I frequently have people write to me to discuss how much Windows sucks and how great open source is. They say it as if Windows is my only security problem and Linux, Apache, and Firefox are our saviors.
I often write back that I use Windows and Linux on a daily basis -- and any of them can be secure or insecure. They then somehow take that to mean I'm a Windows zealot because I have the audacity to stand up for Microsoft every now and then.
Here's the plain truth: Malicious mobile code has been around since before Microsoft was a company, and it will be around long after they are a historical footnote. If Microsoft disappears, that won't stop mischievous hackers from writing rogue programs.
Real security solutions aren't as easy as replacing Windows with another alternative. Real security means persuasive authentication, loss of anonymity, less functionality, peer code review, and programmers learning security along with their first GOTO statement. End-users will have to accept that security means slower development times and more expensive products.
Yes, there are plenty of security problems to blame on Microsoft, but it's becoming harder to find new problems to point out. Remember when Gates missed the Internet, but a year later every Microsoft product around could talk to the Internet? The same thing appears to be happening with security now.
Two years ago, Microsoft made all their programmers stop programming and get secure code training. Secure coding and bug hunting are being built in to every programming process at Microsoft, from start to finish. And the results are showing: If you look at the statistics against XP Pro, Server 2003, SQL, and IIS, exploits are way down and security is up. How else do you explain that IE had fewer exploits this year than Firefox? How is it that only two of the top five most active exploits on the Internet are Windows-based? How many years has it been since a Windows worm did as much damage as Code Red, Nimda, or Slammer?
What about Apache 2.0 vs. IIS 6? Since March 2003, Apache has had 25 announced vulnerabilities; IIS 6 has had two or three. Does that mean IIS 6 is more secure? I don't know, but most of the difference in vulnerability levels probably comes from the fact that Apache is running on 79 percent of the Internet Web sites in the world versus IIS' 19 percent market share. If the difference isn't from the popularity, it has to be because Apache is weaker. Which is it?
Want a good database program without frequent security problems? Maybe Microsoft SQL is the answer. Do you remember the date of the last Microsoft SQL exploit? MySQL and Oracle are fairly worse these days, not better.
Can anyone do security better than Microsoft? I'm not sure. Mac OS X is gaining its fair share of patches on a regular basis. I may complain about Microsoft's patch Tuesday, but trying to keep my Linux and FreeBSD systems patched is becoming even more painful.
Free software proponents often say that open source code review guarantees that open source code will be more secure. Baloney! I love to read code, too, but how many of us have the time to review tens of thousands of lines of code? Plus, the really good people are already working 80 hours a week on projects for their bosses.
What about the open source review initiative that started last year -- and folded because of the lack of participation? What about one of the Linux kernel maintainers saying he thinks one of the biggest threats to Linux is the lack of good review?
If you think open source review is the answer, then explain why dozens of open source software bugs are found in open source code years after its initial release? What about the recent TCP/IP vulnerabilities that have been present for more than twenty years -- and found just last year? Don't get me wrong: Open source code review is good, but it doesn't guarantee good security any more than closed source does.
Still, I'm not letting Gates and company off the hook completely. Microsoft deserves a lion's share of the blame for its long-overdue security stance revamp; security over functionality should have been a lesson learned back in the DOS days. But I blame Microsoft more for system lock-ups, the need for original installation discs for Office patches, and the crappy font used to print product ID keys. At least those problems are completely Microsoft's fault.
I like Windows because it is a relatively stable operating system with a lot of features and functionality and a million software programs. I like open source because it's free, it often has features Windows doesn't, and it's faster. I hope open source and other alternatives always stay around and become competitive. I just don't spend my time falsely thinking that if Microsoft and Windows go away, so too do my security problems.