Wednesday, December 27, 2006

Whole New Security Vista? There's a target painted on new Microsoft OS

"Hi-tech criminals are looking forward to the consumer release of Windows Vista, say security experts." BBC News. Why? Because it is presents new opportunities, new possibilities for abuse.

"What?" you say, "surely this is the 'most secure version of Windows yet.'" (As proclaimed by Microsoft.) According to the BBC article, if new features won't get you to upgrade to Vista, security enhancements should, according to the co-president of Microsoft's platform, products and services division, Jim Allchin,. Vista will still be worth getting, thanks to its better defenses against phishing attacks, spyware and other malicious code, Allchin told the BBC. "Safety and security is the overriding feature that most people will want to have Windows Vista for."

Unfortunately, lack of historical perspective is widespread in the marketing sector of the IT industry, and too often it spreads to the media that covers IT. Where are the articles that compare and contrast the claims for Vista with those made for Windows NT, which was also claimed to be the most secure version of Windows yet, as was XP Professional? (Notice a pattern here?)

Believe it or not, I have some sympathy for Microsoft at this point because it is faced with a three-pronged dilemma (and we all know those three-prongers can be painful). Here are the three in play at the moment:
  1. Claiming that something is the "most secure ever" is like painting a target on it. I recall arguing against the launch of a web security certification program back in about 1996 for this very reason. Hackers were big into defacing web pages at the time and locking down a site was pretty difficult with the tools available. So putting a "Certified Secure" sticker on the home page would have been a red rag to a herd of hackers.
  2. But Microsoft had to claim Vista was the most secure ever because there don't seem to be enough other new things in the OS to warrant paying the asking price for the upgrade.
  3. But Microsoft is a huge company and [IMHO] it is hard for huge companies to achieve excellence in anything, particularly where there are competing goals.

And writing secure code is a major case of competing goals. The whole thrust of computing over the last 25 years has been broader, faster, smoother access to data, often using cutting-edge tools. Security is all about tried and tested tools and roadblocks, not for the sheer joy of being obstreperous--for example, in the manner of Dilbert's 'Mordac the Preventer' character--but due to the classic dichotomies between "free & open" versus "safe & secure," and so on.

At the turn of the year it is always interesting to consider what the future holds. Will Vista be a boon or a boondoggle? Developments on the security front will likely be the deciding factor.
