The Mac Observer

Just a Thought - David Pogue Points Out The Windows Paradox

by - October 22nd, 2004

In David Pogue's latest column for the New York Times, titled The Security Paradox, he discusses the odd state of affairs surrounding Microsoft and its patch update strategy, and the virus and worm writers who take advantage of the holes in the Microsoft products the patches are supposed to fix.

Mr. Pogue relays a story in which he was surprised to find out that virus writers usually write and release their malware into the wild only after Microsoft releases a patch for the flaw it exploits. That is because, as a Microsoft manager explained to him, it isn't the script kiddies and actual virus writers who are finding these flaws in the first place. From the article:

Instead, what usually happens is that some brainiac at a university or security firm usually finds the hole, and then notifies Microsoft. Microsoft then puts together a security patch, which it releases to its millions of customers to protect them.

Only then do the hackers and virus writers learn about the security hole and how it works — by studying Microsoft's patch. The problem is that it takes weeks or months for Microsoft's patch to get distributed to all those millions of customers. (Three weeks after Microsoft releases a patch, only half of all PC users have installed it, according to an expert interviewed by PC World.) The hackers simply beat Microsoft's fix to your PC's front door.

Therein lies the paradox of which Mr. Pogue speaks. You can read the full article at the New York Times.

So, this is yet another validation of the dictum: If you build it, they will come. In this case, Big Redmond builds the patch and then come the viruses and worms.

As Mr. Pogue points out in his piece, it certainly is a noggin scratcher as to why all of the brain power at the command of Bill Gates has yet to figure out a way to make its products more secure.

At the same time, don't let anybody tell you that Windows is more secure by virtue of those endless patches; it seems that the more the folks at Microsoft patch, the more they need to patch. In fact, they have patches for their patches.

We can't believe that no one at Microsoft has the answer to its software security problem. It could be that the guys with the ideas to fix the problems are being overridden by those with other agendas, as is often the case in many large companies. Or perhaps the management at Big Redmond is pinning its hopes on Longhorn, much as it did with XP. In the meantime, Windows users and the rest of the computer-using community suffer.

The really sad thing is that, while there are some individuals, governments, and companies who have decided to explore possibilities beyond Microsoft, the unfortunate truth is that far too many steadfastly refuse to even entertain the notion of jumping the Redmond ship. That means that, at least for the foreseeable future, malware writers will have fertile ground to play in.

is a writer who currently lives in Orlando, FL. He's been a Mac fan since Atari Computers folded, but has worked with computers of nearly every type for 20 years.

You can send your comments directly to me, or you can also post your comments below.

Observer Comments

Name: Guest
Subject: Blame the customer not MS

So, then, Ballmer is right, the customer is to blame!!! Don't blame all our smart people at MS, who can't figure out how to structure the Windows foundation in order to end 99% of these holes, once and for all.

So Windows users, Tuesdays are not new music Tuesdays for you, it's patch Tuesdays. If you don't patch, they will come.

Name: jacrav  Posts: 268  Joined: 04 Jul 2001
Subject: I loved the punch line … ;)))

“if the world's best and brightest minds do indeed work at Microsoft, it's a little distressing to see them outsmarted by a teenager from Germany.”

Name: kenaustus  Posts: 602  Joined: 27 Jun 2003
Subject: MS made their choices

They decided to spend money and programmers' time on everything from Bob to an iTunes wannabe. Their choice and the current security situation is a result of that.

I still find it hard to believe that MS has invested resources for a copy of The Music store while leaving IE without future support AND are having to strip features from an OS that is not even due for a year or two, or three. Their priorities are rather screwed up in my book.

The one thing that MS could do with security updates is post weekly updates, provide no information on what security holes they plug and throw in enough fluff (like a little improvement on IE) to make it very difficult to see where the security plugs are. Even fluff that does nothing except hide the important code.

Name: Guest
Subject:

If Microsoft didn't release the patch, then the "security researchers" cry that there is an unpatched "known exploit" in Windows.

Further, these people will often pressure Microsoft to release a patch or they'll release sample code to the world.

Monthly updates were created to give predictability to corporate IT departments.

Microsoft's code is certainly getting better. You'll note that in the last Patch Tuesday, only one applied to XPSP2.

