Does Microsoft Give a Damn?
George Smith, 2003-09-15

The software-maker's dismal security record seems to have left it immune to criticism and shame.

On August 12th, one of my network administrator pals spent the day "dealing with the MSBlast worm."

If you were like him, he e-mails raffishly, "...you probably spent a minimum of fifty dollars per PC on your time, the fruit-pickers' time, the users' time [and] stress counseling. Looks like I picked a fine day to give up amphetamines."

The work, ultimately, gave him a feeling of accomplishment.

But hold the phone.

"All was fine, until mid-day on September 10th, when Microsoft released Security Bulletin MS03-039," he continued.

The Blaster patch, it turns out, failed to fix at least three vulnerabilities in the same general part of Windows.

"Pop quiz: What are you going to do?"

"1. Install the patch for everyone and pray that nothing breaks? What about the next patch which will appear in a month when Microsoft -- or rather, the people who disassemble their code looking for bugs -- find two new vulnerabilities?

"2. Not install the patch and pray that if a virus strikes, your bosses will understand?"

He suggested three things, questions to be posed to employees of Microsoft should you bump into them.

First, depending on the number of networked PCs in an organization, "how many people does Microsoft recommend should be hired full-time to run round installing patches?"

Second, when Microsoft advertises that Windows yields the "lowest" total cost of ownership, how much of that amount factors in the cost of patching the system every week?

And third, "why does Microsoft rely on hackers and tiny security analysis firms to discover [these bugs] by reverse engineering?"

No one really expects any answers, do they?

You can't shame the shameless. And that's Microsoft.

Empty Posturing
Security Bulletin MS03-039 immediately resulted in the usual round of tut-tutting in the media.

"The news opens up corporate and home computers to the risk of a whole new round of attacks from computer viruses and deals a further blow to Microsoft's reputation for quality," wrote someone for the Financial Times. So novel: if you're a diligent keeper of news-clippings, you can read about how viruses going back to 1999 "dealt a blow" to the company's reputation.

No one cares. Microsoft has been conditioned to expect the same meaningless noise over and over, and it knows there are no real penalties that come with it.

Even those raising the official stink in this matter are phonies.

Take, for example, the House of Representatives Committee on Government Reform, subcommittee on "Technology, Information Policy, Intergovernmental Relations and the Census."

It was holding a hearing as news of MS03-039 arrived, a hearing in which a Microsoft flunky was testifying on how the company was just saying no to computer viruses and worms. Microsoft was toiling to strengthen its product but there could never be such a thing as "completely secure software."

Subcommittee chairman Adam Putnam (R-Florida) upbraided the Department of Justice over its performance in corralling virus-writers. Another congresswoman whined that August viruses had nearly shredded the House's e-mail system. The damage done by viruses was real, said another blowhard.

Inspiring, if empty, stuff. But you had to read it in the newspapers, because the committee's website, unlike the damage done by computer viruses, is not real. Displays on committee hearings and legislation are complete voids, as is the Contact page. One of its most recent news releases on "Federal agencies showing computer security weaknesses" dates from the end of June.

All this from a House forum allegedly devoted to making the information highway better, "to address weaknesses in security of ... computer systems and particularly the protection of information and data from the threat of cyber attacks."

"It's a piece of crap," commented Steve Aftergood of the Federation of American Scientists, a researcher very familiar with the oversight and public information efforts of Congress.

"It reflects the personality and priorities of the subcommittee chairman," Aftergood told me. It measures, in other words, how much the committee gives a damn.

"And they just don't. They don't make [any] effort," said Aftergood.

So, if they don't care, why should anyone?


George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.


 

Copyright 2010, SecurityFocus