Windows 10: From ‘May the force be with you’ to ‘We’re forcing it on you’

So it’s happened…Microsoft have made downloading their latest operating system non-optional for most of you

It will be downloaded onto any Windows 7, 8 or 8.1 machine with automatic updates enabled, and will automatically initiate the installation (albeit with a prompt to ok or stop the install).

After dealing with daily coercion to proactively upgrade, I had a rather grumpy response to Microsoft saying how ‘humbled’ they were by the record speed of rollout:

The pro and con discussion, for me, falls into four camps:

  1. How dare they take away my right to decide what runs on my kit
  2. Oooh, it’s far lighter weight and there’s some cool new functionality
  3. How dare they make it so damn tough to find and stop all the enticing, Cortana-ish stuff that scoops my personal data
  4. Thankfully, given consumer patching is often woefully out of date (putting everyone interacting with end users at risk), we’ll be guaranteed at least a newish baseline for Windows box functionality and security.

Culminating in this post to untangle things. Starting with a phrase that makes my blood boil:

It’s for your own good!

I’m the kind of woman who hates being told what to do “for my own good”. Anyone without a severe dose of tech ‘white coat syndrome’ likely feels the same way. Luckily I have hard won knowledge, good research skills, and trusted expert advisors. They equip me to know whether baseline ‘good’ is really, on balance, a cost, convenience, and security win specifically for me. So not swallowing that pitch for an all but forced upgrade.

Conversely, when one of those annoying red lights comes on in my car, I have to throw myself on the uncertain mercy of car makers, and car maker approved mechanics…Ugh.

That, in a nutshell, is where almost everyone else sits in this debate. Unaware, unconcerned, relying on mainstream pro vs con articles, or frozen by FUD. So here goes the attempt to work through what irks me (and please do shout if you have something to correct or add).

How justified is ire at the mandatory upgrade?

It all comes down to how wedded you are to a particular software vendor’s wares, and how much sympathy you can muster for the design, debug, update, and support burden they bear. Companies and private individuals have become used to operating systems reaching end of life. Although the average Joe or Jane using Windows can be far more agile when it comes to upgrades, they usually aren’t. A computer or laptop is a big investment for many, as is buying operating systems and other software packages. Not to mention new peripherals and programmes to replace ones that stop working. So a new OS often only happens when they can justify buying new kit.

In a similar way, big corporates build tangled bespoke and commercial IT webs around their end user computing environments. And, when operating systems go out of support, it often isn’t cost-effective (or technically feasible) to untangle and evolve some of it. Just look at the situation with ATMs. When support for Microsoft’s 13-year-old XP operating system ended in 2014, it was still reportedly running on 85% of ATMs (from NCR, largest US ATM supplier). Some were upgraded to Windows 7 and others were running the embedded version of XP that benefitted from extended Microsoft support, but this year that also ends.

So most folk, corporate or otherwise, stick with what they have for far longer than they should, and vendors understandably limit how long they will deal with implications of that renewal lag. But vendor fortunes are built upon fostered interdependence, and they can’t afford to alienate folk who’ve invested millions. As a result they have an incredible cumulative development and support burden. Shoring up software for far longer than is rational in tech evolution, functional, and security terms.

Support contract funded development

That model, where the majority of development costs are funded from support contracts, is insidious and hard to short-circuit. Customers finance the upgrade step they’ll eventually take by paying royally to shore up old software they can’t or won’t change. Standard support is supplemented by even more costly End of Life packages. That encourages release of ‘Beta-ish’ new software, because first entrants (thanks to sweeteners, or Windows 10 type prodding) take much of the testing burden. Testing that invariably highlights bugs, vulnerabilities, and interoperability issues. Problems that support income allows firms to fix, before their big hitting corporate clients take the upgrade plunge.

But don’t take my word for it. Here’s Selena Flood, formerly a programme integrity analyst for the US government, and now an Adjunct Professor of Cybersecurity.

It is a little known fact by security and IT professionals that approximately 60-80% of software production costs are derived from software maintenance expenses…. Therefore developers recoup these backend costs by passing them on to the consumer.

The software titans already know that their pre-market testing costs will be significantly reduced if they release their ‘buggy’ product and simply wait for the consumers to report the bugs to them. The developers decide which fixes will yield the highest cost-benefit to them, not the consumer. 

Software maintenance fees pay for the product’s development (more bells and whistles), technical support and – believe it or not – the FIXES for the original defective software.  That’s why we can buy super cheap software that is accompanied by ridiculously high tech support costs. 

That’s a non-trivial culture to change (if there’s a workable model to replace it?) for all the IT and security professionals demanding vendors do better at building in functional stability and security.

Alternatives?

If a rock solid challenger arrives in the market, a real commercial competitor for the corporate OS crown, how would they survive? Where’s the income stream to finance building the business and the next release? How many would buy a support contract for a product whose proven USPs are reliability and security?

