(WARNING: long rant ahead; circa May 2004 - dates change, corporate behavior doesn't)

<rant topic="Microsoft" style="frustrated">

So it looks like the latest Microsoft security hole (get the patch if you're unfortunate enough to be responsible for a Windows box) is going to, once again (and again), wreak havoc on the entire Internet due to a nice combination of entirely clueless end-users and poorly-written, bug-ridden software in which security is a distant third to bells and whistles and time to market. This one affects every version of Windows since Win95 that hasn't been patched in the past two weeks. Oh, and for bonus points, the worm that exploits this hole attempts a DDoS of windowsupdate.com, effectively preventing any of the systems that might otherwise automatically patch themselves from doing so. It was about two weeks between the public announcement of this hole and the appearance of the worm to exploit it (which is about what I predicted; I also predicted, jokingly, that it would be especially evil if the worm DDoS'ed windowsupdate so that users couldn't patch. Maybe I should stop making predictions, or only make pleasant ones, or else start up my own prophecy business.)

For my next bold prophecy, I predict that Microsoft will suffer no damage whatsoever from this incident. There will be no lawsuits filed, no measurable loss of business, no public outcry (aside from the usual pundits on tech websites and the slashdot crowd), no demands that MS live up to their "Trustworthy Computing" marketing slogan. This corporation, with its vast market share and nearly complete saturation of the world's computer networks, has been so negligent for so long that the majority of computer users, whether business or personal, have been conditioned to think that this kind of experience is not only normal, but to be expected. Expectations have been so lowered by this pattern of behavior that bloated software full of security holes, released by a company in which security takes a backseat to bells and whistles (read: additional new "features" in every release which, rather than fixing the bugs in the previous release, only serve to introduce NEW problems and incompatibilities with previous versions - how else would MS get anyone to upgrade? It's certainly not for the bug fixes or security patches available in newer versions of their OS or apps), has become the norm for computer users and administrators. People think that this is the way computing is supposed to be, that having your servers raped and your network swamped with zombie traffic from the worm-of-the-week is just the way things are. They don't know to expect any better - and worse still, when someone tries to introduce a superior replacement for a Microsoft product (be it Linux, BSD, Apache, sendmail/exim/postfix, PostgreSQL, etc.), they are quickly pooh-poohed by those with a financial interest in maintaining the status quo, or else by so-called "system administrators" not worthy of the title, who can't function without a mouse, a point-and-click interface and installation wizards.

I realize that there is currently no desktop alternative to Microsoft (except possibly Apple, which has its own problems, price being chief among them) that's ready for prime-time (and by this, I mean ready to replace Windows and MS software, while maintaining compatibility with such, on the desktops of millions of AOL users and corporate drones who think THE INTARWEB consists of Outlook, Internet Explorer, Powerpoint/Excel/Word documents, and whatever trojan-ridden filesharing software they've managed to sneak onto their computer to create havoc for the MIS help desk this week).

That said, I would be happy if we could just eliminate Microsoft and their horrid software, which is a nightmare for administrators, from the server room. If we could relegate Windows and Windows software to the desktop, where it belongs (and occasionally, where it actually does a decent job), a very large portion of the problem would disappear. Anyone running any public-facing, unfiltered service on a Microsoft platform is just plain irresponsible. Especially if that service is httpd or smtpd. There just aren't any excuses for that anymore - MS Exchange and IIS (not to mention their client counterparts, Outlook and MSIE) have the worst track records of any software that performs their respective functions. Not only that, they cost a fortune, are terrible resource hogs, need to be rebooted at least weekly for stability, and are no longer the only options for ease-of-administration (why you'd want somebody administering your network who's so unskilled he/she can't manage without a mouse is a whole other rant, but anyway). There are now point-and-click GUIs for UNIX systems running server software like postfix and apache that have PROVEN track records with regards to not just security, but _correctness_ and ability to easily handle large loads with relatively few resources. All software has bugs - but many eyes make for fewer bugs, which is why most modern UNIX software (Linux, *BSD, apache, etc.) has fewer bugs, and when they're found, they're typically fixed promptly and publicly. Moreover, anybody can find such bugs, and patch them. No expensive development kit or NDA or license needed. Just time and a text editor.

I'm sure I will get many protests from MS supporters, people who think I'm being unfair, and those just playing devil's advocate. My generic response to all such objections is this: there are exceptions to every rule. IN GENERAL, the track record of Microsoft in client apps, server software and operating systems is abysmal; the really irritating part is, it shows little sign of improvement over time. This is an irresponsible attitude for a company whose software is in use on such a large percentage of network-connected devices (of course, it's irresponsible for governments and others who manage critical infrastructure to choose such an unreliable platform, but that's another rant). You may say "If {Linux|BSD|Apache|etc.} had the market penetration of Windows, we would be seeing worms for those systems instead." Sure we would - but I doubt very much that we would be seeing worms exploiting the SAME HOLES and classes of vulnerabilities (and I'm not talking about language/logic flaws like buffer overflows or stack smashing in a general sense) month after month, year after year. MS products are consistently vulnerable, time and again, to the exact same vulnerabilities they patched with the previous service pack, just located in a different section of their bloated code base. This happens because when a vulnerability or bug is disclosed, they don't do the right (and more expensive) thing, which is to scan the entire codebase for that app looking for every instance of that bug and patch them all. Instead, they merely patch that particular hole and move on. After all, paying engineers to pore over thousands of lines of code looking for bugs is time-consuming, and thus expensive. Who has time for fixing bugs when we're busy adding needless new "features" to the upcoming release of our OS/app? Thus, they wind up being hit again, with the same hole in a different location or app, over and over.

Take a look at the last ten Outlook worms to see what I'm talking about; the RPC DCOM hole is different from the usual, but also more destructive. That's the great thing about software for which the source code is freely available - holes can be found by anyone, true, but they can also be fixed by anyone. And frequently are.
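The distinction drawn above, between patching the one reported hole and sweeping the codebase for every other instance of the same bug class, is what is usually called variant analysis. The following is an added example, not code from the original post or from any vendor; the miniature "codebase" it scans is a constructed dictionary of C fragments, and the bug class is the classic family of unbounded string writes (strcpy, strcat, sprintf, gets). A regex sweep is a deliberately simple stand-in for real variant-analysis tooling, but it is enough to show how a point fix at the reported location leaves the same flaw standing in other modules:

```python
"""Variant analysis: fix the bug class, not just the reported instance.

Added example. SAMPLE_TREE is a constructed set of C fragments standing in
for a code base; the function names inside them (handle, process, ...) are
placeholders and are not meant to compile on their own.
"""
import re
from dataclasses import dataclass

# Constructed sample code base as {path: source}. The "reported bug" is the
# strcpy in rpc/handler.c; the same class of flaw also lives in two other
# modules, and one file already uses a bounded call.
SAMPLE_TREE = {
    "rpc/handler.c": """
        int handle(const char *req) {
            char buf[64];
            strcpy(buf, req);                    /* the reported bug */
            return process(buf);
        }
    """,
    "rpc/handler_v2.c": """
        int handle2(const char *req) {
            char buf[64];
            strncpy(buf, req, sizeof buf - 1);   /* already bounded */
            buf[sizeof buf - 1] = 0;
            return process(buf);
        }
    """,
    "ui/title.c": """
        void set_title(const char *name) {
            char title[32];
            sprintf(title, "Window: %s", name);  /* same class, other module */
        }
    """,
    "net/recv.c": """
        int recv_line(char *dst) {
            return gets(dst) != NULL;            /* same class again */
        }
    """,
}

# The bug class being swept for: unbounded writes into fixed-size buffers.
# Each entry maps the dangerous call to the bounded replacement to suggest.
UNBOUNDED_CALLS = {
    "strcpy": "strncpy/strlcpy with an explicit destination size",
    "strcat": "strncat/strlcat with an explicit destination size",
    "sprintf": "snprintf",
    "gets": "fgets",
}
# \b keeps "strncpy", "snprintf" and "fgets" from matching; \s*\( requires a call.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    func: str
    hint: str


def scan_source(path, source):
    """Return every call of a function in the bug class, with line numbers."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)  # ignore mentions inside comments
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            findings.append(Finding(path, lineno, func, UNBOUNDED_CALLS[func]))
    return findings


def scan_tree(tree):
    """Sweep the whole code base, in a stable path order."""
    findings = []
    for path in sorted(tree):
        findings.extend(scan_source(path, tree[path]))
    return findings


def point_fix_vs_class_fix(tree, reported_path):
    """Contrast patching only the reported file with sweeping the bug class."""
    all_findings = scan_tree(tree)
    point_fix = [f for f in all_findings if f.path == reported_path]
    missed = [f"{f.path}:{f.line}" for f in all_findings if f.path != reported_path]
    return {
        "point_fix_covers": len(point_fix),
        "class_fix_covers": len(all_findings),
        "missed_by_point_fix": missed,
    }


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line}: {f.func}() -> replace with {f.hint}")
    print(point_fix_vs_class_fix(SAMPLE_TREE, "rpc/handler.c"))
```

Run stand-alone, the sweep reports three findings across three files, while a fix confined to the reported file covers only one of them. In a real code base the pattern list would come from the root cause of the disclosed bug and the matcher would be a parser-aware tool rather than a regex, but the remediation question is the same: which other call sites share the flaw that was just reported.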

There is no longer any excuse for running Microsoft in the server arena (with the possible exception of Outlook's calendaring functionality, which will soon be available in a work-alike free software product for UNIX systems). The sooner businesses realize that running Microsoft software is _the_ main factor in rising IT costs (not to mention liability for business and customer data), the better off we will all be. Microsoft is hardly the only vendor out there putting profits ahead of security, but they're certainly the most egregious offender. And their market saturation means that a small mistake from them costs the rest of us dearly.

It is certainly possible to produce secure software that is still functional (take a look at the OpenBSD project if you don't think so) - Microsoft just doesn't care to. Their attitude is unlikely to change until it starts losing them money.

Additional food for thought (or for the CFO):


Summary:

</rant>