Alex Payne writes online here.


We’re Fucked

Microsoft has been chosen as the exclusive Homeland Security supplier of desktops and servers, to the tune of $90 million. I’m not sure there’s a more succinct illustration that American officials making security decisions are, indisputably, putting us on the same expensive, bureaucratic, and massively insecure course towards disaster we were on pre-9/11. I say this not because “well obviously the government should be using Linux or Open Source software, it’s just so much more secure!” You’ll hear that a lot, and it’s crap. The argument between open and closed software security is all but moot; some software is secure, most software isn’t, and the development model that got them there is fairly irrelevant as long as support and long-term viability aren’t a procurement concern. So I could give a rat’s ass if the g-men wanted to buy from some other proprietary, closed-source vendor, as long as said vendor’s products are actually secure.

But Microsoft has a positively horrific track record for security, and has consistently abused its position as market leader to dally on bug fixes and patches, instead dangling the carrot of security in front of its customers. Security isn’t a feature or a later-date improvement, it’s a bare-minimum requirement. If software isn’t designed securely it’s flawed from the get-go, and the entire Windows/MS architecture is, by even Microsoft’s own accounts, a teeming mess of bugs and potential exploits. Perhaps users can tolerate a poor user interface on an otherwise solid product in hopes that it will improve later, but security isn’t the sort of thing anyone, particularly the people protecting the “homeland,” can afford to wait for.

The article mentions that “Microsoft will provide the standard e-mail software for the entire department.” Have these people been living under rocks for the last three years?! Lovebug, anyone? How about any of the other scores of vulnerabilities exploited in Microsoft’s historically insecure mail software? I know I’m looking forward to getting that “Somebody likes you!” message from Tom Ridge. We’re fucked.

UPDATE: Think I’m just making shit up? Brent points out a USA Today article, “Microsoft Admits Critical Flaw in Nearly All Windows Software.”

Totally, totally fucked.