Microsoft gives up on Windows security

April 10, 2006

Microsoft has finally given up on Windows security. A program manager from the company told an Infosec World Conference in Buena Vista, Florida, on April 4 that rather than struggle with cleaning malware infestations, businesses should instead look to invest in automated processes that would reformat hard drives and reinstall the operating system and applications.

If there is a bigger admission of defeat, then I've not seen one. Mike Danseglio's comments have gone virtually unreported apart from a detailed account in eWeek. Danseglio cited one case of an unnamed US government department which struggled with something like 2000 infected machines.

If companies swallow this advice from Microsoft without seriously considering alternatives, then one would have to conclude that they've drunk too much of the Kool-Aid that is shipped from Redmond. You know, the kind that the late Jim Jones doled out and his followers willingly drank.

Danseglio is reported as having said that for some sophisticated malware, cleaning up is just too hard. Of course, given the skill level of the average Windows admin, a great many things are hard to do. But as one who has cleaned up many a malware infestation on the PCs of friends and neighbours, after a while you don't want to mess with shit - it stinks.

And so, the biggest tech company, with something in the region of 60,000 employees, has admitted that it lacks people with the skill to come up with a solution to this problem. Windows users must get used to the three Rs of veteran admin Andrew Grygus - Reformat, Reboot, Reinstall.

There are plenty of people outside Microsoft who definitely have the skill to fix the problem - Mark Russinovich, for one. Or maybe Dave Aitel, Marc Maiffret, Bruce Schneier, Neel Mehta, Richard Forno, Oded Horowitz, Chris Eng, Kevin Dunn, or Mark Dowd could be given a contract to deal with the problem. I'm sure that any one of these people could come up with a workable solution.

Somehow, it seems that Microsoft doesn't want a solution. The reason is pretty clear. Windows Vista is being released next year. There has to be a reason - or an apparent reason - for people to buy this long overdue, bloated and unnecessary product. I can almost see the neon lights: "The most secure Windows ever." Yes, that was the line used for XP, but then public memory is woefully short.

How else will the upgrade be forced down customers' throats?