Interview With Microsoft's Chief of Security

Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks. /. readers might find it interesting. They can find it here."

Damning with faint praise

[Tackhead]

> Q: [another expert] said his theory was "D3" - "declassify, demystify and diversify (software)." All three of those things are not things associated with Microsoft. Is that a policy you'd take issue with?
>
> A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.

Conspicuously absent is any description of Microsoft's response when someone else finds the security vulnerability in their products.

Re:Damning with faint praise

[gazbo]

It's not like you can fix it yourself since you are not allowed to see and modify the code.

99.5% of [insert open source app here] users cannot 'fix it themselves' either, because they don't have the technical knowledge of every package in a system, or they don't have time to fix it. The more likely a person is to be able to fix a security exploit on a production machine, the more it would cost for their time.

I agree in theory that open source wins here, but in practice the vast majority of people are reliant on patches supplied by distributors.

Re:Damning with faint praise

[sholden]

99.5% of [insert open source app here] users cannot 'fix it themselves' either, because they don't have the technical knowledge of every package in a system, or they don't have time to fix it. The more likely a person is to be able to fix a security exploit on a production machine, the more it would cost for their time.

However with Open Source software there tends to be more than one distributor.

If the author of ProgramX doesn't fix a security hole, then debian might, or redhat might, or suse might, and as soon as one does the others can grab their fix and incorporate in their distribution.

So if the individual user doesn't have the time/ability to patch a hole, at least there is a reasonably large number of distributions competing to fix it (after all consistantly being first to release security patches is one way to win customers to your distribution). Rather than the one and only source not bothering for a few days/weeks/months since they know no one else can patch it first and win over their customers.

Capitalism sucks. But it sucks less than all the other systems we've tried over all of history. Open source leverages capatilism in a way that makes it humourous that people often label it as 'communist'...

Re:Damning with faint praise

[jfunk]

If the author of ProgramX doesn't fix a security hole, then debian might, or redhat might, or suse might, and as soon as one does the others can grab their fix and incorporate in their distribution.

Absolutely. I remember when a recent (not too serious) hole was found *by* SuSE's security team (I don't remember the package, sorry). One of the primary reasons I run SuSE is because of their awesome security team. They borrow a ton of stuff from OpenBSD, and that's a good thing. I also highly recommend their security mailing list no matter what distro you use, and their security scripts are deliberately distro-blind (I've installed them on critical Red Hat servers at work, and they work beautifully).

I ran YOU (YaST Online Update) manually and I looked through all of the updates. They submitted the patch to the original developers before sticking new packages on their servers. The new version of that package from the original developers (ie: they applied SuSE's patch) was released three days later.

But that's not the most important thing. Am I screwed if SuSE dies? Hell, no. My number one reason for preferring open source is that I can get *anybody* to do the work for me, including myself.

I've said it many times before: price is not the issue, control is. Sure, I can get SuSE for free all I want, but I pay for it just so their packagers and bug-fixers get to stay on board.

Contrary to popular belief

[Zen+Mastuh]

Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."

If they were in the car business insted of the O/S business, a lot of people would be dead or mangled.

Re:Contrary to popular belief

[Bonker]

If they were in the car business insted of the O/S business, a lot of people would be dead or mangled.


That's ultimately the only thing that can change the corporate machine... Death. Either the death of members of the machine or members of the public.

Look at the recent Ford/Firestone screwover: Sure, there have been reports about how unsafe SUV's were for years, but Ford was able to rationalize those deaths away as just part of the 'acceptable highway fatality level' that Americans seem to be comfortable with.

It wasn't until people were able to say with proof positive that Ford SUV's and/or Firestone tire were directly responsible for human deaths that Ford was forced to change its practices.

Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (Think saftey control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.

OS monoculture

[markj02]

If you have one predominant operating system, you have a very fertile ground for viruses. Whether Schmidt just refuses to acknowledge this or just doesn't grasp it, it's a fact of life. Microsoft itself is a major problem when it comes to security because of their size and dominance, and they would be the problem even if they were much more careful about security in their products than they actually are.

For this, as well as for many other reasons, it is essential that one operating system and one software company does not dominate the industry. The cost of dealing with cross-platform issues is the price we have to pay for a competitive market and a resilient infrastructure.

