This week, the 20-city Microsoft Security Summit tour stopped off in Boston, where many customers of the software company grumbled about the security of its products, yet admitted Microsoft is doing a better job in this area than in the past. Some, however, argued that software vendors such as Microsoft would work harder to create secure products if they were held legally accountable for defects.
It's an interesting concept, but one that is totally impractical and which relies on a system that ultimately shifts the financial burden to the customer. First, if a company sued a software maker because that vendor's technology led to a security breach, how could they prove it? There are so many mitigating circumstances that it would be nearly impossible to assign blame. (Poorly configured firewalls and reckless remote workers come to mind.) And in the unlikely event that a jury would see it that way, how would you determine the dollar value for damages? Even when a corporate giant is hit with a major financial sanction -- and Microsoft has had its share through antitrust cases -- it's more than likely they'll just pass those costs on through higher prices.
So, while a legal approach
Spammer gets the slammer
One legal decision everyone can cheer is the sentencing of Howard Carmack, the so-called "Buffalo Spammer." Carmack, who sent 850 million -- that's million -- pieces of spam by ripping off people's identities, drew a 3½-7-year prison term for fraud and other crimes. Interestingly, at least one legal expert thinks that if Carmack had been charged under the new federal Can Spam Act, he might have walked. Marvin Benn, an attorney with Chicago-based Much Shelist P.C., said that's because the Buffalo Spammer didn't have an established presence in the states where he was accused -- a term known in legal circles as "minimum contacts." If it takes the use of jaywalking laws to convict spammers, so be it. Prosecutors should use whatever means they have at their disposal.
In the U.K. this week, Symantec CEO John Thompson slammed and defended Microsoft in the same presentation. Speaking at the Prince's Trust, Thompson said he isn't worried about Microsoft's entry into the antivirus market. He pointed to his company's long history in the business, Microsoft's short history in the business and Redmond's other interests. "We don't do game boxes and we don't do operating systems," he was quoted as saying. "We do security." But on the subject of OS security, he said it is a "myth" that Linux is more secure than Windows. He made an argument often used by Windows proponents that Microsoft's OS is a more attractive target for rogue elements because of its vast installed base.
One of the soon-to-be-released products Microsoft touted at its recent TechEd conference is the newest version of its software firewall product, Internet Security and Acceleration Server 2004. Among the details that have come out about the new ISA Server is that it will go for $1,499 per processor, it should be available later this year and a number of hardware vendors plan to incorporate it in their hardware appliances. Among those who've publicly committed to that so far are Hewlett-Packard Co., Celestix Networks Inc. and Network Engines Inc.
Get the patch
In a new security warning, SearchSecurity.com reported that users of Windows XP and 2000 should be on the lookout for multiple strains of the W32.Korgo worm, which exploits a Windows LSASS buffer-overflow vulnerability. Microsoft released a patch for this flaw after earlier worms tried to exploit it, so at least one security expert was astonished that Korgo has spread. "Anyone who is being infected by Korgo must have slept through the Sasser, Dabber and Cycle worms, which all exploited the same Microsoft vulnerability," said Graham Cluley, senior technology consultant at Sophos Antivirus.
And in a bit of hacking history in the making, the bad guys have proved that they can now attack 64-bit systems. Symantec researchers called the fairly innocuous W64.Rugrat.3344 a "proof-of-concept virus" that targets 64-bit Windows executables on IA64 systems.