Tuesday, April 27, 2010

Windows Security: is Microsoft innocent?

How many times have you read about a worm spreading through an enterprise network, or some malware or other compromising personal data, or computers being used to build a DDoS or spammer botnet and either shouted BLOODY WINDOWS at the screen or seen someone else lay the blame squarely on Microsoft? Chances are, rather a lot I would imagine. After all, it has become almost de rigueur in geek circles, especially amongst the non-Windows using Mac and Linux crowd, to blame every security mishap on Microsoft.

I am always looking for good reasons not to vent my spleen in the direction of the Redmond Microsoft Campus, so I was intrigued to come across a piece over at last week entitled 10 Reasons You Shouldn't Blame Microsoft for Windows Security Issues. These could, however, pretty much be bundled together into two distinct groups: stupid user syndrome and stupid developer syndrome.

The stupid user should not open any old attachment, should not visit dodgy sites, shouldn't use weak passwords, shouldn't forget to apply software patches and security updates, and certainly shouldn't run in admin mode. The stupid developer, on the other hand, shouldn't produce applications with vulnerabilities.

Now while there is some merit to all of those things as being reasons for compromises happening, and if taken on board as best practice advice for consumers make good sense as well, I don't see how any of them actually gets Microsoft off the responsibility hook to be fair.

Before I go any further, let me declare an interest: I am a hardened Windows user and have been all my adult life, since the very first version in fact. I moved from an Amiga to a PC, and while I do own Apple products and have got a machine running Linux here, it is the Windows boxes that are my day-to-day workhorses. So please do not think I have a fanboy axe to grind; it's actually just as an observer of the impact of IT security compromises that my tree felling tool starts sparking a tad.

So, back to the plot, how does blaming the user and the third party developer get Microsoft off the big hook of responsibility? The answer is it doesn't; all it does is mitigate the blame a teensy weensy fraction of a percent (to use a McAfee measurement). Microsoft, as developer of the most successful and popular operating system out there, has to be where the buck stops. In fact it is where billions of bucks stop, to be fair. So is it too much to expect that it should be taking every possible step to ensure that whatever flavour of Windows we are talking about today is secured up the wazoo? Is it too much to ask that the risk of compromise should be reduced to the n'th amount and the stupid user protected from the consequences of being stupid or using stupid applications?

Until it can stand tall and proclaim it is doing just that, and perhaps more importantly the end user can believe as much, in the same way that they believe Apple and the various flavours of Linux, I am afraid that I cannot actually think of a single reason why I shouldn't blame Microsoft until the cows come home.
