Stop blaming Microsoft for cybersecurity woes?


Often by reading just the headings for blog posts I'm amply alerted to current issues and news stories from the likes of the Australian ABC, Channel News Asia and CNET, which choose to syndicate small samples of their posts rather than the whole post. When I read that "Australian Minister for Communications is a dolt" or "Clinton chosen for Secretary of State", everything else is really just filler.

Today though while reading the headings from various news sources, I was instructed by Jon Oltsik from the Enterprise Strategy Group in my CNET news feed to "Stop blaming Microsoft for cybersecurity woes."

"Painful" would be the word I would use to describe his story, which is a shame because he starts out great with his first two paragraphs. He instructs those who are thinking of cutting back on security during these difficult economic times to read the latest CSIS report and realise that as we build more infrastructure around the internet, we're introducing more vulnerabilities which are ripe for attack. He echoes his tagline: "information security is far worse than you think." I completely agree; security is too critical an area to cut back on, even during tougher times.

Unfortunately, I think he starts to slip in paragraph three:

[…] I humbly submit an additional requirement to the security community: it is time to stop blaming Microsoft for the sorry state of cybersecurity. Now, I realize that this is a rather controversial request, but I think the time has come.

It certainly is a controversial request sir! Conveniently for me he's broken up his argument into three easy bullet points, which I will address in order. Why does he think we should ease off of Microsoft?

Security through obscurity
A basic Security 101 mistake

1. It’s a numbers game. Microsoft’s success makes it a target–no other platform has nearly as many systems connected to the Internet. The fact is that if Linux, Macs, or UNIX systems dominated the Internet, they’d be under pervasive attack, too. Would we be better or worse off? Who knows?

This argument is so old and has been so thoroughly debunked so many times, it was cringeworthy reading it here. While it is true there are more Windows clients, "UNIX" machines do in fact dominate the internet: more pages are served under open source projects such as Apache from Unix-like systems than Windows servers with IIS, and yet these Unix-like servers suffer far fewer vulnerabilities, and the ones they do suffer from are generally far less destructive when taken advantage of. So much for the market share argument.

If we play along though and assume for the sake of his argument that market share is responsible for Windows being more vulnerable, doesn't that then translate into a greater responsibility for Microsoft which they've failed time and time again to deliver on? Why were they so lax about this for so many years when they knew they were a primary target?

Windows is a flawed system regardless of their market share.

Reductio ad Absurdum argument

2. It’s unproductive. I really don’t understand what anyone hopes to accomplish by blaming Microsoft. Should governments single out Microsoft for some type of special security threshold? Should Windows systems be kicked off the Internet? There is plenty of blame to go around beyond Microsoft, so singling it out accomplishes nothing.

I suspected what this point was but couldn't remember the phrase; fortunately Penguinisto mentioned it in the feedback section. Reduction-to-the-absurd attacks are dangerously close to strawmanning and don't achieve anything.

Microsoft does deserve to be singled out because desktops and servers running their software are responsible for the single largest source of security problems online, in a higher percentage than their market share would explain away. This isn't a case of being unproductive, it's the exact opposite. Microsoft needs to be held accountable given their previous performance, just as every other major player in every other industry needs to be.

Nobody is suggesting we unplug every Windows machine online by building giant radioactive zombies to trawl through every household. See how ridiculous arguments get us nowhere?

"Security isn’t claimed, it’s proved"
– Bruce Schneier

3. Microsoft is actively addressing past security shortcomings. Think what you will about the security of Microsoft products, but few other companies have done more to improve their software security development, employee training, and testing processes than Microsoft. Microsoft is also taking its Secure Development Lifecycle to others through its SDL Pro Network partners like Security Innovation. In fact, Redmond even contributed to the CSIS report, Microsoft Corporate Vice President of Trustworthy Computing Scott Charney is one of the CSIS co-chairs.

To use a colourful phrase from my grandfather, even if it took Microsoft this long to get their arses into gear, it is clear Microsoft is actively addressing security problems. Despite this though and your laundry list of examples, what they still lack is results.

I've been saving this topic for another post, but in brief what Microsoft really needs to do is admit to everyone that the Windows codebase has become unmanageable with disastrous results, and start fresh. Projects like ReactOS have shown it is possible to create a compatible system that's clean and lightweight, and Apple has proven you can emulate existing systems inside new ones while people migrate.

Instead of developing all the cruft, features nobody wants or uses and tacky eye candy, Microsoft needs to be addressing the problems of the NT architecture itself. I have every confidence that Microsoft is capable of this; what they lack is direction. In the meantime they can continue claiming progress, and people wise to them will continue to point out otherwise.

As for the order posed in the title by Mr Oltsik, we have sufficient needs and sufficient evidence to continue to blame Microsoft for their responsibility and failings in our current cybersecurity woes. What won't get us anywhere sir is putting our hands over our ears and pretending they shouldn't be.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.