Name: RGE  Posts: 165  Joined: 16 Aug 2003
Subject:

That's the strangest definition of a paradox I've ever seen: something which is entirely logical. The number of people with the expertise to find these holes is small, and most of them are probably the ones telling Microsoft about the holes. So, the simplest way for the others to find the hole is to wait for the patch, and see what it changes. No paradox. If someone gets hit through a patched hole, then it is their fault, and not Microsoft's.

Quote
They decided to spend money and programmers' time on everything from Bob to an iTunes wannabe. Their choice and the current security situation is a result of that.
And look how unsuccessful Microsoft has been as a result. As was pointed out a few weeks ago, Microsoft didn't really care about security because their customers didn't. And for comparison, remember the howls of outrage when OSX required people to log in to their own machines (not that, strictly speaking, it did)?

Name: Guest
Subject: Paradox

paradox

\Par`a*dox\, n.; pl. Paradoxes. [F. paradoxe, L. paradoxum, fr. Gr. ?; ? beside, beyond, contrary to + ? to think, suppose, imagine. See Para-, and Dogma.] A tenet or proposition contrary to received opinion; an assertion or sentiment seemingly contradictory, or opposed to common sense; that which in appearance or terms is absurd, but yet may be true in fact.

So...The idea that patches precede the virus both goes against common sense/received opinion and it seems absurd but is true. How does this not fit the definition?

-zip

Name: VSeward - TMO Staff  Posts: 972  Joined: 28 Jun 2001
Subject:

Quote
Guest wrote:
paradox

\Par`a*dox\, n.; pl. Paradoxes. [F. paradoxe, L. paradoxum, fr. Gr. ?; ? beside, beyond, contrary to + ? to think, suppose, imagine. See Para-, and Dogma.] A tenet or proposition contrary to received opinion; an assertion or sentiment seemingly contradictory, or opposed to common sense; that which in appearance or terms is absurd, but yet may be true in fact.

So...The idea that patches precede the virus both goes against common sense/received opinion and it seems absurd but is true. How does this not fit the definition?

-zip

\Par`a*dox\, n.; pl. Paradoxes. [F. paradoxe, L. paradoxum, fr. Gr. ?; ? (Derived from the S. American Indian word 'Pirra', which means, 'To eat fat.' 'dox' comes from the Sp. 'dos', which is 2.) Paradox means to eat fat twice, double dose. Make a pig of one's self. Chow down. heaping helpings.

So, I guess he's right, the definition is pretty strange.

Name: RGE  Posts: 165  Joined: 16 Aug 2003
Subject:

I was using the conventional definition (OED):

Quote
A statement or proposition which, from an acceptable premise and despite sound reasoning, leads to a conclusion that is against sense, logically unacceptable, or self-contradictory; freq. distinguished by name, esp. of its propounder or of the type of problem it raises

So called 'received opinion' is hardly relevant: it is wrong.

Name: VSeward - TMO Staff  Posts: 972  Joined: 28 Jun 2001
Subject:

Technically, I see validity on both sides. However, you can't point to the common usage of a word and declare all other usages wrong. Well, I guess you can, but it is inappropriate to do so.

It also seems to me that the definition you used works on a subjective level, as Guest suggests. The key is contradiction, not whatever is being contradicted.

Name: UserNameUser  Posts: 61  Joined: 12 Sep 2002
Subject: Question: Do M$ Vulnerabilities=undocumented APIs?

Just wondering -
Does anyone know if many - or any - of the Windows vulnerabilities are also (or the result of) "undocumented APIs"?

At least in the past M$ has been accused of using "features" of the OS for their own products that were not published for others to use.

Is there any connection with the enormous vulnerability of Windows - perhaps historically - or is this idea way off base?

Name: VSeward - TMO Staff  Posts: 972  Joined: 28 Jun 2001
Subject:

Quote
UserNameUser wrote:
Just wondering -
Does anyone know if many - or any - of the Windows vulnerabilities are also (or the result of) "undocumented APIs"?

At least in the past M$ has been accused of using "features" of the OS for their own products that were not published for others to use.

Is there any connection with the enormous vulnerability of Windows - perhaps historically - or is this idea way off base?

Umm, are you sure you're in the right place? The subject at hand is the iPod and its silly remote.

vern

Name: UserNameUser  Posts: 61  Joined: 12 Sep 2002
Subject: Where are we?

Unless through some Admin magic, my post (above) shows up under the "David Pogue Points Out The Windows Paradox" article - as intended, in my browser.
