Monday, February 18, 2002
Overcoming the Power Curve. I've been somewhat elusive lately. Busy actually. I spent a relaxing week in Hawaii the week before last, and my sisters treated me to a mini-cruise out of San Diego for my birthday. Between much needed social activities and chipping away at a mountain of e-mail I think I'm getting to the other side of the power curve.
On My Scope. I've been paying attention to the latest security events, most of which involve Microsoft in some way (no news there).
I've been following Richard Forno's articles in infowarrior.org, among other sources, and it seems as though Microsoft cannot get out of its own way. One of the reasons I'm a Richard Forno fan is he's consistent and his news articles read like a series. Let's go back to November 2001 and read forward:
- 10 November 2001 - he debunks .NET in The Freedom to Innovate Includes The Freedom to Obfuscate, subtitled Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability. Prescient? Apparently so when you consider the 15 February ZDNET News story Spat over MS 'Flaw' Gets Heated.
- Mr. Forno's 28 November 2001 article titled 'Microsoft,' No. 'Mickeysoft', Yes is more of the same, where the "same" is the root cause and the "more" is a list of vulnerabilities.
- We'll fast-forward to 16 January 2002 with Richard's The Gates Declaration and Microsoft Security Day, which is skeptical. None other than Bruce Schneier concurs and goes even further in his analysis of the situation, including uncovering a great deal of spin control. It's arguable whether or not Microsoft can build secure applications, but few will disagree that they have mastered spin control. If you don't know who Bruce Schneier is, he's the CTO of Counterpane Internet Security, publisher of the Crypto-Gram Newsletter and the author of Applied Cryptography and Secrets and Lies: Digital Security in a Networked World. In other words, Mr. Schneier is a highly respected expert in the field of security. As an aside, see Kate Hartshorn's 8 November and Mike's 3 January 2001 Amazon reviews of Secrets and Lies.
A wrap-up to the above is the news that Judge grants States access to Windows source by John Lettice, The Register, dated 16 February 2002. See Richard Forno's comments in his Linux Security News article of 18 February 2002 titled Message To Microsoft: Only The Truth Shall Set You Free.
The Point. The above is in the same spirit as Mike's 9 February 2002 entry here. Yes, Microsoft gets its share of the heat. In my opinion it's well deserved, because social responsibility should be part of the price of being a convicted monopoly. At a time when security is of paramount concern, I don't feel that shoddy products filled with reported vulnerabilities are an indication of social responsibility.
However, this isn't really about social responsibility. It's actually a lead-in to the first layer in the Tarrani-Zarate Model that we'll be discussing in subsequent entries. The foundation of that model is business imperatives, and in the next few days you'll see how infrastructure choices should be tied to that foundation instead of being an arbitrary technical decision. Therein lies the point of this entry: had IT organizations been closely monitoring the industry and practicing risk management, one of two things would have happened:
- Microsoft would long ago have been proactive about ensuring their products were not the security risks that have been widely reported.
- Microsoft would not have achieved the monopoly position it currently holds.
Points to ponder. It's also the springboard to Mike's next entry, which will introduce business imperatives.