Still Waiting for a Truly Secure System

About a year and a half ago, as I was preparing for a series of Microsoft-sponsored security talks with Mark Minasi, I suggested that my talk--which was to focus on Microsoft's security road map--might be jokingly called "Finding the Humor in Security." For the record, I was serious about the title, but the attempt at humor fell on deaf ears in Redmond and we used a more staid (i.e., boring) title.

I'm not laughing anymore. On Sunday night, while preparing for a trip Monday to New York, the notebook I had planned to bring was suddenly struck by the most malicious software (malware) I've ever encountered. This Trojan horse got through my defenses despite the fact that I was running the Release Candidate 1 (RC1) version of Windows XP Service Pack 2 (SP2) with the firewall turned on. It was infuriating, and after hours of investigating, deep cleaning with various antivirus and spyware products, and consulting with my technical guru (Storage UPDATE's Keith Furman, a lifesaver), I finally gave up. As I write this commentary, I'm heading to New York by train, using a different machine, and my infected laptop is home, awaiting a complete wipeout. I never did completely clean up the machine, and I'm still frustrated by the defeat.

This isn't the first time I've been hacked. A few years ago when Nimda hit, I discovered the chilling message, "You've been hacked by the Chinese" on one of my Web servers. Fortunately, I had previously taken the simple step of moving my Web sites out of the default location (i.e., they weren't in C:\Inetpub\wwwroot), so I didn't lose any data. But the episode left me with an uncomfortable feeling of violation.

As a news reporter, I write daily stories about Microsoft and the computer industry and, as you might expect, security-related topics have dominated the headlines recently in ways that no topic--even Microsoft's epic antitrust battle with the US government--ever has. Even here in Windows & .NET Magazine UPDATE, security has been an overwhelmingly popular topic: The editorials in at least 10 of the last 24 issues have dealt, at least in some way, with security. These days, the topic is almost unavoidable.

Oddly, I've actually defended Microsoft and its security record. I've written--and I still believe--that no company is doing as much work as Microsoft is right now to secure computer systems and that, ultimately, this work will benefit us all as PCs become more and more adept at dealing with electronic intrusions. Last week, in a meeting at Microsoft, XP Lead Product Manager Greg Sullivan showed me how XP SP2 prevents a particularly nasty form of attack, in which malicious users can use chromeless (i.e., borderless) browser windows to hide warnings and make you think that you're accepting a valid bit of Microsoft code. The ingenuity in such an attack highlights the problems Microsoft faces as it seeks to secure Windows and its other products against increasingly sophisticated attackers.

But ultimately, I'm not as concerned with Microsoft's problems as I am with how the company addresses its customers' needs. One concept I've always tried to get across, whether here in Windows & .NET Magazine UPDATE or on the road during speaking engagements, is that we need to remember where we, as Microsoft customers, fit in the equation. We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security--it's just not there today, not yet.

And based on my recent experience, SP2 might not be the panacea I was hoping for. Indeed, days before my unfortunate experience with the aforementioned particularly irritating Trojan horse, Sullivan intimated during our meeting that SP2 wouldn't cure all security problems. Although the company is raising the bar in this release--dramatically, in some ways, especially for next-generation PCs whose microprocessors support the No Execute (NX) security technologies--SP2, like most technologies, will be too little, too late, for some people.

That brings me to another little bit of humor that I pull out whenever something goes wrong--maybe a demo isn't working quite right or a projector refuses to cooperate with my laptop for some reason. "Technology has never failed me," I'll deadpan. It always gets laughs, but you know what? Maybe the joke is really on me. If anything, technology has done nothing but constantly fail me. And now, purposeful technological glitches are starting to bridge the gap between simple irritation and economic ruination. I'm starting to fear that the Good Guys can't keep up.

Pick your poison: Today, we have spam, browser phishing, browser hijacking, Trojans, worms, and viruses and probably have other malware of which I'm naively ignorant. Call me a Luddite, but I long for simpler days.
