What's really wrong with PC "security"
Summary: Why do Wintel people defend the indefensible while spending billions on reactive "security" that never solves the problem? Stockholm Syndrome describes the behavior, and it's not hard to see who's captive to whom there.
It's nightmare time! Ready?
Ok: you're among millions of people lined up along an endless cliff looking down a thousand feet to raging waters and black rocks. The crowd surges, you barely cling to the edge as clouds of your fellows scream all the way down - and now you see people selling parachutes but just as you get one, the scene changes. You're on a beach with an incoming tsunami only a few hundred yards offshore. Again, you survive, barely; but the beach is covered with those who got tangled in their parachute harnesses and drowned - and now you see people selling floats but just as you get yours, the scene changes. You're on dry grassland, and through choking smoke you see wind-borne flames sweeping toward you.
Wake up! That's the Windows security business as seen from the customer perspective: everything's reactive; awareness follows disaster, and retroactive remediation just increases the burdens you carry into the next failure.
Now look at it from the seller side: somebody creates a cliff and after enough people fall, you get a seller's market for parachutes; somebody creates a tsunami, you get a seller's market for life preservers; somebody creates a grass fire, you get to sell smoke scrubbers in volume.
So why do customers put up with this when Unix on SPARC or PPC offers near total immunity to all of it and even Mactel and Lintel, despite their reliance on x86, offer much more difficult targets to attackers?
Some contributing reasons are obvious: for example, the moral hazard imposed on IT staff by asking people whose jobs depend on the employer's continued vulnerability to develop effective counter-measures has to be a factor - and, similarly, the typical executive assumption that computers are career-killing tarpits of cost increases, public failure, and unmet expectations combines nicely with the fear of social contamination by nerdish thinking they learnt as high school's pretty party people to explain why so many leave foxes in charge of the IT hen house.
By themselves, however, these are partial, and insufficient, explanations. Overall, the industry's behavior is so utterly irrational that something more is needed - and I have a candidate: Stockholm Syndrome.
Held for long enough, or under sufficiently brutal conditions, kidnap victims start to identify with their abusers - and will often continue to defend the criminals involved long after they've been physically freed.
Thus this blog post will draw angry responses from Wintel people who will maintain worms and viruses are simply nickel and dime costs of doing business, a testimonial to the market success of their favorite architecture - and that the only reason these kinds of attacks don't pose much of a problem in the Unix community is that there simply aren't enough Unix targets to bother with.
In reality, the cost of the Windows Security illusion runs into the tens of billions of dollars per year; millions of individuals have suffered significant harm from individual attacks; companies exposing confidential data to attackers have been driven out of business; major government organizations, from the U.S. Air Force to The British National Health, have suffered embarrassing shutdowns and losses - and it's all an unending testimonial to the many points of failure built into the Wintel architecture.
Stockholm Syndrome describes the relentless focus on after-the-fact reactivity - I mean, sure, some people defend the PC security industry because their jobs depend on it; and, yes, many bosses look the other way because they lack courage or commitment, but the real bottom line is that the industry's behavior looks like Stockholm Syndrome writ large: a long-term, deeply emotional, and utterly irrational continuing defense of the indefensible.
Talkback
Explaining IT behavior, what we're missing
earlier, the social dimension to all of this. I would add that there's a
cultural factor.
Having been a part of the Windows world (where I occasionally visit), I
can say that from the developer's perspective Windows often seems
like the ideal platform. Microsoft in the past has marketed to
developers aggressively and won their allegiance by creating an
environment where they could build and tinker in a friendly, inviting
environment, and ultimately build things that make them some
money. It didn't matter how educated you were. Developers in the
ecosystem run the gamut from hobbyists-turned-developers to
people with Ph.D.'s. It didn't matter. You could get something done
that would interest somebody. Other developers differed, but they
were seen as being in a different camp that had values antithetical to
yours. Windows developers saw themselves as a part of a vast sea, a
large world in which they could exist, do some interesting things,
meet some interesting people, and make a living. I used to defend
Windows aggressively for this reason.
My mind had been fashioned after years of existing in, practically
growing up in, the commercial computing culture into believing that I
had to pick sides. If I wanted certain qualities in my programming
experience I had to pick Vendor A's product over Vendor B's. And of
course I recognized that this would close some doors and open others
in terms of what kinds of work I could do, and what technologies I'd
interact with. I accepted this. If Windows suffered from vulnerabilities
I'd try to help to find ways to make it more secure.