Linux distros FTW? Well it certainly shifts the support and dev burden away from vendor HQ, but where to? To the Linux skills market, that’s where. A situation that naturally cycles round to firms paying top dollar to ring fence Linux SMEs. Taking on the infrastructure, security, HR, finance, and marketing burden associated with attracting investment and establishing market share. But it’s not an immature market. Linux servers already underpin most of the internet, and there are undeniable functional and security benefits associated with a Linux powered end user world (here TechRadar take a detailed look at Linux Vs Windows). But that will be outweighed for a long, long time by OS renewal lag and the legacy rejig burden in messy corporate IT estates.

The only people who can avoid that trap are folk who never wrangle an availability-focused, distributed, deathly-interconnected, and depreciating 10,000 endpoint estate. Folk who rarely have the motivation and skill to move away from what they know.

The associated data land grab

No wonder the big hitters are looking to nail their future USPs and/or diversify into data analytics enabled complementary markets. The data land grab is raging and won’t end any time soon, and one thing the big OS vendors have over many competitors is huge captive populations of data generating users. It’s not whether it’s morally right, it’s whether it’s economically necessary, and within legal bounds.

And for Windows 10 it is (of course?) within legal bounds. You are told about Cortana collecting data to ‘improve your user experience’, why MS Edge + Bing ping your local and web search data back to HQ, and all the other performance and usage data shared to help you out. You said ‘ok’ to that when you clicked the box to accept terms and conditions during install. You’re not stuck with most of that. If you are happy to forgo some of the Cortana-esque bells and whistles, most of it can be switched off…or can it:

Here’s Gordon Kelly in Forbes reporting on Microsoft’s initial admission that more data was getting shared than initially thought.

Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped 2nd November


Then a follow up, also by Gordon Kelly in Forbes, discussing a developer thread where the scale of alleged abuse was called out:

Windows 10 Worst Secret Spins Out Of Control 9th February


Prompting a riposte from ZDNet challenging those findings in no uncertain terms:

When it comes to Windows 10 privacy, don’t trust amateur analysts 11th February


All require technical knowledge to properly assess, but it’s clear the debate will rage on. And in the meantime BGR published a list of tools that help you disable the easier-to-find data-collecting functionality.

But that’s mainly pitched at the IT and security community, the subset of people most likely to care and act. If you are one of the folk who seeks and disables things that fire your data into the ether, you’re in a tiny minority. Consumers (see hand over fist app installation and app privilege granting for details), largely don’t know the implications, or don’t care.

So, regardless of the technical ins and outs, there’s lots of data changing hands. Between the offensively persistent ‘Install Windows 10, Install Windows 10, Install Windows 10’, digital prodding, and the ‘Never mind, we’ll install it for you’ eventual upshot, Microsoft are in the process of acquiring a gigantic ocean of our data.

From a strategic development point of view, that was a no-brainer move. ‘Collect data or die’ is an almost ubiquitous market mantra. Whether that serves to evolve Windows 10 into the ‘best OS yet’ or helps them diversify to establish pre-eminence in other software markets is yet to be seen.

But it’s ok, big vendors take your security and privacy very seriously

So, as I said when Selena originally agreed to let me publish her quote: “Quis Custodiet Ipsos Custodes?” or “Who watches the watchmen?”.

It would be wrong to say the big software houses don’t care about robust design or security. They care as much as money markets and customers care. They spend billions making sure they ship something folk will spend hard earned cash on, and they employ many deathly talented and principled staff. Security (a.k.a. ‘Cyber’) focus has never been more intense, and there’s Snowden- and legislation-fuelled awareness of privacy implications. But where’s the ultimate sanction for poor solution design, permitted overkill for data collection/use, and lack of due diligence treating identified risks?

Right now it’s nowhere. Here’s a quote from Veracode’s CEO, Bob Brennan, published by SC Magazine last year.

To highlight how big an issue this is, nine out of 10 third-party applications get an F when they are independently audited for security threats. A model system would enable an enterprise to – at a glance – understand which of its vendors is not systematically addressing the cybersecurity of their products and prioritize them for further inspection and remediation.

The solutions Bob proposes all hinge on customers upping their audit and code review game (not surprising given the business he’s in). If we’re talking outsourced website design, bespoke software development, or small software vendors, sure, he’s got a point… but Microsoft? We all know how that conversation would go…even if we asked really nicely.

Risks are being transferred to us, the consumers. Few of us are equipped to understand and manage them (even when we are aware of them and they are within our power to mitigate). Local limitations and legacy mess stop us from being nimble. And prevailing economics in the software market mean there are few alternatives for anyone upset enough to vote with their feet. So all that’s left is hope. Hope that the giants, pulled by costs, and pushed by market conditions, get it right.

If you are now feeling like a helpless victim of the money gods, shaking your fist and shouting at clouds, you are not alone.
