A blog about computers, open source, software and other perceptions gained over the years as a sysadmin.

Wednesday, February 10, 2010

Why does security suck in Windows?

The biggest problem, as I see it, is not the technical aspect of Windows per se. It's the way Microsoft management seems to view security. There are just too many ways in which statistics seem to be more important than real security.

UAC is an excellent example of this. UAC works by asking the user before doing sensitive tasks. At first glance this can seem smart, but if you think about it some more, not so much. First of all, who should be best equipped to answer a tough security question: the developer of the application or the user? Which of those has the best knowledge about security? I would say that if the developer can't answer, neither can the user.

The biggest impact UAC has on security is that whatever happens, a user has to press an OK button before the computer can be taken over by someone. Security won't be heightened much, but all the blame is put on the user. That way, most security issues can be marked as insignificant since they require user "consent". Voilà, instant virtual security.

Another thing of great grievance for security is the bad habit of not patching holes until they have been sufficiently exploited.

This is how it goes. First some hacker or group of professional hackers discovers an exploit they use for corporate espionage, economic crimes, card fraud etc. Many times Microsoft already knows about this hole but is only fixing it in the next major version of the software. Then, in time, that exploit seeps out to others or is sold on to spammers, botnet herders, hacking tool resellers and the like. When this happens, Microsoft decides it's time to start patching. The problem is, this hole has sometimes been in use for years by professionals. The reason? Well, Microsoft's statistics look better than the rest since they only patch exploited holes, while others patch all their holes, used or unused.

For Microsoft, security is nothing more than a tick on a sheet, a PR issue.

