Orcmid's Lair

2007-02-10

Dear Microsoft: What Trumps Security as Job #1?

In my darker, cynical moments, I doubt that security and safety will ever make it to Job #1 at Microsoft.  On the other hand, I think they have the greatest opportunity and commitment to having it work.  Especially against clueless scoffers.


I’m looking for a serious corporate cultural shift to have security and safety for the customer be the dominating context of every action by a customer-facing employee, including every developer, web site/service designer, and manager of every stripe.  Knowing how much it is in our nature to skip steps that don’t satisfy our immediate wants, I must remind myself that this is a rare quality in any software provider and producer.   Since Microsoft asserts their commitment, I think we can hold them to account and also expect them to provide the model for others to follow.

Microsoft seems determined.  Yet all too often other factors trump security.  That clash between words and deeds is unsettling.  For this commitment to work, nothing must trump security.  For the journey to succeed, there need to be signs of pro-active bar-raising in how the commitment to Job #1 is reflected in the experiences of customers in every interaction with Microsoft and its products.

Here are some of the ways that security as theater and/or producer paternalism has been distracting me of late:

  • Urging Visual Studio 2005 SP1 as a high-priority download.  Microsoft Update (takes longer, widens my threat surface for defective downloads, and is strongly urged if I don’t install it) does find more updates than the narrower Windows Update.  So I drank the Kool-Aid and accept update advice for more products, but high priority?   This reminds me of pushing out the Genuine Advantage call-home feature as a high-priority security (whose?) update when it was apparently in beta.  Fortunately, my OneCare Firewall detected it and blocked it and it stays that way. I’m not aware of any security alert against VS 2005.  Did I miss the memo?  Who decides what’s high-priority, anyhow?
       
  • Demanding Automatic Updates.  Speaking of Microsoft Live OneCare, it really frosts me that it declares anything short of fully-automatic downloading and installation as Condition Red.  My not backing up regularly is only Condition Yellow?  What bozo made that decision for me?   I feel bullied into turning on automatic updates so that the Condition Red doesn’t mask every other problem that might be noticed (like an actual detection of a virus, worm, or spyware).  Of course, my computers are never left running idle overnight and so the install time rarely arrives.  I usually do get to review the updates before they are installed after all [;<). 
      
    I’m also annoyed that I can’t condition the OneCare firewall (or even learn that there has been blocking) when a newly-installed application reaches out to the Internet for the first time.  Well, I can get around this by letting Daddy OneCare consult its list of what is considered a safe application.  I grudgingly did that on Vicki’s computer, because she doesn’t want to have to think like an administrator.  But what happened to informed consent as a customer-care principle?  I want to be advised and have the option to block, since I don’t want anyone but Microsoft to be installing automatic updates for me.  I want something more like what ZoneAlarm Pro permitted (very much like the Vista UAC approach), but I don’t want to go back to ZoneAlarm.  
       
    To be clear, I love the OneCare approach.  Where it works seamlessly, it is super. It is the unexpected discontinuities in a quality product that throw me.   I doubt that I will ever go back to Symantec.  I will probably need Microsoft Home Server to conquer my backup negligence and I’m waiting to see product announcements.  It’s the paternalistic daddy-knows-best part that frosts me.
      
  • Insisting on Installing under the Administrator Account.  We all know that you have to be an administrator to install most software.  Unfortunately, the installers for too much software set up their software to configure and operate in every account on the machine, including the administrator accounts.  If there’s an option to configure for a single account, unfortunately it is always the account (an administrator) being used to do the install.  Duh?  
      
    My workaround for this is to always install under my everyday least-privilege user (LUA) account by elevating that account to administrator just long enough to do the install.  I religiously avoid installing anything but administrative software under my administrator account.  No development software, no games, no commonly-attacked productivity software, not anything that I might be tempted to foolishly run while in my administrator account.  For generic-installing software, I will move the shortcut, startup, and all-programs items out of “all users” to my solo everyday account profile and delete everything else I can that shows up in the administrator-account profile.  I would remove Internet Explorer from the administrator account if I could, but it is needed for Microsoft/Windows Update (see above). 
      
