Free Republic

Most IT Experts Do Not Trust Microsoft-Report
Reuters via Yahoo ^ | Mon Mar 31, 6:01 PM ET | Reuters

Posted on 04/01/2003 8:22:57 AM PST by Dominic Harr

SEATTLE (Reuters) - Three-fourths of computer software security experts at major companies surveyed by Forrester Research Inc. (Nasdaq:FORR) do not think Microsoft Corp.'s (Nasdaq:MSFT) products are secure, the technology research company said on Monday.



While 77 percent of respondents in the information technology (IT) field said security was a top concern when using Windows, 89 percent still use the software for sensitive applications, Cambridge, Massachusetts-based Forrester said in a report titled "Can Microsoft Be Secure?"

The survey polled 35 software security experts at $1 billion companies.

Forrester analyst Laura Koetzle said that "too few firms are taking responsibility for securing their Windows systems."

Koetzle said that 40 percent of firms were not planning to make security improvements themselves and that only 59 percent of those who suffered security attacks have made changes to the way they use Microsoft software.

Microsoft, the world's largest software maker, launched a company-wide initiative over a year ago to make its software more secure and trustworthy in the face of attacks that targeted the vulnerability and wide reach of its software.

"We understand that achieving the goals of Trustworthy Computing will not be an easy task and that it will take several years, perhaps a decade or more before systems are trusted the way we envision," a Microsoft spokesman said in an e-mailed response to the report.

"We are working to address existing security concerns, including patch management .... This is only the beginning and we are confident that customers will continue to see additional progress over time."

In the most dramatic incidents, such as the Nimda and SQL Slammer worms that exploited holes in Microsoft software, patches were available from the Redmond, Washington-based company well before the attacks happened. In many cases, however, the patches were not implemented by system administrators and engineers.

Koetzle noted that while Microsoft's patches for the last nine high-profile Windows security holes predated such attacks by an average of 305 days, too few customers applied the fixes because "administrators lacked both the confidence that a patch won't bring down a production system and the tools and time to validate Microsoft's avalanche of patches."

Microsoft argues that it is doing a better job of informing customers about security holes in its software, but many customers are questioning the amount of work needed to implement additional patches and fixes to Microsoft's software.

When the SQL Slammer worm, which slowed Web traffic worldwide and shut down automatic teller machines across the United States, hit in January, Microsoft had already provided a security patch that the worm targeted in July of 2002.

But because the patch was difficult to install, Microsoft scrambled to create an installation program that would make it easier for companies to implement the patch.

"Microsoft must develop new simple, consistent tools for applying patches and mitigating security platform risks," Koetzle said.

Koetzle also said that IT professionals should work more closely with Microsoft and companies that write software for Windows to make sure computer systems are more secure, instead of blaming Microsoft for security breaches.


TOPICS: Technical
KEYWORDS: computersecurityin; microsoft; techindex
Not sure I'd exactly call this 'news' . . . but here's more grist for the mill.
1 posted on 04/01/2003 8:22:57 AM PST by Dominic Harr

To: *tech_index; *Microsoft
A, "Less filling! Tastes Great!" ping.
2 posted on 04/01/2003 8:23:40 AM PST by Dominic Harr

To: Dominic Harr
patches were available from the Redmond, Washington-based company well before the attacks happened. In many cases, however, the patches were not implemented by system administrators and engineers.

This is key... I worked for Microsoft and I guarantee you they have entire teams that do nothing all day but try to poke holes in Windows and monitor hacker sites for discovered vulnerabilities. Windows *IS* secure, but you have to do your part to protect yourself.

If I leave my car unlocked with the keys in the ignition, is it Ford's fault for making an unsecure car?

3 posted on 04/01/2003 8:41:29 AM PST by Lunatic Fringe (When news breaks, we fix it!)

To: Dominic Harr
You're right. It's not news. :-) I was about to post it myself though when I found your post in a search.

