StratVantage – The News 03/08/02

Anti-Microsoft Hyperbole on Security

 Alert SNS Reader Jacob Jaffe was offended by the article I linked to in the last SNS that said that Microsoft was a greater threat to security than Osama bin Laden. Speaking for himself and not his employer, he pointed out that Microsoft has done an awful lot lately to improve its position on software security. Jacob writes:

As you know, the article to which you linked was authored December 14, 2001.  Since then, Microsoft has initiated a number of efforts to improve the security of its products, including:

Yes, with a historical focus on usability and functionality, Microsoft’s track record on security has been less than desirable.  And, it’s true that actions — and not words — will prove the company’s commitment to security, which MUST succeed for .NET to become a reality.  My only point is that readers should be informed that Microsoft has recently taken steps in an effort to address these past “mistakes” (again, my own words).

On a separate but related note, by suggesting that Microsoft is a worse threat than Osama Bin Laden, I can’t help but to feel that Mr. Ruffin has trivialized the value of each and every innocent person who, on that fateful day (and as a result of the many terrorist attacks prior to 9/11), perished at the hands of Al Queda.  Sure, I could say more, like:

  • how many people have died as a result of security flaws in Microsoft software?
  • how many more billions of dollars did/has/will the events of 9/11 cost compared to the costs of all Microsoft security flaws combined?

…but, I think you get my point.

I do get Jacob’s point, and couldn’t agree more. Microsoft has made great strides in the last six months in addressing its security problems. And it is irresponsible for anyone to compare a murderous madman to Microsoft. The author of the Register article (which I hesitate to link to again lest others be offended) appears to be a member of the lunatic anti-Microsoft fringe, which I usually find pretty entertaining.

I do not consider myself to be part of that fringe, which sees Microsoft as the Great Satan, although I have a lot of problems with Microsoft and at the moment am not a big fan of the monopoly. I’ve made a lot of money over the years leveraging their technology, and I am truly grateful for many of their innovations. My main problems with the company are its bullying abuse of monopoly power and its, up until now, lack of concern with security.

Nonetheless, the author of the Register article, the improbably named Oxblood Ruffin, makes valid points about Microsoft’s treatment of vulnerabilities, despite his unfair and over the top characterization of the company. Ruffin is a member of the CULT OF THE DEAD COW, a developer of Internet privacy and security tools.

The jury is out as to whether Microsoft will be successful in improving its security. After all, there are many, many millions of lines of code in Microsoft’s products. It’s not going to be easy, nor desirable, to graft security onto the existing code base. Microsoft needs a complete reorientation of their development philosophy, in my opinion.

The company has given the world some terrific innovations and capabilities by stressing usability and interoperability. Visual Basic for Microsoft Office is a great example of this. By enabling all the components of Office to communicate with one another and be part of integrated custom applications, Microsoft has enhanced the user experience. By doing this with little regard for or awareness of the security ramifications, Microsoft has produced a fertile breeding ground for viruses and worms.

Back in the day, when these innovations were conceived, the world was a simpler place. Networking was in its infancy and most viruses rode into a PC on a floppy disk. The connected world we’re now living in was only dimly envisioned, and the degree of threat we face today from online malware (malicious code) was not anticipated. The mistake Microsoft made was not realizing the stakes had changed once computers became organized into private networks and then exposed to the public Internet.

Bill Gates has admitted he missed the significance of the Internet. I’m not sure he’s admitted he missed the importance of security, but his mandate to stop feature development and concentrate on security is unprecedented, courageous, and encouraging. Let’s hope it’s also effective.

Briefly Noted

  • Shameless Self-Promotion Dept.: CyberCrime Fighter Forum 2002 happens March 12th in St. Paul, MN. If you’re in the area, I hope to see you there.Also, in conjunction with the new CTOMentor paper, Basic Home Networking Security, we’re running a survey on home networking policies and procedures. The first survey cycle closed yesterday, but you can get in on the second, which will run through March 11.

    CTOMentor is also offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
    CTOMentor

  • Sony in P2P Deal: Alert SNS Reader Graeme Thickins sent a long an article that reports that Peer-to-Peer software vendor CenterSpan has inked a deal with Sony Entertainment to distribute Sony’s music on its service. CenterSpan previously bought pioneering P2P file sharing company Scour and in April 2001 launched a free trial of C-Star CDN. The new service allows people to trade encrypted files authorized for copying by copyright holders. This is a big boost for P2P networks, although it remains to be seen if it will be successful.
    News.com
  • Verizon Launches First US 3G Network: Verizon Wireless has released its new 3G wireless network in three areas: a corridor that runs from Norfolk, Virginia to Portland, Maine; the Salt Lake City area; and the San Francisco/Silicon Valley area. The new Express Network promises high speed Internet access up to 144 kilobits per second (kbps).
    CNN.com

 


Alert SNS Reader Hall of Fame

This newsletter would be a good deal less interesting if it were not for the legions of Alert SNS Readers who send me ideas for columns. Below are those who have been honored by admission to the Alert SNS Reader Hall of Fame.

Alert SNS Reader (tally)
Roger Hamm (14)
Larry Kuhn (13)
Andrew Hargreave (12)
David Dabbs (11)
Bill Lehnertz (9)
Andy Stevko (5)
Nick Stanley (4)
Todd Mortenson (4)
Jeff Ellsworth (4)
Doug Laney (4)
Tim Plas (3)
John Gehring (3)
Mike Todey (3)
Ken Florian (3)
Seth Freeman (3)
Dr. Andrew Odlyzko (2)
John Skach (2)
Dean Cowdery (2)
Jacob Jaffe (2)
Peter Ellsworth

(2)

Pete Simpson
Jacqueline Miller
Eric Strauss
Valerie Janda
Steve Harr
Marv Vikla
Bob Burkhart
Dave Harkins
Deb Ellsworth
Nick Caffarra
Claudia Swan
Frank Siegler
Patty Kolbo
Robert Koerner