  • My Latest Admin-Configuring Horror is Microsoft LiveCam VX-6000.  I applied all of my practices for keeping consumer software out of the administrator account, but I have not been able to put a stake through the heart of this baby.  Every time I log into my administrator account, the configuration dialogs for LiveCam setup pop up.  I cancel them every time.  I cannot find where this on-startup crap is installed so I can kill it.  With the privileges this puppy has to operate on my computer, I have to declare it to be spyware.  Hmm, I guess I should report it through Windows Defender. 
      
    I chose to get a webcam after seeing how well a Logitech device worked on Vicki’s new Media Center PC.  I’ve gotten a little tired of Logitech’s semi-spyware craplets and call-home for updates automation, so I figured that Microsoft probably doesn’t do that (although I worried that the coupling with Windows Live Messenger might make Skype integration problematic, but Skype hooks it up just fine).  But the Logitech software does play far nicer installed under Vicki’s everyday LUA account.  That’s a welcome surprise.
      
    Yes, I’m keeping the webcam too.  I will probably upload a video about how much I like the parts I like.  And another on how to have it installed safely, once I find out how that is done.
      
  • Web Security Changes.  Just to make my morning complete, the overnight tune-up with OneCare said it was unable to download high-priority updates.  I was in my LUA account and it couldn’t fetch updates from there because it needs an administrator, of course.  
       
    I logged into the administrator account and ‘lo!  Microsoft Update was failing in IE7 after working for months.  I was informed that my IE 7 settings weren’t allowing Microsoft Update to do its ActiveX and scripting magic.  Hmm, so I followed the advice on the failure page about adding some URLs to my trusted-sites list.  On closing IE7 and re-trying Microsoft Update from scratch, I still reached the failure-advice page.  OK, maybe my trusted-site settings are set too high in the aftermath of some previous ActiveX and JavaScript exploit panic.  So I set trusted-site security to the default.  Nope.  I’m still getting the failure-advice page. 
       
    Oh, lookie!  The failure-advice page has a URL for a domain that is not in the list it gives me.  Maybe I need to trust that (non-https) site too?  Ahh.
      
    It could have been worse.  The greatest difficulties around web security measures, redirection for Passport/WindowsLive sign-on especially, arise when a Microsoft application is using the Internet under the covers and I can’t freakin’ see the URLs that the failures are about.  Windows Media Player is a great example.  For several months I couldn’t buy anything from MSN Music because I couldn’t figure out the various Passport redirects that were suddenly failing to log me in to purchase and download songs.  I saved a lot of money, and now MSN Radio Plus is no more.  I really liked the ease of purchasing individual tracks and even complete albums on that service.  I did not switch to Real and I did not subscribe to URGE after the free trial (though I buy URGE tracks from time-to-time).  PS: I don’t expect to ever own a Zune or an iPod but I would consider a Plays-for-Sure device.  I really like Pandora and I’ll like it better when I can run it in Media Player (you can show me the ads there, I’m fine with that) instead of a browser window.

So there’s my current litany of Microsoft security ills.  I feel better now.  How about you?

In many ways, Microsoft’s security arrangements lead the way.   But I’m never quite sure whose security and convenience it is all about.  I don’t even mind, considering the nature of end-user security practices and all of our tendencies to expedient behavior, that the default let-daddy-take-care-of-it paternalistic option is available.  What I don’t like is having no choice in the matter when I am perfectly willing to take responsibility for the security of my own systems.  When some Microsoft developer, project management, and product marketing review process makes inconsistent choices that trump security, it just tells me that security isn’t Job #1 after all.  And, frankly, as a customer I don’t give squat whatever that trump card is.  And I don’t want to hear any “Well, security is Job #1 but … .”  Job #1 is supposed to be Job #1 with no buts about it.

I’m waiting.  I appreciate that this is probably one of the most difficult challenges any corporation has had to face.  Microsoft says they get it.  There is no question in my mind that Microsoft does address software quality and security.  For a mega-corporation like Microsoft, it takes a serious cultural challenge to transform the corporate persona that is experienced in each-and-every customer engagement.  The paternalistic tendency and mixed agendas are undermining Job #1.  There’s more to be done. 

I’m still waiting.  I’m very patient because I don’t want to give up the joys of computing that are now available to me.  I understand that most Microsoft detractors don’t know what they are talking about and don’t match Microsoft quality in the products that matter to me.  But nobody waits forever.

 