Want to laugh? There is a hilarious interview with Bill Gates by Der Spiegel, in which they ask him many questions about security, malware, and other things, and it includes this classic interchange:
SPIEGEL: Microsoft is not only a part of the solution, but also, because of its market power, part of the problem. When a company provides more than 90 percent of all personal computers with software it is inevitably a target for hackers interested in causing the most damage possible.
Gates: There are actually a large number of operating systems in addition to Windows, for example, such as OS from Apple or Linux and Unix...
SPIEGEL: ... but in the realm of normal personal computers, they don't play a large role worldwide.
Gates: The truth is: the fewer operating systems there are within a company, the better it is from a security point of view.
SPIEGEL: I beg your pardon?
I beg your pardon, indeed. Yes, you heard him. Monocultures are a security plus.
Here is a paper [PDF] by some security professionals presenting a decidedly different opinion.
What is there to do but laugh?
Doug Pike, the "Doubtful Accounts"
cartoonist who specializes in financial cartoons, has been inspired by Microsoft. Maybe he got his inspiration when he read that Microsoft will be releasing 13 security patches on Tuesday, including several critical updates. They won't tell us what they are in detail until a teleconference on Wednesday, though, so surf the Internet at your own risk, Windows users.
Or maybe he read about MySQL having only one bug per 4,000 lines of code, compared to 1 to 7 bugs per 1,000 lines of commercial code:
"Commercial code typically has anywhere from one to seven bugs per 1,000 lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.
"Coverity's analysis of MySQL found an average of one bug in every 4,000 lines of code--results that are at least four times better than is typical with commercial software.
"The findings parallel earlier work by Coverity in auditing the Linux kernel; that work found that a recent version of the kernel had 985 flaws
in 5.7 million lines of code, less than a single flaw in every 10,000 lines of code."
Or maybe it was reading about Microsoft launching a program to create a partnership with governments worldwide "to share information and conduct joint projects on network and information technology security," with the goal of more effectively handling viruses, worms and other incidents.
I'm sure that will work out. And it won't cost much either.
Here is the press release about it. Why don't they just fix the software? I think it would be cheaper and certainly easier on the rest of us. Or just switch to GNU/Linux, folks, and do yourselves a favor.
ComputerWeekly's report on the new SCP program says Microsoft is "hoping to help governments handle internet security threats more effectively" through the new program. Microsoft? Help governments handle internet security? When they think a monoculture is a security plus?
Well. Where is the little boy who says the emperor has no clothes when you need him? OK. I'll fill in: Isn't Microsoft's software the problem in the first place? I view it like this: If your doctor operates on you and leaves the scalpel inside you by mistake, will you ask him to do the surgery to remove it? Similarly, if Microsoft's software is insecure and causing security problems, do you ask them to handle your security? Why not find better, more secure software to use instead? Duh.
Canada has signed on, and so has Norway and Chile. And Delaware, which uses a lot of Microsoft software:
"As participants, Canada, Chile, Norway and the United States will work cooperatively with Microsoft, exchanging information that can be used to better anticipate, help prevent, and respond to and mitigate the effects of information technology ( IT ) security attacks. Among the types of data to be exchanged are these:
Information about publicly known and reported vulnerabilities that Microsoft is investigating
- Information about upcoming and released software updates to facilitate resource planning and deployment
- Security incident metrics
- Incident information in the event of a critical incident or emergency
- Information on Microsoft® product security, Microsoft's approach to security, and its incident response process
"In addition to information exchange, the SCP provides opportunities for cooperation with Microsoft on projects identified by the participating government agencies, including these:
Cooperative consumer outreach and education activities, including development and distribution of materials and special events
- Collaboration in computer incident response processes, including joint response in the event of an emergency"
So, tax dollars will be spent dealing with Microsoft malware. I think they've come up with a business model that might just work. Create a problem, and then charge money to deal with it. Get governments to pitch in.
Speaking of problems, cryptography expert Phil Zimmerman says a recently discovered flaw in Word and Excel encryption is serious:
"'I think this is a serious flaw — it is highly exploitable. It is not a theoretical attack,' says Zimmermann, referring to a flaw in Microsoft’s use of RC4 document encryption unearthed recently by a researcher in Singapore.
