On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:

>> Problem is there's no financial liability for producing massively
>> exploitable software.
>> No financial penalty for operating a compromised system.
>> No penalty for ignoring abuse complaints.
>> Etc.
>>
>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the
>> cleanup costs for each and every infected system and any damage said
>> infected system did prior to the owner/operator becoming aware of the
>> infection.
>>
>
> It isn't Microsoft. It once was, but Vista and Windows 7 are really solid,
> probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac
> OS; I don't run Windows not because it's insecure but because it's an
> unpleasant work environment for me.)
>
> Microsoft is targeted because they have the market. If Steve Jobs keeps
> succeeding with his reality distortion field, we'll see a lot more attacks on
> Macs in a very few years. It's also Flash and Acrobat Reader. It's also
> users who click to install every plug-in recommended by every dodgy web site
> they visit. It's also users who don't install patches, including those for
> XP (which really was that buggy). There's plenty of blame to go around
> here....
>
> A liability scheme, with penalties on users and vendors, is certainly worth
> considering. Such a scheme would also have side-effects -- think of the
> effect on open source software. It would also be a lovely source of income
> for lawyers, and would inhibit new software development. The tradeoff may be
> worth while -- or it may not, because I have yet to see evidence that
> *anyone* can produce really secure software without driving up costs at least
> five-fold.
I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.

But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spillover because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.

All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

--
TTFN,
patrick