Case Study: Security? What does Microsoft know about security?
A week in the life of an IT manager
By David Charles | Techworld | Published: 00:00, 13 May 2004
Welcome to this week's blog, which will appear monthly, funnily enough.
Two new starts next week, so two new desktops to get ready. Usually, this is simply a matter of copying a disk image of the OS and a few company-standard applications to the new machines and soak testing them for a couple of days. But I'm a bit behind with patches and our current disk image needs updating. Not a major problem, just another couple of extra hours' work to be scheduled in.
I shouldn't really have to do this, though. Our PC vendor could ship out products without all the OS flaws that allow viruses, worms, Trojans, et al to spread. Manufacturers could add all the latest security patches before selling their machines.
Our vendor's standard response to these points is "certainly, we could offer you secured PCs with all the updates installed, but in a 'commodity' market, your buyer would just go to a cheaper supplier and get PCs with an older version of the OS." On the face of it, this seems like a reasonable argument.
However, it's nonsense. Ten years ago, I worked for a PC vendor that daily prepared thousands of machines by creating a single master image that was copied to a large number of other drives before assembly. The master image was constantly updated, yet this vendor's products were considerably cheaper than almost everyone else's. No, the reason our current vendor won't do what I want is more likely to be that we have nowhere else to go. No-one else does it, so there's no market imperative.
If the IT industry's marketing departments weren't so devoid of any talent, maybe one of the PC vendors would break the mould. But I'm not holding my breath.
Despite the constant stream of new OS patches, I've been feeling quite well disposed towards Microsoft lately. After all, it's on our side now, isn't it?
However, the company's continual finger pointing about security is beginning to grate. Its product evangelists sound more and more like those reformed smokers who turn into complete health fascists as soon as they've kicked the habit. While Microsoft's recent conversion to best security practices is of course broadly welcome, I find its hectoring tone increasingly irritating.
Take Jonathan Perera, senior director of what Microsoft laughingly calls its "security business technology" unit, which we can only assume is a branch of marketing. At today's otherwise fairly dull Infosecurity show, Mr. Perera effectively says that if people like me don't do a better job of promptly applying Microsoft's patches, as well as training users in safe computing practices, the consequences are our own stupid fault. Back here on planet Earth, Mr. Perera, people like me have only so many hours in the day to patch all your employer's gaping vulnerabilities and you're pretty hopeless at supplying us with the information we need to determine priorities.
Try getting some education yourself.
Apparently, Microsoft plans to use more dialogue boxes and warning messages in future Windows and Office releases to "educate" users on safe computing practices. This conjures up a mental picture of some equivalent to its loathsome little paperclip asking us if we "really want to do that" and offering to automatically configure our security settings. This nightmarish vision comes courtesy of the same irksome Jonathan Perera who blames me and my team for not doing enough about security. He's quoted as claiming his employer can use software to teach users about security.
Clearly this man has never met our users.
The idea of educating them about anything is too funny for words. And I doubt our users are untypical. When are Microsoft's marketroids going to "get real" or "wake up and smell the coffee" or whatever else it is they're constantly urging IT managers to do?
There's some brouhaha in the media about Microsoft's readiness to deal with the deluge of technical support calls expected when it releases its much-vaunted new service pack for Windows XP. Never mind Microsoft's readiness, what about mine? I suspect the reality is that Microsoft will get fewer support calls while mine go through the roof. SP2 will deal with a lot of the external security issues that have been bugging its users for years, so Microsoft's support calls may well go down.
It'll be different for us, though. If we install SP2, we run the risk of all our applications falling over; we're going to have some brainless animated icon constantly prompting users to set up firewalls, block pop-up ads and update the antivirus; and if that weren't enough, IT will be inundated with calls from irate users who'll no longer be able to connect to the games servers and file sharing services they seem to find so fundamental to their everyday working lives.
This week has turned into one of those "let's all get obsessed with security" weeks. I suspect it's some sort of conspiracy hatched by the security vendors to drum up a bit of interest in the Infosecurity show. All right guys, I went to your show - now will you make it stop?
You see, I've got loads of patches to catch up with and I want to get home before two o'clock tomorrow morning. But I keep getting interrupted by emails from users wailing and gnashing their teeth about the automated bounce messages they receive every day from anti-virus software installed at firms they've never even heard of.
Now I issued a general warning to our users about such messages when Netsky first appeared. My warning went something like this: "You will probably start receiving a lot of emails claiming you sent out a virus. Don't worry, someone else will have sent the virus using your forged email address in the 'from' field and you are just being notified by some brain-dead antivirus program that assumes you are the sender. It's okay. Just delete these messages and get on with your life."
Like so many of the important but boring emails that go out from management here, this one probably went straight into most people's trash folder unread. Strangely, this doesn't happen to the pointless AV bounce messages. Each one is read avidly and discussed ad nauseam. First, the recipients work themselves into a lather of self-righteous indignation about the injustice of it all; then they demand to know what IT is going to do about these slurs on their character.
Now the show's over, maybe the AV vendors could arrange to stop their products sending us all these dumb responses?
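As an added illustration of the mechanism behind those bounce messages (example code, not from the column): a small mailbox filter that separates Netsky-style AV backscatter, where the worm forged the 'from' address, from the rare notice that deserves a look because the quoted original really did leave through one of our own mail servers. The host list and the three sample messages are constructed for the example.

```python
import email
import re

# Assumption (not from the column): hostnames of our own outbound mail servers.
# A "you sent a virus" notice only matters if the quoted original relayed through one.
OUR_MAIL_HOSTS = {"mail.example-agency.co.uk"}

AV_SUBJECT_RE = re.compile(r"virus|worm|infected|netsky", re.I)
AV_BODY_RE = re.compile(r"\b(virus|worm)\b.*\b(found|detected|infected)\b", re.I | re.S)
RECEIVED_RE = re.compile(r"^\s*>?\s*Received: from (\S+)", re.I | re.M)


def quoted_relay_hosts(body: str) -> set[str]:
    """Hostnames from any Received: lines the AV product quoted back to us."""
    return set(RECEIVED_RE.findall(body))


def classify(raw_message: str) -> str:
    """Return 'deliver', 'backscatter' or 'escalate' for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    if not (AV_SUBJECT_RE.search(subject) and AV_BODY_RE.search(body)):
        return "deliver"        # ordinary mail, leave it alone
    # The worm forged the From: address unless the quoted headers show the
    # original actually passed through one of our servers.
    if quoted_relay_hosts(body) & OUR_MAIL_HOSTS:
        return "escalate"       # possibly an infected machine on our side
    return "backscatter"        # file it; the user sent nothing


# Constructed sample notifications (not real mail).
BACKSCATTER_SAMPLE = """\
From: antivirus@somefirm.example
To: alice@example-agency.co.uk
Subject: Virus detected in a message you sent

Our anti-virus scanner found W32/Netsky in a message from alice@example-agency.co.uk.
Headers of the original message:
> Received: from dsl-198-51-100-7.isp.example (198.51.100.7)
> From: alice@example-agency.co.uk
"""
ESCALATE_SAMPLE = BACKSCATTER_SAMPLE.replace(
    "dsl-198-51-100-7.isp.example (198.51.100.7)", "mail.example-agency.co.uk (203.0.113.5)")
ORDINARY_SAMPLE = """\
From: bob@client.example
To: alice@example-agency.co.uk
Subject: Candidate CVs for Thursday

Alice, the CVs we discussed are attached.
"""
```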
David Charles is IT manager for a UK recruitment agency.