So last week, as we all (should) know, there was this huge controversy about the security vulnerability in IE, affecting version 6 and up. It was rather critical, and as always with these kinds of events, it gives competitors a reason to show that they are better, which is of course not always true. I use multiple browsers and I personally prefer Opera and IE. I was also not too afraid of this bug in the browser, and I even had to give it to them: IE6 has been around since 2001, which in browser terms is like driving an old ’65 Mustang. Sure, there are better ones out there, and you should upgrade if it is about safety and security… but it is there, doing its job.
Microsoft was rather fast with releasing this patch, and they had to be, so kudos to them. Many other browser makers are not nearly as strict about building updates for all the versions still out in the wild. But the biggest security threat is not IE. Or any browser. It is our laziness, which is far worse.
Keep in mind, computers have absolutely not yet evolved into the next best thing. Sure, we like to think they have, but they simply have not. A computer is still a small thing, a glorified calculator, that can do some magnificent stuff and play Fallout 3 very nicely, but come on. No matter if it is a PC, Mac, or *nix machine, there is no rock-solid computer yet. But the hardware is one thing. Software is a much bigger issue.
As everyone working in the software or IT business knows, every chimp can make a computer program. Every person who has dragged-and-dropped a .NET application calls himself a programmer. Every person who has opened up MS Paint is a designer, and everyone who has more than one computer at home is a network administrator. It is the same as how the owner of a one-man company (a sole proprietorship) calls himself the CEO. And believe it or not, most people working in IT, even the ones at the major consultancy firms, simply are not the whiz kids you hope them to be (and pay for). The same goes for security and network administrators.
We tried, for one client, to find a good network administrator, simply to monitor the online servers. I have my share of knowledge, but I am not one myself. After one year (!) of searching and about 15 interviews, only one candidate looked somewhat promising. But when I showed him the servers, the first thing he wanted to do was open some ports that should not be open, and install software on them that simple Googling showed was a major security risk. So we ended up still with no one.
But that is how most security is handled. A company I worked for had it even worse. Every person’s user name was his or her first name plus the first letter of the last name. The password was, all in lower case, the first name followed by the initials of the company. The reason for this was that the CEO wanted to be able to log in to everyone’s computer to see what was going on. When I, of course, immediately reset my password on my first day there, that was a big issue, until I told him he had a network admin account and could sign in to everyone’s computer using his own credentials and see the same information about each person. But the company’s policy has still not changed.
And it is actually not even about that. If there had been a good network administrator around in this company, he would have enforced a password policy, despite the dubious requests of the CEO. If you want to have a safe network, you have to play by some rules, and if the CEO wanted a safe network, a password policy was one of them.
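As an added example (not code from the original post, and not any real product’s policy engine), here is a small Python checker that rejects exactly the scheme described above: a password that is the first name plus the company initials, or that otherwise contains the user’s own name, user name or employer. The names, the company “Acme Corp” with initials “ac”, and the sample account list are all made up for the example.

```python
"""Password policy checker for the naming scheme described in the post.

Rejects passwords derived from the account's identity (first name, last name,
user name, employer) and passwords that are too short or too uniform.
Added example; the company and employee names below are constructed.
"""
import string


def derive_username(first_name: str, last_name: str) -> str:
    """The user-name scheme from the post: first name plus last initial."""
    return (first_name + last_name[:1]).lower()


def check_password(password: str, first_name: str, last_name: str,
                   company_name: str, company_initials: str,
                   min_length: int = 12) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    pw = password.lower()

    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Require three of the four character classes (lower, upper, digit, symbol).
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 3:
        violations.append("fewer than three character classes")

    # The exact pattern from the post: first name followed by company initials.
    if pw == (first_name + company_initials).lower():
        violations.append("password is first name + company initials")

    # Anything derived from the identity of the account holder or the employer.
    username = derive_username(first_name, last_name)
    tokens = (("first name", first_name), ("last name", last_name),
              ("user name", username), ("company name", company_name))
    for label, token in tokens:
        token = token.lower()
        # Very short tokens (e.g. a two-letter surname) would match almost anything.
        if len(token) >= 3 and token in pw:
            violations.append(f"contains {label} '{token}'")

    return violations


def audit(accounts: list[dict], company_name: str, company_initials: str) -> dict[str, list[str]]:
    """Run the policy over a directory export; returns {username: violations} for failing accounts."""
    report = {}
    for acct in accounts:
        problems = check_password(acct["password"], acct["first"], acct["last"],
                                  company_name, company_initials)
        if problems:
            report[derive_username(acct["first"], acct["last"])] = problems
    return report


# Constructed sample directory mirroring the scheme in the post (company "Acme Corp", initials "ac").
SAMPLE_ACCOUNTS = [
    {"first": "John",  "last": "Doe",   "password": "johnac"},                 # the company scheme
    {"first": "Maria", "last": "Smith", "password": "Smith-rules-2010!"},      # contains surname
    {"first": "Pieter", "last": "Bakker", "password": "correct-Horse7-battery"},  # passes
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, "Acme Corp", "ac").items():
        print(user, "->", "; ".join(problems))
```

Run it against a real directory export and the output is the list you hand to whoever set the scheme up: every account still on “first name + company initials” shows up by name.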
Also, users themselves are usually a major security issue. Everyone prefers to have their passwords filled in automatically so they don’t have to type them every time. And they surf to the most insecure websites after being lured in by warez sites, illegal downloads, or deals that sound too good to be true.
Another major problem is the update routine. On a workstation where you as a user carry a lot of responsibility, you need to update your computer at least once a week, or whenever your network administrator tells you to. Don’t be lazy, just do it.
And I should really place myself squarely behind Microsoft here; the reason I am not upset about the IE6 hack is finding out that companies like Google and Adobe were actually still using this browser actively. How can these companies, who should be front-runners in IT security, defend still working with such an outdated combination of systems??? Because, let’s face it, the hack did not take place on test computers; test computers should run in a secure area, off the network.
Sigh. Well, let’s say the conclusion is that the way people these days tend to respond to these security problems is like teaching children in the ’60s to duck under their school desks in case of a nuclear strike. There is a lot of shouting going on, but not a lot of people are really doing anything about it. I would have loved to see the look on the hackers’ faces when they found out that these companies were still running this ancient software. It is like kicking in an open door…