Bill Gates wants us to believe security is Microsoft’s new Number One
priority. He wants us to believe they have the users’ best interests at
heart.
I, personally, want to believe the moon is made of green cheese. The
problem with both of these situations is I know too much for either to
ever happen.
Until Microsoft announces a major effort to rearchitect the source code
for the Windows operating system, everything he says about security
should fall on deaf ears.
Windows machines account for somewhere between 70 and 90 percent of all
computers on the Internet — for safety’s sake, we’ll put those numbers
in the U.S. Windows’ Number One selling point is ease-of-use for the end
user. Well, that and it’s cute, too.
From the beginning, the emphasis has not been on security.
How can I make such a bold statement? Two words: Buffer Overflow.
In the very first class I took in programming (those many years ago), we
were berated class after class about proper bounds checking to prevent
buffer overflows. What this means in simple terms is that every time my
program asked the user for input, it had better check to make sure the
input fit in the place I reserved for it. If I asked for a “Y/N” and I
got a “yes” or a “no”, those extra characters had to go somewhere and
I had better be prepared for them.
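
The bounds check described above, as an added example that is not part of the original column: a C routine that reads a Y/N answer into a three-byte buffer with `fgets` and discards whatever does not fit, so the extra characters neither overrun the buffer nor leak into the next prompt. The names `read_yes_no` and `classify_nth`, the return codes and the sample input are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { ANSWER_EOF = -1, ANSWER_TOO_LONG = -2, ANSWER_INVALID = -3 };

/* Unchecked form, for contrast only: char answer[2]; scanf("%s", answer);
 * typing "yes" would write 4 bytes (3 letters + NUL) into the 2 reserved. */

/* Hypothetical helper: read one Y/N answer; return 'Y', 'N' or a code. */
int read_yes_no(FILE *in)
{
    char buf[3];                              /* one letter + '\n' + '\0' */
    if (fgets(buf, sizeof buf, in) == NULL)   /* never writes past buf */
        return ANSWER_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                    /* whole line fit: drop newline */
    } else {
        int c, extra = 0;                     /* line may be longer than buf */
        while ((c = getc(in)) != EOF && c != '\n')
            extra++;                          /* the extra characters go here */
        if (extra > 0)
            return ANSWER_TOO_LONG;
    }
    if (len != 1)
        return ANSWER_INVALID;
    int ch = toupper((unsigned char)buf[0]);
    return (ch == 'Y' || ch == 'N') ? ch : ANSWER_INVALID;
}

/* Hypothetical helper: feed `typed` through a temporary file and return
 * the result of the n-th prompt (1-based). */
int classify_nth(const char *typed, int n)
{
    FILE *f = tmpfile();
    if (f == NULL) return ANSWER_EOF;
    fputs(typed, f);
    rewind(f);
    int result = ANSWER_EOF;
    for (int i = 0; i < n; i++)
        result = read_yes_no(f);
    fclose(f);
    return result;
}

int main(void)
{
    const char *typed = "yes\nn\n";           /* constructed sample input */
    printf("%d %c\n", classify_nth(typed, 1), classify_nth(typed, 2));
}
```
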
Buffer overflows are just the beginning of security flaws written into
the Windows operating system.
Gates states that the new IE 7.0 will fix “most security flaws” in
Internet Explorer. That’s great, but it will only be available to
Windows XP Service Pack 2 users. What? If you’re running Windows 2000,
that’s just too darn bad. Security isn’t for you.
But that’s kind of OK, because it really isn’t for the XP SP2 crowd,
either.
Why is that? Service Pack 2 is a package of patches, updates, and fixes
all rolled into one large executable. It’s also the size of a small
operating system (about 40Mb). And it doesn’t fix everything or we
wouldn’t currently be experiencing the revival of the MyDoom virus on
networks around the world.
According to Microsoft, there are
more than 70 security patches rolled into Service Pack 2. This doesn’t
include the ones that are listed as base operating system patches, IE
patches, RPC patches and “other”, many of which involve that little
thing known as the Buffer Overflow, which “could allow arbitrary code
execution”.
My favorite patch in Service Pack 2 is listed as Windows XP and Windows
XP Service Pack 1 (SP1) Kernel Rollup Hotfix Package. Do you want to know
what this fixes? It fixes a Buffer Overflow in Service Pack 1.
Yah, it’s all about the security.
The week before the recent RSA Conference in San Francisco, Microsoft
announced 14 new vulnerabilities in Windows XP. Since the first of the
year, there have been more than 20 vulnerabilities found in Windows, and
these are just the ones being tracked by the SANS Critical Vulnerability
Assessment group.
In 2001, when XP was released, it was held up as a new paradigm in
operating systems, built to withstand the foibles of the older DOS-based
OS. But Service Pack 1 came out in late 2002, the patch to the patch was
released in May 2003 and Service Pack 2 was released in November of 2004.
It’s clear they haven’t gotten it worked out yet. But they are going to
continue to throw patches and hotfixes at the problem rather than resolve
the underlying weakness in the source code.
To top it all off, there are free operating systems on the Internet that
are smaller than the latest Service Pack. Yes. They are complete
operating systems that will run on your PC, and that are smaller than
Microsoft’s latest patch rollup.
There also are free browsers that do a much, much better job of
preventing the installation of subversive code without your knowledge.
They also block all those annoying popup ads, which are the source of
much spyware. Why isn’t everyone bolting for a more secure, better
managed operating system? They don’t have the Windows-like simple
interface and plug-n-play abilities. In some cases, they aren’t even
cute.
But what about free browsers? Why wait for the latest and greatest
Internet Explorer to come out this summer? Take a look at Firefox and see
what you think for yourself.
And we can’t forget that buffer overflows are just one example of
vulnerabilities.
Windows users are under threat from privilege elevation exploits,
denial-of-service attacks, spyware and malware, which are probably the
most insidious of all vulnerabilities.
At the recent RSA conference, Gates said security is a challenging area.
“New threats are emerging all the time… but we’re working to mitigate
those problems,” he added.
But the question remains — What is being done about preventing the
threat in the first place?
If you don’t build a house made of glass, every rock-throwing little kid
won’t be a threat.
One argument that I’ve heard from various sources is that Microsoft is a
victim of its own popularity. Because it is the predominant operating
system in use, the bad guys target it for attack because the victim pool
is so large.
My response is phrased in a simple proverb I learned in my childhood —
“To whom much is given, much shall be required.”
Microsoft has the money and the resources, and it has an obligation to
the people who swear by Windows to do it right, and do it right the first
time. Gates wants more market share. He wants the space shuttle to run
Windows (And to be honest, it probably already DOES run Windows on some
systems. Isn’t that a scary thought?) But he never acknowledges the need
to complete a top down/bottom up overhaul of the existing code base.
If I had the money Gates does, I could write an operating system that
incorporates security, does everything Windows does for the user, and
more.
It’s never been about security for Microsoft and I don’t think it is now.