 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
Making a mockery of security
This column originally ran in ComputorEdge on September 26, 2003
(Issue 2139, Mo' Money, Mo' Money, Mo' Money)
If you own a Mac or Linux box, you may have missed the excitement over the summer as a series of viruses and worms written to infect Windows-based computers wreaked havoc on corporate America.
Actually, given the extent of security holes in Windows, even Mac and Linux users were affected – because the SoBig virus infestation and blaster worm both generated so many fake e-mails that it actually slowed down the Internet for everybody.
Given that reality, you might think that the powers that be would take the situation seriously.
Instead, while the rest of us were steaming that we couldn't get online to conduct our business or just have fun – and spent much of the time we did get online deleting bogus e-mails with attached viruses or trying desperately to install the latest security fix from Microsoft – the FBI managed to nab some poor 18-year-old "hacker" responsible for almost none of the problems.
This is the best our vaunted law enforcement can do?
Granted, the FBI has other tasks on its hands these days besides trying to catch computer hackers, who, after all, don't fly airplanes into skyscrapers or blow up mosques.
Still, the arrest of Jeffrey Lee Parson seems particularly pathetic in that he didn't write a virus or worm – he merely modified the existing blaster worm, a modification that infected only about 7,000 computers.
Compare that to the official admission that the main blaster worm infected more than half a million Windows-based computers, and one gets the unshakeable feeling that the arrest of Parsons was meant more to deflect attention away from law enforcement's inability to catch the main perpetrator than to actually stop the flow of viruses and worms.
Who's really responsible?
Well, and to deflect attention from Microsoft's continuing ineptitude at designing secure computer systems.
Bill Gates always did put more emphasis – and money – into marketing Windows, and before that, DOS, than into making those products actually work as advertised. He's also been quite effective at getting Congress and the states to provide software manufacturers with a remarkable level of legal wiggle room when it comes to liability for product defects.
If GM or Ford sold cars that are as buggy as Windows has proven itself, they'd be shut down by lawyers coming after them with consumer lawsuits.
Windows or any other piece of software doesn't work?
Tough luck.
A class-action lawsuit waiting to happen
Now, I'd be among the first to agree that our society could use a lot fewer lawyers and a bit more "buyer beware" attitude in the marketplace.
But Microsoft's hubris in strong-arming its way into market dominance in the operating system arena while never doing the basic homework to ensure that its software really lived up to its promises of security ought to cause some lawyers somewhere to take a look a liability law.
Even if that doesn't work, even the legal loopholes the software industry has gotten legislators to provide it are upheld as constitutional, what about taking a look at good, old-fashioned fraud law? False advertising and marketing are still illegal – and Microsoft's behavior in how it promotes Windows, combined with the reality of the many and repeated Windows security flaws, at least call for looking at such a legal strategy in order for businesses to recoup their losses from the viruses and worms that brought down so many over the summer.
Because again and again, some pimple-faced adolescent manages to find a backdoor into Windows and use it to create havoc. If Windows is as secure as Microsoft says in its advertising and marketing pieces, then it shouldn't be that easy for amateurs to keep finding holes in that security.
And arresting some pathetic kid on trumped-up charges can't deflect attention from that reality forever.
True enough, hackers shouldn't be hacking.
But then again, perhaps Microsoft shouldn't be touting Windows as a secure environment.