What does the Code Red worm tell us about the state of information security in the world today? Richard Forno, in an essay recently published on SecurityFocus, holds that Code Red's success indicates that we have become far too tolerant of dodgy products from software vendors, particularly Microsoft. He suggests that only the force of legal liability -- possibly even charges of criminal negligence -- will compel software authors to produce secure products.

The following is my letter to M. Forno in response:


M. Forno --

Thank you for your excellent article on the implications of the world's responses to Code Red. Microsoft has for too long gotten away with releasing seriously flawed software, and passing the costs of insecurity off to the consumer.

However, I must take issue with the idea that holding Microsoft legally liable for security holes is the best way to prevent future damage. Every software distributor -- from Microsoft to Red Hat to Cisco to OpenBSD -- has released software with holes. The precedent of holding software authors up for civil or even criminal (negligence) penalties would have a chilling effect on all programmers, even those who are more careful.

Furthermore, Microsoft software is the focus of attacks not just because it contains more holes, but because it is so very popular. Take the example of viruses on desktop systems: For years, Macintosh users have poked fun at Windows for its susceptibility to viruses. In fact, Mac OS systems are just as susceptible -- it's just that there are fewer Macs in the world than Windows PCs, so virus authors do not bother writing viruses for them.

To put it bluntly: It's true that Microsoft code sucks, and that it sucks more than most of its competitors' code. It's also true, though, that when one platform takes on the role of monoculture (or monopoly) it will come under much greater examination by the black hats. Yes, Microsoft has used the "we're so popular that everyone wants to crack our systems" line to misdirect attention away from its systems' inherent poor security. However, no major OS today -- of the many better designed than Windows -- would make a secure monoculture.

IT folks are legendary for taking personal preferences -- favored operating systems, languages, even text editors -- as matters of religious writ. Large installations commonly "standardize" on single platforms such as Windows for "ease of maintenance", i.e. the convenience or preferences of the IT department. Yet when a worm comes to town, it is diversity -- or, in management-speak, "market fragmentation" and "incompatibility" -- which could save the day.

That, it seems to me, is the true lesson of Code Red.