[LINK] Rampaging bugbear
Sat, 5 Oct 2002 17:37:45 +1000
Correct me when I'm wrong here:
1. MS was the one who spent all their time over the last few years
integrating all their internet applications with the operating system.
2. MS was the one who at the anti-trust trial categorically stated
their browser software could not be removed from the OS.
3. MS is the one who promoted an integrated suite of free Internet
applications that they write and they have integrated with their OS.
4. MS is the one who has promoted Win32API, ActiveX and COM ...
strangely all the technologies that give rise to these e-mail viruses.
5. Windows is a platform on which there are currently in excess of
60,000 viruses ... not UNIX, not the MacOS, and not any other OS ...
which all have demonstrably fewer instances of attack even given
6. By and large e-mail viruses take advantage of the 'integrated'
Internet applications approach. With MS you don't just get Helpers
like you get in other non-MS IP applications ... you get serious
cross application connectivity at OS level.
7. Since MS has promoted everyone using their applications to the
exclusion of all others, when a script kiddie writes a e-mail virus
it's s simple matter to take advantage of this cross application
connectivity. It does not take genius level programming skills to
write an MS virus ... and there's almost nothing in the way to stop
you doing various devastating things. File and directory protection?
"Nah, we don't need that ... that's for geeks!". Instruction
controls? "Hey, ActiveX is about the free passing of instructions and
data between apps, Man" Win32 API ... enough said.
8. Most AVERAGE MS users bought cheap hardware and an OS that will
run on it. They generally aren't IT sophisticated and generally
bought their package based primarily on cost and the software it
9. Even MS corporate and enterprise users have trouble keeping up
with the updates MS makes available on an almost daily basis.
10. MS is the one who has issued 57 security alerts this year.
11. MS is the one who has withdrawn support for all older software of late.
12. e-Mail viruses by their very nature are one-shot attacks. Bottom
line, to be successful they have to get out there and do their stuff
in a very short time period ... between the user using the Net and
the anti-virus package producer producing a new virus definition to
wipe the offending little creep. This is why they are so devastating.
Now I'm not an MS basher. You've seen many posts from me here where I
have defended .NET (I actually like it ... it's JAVA by another name
that's not cross platform, but it's also the first stable process
efficient mature IP network ready OS I've seen from MS). You've seen
situations where I've defended MS on other issues ... the recent
share price one for example.
But I'm also not an uncritical MS devotee either.
The bottom line is MS's security record is abysmal ... admit it. Get
over it. It happens. Don't even think about defending MS on this
issue. It's an utterly ludicrous and unsustainable position. You
might as well try to defend a child molester on the grounds he likes
They are completely and utterly useless at security.
Bill Gates admits it. All Redmond's various technologists admit it.
Steve Ballmer admits it in a recent TechWeb interview. What do you
think the big change of policy was about ... you know, the 'security
first' one 8 months back?
Their security sucks. They know it. They admit it. They can face up
to it. They've seen the light.
The MS auto-update process is flawed ... admit it.
The fact that their marketing people are still pushing the integrated
one standard MS environment is something their security people will
eventually tell them is a no-no. Makes things too easy for the script
bunnies and the like.
The thing is, if you admire MS ... don't for God's sake admire them
for something they're a complete and utter failure at.
If a BugBear arises don't spring to their defence like an automated
bot. Think about the problem structurally. Yes, today it's BugBear
... but tomorrow it will probably be BugBunny e-mail virus. What's
gonna stop BugBunny? Or the next Script Kiddie macro like Melissa,
Best Boy or whatever.
To me little numbers like breaking the application chain on MS
systems are a good start and I said so. I saw no yea or nay comment
from you on that. What I did see was an INSTANT jumping to MS's
defence telling us that a bug fix had been released months previously
(and believe me most of us can read the relevant press releases) and
another unsustainable position ... almost as if you've been
That's what I meant by 'consideration'. Consider the bloody problem.
Propose serious solutions. Do something about it. Don't simply make
excuses and/or by implication blame the millions of affected AVERAGE
as well as corporate users. MS has plenty of PR muscle already there
to do that.
For Link list information see http://sunsite.anu.edu.au/link/