I'm still shocked that people are willing to expose microsoft servers to the net unprotected. You can patch your servers weekly (that is, if you don't bother to regression test the patches on production systems) and still not keep up.

4 posted on 04/01/2003 8:45:03 AM PST by zeugma (If you use microsoft products, you are feeding the beast.)

To: Dominic Harr
Unfortunately, commercial Linux distributions in their default setups aren't exactly secure, either. :-( You have to be able to "tweak" a number of settings in Linux in order to really make it a pretty secure OS.
5 posted on 04/01/2003 8:48:19 AM PST by RayChuang88

To: Dominic Harr; *Computer Security In
http://www.freerepublic.com/perl/bump-list
6 posted on 04/01/2003 8:57:47 AM PST by Libertarianize the GOP (Ideas have consequences)

To: Lunatic Fringe
If I leave my car unlocked with the keys in the ignition, is it Ford's fault for making an unsecure car?

If Ford made cars that, when delivered, didn't lock properly, could be turned on without the key, and made it difficult to remove the key from the ignition that could all be fixed if you only kept bringing your car in every few months for free recommended repairs announced in recall notices that look like junk mail, yeah, I might start blaming Ford.

Yes, I think that a system administrator and security expert who doesn't stay on top of these things is next to worthless. But producing an OS that requires system administrators and security experts to keep them safe and which are difficult enough to maintain that even companies with system administrators and security experts mess things up is more like producing a car that the manufacturer claims is perfectly reliable and safe IF you hire a mechanic and a security guard to ride with you no matter where you go.

And, yes, I realize that no OS is perfect in this regard.

7 posted on 04/01/2003 8:57:49 AM PST by Question_Assumptions

To: Question_Assumptions
Well Microsoft gets a bad rap because of the constant fixes, but I think in part that is a result of hatred for Microsoft. I bet you can find as many holes in Linux if it were as hated as Windows and people were constantly looking for holes... as it is, I get a Linux update almost every month.
8 posted on 04/01/2003 9:19:55 AM PST by Lunatic Fringe (When news breaks, we fix it!)

To: Lunatic Fringe
I don't think that's the real problem. All OSs have vulns. And, yes, it does matter how users maintain their systems.

But Trustworthy Computing decided to put technologies like Palladium in the forefront. But, for most users, a good PKI for email and an encrypted file system for important documents would go much farther toward providing real security.

"Trusted computing" has applications, but historically they have not been mainstream applications. I think it is a mistake for Microsoft to push a technology that has so much potential for abuse ahead of technologies like strong encryption for files and email that have no downside for users. Microsoft appears to be working for Hollywood more than for their customers.
9 posted on 04/01/2003 9:32:22 AM PST by eno_

To: Dominic Harr
Microsoft isn't trusted like America isn't trusted.

Being big and successful is a problem to envious toads.

Microsoft is an American success story, the target of far more frequent attacks because of its high installation ratio.

So anyone who wishes is free to go Linux or Mac, and enjoy.

For the record, Microsoft is less of a monopoly than Apple. Think hardware. Just far more successful, and hence the problem.

10 posted on 04/01/2003 9:34:33 AM PST by Enduring Freedom (To smash the ugly face of Socialism is our mission)

To: Enduring Freedom
Microsoft is an American success story, the target of far more frequent attacks because of its high installation ratio.

An interesting theory, but one that is well-discounted.

Sendmail is the most prevalent MTA in use today, yet Exchange has more security problems.

Apache is the most prevalent web server, yet IIS has more security problems.

The size of the installed base has little to do with the ability of said base to be exploited. It seems, rather, that the quality of the code has more to do with it.

11 posted on 04/21/2003 6:32:08 AM PDT by Knitebane

To: Knitebane
Size of installation base is directly correlated to the incidence of hacker attacks.

Why?

A target-rich environment. Why waste your time writing code to fight an obscure system?

In the specific case of Microsoft, the ease-of-installation permits laypersons unfamiliar with protection schemes to do quite advanced implementations, increasing the potential for significant gaps and holes.