I grew up with microcomputers/personal computers/PCs. I liked that
modality. I knew the history of this modality, and that IBM's and
Microsoft's approach had won out. I figured this had happened for
good reason, and when most other microcomputer platforms fell
away, I adopted the PC. I came to like Unix as well, due to my college
experience, but I liked PCs more. They felt like computers that existed
on a human scale, accessible, rather than something that had to be
locked up in a room with restricted access privileges. They were
things I could interact with on my own terms. So I had an aversion to
anything that smacked of distancing technology from the user. The
idea of bringing that modality into my work felt good. When I first got
into the work world I didn't think much about the security concerns. If
I heard about a viral/worm infection I blamed the guy who wrote it,
not the PC. Interestingly, I experienced a time when Unix was
considered just as vulnerable as Windows: the late 1980s and the
Morris Worm. I was a freshman in college when that happened and I
remember what it did to the university systems, and to the internet at
large. I heard the complaint frequently "Unix security is an oxymoron".
That was a different time. Unix security improved. In my mind though
there really wasn't that much difference between PC security and Unix
security, because I had seen both get attacked.
What changed my mind was a culture shock. I had the experience of
watching someone demonstrate a platform that was beyond my
imagination in terms of what programming could be. It brought back
old desires, ones I had forgotten from when I entered college 20 years
ago. I realized I had to change my world view to understand what I
saw, and so that's what I did. I chose to enter and learn about a new
culture. It was not a switch in loyalties from Microsoft to open source,
though now I like open source better than I used to. That wasn't the
decision. The decision was to embrace a spirit of exploring and
learning sophisticated ideas, to become more educated. This came
about from a realization that only by doing that could I fulfill what I
desired from the work I believe in doing. From that flowed an
appreciation for good architecture, ideas that are well thought out,
not cobbled together from spare parts, using a subsistence mentality.
Having gone through this, I'm able to see better what you're getting at.
Having said that, while I can see that Unix is a better platform for
scalability, adaptability, and security, and perhaps user empowerment,
I see ways in which it could be improved. I think some of the criticisms
that have been leveled against it in past Talkbacks are legitimate.
Someone asked recently, "The real question should be why hasn't
anyone created something better?" I agree. It's about time, not to just
create a "better Unix", but to invent a better system architecture that is
yet unnamed.
This is a very different mentality. It is a culture that has more to do
with an interest in real science and real engineering than with a
culture whose only objective is to "make the computer do what I want
NOW". Maybe this is a mischaracterization, but I think it's a culture
that accepts delayed gratification. Future benefits come from what
you learn now. Progress appears slow by conventional standards, but I
think something great and unique happens later. The reward is in
realizing that you've participated in creating something that serves
your needs uniquely well, services your needs with minimum effort,
and has the feel of a work of art.
Douglas Engelbart had a revolutionary philosophy in his NLS project in
the 1960s, based on his idea of "augmenting the human intellect", of
using a computer system to facilitate the gradual improvement of a
group's abilities. As the group improved, so did the computer system
itself, because they also used the same philosophy of gradual
improvement with it. By the end of it they had emerged from a world
that only knew computers that operated based on batch jobs with
punch cards and teletypes, and created the modern computer system
metaphor that we know today: an interactive, collaborative
environment (even remotely collaborative, complete with video
conferencing, and a shared work environment!) that responded to
multiple users' actions immediately, and helped the group manage
and organize information in the most efficient fashion they knew how.
Many people in the field now know that Engelbart invented the
mouse, but he did a hell of a lot more than that. Learning more about
this, and the ARPA/Xerox PARC experience from the 60s and 70s, it
feels like some very fortunate people managed to capture lightning
in a bottle, and it has not been reproduced since. We ought to be
trying to get back to that.
Yep: been there, felt that, thought the same things
However.. if you work in a corporate environment all the good things the PC promised have disappeared from the menu. Now it's functionally distinguishable from the old dumb terminal only because the PC is relatively hot and noisy.
Agreed
promised have disappeared from the menu. Now it's functionally
distinguishable from the old dumb terminal only because the PC is
relatively hot and noisy.
We agree on that. That's been one of my disappointments looking back
at what has become of corporate IT.
This is "guest editorial" material
Clueless as usual.
EDIT: Corrected title from "cluessless" to "clueless" because some people just don't have anything else to contribute but pointing out spelling mistakes.
CruiseList? (link this to ye above)
Sometimes I make spelling mistakes. My apologies for being human. (nt)
Firefox doesn't let me
IE7 Pro adds spell checking. But I have to leave you...
Doesn't let you?
Obviously not, but since you gave ye a hard time on his English skills, I figured it was fair to tease you about it. :)
btw, this was typed using Firefox on a Linux system, so please don't label me as a Windows apologist...
You'd have to use Windows to actually understand Rudy
You still haven't faced up to the fact that Linux and Mac have had little to worry about because no-one uses them - well less than 1% for Linux and 5% for the Mac. Now that Windows is so secure (and that must really hurt you right?) the easier fields of Linux and Mac are starting to become targets. Well not Linux really, who wants to pwn some system in a basement held together with strings and chewing gum that spends its day running benchmarks?
