Like a bad horror flick sequel, the argument keeps getting dredged up, propped into position, and sent out on its merry way to cause senseless death and destruction. The initial arguments of 'My OS is better than your OS' were bad - now they're just getting ludicrous. And, much like the junk that Hollywood churns out to continue movie franchises that never should have made it past the first movie, the battle just moves to more unbelievable territory.
The Linux Camp will have you believe that Linux, by default, by design, by golly, is more secure. It's not subject to worms, virus attack, Act of God, or bad hair days. If you mess it up - it's your fault. Now, that's a way to win friends and influence people. But, we're going to get to that - it's an endemic problem.
Similarly, the Windows Camp would have you believe that Windows is now 'Secure by Default', is a strong contender in the secure OS arena, and is just the victim of bad publicity by folks that just don't like the idea that a publicly held company wants to protect its intellectual property to make money. I really hate it when capitalism and the American Way creates a roadblock to progress.
Two articles, point and counter-point, (I wonder if these folks will get sued by 60 Minutes? I mean, why not? I'm sure that 60 Minutes is just as litigious as the rest of America, and it just seems chic these days to sue a computer company or computer people in general.) present good arguments either way.
One proposes that Microsoft's Windows is a festering pool of code, waiting to be infected by worms, viruses, demons, and should be spewing pea soup anytime soon. The other defends the Windows OS by proposing that Windows is not the only OS that has issues with exploits and exposures - in fact, Linux has 3 to 5 times the number of vulnerabilities as Windows. In both articles, the browser seems to come under direct fire, and rightly so. IE (Internet Exploder) in this corner, Mozilla (Bugzilla) in this corner. Freddy vs. Jason...
All in all, the articles present compelling evidence that, regardless of which OS you choose, it's probably a good idea to be security aware. Wow - like this is some kind of earth-shaking revelation. Anyone who has spent more than 3 days supporting an OS in a business setting is aware of this. It's like watching that horror flick and really being surprised that the villain has to be killed 5 different times at the end of the film just so the one lone heroine can walk proudly (though drenched head to foot in water, mud, blood, etc) out of the house at dawn. Yawn.
The mantra that Microsoft put out as the initial rally cry, even in advance of the now famous Bill Gates memo on the 'Trusted Computing Initiative', is 'Get Secure, Stay Secure'. I've been critical of this particular stance in light of the fact that illegal software cannot be patched in the primary methods that Microsoft proposes to make the task easier, but the stance of getting and staying secure is a correct one. The challenge is how do you get all of those 600 million copies of Windows secure? And, to that same point, how does one keep those uncounted numbers of Linux secure? Again, putting on the OS agnostic hat, an insecure system is an attack platform just waiting for the launch orders to be given.
Should all computers have a smart card reader (non-removable - unless, however, you don't mind destroying the system) attached - and the OSs made aware of the requirement and refuse to work if a valid smart card is not available? Think about it - if a smart card is REQUIRED to operate the PC, then we can start treating this like a Driver's Exam. Show us that you can Safely and Securely operate your PC, and that you know HOW to update the system - then a smart card will be issued to you. If you go out of security compliance, or you operate your PC in a manner which harms others - Zap! Certificate revoked, thanks for playing.
Yes, I know - literally impossible to implement. Plus, the technical challenges are far from trivial, or even manageable. It's also impossible to enforce. If I can't get Porn Mongers out of my Library, how the heck am I ever going to convince anyone that 'Certified Computer Operator' is a good idea?
So, barring this - let's just blame the OS. Clearly the OS must be the problem. Obviously, the code is faulty (and, yes - in some cases it is - I've said this before, Get over it. People write code. People err. Any questions?). I'd suggest a different tack. Stop blaming the OSs and start attacking the real problem. Educate People. Last I checked, someone still had to set up and operate the computer. Or, did I really miss something, and the machines have taken over and I just haven't been put into my little pod in the 'energy collection tower'?
I guess if that happens, the fight over the OS is going to end. It's about time.
Rick Kingslan
Microsoft MVP - Active Directory
Posted Oct 16 2003, 05:11 AM by rickking