ietf

Re: Any value in this list ?

2001-08-01 22:50:03
Keith writes:

perhaps because they are shipped that way?

Microsoft ships servers with most security features set to low security, because
customers whine and complain otherwise.  Customers buy on the basis of features
and ease-of-use, not security, no matter what they might claim to the contrary.
Put a product on the shelf that is configured secure by default, and it will
still be on the shelf ten years later.

But do you really expect a user to understand
that when he clicks on something that is apparently
(to him) an image, or even a word processor
document, that it's going to *execute* something
that can potentially infect his system?

Yes.  It only takes a few seconds to learn.

And consider this:  If a user cannot understand that he should not click on an
attachment, how do you expect him to ever understand how to deal with a truly
_secure_ system?  One reason customers do not buy secure software is that their
end users refuse to deal with it.  People hate to type passwords and hate having
any restrictions at all on what they can or cannot do with a machine.

Microsoft deliberately ignored this advice and
chose to make their users vulnerable - not just by
making the content "executable" with a single
click, but also by bypassing the safeguards in
the content-type registration system.

Microsoft's objective is to stay in business, and to do that, it has to give
customers what they want.  Companies that adhere to some noble ideal even when
this prevents them from actually selling anything aren't around for long.

If you want these standards adhered to, then I suggest you educate and persuade
users so that they demand them from vendors.  Right now, it's just the opposite,
and so that's what vendors provide.

Or are you saying that Microsoft employees are
no smarter than the average user (whom you expect
should know better than to "execute" a virus)?

Microsoft employees who are not IT specialists are no smarter than the average
user when it comes to opening attachments.  There are lots of non-IT people
working at Microsoft nowadays, since it is a large company.  Indeed, as it grows
larger and deadwood in management accumulates, even people who should probably
know better (based on their positions within the company) start to make these
stupid mistakes.  This has become apparent many times, and I'm sure that other
software vendors have exactly the same problems internally.

no, it's more like blaming automobile manufacturers
for producing cars whose brakes fail when used normally.

No, it's more like blaming automobile manufacturers for brakes that don't apply
themselves when the driver is too stupid to apply them himself.

Presumably, that includes the actions of those
at Microsoft who chose to make their customers
unnecessarily vulnerable.

It's not unnecessary.  If that isn't done, nobody will buy the products.

It's convenient to blame Microsoft, but it's simplistic.  All successful vendors
get that way by providing what customers want; if you don't like what they are
producing, then I suggest you look at their customer base, not at their
engineering teams.


