The software-maker's dismal security record seems to have left it immune to criticism and shame.
On August 12th, one of my network administrator pals spent the day "dealing with the MSBlast worm." If you were like him, he e-mails raffishly, "...you probably spent a minimum of fifty dollars per PC on your time, the fruit-pickers' time, the users' time [and] stress counseling. Looks like I picked a fine day to give up amphetamines."
The work, ultimately, gave him a feeling of accomplishment.
But hold the phone.
"All was fine, until mid-day on September 10th, when Microsoft released Security Bulletin MS03-039," he continued.
The Blaster patch, it turns out, failed to fix at least three vulnerabilities in the same general part of Windows.
"Pop quiz: What are you going to do?"
"1. Install the patch for everyone and pray that nothing breaks? What about the next patch which will appear in a month when Microsoft -- or rather, the people who disassemble their code looking for bugs -- find two new vulnerabilities?
"2. Not install the patch and pray that if a virus strikes, your bosses will understand?"
He suggested three things, questions to be posed to employees of Microsoft should you bump into them.
First, depending on the number of networked PCs in an organization, "how many people does Microsoft recommend should be hired full-time to run round installing patches?"
Second, when Microsoft advertises that Windows yields the "lowest" total cost of ownership, how much of that amount factors in the cost of patching the system every week?
And third, "why does Microsoft rely on hackers and tiny security analysis firms to discover [these bugs] by reverse engineering?"
No one really expects any answers, do they?
You can't shame the shameless. And that's Microsoft.
Empty Posturing
Security Bulletin MS03-039 immediately resulted in the usual round of tut-tutting in the media.
"The news opens up corporate and home computers to the risk of a whole new round of attacks from computer viruses and deals a further blow to Microsoft's reputation for quality," wrote someone for the Financial Times. So novel; if you're a diligent keeper of news-clippings, you can read about how viruses going back to 1999 "dealt a blow" to the company's reputation.
No one cares. Microsoft has been conditioned to expect the same meaningless noise over and over, and it knows there are no real penalties that come with it.
Even those raising the official stink in this matter are phonies.
Take, for example, the House of Representatives Committee on Government Reform, subcommittee on "Technology, Information Policy, Intergovernmental Relations and the Census."
It was holding a hearing as news of MS03-039 arrived, a hearing in which a Microsoft flunky was testifying on how the company was just saying no to computer viruses and worms. Microsoft was toiling to strengthen its product but there could never be such a thing as "completely secure software."
Subcommittee chairman Adam Putnam (R-Florida) upbraided the Department of Justice over its performance in corralling virus-writers. Another congresswoman whined that August viruses had nearly shredded the House's e-mail system. The damage done by viruses was real, said another blowhard.
Inspiring, if empty, stuff. But you had to read it in the newspapers, because the committee's website, unlike the damage done by computer viruses, is not real. Displays on committee hearings and legislation are complete voids, as is the Contact page. One of its most recent news releases on "Federal agencies showing computer security weaknesses" dates from the end of June.
All this from a House forum allegedly devoted to making the information highway better, "to address weaknesses in security of ... computer systems and particularly the protection of information and data from the threat of cyber attacks."
"It's a piece of crap," commented Steve Aftergood of the Federation of American Scientists, a researcher very familiar with the oversight and public information efforts of Congress.
"It reflects the personality and priorities of the subcommittee chairman," Aftergood told me. It measures, in other words, how much the committee gives a damn.
"And they just don't. They don't make [any] effort," said Aftergood.
So, if they don't care, why should anyone?