Bill gets religion

Though Bill Gates has announced a new security initiative for his programmers, it doesn't mean Microsoft products will get any safer. Wayne Rash explores the alternatives.
Written by Wayne Rash, Contributor
And thus it was said that the great Bill, having ascended the mountain to contemplate, did return to tell all those about in the land a great truth. And the truth was security. He said that the teams of scribes of Microsoft should not write again without minding security. Thus informed, the scribes returned to their labors, newly infused with those great teachings, and all was well with the world.

Well, OK, maybe not. While it was refreshing when Microsoft Chairman Bill Gates announced that Microsoft would make security a priority, that didn't actually mean that anything had changed. Worse, it's no sure thing that anything will ever change, at least in a meaningful manner. In fact, the only real change is that Gates has finally realized that the many Microsoft security problems are beginning to cut into potential sales.

Microsoft's security problems have become the stuff of legend. It's no longer a question of whether the next virus will target Microsoft's e-mail clients, but rather when, how badly, and by what means. It's not an issue whether there will be a worm that affects IIS, but rather, in what manner it will arrive. You don't have to ask whether there will be another security update for Windows when you run your weekly Windows Update application, but rather how many updates there will be.

So it's no wonder that companies are looking elsewhere for their server software and some applications. In fact, it's the very applications that Microsoft wants to be part of its Internet strategy that seem to suffer the worst.

Windows NT Server and Windows 2000 Server are good examples of Microsoft's security woes. Both have the potential to be excellent server platforms, but both were shipped with vast security lapses that were fixed only incrementally. While the fixes were eventually delivered, each of these critical updates required that the server be taken offline, the patch installed, and the server rebooted. Sure, it only takes a few minutes, but you have to do it for each server that runs one of these operating systems, meaning that your servers are offline a meaningful amount of time each month. Other server operating systems, from NetWare to Linux, don't require such downtime, because they rarely need such updates.

Likewise, Microsoft's Web server software and its e-mail software suffer from similar problems. Internet Information Server was listed by both the SANS Institute and the FBI as last year's biggest Internet security vulnerability. Outlook seems to be a virus and worm magnet.

At least with those applications, you can run something besides Microsoft's software. There's a version of Apache for Windows, and if you want to be even more secure, a version for Linux (meaning you'll have to also run Linux, not a bad thing for stability). There are any number of corporate e-mail packages out there, ranging from Lotus Notes and GroupWise to Eudora. All those packages work at least as well as Outlook (with or without Exchange) and don't have the vulnerabilities. Of course, none of these products is impossible to hack. But they're all designed for better security than what Microsoft had in mind. Notes, for example, encrypts everything, and that, combined with the fact that much of Notes is probably beyond human knowledge, helps there. GroupWise is designed to be very secure, and security is something that Novell understands much better than Microsoft. In short, it's not that these products couldn't have a worm that targeted them, it's that it would be much more difficult. From a hacker's perspective, why expend the effort when Microsoft's products are open and inviting on every machine?

So while it's nice to know that Microsoft may start doing better with security sometime in the future, your needs are probably now. This means that as nice as Bill Gates' revelations might be, they're pretty irrelevant to you right now. So protect yourself responsibly by avoiding what is now avowed by Gates himself to be less than stellar security in Microsoft's products. Use products that work as well, cost no more, and don't have holes. Then it won't matter if Microsoft ever solves its problems.
