Bill Gates Feels "Very Bad" About PC Virus Problem

In the world of Windows, the landscape seems to seethe with viruses of every type; worms seem to undulate and multiply with ferocious speed, and the wilds teem with script-kiddies and crackers. It can be a harsh and unforgiving world, made more complicated by the myriad of patches, plugs, and veritable baling wire that users of Microsoft’s many OSes must apply to guard against the more malevolent creatures of the Windows World.

Overseeing it all is one William Gates, founder and chairman of Microsoft, provider of the world’s most pervasive operating systems. From his lofty position, Mr. Gates can see the width and breadth of the Windows landscape, so who better to ask how Microsoft is handling the latest attacks? The New York Times has posted an excerpt from a question and answer session with Microsoft’s chairman which is both revealing and puzzling. From the article Virus Aside, Gates Says Reliability Is Greater:

Q. You wrote a memo last year calling on Microsoft to focus on reliable software. Now we’ve had this series of computer-security-related events that make it appear to outsiders that you aren’t making progress. Have you in fact made progress?

A. Well, we’ve certainly made a lot of progress in terms of creating more reliable software, building tools so that people can stay up to date so that they don’t run into these problems, creating the procedures that make sure that the recovery actions get widely communicated. We’d be the first to say that we’re doing more and more on this. It was very important that we got the company focused on it, made it part of the reviews of all the different employees.

The fact that these attacks are coming out and that people’s software is not up to date in a way that fully prevents an attack on them is something we feel very bad about. We want the update process to work so automatically that in the future these problems won’t happen. The hackers are attacking not only our systems but other systems, and with the right kind of infrastructure and the right kind of work we can make sure they don’t disrupt things.

[...]

Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?

A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we’ve got to get the fixes to be automatically applied without our customers having to make a special effort.

Read the full article, which includes Mr. Gates’ view of how the public may be seeing Microsoft after the latest round of viruses, at The New York Times Online.

The Mac Observer Spin:

This is a very interesting session with Mr. Gates, because it shows just how out of touch with his customers he is. In the Information Technology world, jobs depend on a company’s ability to deliver systems that work as the company said they would. The development time it takes to create, test, and deliver a system is counted in man-months and tens of thousands of lines of code, and at the foundation of it all is the operating system.

Developers dealing with enough variables to fill several volumes don’t want to have to think about changes to that foundation, when doing so could easily have a ripple effect and cause already tight schedules to slip. In other areas of the IT world, IT managers are reluctant to apply the infamous Service Packs or patches for fear that doing so would break a very fragile environment. An article in a recent CSO Online, titled Patch and Pray, describes the situation quite succinctly:

This unique element of software has contributed to (though is not solely responsible for) the software engineering culture, which generally regards quality and security as obstacles. An adage among programmers suggests that when it comes to software, you can pick only two of three: speed to market, number of features, level of quality. Programmers’ egos are wrapped up in the first two; rarely do they pick the third (since, of course, software is so easily repaired later, by someone else).

Such an approach has never been more feckless. Software today is massive (Windows XP contains 45 million lines of code) and the rate of sloppy coding (10 to 20 errors per 1,000 lines of code) has led to thousands of vulnerabilities. CERT published 4,200 new vulnerabilities last year–that’s 3,000 more than it published three years ago. Meanwhile, software continues to find itself running ever more critical business functions, where its failure carries profound implications. In other words, right when quality should be getting better, it’s getting exponentially worse.

Stitching patches into these complex systems, which sit within labyrinthine networks of similarly complex systems, makes it impossible to know if a patch will solve the problem it’s meant to without creating unintended consequences. One patch, for example, worked fine for everyone–except the unlucky users who happened to have a certain Compaq system connected to a certain RAID array without certain updated drivers. In which case the patch knocked out the storage array.

In other words, Microsoft cannot guarantee that the fixes it offers won’t break something on which you or your company depends. It is the very nature of software that the need to patch exists, and it seems to be the nature of Microsoft’s software that it needs patching often. Your decision, then, is whether to leave the system unpatched and risk getting hit by malware (the viruses and worms that seem to appear overnight, and when you can least afford to deal with them), or to patch and hope nothing breaks.

While Microsoft should be commended for its recent efforts to keep its customers informed and to make patches available quickly, it should also understand that something more basic is wrong, something patching may not be able to cure. By testing diligently before the software is offered, with an eye on security, a software maker can deliver reasonably bug-, virus-, and worm-free software.

The Linux world bears this out: every line of code that makes up the free OS is open to scrutiny by hundreds, or even thousands, of eyes each month. Apple seems to be able to do it, too, though it is certainly true that Apple has the benefit of controlling both the software and the hardware.

Mr. Gates believes that it is your fault that you have a virus problem, and he feels bad about it. That should help CIOs and IT managers sleep better.
