Bugtraq mailing list archives

Re: Microsoft and Security


From: Radoslav Dejanović <radoslav.dejanovic () opsus hr>
Date: Sat, 26 Jun 2004 10:21:00 +0200

On Friday 25 June 2004 20:53, http-equiv () excite com wrote:
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect.  This is unacceptable.  Someone must
> be held accountable.

Although I do agree on most of your words, I hardly find this list 
appropriate for such rants. You're talking to people who already know 
this, and do not forget that Microsoft doesn't play the security game like 
Open Source people do. It is two different worlds, really. While OS people 
might just sit down, write a patch and publish it, MS people would have to 
write a patch, submit it to QA, see that it doesn't break something else, 
see that it doesn't make the end-user experience less comfortable, and 
only then release it to the public (takes time, doesn't it?).

The latter is a really good discussion point: while OS people in most cases 
do care about making end-users' lives easier, in cases like that it is 
always a "shut up and patch up" stance coming from OS developers, which does 
turn some end-users away from using OS software, but improves overall 
security. However, MS would think twice if they had to do something that 
would make end-users uneasy because it would force them to change the way 
they work with their computers - XP Service Pack 2, if it is true that it 
might break a lot of existing applications due to severe changes in the 
kernel, is a good example. Customer satisfaction plays a great role for MS 
(this is just how it should be in any business), but it seems that they're 
willing to sacrifice a lot to keep customers believing they're using the most 
comfortable software in this part of the Universe. 

Technically, it wouldn't be too hard to take a very few steps that could 
eradicate the worms/viruses issue as it is present today: if MS would stop 
shipping MSIE and OE to force people to use third party software, and if 
they disabled some of the features of the scripting language used in MS Office, 
they would disintegrate this monoculture and provide harsh ground for new 
malware. It isn't so hard to do, but there's this question of end-user 
experience. People do love to have all those nifty features, although they 
use 10-20% of them (but "let it just sit there, you never know..."); take 
most of those unneeded features away, and your customer satisfaction starts 
to slip. They might be more secure, but they wouldn't like it. End-users, 
that is. You have to keep them happy, in one way or another. 
Now, why MS failed to fix this problem is beyond my comprehension, but it 
isn't the first time it took them a lot of time to provide a fix. However, it 
seems that this doesn't hurt their sales. This might be because all that 
customers care about is whether they can do something with some tool, not how 
secure (and reliable) it is. If it weren't that way, we would talk about 
the majority of people using Linux or MacOS and OpenOffice, wouldn't we?

Ah, and apropos your accountability question - haven't you read your 
EULA? ;-)


-- 
Radoslav Dejanović
founder and director
Operacijski sustavi d.o.o.
http://www.opsus.hr