Spit and dirty socks, I said, upon learning of Microsoft Corp.'s new plan to reduce the number of critical security patches for Windows and other software.
Unsurprisingly, Microsoft's solution to the security problem doesn't involve writing cleaner and more secure code; it is instead an exercise in perception management. Currently, vulnerabilities are described by the company as "critical," "moderate," and "low." What's going to change is that the critical group will be split in two: flaws that really are critical and those that are merely important. I assume that the patches on Windows Update will be reclassified in a similar manner, thus foiling my simple nose count.
So what do I do now? Combine the new "important" category with the announced critical patches to get the final number or restate the line? I'm probably going to do the former, since the bookies' easy way out of declaring "no line" is also no fun.
I'm also confused by the distinctions between recommended updates, important updates, and critical patches (but then again, I don't have a graduate degree in semantics). As usual, I have a suggestion that's going to enrage a lot of you: Windows users would be better served by introducing a new category of mandatory updates, where you have 60 or so days to apply the patch, and if you don't, the computer's networking functions will be disabled. Savage, yes, but effective.
Of course, finding a way to get that functionality onto the millions of Windows desktops already out there might take some doing. Microsoft would have to disguise it as porn to achieve the widest possible distribution, if my understanding of human nature is any guide.
I'm not going to claim credit for this modest proposal; after all, it's been around in demo software and shareware for ages, and it shows up from time to time in big-ticket software packages as a way of enforcing a payment agreement.
To give proper credit, I should mention that Jon Lasser's column on Security Focus has repeatedly called for time bombs to be built into software from the beginning. However, in the most recent installment, he was thinking of applying this idea to something far more important than Windows: BIND (Berkeley Internet Name Domain), the software that supports DNS (Domain Name System), which is a foundational Internet technology.
To be fair, I'll point out that I can't name a vendor that produces 100 percent bug-free software or even comes close. That's the nature of the software business, where ship schedules are more important than quality. So I promise that I won't pick on Microsoft next week. Instead, I'll ponder whether software vendors should be held to the same degree of liability as other industries.