03 July 2004

Microsoft and security

Bruce Scheneier argues that Microsoft is unwilling to do what's necessary to meet their alleged goal of enhanced security with their products.
The security of your computer and network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks. It's not enough for you to maintain a secure network. If other people don't maintain their security, we're all more vulnerable to attack. When many unsecure computers are connected to the Internet, worms spread faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. The more unsecure the average computer on the Internet is, the more unsecure your computer is.
...
Initial news stories reported that Microsoft would make this [security-oriented] upgrade available to all XP users, both licensed and unlicensed. To me, this was a smart move on Microsoft's part. Think about all the ways the company would benefit. Licensed users would be more secure and happier. Worms that attack Microsoft products would be less virulent, so Microsoft wouldn't look as bad in the press. Microsoft would win, its customers would win and the Internet would win. It's the kind of marketing move about which best-selling books are written.

Then Microsoft said the initial comments were wrong; SP2 would not run on pirated copies of XP. Only legal copies of the software could be secured. This is the wrong decision.

Not surprising to me. Microsoft makes their money by selling you software that creates problems for you, then selling you software which solves those problems ... but then gives you new problems, so they can sell you software which solves those problems ... but then gives you new problems ... and so on.

Now that Windows is fairly reliable, they need to get us into some serious pain over security so that they can ride in on a white horse and fix that problem. We're just not in enough pain yet.

No comments: