What's really wrong with PC "security"

What's really wrong with PC "security"

Summary: Why do Wintel people defend the indefensible while spending billions on reactive "security" that never solves the problem? Stockholm Syndrome describes the behavior, and it's not hard to see who's captive to whom there.

SHARE:

It's nightmare time! Ready?

Ok: you're among millions of people lined up along an endless cliff looking down a thousand feet to raging waters and black rocks. The crowd surges, you barely cling to the edge as clouds of your fellows scream all the way down -and now you see people selling parachutes but just as you get one, the scene changes. You're on a beach with an incoming tsunami only a few hundred yards off shore. Again, you survive, barely; but the beach is covered with those who got tangled in their parachute harnesses and drowned - and now you see people selling floats but just as you get yours, the scene changes. You're on dry grassland, and through choking smoke you see wind borne flames sweeping toward you.

Wake up! that's the Windows security business as seen from the customer perspective: everything's reactive; awareness follows disaster, and retroactive remediation just increases the burdens you carry into the next failure.

Now look at it from the seller side: somebody creates a cliff and after enough people fall, you get a sellers market for parachutes; somebody creates a tsunami, you get a seller's market for life preservers; somebody creates a grass fire, you get to sell smoke scrubbers in volume.

So why do customers put up with this when Unix on SPARC or PPC offers near total immunity to all of it and even Mactel and Lintel, despite their reliance on x86, offer much more difficult targets to attackers?

Some contributing reasons are obvious: for example the moral hazard imposed on IT staff by asking people whose jobs depend on the employer's continued vulnerability to develop effective counter-measures has to be a factor - and, similarly, the typical executive assumption that computers are career killing tarpits of cost increases, public failure, and unmet expectations combines nicely with the fear of social contamination by nerdish thinking they learnt as high school's pretty party people to explain why so many leave foxes in charge of the IT hen house.

By themselves, however, these are partial, and insufficient, explanations. Overall, the industry's behavior is so utterly irrational that something more is needed - and I have a candidate: Stockholm Syndrome.

Held for long enough, or under sufficiently brutal conditions, kidnap victims start to identify with their abusers - and will often continue to defend the criminals involved long after they've been physically freed.

Thus this blog post will draw angry responses from Wintel people who will maintain worms and viruses are simply nickel and dime costs of doing business, a testimonial to the market success of their favorite architecture - and that the only reason these kinds of attacks don't pose much of a problem in the Unix community is that there simply aren't enough Unix targets to bother with.

In reality, the cost of the Windows Security illusion runs into the tens of billions of dollars per year; millions of individuals have suffered significant harm from individual attacks; companies exposing confidential data to attackers have been driven out of business; major government organizations, from the U.S. Air Force to The British National Health, have suffered embarrassing shutdowns and losses - and it's all an unending testimonial to the many points of failure built into the Wintel architecture

Stockholm Syndrome describes the relentless focus on after the fact reactivity - I mean, sure some people defend the PC security industry because their jobs depend on it; and, yes, many bosses look the other way because they lack courage or commitment, but the real bottom line is that the industry's behavior looks like Stockholm Syndrome writ large: a long term, deeply emotional, and utterly irrational continuing defense of the indefensible.

Topics: PCs, Hardware, Malware, Operating Systems, Processors, Security, Software, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • Explaining IT behavior, what we're missing

    Just a guess but I think it has a lot to do with what you've talked about
    earlier, the social dimension to all of this. I would add that there's a
    cultural factor.

    Having been a part of the Windows world (where I occasionally visit), I
    can say that from the developer's perspective Windows often seems
    like the ideal platform. Microsoft in the past has marketed to
    developers aggressively and won their allegiance by creating an
    environment where they could build and tinker in a friendly, inviting
    environment, and ultimately build things that make them some
    money. It didn't matter how educated you were. Developers in the
    ecosystem run the gamut from hobbyists-turned-developers to
    people with Ph.D.'s. It didn't matter. You could get something done
    that would interest somebody. Other developers differed, but they
    were seen as being in a different camp that had values antithetical to
    yours. Windows developers saw themselves as a part of a vast sea, a
    large world in which they could exist, do some interesting things,
    meet some interesting people, and make a living. I used to defend
    Windows aggressively for this reason.

    My mind had been fashioned after years of existing in, practically
    growing up in, the commercial computing culture into believing that I
    had to pick sides. If I wanted certain qualities in my programming
    experience I had to pick Vendor A's product over Vendor B's. And of
    course I recognized that this would close some doors and open others
    in terms of what kinds of work I could do, and what technologies I'd
    interact with. I accepted this. If Windows suffered from vulnerabilities
    I'd try to help to find ways to make it more secure.

    I grew up with microcomputers/personal computers/PCs. I liked that
    modality. I knew the history of this modality, and that IBM's and
    Microsoft's approach had won out. I figured this had happened for
    good reason, and when most other microcomputer platforms fell
    away, I adopted the PC. I came to like Unix as well, due to my college
    experience, but I liked PCs more. They felt like computers that existed
    on a human scale, accessible, rather than something that had to be
    locked up in a room with restricted access privileges. They were
    things I could interact with on my own terms. So I had an aversion to
    anything that smacked of distancing technology from the user. The
    idea of bringing that modality into my work felt good. When I first got
    into the work world I didn't think much about the security concerns. If
    I heard about a viral/worm infection I blamed the guy who wrote it,
    not the PC. Interestingly, I experienced a time when Unix was
    considered just as vulnerable as Windows: the late 1980s and the
    Morris Worm. I was a freshman in college when that happened and I
    remember what it did to the university systems, and to the internet at
    large. I heard the complaint frequently "Unix security is an oxymoron".
    That was a different time. Unix security improved. In my mind though
    there really wasn't that much difference between PC security and Unix
    security, because i had seen both get attacked.

    What changed my mind was a culture shock. I had the experience of
    watching someone demonstrate a platform that was beyond my
    imagination in terms of what programming could be. It brought back
    old desires, ones I had forgotten from when I entered college 20 years
    ago. I realized I had to change my world view to understand what I
    saw, and so that's what I did. I chose to enter and learn about a new
    culture. It was not a switch in loyalties from Microsoft to open source,
    though now I like open source better than I used to. That wasn't the
    decision. The decision was to embrace a spirit of exploring and
    learning sophisticated ideas, to become more educated. This came
    about from a realization that only by doing that could I fulfill what I
    desired from the work I believe in doing. From that flowed an
    appreciation for good architecture, ideas that are well thought out,
    not cobbled together from spare parts, using a subsistence mentality.

    Having gone through this, I'm able to see better what you're getting at.
    Having said that, while I can see that Unix is a better platform for
    scalability, adaptability, and security, and perhaps user empowerment,
    I see ways in which it could be improved. I think some of the criticisms
    that have been leveled against it in past Talkbacks are legitimate.
    Someone asked recently, "The real question should be why hasn't
    anyone created something better?" I agree. It's about time, not to just
    create a "better Unix", but to invent a better system architecture that is
    yet unnamed.

    This is a very different mentality. It is a culture that has more to do
    with an interest in real science and real engineering than with a
    culture whose only objective is to "make the computer do what I want
    NOW". Maybe this is a mischaracterization, but I think it's a culture
    that accepts delayed gratification. Future benefits come from what
    you learn now. Progress appears slow by conventional standards, but I
    think something great and unique happens later. The reward is in
    realizing that you've participated in creating something that serves
    your needs uniquely well, services your needs with minimum effort,
    and has the feel of a work of art.

    Douglas Engelbart had a revolutionary philosophy in his NLS project in
    the 1960s, based on his idea of "augmenting the human intellect", of
    using a computer system to facilitate the gradual improvement of a
    group's abilities. As the group improved, so did the computer system
    itself, because they also used the same philosophy of gradual
    improvement with it. By the end of it they had emerged from a world
    that only knew computers that operated based on batch jobs with
    punch cards and teletypes, and created the modern computer system
    metaphor that we know today: an interactive, collaborative
    environment (even remotely collaborative, [b]complete with video
    conferencing, and a shared work environment![/b]) that responded to
    multiple user's actions immediately, and helped the group manage
    and organize information in the most efficient fashion they knew how.
    Many people in the field now know that Engelbart invented the
    mouse, but he did a hell of a lot more than that. Learning more about
    this, and the ARPA/Xerox PARC experience from the 60s and 70s, it
    feels like some very fortunate people managed to capture lightening
    in a bottle, and it has not been reproduced since. We ought to be
    trying to get back to that.
    Mark Miller
    • Yep: been there, felt that, thought the same things

      Well, pretty much anyway.

      However.. if you work in a corporate environment all the good things the PC promised have disappeared from the menu. Now it's functionally distinguishable from the old dumb terminal only because the PC is relatively hot and noisy.
      murph_z
      • Agreed

        [i]if you work in a corporate environment all the good things the PC
        promised have disappeared from the menu. Now it's functionally
        distinguishable from the old dumb terminal only because the PC is
        relatively hot and noisy.[/i]

        We agree on that. That's been one of my disappointments looking back
        at what has become of corporate IT.
        Mark Miller
    • This is "guest editorial" material

      I hope ZD invites Mark Miller to adapt this into a guest article or blog-posting.
      bswiss
  • Clueless as usual.

    At least you're consistent.

    EDIT: Corrected title from "cluessless" to "clueless" because some people just don't have anything else to contribute but pointing out spelling mistakes.
    ye
  • CruiseList? (link this to ye above)

    I believe that your English proficiency shows the same consistency.
    Roger Ramjet
    • Sometimes I make spelling mistakes. My apologies for being human. (nt)

      .
      ye
      • Firefox doesn't let me

        The spellchecker in FF is a great feature - but it doesn't seem to work in the "Subject" area - only in the "Body" - so I guess it wouldn't have helped you in this case. You should check it out!
        Roger Ramjet
        • IE7 Pro adds spell checking. But I have to leave you...

          ...something on which to build a valid counter argument. Spelling and grammar errors are about the only valid counter arguments ABMers appear to have.
          ye
        • Doesn't let you?

          So you're saying if you wanted to intentionally misspell a word for effect that Firefox would prevent you from doing that?

          Obviously not, but since you gave ye a hard time on his English skills, I figured it was fair to tease you about it. :)

          btw, this was typed using Firefox on a Linux system, so please don't label me as a Windows apologist...
          brble
  • You'd have to use Windows to actually understand Rudy

    Haven't had a malware attack either virus or trojan for years, Every month and occasionally more, MS updates my work and home systems automatically. My AVG also updates automatically.

    You still haven't faced up to the fact that Linux and Mac have had little to worry about because no-one uses them - well less than 1% for Linux and 5% for the Mac. Now that Windows is so secure (and that must really hurt you right?) the easier fields of Linux and Mac are starting to become targets. Well not Linux really, who wants to pwn some system in a basement held together with strings and chewing gum that spends its day running benchmarks?

    The Mac crowd, on the other hand, have already proved themselves wealthy and gullible, so I think it's game on for the poor Mac users.

    So forget about the cliff Rudy, think instead about you sitting on the beach trying to stop the tide coming in, when it's already up to your neck - get ready to hold your breath.

    I'm still wondering who has the "courage" to employ you considering your lack of experience with the global OS and your obvious desire to leave a trail of wreckage (but ideologically pure wreckage) behind you.

    Perhaps you could point out one of your major projects where everything worked out great. Just one example of a smooth move from Windows to *nix (that YOU supervised) where the company actually got a return on investment and is still on good speaking terms with you. In other words Rudy, put up or shut up. No, I'm not interested in another googled Windows disaster or your theoretical beliefs - give me an example that I can follow up. Surely if you alone have the one path to truth, you can provide some evidence we could look at?



    tonymcs@...
  • What is the definition of insanity?

    Doing the same thing over and over again expecting different results.

    So said Albert Einstein.

    It's what I hear and see every day in these blogs.

    Again, and again, relentlessly, I hear how bad Windows is and how good the other guys are. Every day, the story is the same, and yet the horizon never changes. The outlook is still the same.

    Blah, Blah, Blah. When will there be something new to be said? When will Unix, or Linux, or Apple build a computer OS that the masses will want to use?

    They say that the new Macs are great, but did you ever try to use a mouse with one button?

    They say Unix is so secure, but I do not see it running the high end software, CAD, design, or game programs.

    Linux is a failure when it comes to any of the above, except for its security. Try to run Photo Shop or a high end CAD program and see how far you get. And what about drivers for the high end printers or plotters you want to use for those programs, good luck finding a driver for those. As for games, forget it. If it wasn't written specifically for Linux, 9 time out of 10 it will not run.

    So, for all the decrying about how great these other solutions are, they do not cater to the masses.

