Site Search


Monday, 12 May 2008

Microsoft and security.

Don't laugh please at the back. I know that those are two words that do not go together in any meaningful way.

Still, for we Linux users it is amusing watching Microsoft (MS) continue to plug security holes in their
Operating Systems (OS) commonly known as Windows. As well as these security hole plugs they are doing other things in an effort to secure their OS's in other way, such as separating the administrator user from a normal user (something we Linux platform users have been doing for years) and trying desperately to ensure every system user abides by this rule. Sure WindowsXP had this option 7 or 8 years ago but with that particular OS it was easier for the user to by pass this and make their everyday user an administrator too. The users did this because they found entering their administrator password was a chore they were best without. Plus it stopped various programs, and the OS itself, from putting up nagging requesters which said things like "you do not have the privileges to do this operation" and other such.

According to this msn blog post IE8 will finally attempt to address the gaping security weakness called ActiveX. Not before time either. ActiveX is a known exploitable hole in MS's flagship browser that has seen many Windows users systems compromised many times. They apparently are going to do with ActiveX controls what Firefox has been doing for years. Firefox needs to do it because the userlaying OS it was created for, Linux, demands it works that way. MS browsers on the other hand are created for an OS platform that was built upon a single user system. Bolt on after bolt on after bolt on until the system is a mishmash of separate entities glued together, and only slightly held together at that, by the kernel.

MS have not been innovative in the OS arena ever. They have copied other OS's best features, rehashed it, so it sits within the OS, and inexplicably created security holes whilst doing so. Windows 95 was the "most secure Windows ever". Windows 2000 was the "most secure Windows ever", Windows Vista is the "most secure Windows ever" and so it goes, but in fact each incarnation of Windows while being more secure than the previous version were in fact as weak on security in reality than just about every alternative OS platform available.

MS tells its users, those unaware that alternatives exist or if they know alternatives exist then MS creates Fear, Uncertainty and Doubt (FUD) about that OS so that in the minds of those users MS Windows is secure, that Windows innovates in this area and that area when in reality they have never innovated on anything. Multiple users was not MS's idea. Fancy graphical displays, Aero, was not MS's idea. Securely encryped file systems was not MS's idea and so on.

99% of all viri are spread via MS's OS's. 94% of all spam emails originate via MS's OS's and so on. These are not my figures but figures provided by people who depend on this continuing so they can sell their product "to protect the customer" and other such rubbish. The real truth is that if MS's made their OS's secure in the first place, which they will never do because other software houses depend on Windows being insecure, there would be no need for these software houses product at all. MS had the chance to create from scratch a new OS with security as the foremost requirement after WindowsXP came out. It took them 7 years to create a new OS that was really just WindowsXP with a shiny new interface (Aero) and within those 7 years they paid mere lip service to security. Sure Vista is ever so slightly more secure than previous MS OS's but it did not go nearly far enough. It had the chance and it blew it. Now, with users more aware of the security threats out there that target MS systems MS are falling from grace. Sure they still dominate the OS market but that dominance is being attacked on all sides from alternative OS's that are secure at their very core. Another thing is that in their efforts to make the user aware of things happening on their systems they throw up requester warnings time and time and time again to the point of annoyance. This 'feature' can be turned off and most all savvy users do so but that in itself creates yet another security hole in the making.

MS flagship OS may not go away tomorrow but it is on the decline and it will stay on the decline until such a time as MS get rid of the current code base and start from scratch with a totally new OS that starts with security and builds on that. Even then I am not convinced MS will totally halt, let alone reverse, the current decline. Time will tell on that.

For what it is worth in this blog post I have been a Linux user since 1991 and in that time I have seen it grow and grow with real innovation after innovation but, and it hurts me to say this, I do not honestly think the Linux OS's are ready for prime time, even with the likes of Ubuntu suite of OS's and (open)SuSe creating a GUI that everyones grandmother could use. Well, the Linux OS's may be ready for prime time but I am not sure the (ex-)Windows users are ready for the Linux OS's simply because of how Linux works. In this i am thinking of the need to have a root user and a totally seperate user for everyday tasks. MS are trying to get Windows users to work in this manner without much success from what I have seen so I cannot see them liking how the Linux OS's do things even if, like Ubuntu and friends, they start abusing the sudo command. Sure, a relatively new thing called PolicyKit is gaining traction that alleviates things in this area so again, time will tell.

No comments: