The RMSA Conference: Vista and IPV6

Waiting for a plane to Austin in San Francisco airport, I sat next to a guy who had also been to the RSA conference. Comparing notes on the technologies and products we had looked at, we jointly agreed that it should be renamed the RMSA conference, where RMSA stands for Rescuing Microsoft’s Sorry Ass.

It’s true that there are technologies on display at RSA, like identity management and biometrics, that have little to do with the security disaster that is Windows. However, more than half of IT security revenues are spent on fixing Windows issues, whether it’s AV technology, whitelisting, IPS, patch management (the most dangerous exploits are Windows exploits) or anti-spam (legions of Windows machines that are spam bots). That would be fine if all these products (or at least some of them) were actually fixing the problem, but there’s little evidence of that.

In Praise of Vista

At the conference I listened to a presentation on least privilege. Least privilege, in case you didn’t know, is a best-practice security strategy aimed at reducing the permissions available to users down to only those they need and no more. This isn’t a new idea; it’s almost as old as commercial computing. However, in order to use it, you need to have an OS with a robust permissions system for granting access to files and running executables.

You may remember that when Vista was launched, Jim Allchin of Microsoft was advocating the upgrade to Vista for the sake of security alone. That was good advice. The problem with XP was that you needed administrator capability in many trivial situations, often simply because an application or patch you were installing needed administrator capability. This made it easier simply to configure everyone with administrator capability. Vista has a much more workable system of permissions, where setting least privilege is feasible and easy.

The presenter provided an interesting data point. He said that about 90 percent of malware will not work unless it has administrator privileges. My inclination then is to encourage people to go to Vista (or go to Windows 7 when it’s ready) rather than stay with XP. Windows security problems breed. Part of the problem lies in the fact that so many Windows PCs can easily be compromised and regularly are compromised. This provides the hacker community with a huge resource and they use it to trade information as well as launch spam and virus infections.

IP Version 6

Another thing that would help everyone’s IT security is IP Version 6. In case you didn’t know, IPV6 is the next generation Internet protocol and it is a damn sight more secure than the current version (IPV4). Its introduction would cripple the criminal cybernetworks because it would be possible to trace the source of everything. So the world is desperate to implement IPV6 – well, not exactly. It can be implemented now, but at the corporate level, only if all the networking software you use is IPV6 ready – and it isn’t. So, right now, IPV6 is available with some ISPs and hosting companies and it’s mandated in some countries (Japan is an example). But it’s not anywhere close to universal.

There’s a point at which IPV4 ceases to function because it simply runs out of numbers. That is the point when there will be 4 billion Internet addresses and it arrives at some point in 2010. You’d think that governments would simply mandate it, but few have.

Why the Problems Persist

In IT, we do not act like a community. We seem to prefer to implement a patchwork of IT security solutions rather than to get things right, and we don’t seem to care that a good deal of cyberspace has been ceded to criminals. Luckily the sheer momentum of Vista and Windows 7 will push most people (except those buying Windows netbooks) on to a more secure OS and, it’s just possible – it’s not guaranteed by the way – that when IPV4 runs out of addresses we will move to a secure Internet protocol.

What mystifies me is that no-one seems to be in a hurry.

  1. April 24th, 2009 at 13:39 | #1

    Instead of recommending an upgrade to Vista, and adding an extra GB of RAM, why not recommend an upgrade to Linux or MacOS or SunOS or BSD? Seems easier, cheaper, and more effective. Then we can move to IPV6 on a more reasonable time frame.

    My view has been that each time you upgrade, it’s an opportunity to switch. I switched from DOS 5.1 to Linux in 1992 when I upgraded to a 386. At home, I don’t have an IT army to maintain my virus scanner and firewall – I’ve got work to do. Who has time for Windows?

  2. Bloor Robin
    April 24th, 2009 at 13:56 | #2

    Your point is well taken. Certainly it is a sensible idea for the consumer to think of Linux or OS X. Naturally the corporate user cannot make such a switch so easily because of the weight of Windows applications – although a handful of companies have made such a switch.
    I switched to OS X in 2005 and run Windows in a VM for the few apps that don’t run under OS X. I have saved myself days and days of work by making that switch – and I know it would be the same if I’d moved to Linux.