The Mac crowd, on the other hand, have already proved themselves wealthy and gullible, so I think it's game on for the poor Mac users.
So forget about the cliff Rudy, think instead about you sitting on the beach trying to stop the tide coming in, when it's already up to your neck - get ready to hold your breath.
I'm still wondering who has the "courage" to employ you considering your lack of experience with the global OS and your obvious desire to leave a trail of wreckage (but ideologically pure wreckage) behind you.
Perhaps you could point out one of your major projects where everything worked out great. Just one example of a smooth move from Windows to *nix (that YOU supervised) where the company actually got a return on investment and is still on good speaking terms with you. In other words Rudy, put up or shut up. No, I'm not interested in another googled Windows disaster or your theoretical beliefs - give me an example that I can follow up. Surely if you alone have the one path to truth, you can provide some evidence we could look at?
What is the definition of insanity?
So said Albert Einstein.
It's what I hear and see every day in these blogs.
Again, and again, relentlessly, I hear how bad Windows is and how good the other guys are. Every day, the story is the same, and yet the horizon never changes. The outlook is still the same.
Blah, Blah, Blah. When will there be something new to be said? When will Unix, or Linux, or Apple build a computer OS that the masses will want to use?
They say that the new Macs are great, but did you ever try to use a mouse with one button?
They say Unix is so secure, but I do not see it running the high end software, CAD, design, or game programs.
Linux is a failure when it comes to any of the above, except for its security. Try to run Photoshop or a high end CAD program and see how far you get. And what about drivers for the high end printers or plotters you want to use for those programs, good luck finding a driver for those. As for games, forget it. If it wasn't written specifically for Linux, 9 times out of 10 it will not run.
So, for all the decrying about how great these other solutions are, they do not cater to the masses.
You keep your "bulletproof" OS systems, and I'll keep my USEFUL machine with my weekly updated software that doesn't require I leap through 6 hoops, and walk on fire to rewrite the kernel every time I want to do a security update, or patch, or add a driver for a printer that may or may not work because there is no Hardware Quality Lab testing this stuff.
What a lovely, recursive, demonstration of ignorance
2) all really high end graphics, cad, and engineering software is Unix. The PC stuff is middle of the road and lower.
3) if the definition of insanity is doing the same things and expecting different results - and I think that makes sense - let's talk about those weekly patches you do to achieve security - or how about your upgrades from one wintel generation to the next? The patches don't produce security and the upgrades don't produce upgrades.. but you continue doing them, don't you?
5) it's true most games developers don't write for Unix - but games are for kids, Unix is for adults...
One button mouse and such...
Frustratingly annoying to try and use one of those when you have used a two button mouse with scroll feature for years...
And as for your comment about children and adults, and which uses what, games are here to stay. There are more and more adults using their computers as gaming machines each year. As for the push for faster video cards, processors, and such, if video games were not so prevalent in our society, we would not have the advances in processor, memory and video cards that we do today. We would still be using 286SX processors with 32 MB of RAM and a 16 bit video card. That will run a UNIX system, but won't even hold the start-up files for a modern OS.
As far as I can tell, this trend will continue, and PCs will continue to dominate the market until there is no need for them.
We will no longer be using an OS then, either.
And if you think high end CAD programs only run on UNIX systems, so be it. I am not here to tell you what to believe. Every man is entitled to his opinions. In this I will agree to disagree, and allow you your thoughts.
Some perspective
4 at school.
Yes, Apple still sells the one-button mice, BUT it's possible to plug in
a PC mouse (two buttons), and the Mac will use it just fine with no
need to install additional software. You can right-click with such a
mouse and get context menus. I have not tried the scroll wheel yet
with one, but it wouldn't surprise me if that worked, too. The Mac also
works with many printers, scanners, and monitors you can get at any
electronics store. The Mac used to be in its own proprietary universe
10 years ago. That changed several years ago. Apple recognized it
needed to "play nice" with people's PC hardware.
I think you're right about video advances on PCs/Macs, etc. being
linked to games, but processor advances would've happened on their
own. There's always been a demand in business for faster processing
speeds, and more memory, particularly when graphical UI's came
along.
PM didn't say that CAD only runs on Unix. He said that the best
CAD systems run only on Unix.
No one-button mouse
have 4 buttons. You can right-click, left-click, use the side buttons
(squeeze) and click the central scroll wheel. The scroll wheel also scrolls
up, down, sideways and diagonally.
You can, as you say also use a standard two button/scroll wheel mouse
if you don't mind losing some functionality in standard Apple programs.
Actually...
game. Was it a version of Space War? I forget.
RE: What
catch the Intel issue.
I'm not exactly an expert on Intel, PPC or SPARC assembly
languages or internal architecture, but know enough to get
puzzled about your affirmation: I don't see why one of these
(recent) chips could do better than other on these issues.
Stockholm syndrome?
Security and Market Share