Two new stories on the radar this morning, one from the LA Times, one from The Register, both about Microsoft’s atrocious security standards.
In the LA Times article, Joseph Menn reports that some members of Congress and others are finally starting to pay attention to what Microsoft has been up to. Meanwhile, The Register reports that Microsoft’s own infrastructure for fixing security holes has been broken since Thursday.
What security issues, you ask? Long story short, many of the worst breaches in information security over the past few years haven’t been due to brilliant hackers breaking down brick walls; they’ve been due to random hackers wandering through holes left in the walls. And most of the holes behind the worms and viruses you’ve heard the most about (Code Red, Nimda, Melissa, and a few dozen variants) were in Microsoft software: Code Red and Nimda spread through holes in Microsoft’s IIS web server, and Melissa spread through Word macros and Outlook.
That in and of itself isn’t so bad; buggy or insecure software gets released all of the time. The problem with Microsoft is that they don’t fix their software until it gets public airplay. Quoting from the LA Times:
“Microsoft treats security problems as public relations problems,” said Bruce Schneier of Counterpane Internet Security in Cupertino, Calif. “They’ll fix a security problem insofar as it gets made public.”
Microsoft’s general way of dealing with security threats is to make legal maneuvers to prevent the world from finding out about them. You want to get their information about how to fix the problems they’ve saddled you with? You have to sign a non-disclosure agreement with them promising not to tell anyone if you find a new one.
This runs counter to the standard means of fixing problems: if a security hole is found in the software most of the rest of the Internet runs on, the hole is publicized and a fix is released through the collective brainpower of the ’Net, sometimes within hours. Microsoft, on the other hand, can take weeks or months to address an issue, and you can be sure that in that time the world’s computer crooks know about the problem. The one left in the dark is you.
Last year, the Code Red worm brought huge swaths of the Internet to its knees by scanning every address it could reach for web servers to infect, and the “solution” many ISPs settled on was to block inbound port 80 to their customers: tens of thousands of users (including me) had their ability to run a web server shut down by their Internet service providers.
I’ll repeat that. Even though most of us deliberately chose not to run Microsoft software on our web servers, and were therefore immune to the worm, our web servers were shut down en masse. It’s the equivalent of having your phone service shut off because someone 100 miles away is making obscene phone calls.
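For the record, here is what “immune” looked like from the non-Microsoft side of the fence. This is an example added here, not part of the original post: a small Python script that picks Code Red and Nimda probes out of an Apache access log. The log lines are constructed to mimic the well-known request shapes the worms sent to every host they found on port 80, and the 404 check is the whole point: on a server that isn’t running IIS, the file the worm asks for doesn’t exist, so the probe accomplishes nothing beyond wasting bandwidth.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format access-log lines (made up for this
# example, not real traffic). The first three mimic the request shapes Code Red
# I/II and Nimda sent to every host listening on port 80; the last is a normal
# page view.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:10:12:33 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 285 "-" "-"
10.0.0.6 - - [18/Sep/2001:03:44:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
10.0.0.6 - - [18/Sep/2001:03:44:02 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
192.168.1.20 - - [18/Sep/2001:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Request-path signatures, keyed by worm. Code Red I padded the query with N,
# Code Red II with X; Nimda tried a list of IIS-only paths that end in
# root.exe or cmd.exe with a "/c+dir" command.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?[NX]{8,}"),
    "Nimda": re.compile(r"(root\.exe|cmd\.exe)\?/c\+dir", re.IGNORECASE),
}


def classify_request(path):
    """Return the name of the worm whose probe signature matches, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None


def scan_log(log_text):
    """Parse access-log text and return one record per worm probe seen."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line; skip it
        worm = classify_request(m["path"])
        if worm is None:
            continue
        hits.append({
            "ip": m["ip"],
            "worm": worm,
            "status": int(m["status"]),
            # A non-IIS server answers 404: the file the worm wants isn't
            # there, so the probe failed. Any other status deserves a look.
            "harmless": m["status"] == "404",
        })
    return hits


def summarize(hits):
    """Count probes per (worm, source IP): the thing an admin would block on."""
    return Counter((h["worm"], h["ip"]) for h in hits)


if __name__ == "__main__":
    probes = scan_log(SAMPLE_LOG)
    for h in probes:
        verdict = "failed (404)" if h["harmless"] else "CHECK THIS"
        print(f"{h['ip']:<14} {h['worm']:<8} {verdict}")
    for (worm, ip), n in summarize(probes).items():
        print(f"{worm} probes from {ip}: {n}")
```

Run it against a real Apache log by replacing SAMPLE_LOG with the file contents; every probe that comes back as 404 is a Microsoft hole being tested against a server that never had it.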
But the big reason this is an issue is that the whole reason the Internet exists in the first place, and the way it continues operating at all, is still due to a great deal of collective contributions. The web page you’re reading is based on a technology that was invented in the early 1990s and given away to the world for free. The means that web data uses to move from my server to your computer is also based on free technology. And so on.
The rules of this game are simple. You’re welcome to invent new stuff, and you’re welcome to keep it to yourself and try to make money off of it. But you don’t poison the well for everyone else.
Microsoft has written some decent software; I’m running two of their applications right now. But they’ve also been dumping big bags of arsenic into the public pool for a long time.
This is the stuff that runs police 911 networks, military response communications systems, financial systems, and dozens of crucial government networks, let alone the businesses and services that you depend on daily. Microsoft has made billions off of their monopoly, and they’ve wielded that monopoly to shield themselves from blame.
It’s time to take them to task, to force them to live up to the standards set for them by the people who built the network they profit from. If they can’t be shamed into accepting this responsibility, then let’s do it through the courts.