Barney's Rubble

Security Stalemate

While Microsoft's dedication to software security should be the gold standard for others, it's a war that the company will never win.

Microsoft is about as out of the security woods as Paul Bunyan. But it isn't for not trying. The company has spent the last 10 years obsessing over every line of code, working with law enforcement to hunt down cyber criminals, cooperating with enemies to build standards for interoperability, and writing Security Essentials -- a free (gasp!) anti-malware tool that's actually pretty good.

That's just the half of it. Microsoft has the Security Response team (which should be legendary) and Patch Tuesday (which is legendary and, quite frankly, puts Apple to shame).

All this, and Microsoft still has little more than a security stalemate. That's got to be frustrating for the fine folks in Redmond.

Put simply, Microsoft is fighting a force that's getting stronger even as Redmond's software defenses likewise gain strength. It's like Ali vs. Frazier on steroids.

Some of the ongoing vulnerabilities are Microsoft's doing. Its software gets larger, which makes sense on the server but not so much on the client, where it presents a larger attack surface. And the churn creates constant new code to attack.

What Microsoft can't stop is the fact that new hackers are created every day, and many are script kiddies who take code written by those with a modicum of talent and simply tweak it and resend it -- oftentimes with success.

Criminals have found there's gold in them thar computers. Often residing overseas, thieves and rogue elements of bad governments are highly organized, and find there's no better target than the most common and best understood style of computing: Microsoft's style.

To make matters worse, authorities by and large aren't serious about hackers, don't have proper knowledge and tools, and have worse funding than Enron in its final hours.

I see Microsoft spending the next 10 years tightening security even further. With sandboxes and virtualization, we might see an exponential increase in protection. But unless governments also get serious about hunting cyber criminals and dishing out real penalties, while the war will rage on, we'll still have a stalemate.

The only game-changer could be the cloud. Google just sent me a Chromebook. This thing is all Web. I'm not sure what I think so far, but I do know there are no Windows DLLs, so there's no malware.

That could be the beauty of the cloud. Our clients are safe because they're dumb, and we don't care. Our servers are safer because we don't have as many. And the cloud should be safer because those who run it are 100 percent focused on securing the limited number of apps they control.

Am I dreaming? Straighten me out at

About the Author

Doug Barney is editor in chief of Redmond magazine and the VP, editorial director of Redmond Media Group.

comments powered by Disqus

Reader Comments:

Thu, Dec 6, 2012 Dan Mile HIgh - Mile Deep

Doug - I am not a big fan of "the cloud", currently. But I also subscribe to the centralization theory of "put all your eggs in one basket and watch it very carefully". Theoretically, "the Cloud" has a potential of being a very secure location if built and maintained properly. A single "cloud" with each water droplet (application) isolated from each other, is easier to secure than a bunch of independent servers or networks maintained by a variety of folks with wildly different levels of expertise in the total depth of their system's applications, operating environment and network. Yes, we still have the "Desktop", the "user" and the communication network problems outside the "Cloud", but those vulnerabilities exist in any current environment. Oh yes, we still need to worry about "Big Weatherman" ("Cloud" version of "Big Brother") and his minions. But again, with proper "internal controls", these could be managed.

Wed, Dec 5, 2012

While the "virtuous" cloud provider will be faithfully taking care of keeping the patches up to date, and the brick wall around the center from tumbling down, getting them to contractually taking the cost risk is an impossible task. You still have that responsibility, and probably a need to get business interruption insurance to cover the cost and reputation loss if the provider is less than virtuous in real-life. The local telephone company failed to check their generators and caused 911 service to drop out for a day. Telephone companies have been reliable for 60 years or more, so go figure.

Wed, Dec 5, 2012 DT

Going to the cloud and assuming that these devices are like fixed function terminals used in the 70 and 80s will protect anyone is a dangerous illusion. These new “smart” devices like Google’s use shared memory and rouge apps can cause harm without the users’ knowledge. Google and others are not helping by lulling users in to thinking that the cloud will be some sort of Fort Knox for their data. It may help provide an initial of defense especially for smaller companies that can’t afford an IT staff or a security expert, but are you ready to keep you medical records and financial data in the cloud? I’m not there yet.

Thu, Sep 6, 2012 Bud

It's a good dream Doug, but I don't believe it without a little help to get my head in the cloud too. So don't bogart what you're smoking, pass it on over...

Wed, Sep 5, 2012 Paul Williams Houston, Texas, USA

You're dreaming on both ends of the equation.

On the client end, poor passwords, unlocked screens, insecurely configured Wi-Fi connections, lost machines, Phishing scams and physical attacks will work just the same as before.

On the server end, oh my! As already noted by others before me, with both external and internal hacks on the menu (malicious or even bribed insider employees for example of the latter), it's just a matter of time. And when that time comes, everyone who trusts that compromised cloud to "protect" them will pay dearly, all at once.

Wed, Sep 5, 2012 Jim New York

A wise man once said "Better to remain silent and be thought a fool than to speak out and remove all doubt". Unfortunately for you Doug, you just spoke - loudly. Eventually as the computing climate changes, so will the targets of the attacks. As Microsoft hardened Windows, attacks moved towards more vulnerable targets (I got a Flash and a Javascript update this week). It's the never ending electronic counter-measures game. Bad guys find a vuilnerability and attack it - good guys fix it - bad guys look for a new vulnerability. Like the shampoo bottle says - "Lather, rinse, repeat". Making a statement like "no Windows DLLs = no malware" is INSANELY irresponsible, especially by someone with your job title. Words cannot properly express my utter disappointment that someone who should know far better wrote this article and still hit "send".

Wed, Sep 5, 2012 EdS Colorado

You're dreaming, Doug. If we abandon our rich clients and become totally dependent on "the cloud" that just makes everyone more vulnerable. There are fewer targets, but the payoff is huge to crack one. The bad guys can go after the infrastructure instead of the end users. A denial of service attack now shuts people down instead of just being a nuisance.

Wed, Sep 5, 2012 Dan Iowa

"...there are no Windows DLLs, so there's no malware" - This ignorant attitude is why everyone will be dealing with security for a long long time. Even people who should know better, are guilty of similar ignorance. I have a theory about it, and it has to do with the dumbing down of later generations, brought about by education through internet/TV marketing. Heh, Doug you should do a story on that.

Wed, Sep 5, 2012 Eric

"but I do know there are no Windows DLLs, so there's no malware" REALLY?!?! Because JavaScript, Flash, PDF, and all the other whiz-bang cross-platform technologies we rely on to make the Web cool are so secure and invulnerable to attack, right? By using your logic Barney, there are no vulnerabilities on Unix, Linux, Mac OS, iOS, Android, VMS, OS/400, and System 38 "because there are no Windows DLLs". Time to unsubscribe from your newsletter, methinks.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.