Interview With Microsoft's Chief of Security
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks.
/. readers might find it interesting. They can find it here."
Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."
If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.
"What is the sound of one belly slapping?"
It's true. I just intentionally did it here on that lame-assed sid about LOTR nerds. The post went straight to +4 before anybody started modding it down.
--ZM, posting anonymously to stay at the karma cap
(When asked about full disclosure, and publishing of exploits)
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.
Yeah, except there really IS a fire.
So when there is a fire in a movie theatre, he's suggesting the person who notices it should just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?
Yeah, GREAT analogy.
This has an obvious corollary: those who want better security/stability in the industry should work towards eliminating that domination and the barriers that keep it. This sounds obvious, especially on /., but it is not as obvious as it looks. "The cost of dealing with cross-platform issues is the price we have to pay for a competitive market" does not need to be true. Microsoft's biggest advantage is that a computer OS is not a commodity. This needs to be changed. (And it cannot be done by the Government. They do not have the power.) If the OS were a commodity, it would not matter what OS you choose, any program would run on it. That is, you load the CD, or finish the download, and it is ready to run (possibly after an installer), no matter if you are using *BSD, Linux, Windows, MacOS, or anything else. OS's would compete on stability, ease of use, and extended feature sets.
It is almost this good on Unix-based systems. Almost. It could be better. It could work beyond. A model, in my mind, is Apple's Carbon-compatible programs. They run, seamlessly, on two completely different architectures. (And there is no technical reason they couldn't run on more with just as much ease to the end user.)
There have been attempts to standardize. The flaw is usually that the intent is to standardize for programmers, not for end-users. I believe the technology exists to standardize to the point where:
It doesn't matter what OS you use.
It doesn't matter what window manager you use, on an OS that supports more than one.
It doesn't matter what language the programmer worked in. (As long as they can make the system calls correctly.)
It only matters what platform you are on if the programmer wants it to.
That is to say, it does not matter to the end user. They can buy/download a program and it works. They should not have to know any of the above to install and use the program.
What do you think? Can we create the world described?
But there is a fire. It's only irresponsible to shout "fire!" in a crowded movie theater if there isn't one, just like it would be irresponsible to post non-existent exploits to bugtraq.
Mr. Schmidt is suggesting:
Geez... They must have cut their spin budget recently.
Classic Microsoft... standards bad, embrace and extend good... we do it for security reasons, not because we're trying to leverage our monopoly power into yet-another market. I can almost understand the "don't tell anyone about the exploit until we have a chance to fix it" stance, but this makes me sick to my stomach.
I would be in favor of government standards of security. And not just because it would force more open standards, but because it's a good idea. Yes, it will probably not be easy to implement, and it might force MS to ship a product or two late, but at least it will enforce some needed checks on a company whose concept of security is identifying problems after product release.
Those who fail to understand communication protocols, are doomed to repeat them over port 80.
I will have to disagree with your statement, "Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future."
Microsoft's approach to security has/had nothing to do with trusting sysadmins and everything to do with gaining market share. The marketing department drives development, plain and simple. You really should open your eyes when you are working on those NT servers: do they look like servers?
Microsoft's products should install out of the box as secure as possible, not with a blank SA password for SQL.
I am forced to work in an NT world and I hate it. I have worked with many other server OS's like Novell and Linux distros, and MS stuff sucks.
People who say NT is easy are wrong. NT is high maintenance, really high.
Speaking of high...I gotta go cough cough
The only good thing I can say about MS is that Windows 2000 works better than 95/98/ME ever did, but that's it.
LoRider
In one word, yes.
Usually, viruses are written for entertainment value, bragging rights, and desire to create damage and/or chaos. The more widespread the virus, the more these goals are achieved. And to get a wide-acting virus, you hit a dominant platform. This would happen regardless of the OS.
Of course, with an open OS, the response to the core vulnerabilities can be much more timely, preventing the spread of variants, too.
But in the final analysis, the spread follows epidemiological curves quite nicely and monoculture in software is as fatal as it is in agriculture, regardless of how you feel about your "superior" breed...
I'm wondering why professional bodies, like SANS, Software SQA, and the Computing Societies don't pipe up and tear stripes off MS for bad process, and the absence of external and independent audits.
The guy has a clear conflict with public interest and public relations, and there is no evidence he has independent authority, or a mandate to make radical changes. Remember the bit about auditors being independent and being seen to be independent taught in Accounting 101. Same for security.
Bruce Schneier and others have made comments about this before, and have offered to help in the past. Very arrogant to assume the company (MS) can do it better internally.
This guy is a public relations front.
Were I him, I would have released every damn secret/obscure registry setting, and how to disable active extensions, and undo the 'speed' boosters improperly inserted into supervisor spaces.
Looking at BSD, or Qmail, where processes have been chrooted and protected by design, and Solaris and AIX have cleaner security models. They have moved up the security ladder, whilst MS has remained stationary.
Code repetition.
Parsing a URL, traversal should be in one bit of code only, not in 20-30 spots. This tells you plenty about internal structures and standards. Need to rationalize duplicate or near-duplicate function calls.
In defence of the security guy, he has inherited an insecure model, and is probably chipping away. I won't be impressed until I see code metrics and audit statistics being posted.
Taking the source code and publishing the word count, and alphabetically sorted symbol tables would be a good start.
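The point made above about keeping URL parsing and traversal handling in one bit of code, as an added example that is not part of the comment and not any Microsoft or IIS code: every request handler funnels the URL path through a single canonicalisation function, so the traversal check exists in exactly one place. `DOC_ROOT`, `resolve_request_path`, `handle_request` and the sample request lines are all hypothetical and constructed for the example; nothing here touches the filesystem.

```python
import re
from urllib.parse import unquote

# Hypothetical document root; the example never reads or writes real files.
DOC_ROOT = "/srv/www"


class PathRejected(ValueError):
    """Raised for any request path that must not reach the filesystem."""


# A percent sign followed by two hex digits, i.e. something still encoded.
_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def resolve_request_path(url_path: str, max_decode_rounds: int = 2) -> str:
    """Turn a URL path into one clean absolute path under DOC_ROOT, or raise PathRejected.

    This is the single function every handler must call: decoding, separator
    normalisation and the '..' check live here and nowhere else.
    """
    # Bounded percent-decoding, so a double-encoded "%252e" is also caught
    # without looping forever on pathological input.
    decoded = url_path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Anything still encoded after the bounded rounds is refused rather than
    # passed through half-decoded (a literal "%ab.txt" name is also refused;
    # that is the conservative side to err on).
    if _ENCODED.search(decoded):
        raise PathRejected("still percent-encoded after bounded decoding")
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # Windows-hosted servers accept backslashes as separators too, so treat
    # them identically before splitting.
    decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue  # empty (from '//') and '.' segments carry no meaning
        if seg == "..":
            raise PathRejected("parent-directory segment in request path")
        segments.append(seg)
    return DOC_ROOT + "/" + "/".join(segments)


def is_rejected(url_path: str) -> bool:
    """True if resolve_request_path refuses the path (convenience for tests)."""
    try:
        resolve_request_path(url_path)
    except PathRejected:
        return True
    return False


def handle_request(request_line: str):
    """Minimal dispatcher: parse 'GET /path HTTP/1.x' and resolve the path once.

    Returns (status, resolved_path); the path is None when the request is refused.
    """
    parts = request_line.split()
    if len(parts) != 3 or parts[0] not in ("GET", "HEAD"):
        return 400, None
    try:
        return 200, resolve_request_path(parts[1])
    except PathRejected:
        return 400, None


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /docs//./readme.txt HTTP/1.0",
    "GET /docs/../../etc/passwd HTTP/1.0",
    "GET /docs/%2e%2e/secret HTTP/1.0",
    "GET /docs/%252e%252e/secret HTTP/1.0",
    "GET /docs\\..\\secret HTTP/1.0",
    "GET /docs/%20space.txt HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        status, path = handle_request(line)
        print(f"{status}  {line!r:45} -> {path}")
```

The design choice is the one the comment asks for: handlers never call `unquote` or inspect `..` themselves, so adding a new encoding or separator rule is a one-line change in one function rather than a hunt through twenty copies.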
I say that Linux and Windows cannot be directly compared (IMHO)
I never compared the two. I just made a simple analogy, much akin to the one posted in the interview. I just happen to think mine is more correct.
But nevertheless, in terms of functionality, Linux is not very user friendly (you have to do lots of steps) in order to reduce the faults in the system (whether security or stability.)
Strictly speaking, your average Linux OOB (out of box) experience is safer than your average Windows OOB experience. I receive daily trojan emails, but see nothing in my ftpd logs.
Microsoft on the other hand wants every user to be able to use a PC even though it is their first time to use one. In the process of doing that, if you disable all features (because of security) then nobody will buy their OS since I believe their support call center will be full 100% of the time.
Be able to, be forced to, what's the difference, right? There has to be a certain expectation of knowledge.
Also, there's a difference between useful and secure. M$ may have done a bad thing when they allowed .doc files to contain machine level code. They're paying the price for that now. Many email services just outright BLOCK .doc files now. I bet that interferes with functionality.
It's funny you mention that nobody would buy their OS if it were secure.
The previous has been a secret message to my comrades.
Absolutely. I remember when a recent (not too serious) hole was found *by* SuSE's security team (I don't remember the package, sorry). One of the primary reasons I run SuSE is because of their awesome security team. They borrow a ton of stuff from OpenBSD, and that's a good thing. I also highly recommend their security mailing list no matter what distro you use, and their security scripts are deliberately distro-blind (I've installed them on critical Red Hat servers at work, and they work beautifully).
I ran YOU (YaST Online Update) manually and I looked through all of the updates. They submitted the patch to the original developers before sticking new packages on their servers. The new version of that package from the original developers (ie: they applied SuSE's patch) was released three days later.
But that's not the most important thing. Am I screwed if SuSE dies? Hell, no. My number one reason for preferring open source is that I can get *anybody* to do the work for me, including myself.
I've said it many times before: price is not the issue, control is. Sure, I can get SuSE for free all I want, but I pay for it just so their packagers and bug-fixers get to stay on board.
1) As Multics taught us, security with significant hardware support is significantly easier to do than without. A result of this is that we need to be asking Intel (et al.) for help (like tagged memory blocks) in hardware. It really is time that we got away from just the stale von Neumann ideas that Mr Cray graciously gave us in the 1960s and 1970s.
2) Once the hardware exists, then we can move to implement better O/Ses that are significantly more robust. Everyone will win, even MS.
-- Multics
For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this? Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because (another hideous design fault) you can't just uninstall SQL Server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system. You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. It's very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, it's their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configurable, is less manageable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.
No, Thursday's out. How about never - is never good for you?
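The reserved-name problem the post above describes (directories named COM1 and the like that the normal tools refuse to delete), as an added defender's example that is not part of the original post: a check that flags Win32 device names, trailing spaces or dots, and characters Win32 does not permit, run over a list of constructed entry names, plus an `os.walk`-based scanner for a real directory. The reserved-name set is the standard Win32 list (CON, PRN, AUX, NUL, COM1-9, LPT1-9); the sample names and the `find_suspicious_entries` / `scan_tree` helpers are constructed for this example.

```python
import os
import re

# Win32 device names the NT path layer treats specially. This is the documented
# Win32 list; the post's "DEL" is not on it.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Characters Win32 refuses in a file name (plus control characters).
_ILLEGAL_WIN32 = re.compile(r'[<>:"|?*\x00-\x1f]')


def reserved_name_reason(name: str):
    """Return why an entry name is awkward to address on Windows, or None if it looks normal."""
    if name != name.rstrip(" ."):
        # Win32 silently strips trailing spaces and dots, so "backup." and
        # "COM1 " become unreachable through ordinary path handling.
        return "trailing space or dot"
    # Reserved device names apply to the part before the first dot,
    # so "com1.txt" is just as reserved as "COM1".
    stem = name.split(".", 1)[0]
    if stem.upper() in RESERVED_DEVICE_NAMES:
        return f"reserved device name {stem.upper()}"
    if _ILLEGAL_WIN32.search(name):
        return "character Win32 does not allow in names"
    return None


def find_suspicious_entries(names):
    """Run reserved_name_reason over a list of names; return [(name, reason), ...]."""
    flagged = []
    for name in names:
        reason = reserved_name_reason(name)
        if reason is not None:
            flagged.append((name, reason))
    return flagged


def scan_tree(root: str):
    """Walk a real directory tree and report entries a Windows admin could not
    delete with the usual tools. Read-only: it never removes anything."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = reserved_name_reason(name)
            if reason is not None:
                findings.append((os.path.join(dirpath, name), reason))
    return findings


# Constructed sample listing of an upload directory (not real server data).
SAMPLE_NAMES = [
    "readme.txt",
    "COM1",
    "lpt3.dat",
    "setup.exe",
    "backup.",
    "Aux",
    "normal name.doc",
    "bad:name",
]

if __name__ == "__main__":
    for name, reason in find_suspicious_entries(SAMPLE_NAMES):
        print(f"{name!r:20} {reason}")
    # On Windows, entries found this way can be addressed by prefixing the
    # absolute path with \\?\ (the Win32 extended-length prefix), which tells
    # the API to skip the name parsing that makes them unreachable, e.g.
    # os.remove(r"\\?\C:\inetpub\ftproot\COM1").
```

Running the scanner over an upload root on a schedule, and alerting when it finds anything, turns the trick described in the post into a detection signal: a legitimate Windows user cannot create these names through the shell, so their presence in an FTP directory is itself evidence of abuse.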