit it in your office?"
Answer: I can't believe I made that @#$%&!-ing typo.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.