Monday, September 1, 2003

Why hate?

Phil Karn has ranted about Microsoft's lack of security.

He doesn't use Microsoft OSes, but Microsoft used some of his public domain code in XP, so his e-mail address was included in the local license. If anyone doesn't remember what the Klez (and other) worm(s) do, part of it scans the local hard drive for e-mail addresses to use in the "To:" and "From:" lines of infected messages. The end result: Phil and the three other guys who wrote "free" code have been pounded on by just about every infected XP user.

I'd be pissed, too. Actually, after two arguments at work about this, I'll go stand on Phil's side of the line. Someone actually said that "Microsoft is the source of all this malicious code because of their market share". They're the victim?!??!

#*@:!!!! <--- replace with your favorite multi-syllable expletive

Market share is only part of the reason, possibly a small part of the reason. The major part of the reason is that Microsoft has tied all of their software together and has done it so insecurely that it's like dog poop on the sidewalk. Leave it there long enough and you'll get crawly things in it.

(Don't believe me? Okay, MS SQL doesn't have that big of a market share. Why hasn't an Oracle worm prevented me from getting money from an ATM and hopping on a plane?)

For the rest of my rant, keep this paradigm in mind: security depends on simplicity.

The more complicated a software product is, the more likely it is that the product contains exploitable bugs. Adding features, even if they're security features, only makes the code more complicated and, past a certain point, may seriously affect how code works in other portions of the program. (What, no one has installed an MS patch and been surprised by a registry setting change or a failure in some other program?)

(In my opinion) Any claims that Microsoft makes about increasing security by taking a month off to review code and then returning to churning out new features are totally bogus. To increase security, they're also going to have to take a look at how their code interacts! If the OS were a house, it would have slid off its foundations long ago.

Why am I pissed? Why "hate"? Try two solid weeks of Blaster/Welchia/SoBig side effects combined with the usual inter-org politics and under-caffeinated moodiness. No, the NOC doesn't use MS, but 90% of the customers do.

I hereby curse Alexander Graham Bell for commercializing the telephone. (I don't want to get into the argument about who actually invented it.)