You have to hand it to Microsoft for chutzpah. Although its operating system and apps are so buggy that new vulnerabilities are discovered with frightening regularity, it now wants Internet users to pony up to cover the cost of cybersecurity.
The idea was put forth by Scott Charney, Redmond’s vice president for trustworthy computing, during a speech at the RSA Conference 2010 security convention in San Francisco earlier this week.
His argument is that PC users who don’t run antivirus apps or back up their computers or patch their systems regularly are like cigarette smokers who poison other people with second-hand smoke.
After the U.S. Environmental Protection Agency came out with regulations to restrict second-hand cigarette smoke, second-hand smoke was banned everywhere, Charney pointed out.
“You have a right to infect and give yourself illness, you don’t have the right to infect your neighbor,” he said.
Extending that argument to PC users, he said that if you don’t run antivirus apps or patch their systems or back up their data, you’re “contaminating everyone around you, right?”
Wrong, Scott, old chap, utterly wrong. It’s software vendors with their lackadaisical programming practices who are contaminating everyone around them, right? When vendors turn out buggy code with lots of vulnerabilities, the fault has to be laid at their door.
And, I’d like to add, Microsoft is one of the biggest culprits in this area.
Test, Test, Test
Let me take you on an amble through history to prove my case. Back in the early days of the PC, software developers’ motto, as set by IBM, which was the gold standard, was test, test, test your software before you unleash it on the public.
Microsoft came along with the argument that good enough is good enough — and with its clever ploy of putting out betas so users could test its software and give it feedback for free. Most other software vendors went along, although seasoned executives at IBM and other Big Iron vendors did not.
The result? We’re inundated with buggy software. Vendors are selling the sizzle and not the steak, and the poor end user gets hacked, loses his personal data — and often his identity — at considerable financial and emotional cost.
On the topic of buggy software, take, for example, the Internet Explorer zero-day attack through which hackers attacked Google and at least 20 other major American businesses — the one that sparked a row between Google and China. That was launched through an invalid pointer reference that could impact IE versions 6 through 8.
How is it a programmer left an invalid pointer reference in the code? Did he delete an object and fail to modify the pointer so it still pointed to the memory space formerly occupied by that object? Or was the pointer used prior to initialization to some known state?
It really doesn’t matter; what’s important is that this is faulty programming. Someone should have double-checked and triple-checked before the app was issued for general release.
Use the Force
All this didn’t prevent Charney from beating up on PC users. Torquemada-like, he urged the use of force on PC users to ensure they adhere to the holy trinity of updating, patching and backing up their PCs.
“We do this in other areas like vaccinations,” he fulminated. “If you have kids who go to public schools, they get vaccinated or they don’t go. We do those under enforcement.”
Enforcement, eh? Well, how’s about applying those standards to Microsoft and other vendors? Let’s take the big stick to them and force them to abandon just-in-time testing and black box app development.
Let’s force them to hire programmers who actually know how to code in machine language and understand the basic structure of software so that first, they write good programs, and second, they understand that if you change a line of code, it may have a ripple affect that might impact the functioning of other code elsewhere in the program.
When vendors wheeple and wail about how that impacts their competitiveness, let’s give them the backs of our hands and point out that what’s really impacting their competitiveness is their inability or unwillingness to ensure that software was properly coded in the first place.
What Were You Thinking, Scott?
Not satisfied with blaming and seeking to punish the victim, Charney then went on to suggest the imposition of a tax on Internet users to ensure cybersecurity.
“You could say it’s a public safety issue and do it with general taxation,” he said.
Really, Scott? Why should we the users pay for the ineptness of software vendors? And please, don’t give me that tired routine about the bad guys being out there always looking for flaws.
Let’s take an analogy from real life. When you’re a kid your parents tell you the rules for living safely. Don’t talk to strangers or take candy from them. Look both ways before you cross the street. Don’t walk down dark streets or alleys at night. Never walk between a parked van and the wall, especially at night. Keep your doors locked.
Do these rules work? Most of the time. Do we still sometimes get mugged or robbed or worse? Yes, but that’s usually bad luck, known colloquially as being in the wrong place at the wrong time.
Sure, the bad guys look for flaws in real life — people who keep their heads down when they walk down the street, or who make themselves vulnerable in other ways, either by not following the rules for living safely or by flouting them. However, the vast majority of us remain fairly safe.
Why can’t software vendors follow the rules of good software development? That would minimize the number of flaws the bad guys can exploit.
Speak to us, Scott. Tell us you were having a bad day. Tell us you misread the TelePrompTer. Tell us software vendors are going to agree to be held accountable. Or forever hold your tongue.
TechNewsWorld writer Richard Adhikari loves technology but is concerned about its effect on society as a whole. His gods include Blish, Tiptree and Heinlein.