I thought a couple of responses would be a good springboard for a discussion on how I approach the topics I write about. It also gives me an opportunity to further the conversation about our obligation to make security our first priority.
Please remember, every column I write is first, and foremost, my own opinion and not necessarily that of anyone else. I have a limited amount of space to convey a single concept, and support it. Using the most pertinent data available, I want to reach the widest possible audience. Sometimes this means I have to leave out more technical arguments that may carry more weight but are less accessible.
I am primarily interested in getting people to think about a specific security situation. Then I'd like to find a way to make an impact on those around us in respect to the problem, whether it is practicing safer Internet habits, or educating those within our influence to be more aware of the threats that confront them from the networked world.
It is up to us to vote with our wallets regarding vendors who don't get the security issue. Do not recommend the purchase of a product you believe is insecure, simply because it costs less money up front. The cost to the bottom line will be far greater when measured in the intangible terms of insecure systems.
One thing that really struck a nerve with most readers is that Microsoft has an obligation to take security seriously from the very foundations of the operating system to the implementation of their application software, such as MSSql, Office, and IIS. It may be accurate to say that other software manufacturers are beset with security problems, but it isn't that relevant. No other organization takes such a cavalier attitude as Microsoft exhibits on so many fronts.
However, the responsibility for computer security does not solely reside with the manufacturers of computer software. We know we do not live in a perfect world. No matter what type of emphasis is placed on eliminating code vulnerabilities, unexpected things happen. Hackers use protocols in ways they weren't designed for, to gain an advantage. Some things cannot be protected against.
As consumers of these products, whether as corporate buyers, system administrators or end users, we have to recognize and acknowledge this.
We are all end users in some fashion. All of us have an obligation to security. We must bear the responsibility for our own systems and the software packages we run. There are going to be vulnerabilities and there are going to be exploits, regardless of the software we choose. It is incumbent upon us to protect ourselves from these risks to the best of our ability.
I can hear you now saying things like, "I don't have time to read all those mailing lists, and besides it's all techno-speak I don't understand about stuff I can't relate to." Or maybe you're saying, "I have a systems administrator who's supposed to take care of all of that."
For all of you thinking these thoughts, I have two words: autoupdate.
Apple has the Software Update function that can be configured to check automatically for updates to all of the Apple software installed on your system. Both Windows 2000 and Windows XP have automatic update features that will download and install all software updates if you choose.
If you're reading this article and you're running hardware that doesn't support anything later than WinNT, and you have that machine connected to the Internet, please do yourself a favor and spring for the right tools.
Running Windows 98(SE) on the Internet is like riding a Vespa on the Pacific Coast Highway. You'll get where you're going, but you're likely to get run over doing so. What you save in costs for upgrading you pay for in the risks you take with your identity, your data, and your privacy. If you're dealing in corporate assets, the risks you take in liability far outweigh any argument you can make for economics.
Now, if you're reading this and you're running Linux (or any of the other *nix, as they say), you bought the erector set. You get to put it together. You have choices from swup to RPMs that help you collect the latest fixes and compile and install them. You can subscribe to mailing lists associated with your specific flavor of Linux to stay informed.
With a lot of freedom comes a lot of responsibility. You, my friend, have stepped up to the plate, and now, must shoulder the clue-bat.
We all have choices about what we use for computing resources.
Hardware can range from entry level, mass-produced equipment for every desktop, to one-of-a-kind, application-specific systems. For most of us, software comes in three forms -- Mac, Win and Lin.
More and more software vendors have all three platforms covered, and make every effort to keep security patches up to date. They've done their job by releasing patches for vulnerabilities. We have to do our job by installing them. Automated update packages make it that much simpler.
Some choices are easier to make than others. Many are predicated on conditions like economics, compatibility, availability, and even personal preference.
Computer security is a lot like locking your car when you park. If you choose not to lock your car, you can't be surprised when you come back and it's gone or trashed. In the same sense, you can choose to keep your computer secure. By using the tools available to you, you can help create the most secure computing environment possible, or you can be unpleasantly surprised when you learn intruders have stolen the contents.
Some choices are easier than others. Security should be one of them.