Interview With Microsoft's Chief of Security
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks.
/. readers might find it interesting. They can find it here."
>
> A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.
Conspicuously absent is any description of Microsoft's response when someone else finds the security vulnerability in their products.
Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."
If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.
"What is the sound of one belly slapping?"
For this, as well as for many other reasons, it is essential that one operating system and one software company does not dominate the industry. The cost of dealing with cross-platform issues is the price we have to pay for a competitive market and a resilient infrastructure.
Suggestions that our salvation lies in uniformity, market dominance by one company, and bigness are more reminiscent of the central planning of the USSR than of what has made our society so successful. It's kind of funny to see that some of the most staunch conservatives and defenders of Microsoft-style laissez-faire economics seem to be falling into the same trap that the communists fell into.
Why does this interviewer have to keep comparing software attacks with the September 11th terrorist attacks? About the only thing they have in common is that they are both malicious. Beyond that, it has no place in an interview about Microsoft security. Very poor taste, IMO.
- Just an AC
A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.
I don't know if the interviewer changed tapes in his recorder or what, but this is the single most important question he asked, and it was completely and totally unaddressed. This one question drives home the problem with Microsoft security, makes him aware that yes, we were all SCREAMING "Stop the madness" BEFORE it rolled out, and he waves his hands saying that hmm, we're meeting the new threat environment. What?
Is there any chance that anyone of importance will see or read this interview? That's the shame. I'd love it if the appropriate congresspeople and/or attorneys-general could see this nonsense made more public.
Not that I expect anyone in his position to actually answer all the questions asked, but it'd be nice if his lips moved in sync to his words, too.
John
Microsoft has been getting better. Many of the current IIS exploits aren't in IIS at all, but in ISAPI extensions like Index Server (Code Red exploited this), and HTTP Printing in Win2K. Almost all of the exploits released last year and this year could've been blocked by simply following MS' security checklist.
Needless to say, sysadmins apparently don't read checklists, follow best practices, or pay attention to alerts. I have seen real movement from MS (on their site, in comments on NT BugTraq, and in other places) that they take this security stuff seriously now, and they are coming out with some good tools (they're even subcontracting them to get them faster and by security companies who have a better track record) to help automate patch downloading and installation, scanning of network resources for missing patches, remote deployment of patches (for those 500 web servers you have in your datacenter), and various checker tools which will basically verify the security checklists for you.
Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future.
I know many of you dislike MS, but you must give them at least that.
(When asked about full disclosure, and publishing of exploits)
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.
Yeah, except there really IS a fire.
So when there is a fire in a movie theatre, he's suggesting the person who notices it just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?
Yeah, GREAT analogy.
Howard Schmidt: I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there that, day after day after day, there's more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
(bold added by me)
Shouldn't a company with Microsoft's resources be able to identify security holes before the product is released?
Maybe this "release-and-then-check-for-bugs" strategy explains why there are so many MS exploits?
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
In response to the question about MS making Good Times into reality (having scripting in email on by default), he said:
If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.
I don't know where he was living 15 years ago, but where I grew up (granted I didn't have a car then), there's no way you'd leave your keys in your car and act surprised when it was gone in the morning.
If your car gets stolen because you left the keys in it, it's not entirely your fault because it's illegal to steal the car regardless. But it was still bloody stupid.
If it was my friend who left my keys in the car, I'd be pissed as hell. And if the manufacturer put a spare key on every car in the exact same place so it was easy to find and my car got stolen, I'd join the class-action lawsuit that would surely result.
It's one thing to say that MS has good security, and non-disclosure is the right way to go, etc etc. He has to. But to dismiss this question as though it wasn't their fault, without even a "Yeah, we shouldn't have done that", I think is demonstrative of the thinking that led to the problem in the first place.
The enemies of Democracy are
I think security is recognized as the number-one priority across the company.
After the interview, Mr. Schmidt realized that the question was actually about Microsoft's software products, and not about locking the doors each night at MS HQ.
The guy even works three blocks from the WhiteHouse.
The software is developed in a suburb of Seattle, Washington (state) and the company's security chief works in Washington (DC), nearly as far from the software department as you can get and still be in the continental US.
THAT explains the security problems in Microsoft products!
B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
As of Dec. 20, 2001, the total number of published security bulletins is only 58 compared to 100 in 2000 and 60 in 1999. This year, there are 4 cumulative patches so the actual number of published security threats is around 54.
.NET server hopefully will do better than W2K servers.
The last 3 security vulnerabilities for XP relate to IE, Windows Media, and USB plug and play feature.
I should say that the products of Microsoft are just becoming mature right now. It is unfair for Linux and Unix since I believe they have been around ages before Microsoft introduced Windows. So in terms of maturity, Linux took years just as Microsoft is.
Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products. And most people even some *nix guys say that WindowsXP is actually more stable than ever.
It is also noteworthy to say that the base OS of Windows is getting more secure. It is just the apps integrated with the Internet that have most of the security threats like IE, Outlook, Office. For the servers in W2K, the services are the ones problematic and the user has the freedom to deactivate some and use an alternative. Like in Linux, the same thing applies where a server may use the services from different publishers.
I am not saying that Microsoft is good or anything but I say that comparing Windows (PRO/HOME) and Linux/Unix is like comparing apples and oranges. They are built for different purposes thus designed differently.
In the server arena, I think that it is only in Windows 2000 that they released their 1st server OS and not in Windows NT 4.0. Their Windows
Live your life each day as if it was your last.
Microsoft's head of security
Isn't that like the taliban having a minister of women's rights?
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this? Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because (another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system? You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. It's very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, it's their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configurable, is less manageable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.
No, Thursday's out. How about never - is never good for you?
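An added example, not part of the comment above: a defender-side audit that flags entries in an upload area whose names ordinary Win32 tools handle badly, the situation the comment describes with a directory called COM1. The reserved-name list is the standard Win32 device-name list; the function names and the sample listing are constructed for illustration.

```python
import re

# DOS device names that Win32 path handling reserves, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}

def classify_component(name):
    """Return why one path component is awkward for Win32 tools, or None if it is fine."""
    if name in (".", ".."):
        return None
    if name != name.rstrip(" ."):
        return "trailing space or dot"          # dropped by Win32 name normalisation
    if any(ord(c) < 32 for c in name):
        return "control character in name"
    stem = name.split(".", 1)[0].upper()        # COM1.txt is still treated as COM1
    if stem in RESERVED:
        return f"reserved device name {stem}"
    return None

def audit_listing(paths):
    """Return (path, component, reason) for the first suspicious component of each path."""
    findings = []
    for path in paths:
        for part in re.split(r"[\\/]+", path):
            reason = classify_component(part) if part else None
            if reason:
                findings.append((path, part, reason))
                break
    return findings

# Constructed sample: a recursive listing of a writable FTP area.
SAMPLE = [
    r"ftproot\pub\readme.txt",
    r"ftproot\incoming\COM1\file.bin",
    "ftproot/incoming/lpt3.old/a.dat",
    r"ftproot\incoming\backup.\a",
    r"ftproot\pub\COM10\notes.txt",             # COM10 is not reserved
]

if __name__ == "__main__":
    for path, part, reason in audit_listing(SAMPLE):
        print(f"{path}: {part!r} -> {reason}")
```

Running this over a periodic listing of any anonymously writable directory surfaces such names early, before they have to be cleaned up by hand.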
Gotta LOVE this exchange ...
...
Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?
A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?
Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain, because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
utter rubbish