Sophos error: facts not found

Having begun my previous post with an explanation of “I have a professional disregard for …” it bubbles up again… Quite near were I live is the headquarters of Sophos, as a local company I should be well disposed to them but I’ve had occasion before now to roll my eyes at what their spokespeople have said – the pronouncements being of the “lets make the news, and never mind the facts” variety. One security blogger I talked to after some of these could be labelled “lacking professional regard for them”.  Well, Graham Cluley of Sophos has a prize example of this as a guest post on his blog, written by Sophos's Chief Technology Officer Richard Jacobs.

“Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colours of the OS giant”. Says Jacobs. “XP mode reminds us all that security will never be Microsoft's first priority. They'll do enough security to ensure that security concerns aren't a barrier to sales… …when there's a trade off to be made, security is going to lose.”

That second half makes me pretty cross: I talked yesterday about the business of meeting customers’ needs and you don’t do that if security is lacking, but it’s not the only priority.

I’ve got a post Windows 7 XP mode: helpful ? Sure. Panacea ? No, where I point out that the Virtual in XP mode is not managed and I quote what Scott Woodgate said in the first sentence we published anywhere about XP mode “Windows XP Mode is specifically designed to help small businesses move to Windows 7.”   As Jacobs puts it The problem is that Microsoft are not providing management around the XP mode virtual machine (VM). It’s an odd statement because XP mode is just standard virtualization software and a pre-configured VM. You can treat the VM as something to be patched via Windows update or WSUS just like a physical PC. You install anti-virus software on it like a physical PC. To manages the VM you use the big brother of XPmode: MEDV, which is part of MDOP. But from the existence of unmanaged VM and missing other key facts Jacobs feels able to extrapolate an entire security philosophy: he could do worse than to  look up the Microsoft Security Development Lifecycle  to learn how we avoid making security trade offs the way we once did (and others still do ).

Now I’m always loathe to tell people how to do their jobs, but in post companies someone who carries the title of “Chief Technology Officer” would have a better grasp of the key facts before reaching for the insulting rhetoric. And having looked after another blog where we used many guest posts, it’s important to check the facts of your contributors, Cluley either didn’t check or didn’t know better, and let Jacobs end by outlining his idea of customers’ options.

  1. Stick with Windows XP.
  2. Migrate to Windows 7 and block use of XP mode - if you have no legacy applications.
  3. Migrate to Windows 7 and adopt XP mode.
  4. Migrate to Windows 7 and implement full VDI - there are various options for this, but don't imagine it's free.
  5. Demand that Microsoft do better

Lets’s review these

Option 2, get rid of legacy applications is plainly the best choice. There are now very few apps which don’t run on Windows Vista / 7 but if you’re lumbered with one those this choice isn’t for you

Option 1. Bad choice. (A) because if you are even thinking about the issue you know you want to get onto a better os and (B) because those legacy apps are probably driving you to running everything as administrator. Given a choice of “use legacy apps”, “run XP”, and “be secure”, you can choose any two. I hope Jacobs has the nouse  not to put this forward as a serious suggestion.

Option 3. Small business with unmanaged desktops ? XP mode is for you. Got management ? Get MEDV.!

Option 4. Full VDI: Bad choice: put the legacy app on a terminal sever if you can – but remember it is badly written, if it doesn’t run on an up-to-date OS will it run on Terminal services ? VDI in the sense of running instances of full XP desktops in VMs (just at the datacenter, not the desktop) has all the same problems of managing what is in those VMs: except they aren’t behind NAT, and they probably run more apps so they are more at risk. 

Option 5. Hmmm. He doesn’t make any proposals, but he seems to demand that Microsoft produce something like MEDV. We’ve done that.

And while I’m taking Cluley and Jacobs to task I should give mention a to Adrian Kingsley-Hughes on ZDNet It was one of my twitter correspondents who pointed me to Adrian and on to Sophos. He quotes Jacobs saying “We all need to tell Microsoft that the current choices of no management, or major investment in VDI are not acceptable”. The response is that if we thought those choices were acceptable we wouldn’t have MEDV. And Adrian should have known that too.

If people like these don’t get then some blame has to be laid at our door for not getting the message across, so for clarity I’ll restate what I said in the other post

  • Desktop virtualization is not a free excuse to avoid updating applications. It is a work around if you can’t update.
  • Desktop virtualization needs work, both in deployment and maintenance – to restate point 1 – it you have the option to update, expect that to be less work.
  • “Windows XP Mode is specifically designed to help small businesses move to Windows 7.”   As I pointed out in an earlier post still.  MED-V is designed for larger organizations with a proper management infrastructure, and a need to deploy a centrally-managed virtual Windows XP environment on either Windows Vista or Windows 7 desktops. Make sure you use the appropriate one.

Update Adrian has updated his post with quotes from the above.  He has this choice quote “XP Mode is a screaming seige to manage. Basically, you're stuck doing everything on each and every machine that XP Mode is installed on.”. Yes Adrian, you’re right. No customer who needs to manage Desktop Virtualization in an enterprise should even think of doing it without Microsoft Enterprise Desktop virtualization. Adrian calls the above the “MEDV defense” but asks “OK, fine, but what about XP Mode? That's what we are talking about here”. What about XP mode ? It’s the wrong product if you have lots of machine (with 5 you can get Software assurance and MDOP). We’re talking about customers who install the wrong product for their needs. My job as an evangelist is to try to get them to use the one that meets their needs. But I think it would help customers if  instead of saying “XP mode is the wrong product” and stopping, commentators (Adrian, Richard Jacobs, Uncle Tom Cobley)  also mentioned the right product.