May 23rd, 2006
The real reason we shouldn't depend on Microsoft for security
There is no question in my mind that Microsoft is getting security right and that this means there’s trouble ahead for third party security providers. But is Microsoft’s technical prowess enough to justify using its security solutions in lieu of those that come other providers? Or should you forget comparing capabilities and instead focus on how a potential conflict between the needs of Microsoft’s partners and the needs of its customers could interfere with your best interests (securitywise, that is)?
About three quarters of the way into last week’s Dan & David Show, we have a sound bite of Symantec CEO John Thompson explaining why it makes sense for users to turn to third party security providers instead of relying on Microsoft to secure their systems. By the time Vista ships, Microsoft will be including in the operating system, offering for download, and offering as Internet-based services a variety of security offerings that go head to head with the offerings of companies like Symantec and McAfee thereby drawing the viability of third party offerings into question. In that sound bite, Thompson said:
When you have a monoculture, a true monoculutre, a single attack could wipe out literally millions and millions if not tens of millions things and people. And we truly have created in the desktop world, a monoculture and therefore, diversity in the security platforms that ride on top we think is of great value in protecting that infrastructure.
In a subsequent interview of Thompson, my colleague Dan Farber quotes Thompson as follows:
"Our only concern is whether Microsoft will play fairly," Thompson said. "If they deliver their classic portfolio, we can compete. However, if do something unfair, it will be difficult to compete against them. We have other venues for making our point."
Thompson is clearly on the defense and trying a variety of different messages to see which one sinks in. But, in light of recent revelations regarding the launch of MTV’s Urge and how it works hand in hand with Microsoft’s Windows Media Player 11, there’s probably a much better way to pitch the viaibility of third party security companies and it has to do with the conflict of interest that results from Microsoft’s involvement in facilitating invasive DRM techniques — techniques that Microsoft’s own anti-malware technologies are designed to stop.
Microsoft is between a rock and a hard place. In partnering with MTV to provide a nearly frictionless and pristine user experience that works across Microsoft’s digital rights management technologies, is it obligated to let that partner’s practices slip trough its own anti-malware dragnet, even if those practices are normally ones that Microsoft’s technologies would stop dead in their tracks? As fellow ZDNet blogger Ed Bott wrote, by consenting to MTV’s licensing terms, you are also consenting to let MTV do all sorts of things that you’d never let anyone else do to your PC. Things that even Microsoft says its anti-malware is designed to thwart. This is not to say that Microsoft won’t or can’t come up with some acceptable solution in the case of MTV. Perhaps some friction will be added somewhere so the end-user has to approve of any software updates that MTV sends down the pipe. I’m sure Microsoft has a lot of options.
But who would you rather rely on for your security? The company that has to some how resolve that conflict of interest between its partners and end-users, or the company that doesn’t have that conflict? Perhaps this is what Thompson was alluding to in his reference to desktop monocultures. But, if he and other security companies really want to make their case, then it’s better to give specific examples like this one.
