I think this article has it all sidewards. The problem is not *old* software, it's *badly designed* software and operating environments.

Given current operating systems' lack of serious protection mechanisms -- although Unix-style "user ids" and "chroot" help a lot (and Java's sandboxing helps some) -- it is *very* important to separate the inside of ones computing environment from what's outside of it. In the real world, we don't let our kids play in the street, nor do we open our living room to the shopping mall traffic: we have walls and doors (and even alarms) to enforce it. Yet modern software is more and more "integrating" one's personal computer with the Internet -- tearing down the walls, so to speak -- and then we wonder why the upsurge of worms and viruses.

Because of this, and contrary to the premise of this article, old software can easily be *more* secure than new, since it doesn't have the features which might have the flaws which can be exploited. For example, if most people used email clients that were text-only, or perhaps with minimal HTML (i.e., only "safe" tags like , and maybe ), and certainly *without* any kind of "click-here-to-execute" ability, would any email-spread viruses or worms have caused so much damage? Looking back, would people and businesses have found the lack of coolness an acceptable tradeoff?

But the larger issue is not so much "new" vs "old" products as callow vs mature judgement. Years ago, automobiles were sold solely on the basis of their chrome, tailfins, two-tone paint jobs, test-bench horsepower and newness. Now we realize that handling, braking, occupant protection and durability are equally, if not more, important. We must start designing and evaluating software by analogous criteria.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/217/24744#24744