Thursday, June 3, 2010

Microsoft Talks Back To Google's Security Claims

Recently Google have indicated they are abandoning Microsoft for desktop usage, as a result of the Aurora incident earlier this year. Microsoft look like they have something to say about this. I find myself siding with Microsoft on this. What Google are really doing is having a knee-jerk reaction to the incident, saying "we will change operating systems" and thinking this will make them more secure. This is a cut-and-dried example of "security through obscurity", which we know DOES NOT WORK.

Frankly I am disappointed at the news. You'd think with all those PhDs that someone would point out the insanity of this move? Yes, Microsoft is more targeted but it has been 8 years since they began down the path of Trustworthy Computing. They respond to vulnerability fixes, they have set the standard on secure application development, they supply hardening and configuration guides to everyone, etc. There are better, more sophisticated memory protections for Windows 7 than OS X. Vulnerability trends already prove that the applications are now being targeted - e.g. Adobe Acrobat, Flash and Sun (oops... Oracle) Java. So even if somehow you aren't being hit with specific malware-based attacks, there are enough issues with browsers, between JavaScript and Flash, that you really don't even need to touch the operating system to do enough damage.

I am hardly a Microsoft fanboy, but there are clear industry lessons everyone can learn from them. Adobe, Oracle and Google - I'm looking directly at you.

If Google are serious, why don't they force a migration to Windows 7, have a hardened build with whitelisted apps out of the box or look at completely segregated (if not offline) dev/test environments? There are plenty of companies that do this already.

If Google think moving to Linux or Macs is going to save them or reduce the attacks against them, then as Schneier would say, they simply do not get it.

Knee jerk reactions never improve security. Thoughtful, measured, planned responses do.


- J.

4 comments:

Sergicles said...

Have you considered that it could be a push for other reasons, for example to use their own kit...


Serg

Jarrod said...

Entirely possible but based on the publicly stated reasons, it is a security decision. I'm simply pointing out that the rationale is flawed.

- j.

Jarrod said...

Wow... looks like Jeremiah G quoted me - word for word hahahah

http://jeremiahgrossman.blogspot.com/2010/06/microsoft-security-is-good-enough-and.html

- J.

Praful Agarwal said...

I read your post, it’s really good. I will be back to visit often.
Career Mint