The media gleefully went Microsoft-bashing again last week, and again it was complete rubbish.
It started when an industry columnist noted that someone with physical access to a Windows XP system could use a Windows 2000 Recovery Console to gain access to the system for limited purposes without an administrator password. The item spread like wildfire, and most articles reported it as a Microsoft problem, typical of the “security holes” in Windows products.
Only a few responsible journalists noted the truth: if you have physical access to a computer running any operating system – Windows, Linux, Unix, or Apple – there is always a way to access the files on that computer.
Here’s an article by a security expert at www.securityfocus.com responding to the Microsoft-bashing spin on the news. It’s well worth reading in its entirety, but I can’t resist quoting some of the better parts.
“[The reported use of the Recovery Console] is the exact behavior one who administers a Windows installation would expect, and the same functionality one would get upon booting any other alternate operating system.
“This has nothing to do with Win2k or XP. It has to do with not allowing un-trusted users physical access to your assets. This is a basic security postulate, like death and taxes.
“Yet the media went out of its way to make this another Microsoft “exploit.” Wired reported that security experts call this a “genuine threat.” I’ll tell you this — if a “security expert” tells you that this is a Microsoft vulnerability, they’re not a security expert. I mean, if I wanted to hork data off of a system I had full physical access to, I’d just grab the drive, stick it in my pocket, and walk out whistling “Jimmy Crack Corn and I Don’t Care.”
“This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information – not slant it in an effort to make Microsoft look like the bad guy every time.
“Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle’s “unbreakable” applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post.”