Windows (in)security and open source

McAfee Inc. is worth over $5 billion and Symantec (which also does other things) is worth over $14 billion.

Both have risen to prominence based on proprietary models and deep, rare expertise. Knowledge about data security and anti-viral technology is closely guarded.

I was able to study a rival of both companies last year, and without giving anything away there's no magic here.

It takes time and money to research threats as they appear, but much of that work takes place online, in chat rooms, on mailing lists, and in e-mail connections with customers.

The myth these companies sell is that secrecy is integral to the business. If everyone knew how to write viruses everyone would, so all knowledge of this world must be kept close.

But cops-and-robbers isn't a secret game, either online or in real life. Neighborhood watches, an alert citizenry, community interaction -- these are the best tools for cutting crime in the real world. And the online world as well.

So why the Joe Friday "Dragnet" routine? Self-interest. If the community were organized to meet the security challenge, as it is other challenges, the challenge might be met.

And where would that leave the security guys? Instead of looking like heroic FBI agents or Men in Black they'd be seen as security guards, fat asses behind desks, looking at monitors all day.

They're not really Joe Friday at all, it turns out. They're Barney Fyfe.

Can't have that.

But get behind the curtain and that's what you'll see. So the best tactic, from a business sense, is to keep you from doing that, to claim that's risky, and that open source knowledge, rather than secrecy, is the real threat.

That's the only way to justify the market premium we place on closed source security, with every renewal check we write.