Re: MS
Originally posted by davy the bunny
I don't think that this statement [about Microsoft] is entirely true. . . with all of the recent big name virii (nimda, Code Red and whatever that even more current was called) it was due to bad practice of users and admins not updating their software. I should just hope that we mac users are able to trust Apple a bit more than they can trust MS and that maybe we're just a little smarter than those who choose not to update. . .
Certainly it is not entirely true, but your statement is just as misleading.
- Consider that the last virus (Slammer) exploited a known vulnerability that had been patched by Microsoft in SQL server 2000 (point in your favor). However "bad practice of users and admins" is Microsoft FUD. Why? Microsoft was one of the (many) companies guilty of not applying their own patches which allowed the worm to infect. It's nearly impossible for most IT departments to keep up with the flood of patches because they introduce instability in the platform. Also consider this is Microsoft SQL Server we're talking about; now imagine IT trying to control who opens what e-mails and what features are enabled in what e-mail readers of every notebook and desktop computer used by their employees. Hmm...
- Consider SQL server leaves this vulnerability (and many others) in the default install. This is common with Linux and Windows installations, in which the default install is highly promiscuous. Apple's Security Update patch involves an application that is default off, and hard to turn on, so most users are protected from attack even if they don't apply the patch. Note: Apple could go a bit further in terms of security in areas where they feel that the extra security causes confusion to the user (i.e. the fact that any member of the staff group can install in /Applications).
- Consider that Apple's core code where most of these remote and local vulnerabilities are found (Darwin/BSD/Unix apps) is open-source. Microsoft offers a highly restrictive "shared-source" license in which if you are among the lucky few who can view it, you cannot announce any vulnerabilities you find (at all), nor can you patch them and recompile on your own computers.
- Consider the numerous reports of various Windows IE vulnerabilities (and others) that weren't addressed for months after they were reported. Some were never addressed until the reporter went public many months later. Possibly some will never be addressed. We don't know.
- Consider that the turnaround time from when the sendmail vulnerability was found to when the patch was available was one day. (Not because Apple developers are all that, and Microsoft "sux", but because the core code had already been patched by the sendmail developers and Apple simply ported and recompiled.)
- Consider that in the two cases you mention (Code Red and Nimda) and the one I did (Slammer), the affected machines are Windows, not Unix. Even though a Mac user (say) is immune, their internet service dropped off the planet in all three cases because of infected Windows machines clogging the bandwidth and taking down peering points across the world.
- Consider that no administrator running a public web server can go a day without a scan occurring on their machine by Nimda or Code Red. Yet, that administrator is paying for that bandwidth (to their colocation/ISP/whatever).
- Consider that over a year ago, Bill Gates declared security the top priority at Microsoft. Security of Windows hasn't increased one bit (because that might mean sacrificing some of the developer-centric conveniences of the OS). Instead, what we've gotten from this initiative is Palladium DRM. In other words the word "security" is being co-opted to mean "security for us (and the media conglomerates), not you."
I'm not saying Microsoft "sux", I'm saying that Microsoft could do a little more to ensure their operating system (Windows) and their products (IIS, SQL Server, Outlook, Word, Excel, etc.) are a bit more secure. Whenever Microsoft had to choose between security and something else (say extensibility), security has gotten the shaft.
Critical data gets destroyed, public websites pay for others to do a distributed denial of service attack on them, internet transactions fail, websites fail or get defaced, workers sit idle while their machines are being repaired, sysadmins waste time rebuilding machines, draconian IT policies hinder productivity, money is spent on worthless virus checkers (don't believe me? When was the last virus on the Mac?). That's a lot of wasted money and serious stuff!
Until Microsoft's attitude changes, their products represent a disproportionate danger to users of its products as well as (unfortunately) any internet-connected user or internet-enabled machine. :-(
Even if I were to forswear Microsoft products (silly) and work at keeping my machines "secure" (costly), I'll still get smashed by the "second-hand smoke" coming out of less secure machines out there. Due to a quirk of licensing, the manufacturer of software is not liable for things that they would be if the product wasn't software, creating a negative externality in our economic system, because a developer (of an operating system, application, website, whatever) has no legal incentive to think about security (which can end up being very costly). But that doesn't mean we should blame the customer. Nor does it mean that we should allow developers to be so cavalier with our computers, our information, our livelihood.
Those of us who are Microsoft customers as well as those of us who aren't should demand better and not give in to myths that the current level of viruses is "simply bad practice of users or admins" or believe it when Microsoft advertises "99.999%" reliability or "security is a top concern".
Take care,
terry