Vista needs safety in numbers

Locking users in a dungeon doesn't make them safe
Written by Leader, Contributor

Microsoft's brand new operating system is already attracting some very old accusations. Symantec and McAfee say they're being locked out of providing more security, because Microsoft is denying access to important parts of Vista's architecture, such as the kernel. What started as a discussion has degenerated into a slanging match, with full-page adverts in the Financial Times underlining the frustration felt by the security companies.

Microsoft is, of course, free to ask anyone to do anything. Modifying the kernel in unapproved and undocumented ways can be very dangerous, and it's good programming practice not to do it. However, if a dangerous exploit is revealed and an official patch is not forthcoming, most users would like the option to use a trustworthy third party — the market, not the marketing department of Microsoft, should decide on the best way to approach the problem.

This goes double for the Windows Security Center, the control panel for Vista's safety features. Microsoft claims that it has to lock this down against third parties altogether, otherwise it will be a target for hackers. It is foolish to imagine that there is any way to prevent such targeting — hackers have been all over Vista since the first betas were released — but equally foolish to think that restricting legitimate access is any form of security.

Quite the opposite: one of the reasons Windows has been such a boon to attackers is that it is so monocultural. More variety gives more robustness — by ensuring that 100 percent of Vista installations will be running the same security code, Microsoft is making the target as tempting as possible.

Microsoft must address directly the concerns Symantec expresses, because those concerns speak directly to Microsoft's documented history of using such restrictions to give itself a commercial advantage. In particular, the company must drop its stance of abused innocence with regard to the European rulings — we're being told not to be bad, but how can we possibly know what bad is? — if it wants to give credence to any of its other arguments. It sure looks like the same old, bad old Microsoft to us.

Microsoft says it is being serious about Vista security. If so, it must be serious about encouraging diversity, access and freedom of choice. Security by obstinacy is not an option.

