I was originally going to post about this last week, when I first saw it.
I backed off from posting about it for two reasons:
- What I saw was a quote from a telephone conference, which may have been off-handed and jocular.
- I know I'm perceived as anti-Microsoft out there by some people.
The first reason was more important, really. A snippet from a transcript is hardly a press release. This didn't seem like fair game, no matter who said it.
It's unfortunate that someone so high-up in Microsoft said it, and it was thought as news by enough people that we've seen a Storm in a teacup over it. But I was waiting for repetition or clarification before I waded in.
[Editor's Note: Is this still Phil? Has he been captured and replaced by something... else?]
The second reason is somewhat self-explanatory. I work in an arena where Microsoft's sales and marketing messages have frequently been, shall we say, debatable. They have sometimes been outright deception. And in calling a spade a spade, I will seem biased somewhat.
So I waited.
Jim Allchin posted a clarification shortly afterwards, which I have mulled over.
He said something without establishing context. Fair enough.
But I don't think he's gone far enough in his response.
Here's the facts, as I see them: If the machine is connected, then you need antivirus. Full stop. Anything else is just reckless. More than that, it's socially irresponsible.
I don't care if your browser runs in a special sandbox and the account using it is locked down on the machine. (You need antivirus.)
I don't care if you whitelisted which websites can be visited. (Sites can be hacked. You need antivirus.)
I don't care if new software can't be installed on the machine. (How many viruses come with a Windows Installer package? Viruses aren't designed according to platform programming guidelines. You need antivirus.)
I don't care if the only things that can be run are trusted programs you've whitelisted. (Data files can - and have been - used to deliver executable code via buffer over-runs. You need antivirus.)
You. Need. Anti. Virus.
There is one situation where I would accept a complete lack of antivirus. And only one:
If the machine is not on a network or otherwise connected to other machines; has no removable storage devices; is completely secured in its configuration to prevent configuration change, application installation/removal or other forms of undesirable change; and is not used except by users known to be safe and nonthreatening.
For instance, the idea of a pre-configured kiosk with a secured configuration and a pre-loaded, verified data set that is used by just one certified application. And that's not a machine type you'll see very often.
The closest you ever saw to it was probably in a lobby or at a trade show on a stand, so it hardly fits the "safe and nonthreatening users" criteria anyway.
An invulnerable machine that doesn't require antivirus is, in almost all situations, a fairly useless machine.
But all technical reasons aside, you need antivirus because you need to be a socially responsible citizen. Viruses are not your problem or my problem, they are everyone's problem. And they will be until they're nothing but interesting historical examples in a variety of virus vaults for researchers and historians to look at.
Here's a thought experiment to help get my point across...
Imagine you are given a radical new treatment which boosts your immune system massively. You're now immune to pretty much everything. So you go on your merry way, expecting to never fall ill.
And you visit some friends in a hospital. In doing so, because you're running late, you d ecide to dash through a ward rather than stick to the corridors. Aren't shortcuts wonderful?
And in doing so, you wander past someone with something horrible. I don't know what. Ebola. A very nasty strain of flu. Smallpox. Actually, let's say smallpox. That's been wiped out, so hopefully nobody will accuse me of mocking the afflicted here...
Just because you're not going to catch the disease, should you dash past the disinfection showers? After all, it doesn't affect you.
Or should you show some due caution and respect for others, and wash down anyway? Just in case?
A machine without antivirus but with a network connection/removable media is in exactly the same situation. It needs antivirus, so that it will not become a distribution vector as the person in our experiment will.
In fact, just like the person in our thought experiment, the machine is now the very worst kind of possible distribution vector - because it's never going to be affected by the malware. It will continue distributing digital smallpox for a very long time, unaware of what it is doing and untroubled by it too.
You owe it to your friends and family to install and keep up-to-date antivirus.
And the moment Jim Allchin's son gets a USB key or access to some kind of network storage or email, he needs antivirus. Otherwise, he's just going to be prolonging the pain for everyone else.
So if anyone you know doesn't have antivirus, ask them if they'd scrub down after meeting someone highly infectious. Point out that they're prolonging the lifetimes of viruses, and could even now be passing them on to other people. No matter how safe they may feel now, they're being reckless and irresponsible. And that they may not be safe anyway. (Remember what I said about data formats and buffer overruns?)
You. Need. Anti. Virus.
Comments (0)
philipstorry November 13th, 2006 20:55:00
Discussion for this entry is now closed.