Windows update makes data safer, but not safe

By Dan Gillmor

Mercury News Technology Columnist

In the insular world of technology, the release of a new Microsoft operating system or major update is always a big event. But the arrival of Windows XP ``Service Pack 2'' has more meaning than usual.

It represents Microsoft's most serious effort yet to deal with an endemic situation, namely the company's generally woeful record on security. But it also highlights the enduring and more fundamental reality of modern computing, including the risks that accompany our mostly captive allegiance to a monopoly product.

I haven't installed Service Pack 2 (SP2) yet on my Windows computer. I always wait a few days or weeks before installing any major update of this kind, whether for Windows or my Mac. There are just too many potential gotchas, and I'd rather let someone else stumble over them.

Details coming Monday

My colleague, Mike Langberg, will tell you a lot more Monday about SP2's nuts and bolts. My purpose today is to look at some of the more global issues, such as what this software means to the overall computing firmament in small and large ways.

Microsoft made noises about security in Service Pack 1, and with Windows XP when it was first released several years ago. The promises have had a hollow sound, in part because ever since those products were released, Microsoft has been issuing one ``critical update'' after another, plugging this security hole and that security hole.

But there's no question that the company with an operating-system monopoly is finally confronting the scandalous quality -- at least in terms of safety -- of its products, a reality that has been a constant pain to users and threatened to have an impact on the bottom line. (I, for one, keep wondering why the trial lawyers haven't noticed the target Windows must surely represent.)

Unfortunately, due to the basic nature of Windows -- even XP, which is definitely sturdier than its predecessors -- Microsoft's efforts to make it safer remind me of the old days when I owned a car in snow country. You can't paint over rust and expect the car to last.

Safety is not Job One

One of the biggest problems is Microsoft's business strategy, a constant pushing of computer users toward its own products, period. To keep its monopoly, Microsoft has opted for a software architecture that sometimes combines products even when they should remain separate, or at least modular. When Microsoft made Internet Explorer a nearly inextricable part of the operating system, for example, it put new vulnerabilities into people's computers. ``ActiveX,'' a competitor to the much safer Java environment, has been a horrifyingly open-to-hacking technology. Moreover, Outlook, the e-mail software, has a history of user-friendliness for the scum who use it to spread viruses and worms by, say, hijacking your address book to e-mail the latest malevolent software to everyone you know.

As time has passed, Microsoft has given its customers more options to turn off the dangerous settings. But users tend not to change the ``default'' settings: the way programs are set up out of the box.

That's why I'm glad to see that SP2 will turn on the XP

firewall automatically. The XP firewall isn't perfect, but it's a lot better than nothing.

Of course, not even Microsoft's wildest partisans will claim that SP2 will turn the safety switch to ``on'' in an all-encompassing way. But it's safe to assume that users' computers will be somewhat safer than they were before installation.

This is one reason why I continue to prefer my Macintosh computer, which is my primary machine for everyday use. The Mac operating system, OS X, is based on a form of Unix. It's relatively secure but not absolutely safe, either. But Apple has been more careful to make the default settings less open to troublemakers.

Mac users have suffered several security scares recently -- nowhere near the number that afflict Windows but nonetheless serious enough to be worrisome. Apple's responses haven't always been as timely or as reassuring as I'd like. Still, unlike my Windows machine, my Mac hasn't been infected with mal-ware of various kinds behind my back.

There's little doubt, of course, that if Macs suddenly had Windows' market share, the malevolent hacker community would turn to the Mac for their nasty kicks. But for basic architectural reasons, it seems at least probable that the bad guys would have a somewhat more difficult time making trouble if the Mac was the target.

A deeper issue here is Microsoft's fundamental belief in monopoly, which means a computing monoculture. Biologists know that monocultures are dangerous, that diversity in any ecosystem is almost always preferable, because it spreads risk.

Personal computers are part of a larger ecosystem. Digital data is increasingly part of our lives, and it lives in all kinds of systems that increasingly are connected to each other. Whatever good SP2 will do, it won't have an impact on the much wider issue, namely lip service being paid to security while the doors are being blown wide open by people we would prefer to trust.

Governments and companies are shredding our privacy on a routine basis. All the security we can get on our individual devices will be meaningless if the information is available by other means. This is going to be a much more difficult issue than the admittedly difficult problem of making PCs and other devices safer.

Article continued at: http://www.mercurynews.com/mld/mercurynews/business/9406910.htm?1c