Once Upon a Time
Back when the computer industry was young we had proprietary systems like MVS, VM, and AS400 which were relatively closed and protected by the primary vendor. IBM owned the platform top to bottom. While there were third-party security products they were generally for point solutions that filled gaps left open by IBM’s offerings.
As UNIX and Windows came up together the two platforms took different paths. Windows was targeted at the desktop and relatively non-technical users while UNIX went to workstations and servers and a vastly more capable user base which tolerated vastly more robust security. UNIX was targeted at replacing the earlier IBM systems and had to meet the same security standards, which it actually often failed to do largely because people were learning about the new platforms.
Windows however was designed to be easy to use and very easy to access. In many cases early PCs replaced calculators and typewriters where security typically meant locking them in a cabinet or desk.
In a way it was much like building castles vs. building houses in a protected town. The castles (UNIX/Midrange/Mainframe) had to have heavy walls and moats to protect what they contained, but the houses typically didn’t get that level of protection.
While there was the occasional thief (floppy-based viruses), there was no need for heavy fortifications because the networks were generally secure and often only connected to a protected large system through a terminal interface. Kind of like having a large-walled and well-fortified town.
But much like even a walled town can have an increase in petty crime, viruses started to proliferate between machines. In response, the industry’s version of fence builders and locksmiths developed. We called them Anti-Virus companies. Looking back this was probably a mistake but, at the time, Microsoft didn’t want to be bothered with Anti-Virus and was more than happy to have someone else deal with it.
Industrialization of the PC (the Internet)
Things changed and in the mid 90s folks got connected to the Internet. This was like demolishing the wall protecting the walled city and, for the first time, PCs (which were still largely used in business) were exposed to the outside world. While many started pointing out that the existing security methods were no longer adequate, neither Microsoft nor the Anti-Virus firms changed much. There were new kinds of protections being implemented like Firewalls, and much like an improved police force, people still felt relatively safe.
Up until the end of the 90s the wall builders and the house builder, the Anti-Virus firms and Microsoft, largely led a symbiotic relationship. Unfortunately, at the end of the 90s the barbarians attacked and things changed dramatically.
Attack of the Virus Barbarians
Whether it was zealots wanting to hurt Microsoft or not, the new millennium brought broad attacks that did massive damage. They easily overwhelmed the anti-virus products in place at the time; it was like an attack of barbarians overwhelming the fences and locks that had been built – and Windows users worldwide were hurt badly.
Now Microsoft had been, perhaps foolishly, depending on the anti-virus companies to step up to this threat. But instead these same companies seemed to turn on Microsoft and join in blaming them for the resulting problems. Worse, they seemed to revel in broadcasting just how to penetrate Windows’ rudimentary security.
This would be like finding your fence builder or locksmith writing about when you weren’t home and how to build lock picks. The initial response was an attempt to harden the existing Windows offering. Kind of like putting up bars on the Windows and Doors, and just like bars attached to a house of straw, the protections helped but were less than sufficient.
Our Wall Builders, now called Security Companies, built stronger walls but even they were not adequate for what was a nearly overwhelming threat. Many of the big firms still gleefully pointed to Microsoft as the problem while selling their increasingly expensive solutions as a fix. The home owners – us – were largely caught out in the open with our pants down and, strangely enough, blamed Microsoft more than we blamed the firms we were paying to secure us.
We should have blamed both.
Eventually our house builder, Microsoft, got really upset and stopped looking at the Security firms as their protectors. Instead, Redmond started viewing them as part of the problem and redesigned their houses to more closely emulate the castles (Vista) which still existed and had better weathered the barbarian Virus attack.
Suddenly our fence builders/Security Firms are screaming foul because, if Microsoft builds castles, buyers will no longer need to buy fences. Had these firms stepped up to their duties as protectors and helped address the threat without attacking Microsoft in the process, this wouldn’t have happened. But they chose another path and, as a result, our house builder is building castles.
The strongest castle is the 64-Bit version of Vista. Configured with Microsoft’s own anti-malware offerings it is, on paper, vastly more secure than any other third-party protected earlier version of Windows.
This is a good lesson: don’t pass the responsibility for security for your products to any third party. The Romans learned this the hard way when they used mercenaries who eventually switched sides. Microsoft repeated that mistake. We are now seeing a correction which has many of the security firms screaming.
As one of the folks who repeatedly warned them that they were breaching the implicit contract in their symbiotic relationship, and forecast this result, it’s hard for me to feel sorry for them.
So the war, at least from my perspective, resulted not from Microsoft going after the security firms’ business but from the security firms taking the short-term lucrative path of attacking what they were supposed to protect, with the long-term result that they are no longer trusted to protect it.
As a result many may have to find another business because our new castle builder, Microsoft, has put everyone on notice that they plan to take back security, and has realized that they never should have given it up in the first place.