Notes from the Field | Robert X. Cringely® » Microsoft and the age of insecurity

May 09, 2007

Microsoft and the age of insecurity

It seems like only yesterday that Bill Gates was touting Windows Vista as "dramatically more secure than any other operating system released" and claiming that security researchers would be lucky to find one Vista flaw in a month.

Yet, only yesterday, Microsoft released 19 critical patches, including six that dealt directly with holes inside IE7 running under Vista. Guess that pretty much covers the rest of the year.

In a way that huge patch release was good news -- and not just because it fixes a nasty DNS vulnerability that had a lot of IT guys quaking in their Keds. There was a time when Windows holes went unpatched for months, and fixes were issued seemingly at random. Not anymore.

And, as InfoWorld's band of intrepid geeks has shown, Vista does seem to be more secure (or, for you glass-half-empty types, less insecure) than prior versions of Windows.

But don't get too comfortable. The other day I was talking to a security wonk who tracks zombie nets for a living. He says anti-virus apps and spyware scanners may do a decent job of stopping known threats, but they suck hard at catching zero-day exploits. He says you could run every major anti-malware package available and be fortunate to catch one out of four new nasties.

Two days ago I got an email titled "IE7 beta 2" that claimed to be from "Admin@Microsoft.com". Inside the spam was a graphic with a live link to an executable file on some obscure Asian domain -- a remote access Trojan called Virus.Win32.Grum.a. The black hat hackers simply take Microsoft's new focus on security and turn it to their advantage. Give them lemons, and they make lemon-flavored poison.

It's not just Microsoft or just the Internet -- insecurity abounds in every direction. The Transportation Security Administration recently fessed up to losing a hard drive containing the identities of more than 100,000 of its own employees, including their Social Security Numbers. Their solution? Free credit report alerts for TSA employees. Somehow I think they're missing the big picture. ("Hi, my name's Osama and I work for the TSA. Would you like to see my badge?")

Insecurity. Get used to it. Because it's going to be part of our lives from now on.

Are things really that bad or do I just need more coffee? Cough up your opinions below or send me a note. Top gossip and blog ideas may net you a new carry-on bag.

Posted by Robert X. Cringely on May 9, 2007 07:36 AM


COMMENTS




All computers are inherently insecure. Years ago Security people recognized that adding a floppy drive and network adapter added a significant amount of risk that was difficult or impossible to control. The issues here are not specifically Microsoft's deficiencies per se but:
1) How well your product is designed to ward off attacks and your processes to identify and deliver patches to your client base
2) The volume and impact of the attacks that you are enduring
3) The ability of your integrated technology systems to ward off attacks.

Most companies do a poor job of Security which is NOT technology centered as you may think but oriented around:
People
Policy
Process

As part of my job as a security consultant I keep seeing the same issues time after time which is basically most companies don't want to bother with security as it adds costs and time to their business functions. At least not until a devastating problem like TJX recently experienced crops up.

On the positive side it generates lots of work for people like me.

Posted by: DougE at May 9, 2007 11:24 AM

I went to bed leaving my PC on with the monitor switched off. Overnight Vista was rebooted by Microsoft for my own protection. It's the first time it's happened and while I didn't lose any data I was not happy--I did lose my suspended trains of thought as not all windows resumed (Explorer no, Firefox and Opera yes). This just DOESN'T HAPPEN with Linux (Ubuntu). I am tired of it. Yes, I can shut off the net connection or tell my PC not to install updates without permission, but I suspect I'll probably get hammered if I do this. It'll happen some day.

I've had one previous incident where Vista didn't wake up properly from a sleep. The list of fixes it's installed since Day 1 (Jan 30) is long.

Predation and parasitism are a given in the natural world where passing a law doesn't work. I suspect we'll always have insecurity but trying to defeat predators and parasites with only technical means is not likely to work. What countries have decent laws and penalties for computer malfeasance--and actually enforce them?

Posted by: Paul O'Nolan at May 9, 2007 12:39 PM

To DougE
It most certainly DOES have to do with Microsoft, I have worked there, and their development management process is terrible. They don't understand project management or the Software Development Life Cycle, have poor change management, and there are so many developers with bad know-it-all attitudes - it is one of the most dysfunctional companies around. I recently bought a simple MS program (Money) and it crashed on 2 of my machines upon installing/configuring it. And of course the tech help is unbelievably horrible, after waiting 45 minutes on the phone, they were unable to help. After the unsurprisingly horrible Vista feedbacks I have read, I have decided to definitively switch to the non-MS world.

Posted by: Ralph at May 10, 2007 12:03 AM

To Ralph:
I don't disagree with you ... but the issue is bigger than Microsoft; it's industry-wide. Microsoft could probably be called the cheerleader for crappy design, process and management. They set the "gold" standard (cough) but a LOT of other companies execute the same way. The net of this is even if Microsoft made secure products the way companies develop and deliver business function using Microsoft technology would probably shift the focus away from easy to exploit Microsoft issues to easy to exploit application and systems designs.

Posted by: DougE at May 10, 2007 08:20 AM

Open Source comments are priceless:


"What Fortify has found from running the project is that the defect density of open-source code is "astronomical," Chess said, pointing out one project in particular that Fortify has inspected over the past year: Net Trust, with an estimated 12.215 errors per 1,000 lines of code."

Read the rest at:

http://www.eweek.com/article2/0,1895,2128071,00.asp?kc=EWEWEMNL051007EP41C

Posted by: Patrick C. at May 12, 2007 04:29 PM

The issue is simple. For starts, Microsoft needs to exit the security business. They suck at it. Secondly, users pull the plug on the net. Grasp?!?!? Oh yeah. Problem solved. Need data? Use a USB stick (modern day floppy). Throw a STANDALONE anti-virus software on the box. You're covered.

People just don't want to pull the plug on the internet.

Geez.

Posted by: monten at May 14, 2007 10:57 AM

I've long held that hacking in general, malware and any virus that does more than $200K in damages should be subject to the death penalty. Yes, I am serious. In any event, the penalty is not as important as the ability to catch the perps.

I am hoping that IPv6 will enable enough hooks to facilitate backtracing hackers.

The other option is that victimized businesses around the world could chip in to create a covert force that would track and quietly eliminate hackers as they were discovered.

Laws would have to be changed to eliminate legal and criminal liability for the force, but we are in the equivalent of the wild west days here and the hackers have the upper hand. The existing tools out there are not addressing the root of the problem of large-scale hacking communities in the US and foreign countries.

Posted by: Frank S at May 14, 2007 11:07 AM

If you want computer security all you have to do is stop the flow of electrons.

Posted by: Jonathan Swift at May 14, 2007 02:50 PM

It is NOT an industry-wide problem, except in the Microsloth world. Bill The Shepherd has been mistreating his sheep for many years, but the sheep continue to follow blindly.

I have an always-on broadband connection for my Mac and don't have the OSX Firewall turned on or run virus protection - never have.

I realize that OSX is not perfect and various components have had holes found and repaired, but how concerned am I? Zero.

Posted by: Jim at May 15, 2007 06:01 AM

One more vote for thinking differently.

I don't allow any Microsoft bugware on my small ISP site of eight computers. I still have the odd security problem -- a one-line change to /etc/php.ini resulted in thieves using one of my client's form mail pages to send spam -- but at least the core is solid. The only time I re-boot MacOS is when I install a software update that requires re-booting.

Oh yea, there is one other problem: my web logs are filled and bloated with break-in attempts from compromised Winblows computers. Ugh, you just can't get away from the scourge.

Posted by: Jan Steinman at May 16, 2007 07:04 PM
