The Static Page

Teaching Microsoft Security

It bugs me to see yet another security risk in yet another Microsoft product. The specific one I have in mind is Media Player 7 and VB scripting (again). It's tempting to whine "When will they learn?", but that is not terribly productive. Slightly more useful would be "How can we make them learn?"

Effective security has long been a compromise between Risk and Functionality. Sometimes it is described as Policy meets Practice. Much of my expertise is experience in making security policy practical. It can be difficult work. To take a tired yet familiar example: passwords. Policy in many security-aware corporations dictates that passwords are not to be shared, not to be written down, not to be easily guessed, and often a whole host of other restrictions. And an audit of the practical effects of such a policy reveals... managers who share their passwords with their PAs, users who write "difficult" passwords on Post-It notes, and users who use months of the year as passwords. It becomes a game of "how much will we let slip through?" When an employee has access to several systems, security is often viewed as a hindrance. One password for the LAN, one password for email, one password for the Unix host down the hall, one password for the mainframe it talks to, one password for the Internet firewall... By dint of effort, a co-ordinated, synchronised password regime is possible, though the more systems you add to the whole, the more fragile it becomes. If such a regime is not possible or not in place, then you get irritated users who find ways around so many passwords. It is, after all, inconvenient to have so many.

Ah, convenience. Microsoft could be said to excel at that. Given a choice between better security and better convenience, you can bet they'd pick the latter and win most of the time. Even when they open the same hole again and again. That's what brought us the arguably too powerful WordBASIC and its AutoOpen macros: hello "Concept". That's also what brought us Visual Basic macros that can drive Outlook from inside Word: hello "Melissa".

This brings me back to "How can we make them learn?" Short of beating some sense into certain senior executives with a 2"x4", possibly the only thing that will get Microsoft's attention is falling market share. This means choosing other, more secure products over MS's offerings. Declining Outlook. Disabling IE integration (e.g. HTML rendering in Eudora). Picking something other than Windows Media Format. Ditching Office, even. Such moves tend to be uphill battles, especially in a networked world. It requires standing firm when you ask people to stop sending you HTML email. It requires making people aware of why you won't install the latest Windows Media Player.

Possibly the biggest hassle is explaining that you're making a conscientious objection to Microsoft's attitude to security. Most people will not understand this. Be prepared to point out that Microsoft consistently choose function over security, and that this is why they make the same (security) mistakes again and again. You're sacrificing functionality (by not using their products) partly because you disagree with this, but also because it's one more person telling Microsoft that security should matter.

It's a hard sell. But somebody's got to do it.

Wade Bowmer, aka Static

Comments? Email me at static dash page at yceran dot org.