Windows (in)security and open source

Summary: But cops-and-robbers isn't a secret game, either online or in real life. Neighborhood watches, an alert citizenry, community interaction -- these are the best tools for cutting crime in the real world. And the online world as well.


Windows security is a good gig. (Picture from BuyersMLS, which has many other old TV mash-ups.)

McAfee Inc. is worth over $5 billion and Symantec (which also does other things) is worth over $14 billion.

Both have risen to prominence based on proprietary models and deep, rare expertise. Knowledge about data security and anti-viral technology is closely guarded.

I was able to study a rival of both companies last year, and, without giving anything away, there's no magic here.

It takes time and money to research threats as they appear, but much of that work takes place online, in chat rooms, on mailing lists, and in e-mail connections with customers.

The myth these companies sell is that secrecy is integral to the business. If everyone knew how to write viruses everyone would, so all knowledge of this world must be kept close.

But cops-and-robbers isn't a secret game, either online or in real life. Neighborhood watches, an alert citizenry, community interaction -- these are the best tools for cutting crime in the real world. And the online world as well.

So why the Joe Friday "Dragnet" routine? Self-interest. If the community were organized to meet the security challenge, as it is other challenges, the challenge might be met.

And where would that leave the security guys? Instead of looking like heroic FBI agents or Men in Black they'd be seen as security guards, fat asses behind desks, looking at monitors all day.

They're not really Joe Friday at all, it turns out. They're Barney Fyfe.

Can't have that.

But get behind the curtain and that's what you'll see. So the best tactic, from a business sense, is to keep you from doing that, to claim that's risky, and that open source knowledge, rather than secrecy, is the real threat.

That's the only way to justify the market premium we place on closed source security, with every renewal check we write.

Topics: Open Source, Security, Windows

  • It is "Fife", not "Fyfe"

    Despite the link you posted to an article discussing "Barney Fyfe Syndrome", per IMDB the character's last name was "Fife".

    As to the topic, I do think the security folks want us to pay no attention to the man behind the curtain!
    • Get a lyfe

  • Funny you should mention that

    [i]But get behind the curtain and that's what you'll see. So the best tactic, from a business sense, is to keep you from doing that, to claim that's risky, and that open source knowledge, rather than secrecy, is the real threat.[/i]

    So, lo and behold! the next big villain in the [i]Iron Man[/i] comics is that lowest of the low, someone who wants to let Dangerous Knowledge out to the world at large. Only our Intrepid Hero (and, in his day job, head of a giant technology corporation) Tony Stark (aka Iron Man) can keep these secrets safe in hands that can be trusted with them: his.
    Yagotta B. Kidding
  • Who's working on the anti-virus?

    "Quicksilver, Mordred, and Abercrombie."

    "Anyone know their real names?"

    "No. But I think Abercrombie works for a security company that produces proof of concept code on the net for script kiddies."

    "And Mordred is a broker for the flaw-sales market."

    "I don't know anything about Quicksilver, except that he's very rich and writes Bu Wah-Hah-Hah every time someone asks him where his money comes from."

    "Well, at least they're all experienced people."
    Anton Philidor
    • Ah yes, of course.

      Because that's exactly what happens with FOSS too, no-one knows anyone's real names and there's no vetting of code by trusted parties at all.

      Course not.

      That'll be why Linux is so full of back doors.
      • Sarcasm? <nt>

      • Remember Firefox?

        When a large number of people began to use it, security flaws were discovered.

        That's not a criticism. Software is a human product, so flaws will exist. No matter how many pairs of eyes stare at it (uncomprehendingly).

        The same applies to proprietary security software, which has itself sometimes proven flawed. The only advantage of proprietary is that staff can be better vetted. Though even then fraud is possible.

        Foolish to claim too much for a development method. Any development method.
        Anton Philidor
        • You forget to mention that...

          Studies have found that OSS has a lower error rate than proprietary. Or did that slip your mind?
          • ... that OSS software has a higher error rate...

            ... in some studies and a lower error rate in others. Depends on how the problems are measured and the sort of problems being sought and maybe the ability or bias of the investigators.

            Then there's the greater attention paid to software in wider use.

            If the error rate is high enough to leave the software vulnerable, then is a difference from other software significant?

            And because social engineering has proven less expensive and time consuming and more effective than finding and exploiting software flaws, it's reasonable to question whether error rates have any importance.

            When an involuntary web survey finds that the most common passwords are Password and Enter password, errors appear superfluous.
            Anton Philidor
          • Stop picking cherries

            Overall, OSS has a far far lower error rate, especially on the major projects that have active communities.

            And for what it's worth, there are numerous low-visibility attack strategies that do work and do not require social engineering. The most obvious and least sensitive to mention being slow-motion brute force login attacks. That and there are for all intents and purposes extremely large numbers of unpatched, unsecured machines out there.
          • You picked well.

            Especially the reference to "large numbers of unpatched, unsecured machines out there." The vulnerability to automated attacks not based on flaws is also a good point.

            The definition of "error rate" is ambiguous and findings about the numbers of them are arguable. But one certain point is that there are many means used to infect computers which are not affected by software flaws, no matter their number.
            Anton Philidor
          • Typical passwords across systems?

            I'd be interested to know typical passwords for typical users of all mainstream OS's.

            Do password strength indicators actually encourage stronger passwords, or do many see them as a nuisance, or just a pretty bar?

            "Let me in", "Let me in 123", "Open sesame" etc. used to be the order of the day. In fact, any change to the default password was pretty much assumed to be secure. What a laugh in this day and age ...
          • I think the main issue is how long before the FIX is out. (nt)

  • Why not do some research?

    Then you'd find that Windows IS security and the OSS second hand, passionate rather than skilled approach is so far behind it's laughable. Thank God most of OSS is developed on and for Windows, otherwise we'd be in real trouble.
    • Why not do some non Microsoft research?

      You might find all of those white papers you've been consuming are *a little biased* towards those that fund such "research".

      So why not do some research of your own?
    • What security is that?

      Even the "mighty Vista" got hacked at the lame hack to own contest. And that was for folk that didn't mind showing what they knew, not the other more secretive kind.

      And for Windows security, you do know that the botnet zombies are almost exclusively Windows boxes. Windows secure? Nah.
      • He won't believe it

        unless he reads it in a press release with Microsoft written all over it.

        Yup, we've got a few years of nonsense from these PR Consuming Monkeys yet ....
      • All sections of software have bugs. That is why it is so

        important to fix them as soon as possible. Patch-Tuesday way of doing it is often much too late.
        Consider the difference between IE and Opera.
        IE-6 has security holes that are still not fixed several YEARS after they were discovered. IE-7 has holes from last year UNFIXED.
        Opera on the other hand, usually gets the fix out within a week of discovery.
        Being as these apps do pretty much the same thing for the same purpose, I think it IS fair to compare them on this.