August 21, 2004

SP2 debate exposes deeper problems

I am getting asked by non-technical friends whether they should install SP2. They've heard on the BBC or read in the papers that it's got security issues, might cause other problems, and that IBM recommends against it.

Part of the difficulty here is simplistic reporting of complex issues. I don't blame my journalistic colleagues for this - the finding of the first few bugs in SP2 makes a good quick story. At the same time it's frustrating for those of us who'd like to see security tightened up, since the articles often forget to mention that a PC with SP2 installed is most likely a lot more secure than one without, or that many of the compatibility issues are actually no bad thing, since they are the consequence of a somewhat hardened operating system.

It is also really hard to convey why some security issues are more likely to cause real-world problems than others, or the importance of things like NAT routers versus direct cable modems, or reading email in plain text, or which web browser you use, or how you respond to dialogs thrown up by web pages. Ordinary people argue, quite rightly, that they should not have to know about such things; they just want to get on with their work (or play). At the same time, many of the problems which arise when you connect the whole world to one network are entirely predictable, especially when you consider that a large number of the network clients are effectively unmanaged, since they belong either to home users or to small businesses with no IT staff.

SP2 does not go far enough, but it remains a must-have upgrade in my view. Of course it is a major system update and should be treated as such, with all that implies in terms of cautious rollout. But it doesn't address the deeper problem facing the IT industry, which is what to do about all these unmanaged users.

Nobody can dismiss the issue, even if your own network or home PC is very nicely managed thank-you-very-much. We are all on the same network, called the Internet. Infected and insecure machines out there are bombarding us with spam and malware, and giving criminals every opportunity to steal money or secrets from our friends and colleagues.

I think the world will gradually realise that the industry has to be more proactive in managing these systems on behalf of its users. That means more stuff locked down by ISPs, no doubt to the fury and frustration of technically savvy users, and operating systems that make it hard for users to make bad choices. I don't mind whether that's a properly hardened Windows, rather than one where everyone runs with admin permissions, or whether it's something else. But it has to happen.