In the six years since Microsoft stopped pelting us with security fixes willy-nilly and implemented a monthly bulletin format, home and enterprise customers have been entombed by fixes for a soul-crushing 745 vulnerabilities, nearly half rated as "critical" by Redmond.
So laments Jaikumar Vijayan, writing in the
Security Smart section of Network World.
The number of announced flaws in the last two years is double what it was in 2004 & 2005, which would seem to suggest that Microsoft's
Trustworthy Computing initiative has done more to repair a leaky ship in motion than to build a seaworthy vessel in the first place. That flies in the face of the highly-publicized security mission, which promised a more secure computing environment out of the box.
Who remembers when Redmond shut down development in an effort to educate their architects and developers in the ancient practice of secure coding? I do. Made for some late software launches, as I recall, honking off people with certain licensing agreements, but it was an easier pill to swallow if the result was a modicum of protection from the forces of evil.
And there are some barely-used bridges in Washington state available for pocket change, too.
It's a perfect storm - Microsoft has created a monster in the form of feature-laden, highly-usable ubiqitous software offerings, which has led them to two parallel issues: Any security hardening will inevitably break the free-flow of usability consumers have come to expect, and maintaining depth in feature sets (and securing them) invariably leads to an increase in coding complexity that makes trusted computing all the more daunting a task.
When Vista first launched, one of the more trumpeted security features - UAC - also became one of the most hated. Microsoft attempted to add a thin layer of security into the computing experience, and it was obvious that they also tried to match it to existing usability and customer experience paradigms. It didn't work, because it was a jolting interruption of the seamless Windows pillow-ride that Microsoft had been marketing to us for years.
Linux and UNIX users don't whine much when prompted for admin credentials or root anytime they try to do anything that messes with the core operating system because it's basically been there from the beginning. Plus, it makes sense - a simple step to validate that some chunk of malware isn't trying to make an unauthorized system change. It's a small price to pay for avoiding the horrors of malicious code.
Redmond has essentially hoisted themselves on their own petard. It's like a parent that feeds their child a steady diet of junk food and sugar, and when the kid turns out a tad portly, the dinner plate is suddenly filled with quinoa and Brussels sprouts. What's a chunky lad to do?
This quandry is soon to be faced by the Apple crowd, too. As Macs begin to pick up market share, users will begin to be targeted by the bad guys as they are identified as a target-rich environment. With roughly 10% of computers sold, it's still not as attractive to craft exploits for Mac code as it is for the dominant Windows environment that garners more than 80% of the pie, especially given the ongoing security struggle the 745 vulnerabilities represents.
As Microsoft hopes and prays that XP users shut down forever and the world becomes populated with Vista and Windows 7 users biding time until they convert to Windows 8, their only salvation will be their ability to move users to a more secure environment one tiny step at a time.
The great unknown is whether people are willing to walk that path, and as John Hodgman learns in the newest Mac vs. PC commercials, there's a lot to be said for making a clean break to a new OS if there's going to be pain involved anyway.
Image via Wikimedia Commons
If that isn't enough to make you ponder an existence as an internet hermit, then perhaps the concept of fake anti-virus software will push you over the edge.
Less than 5 months later, Nohl is claiming success. Imagine what groups motivated by financial gain, such as Russian organized crime syndicates or Chinese hackers, will do with this ability.
Would you install an alarm system in your house and write the passcode on the outside wall? Or would you give the code to someone who called or emailed you, claiming to be from the alarm company demanding that you validate your code for them or they would cut off your access?
This is good news for people who are engaged in forensic examination of computers, but bad news when you consider that bad people will also have access to it, which means losing your data could happen more quickly and easily than before. 
The Maryland Zoo spent a cool half-million dollars constructing an escape-proof habitat for a group of prairie dogs, and the ungrateful land rodents broke out in less than 10 minutes, leaving the zoo's Terry Benedict fuming.
Glancing at the T-Mobile website, their slogan is now Stick Together. I shit you not. 
It's hard to not don a Chicken Little outfit and run around the city warning people of the computer apocalypse developing right before their eyes. Geez, don't you people read the news for free on the Internets?
When The Wall Street Journal reported this week that Chinese, Russian, and myriad other groups of foreign nationals had been able to penetrate the electrical infrastructure of the United States and leave behind chunks of software code that might allow them to disrupt or destroy the grid remotely, there was a certain amount of panic generated as mainstream media picked up the story and flogged it for all it was worth. 
This should be filed under "duh". 
L0phtCrack, the tried & true password cracking tool used by black hats and white hats alike, is poised for a comeback. Yay! 
