Barney's Rubble

Security Stalemate

While Microsoft's dedication to software security should be the gold standard for others, it's a war that the company will never win.

Microsoft is about as out of the security woods as Paul Bunyan. But it isn't for not trying. The company has spent the last 10 years obsessing over every line of code, working with law enforcement to hunt down cyber criminals, cooperating with enemies to build standards for interoperability, and writing Security Essentials -- a free (gasp!) anti-malware tool that's actually pretty good.

That's just the half of it. Microsoft has the Security Response team (which should be legendary) and Patch Tuesday (which is legendary and, quite frankly, puts Apple to shame).

All this, and Microsoft still has little more than a security stalemate. That's got to be frustrating for the fine folks in Redmond.

Put simply, Microsoft is fighting a force that's getting stronger even as Redmond's software defenses likewise gain strength. It's like Ali vs. Frazier on steroids.

Some of the ongoing vulnerabilities are Microsoft's doing. Its software gets larger, which makes sense on the server but not so much on the client, where it presents a larger attack surface. And the churn creates constant new code to attack.

What Microsoft can't stop is the fact that new hackers are created every day, and many are script kiddies who take code written by those with a modicum of talent and simply tweak it and resend it -- oftentimes with success.

Criminals have found there's gold in them thar computers. Often residing overseas, thieves and rogue elements of bad governments are highly organized, and find there's no better target than the most common and best understood style of computing: Microsoft's style.

To make matters worse, authorities by and large aren't serious about hackers, don't have proper knowledge and tools, and have worse funding than Enron in its final hours.

I see Microsoft spending the next 10 years tightening security even further. With sandboxes and virtualization, we might see an exponential increase in protection. But unless governments also get serious about hunting cyber criminals and dishing out real penalties, the war will rage on and we'll still have a stalemate.

The only game-changer could be the cloud. Google just sent me a Chromebook. This thing is all Web. I'm not sure what I think so far, but I do know there are no Windows DLLs, so there's no malware.

That could be the beauty of the cloud. Our clients are safe because they're dumb, and we don't care. Our servers are safer because we don't have as many. And the cloud should be safer because those who run it are 100 percent focused on securing the limited number of apps they control.

Am I dreaming? Straighten me out at

About the Author

Doug Barney is editor in chief of Redmond magazine and the VP, editorial director of Redmond Media Group.

