
Uh oh. Has the zero-day exploit tipping point finally arrived?

Written by David Berlind

By way of linkage from Doc Searls comes this tale of woe from Mike, an IT guy in the trenches who, up until now, felt as though he was doing a pretty good job beating back the bad guys from the networks and users that he supports.  Says Mike of the Windows installation he oversees:

So, here it is in Mid-2005, we've got a continuous stream of system patches, and a continuous stream of virus definitions, most of our spam is gone, and we're behind a continuously updated firewall. This interlocking system of patches does a good job of hiding the complexity and plugging the holes so that the users can go about their business. However, it's not perfect, but hey, that's why we get paid the big bucks, right? We fix the little issues that pop up, then go back to doing our other work. This system addresses the growing volume of threats in a fairly straightforward and efficient manner. It's not perfect, but it's amazing that it works as well as it does. However, I'm not happy. In fact, I'm starting to get very worried.

Why is Mike worried? He goes on to discuss how, despite the various previously effective layers of defense he has in place, his end users are beginning to see things like spam, virii, and phishing attacks that they theoretically shouldn't be seeing. Not only are the bad guys apparently starting to seep through the cracks, they're doing it in record-breaking time (Mike discusses zero-day exploits, where attacks arrive before a patch or signature exists), and Mike can't keep up. Has the proverbial tipping point come where the digital transgressors have finally raced ahead of most, if not all, state-of-the-art defenses? Could "polyculture" go a long way towards mitigating your risk? Searls thinks so, saying:

The problem, I think, is less about Microsoft than it is about monoculture. What we have on desktops today is monocultural to an extreme that makes massive unprotectable vulnerabilities inevitable, regardless of the responsible company's motivations. My recommendation to companies like Mike's is to start introducing polyculture to corporate desktops. Start using other desktop operating systems and applications that are compatible with, though not identical to, Microsoft's.

But is one man's corporate standard another man's monoculture? Polycultures have their downsides too: more platforms to patch, more configurations to support, and more places for a mistake to hide. Hardly a day goes by where I don't receive a pitch from some security vendor claiming it has miraculously come up with some sort of breakthrough security technology that can do what no other technology can do in terms of keeping systems safe from evildoers. Today is no different, particularly with Zotob on the loose. When new virii or worms surface, many of the security vendors are quick to point out that, had ZDNet's readers had their solutions in place, they would have been protected against the new exploit. However, this week's first security pitch (on the heels of Zotob) was less about a breakthrough and more about an announcement that security solution provider Cenzic had ported the open source vulnerability scanner Nessus to Windows NT. Did they say Windows NT? Yes they did.

It doesn't seem like we're moving in the right direction. I tracked Mike down via e-mail to see what he thought. He sees the polyculture approach as a patch because "Linux hasn't been shot full of holes yet" and thinks it'll be at least 15 years before we have truly secure systems. Mike has since blogged that he thinks such security must be based on capability rather than access control lists. Being that he's a Windows guy, one can only wonder what that says of his and others' expectations of the next, supposedly much more secure version of Windows that's currently codenamed Vista. My hope is that we won't have seen "the movie" before. But maybe that's wishful thinking. Even though it's beta (and we should always be super careful about judging beta), Vista has already turned up with what I'll call a case of bad judgement on its developers' behalf. Apparently, there's a peer-to-peer networking feature in Vista Beta 1 that's turned on by default -- one that uses a new version of Microsoft's peer name resolution protocol (PNRP) and connects to other beta machines as soon as an Internet connection is available. Ironically, the acronym PRNP refers to a gene that's connected with the non-contagious Bovine Spongiform Encephalopathy (aka "Mad Cow Disease") and the similar, but contagious, kissing cousin of BSE in sheep known as scrapie (contagious to other sheep, that is, not humans). Time for a new acronym?