But I get it. You don't like Microsoft.

12 posted on 04/27/2003 6:10:25 AM PDT by Enduring Freedom (To smash the ugly face of Socialism is our mission)

To: Enduring Freedom
So anyone who wishes is free to go Linux or Mac, and enjoy.

Oh, we are...we are.

13 posted on 04/27/2003 6:38:02 AM PDT by B Knotts

To: Dominic Harr
do not think Microsoft Corp.'s products are secure

This is portrayed as some kind of knock on Microsoft, but in fact it's the best news Microsoft could get. It's also the best news Red Hat could get.

What these guys are really saying is that they are not going to do squat about making their systems secure. They are leaving it up to Microsoft to make that happen by magic. It hasn't happened yet, so they are grousing. But there is no sign that they are going to actually do anything about it except "wait for the vendor to fix it."

This is a wonderful thing for the guy whose market position is, "Yeah, it costs more up front, but it's worth it." By their actions, these IT types are ceding to Microsoft the role of making their systems secure. They are not so stupid as to think they are going to get that for free, so they are essentially agreeing that they would rather pay the vendor to make this go away than deal with it themselves.

This is also good news for the linux distro guys, because it validates their business model, which turns on making money from post-installation support services instead of license fees on the basic OS. The kind of guy who will pay Microsoft to maintain his Windows installation will pay Red Hat to maintain his linux installation... good news for Red Hat.

In fact it's especially wonderful news for Red Hat, because this is an area where economies of scale are a big deal. Less popular distributions have no way to sell a linux update service as cheaply as Red Hat can. So this becomes a market share accelerator by which Red Hat slowly creams the other linux distro guys. The fact that Microsoft is a much larger company doesn't matter that much, because in the "advanced server" segment where this action is taking place, the two aren't that far apart.

The guy to watch here is IBM. If they allow Red Hat to become the big linux service-provider to IT shops, they will have made the same mistake they made when they put a rocket under Microsoft by adopting PC-DOS. They should have bought Microsoft right then. I bet they've learned that lesson.


14 posted on 04/27/2003 7:32:33 AM PDT by Nick Danger (The liberals are slaughtering themselves at the gates of the newsroom)

To: Knitebane
Microsoft is an American success story, the target of far more frequent attacks because of its high installation ratio.

An interesting theory, but one that is well-discounted.

Now stop that. You are interfering with the ability of Microsoft Munchkins to spread FUD amongst the consumers.

Just because you know that Sendmail and Apache are huge factors in the market, that doesn't mean that people outside the business know that. The FUDsters are depending on the ubiquity of Windows on consumer desktops to fool the average Joe into thinking that Microsoft has the same kind of dominance everywhere.

Every time they get into one of these deals about what's happening with linux, they haul out their desktop market share and wave it around as though it means something in a discussion about server software. Some people don't know any better so they fall for it. The FUDsters know that, and that's why they do it. It's dishonest as hell, but when did that ever slow down the Microsoft marketing department?


15 posted on 04/27/2003 7:44:47 AM PDT by Nick Danger (The liberals are slaughtering themselves at the gates of the newsroom)

To: Enduring Freedom
Size of installation base is directly correlated to the incidence of hacker attacks.

Once again, this is false. My previous comment presented two cases where this is proven to be not true.

If you have evidence supporting your claim, I'm sure we'd all like to see it.

Otherwise, you need to re-examine your assumptions.

In the specific case of Microsoft, the ease-of-installation permits laypersons unfamiliar with protection schemes to do quite advanced implementations, increasing the potential for significant gaps and holes.

And this is okay why? Why do otherwise professional computer people depart from reality and give major computer software companies a pass on this? This kind of behavior has been long ago established in the real world as negligent.

If I dig a deep hole in my front yard and the mailman falls into it, it's my fault for not doing something to prevent it. If Microsoft builds software with settings that allow malicious users to take advantage and do nothing to prevent it, it's ok by you.