"'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate … If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.'
"Microsoft has been dismissive of the seriousness of the flaw, which relates to the way it has implemented the RC4 encryption stream cipher. As explained by Hungjun Wu of the Institute of Infocomm Research, it would allow anyone able to gain access to two or more versions of the same password and encrypted document to reverse engineer the scheme used to make it secure."
Or maybe Pike was inspired by this Microsoft answer to a question about security and IE, posed by Neowin:
"5. One of the main areas of concern, in terms of security, has always been IE's extremely tight integration into Windows itself. Does Microsoft have any plans of, perhaps, going towards a more module based environment, with Longhorn, in hopes of further securing the OS?
"Internet Explorer remains a viable, valuable, and mature browser that meets the needs of our customers and ISVs who have a great deal invested in it. Major security improvements were made in SP2 and innovating on Internet Explorer in the future and continuing to honor the investment our customers and ISVs have made in Internet Explorer remains the best and smartest option available to us.
"The IE team is in the process of designing and developing Internet Explorer for Longhorn. It's too early to provide a list of specific features, but major investments are being made in the areas of end user features, security and privacy, and developer support (for both add-on and website developers)."
That's their story, and they're sticking to it. That article also mentions their Security Response Center:
"Microsoft is also bolstering its defense against Internet security threats through the Microsoft Security Response Center (MSRC), a world-class service and support organization. The MSRC has a dedicated team, and a large network of ISP and anti-virus partners, to respond quickly to security issues and better protect customers. MSRC evaluates and analyzes security issues, creates and tests updates, and distributes security bulletins and associated updates. The MSRC also works with law enforcement agencies worldwide to shut down malicious attacks and prosecute the criminals behind them."
You would be mistaken if you think that means this is something new. Microsoft's own history of the MSRC [warning: it is hard to get back to Groklaw from that site by hitting the back button, but persistence or ingenuity wins the day] says it has been in existence since 1996, although under a different name. This is the unit that identifies bugs and comes up with patches. So, I think it's fair to judge them by their track record. But let's let them tell you about that themselves:
"Since its creation, the MSRC has eliminated over 150 vulnerabilities affecting roughly 40 Microsoft products. People frequently argue about what this number means. Does it mean that Microsoft products are full of security holes? We're admittedly biased, but we don't think so.
"Instead, we think this number reflects how aggressively we scrutinize our own products, and how openly we discuss vulnerabilities when they're found. Statistics from independent security experts back us up on this score—they show that security vulnerabilities are found in all vendors' products at roughly the same rate. What sets Microsoft apart is the fact that we tell the world about them, so our customers can apply the fixes we provide and eliminate them."
It's impossible not to be struck dumb by this claim, so I'll use sign language and just point your eyes north, to the beginning of this article for statistics that contradict this silly claim. A lot of money is now wrapped up in the MS malware industry, that's clear. Mike Dalton, President of McAfee in Europe, the Middle East and Africa, put it plainly at a security conference last October:
"'Microsoft is clearly not doing a good job at security,' said McAfee's Dalton. 'Most people in this room who work in security have their jobs because of Microsoft.'"
And end users must hold up their end in this struggle, with tutorials to bone up on. Here is a list of articles CastleCops recently ran, a 10-step program for Windows users to deal with all the various threats in that environment.
Whatever the inspiration, here is the cartoon Doug Pike just drew for Groklaw:
Doug Pike is a 13-year member of the National Cartoonists Society specializing in business and financial cartoons. Some of his prominent clients have included CNNfn, CNBC-anchorman Ron Insana, book publisher John Wiley & Sons, and Standard & Poor's. Doug's work draws upon his experiences as a business owner, investor and MBA graduate from the University of Chicago.
Here's his website, where I found he also has a couple of books, one with what I think may be my favorite title,
Invest Like a Cartoonist. A collection of his cartoons are also on the website. I like the last one scrolling down, with the caption,
"I believe I said sell my American Dental stock and buy me $50,000 worth of their debentures."
Doubtful Accounts Cartoon © Copyright 2005 D. Pike