Langa Letter: Enough Already: Microsoft Must Change - InformationWeek

Commentary by Fred Langa, 9/25/2003

Fred Langa wonders if Microsoft will do what it takes to greatly improve its software development processes and improve its product security

But Wait, There's More
Microsoft's shortcomings are real, but are only part of the problem in desktop security. There also are factors involving human nature and market forces--which is to say, involving you and me--and all these factors have to be considered as part of the solution.

For example, consider the simplistic argument "Dump Microsoft--switch to [name of favorite alternate OS here]." Today, Microsoft software is ubiquitous. It's a fat, easy target for crackers and other miscreants, especially those who seek public notoriety or the acclaim of their fellow crackers: By targeting the software with the largest market share, malicious coders are guaranteed a huge pool of potential victims, thus amplifying the effect of whatever harm they can do. If the market were different--say, if Linux were top dog--then it would receive far more hostile attention than it does today, and Linux's weaknesses would be in the limelight. (All software contains at least some flaws and coding errors; see "Linux Has Bugs: Get Over It.") Switching vendors in and of itself won't eliminate security problems, because malicious hackers will simply target the new top dog.

A related issue is the "newbie factor." Because market-share-leading Microsoft software comes bundled with most new PCs, there's a higher percentage of newbies using Microsoft's products than any other vendor's. This helps malicious coders because these newbies can be relied upon to do the wrong thing. For example, the recent Blaster worm infected tens of millions of PCs, but it did so only because these PCs were all running without even the most basic security measures--the operating systems weren't properly patched (the fix for the RPC flaw Blaster exploits, MS03-026, had shipped about a month before the worm appeared), didn't have a decent desktop firewall, and were running without a good antivirus tool. Any one of those three precautions would have stopped the Blaster worm in its tracks, but clearly, huge numbers of users still are running their PCs wide open and unprotected.

Newbies will err, no matter what operating system they use, and any long-term solution to improving desktop security has to allow for the "newbie factor." This isn't a Microsoft problem per se. In fact, I think it's safe to say that a mass migration to Linux would make things worse, at least for a while: Linux has many strengths, but newbie-friendliness isn't one of them.

To solve the newbie problem, an operating system has to be safe enough out of the box to foil at least the most basic kinds of attacks, but still has to be easy enough so unskilled users can connect to a LAN or the Internet without undue trouble. That's a tough balancing act, but several vendors are getting close. For example, Red Hat Linux offers very simple auto-configuration of its firewall, and Microsoft includes a simple click-to-activate firewall (Internet Connection Firewall) in XP--though "click-to-activate" is the catch: it ships switched off, so the newbie who most needs it is the one least likely to turn it on.

But that points out another problem affecting security: How do you get people to move to new software? For example, Microsoft has twice tried to kill off Win98--a five-year-old operating system that itself was mostly a refinement of the eight-year-old Win95. But customers howled: "We want our old software!" As a result, Microsoft has twice extended the life of Win98; active support now will continue until January 2004, and Microsoft won't completely pull the plug on Win98 until January 2005 (see "Microsoft's Adjusted 'Product Lifecycle' Plans").

When Microsoft finally retires Win98, the core of that operating system will be 10 years old. Think of what the computing world was like then: Computers were nowhere near as common as they are today, and most computer users had never surfed the Web or connected directly to the Internet. What worms and viruses existed then mostly traveled hand-to-hand, by floppy disk!

Microsoft's corporate blind spot about things like buffer overruns may be inexcusable, but I also think it's unreasonable to expect any decade-old software to deal with threats that mostly didn't exist at the time the software first appeared. A 10-year-old copy of Linux also won't look very good compared to today's versions, for example; a 10-year-old Mac will likewise look pretty lame. No operating system from eight or 10 years ago is really up to all the challenges of today's needs.

Page 2 of 3