Really, Microsoft? A Tax to Fight the Vulnerable Software Epidemic?

Don Tennant

That's it. Microsoft's "Trustworthy Computing" shtick has gone so far over the oxymoronic top that it's just no longer possible to give the company the benefit of the doubt.

 

If Microsoft Corporate Vice President for Trustworthy Computing Scott Charney had any credibility at all, he lost it yesterday by calling for an Internet usage tax to deal with the ramifications of security vulnerabilities in software.

 

According to a story on Computerworld by IDG News Service correspondent Robert McMillan, Charney suggested to attendees at the RSA security conference in San Francisco that a health plan to fight computer viruses could be funded through taxation:

"I actually think the health care model ... might be an interesting way to think about the problem," Charney said. With diseases, there are education programs, but there are also social programs to check people for disease and quarantine the sick. This model could work to fight computer viruses, too, he said. When a computer user allows malware to run on his computer, "you're not just accepting it for yourself, you're contaminating everyone around you," he said. "Maybe markets will make it work," Charney said. But an Internet usage tax might be the way to go. "You could say it's a public safety issue and do it with general taxation," he said.

Really, Scott? When you suggested that a tax should be levied to clean up the mess caused by your company and others that market vulnerable software, did you really think we'd all look at each other with nods of agreement, impressed by the brilliance of your epiphany? Didn't you realize that revelation might just backfire on you? A reader who commented on the Computerworld story encapsulated what many of the rest of us are thinking:

The health care analogy seems to have some merit. And the Mayo Clinic is doing some groundbreaking work where doctors get paid for WELLNESS instead of for SERVICES RENDERED. A similar healthy incentive would be created if this new tax were paid by operating system vendors on the basis of how many computers running their operating system were found to be infected!

Many Microsoft haters would love this, confident that Mr. Ballmer will pay through the nose. But Apple and Red Hat and Oracle would find new reasons to be vigilant as well!

It's unfathomable that a company with Microsoft's resources can be so clueless and out of touch. The Computerworld article also stated that according to Microsoft, there are 3.8 million infected botnet computers worldwide. Really? Then how is it that just yesterday, authorities in Spain busted the Mariposa botnet, which infected 12.7 million computers?


 

Come on. If Microsoft expects to be taken seriously as an enabler of "trustworthy computing," it needs to do a lot more than this to demonstrate trustworthiness. Taxing users who find the software they bought is non-secure is like taxing Toyota owners for finding they have faulty gas pedals.



Mar 4, 2010 2:16 AM Nick67 says:

Alright Don, quit joelling.

Yes, we all know that the most secure computer is an unplugged one.  We also know that the most popular OS is the one with the most software, the most configurability and the best backward compatibility.  We also know that you CAN secure your desktop OS--but you don't HAVE to--which is why big botnets come into existence.  It's not that millions of machines get sewn into botnets through zero day exploits--it's that end users don't secure their OS, don't run anti-malware software and don't care.  That isn't MS's fault.

Your snarkiness is as foolish as accusing Toyota of making a faulty product when a car thief steals a car and wraps it around a pole.  Cars have keys and door locks and garages, but they still get stolen and abused.  Some drivers leave their cars running, keys in ignition, when running in for a pack of smokes--and then their cars get stolen.  Is that the car company's fault?

The very things that make an MS OS desirable also make it abusable.  That's just the way it is, an unavoidable tradeoff.  What was discussed by MS is some sort of market mechanism to incentivize users to take care of their OS--much like insurance companies do by adding riders to your policy that costs incurred by an auto theft where the keys were left in the ignition will not be covered.

Just as all of us can be potentially affected by auto theft, and we have worked out systems to mitigate its impact and lessen its frequency, we could consider systems to mitigate malware's impact and lessen its frequency too.

Think a little sometime.  MS OS's aren't going away--they're too useful just the way they are.  The question becomes, how do we evolve the IT ecosystem to lessen its diseases while maintaining its usefulness.  An anti-MS diatribe isn't a thoughtful answer.

