
What Bill Gates says about security

Informit.com journalist Lynn Greiner has written a piece commenting on what Bill Gates and other Microsoft staffers had to say about the security of their software at the recent Microsoft Professional Developers Conference in Los Angeles.

She didn't have to do much other than quote Bill to make an interesting article, so that's what I'm going to do!

Bill: You don't need perfect code to avoid security problems ... there are two other techniques: one is called firewalling, and the other is called keeping the software up to date.

I can just imagine Dr. Evil or Homer Simpson making quote marks with their fingers like an advertising exec while saying "firewalling". Who does he think we are? True, a lot of networks are embarrassingly lacking in protection, but to use a condescending phrase like "one is called firewalling" is just plain rude.

My other favourite quote is this next one - I think I understand what he is saying, but you can never be too sure...

Bill: Actually, all the forms of Unix (as well as Linux) have had more vulnerabilities per line of code. They don't propagate as much because they're not as dense as our system is, so the things that prevent the propagation are particularly important for our world.

So is he saying that Windows is bloated and has way too many lines of code? Is he under the misapprehension that installing a Windows operating system turns the user's PC into a small collapsed star? Or is he just saying that Windows is plain stupid? If Unix has fewer lines of code and, undeniably, similar levels of functionality, then its code is actually more dense...

To be fair, the people employed by Microsoft because they actually know what they are talking about when it comes to security distanced themselves from Bill's "You don't need perfect code to avoid security problems" stance, with sensible stuff like:

Software should be secure by design, secure by default, and secure in deployment. ... There are two major kinds of security defects, Input trust issues, and everything else.

As Lynn suggested, I think Bill probably earned himself a few words from his security business unit. One comment on the article said "Stop Pointing Fingers at the User and Competitor". Yeah. It makes holes in the air and the Angels fall out.

09:07 PM, 04 Dec 2003 by Mark Aufflick
