Vmyths.com



Truth About Computer Security Hysteria

Because the Pentagon & the mass market don't care, that's why!

Rob Rosenberger, Vmyths co-founder
Friday, 24 August 2001


WHY DOESN'T MICROSOFT sell a secure operating system?  
  Because the Fortune 500 and the U.S. government keep demanding functionality with little or no regard to security. When they want to secure their Microsoft operating systems, they turn to third-party security vendors.
Okay then, why does Windows need so many security updates?  
  The folks in Redmond publish very few security updates compared to antivirus firms.
That's not a fair comparison!  
  Yes it is, but I'll give you a different comparison anyway. The folks in Redmond publish about as many security updates for Windows as security firms publish for anti-hacking products.
Look, I just want to install a secure operating system on my computer and be done with it.  
  Then install OpenBSD. It's free, it's powerful, it's feature-rich, it's easy to install, its slogan is "four years without a remote hole in the default install," and you can easily duplicate the power & functionality of the entire Microsoft Office suite.
I need professional product support.  
  Then go down to the nearest business supply store and buy Red Hat Linux. It comes with better support than Microsoft provides for Windows.
I don't want to switch from what I've grown accustomed to.  
  Aha! Now the real issue comes to light — you'll only settle for a secure Microsoft operating system.
Yes! Exactly.  
  Then buy third-party security products & services like everyone else. A hardware firewall with a built-in hub goes for a couple of hundred bucks. Antivirus "update subscriptions" cost very little. If you're lazy, you can subscribe to an MX-record email scanning service with a 100% virus detection guarantee. If you're really lazy, you can ask a firm to regularly test your network for security flaws. You don't need to lift a finger for security if you pay the right price.
But I don't want to spend the extra bucks.  
  Hmmm. Did I mention OpenBSD?
Yeah. Did I mention I don't want to switch from what I've grown accustomed to? I want a Microsoft operating system to come out of the box, at no extra charge, with the same kind of security as OpenBSD.  
  You did take an economics class with me in high school, right?
Yes, and this is simple economics. I'm the one with the wallet.  
  You said you didn't want to spend the extra bucks! You can't motivate Bill Gates with an empty wallet.
My wallet isn't empty. I'm just going to withhold money from Microsoft.  
  How do you plan to do it? Every computer you've ever bought came pre-installed with an unsecured Microsoft operating system.
I won't let my firm buy any more copies of Microsoft Office. I'll tell our CIO to ban it as a security risk.  
  Stop deluding yourself with shallow thinking. You might as well forbid email attachments while you're at it. Go on, tell the CIO to ban them, too.
I thought about banning email attachments for security reasons, you know.  
  Security doesn't yet concern your employees enough to change their computing habits, and they don't want to switch from what they've grown accustomed to. They'll install pirated copies if you ban Microsoft Office — and they'll use Hotmail accounts to send & receive files if you ban attachments.
Exactly. I need to protect them from themselves. But I don't want to pay for it. I think Microsoft has an obligation to protect its customers from others who compute recklessly.  
  You gotta stop deluding yourself. Chevrolet has no obligation to protect its customers from others who drive recklessly, and Microsoft has no obligation to protect its customers from others who compute recklessly.
Chevrolet can't stop others from driving recklessly, but they do install safety devices in their cars to protect customers when accidents occur.  
  They do now, you mean. It took decades of horrible deaths before governments around the world mandated safety devices for automobile occupants.
Well, then, I think governments should force Microsoft to sell secure operating systems.  
  Even our paranoid U.S. military doesn't care enough to demand a secure operating system — and they're one of Microsoft's biggest clients. Computer security doesn't yet influence Pentagon spending habits, let alone the mass market's spending habits. Why do you think governments should mandate it?
Governments should mandate operating system security because it is important!  
  I told you to stop deluding yourself. You don't want to spend the money, nor do you want to spend the effort, to secure your operating system. You and the U.S. military just want it to magically happen. Face it: computer security is not that important to you.
Well, what about you, Mr. Smarty Pants? Why don't you switch to a secure operating system?  
  My computers are secure. I started using Microsoft operating systems in 1985, and I upgraded to all the major versions since then, yet I never suffered from a virus or worm or Trojan in all those years. It'd take a serious case of road rage to knock me off the information superhighway.
That's because you're a virus expert. The world expects you to be secure from the average reckless computer user.  
  Being an expert has nothing to do with it. You don't hear about secretaries spreading Sircam at Symantec, do you? You don't hear about secretaries spreading SubSeven at Sophos, do you? Those non-experts prefer Microsoft operating systems, yet their choice doesn't seem to contribute to global security problems. It'd take a serious case of road rage to knock a Symantec secretary off the information superhighway.
Yeah, but those firms would suffer horrible notoriety if they screwed up. The secretary who lets it happen might even get fired as a result.  
  Oh, I agree! Computer security firms pay dearly for any lax security. But society at large doesn't hold people accountable for their reckless computing. The mass market will demand a secure operating system only when they begin to pay for their recklessness.
And then they'll all switch to OpenBSD.  
  No, they won't. The mass market doesn't want to switch from what they've grown accustomed to. They'll just start securing Microsoft operating systems like the antivirus vendors do.
It'll never work. The users at my firm aren't as smart as antivirus experts.  
  Oh, I'll agree with you on that point...