Mar 4, 2010 4:04 AM Frank McGowan says: in response to Nick67

I think you are unfairly abusing the author of the piece.  The model, though not great, is at least usable while the current "Zero Day Responsibility" (TM) model is quite demonstrably broken on a profound level.

That said, I do not favor a tax to deal with the situation, particularly because I suspect the proposed tax would raise money to be dispensed to MS for security research.  No thanks.

However, we can still use the PH model.  People have been prosecuted for spreading AIDS by continuing to have unprotected sex after being notified they were HIV-positive.  An earlier example is "Typhoid Mary" who was committed to an institution for life because she was contagious though there was nothing she could do about it at the time.

Let's apply that model.  OS vendors, including MS, already do the "public vaccination" campaign sort of thing and only a relative few people participate. 

If you are notified your PC is infected - or contagious - you get 3 choices: "cure" it by applying all the patches, disconnect it from any network or you get prosecuted...

How useful do you think people will find Windows if their $500 (unpatched) PC suddenly costs them at least that much in fines? 

How popular do you think Windows will be after the first few such cases?

Which OS do you think will suffer the greatest market loss under similar rules?

Will this also cure the Windows "piracy" problem???  I think it might.  If you can't patch your copy of Windows because it isn't licensed, you can't stay connected after you receive notification of infection... making the fine for spreading infection more than the retail price of Windows should approach a total "cure" for the unlicensed Windows epidemic.

But... 

There are many Win9x boxes out there and more than a few Pre-XP NT boxes for which all support has been terminated.  What do we do about those?

Well, how old does Granny need to be before Public Health can stop giving her flu shots?  Hmmm... there is no such age, is there?

Maybe OS vendors shouldn't get to discontinue security updates, either, unless they automatically update your OLD OS to a NEW OS... 

I have only heard of one OS even contemplating automatic kernel updates without all those annoying reboots... 

It isn't Windows.

Mar 5, 2010 3:42 AM Nick67 says: in response to Frank McGowan

I personally have Win2K boxes in production.  They still get security patches.  I can't phone MS for support.  Big deal, I have never made that call yet.  I know of absolutely no 9x boxes still in use--and I doubt that anyone is enough of a glutton for punishment to be running NT 4.0--but you never know.

I take issue with blaming MS, when the reality is that end-users like MS products just the way they are.  The drumbeat of 'poor, bad, insecure' has been ongoing for more than a decade--and Windows is STILL 95% of the market.  That has to tell you something.  MS's business model is NOT broken--and the 'fix everything regardless of what it breaks' crowd is NOT on the right side of the economics of the issue.

Scott Charney's musings are similar to what must have gone on at the beginning of the automotive age.  "These devices are expensive, they can be abused, there is high incentive for theft, and we need rules for how we will all operate them, so that it can be done safely.  We need to license people to operate them, uniquely identify the operators and the devices so that rule-breaking can be punished and deterred, and we need to devise a system to cover the cost of all this."  Sound thoughts.

We are only just now coming to the realization that the information superhighway needs a regulatory infrastructure just as much as the highways did.  AT&T claims that 'road-hogs' chew up 80% of their 'highway.'  We have spam jamming up 40% of the 'parking spots' in our inboxes.  We have botnets 'stealing' our machines.  We have browser hijackers 'joyriding' our machines.  It's time to sit down with ALL the stakeholders and work out the rules of the 'road' and how to pay for the 'traffic cops' and 'DOT.'

To heap scorn on MS because they created, arguably, an ecosystem as important and as complex as the automotive transport system, without being able to control it in its entirety is both unfair and naive.  The IT ecosystem is now a heck of a lot bigger than MS--and to try to claim that MS must be its police officer and nanny is ludicrous.  It is naive in the extreme to think that, even if EVERY single piece of MS software was put out of commission today, that the problem would just magically go away.  There is money to be made in abusing the IT infrastructure.  The crooks will just move on to the next target of opportunity.

And as for how popular Windows would be after the first few prosecutions for bad behavior--just as popular as ever.  People would turn on automatic updates, install some antivirus, and run some antimalware and be done. It's not like 93% of people don't do that already.

Did you decide not to drive a car when you found out you'd need to get a driver's license, register your car and insure it?  Of course not.
