Hey! The High-Tech Emperor Has No Clothes
eSecurityPlanet columnist Linda LeBlanc responds to the loads of emails she received last month when she said Microsoft misses the point when it comes to security.
I thought a couple of responses would be a good springboard for a discussion on how I approach the topics I write about. It also gives me an opportunity to further the conversation about our obligation to make security our first priority.
Please remember, every column I write is first, and foremost, my own opinion and not necessarily that of anyone else. I have a limited amount of space to convey a single concept, and support it. Using the most pertinent data available, I want to reach the widest possible audience. Sometimes this means I have to leave out more technical arguments that may carry more weight but are less accessible.
I am primarily interested in getting people to think about a specific security situation. Then I'd like to find a way to make an impact on those around us in respect to the problem, whether it is practicing safer Internet habits, or educating those within our influence to be more aware of the threats that confront them from the networked world.
One thing that really struck a nerve with most readers is that Microsoft has an obligation to take security seriously from the very foundations of the operating system to the implementation of their application software, such as MSSql, Office, and IIS. It may be accurate to say that other software manufacturers are beset with security problems, but it isn't that relevant. No other organization takes such a cavalier attitude that Microsoft exhibits on so many fronts.
However, the responsibility for computer security does not solely reside with the manufacturers of computer software. We know we do not live in a perfect world. No matter what type of emphasis is placed on eliminating code vulnerabilities, unexpected things happen. Hackers use protocols in ways they weren't designed for, to gain an advantage. Some things cannot be protected against.
As consumers of these products, whether as corporate buyers, system administrators or end users, we have to recognize and acknowledge this.
We are all end users in some fashion. All of us have an obligation to security. We must bear the responsibility for our own systems and the software packages we run. There are going to be vulnerabilities and there are going to be exploits, regardless of the software we choose. It is incumbent upon us to protect ourselves from these risks to the best of our ability.
I can hear you now saying things like, ''I don't have time to read all those mailing lists, and besides it's all techno-speak I don't understand about stuff I can't relate to.'' Or maybe you're saying, ''I have a systems administrator who's supposed to take care of all of that.''
For all of you thinking these thoughts, I have two words: auto update.
Apple has the Software Update function that can be configured to check automatically for updates to all of the Apple software installed on your system. Both Windows 2000 and Windows XP have automatic update features that will download and install all software updates if you choose.
If you're reading this article and you're running hardware that doesn't support anything later than WinNT, and you have that machine connected to the Internet, please do yourself a favor and spring for the right tools.
Running Windows 98(SE) on the Internet is like riding a Vespa on the Pacific Coast Highway. You'll get where you're going, but you're likely to get run over doing so. What you save in costs for upgrading you pay for in the risks you take with your identity, your data, and your privacy. If you're dealing in corporate assets, the risks you take in liability far outweigh any argument you can make for economics.
Now, if you're reading this and you're running Linux (or any of the other *nix, as they say), you bought the erector set. You get to put it together. You have choices from swup to RPMs that help you collect the latest fixes and compile and install them. You can subscribe to mailing lists associated with your specific flavor of Linux to stay informed.
With a lot freedom comes a lot of responsibility. You, my friend, have stepped up to the plate, and now, must shoulder the clue-bat.
We all have choices about what we use for computing resources.
Hardware can range from entry level, mass-produced equipment for every desktop, to one-of-a-kind, application-specific systems. For most of us, software comes in three forms -- Mac, Win and Lin.
More and more software vendors have all three platforms covered, and make every effort to keep security patches up to date. They've done their job by releasing patches for vulnerabilities. We have to do our job by installing them. Automated update packages make it that much simpler.
Some choices are easier to make than others. Many are predicated on conditions like economics, compatibility, availability, and even personal preference.
Computer security is a lot like locking your car when you park. If you choose not to lock your car, you can't be surprised when you come back and it's gone or trashed. In the same sense, you can choose to keep your computer secure. By using the tools available to you, you can help create the most secure computing environment possible, or you can be unpleasantly surprised when you learn intruders have stolen the contents.
Some choices are easier than others. Security should be one of them.