Microsoft Lays Out the Realities of Computer Security September 6, 2011Posted by Peter Varhol in Software platforms.
I don’t care much for the burdens placed on me by the requirements of computer security. I don’t do stupid things online, but there is a part of me that relies on “security through obscurity”. Above all, I simply hope that I don’t get noticed by those seeking to wreak havoc on people’s computers or online finances.
Someone pointed out to me Microsoft’s published Ten Immutable Laws of Security, published on TechNet. I’m sure these have been online for a while, but I wanted to point them out. In general, they’re pretty good, although they are entirely too wordy.
I like to describe security as a continuum, with most secure to least secure at opposite ends. Better security puts higher demands on the user, through more complex passwords or more steps to accomplish a specific task. At the most security end is a computer without I/O, locked in a vault that doesn’t permit entry. As such, it’s completely unusable for any task involving a user. The most user-friendly computer, on the other hand, is likely to be the least secure.
So you really only need one law – Any computer intended to be used has security flaws. Deal with it.
Microsoft has always taken its share of criticism over the sheer number of viruses and other hacks that target Windows. A part of that criticism is deserved, in large part because Microsoft insists on keeping large amounts of old code in the OS for backward compatibility purposes. But another part is simply that Windows is such a big target. Hack Windows, or write a successful Windows virus, and many will be feeling the pain.
But there are no absolutes in life, and that goes double for security. It’s impossible to build a system that is provably secure from all possible attacks (formal methods do permit the building of systems with some provable aspects, but those methods can’t take the human factor into account). Whatever we are doing online, it behooves us to exercise due restraint.