(WARNING: long rant ahead; circa May 2004 - dates change, corporate behavior doesn't)
<rant topic="Microsoft" style="frustrated">
So it looks like the latest Microsoft security hole (get the patch if you're
unfortunate enough to be responsible for a Windows box) is going to, once again
(and again), wreak havoc on the entire Internet due to a nice combination of
entirely clueless end-users and poorly-written, bug-ridden software in which
security is a distant third to bells and whistles and time to market. This
one affects every version of Windows since Win95 that hasn't been patched in
the past two weeks. Oh, and for bonus points, the worm that exploits this hole
attempts a DDoS of windowsupdate.com, effectively preventing any of the systems
that might otherwise automatically patch themselves from doing so. It was about
two weeks between the public announcement of this hole and the appearance of
the worm to exploit it (which is about what I predicted; I also predicted,
jokingly, that it would be especially evil if the worm DDoS'ed windowsupdate so
that users couldn't patch. Maybe I should stop making predictions, or only make
pleasant ones, or else start up my own prophecy business.)

For my next bold prophecy, I predict that Microsoft will suffer no damage
whatsoever from this incident. There will be no lawsuits filed, no measurable
loss of business, no public outcry (aside from the usual pundits on tech
websites and the slashdot crowd), no demands that MS live up to their
"Trustworthy Computing" marketing slogan. This corporation, with its vast
market share and nearly complete saturation of the world's computer networks,
has been so negligent for so long that the majority of computer users,
whether business or personal, have been conditioned to think that this kind
of experience is not only normal, but to be expected. Expectations have been
so lowered by this pattern of behavior that bloated software full of security
holes, released by a company in which security takes a backseat to bells and
whistles (read: additional new "features" in every release which, rather than
fixing the bugs in the previous release, only serve to introduce NEW problems
and incompatibilities with previous versions - how else would MS get anyone
to upgrade? It's certainly not for bug fixes or security patches available in
newer versions of their OS or apps), has become the norm for computer users
and administrators. People think that this is the way that computing is
supposed to be, that having your servers raped and your network swamped with
zombie traffic from the worm-of-the-week is just the way things are. They
don't know to expect any better - and worse still, when someone tries to
introduce a superior replacement for a Microsoft product (be it Linux, BSD,
Apache, sendmail/exim/postfix, PostgreSQL, etc. etc.), they are quickly
pooh-poohed by those with a financial interest in maintaining the status quo,
or else by so-called "system administrators" not worthy of the title, who
can't function without a mouse and a point-and-click interface and
installation wizards. I realize that there is currently no desktop alternative
to Microsoft (except possibly Apple, which has its own problems (price being
chief among them)) that's ready for prime-time (and by this, I mean ready to
replace Windows and MS software, while maintaining compatibility with such, on
the desktops of millions of AOL users and corporate drones that think THE
INTARWEB consists of Outlook, Internet Explorer, Powerpoint/Excel/Word
documents, and whatever trojan-ridden filesharing software they've managed to
sneak onto their computer to create havoc for the MIS help desk this week).

That said, I would be happy if we could just eliminate Microsoft and their
horrid software, which is a nightmare for administrators, from the server room.
If we could relegate Windows and Windows software to the desktop, where it
belongs (and occasionally, where it actually does a decent job), a very large
portion of the problem would disappear. Anyone running any public-facing,
unfiltered service on a Microsoft platform is just plain irresponsible.
Especially if that service is httpd or smtpd. There just aren't any excuses
for that anymore - MS Exchange and IIS (not to mention their client
counterparts, Outlook and MSIE) have the worst track records of any software
performing their respective functions. Not only that, they cost a fortune,
are terrible resource hogs, need to be rebooted at least weekly for
stability, and are no longer the only options for ease-of-administration (why
you'd want somebody administering your network who's so unskilled he/she
can't manage without a mouse is a whole other rant, but anyway). There are
now point-and-click GUIs for UNIX systems running server software like
postfix and apache that have PROVEN track records with regards to not just
security, but _correctness_ and ability to easily handle large loads with
relatively few resources. All software has bugs - but many eyes make for
fewer bugs, which is why most modern UNIX software (Linux, *BSD, apache,
etc.) has fewer bugs, and when they're found, they're typically fixed
promptly and publicly. Moreover, anybody can find such bugs, and patch
them. No expensive development kit or NDA or license needed. Just time and a
text editor.

I'm sure I will get many protests from MS supporters, people who think I'm
being unfair, and those just playing devil's advocate. My generic response to
all such objections is this: there are exceptions to every rule. IN
GENERAL, the track record of Microsoft in client apps, server software
and operating systems, is abysmal; the really irritating part is, it shows
little sign of improvement over time. This is an irresponsible attitude for a
company to hold whose software is in use on such a large percentage of
network-connected devices (of course, it's irresponsible for governments and
others who manage critical infrastructure to choose such an unreliable
platform, but that's another rant). You may say "If {Linux|BSD|Apache|etc.}
had the market penetration of Windows, we would be seeing worms for those
systems instead." Sure we would - but I doubt very much that we would be
seeing worms exploiting the SAME HOLES and classes of vulnerabilities (and
I'm not talking about language/logic flaws like buffer overflows or stack
smashing in a general sense) month after month, year after year. MS products
are consistently vulnerable time and again to the exact same
vulnerabilities they patched with the previous service pack, just located in a
different section of their bloated code base. This happens because when a
vulnerability or bug is disclosed, they don't do the right (and more
expensive) thing, and scan the entire codebase for that app looking for every
instance of that bug and patching them all. Instead, they merely patch that
particular hole and move on. After all, paying engineers to pore over
thousands of lines of code looking for bugs is time-consuming, and thus
expensive. Who has time for fixing bugs when we're busy adding needless new
"features" to the upcoming next release of our OS/app? Thus, they wind up
being hit again, with the same hole in a different location or app, over and
over. Take a look at the last ten Outlook worms to see what I'm talking about;
the RPC DCOM hole is different from the usual, but also more destructive. That's
the great thing about software for which the source code is freely available -
holes can be found by anyone, true, but they can also be fixed by anyone.
And frequently are.

There is no longer any excuse for running Microsoft in the server arena (with
the possible exception of Outlook's calendaring functionality, which will
soon be available in a work-alike free software product for UNIX systems).
The sooner businesses realize that running Microsoft software is _the_ main
factor in rising IT costs (not to mention liability for business and customer
data), the better off we will all be. Microsoft is hardly the only vendor out
there putting profits ahead of security, but they're certainly the most
egregious offender. And their market saturation means that a small mistake
from them costs the rest of us dearly.

It is certainly possible to produce secure software that is still functional
(take a look at the OpenBSD project if you don't think so) - Microsoft just
doesn't care to. Their attitude is unlikely to change until it starts losing
them money.

Additional food for thought (or for the CFO):