A while back, I posted the text of this entry elsewhere, in response to someone who suggested there is a conspiracy of antivirus software vendors. I just rediscovered it by accident, and realized that it’s close enough to a stand-alone statement in its original form as to be worth duplicating here. I have made only minor adjustments — it is otherwise identical to the original.
While it’s true that commercial security products and services are created and marketed by vendors with a vested interest in there being a market for what they sell, no conspiracy of commercial vendors is needed to keep PC security in such a mess. As long as Microsoft’s philosophy of software creation focuses on features rather than sound software architecture, and on salable products rather than on fixing problems, there will continue to be a market for security software that depends on update services.
The problem is simply that Windows, and thus everything that runs on it, can never really be a very secure platform as long as its APIs and innards are kept to any degree secret, or as long as Microsoft refuses to fix the underlying architectural problems that create the vulnerabilities exploited by viruses, worms, and spyware. The software that protects you against malware on Windows is definitions-based (as in: virus definitions, et cetera), and new definitions must be generated and distributed constantly to deal with new variants of old viruses and other malware. That alone should tell you this: Microsoft isn’t fixing the underlying problem that makes a virus, worm, or piece of spyware possible, but is instead letting security software vendors cover its tracks with definitions-based “solutions” (more like band-aids). A definition can only match malware that has already been seen and analyzed; it does nothing about the hole that the next variant will use.
By contrast, on basically every other OS in active development the response to a newly discovered piece of malware is to fix the OS rather than to ship a new definition. Rather than leaving it to a third-party scanner to recognize a given sample, the OS developers analyze the malware to determine which system vulnerability it exploits and close that security hole, so the whole class of malware that depends on it stops working, not just the one sample.
Only the biggest malware protection vendors (companies like Symantec and McAfee) are in a position to affect Microsoft’s policy, and even they don’t need to deal with Microsoft at all to have Microsoft keep them in business. Yes, there’s money involved in keeping things unsecured, but it isn’t so much a security conflict of interest for companies like Symantec as it is that security simply isn’t a business priority for Microsoft. Microsoft need only provide the appearance of giving a crap about security, while short-term profits and market dominance strategies dictate that its developers focus their effort not on fixing problems but on inventing more unnecessary bells, whistles, widgets, and slogan-worthy “enhancements” for Microsoft’s marketing campaigns. That’s where the real problem lies: Microsoft is ignoring the actual problems and producing “features” that merely seem to solve problems but instead create more of them by adding more layers of complexity to its software.
It’s certainly not merely crass commercialism that motivates anti-malware products like ClamWin and Spybot S&D, both of which are available entirely free. Neither one provides any direct revenue stream for its maintainers and developers, yet both still need constant definition updates, which says more about the platform they run on than about the motives of the people who write them.
NOTE: I’ve noticed that while my Symantec series drew some attention from outside my little community of regular readers, it doesn’t seem to be drawing much feedback from my regulars. I suspect it isn’t of much interest to them. This, coupled with the burnout I felt toward the subject through all of last week, prompts me to consider abandoning the series entirely. I think my last post about the Symantec ISTR volume XI serves as a pretty good stopping point anyway.