% fortune -ae paul murphy

x86 security

I, ah, blush to admit this - but when last week's revelations about the Windows .ANI cursor hole appeared, I thought someone was pulling an April Fool's joke. Apparently not, but the mess led me to wonder just how something like this could happen.

Microsoft has the best tools, endless cash, some of the brightest programmers, and full access to its own source code - yet attackers playing with binaries can find buffer overflows that escaped years of corrective effort at Microsoft? In what world does this make sense?

Contrast the Windows Vista record to date with that run up by OpenBSD: Microsoft is pushing two problems a week, while the OpenBSD guys have just tripped over their second exploitable buffer overflow since splitting from FreeBSD in October of 1995.

What makes this even more surprising is that if you did a simple functionality comparison based on what's in the box when you get it, OpenBSD would turn out to be both more capable and more backward compatible on x86 hardware than Vista.

So how can this be?

There's the obvious fact that a lot of people make a lot of money from Microsoft's bugs - and now that Microsoft owns a big chunk of the PC security business, Microsoft makes money selling people protection from Microsoft.

Money talks, but the big winners from Microsoft's insecurity are the people who get paid first to recommend Microsoft and then to protect their customers from the consequences of that decision.

You wouldn't think a smart little pig would get his building materials from the wolf's brickyard, but this kind of oxymoronic behaviour permeates the PC industry. Consider, for example, the inherent contradiction in the way PC security is thought about in larger organizations: the data center gurus sell the client-server architecture to the business on the grounds that the desktop PC empowers the user and then do everything in their power short of actually turning the thing off to limit what that user can do with it.

And nobody notices how absurd this is - just as nobody seems to notice that the gear used to protect the Microsoft user from other Microsoft users exploiting errors in Microsoft's software mostly runs on Microsoft software. Unless it's from Cisco, in which case it's Cisco's Microsoft software - including IIS! - developed in co-operation with Microsoft that protects Microsoft users from Microsoft's errors.

Except that it doesn't - because computers keep crashing, data theft is getting to be a major underground industry, and I don't know a single Wintel devotee who hasn't blamed lost files, abandoned work, upgrade costs, and time losses on viruses or worms affecting the systems they choose to use.

There are April fools here all right - not to mention the May through March guys. In fact, I'm starting to believe in aliens - I mean, can people really be this irrational? Or are we really just talking about emperors and new clothes again?

In all seriousness, it's irrational - and I think part of the explanation goes back to the social differentiation established between thinkers and partiers in high school. I see that separation as a continuum with future scientists and developers at one end, future executives at the other, and future Wintel sellers near the middle. That social distance between geeks and partiers prevents them from talking later in life - and that creates the opportunity for the guys in the middle to lead the pretty party people astray.

And why? First, because they can; secondly, for the money; and thirdly, because it gives them an emotional win-win over both groups: letting them see themselves as both socially successful and as geeks while holding the extremal groups on both sides in deep contempt - the real geeks for letting them get away with the fakery, and the executives for being foolish enough to buy into the pretence.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.