[LINK] Rampaging bugbear
Frank O'Connor
foconno1@bigpond.net.au
Sat, 5 Oct 2002 17:37:45 +1000
Malcolm,
Correct me when I'm wrong here:
1. MS was the one who spent all their time over the last few years
integrating all their internet applications with the operating system.
2. MS was the one who at the anti-trust trial categorically stated
their browser software could not be removed from the OS.
3. MS is the one who promoted an integrated suite of free Internet
applications that they write and they have integrated with their OS.
4. MS is the one who has promoted Win32API, ActiveX and COM ...
strangely all the technologies that give rise to these e-mail viruses.
5. Windows is a platform on which there are currently in excess of
60,000 viruses ... not UNIX, not the MacOS, and not any other OS ...
which all have demonstrably fewer instances of attack even given
their demographics.
6. By and large e-mail viruses take advantage of the 'integrated'
Internet applications approach. With MS you don't just get Helpers
like you get in other non-MS IP applications ... you get serious
cross application connectivity at OS level.
7. Since MS has promoted everyone using their applications to the
exclusion of all others, when a script kiddie writes an e-mail virus
it's a simple matter to take advantage of this cross application
connectivity. It does not take genius level programming skills to
write an MS virus ... and there's almost nothing in the way to stop
you doing various devastating things. File and directory protection?
"Nah, we don't need that ... that's for geeks!". Instruction
controls? "Hey, ActiveX is about the free passing of instructions and
data between apps, Man." Win32 API ... enough said.
8. Most AVERAGE MS users bought cheap hardware and an OS that will
run on it. They generally aren't IT sophisticated and generally
bought their package based primarily on cost and the software it
would run.
9. Even MS corporate and enterprise users have trouble keeping up
with the updates MS makes available on an almost daily basis.
10. MS is the one who has issued 57 security alerts this year.
11. MS is the one who has withdrawn support for all older software of late.
12. E-mail viruses by their very nature are one-shot attacks. Bottom
line, to be successful they have to get out there and do their stuff
in a very short time period ... between the user using the Net and
the anti-virus package producer producing a new virus definition to
wipe the offending little creep. This is why they are so devastating.
Now I'm not an MS basher. You've seen many posts from me here where I
have defended .NET (I actually like it ... it's JAVA by another name
that's not cross platform, but it's also the first stable process
efficient mature IP network ready OS I've seen from MS). You've seen
situations where I've defended MS on other issues ... the recent
share price one for example.
But I'm also not an uncritical MS devotee either.
The bottom line is MS's security record is abysmal ... admit it. Get
over it. It happens. Don't even think about defending MS on this
issue. It's an utterly ludicrous and unsustainable position. You
might as well try to defend a child molester on the grounds he likes
children.
They are completely and utterly useless at security.
Bill Gates admits it. All Redmond's various technologists admit it.
Steve Ballmer admits it in a recent TechWeb interview. What do you
think the big change of policy was about ... you know, the 'security
first' one 8 months back?
Their security sucks. They know it. They admit it. They can face up
to it. They've seen the light.
The MS auto-update process is flawed ... admit it.
The fact that their marketing people are still pushing the integrated
one standard MS environment is something their security people will
eventually tell them is a no-no. Makes things too easy for the script
bunnies and the like.
The thing is, if you admire MS ... don't for God's sake admire them
for something they're a complete and utter failure at.
If a BugBear arises don't spring to their defence like an automated
bot. Think about the problem structurally. Yes, today it's BugBear
... but tomorrow it will probably be BugBunny e-mail virus. What's
gonna stop BugBunny? Or the next Script Kiddie macro like Melissa,
Best Boy or whatever?
To me little numbers like breaking the application chain on MS
systems are a good start and I said so. I saw no yea or nay comment
from you on that. What I did see was an INSTANT jumping to MS's
defence telling us that a bug fix had been released months previously
(and believe me most of us can read the relevant press releases) and
another unsustainable position ... almost as if you've been
programmed.
That's what I meant by 'consideration'. Consider the bloody problem.
Propose serious solutions. Do something about it. Don't simply make
excuses and/or by implication blame the millions of affected AVERAGE
as well as corporate users. MS has plenty of PR muscle already there
to do that.
Regards,
----------
For Link list information see http://sunsite.anu.edu.au/link/