[Infowarrior] - Microsoft security--no more second chances?

Fri Aug 11 10:07:44 EDT 2006

Microsoft security--no more second chances?

By Charles Cooper
http://news.com.com/Microsoft+security-no+more+second+chances/2010-1002_3-61
04512.html

Story last modified Fri Aug 11 05:58:02 PDT 2006

As if Homeland Security Secretary Michael Chertoff didn't have enough on his
plate.

Not only has he had to deal with Katrina and Osama. Now he's also got to
whip Steve Ballmer and the crew at Microsoft into shape. If past is
prologue, that last task may be the most daunting of all.

In a remarkable declaration earlier this week, the Department of Homeland
Security--a bureaucracy set up to deal with stuff that generally falls under
the category of national emergency--called on all users of Windows software
to install a new security patch issued by Microsoft.

This wasn't your garden variety flaw. The fear in Washington was a repeat of
something like the chaos caused by the MSBlast worm in 2003.
By now, Chertoff's people must be thoroughly frustrated that Microsoft still
turns out poorly designed products.

By now, Chertoff's people must be thoroughly frustrated that Microsoft still
turns out poorly designed products. What with terror plots being uncovered
overseas and threats of airline bombings, cybersecurity obviously is not the
top headline this week.

But the threat of a network meltdown has not disappeared--especially when
flaws so regularly turn up in Windows, the computer operating system most
people in this country use.

The Microsoft monoculture is a fact of life in government and corporate
circles. And that comes at a price in the coin of vulnerable computer
security.

Microsoft contends that the situation is improving and that it's doing the
maximum to make sure that Windows and the other software products it sells
go out the door with as few problems as possible.

Each month, the company issues a security update in which it patches
problems. And every Microsoft spokesman within earshot can be counted on to
solemnly pledge the company's maximum effort.

It's a familiar refrain.

Ever since Bill Gates announced Microsoft's Trustworthy Computing initiative
four and a half years ago, the company says it has reshuffled its
development priorities. Cool new features were to take a backseat to
improved security and privacy.

Yet the problem lingers. In the last three years, Microsoft has issued an
increasing number of yearly security bulletins, in which several patches get
put online to fix problems in existing applications. The company sees this
as evidence that it's on top of things, not an indictment of managerial
incompetence.

If you want to find someone to blame, Gates says, point a finger at the
"malicious people" out there looking to "take advantage of whatever things
there are."

What did you expect him to say? That it's Microsoft's fault? That would be
too hot to handle. Gates and the rest of the brass stick closely to the
script but clearly know that Microsoft can't keep turning out finished
products that are as porous as Swiss cheese.

Defenders will argue that it's unfair to demand perfection from Microsoft;
that software is an imperfect art. And besides, they add, is the Mac
operating system or Linux bulletproof? Clearly, the answer is no. But the
number of security holes turning up in either operating system is a fraction
of what turns up in the Windows world.

The oddest part is how we've become so accustomed to the status quo when
"Patch Tuesday" rolls around. Another few holes get closed with a magic
Microsoft download, and we're safe (unless the bad guys first found a way to
burrow into our systems).

Here's something to consider: If bridge builders or airplane designers
applied the same standards to their labors, do you believe that the public
would so easily forgive the regularity with which bridges would collapse and
airliners fall out of the sky?