With Windows, it’s not “commerce vs convenience”; you could have both (including security)
Unfortunate that Joe Wilcox should use two completely flawed metaphors (well, they aren’t similes) to try to explain the flaws in Windows that lead to its being overrun by spyware.
He begins:
Yesterday, a Mac buddy found his sole Windows XP PC to be overrun with spyware, viruses and Trojan horses. Our discussion got me to thinking again about the whole Mac OS vs. Windows XP debate, and which is more secure.
His Mac buddy, it has to be said, hadn’t done such a great job in securing the Windows computer. Auto-update was off (the default in the Xmas 2003 version he bought), his antivirus had expired, he wasn’t running anti-spyware, and he didn’t have any pop-up blockers.
He started troubleshooting, with me on the phone. First, following my instruction, he downloaded Microsoft Anti-Spyware. Second, after finding out the Norton AntiVirus subscription had expired, he followed my advice to get McAfee antivirus from AOL; he’s a subscriber, and AOL offers the software for free. While trying to download the software, pop-up windows periodically opened. “What are all these popups?” he asked. I told him about how many spyware programs use popups to take users to other sites. Again, as a guy using Macs, he had never seen or even imagined such behavior before.
Microsoft Anti-Spyware turned up 413 spyware traces and eradicated them (maybe eradicated them; more on that in another paragraph). McAfee also found several viruses, including several Trojans. Since he was downloading stuff, my buddy checked Windows Update (apparently automatic update was turned off) and found Windows needed 23 critical patches. I asked if the computer had Windows XP Service Pack 2 installed. He thought so, but later found out that it had not been. Later, my buddy and I spoke about his progress with the computer. A later Anti-Spyware scan found 11 new traces of spyware, even though only he had used the computer and then to fix problems. I suggested that some spyware might be stealthily hidden and that he should just wipe the disk and reinstall Windows. He wanted to apply Service Pack 2 first. I’m waiting to hear what happened.
Now to explain how there are so many exploitable holes, Joe says (while allowing that Windows does need improvement) that “Windows is a platform through which Microsoft wants to enable commerce for its partners and convenience for its customers. Such an approach requires a certain amount of openness that also entails some risk. I gave my buddy two analogies to explain my point.”
First analogy: the shopkeeper. The ideal commerce situation for a street-side shop would be a big window to display goods and even some items placed on the sidewalk. After all, how can people buy products they can’t see? If thieves pick off sidewalk wares, the shopkeeper must move the goods inside. If someone breaks into his shop through the big window and steals lots of items, he needs to put up bars or some kind of gate. And with each security measure, the shopkeeper limits his ability to conduct business with legitimate customers, because of a few criminals. And what if the shopkeeper builds a fortress of sorts, but there is a riot and looting in the neighborhood? Is it realistic to blame the security systems company for such an unusual attack, particularly if the shopkeeper wants to keep that big window–there for commerce and convenience? The answer is no.
Trouble with this analogy is that in this one, Microsoft builds the shops. The user can change how easy the “shop” is to access from outside. But the basic design - where the windows are, how it’s laid out - is down to Microsoft. It’s beyond most “shopkeepers” to alter that very much. The trouble is that most of the defaults are rubbish (to continue the metaphor, the windows don’t have locks, nor do doors, and fitting them is hard), and even when you do those things you discover that by knocking on the door in a particular way, or posting a letter with particular words in it, the thieves can still get in. Then even when you take care not to open those letters and replace the door with one you’ve designed, you discover there are underground tunnels that thieves can use to get into the shop. Not just one tunnel. Or two. But dozens, with more being discovered all the time.
Second analogy: 9-11. Before the horrific terrorist attacks in New York and here in the Washington area, airport procedures and gate designs favored commerce and convenience. Security measures sought to protect, but they also allowed quite a lot of freedom and mobility. Dad and the kids could greet mom at the gate and pick up a bouquet of flowers along the way. But following the attacks and adoption of a new U.S. government policy on terrorism, security increased, but at a huge cost to commerce and convenience. Freedom to come and go as we please is a hallmark of American society, but criminal acts lead to greater security measures that impede some freedoms. Do people want to be free or safe? The answer is a trade off between freedom and security, whether dealing with real or perceived threats.
This is a horrible analogy, in both senses. First, remember how the Sept 11 hijackers operated: they got through the security checks because they were carrying items - box-cutter knives - that were legal to carry on in hand baggage at that time. It was nothing to do with how close to the gate Mom and Dad could get. It was a failure of the security services (and arguably those much higher than that). It was a failure of their imagination: they couldn’t conceive that people might take over a plane in that way, for that purpose. The security measure that was missing was an armoured door to the cockpit. That would have saved all the planes, and required nothing different at the gates.
Second, computer operating systems can’t have security bolted on after the fact, as has been done with the US transport system. For it to work, it has to be built in from the bottom. The system has to be checking permission to do things all the time, at the most fundamental levels. You can’t say “Oh, we used to let viruses through, now we don’t.”
I see Microsoft’s security situation as being like these two analogies. Windows’ design allows much commerce and convenience–and I consider the approach to be extremely sensible. The problem isn’t that Windows is less secure today than five or ten years ago, but that attacks by criminals have increased.
Well, that we can certainly agree on.
In the wake of these increased attacks, Microsoft’s challenge is how to make the operating system more secure without greatly reducing commerce and convenience. I’m sure that if Microsoft really wanted to, it could release a totally locked-down, super secure version of Windows. But it would be more akin to that shop, but with a six-inch brick facade and an iron door. The fortress approach might keep out most criminals, but most customers, too. And there are many more customers than criminals.
The weakness with this is like the 9-11 analogy: while you can add security on later with humans (because they’re intelligent, mostly, and sentient), you can’t with computer code. It’s either in there or it’s not.
I see Microsoft’s Longhorn security challenge as trying to make the operating system more secure without taking too much away from partners and customers.
Umm, I see it as writing a secure operating system. And then seeing how to make its functionality work within that security. But to imagine that such terrible metaphors somehow explain or excuse the bad, bad, bad security decisions that have been made again and again in Redmond really misses the point.
March 21st, 2005 at 9:40 am
Yeah. It’s not like, when writing Windows 95, everyone sat down and said “Right, what’s the best balance between security and convenience for an operating system connected to the internet?” Windows 95 wasn’t even written with the internet in mind.
I think the bad decisions of the past do prevent Microsoft from changing stuff due to convenience imperatives (because fixing things would break backwards compatibility and force thousands of developers to re-write their software), but it certainly wasn’t the decisions they made at the outset.
Is OS X like a shop with a brick wall in front of it? No. It’s like a computing garden of Eden. You just don’t have to worry.
March 21st, 2005 at 12:52 pm
Ah, but in the Garden of Eden there was a serpent… and what did the serpent offer Eve? An APPLE! Case closed.
But yes, OSX is better, but often more by accident than design - it’s based on a multi-user operating system, which Windows simply wasn’t.
March 21st, 2005 at 1:46 pm
More to the point, L, is that OSX is based on BSD Unix, which was written with security in mind. Not Army-style security, but at least enough to prevent users from stealing each others’ resources or messing up each others’ files.
Isn’t it known as the “least privilege” model (ie you get the least privileges required to do what you’ve been assigned)? As opposed to Windows, where it’s pretty much a free-for-all for the software agents which can run around the back and jump in the windows (to carry on the shop metaphor).
March 21st, 2005 at 2:48 pm
Well, the BSD people would like you to think that certainly, but I still maintain that the design of the underlying system is critical here. There certainly isn’t a least privilege model in OSX : if you are root you can do anything if you aren’t you can only do what you have access to. Building a real least privilege system might be quite interesting though : you have a capability associated with all the tasks that you are allowed to perform and when an application runs it asks for only those permissions that it needs to complete its task (which of course means the application writer has to know what these are when writing it!). If you don’t have the capabilities for everything then it won’t run, but if you have more, only the necessary ones will be used. Could make task startup slow, especially if you have very fine grained capabilities. VMS had a very fine-grained permission system but it wasn’t really used in this way.
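The two models the thread contrasts (the "root can do anything, everyone else gets what they have access to" ambient-authority model, and the capability model where an application declares up front exactly which permissions it needs and is refused if any are missing) can be shown side by side in a few lines. The following is an added illustration, not code from the post or from any real operating system; the capability names, the principals and the application manifests are constructed examples.

```python
"""Toy comparison of ambient-authority vs capability-based least privilege.

Added illustration (constructed example, not a real OS interface).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A user account: everything it is *allowed* to do, plus a root flag."""
    name: str
    capabilities: frozenset
    is_root: bool = False


@dataclass
class Process:
    """A running application and the subset of capabilities it actually holds."""
    app: str
    granted: frozenset
    audit: list = field(default_factory=list)  # denied actions, for detection


# --- Model 1: ambient authority (the "root can do anything" scheme) -------

def ambient_allows(principal, action):
    """Classic check: root bypasses everything, others use their full set.
    Every process run by the user carries the user's *entire* authority."""
    return principal.is_root or action in principal.capabilities


# --- Model 2: capability-based least privilege ----------------------------

def missing_capabilities(principal, required):
    """Capabilities the application asked for that the principal lacks."""
    return frozenset(required) - principal.capabilities


def launch(principal, app, required):
    """Start `app` with the capabilities it declared it needs.

    If the principal lacks any one of them, the launch is refused outright.
    If the principal holds more than the app asked for, only the requested
    subset is attached to the process, so a compromised app cannot use the
    rest (the 'only the necessary ones will be used' point in the comment).
    """
    missing = missing_capabilities(principal, required)
    if missing:
        raise PermissionError(f"{app}: cannot start, missing {sorted(missing)}")
    return Process(app=app, granted=frozenset(required))


def perform(proc, action):
    """Check an action against the process's own grant, not the user's.
    Denials are recorded so an administrator can spot an app overreaching."""
    if action in proc.granted:
        return True
    proc.audit.append(f"DENIED {proc.app}: {action}")
    return False


if __name__ == "__main__":
    # Constructed sample principals.
    alice = Principal("alice", frozenset({"read_docs", "write_docs", "net_connect"}))
    root = Principal("root", frozenset(), is_root=True)

    # Ambient model: root's text editor can open network connections.
    print("ambient, root editor net_connect:", ambient_allows(root, "net_connect"))

    # Capability model: the editor declared only document access, so even
    # though alice may use the network, her editor process cannot.
    editor = launch(alice, "editor", {"read_docs", "write_docs"})
    print("capability, editor write_docs:", perform(editor, "write_docs"))
    print("capability, editor net_connect:", perform(editor, "net_connect"))
    print("audit trail:", editor.audit)

    # An app asking for more than alice holds does not start at all.
    try:
        launch(alice, "backup", {"read_docs", "read_all_users"})
    except PermissionError as err:
        print(err)
```

The cost the commenter anticipates is visible in `launch`: the application author has to enumerate `required` correctly when writing the program, and a fine-grained set means a longer check at every start. The benefit is that `perform` consults the process's own grant rather than the user's, so the damage a misbehaving application can do is bounded by what it asked for, and the `audit` list gives a defender a record of attempts that exceeded that grant.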
March 21st, 2005 at 5:00 pm
“… the bad, bad, bad security decisions that have been made again and again in Redmond”
I could be happier with your conclusion if you’d said:
“… the points at which security should have been considered when the emphasis was all on adding bells and whistles and other sloppily designed go-faster stripes, using error-prone programming tools”.
ActiveX was denounced as vulnerable when it was first announced.
Maybe “Real Programmers Don’t Use Pascal” (http://www.pbm.com/~lindahl/real.programmers.html) is just a bit out of date, but then it was written over 20 years ago.
March 21st, 2005 at 9:00 pm
Tangentially, Symantec reports that Mac OS X is both already and will soon be in big trouble as hackers attack it.
So why do Windows-analysts keep looking for ways to provide poor excuses for MS while it approaches 70000+ viruses/malware/etc? And others keep looking for ways to warn people away from Mac OS X as it possibly approaches its very 1st virus/malware in the wild?