Suggestions that our salvation lies in uniformity, market dominance by one company, and bigness are more reminiscent of the central planning of the USSR than of what has made our society so successful. It's kind of funny to see that some of the most staunch conservatives and defenders of Microsoft-style laissez-faire economics seem to be falling into the same trap that the communists fell into.

Hard question dodging 101

[plover]

Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.

A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.

I don't know if the interviewer changed tapes in his recorder or what, but this is the single most important question he asked, and it was completely and totally unaddressed. This one question drives home the problem with Microsoft security, makes him aware that yes, we were all SCREAMING "Stop the madness" BEFORE it rolled out, and he waves his hands saying that hmm, we're meeting the new threat environment. What?

Is there any chance that anyone of importance will see or read this interview? That's the shame. I'd love it if the appropriate congresspeople and/or attorneys-general could see this nonsense made more public.

Not that I expect anyone in his position to actually answer all the questions asked, but it'd be nice if his lips moved in sync to his words, too.

John

I Loved this bit...

[schon]

(When asked about full disclosure, and publishing of exploits)

In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.

Yeah, except there really IS a fire.

So when there is a fire in a movie theatre, he's suggesting the person who notice it just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?

Yeah, GREAT analogy.

Did he really say that?

[kilgore_47]

Howard Schmidt: I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there that, day after day after day, there's more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
(bold added by me)

Shouldn't a company with Microsoft's resources be able to identify security holes before the product is released?
Maybe this "release-and-then-check-for-bugs" strategy explains why there are so many MS explots?

Leaving keys in the car is still stupid...

[Chris+Burke]

In response to the question about MS making Good Times into reality (having scripting in email on by default), he said:

If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.

I don't know where he was living 15 years ago, but where I grew up (granted I didn't have a car then), there's no way you'd leave your keys in your car and act surprised when it was gone in the morning.

If your car gets stolen because you left the keys in it, its not entirely your fault because it's illegal to steal the car regardless. But it was still bloody stupid.

If it was my friend who left my keys in the car, I'd be pissed as hell. And if the manufacturer put a spare key on every car in the exact same place so it was easy to find and my car got stolen, I'd join the class-action lawsuit that would surely result.

It's one thing to say that MS has good security, and non-disclosure is the right way to go, etc etc. He has to. But to dismiss this question as though it wasn't their fault, without even a "Yeah, we shouldn't have done that", I think is demonstrative of the thinking that led to the problem in the first place.

Re:They're trying

[(H)elix1]

Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's dilligence), and they are making strong strides to change this now, and in the future.

You think they are making strides to clean this up? Looks like patching the PR to me. Take a look at this...
MS rolls out security obscurity bribe program


Code of Conduct:
Microsoft Gold Certified Security Solutions Partners are leaders in the security industry, not only in their products and solutions, but also in their standards of behavior. All Microsoft Gold Certified Security Solutions Partners shall follow a code of conduct regarding the responsible handling of security vulnerabilities. This code of conduct is intended to allow a product vendor to address any individual vulnerability and issue a patch, workaround or other response to the public. Microsoft Gold Certified Security Solutions Partners shall take reasonable steps to ensure that they do not publicly disclose details that would directly allow an outside party to develop or execute an attack exploiting the vulnerability.

comparing Microsoft's performance over the years

[john_uy]

As of Dec. 20, 2001, the total number of published security bulletins is only 58 compared to 100 in 2000 and 60 in 1999. This year, there are 4 cumulative patches so the actual number of published security threats is around 54.

The last 3 security vulnerabilities for XP relate to IE, Windows Media, and USB plug and play feature.

I should say that the products of Microsoft are just becoming mature right now. It is unfair for Linux and Unix since they I believe they have been ages before Microsoft introduced Windows. So it terms of maturity, Linux took years just as Microsoft is.

Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products. And most people even some *nix guys say that WindowsXP is actually more stable than ever.

It is also noteworthy to say that the base OS of Windows is getting more secure. It is just the apps integrated with the Internet that have most of the security threats like IE, Outlook, Office. For the servers in W2K, the services are the ones problematic and the user has the freedom to deactivate some and use an alternative. Like in Linux, the same thing applies where a server may use the services from different publishers.

I am not saying that Microsoft is good or anything but I say that comparing Windows (PRO/HOME) and Linux/Unix is like comparing apples and oranges. They are built for different purpose thus designed differently.

In the server arena, I think that it is only in Windows 2000 that they released their 1st server OS and not in Windows NT 4.0. Their Windows .NET server hopefully will do better than W2K servers.