The blunder:
Over many years and many releases, Microsoft software has proven vulnerable to a plague of viruses, worms, Trojans, malware and other security snafus, the extent of which would boggle any reasonable mind.
What happened:
You know what happened, or rather, what happens. Microsoft puts out a new release and, like clockwork, fresh security problems are announced. Go to eSecurityPlanet and you'll see a constantly refreshed list of Windows viruses; it's about five to ten per day.
Pity the poor Windows user whose system is not enclosed in a fortress of the latest, greatest, extra-strength security software. Remember the I Love You worm? A single Trojan crafted by a lowly computer student brought down email systems from the CIA to the British Parliament.
In fairness, some security experts note that any OS with a user base as big as Windows would necessarily have problems. Its large market share makes it a fat target for legions of script kiddies worldwide (and worse, the fraudsters who make money selling knowledge of vulnerabilities).
But regardless of whether it's Microsoft's fault, is there not some way to find virtually all of a program's holes before it's released to the public?
Here's an idea. Prior to release, Microsoft could hire fifty of the world's top hackers, give them $10,000 a week and all the pizza and Red Bull they can consume. Set them up in a big warehouse in Redmond and turn them loose on the beta version. For every hack they find, give them a $50,000 bonus. At the end of three months, the hacker who's found the most vulnerabilities gets a $1 million grand prize and is allowed to throw a cream pie at Bill Gates. (Okay, maybe you leave out the cream pie bit; it might not fly with senior management.)
Sure, the scheme would cost Microsoft a few million, but when the software was done being punished, it'd be reasonably close to bulletproof. If, for example, Vista had been put through this trial by fire, this hack likely wouldn't have been discovered post release. Why is it that an obscure Russian hacker can find something that all the talent in Redmond can't find?
Moral of the Story:
It's not enough to ask company programmers to test your software. It's not even enough to release a beta version to well-regarded professionals. If you want really tough software, you have to allow some real-world poking and prodding prior to release.