But I get it. You don't like Microsoft.

I don't like Microsoft's current or previous activities. When Microsoft starts behaving with some corporate ethics, I'm prepared to forgive them.

16 posted on 04/27/2003 8:49:39 PM PDT by Knitebane

To: Nick Danger
Now stop that. You are interfering with the ability of Microsoft Munchkins to spread FUD amongst the consumers.

I know, I know. But it's like a car wreck, man. You just have to stop and look.

Over a year ago in one of these tech threads I made a comment that my postings are not an attempt to convert those that I respond to, rather my postings are an attempt to ensure that those perusing the thread get something other than the FUD of the Nothing But Microsoft crowd.

I'll just go on telling the truth and the rest will have to take care of itself.

17 posted on 04/27/2003 8:56:37 PM PDT by Knitebane

To: Knitebane
Your admission that you don't like Microsoft is just so revealing.

Raging against Microsoft, McDonalds, etc. is an interesting use of your time, but ask yourself: Why do people support their products?

In the case of fast food, you, like most people, can probably make a better hamburger, but that isn't the whole story, is it.

Porsche too makes a very fine car, but it will never be General Motors, and that seems to suit the needs of the marketplace in balanced proportions.

Are you a purist, wanting to pay more for security protection, wanting the comfort of a weasel-protected environment, but willing to work a little harder and smarter to make it all work?

Congratulations. Apparently the marketplace can accommodate your needs.

Microsoft is a wonderful American success story, with many contributions to the current technology landscape, and perhaps you can one day admit, and even admire, them for that achievement.

18 posted on 05/08/2003 8:45:28 AM PDT by Enduring Freedom (To smash the ugly face of Socialism is our mission)

To: Enduring Freedom
Your admission that you don't like Microsoft is just so revealing.

My "admission" was that I disapprove of Microsoft's unethical and anti-competitive practices. How kind of you to rewrite my statement so that it fits your agenda.

Raging against Microsoft, McDonalds, etc. is an interesting use of your time, but ask yourself: Why do people support their products?

In Microsoft's case, it's because they have worked very hard to eliminate any other choice.

In the case of fast food, you, like most people, can probably make a better hamburger, but that isn't the whole story, is it.

You are correct, there is more to the story. Notably, McDonald's doesn't shoot cows to keep the price up, nor threaten ranchers if they sell to Burger King. Nor do they get up in public forums and rant against people who cook hamburgers in their own kitchen and swap recipes.

Porsche too makes a very fine car, but it will never be General Motors, and that seems to suit the needs of the marketplace in balanced proportions.

Porsche and its mother company Volkswagen have the greatest marketshare of auto manufacturers in Germany. Instead of trying to compare a high-priced import to cars like the Ford Focus or the Saturn, let's try a better analogy. Wouldn't it bother you if the only car manufacturer in the US was GM, and they had used some rather nasty tactics to push their competition out of the market?

Are you a purist, wanting to pay more for security protection, wanting the comfort of a weasel-protected environment, but willing to work a little harder and smarter to make it all work?

I have no idea what you are trying to say here. Are you implying that it's good that Microsoft makes software that is full of security problems? Are you suggesting that software that does exactly what it is supposed to do is bad?

Microsoft is a wonderful American success story, with many contributions to the current technology landscape, and perhaps you can one day admit, and even admire, them for that achievement.

Microsoft is a success story like Stalin was a fatherly benefactor for his people. The propaganda sure sounds good, but if you examine the facts it gets ugly quickly.

19 posted on 05/09/2003 3:50:44 PM PDT by Knitebane

To: Dominic Harr
Three-fourths of computer software security experts at major companies surveyed by Forrester Research Inc. (Nasdaq:FORR) do not think Microsoft Corp.'s (Nasdaq:MSFT) products are secure, the technology research company said on Monday.

Well, it really doesn't matter. They're not all that concerned about system security in India.

20 posted on 05/09/2003 3:53:23 PM PDT by Euro-American Scum