Mr. Bill and the Security Sweet Spot
Good old Mr Gates. In January 2002 the richest man in the world decreed in his Trustworthy Computing memo that all Microsoft software should concentrate on security rather than features, and within a couple of months the world entered a new era of safe, secure computing.
If only ...
Mr. Gates is unquestionably bright, but he does catch on to the big ideas a little late. He was late working out that the Internet needed to be central to everything Microsoft does. And he was late figuring that security needed to be central to everything Microsoft does too.
Well, let me modify that a bit. What I think he finally figured out, back in 2002, is that Microsoft had to be seen to be putting security first. Just as vaporware has an effect on the market without actually existing, Microsoft realized that it had to say that security was paramount.
Why wouldn’t it be? Simple. Microsoft is a business, and its job is to make money. Not to make great software. Not to make secure software. Not to make software that even works. Just to make money. It’s very good at that, and since it is a very large corporation which probably makes up a part of your stock portfolio or retirement fund, what’s good for Microsoft is very probably good for you. Financially.
But in terms of providing a secure computing environment, Microsoft is not that great. If it was, it wouldn’t make so much money for Bill. That’s because Microsoft has hit the money-making sweet spot of selling buggy, not very secure software to the masses. The law of diminishing returns dictates that catching each security flaw before releasing software costs more and more, so to maximize profits it catches the low hanging fruit and leaves the rest. If the software is too buggy or insecure, no-one would use it. If it had no bugs and was totally secure, no-one could afford it.
Since 2002 Microsoft has, to be fair, spent time and money checking and updating code to make it more secure, and is making attempts to make sure that new code it produces is written securely. Even so, I reckon Microsoft likes the quality of its software pretty much as it always has been. In this, I’m not alone. “Microsoft are not in it to improve security, but were forced to by negative publicity,” says Thomas Raschke, a security analyst at IDC. “Microsoft is trying to make money and the OS is the cash cow. The security update effort is way too small,” he says.
The truth is that Microsoft only makes money when people buy its products, and when enough people decide they are not secure enough to buy, Microsoft suffers. Then the economics change, and it is in Microsoft’s interest to make convince people that Something Is Being Done. So that’s what Bill Gates’ memo was really about: making the right noises and going through enough motions to keep people buying the software. And that’s why, in Raschke’s view, not much has changed. “I don’t think the world is any more secure today than it was five years ago,” he says. “The threats increase at a similar rate to the effort put in to address the issues.”
You may well ask why it has been so hard historically to write secure code, getting us in this mess in the first place. One of the problems is that Microserfs generally write system code in C, C++ or, increasingly, C#. Most is written in the first two of these languages, and both are equally susceptible to buffer overflows and the security breaches these bring. Compiler tools and proper use of string/memory move/copy functions do minimize the risks of overflows but plenty of fundamentally insecure code has been written and is still in use.
On the positive side, Windows XPSP2 and Windows 2003 support software DEP (data execution prevention) and some processors have hardware DEP, which can help prevent code being executed in unexpected memory locations, and C# is light years ahead in terms of memory protection.
Trouble is, new security threats come along all the time. Buffer overflow errors are not the big threat that they used to be, and malicious hackers have found, and will continue to find, new holes in Microsoft’s – and indeed most – code.
A big problem for Microsoft is that Windows makes computers easy to use. Too easy to use, in fact. That’s because they are not simple at all, and nor is the software that makes them run. It just seems so. And if you don’t understand something, how can you make sure it works securely? Years ago Microsoft bundled its own anti virus utility with Windows, which, on the face of it, it solved the problem of viruses. Not many people realized that a virus scanner was only as good as its signature files. Now Microsoft’s XP security center has a firewall. So XP must be secure. Except that very few users would be able to tell you what a firewall really does, or that Windows Firewall is only one way (it can block incoming traffic, but not outgoing) or whether malicious code could disable Windows Firewall.
The fact is that Microsoft is in an almost impossible situation. With by far the largest share of the systems software market it is the obvious choice for hackers to target. To beef up the security of its code is simply not a good business decision. And even if it did, clever hackers will always be able to outwit less skilled users – who tend to be Windows users rather than users of Linux or any other OS.
There is only one real solution: to make all users – not just network admins and other IT professionals, but all users right down to the most technophobic – understand security risks, what to do to avoid them, and what can happen when things go wrong. Quite frankly I can’t see that happen any time soon. Microsoft will continue to sell software in the security sweet spot, and if the market decides the sweet spot is not very secure software, then that’s what the market will continue to get.