    You keep your "bulletproof" OS systems, and I'll keep my USEFUL machine with my weekly updated software that doesn't require I leap through 6 hoops,and walk on fire to rewrite the kernel every time I want to do a security update, or patch, or add a driver for a printer that may or may not work because there is no Hardware Quality Lab testing this stuff.

    brianmilke@...
    • What a lovely, recursive, demonstration of ignorance

      1) the 1 button mouse business is a bit out of date (like a decade or two) and wrong anyway;

      2) all really high end graphics, cad, and engineering software is Unix. The PC stuff is middle of the road and lower.

      3) if the definition of insanity is doing the same things and expecting different results - and i think that makes sense - lets talk about those weekly patches you do to achieve security- or how about your upgrades from one wintel generation to the next? The patches don't produce security and the upgrades don't produce upgrades.. but you continue doing them, don't you?

      5 it's true most games developers don't write for Unix - but games are for kids, Unix is for adults...
      murph_z
      • One button mouse and such...

        Actually, the one button mouse is still in use today on MACs. I have 4 at school.

        Frustratingly annoying to try and use one of those when you have used a two button mouse with scroll feature for years...

        And as for your comment about children and adults, and which uses what, games are here to stay. There are more and more adults using their computers as gaming machines each year. As for the push for faster video cards, processors, and such, if video games were not so prevalent in our society, we would not have the advances in processor, memory and video cards that we do today. We would still be using 286SX processors with 32 MB of ram and a 16 bit video card. That will run a UNIX system, but won't even hold the start-up files for a modern OS.

        As far as I can tell, this trend will continue, and PCs will continue to dominate the market until there is no need for them.

        We will no longer be using an OS then, either.

        And if you think high end CAD programs only run on UNIX systems, so be it. I am not here to tell you what to believe. Every man is entitled to his opinions. In this I will agree to disagree, and allow you your thoughts.

        brianmilke@...
        • Some perspective

          [i]Actually, the one button mouse is still in use today on MACs. I have
          4 at school.[/i]

          Yes, Apple still sells the one-button mice, BUT it's possible to plug in
          a PC mouse (two buttons), and the Mac will use it just fine with no
          need to install additional software. You can right-click with such a
          mouse and get context menus. I have not tried the scroll wheel yet
          with one, but it wouldn't surprise me if that worked, too. The Mac also
          works with many printers, scanners, and monitors you can get at any
          electronics store. The Mac used to be in its own proprietary universe
          10 years ago. That changed several years ago. Apple recognized it
          needed to "play nice" with people's PC hardware.

          I think you're right about video advances on PCs/Macs, etc. being
          linked to games, but processor advances would've happened on their
          own. There's always been a demand in business for faster processing
          speeds, and more memory, particularly when graphical UI's came
          along.

          PM didn't say that CAD only runs on Unix. He said that the [i]best[/i]
          CAD systems run only on Unix.
          Mark Miller
          • No one-button mouse

            The only Apple branded rodents that you can by from their web-site
            have 4 buttons. You can right-click, left-click, use the side buttons
            (squeeze) and click the central scroll wheel. The scroll wheel also scrolls
            up, down, sideways and diagonally.

            You can, as you say also use a standard two button/scroll wheel mouse
            if you don't mind losing some functionality in standard Apple programs.
            Tim99
      • Actually...

        ...what I remember is that the first application written for Unix was a
        game. Was it a version of Space War? I forget.
        Mark Miller
  • RE: What

    I clearly understand the Windows Security Issue, but I didn't
    catch the Intel issue.

    I'm not exactly an expert on Intel, PPC or SPARC assembly
    languages or internal architecture, but know enough to get
    puzzled about your affirmation: I don't see why one of these
    (recent) chips could do better than other on these issues.

    Lisias Toledo
  • Stockholm syndrome?

    Not quite -- but I do think you're on the right track...
    bswiss
  • Security and Market Share

    The perceived insecurity of an operating system is directly proportional to its market share. The reason that OTW (other than windows) Operating Systems are seemingly more secure is due mostly to their relative rarity when compared to Windows. If some other OS were dominant, it would be the target of all those hacks and malicious code and would be perceived to be just as insecure as Windows is perceived to be. Black hats are not going to waste their time trying to exploit the vulnerabilities of an OS that is on 5% or less of the computers in the world, when their efforts can exploit the other 95%.
    Fire-1