Chad Perrin: SOB

17 April 2007

Don’t forget your tinfoil hat.

Filed under: Geek,Security — apotheon @ 03:11

A while back, I posted the text of this entry elsewhere, in response to someone who suggested there is a conspiracy of antivirus software vendors. I just rediscovered it by accident, and realized that it’s close enough to a stand-alone statement in its original form as to be worth duplicating here. I have made only minor adjustments — it is otherwise identical to the original.

While it’s true that commercial security products and services are created and marketed by vendors with a vested interest in there being a security market for what they sell, no conspiracy of commercial vendors is needed to keep the state of PC security in such a mess. As long as the Microsoft philosophy of software creation focuses on features rather than sound software architecture, and on salable products rather than on fixing problems, there will continue to be a market for security software that requires an update service.

The problem is simply that Windows, and thus everything that runs on it, can never really be a very secure platform as long as its APIs and internals are kept secret to any degree, or as long as Microsoft refuses to fix the underlying architectural problems that create the vulnerabilities exploited by viruses, worms, and spyware. The software that protects you against viruses and spyware on Windows systems is definitions-based (as in: virus definitions, et cetera), and new definitions must be generated and distributed constantly to deal with new variants of old viruses and other malware. That should tell you this: Microsoft isn’t fixing the underlying problems that make a virus, worm, or piece of spyware possible, but is instead letting security software vendors cover its tracks with definitions-based “solutions” (more like band-aids).

By contrast, basically every other OS in active development is fixed rather than definitions-patched when some piece of malware that can affect it is discovered. Rather than leaving a third-party program to scan for a given definition, the OS developers analyze the malware to determine which system vulnerability it exploits and close that security hole. The difference matters because a closed hole stops every variant that relies on it, whereas a definition only catches the variants it was written to match; each new variant means another definition to write, test, and distribute.
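The contrast in the two paragraphs above, as an added example that is not code from the original post: a toy definitions-based scanner beside a toy record parser with an unchecked length, shown before and after the fix. The signature database, the three worm variants, the benign record, and the parser itself are all constructed stand-ins (nothing here is real malware or a real Windows bug). Every variant exploits the same hole, so the fixed parser rejects all of them, while the scanner needs a fresh definition for each one it has not seen.

```python
"""
Added example (not code from the original post): a toy model of the
difference between a definitions-based scanner and a fix for the underlying
vulnerability. The signature database, the samples and the "vulnerable
parser" below are constructed for illustration only.
"""
from typing import Optional

# --- Definitions-based protection -------------------------------------------

# Constructed signature database: definition name -> byte pattern.
DEFINITIONS = {
    "Toy.Worm.A": b"\x90\x90EXPLOIT:",
}


def scan(sample: bytes, definitions=None) -> Optional[str]:
    """Return the name of the first definition found in `sample`, else None."""
    definitions = DEFINITIONS if definitions is None else definitions
    for name, pattern in definitions.items():
        if pattern in sample:
            return name
    return None


def definitions_still_needed(samples, definitions=None) -> int:
    """How many samples slip past the current definitions, i.e. how many new
    definitions the vendor would still have to write and distribute."""
    return sum(1 for s in samples if scan(s, definitions) is None)


# --- The underlying flaw that every variant exploits ------------------------

BUF_SIZE = 16  # toy fixed-size buffer


def vulnerable_parse(record: bytes) -> str:
    """Toy record parser (constructed): a 1-byte length, then the payload.
    It copies `length` bytes without checking against BUF_SIZE, so an
    oversized record "overflows"; that stands in for the hole the samples
    exploit."""
    if not record:
        return "rejected"
    length = record[0]
    payload = record[1:1 + length]
    if len(payload) > BUF_SIZE:
        return "OVERFLOW"  # memory corruption / code execution in the model
    return "ok"


def fixed_parse(record: bytes) -> str:
    """The same parser after the fix: the length is validated before use, so
    any record that would overrun the buffer is rejected, whatever bytes it
    carries. No definition is consulted."""
    if not record:
        return "rejected"
    length = record[0]
    if length > BUF_SIZE:
        return "rejected"
    return "ok"


# Constructed samples: a length byte of 40 (> BUF_SIZE) followed by a payload.
SAMPLE_A = bytes([40]) + b"\x90\x90EXPLOIT:" + b"A" * 30   # the original worm
SAMPLE_B = bytes([40]) + b"\x90\x41EXPLOIT:" + b"A" * 30   # one sled byte changed
SAMPLE_C = bytes([40]) + bytes(b ^ 0x5A for b in b"\x90\x90EXPLOIT:") + b"A" * 30  # XOR-encoded
BENIGN = bytes([8]) + b"hello!!!"                          # an ordinary record


def report(sample: bytes) -> dict:
    """Verdict on one sample from each defence."""
    return {
        "definition": scan(sample),
        "unpatched": vulnerable_parse(sample),
        "patched": fixed_parse(sample),
    }


if __name__ == "__main__":
    variants = [SAMPLE_A, SAMPLE_B, SAMPLE_C]
    for label, s in zip("ABC", variants):
        print(label, report(s))
    print("benign", report(BENIGN))
    # The scanner catches only A; B and C each need a new definition shipped.
    print("new definitions needed:", definitions_still_needed(variants))
    # The fix needs no definitions at all: every variant is rejected.
    print("variants stopped by the fix:",
          sum(fixed_parse(s) == "rejected" for s in variants))
```

Adding a definition for variant B catches B and nothing else; variant C still passes the scanner and still overflows the unpatched parser. The fixed parser never sees a definition and rejects all three, because the check targets the flaw rather than the bytes that happen to exploit it.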

Only the biggest malware protection vendors (companies like Symantec and McAfee) are in a position to influence Microsoft’s policy, and even they don’t really need to deal with Microsoft to have Microsoft keep them in business. Yes, there’s money involved in keeping things unsecured, but for companies like Symantec it is less about a security conflict of interest than about security simply not being a business priority of Microsoft’s. Microsoft need only provide the appearance of giving a crap about security, while short-term profits and market dominance strategies dictate that its developers focus their effort not on fixing problems but on inventing more unnecessary bells, whistles, widgets, and slogan-worthy “enhancements” for Microsoft’s marketing campaigns. That’s where the real problem lies: Microsoft is ignoring the actual problems, producing “features” that merely seem to solve problems but in practice create more of them by adding more levels of complexity to its software.

Nor is it merely crass commercialism that motivates anti-malware products like ClamWin and Spybot S&D, both of which are available entirely free; neither one provides any direct revenue stream for its maintainers and developers.

NOTE: I’ve noticed that while my Symantec series drew some attention from outside my little community of regular readers, it doesn’t seem to be drawing much feedback from my regulars. I suspect it isn’t of much interest to them. This, coupled with the burnout I felt toward the subject through all of last week, prompts me to consider abandoning the series entirely. I think my last post about the Symantec ISTR volume XI serves as a pretty good stopping point anyway.


  1. I agree completely with you. If Microsoft spent even just one year on actually fixing problems, taking the R&D budget that year and putting it toward not just patching, but actually fixing their whole product line, we’d all be better off; and with the R&D budget that MS most likely has, it would indeed only take a year of some hardcore programming to complete the task.

    Comment by Joseph A Nagy Jr — 17 April 2007 @ 04:05

  2. Consider this. Schneier reports that security is a process. The idea being we will never, ever, be able to close shop with the security department. OpenBSD is noticeably secure, but without a consistent security process it’s not secure tomorrow. Symantec will not ever be out of product to make. If MS actually fixed problems, Symantec’s software would be slimmer, less intrusive, less painful, easier to write, easier to maintain and in every way an easier sale to the public at large, at lower cost.

    Conflict of interest? Only if you believe (and I don’t) that some day a piece of software the size of an operating system and its attendant shells will be without exploits.

    Comment by SLR — 18 April 2007 @ 06:02

  3. Oh, I’m not saying that MS Windows could just be “fixed” entirely so that security is then “done”. I do, however, believe that by adopting a better policy toward security (and maintaining that policy faithfully) Microsoft could easily put Symantec (and McAfee) out of business — at least, out of their current line of antivirus business. That’s where the conflict of interest arises. Symantec doesn’t want to have to do more work for less revenue; it makes lots of money doing nothing much right now, as all it has to do is collect virus reports, create definitions, maintain its flagship product, and write the occasional report that tells everyone how critical its business is to their security.

    I don’t think Joseph was suggesting that Microsoft could just “fix” security once and for all, either — just that it could fix a lot of its failures over the last few years, and place itself in a better position to provide continued, effective attention to security, rather than the ridiculous security “featuritis” it’s currently trying to pass off as “security”.

    . . . but yes, you’re absolutely right: security is a process, not a goal.

    Comment by apotheon — 18 April 2007 @ 10:27

  4. I’m not 100% sure, but I think you’re underestimating the amount of money and effort Symantec has to invest in its anti-virus process in the current model. I think they would be doing Less Work for More Effect (probably similar amounts of money, since fear of viruses will still drive corporate buyers to buy, and who cares about the private market anyway) if Windows actually became decreasingly flaky.

    Comment by SLR — 19 April 2007 @ 07:38

  5. I’m aware that Symantec blows massive sums of cash on what it’s doing. When I say that Symantec “makes lots of money doing nothing much right now,” I’m referring to what it does that is of actual use to us, the users. Most of the money and effort that Symantec spends goes to marketing, whiz-bang “features”, bureaucracy, proof-of-concept work designed to prove how important Symantec is to the IT industry, and plowing the competition under. All of this is designed to increase the market share and profitability of the actually useful work it does — which would lose at least 98% of its usefulness if Microsoft were willing and able to treat security the way it should be treated.

    Antivirus software, as it currently exists, would be superfluous if OS vendors and developers all actually fixed every vulnerability as it became known, and counted the vulnerabilities that make virus propagation possible among the vulnerabilities worth fixing. That’s really my point, re: Symantec’s conflict of interest. That’s why antivirus software in the MS Windows idiom really only exists on Linux- and BSD-based OSes for purposes of cleaning email that goes out to MS Windows clients — because the Linux and various *BSD developer communities actually patch the vulnerabilities that would allow viruses to propagate.

    Comment by apotheon — 19 April 2007 @ 01:49


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License