06 October 2010

Dr Microsoft: Time to Be Struck Off

A Microsoft researcher offers an interesting medical metaphor:

Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.

So, we're talking about computers "compromised with a bot": now, which ones might they be? Oh look, that would be almost exclusively Windows users. And why would that be? Because no matter how diligent users are in installing endless security updates to the Swiss cheese-like applications known as Windows, Internet Explorer and Microsoft Office, there are always more critical bugs that pop out of the proverbial digital woodwork to lay them open to attack and subversion.

So, where does that leave us when it comes to "improving" and "maintaining" the "health of consumer devices connected to the Internet"? Well, it means that by Microsoft's own logic, the solution is for everyone to junk a system that is still insecure, despite promise after promise after promise that this just was some minor technical detail that Microsoft would fix in the next release.

For Windows has manifestly not been fixed; moreover, Windows will *not* be fixed, because it's just not a priority; Windows may even be *unfixable*. The only sane solution is for people to move to inherently safer (although certainly not perfect or impregnable) alternatives like GNU/Linux.

For a researcher at Microsoft to attempt to avoid this inevitable conclusion by pushing the blame for this endless series of security lapses onto end users this way, and to suggest that they, rather than Microsoft, should be thrown into the outer darkness, is beyond pathetic. (Via @rlancefield.)

Follow me @glynmoody on Twitter or identi.ca.


PV said...

On the one hand, it's true that a good many users are to blame for security issues because they don't exercise good security sense (e.g. not clicking on popups, not opening emails from unknown senders, not going to known malware-infested sites, etc.). On the other hand, it certainly isn't right to blame all users for security issues, because no matter how diligent a Windows user is, eventually Windows will fail. This happened to me as well on my old computer (and I consider myself fairly diligent about which sites to visit and which sites not to visit).
What's worse is that Microsoft in some state governments is pushing for taxes on all citizens to cover for monetary losses due to downtime stemming from malware infections. Oh, the hubris of Microsoft.
a Linux Mint user since 2009 May 1

Glyn Moody said...

@PV: Yes, agreed. There are certainly many users who are to blame for their sloppy attitude to security, but it's hard to tell them from those that try and are let down by the software. So any schemes aimed at locking them out are bound to be unfair.

Lefty said...

I can't honestly say what to make of this, Glyn, and on several scores.

First, one needs to recognize that the relative vulnerability to malware of Windows systems versus Linux systems (or Macs, for that matter) isn't a matter of some sort of magical excellence on Linux's part that makes it immune: it's a question of market share. Virus writers are like anyone else, and they want their efforts to be widely "used". There aren't enough desktop Linux systems to make them interesting to malware peddlers.

Second, I don't see what's inherently unreasonable about saying (regardless of the operating system), if a PC is infested with a "bot", and thus poses a potential danger to other systems (again, regardless of its OS), then it should be taken off the net until it's fixed.

In a number of states here in the US, when you take your car in to have it registered, you have to have it inspected, as well. If your headlights don't work, or if your brakes are too worn, or if some other condition exists that makes the car unsafe to others, then you have to get the problem repaired before you can legally drive it.

Yet, no one complains that, for instance, Chryslers should be exempt because the headlights on Chryslers are more prone to burning out no matter how frequently you replace them, and I have to believe such a complaint would be viewed as pretty silly.

(Now, this might be an argument against buying Chryslers, or Windows systems, but that's a separate issue, and a matter of personal preference on the part of the buyer. You can't enforce your preferences on other people, for better or worse.)

Nor does anyone claim—as my usually sober friend, Carlo Piana, claimed on identi.ca—that "car access" is a "basic human right". Let's please try to get away from rhetoric like that; it's a distraction from the actual discussion. Internet access isn't a "right", nor is having a telephone, a car or a television.

Glyn Moody said...

@lefty: you're of course right that the much larger market share of Windows makes it a more attractive target: that explains why it gets hit so much.

But I don't think it explains why there are so many vulnerabilities in the first place, and why often Microsoft is slow to acknowledge and patch them.

I've been writing about Microsoft for 30 years now (eek), and it has always had a very unsatisfactory attitude to security. Even when it seemed to be taking it seriously - when Bill Gates made it absolute priority in the 1990s - little happened.

So given that track record, which means that ordinary users might well become part of a botnet despite their best efforts to keep their systems secure, blaming them seems a little rich.

Had Microsoft adopted a slightly more humble attitude - admitting that much of the fault lies on *its* side - then I'd be more inclined to take its suggestion seriously. But instead, it seems simply to be saying, well, we're in a right mess aren't we? - how tiresome. Why don't we just boot off all the infected PCs, that would solve it?

And yes, you're right that cars have to pass safety tests of various kinds before they are legally allowed on the road. Leaving aside the fact that unsafe cars kill people (well, actually even safe ones do, alas), the issue again comes down to fixability. As I wrote above, if people have made best-effort attempts to fix their PC/car, why should they be thrown off the Net/road just because of continuing flaws in the software?

If a car is not fixable over a period of time, the obvious thing would be to change manufacturer, no? But because of lock-in, as well as a refusal of mainstream media even to mention that Stuxnet, bots and malware are nearly always problems of Windows systems (the BBC is terrible in this regard), most end-users don't even know that there are other car manufacturers.

Maybe if they did then more problems would turn up, and there would be more attacks on GNU/Linux. Given the way GNU/Linux is designed, I don't think so (although there would certainly be more attacks and flaws found). But it can hardly be worse than the current situation, so why don't we let people know there is this option and begin to explore that as a solution, instead of talking of throwing people off the Internet?

PV said...

@Lefty: While Linux's low market share relative to Microsoft Windows certainly does make it less of a target, things like user privileges and chmod (among many other features stemming from Linux's roots as a multi-user server platform) mean that Linux will at the end of the day be inherently more secure than Microsoft Windows (though things like runas and Administrator privileges are helping Windows catch up). Mac OS X has only a slightly higher market share than Linux, yet according to a new Secunia report, it is even more vulnerable to malware than Microsoft Windows (based on data from the past 5 years, specifically looking at 2009).
a Linux Mint user since 2009 May 1

Valdis said...

Windows will always fail to be secure because of security compromises, which were introduced due to poorly written applications. And because applications and the OS are controlled by different parties without code sharing, improvements will be a never-ending story.