Tuesday, June 16, 2009

Microsoft sobers up too late

Long after the besotted drunkard has sworn off the demon rum and found sobriety, the aftereffects of years of debauchery linger. The rheumy eye, the gravelly voice and the damaged liver remain as testimonies to the years of indulgence. So it is with Microsoft.

Not that the software giant has been drinking too much. But it is only recently that Microsoft has got religion when it comes to security. The Trustworthy Computing Initiative, the Security Development Lifecycle, and all the other initiatives that MS has undertaken to assure us that, as they state on their website, “The security of our customers' computers and networks is a top priority, …” are most welcome, but the lateness of this conversion comes at a price.

Anyone who follows computer security news is aware that the Wall Street Journal recently published a story asserting that the systems that control our nation’s electrical grid had been found to be undermined by malware.
Less well publicized, but equally disturbing, is a story about the Conficker worm invading medical devices.
Rodney Joffe…told a panel of the House Energy and Commerce Committee …that he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.
As a side note, most renditions of this story state that the device manufacturer claims FDA rules require a 90-day notice before the machines can be patched. The ZDNET version headlines, “Red tape keeps Conficker on medical devices.” However, this writer could not find any such regulation. In fact, one FDA advisory document (here) says specifically that “premarket review” is “usually not…required prior to the implementation of a software patch to address a cybersecurity vulnerability.” It’s hard enough to comply with actual government regulations, let alone imaginary ones.

Microsoft’s indulgence has not been demon rum, but complexity and performance. Original versions of Windows NT (for those of you who remember that far back) boasted a ring architecture, which segregated essential OS functions like memory management into a central “kernel”. Non-essential functions like graphics rendering were relegated to a less trusted, peripheral area, and had to request memory management functions from the “outside” like everybody else. But at some point, complaints about performance took precedence over robust security design, and things like graphics were moved into the kernel, so that applications could run faster. Or, more properly, the distinction between the kernel and non-kernel eventually dissolved. The result we are living with today is seen in things like the perennial updates to applications like the Adobe Acrobat reader. What should be a forgettable utility has the potential to subvert the integrity of your laptop because the graphics routines that should be powerless to affect the operating system are part of its core. The sad thing is that hardware speeds are now so good that if MS had stuck to the NT design model, no one would notice any performance hit.

One positive glimmer of hope: the advent of a BIOS-based operating system called Hyperspace. The marketing pitch on the website is focused on the benefits to the end user (performance, ironically). Hyperspace can run a browser and an email client, and, mirabile dictu, it boots up in seconds. It can also run side-by-side with Windows, so when you need to load all those clunky drivers, add-ons, and bloated Adobe readers, you can do so. While the product is geared toward the laptop user market, I see no reason why it can’t be used as the platform for, say, ATM machine software. In which case, maybe this wouldn’t happen:

Automated Teller Machine (ATM) Malware Analysis

Sheesh....pretty soon, some dingbat will decide it’s a good idea to use XP as the basis for voting machine software…Oh, wait…


Microsoft’s conversion is, as I said, welcome. But the damage is done. It’s time for a liver transplant.

1 comment:

Ted McLaughlan said...

brain transplant, too?