Monday, August 18, 2003

I'm thinking of starting a list of things I'm still undecided on - as I think about stuff more and more, the list gets bigger and bigger. Whilst reading Richard Forno's "Forget California, It's Time to Recall Microsoft" piece, and leaving the capitalism vs security issues aside (maybe another time :), I found myself trying to work out who to blame for such matters as worms and widespread network insecurity.

It used to be the company, though generally only because that company was always Microsoft. Then it was the lusers, and the whole structure that put insecure products into their incapable hands. Interestingly, at no real point have I blamed the worm authors. While I certainly don't agree with their methods, I think it's better for someone who can actually do something about it to take responsibility - after all, there wouldn't be worms if the products were secure. Maybe I just grew up with viruses, and accept them as an inevitability...

Now though, I tend to split where the responsibility lies - yes, people should patch, patch, patch, and people who don't (because they think there's little chance of being infected, or there's not enough time, or whatever lame excuse they come up with) infuriate me. If you're driving a car, you take responsibility for locking it. If you have a networked computer, you should understand the risks of an unpatched system, and hitting that little "update" button should become second nature.

But that's utopian. There are billions of people using networked, insecure technology around the world, and expecting the majority of them to understand this, when they have been sold something as a product (even though it's not, it's a lend) that doesn't need any updating, is just ridiculous. And software companies need to understand this. They are the source of the software, so they are the most sensible place to put in measures that help curtail the spread of insecurity. If people aren't patching, then the company should make the software update automatically, either by default, or by throwing up a big alert box on install asking whether you want to disable it. That way, those with critical systems can turn it off and test patches first (while they sit behind firewalls), but at least they know what they're doing. And the vast majority of users, for whom the patch won't break anything, stay updated.

That's my current standing, anyway...
