Security Flaws May Be Microsoft's Undoing
tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products have begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough.
Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."
Slashdotters may want to hurt Microsoft by breaking it up, but we've seen that the legal process is slow and generally ineffective.
Nailing them with the FBI, IT professionals, and security experts may actually do real damage to sales.
The greatest part is, I bet most of the people challenging Microsoft are Slashdotters. Their arguments sound like +5 moderated posts, IMHO.
Such a move will further entrench software development into the hands of a few large companies.
/. is pretty anti-Microsoft. But ask yourself, out of all the companies developing software which one has the intelligence and the financial resources to react to such a change?
Is it good? I don't know, I guess it depends on what your priorities are. If what you really want is rock solid quality software, then yes it's good.
If you want rapid innovation, then probably not.
It'd definitely kill off free software because you'd need to be trained, licensed and bonded in order to write software. Just like engineers who design bridges, etc.
Perhaps it is the natural progression of the market. If you look at other industries, over time they concentrated their power into the hands of a few large companies. Oil, Automobiles, Televisions, Radio, etc.
That's why it's always important to see both sides of an issue. The title of this article as posted to
The only one I can think of is Microsoft. This wouldn't be their undoing, it'd only make them stronger.
Microsoft isn't going anywhere, time to get used to that.
The more MS screws things up and has major problems the better. The more often they have them, the better.
Why? Because the more these things happen, the more the people who REALLY need to know about them will find out.
Mr dot-com who pays others to run his damn site, will think twice about paying people to host his site on such garbage.
And the end result will be one (or more) less vulnerable sites out there.
Bring it on, damnit.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Removing the limits on liability would not only affect Microsoft, but the GNU GPL. Would you want to be personally responsible for any GPL'ed code you wrote? Perhaps the solution would be to form a corporation and assign GPL copyright to it.
Anyway, at the very least, this sort of law would light a fire under the ass of the software engineering community. Maybe it would cause some actual progress!
Ok, since when are Microsoft's troubles with security flaws being bad for business news? Anyway ....
XP users said the updates cause systems to become unstable and some device drivers to stop working. [companion article]
I'll note that I haven't seen any problems recently on my XP box - in fact thanks to a BIOS update and a new video driver it's running smoother than ever (for what that's worth). Have any /. users [those brave enough to admit they run XP on at least one box] seen these problems?
Either way, I certainly always like to know what's going on in my system - so I never have it automatically install updates. For those interested in turning off the automatic downloads (highly recommended) - go to Control Panel, System, and the Automatic Updates tab. I have it set on the middle option (to notify, but not download/install automatically). Of course, I have a *legal* version of the OS, you warez kiddies will probably be a little more paranoid about any notifications. *grin*.
I recently had to rebuild a web server after a machine crashed, and getting NT4, IIS Option pack, etc. up and running with all patches was a _very_ long task.
It's not enough that Microsoft patches their products -- they are still shipping CDs of NT4 and win2k with the original 'release' of the product, so installing it means the original install plus a dozen or more service packs, hotfixes, etc. This makes it very tempting for internal corporate PC usage to just skip most of the patches to save time, and makes the process of securing Microsoft software that much more difficult.
They should just release new 'point' versions of the OS with every service pack, and stop selling the out of date CDs! Maybe this would cut down on the useless churn of moving from NT4 to 2K to XP to whatever -- and that would have to be good.
The problem is more one of diversity. If you place 500 million machines out in the wild all running the same software, then any exploits found in that software will leave all those machines vulnerable. It doesn't matter if it's Windows or Linux.
Those who yell and scream that Microsoft should be held liable should be careful what they wish for...liability laws would kill off most all of OSS/FS faster than they would kill Microsoft.
I am no fan of M$, but it isn't accurate to say they haven't tried. Their biggest problem is that, despite their efforts, hundreds of millions of lines of code isn't fast to repair -- especially not with 10,000 or so programmers who, on a curve, are merely average.
If Linux (etc) were as widely used *by inexperienced* people as Windows, it would face just as many problems.. but at least the code would be there for patches to come out. Then again, how would Mr. Schmoe get it without some kind of auto-update?
I fear that it will be easier for Microsoft to address most security issues (as they finally have wrt stability) than for Linux, etc. to become fairly user friendly.
That a majority of people do not trust MS is not surprising. I don't trust my government, my bankers, my customers, hell... I doubt the guy at the supermarket.
I maybe trust my mum and dad, and aunt jemima for her tasty pancakes - but a software company???
People are cynical enough that they just bumble through life looking over their shoulder bitching about stuff.
I just bought a new laptop - it came with XP pro - already I'm having problems with it. But I bitch about it over coffee and just get on with things. I had to register the software - something I bitched about. IIS won't work properly - bitch bitch bitch. Norton seems to be checking every file every 2 minutes making the thing unusable for the first hour in a day - bitch bitch bitch.
Would I buy another the same - probably.
The trust issue won't hurt MS as much as we'd like to think. And it won't help the alternatives much either.
The movie industry sucks - but a good percentage of you reading this will run out and give them 30 dollars for Tron someday soon.
The nightmare scenario.. Three hours from the appearance of a widespread bug (like the recent XP one) to having millions of windows machines trashing everything they touch.
That is the future, and it will happen someday.
Use the warhol worm spreading technique. Read it and be frightened. He claims 8 MINUTES from first infection to millions of infections.
I'm not quite as confident as he is in that number. But I'll definitely agree that 2 hours is more than enough time. (1 million vulnerable hosts, 5 scans/sec. Start with 1000 hosts, each second, 5000 probes, finding one vulnerable host. Thus, after 15 minutes, 2000 hosts, and doubling every 15 minutes.)
And, the more vulnerable hosts, the faster it spreads.
Now imagine a truly destructive payload. One which does not delete files, but corrupts them, starting with the fileservers. It restores datestamps to make it impossible to identify what files are corrupted.
Three hours from exploit to millions of computers corrupting thousands of files. Antivirus won't keep up, hell, warnings won't even reach most people until after it's demolished their fileserver. With obfuscation techniques, the worm could survive 3 hours without being reverse-engineered.
It spreads so fast, there's no defense. It spreads so fast, you won't be aware it's trashing all files until it's already started. The only reason we've survived this long is that nobody really competent has worked on a worm.
Be afraid. Be very afraid. The only question is when it will occur, and whether you will be running Windows when the time comes. I hope you keep good backups.
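The spread arithmetic in the post above, worked through as an added example (my code, not the poster's and not from any article linked here): an expected-value model of a random-scanning worm using the poster's figures of 1,000,000 vulnerable hosts, 5 probes per second per infected host, 1,000 initially infected hosts and the 2^32 IPv4 address space. It goes one step beyond the post by also showing what a pre-computed hit list of 10,000 hosts and a higher scan rate, the Warhol-worm ingredients, do to the same curve. All figures are assumptions for illustration, not measurements.

```python
"""Expected-value model of a random-scanning worm.

Added example, not part of the original thread.  Assumptions: every infected
host sends `scan_rate` probes per second to uniformly random addresses in a
space of `address_space` addresses; a probe that lands on one of `vulnerable`
not-yet-infected hosts infects it at once.  That gives logistic growth:

    dI/dt = scan_rate * I * (vulnerable - I) / address_space
"""
import math

IPV4_SPACE = 2 ** 32


def growth_rate(vulnerable, scan_rate, address_space=IPV4_SPACE):
    """Per-second exponential growth rate while almost nothing is infected."""
    return scan_rate * vulnerable / address_space


def doubling_time(vulnerable, scan_rate, address_space=IPV4_SPACE):
    """Seconds for the infected population to double in the early phase."""
    return math.log(2) / growth_rate(vulnerable, scan_rate, address_space)


def time_to_fraction(vulnerable, scan_rate, initial, fraction,
                     address_space=IPV4_SPACE):
    """Closed-form logistic solution: seconds until `fraction` of the
    vulnerable population is infected, starting from `initial` hosts.

    I(t) = V / (1 + (V/I0 - 1) * exp(-r t)), solved for t.
    """
    r = growth_rate(vulnerable, scan_rate, address_space)
    odds_start = vulnerable / initial - 1.0
    odds_target = 1.0 / fraction - 1.0
    return math.log(odds_start / odds_target) / r


def simulate(vulnerable, scan_rate, initial, address_space=IPV4_SPACE,
             step=1.0, horizon=6 * 3600):
    """Discrete-time version of the same model.

    Returns (time, infected) samples every `step` seconds until the horizon
    or saturation.  Handy for checking the closed form and for adding effects
    it cannot express (rate limits, patching, a hit list that changes shape).
    """
    infected = float(initial)
    samples = [(0.0, infected)]
    t = 0.0
    while t < horizon and infected < vulnerable - 0.5:
        probes = infected * scan_rate * step
        hit_probability = (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + probes * hit_probability)
        t += step
        samples.append((t, infected))
    return samples


def first_crossing(samples, count):
    """Time at which the simulated infected count first reaches `count`."""
    for t, infected in samples:
        if infected >= count:
            return t
    return None


if __name__ == "__main__":
    V, SCAN, I0 = 1_000_000, 5, 1000  # the post's constructed figures
    print(f"early doubling time: {doubling_time(V, SCAN) / 60:.1f} min")
    for frac in (0.5, 0.9, 0.99):
        minutes = time_to_fraction(V, SCAN, I0, frac) / 60
        print(f"{int(frac * 100):>2}% of vulnerable hosts infected after {minutes:.0f} min")
    # Warhol-style: a hit list of 10,000 pre-scanned hosts and 100 probes/s
    # per host shortens the same curve to a few minutes.
    print(f"hit list 10k, 100 probes/s: 99% at "
          f"{time_to_fraction(V, 100, 10_000, 0.99) / 60:.1f} min")
    samples = simulate(V, SCAN, I0)
    print(f"simulation reaches 500k hosts at t={first_crossing(samples, 500_000) / 60:.0f} min")
```

With the post's numbers the early doubling time comes out near ten minutes and half the vulnerable population is reached in a little under two hours, so the poster's "2 hours is more than enough" holds in this model; saturation at 99% takes roughly two and three-quarter hours. The model ignores bandwidth limits, dead address space and defenders, all of which slow a real worm down, and it ignores hit lists and local-preference scanning, which speed one up.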
Liability means holding someone responsible for a cost: if the failure of software that shouldn't have failed costs company X $1 million, then liability is a matter of having the responsibility for that failure taken by someone who provided a good or service that didn't meet the reasonable expectations of the consumer. One doesn't wait until the invisible hand fixes things "in the long run;" like Keynes noted, "in the long run we're all dead." (Another Keynes quote: "the market can be irrational longer than you can be solvent.")
Reports from places like cert and bugtraq show that there are just as many exploits out there for *nix based systems.
Network security of this nature is clearly not working when being applied at the OS or software levels, and a more flexible solution than the standard firewall is needed.
What would your opinion be of a 'mini-firewall' included as standard on all new network cards. The firewall would have packet filtering rules filtering out 'generic suspicious traffic' (such as bar an IP address for a day if something containing default.ida and a hell of a lot of 'N's comes through). The rules would be held on a flash ROM, which could be updated when necessary with software from a trusted source such as CERT and digitally signed by a non-trusted one such as Verisign.
Software could also be written to instruct the card to open certain ports and update the rules so that safe traffic for that software can pass through.
Unfortunately, the extra $20-30(?) would probably sink it dead in the water, not to mention the hassle of having to reprogram all network software to work with it. How does the idea stand in theory, though?
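The packet-filter rule sketched in the post above, as an added example (my code, not the poster's and not from any product): a small stateful filter that flags a request line matching the Code Red pattern the poster alludes to, `default.ida` followed by a long run of `N`s, and bans the source address for a day, releasing the ban when it expires. The request lines, addresses and the 64-byte run threshold are constructed assumptions; the signed rule-update mechanism the post mentions is not shown.

```python
"""Mini-firewall rule of the kind proposed above: ban a source for a day when
its traffic matches a 'generic suspicious' signature.

Added example, not code from the original thread.  Sample requests and
addresses are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

BAN_SECONDS = 24 * 3600

# Code Red's request line began "GET /default.ida?NNNN...".  A query string of
# at least 64 identical filler bytes after default.ida is the signal here
# (assumed threshold); the exact payload that followed does not matter.
CODE_RED_RE = re.compile(rb"GET\s+/default\.ida\?(?:N|X){64,}", re.IGNORECASE)


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    ban_seconds: int = BAN_SECONDS


@dataclass
class MiniFirewall:
    rules: list
    bans: dict = field(default_factory=dict)  # src_ip -> ban expiry (epoch seconds)

    def _expire(self, now):
        """Drop bans whose expiry time has passed."""
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]

    def inspect(self, src_ip, payload, now):
        """Return 'drop' if the source is banned or the payload matches a
        rule (which bans the source), otherwise 'pass'."""
        self._expire(now)
        if src_ip in self.bans:
            return "drop"
        for rule in self.rules:
            if rule.pattern.search(payload):
                self.bans[src_ip] = now + rule.ban_seconds
                return "drop"
        return "pass"


DEFAULT_RULES = [Rule("code-red-default.ida", CODE_RED_RE)]


def demo():
    """Run constructed traffic through the filter; returns the verdicts."""
    fw = MiniFirewall(rules=DEFAULT_RULES)
    t0 = 1_000_000_000
    code_red_like = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n"
    benign = b"GET /default.ida HTTP/1.0\r\n"
    return [
        fw.inspect("10.0.0.5", code_red_like, t0),             # drop, and ban
        fw.inspect("10.0.0.5", benign, t0 + 60),               # drop, still banned
        fw.inspect("10.0.0.6", benign, t0 + 60),               # pass, other host
        fw.inspect("10.0.0.5", benign, t0 + BAN_SECONDS + 1),  # pass, ban expired
    ]


if __name__ == "__main__":
    print(demo())  # ['drop', 'drop', 'pass', 'pass']
```

The ban table is the part that needs care in a real device: it is state an attacker can fill by spoofing source addresses, so a bounded table with eviction, and a whitelist for the management network, would be needed before this could sit inline on every NIC.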
In the "Great OSS Boom of '99" the press was all awash with Linux this, Linux that. MS stayed true to its course, kept on with the updates, and got XP out the door.
Now it seems things have changed: more and more, I am seeing articles that are negative of MS. "XP isn't stable", "too many updates", "XP isn't secure", "W2k was fine, why did they change it?" is what I see more and more of. Red Hat gets decent nods, and now even Apple of all people is selling a Unix operating system, albeit one that is packaged in a lamp.
Is MS at risk of losing the press?
Articles like this must drive them absolutely BONKERS. Forget the /. bias, we're nothing. An article a week like this, even as a back-page editorial, is enough to cost them how many customers?
How many of the system integrators like the guy in the article will just give up and stop dealing with XP, or worse yet, call Big Blue?
If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims. Any more FBI warnings will serve as months of fodder for the rags to hammer on them.
First of all, it's not IMPOSSIBLE to get software right. No more difficult than it is to build a car or a house correctly, and while on occasion they break down, generally speaking they function as they're supposed to with minimal failures.
You've heard the joke about the first woodpecker destroying civilization if buildings were built the way that software was written. There's a fundamental truth here. Coders, for the most part, are sloppy. Why? Because they CAN be. However, there are examples of cases where software was done correctly the first time. It takes careful planning and controls and peer review, and in most cases the end result is clean code in less time than it would have taken to do it sloppy and spend lots of time cleaning up bugs.
There SHOULD be accountability here. But people don't hold Microsoft accountable. And I don't blame the monopoly factor either. People have just been brainwashed to believe that it's NORMAL that computers crash. It's NORMAL that there are viruses. These things are just a part of life, and there can't be anything done about it. And as long as they believe that, they will keep buying into Microsoft.
These things generally don't bother the individual. They bother a large corporation as a whole that has to deal with the cleanup after one of the messier outlook viruses goes around. But, the corporation, run by people, simply looks past the problem. The sys admins might be screaming bloody murder about it, but everyone else just considers it to be the status quo and goes on with their lives as best they can while the servers are being reloaded.
In my opinion, Sircam was the first windows virus/worm that had the potential to have a real effect on how people looked at Microsoft. If the virus was somewhat more malicious and made the data that was being sent out easily readable (as well as passing along a virus) and a few big corps had a lot of confidential internal memos sent all over the world.... THEN maybe people would start to reconsider the value of Microsoft brand products, as soon as it is made clear to them that it's Microsoft and their software that made all this possible.
-Restil
So, having the source is not a panacea..The damage could already be done before you have a chance to fix it, even with an OSS/FS solution.
Hmmm, we've been building permanent dwellings for thousands of years. We've been building software for fifty, and doing so on a large scale for about thirty.
Not to mention that the complexity and novelty of the average piece of software dwarfs that of all but the most unique and large-scale building projects.
And you think that planning, control, and peer review comes free, and without a lot of pain getting it wrong first?
Software is still relatively new, and the most complex design task humanity undertakes. It's no wonder we haven't perfected the engineering of it.
This perception is only apparent in the PC industry. There are a whole range of areas where software has to be 'good quality', and the consequences of failure are huge. For example:
The trouble is, the PC industry has come to accept the usual disclaimers ("No liability for any damage
You would expect increasing reliability as the market moves more to (dumb) consumers - but, of course, everything is slightly screwed by one company having a monopoly
(Just noticed - should the subject of this post be 'Re:Liability' or 'Reliability'?)
I will admit readily that I haven't read many of the comments here, but I have to say this:
/. crowd, this may come down on you a hell of a lot more - do you carry terribly expensive Omissions and Errors insurance? I didn't think so.
Many of you should think twice before hailing Microsoft's downfall should it happen to stem from software fault liability.
Read the article - part of the major point is that a legal precedent could be set that would allow for far greater liability on the part of software developers that deliver flawed code.
Think about that for a second - all of the software that *you* have developed for clients that have pushed the boundaries on budgets and timelines is *totally free of bugs*? Even totally free of bugs that might eat their data one day? Myself, I occasionally lose sleep thinking about a bug that I *know* is in code that I delivered to a client that has no more funding to pay me with to clean up the system.
I personally feel that I have legitimate protection from liability for loss in those situations given that I expose the problem to the client, honestly tell them how much it will cost for me to fix it, and explain that the coverage for corner cases wasn't there given the budget they provided.
Are you ready to stand in court against precedent that you are liable for the business cost of a bug in your code? I'm not.
I am not a MS loyalist in the least (yes, I'm posting this from Win2k, my work platform for clients that I do Win work for) - in fact I wish to see serious stipulations on their bundling and BIOS issues mainly - but I don't think this is the right angle to crucify them on because it will come down and affect me.
From what I understand of the current
-astro
Maybe I do, but is your compiler equally well written? How about the port of glibc to your hardware platform?
Application software sits on an operating system and depends on OS libraries. Open source software is often compiled from scratch, and you do not have control over which compiler is used or which build of the libraries.
I would never make a guarantee that my software would operate as I expected 100% of the time, unless I had control of the deployment environment.
For example, look at the stability of games console software compared to most PC-based games. It is a genuine shock if your console game hangs on you - I can count the number of times it's happened to me on the fingers of one hand, going back to my SNES-using days. The reason is that the developer is able to test in the exact environment the software will be used. This is a luxury not available to most, and I believe stability (unavoidably) suffers as a result.
Cheers,
Ian
In a previous comment on another article, I noted that Unix has spent its time "in the trenches". Infosec history is full of Unix and its exploits... and its eventual improvement. But it is too easy to look at this history and learn the wrong lesson.
Unix's history of security flaws is less about Unix and more about infosec awareness. Unix changed as the understanding of infosec and security principles changed. While time has allowed more of these flaws to be discovered and removed from the Unix code base, the process over the years has been more about knowing what to look for (or even to bother looking). And as this understanding of infosec principles, concepts, and procedures has increased, entirely new chunks of unix code have materialized - sometimes to fill a void, but often to replace another project's functionality with a new design that has taken security issues into consideration during its inception.
In short, Unix does benefit from its maturity. But the greater lesson is the infosec mind set. The tao of security, if you will. And these are concepts that can be applied to any project / OS.
The claims that Microsoft will "get there" with maturity are misleading. Microsoft may indeed improve. But it's not maturity of their code base that's at issue. The issue is whether Microsoft will begin to understand Security and design systems based on that understanding.
Microsoft has shown signs of improvement with a sudden handful of security tool offerings. But unfortunately, these are really superficial afterthoughts to an already flawed environment.
Microsoft's problem is not technical; it's cultural. Microsoft is a technology company that excels at marketing. Articles by Microsoft coders talk about the push from Marketing to add additional features at the cost of bug-hunting and resolution.
This kind of environment clashes with two infosec concepts. The first is that vulnerabilities are bugs - something malfunctions in an unexpected way, leaving the system vulnerable to intentional manipulation of this bug. The second is that there is an inverse relationship between functionality and security. Increasing the number of features, and the ease of using these features, often threatens a system's security.
Marketing at Microsoft will first have to care about infosec issues (this may be happening as Microsoft gets more and more negative press). Then Microsoft will have to strive to design secure systems even at the cost of features (and possibly even abandoning or severely restructuring current systems).
It will take a maturity of a different kind.
To really implement tight security (the only kind that will prevent 95% of viruses) means a drastic change in microsoft's entire line of products. The fact is most people know better, but when they sit down at a computer their brains turn off and they click everything. The only way microsoft can prevent all these email viruses isn't to turn off "launch attachment", because people will turn it on the first time they get an attachment. It's to require users to save the file, scan the file and limit user accounts in windows. That means users have to login as the administrator to install programs and do updates. I'm sure people are saying, "just like unix."
Will people put up with less convenience after they've had it for 8 years? My guess is probably not. In the best case scenario, people will slowly get used to it and take 25 years to replace all the old software. Short of giving away their software, microsoft will have a huge headache replacing all the outdated versions with hacker friendly features.
- level-0 is the software provided as it is or with disclaimers that nullify any liability (that is 99% of today's commercial and free software)
- other levels could be defined for software which promises (and therefore is liable for) a well-specified level of accuracy/data integrity/security.
Companies would price their software according to the quality level they warrant, and people and companies could make their own cost/quality/risk trade-off analysis and freely use whatever they want. Note that in theory an open-source redistributor could achieve quality level > 0 by submitting the products it distributes to rigorous qualification tests and patching the software accordingly. A problem could be that they should publish their patches, making it easier for the competition to do the same. But this is nothing new, being the same dilemma that open-source distributors already face for the work that goes into packaging/integrating the free software.
Ciao
FB
Yeah, that sounds nice but if you look at reality, the reason there are so many MS problems is because if wordpad has a flaw it's on the front page of every paper and web site on the planet. If apple, AOL, Linux, or anyone else has a problem you don't hear about it. Why? Because it's not big news. If a big actor gets arrested for indecent exposure you hear about it everywhere. If the local drunk is walking down the street with their dork hangin' out no one really cares. Another interesting question though is how many security flaws has Linux had since it first came out? How many in the Kernel? How many in the different distros? You people are such a bunch of misguided fools sometimes. You whine and cry and moan about any government action, but then BEG for the government to make more laws thinking they will only apply to MS. Then when your own stupidity comes back to get you, you cry. What would happen if the gov't said Linux is illegal because it allows for hackers to easily infiltrate networks and thus is a terrorist tool? You would all jump up and down, pound your chests, cry, whine, moan, and lose in the end. So why bring down more gov't than you have to? Talk about biting off your own nose to spite your face. I guess that's what happens when you let children get involved in things that are bigger than them. They don't know how to create, only destroy.
But the liability could potentially fall on the user, not the developer.
You have the source code. Did you audit it? No? You didn't do due diligence, so out the case goes.
With MS you MUST trust what they say, there is no other option.
When a coffee maker makes bad coffee, can you sue the manufacturer? We've heard about people suing Mr. Coffee for burning down their house or maybe even squirting boiling hot water at their faces, but what about for bad coffee? What if your business depends on the quality of that coffee? How about televisions? Can a bar owner sue Samsung because their TV is fuzzy during a football game, which many of their patrons come to watch?
What happened to testing out and researching what you buy?
(from an article on fastcompany.com)
"...the last three versions of the program -- each 420,000 lines long-had just one error each. The last 11 versions of this software had a total of 17 errors."
It's not that humans can't get software right, it's that we don't choose to get it right. We're too sloppy, as another poster pointed out.
Price, Quality, Time to Market. Choose any 2.
And you think that planning, control, and peer review comes free, and without a lot of pain getting it wrong first?
No, he doesn't. The previous poster stated, IMO correctly, that *including* the time it takes to do proper planning, controls and peer review, you get clean code for less time *in total* than it takes to create and subsequently clean up sloppy code. Or do you think cleaning up bugs comes free and involves no pain for the coders? (Nobody's even considering the end users at this point, who are also experiencing pain and cost).
See Dave Parnas, Software Fundamentals, for some of the classic papers behind this analysis.
Plan it properly, do it properly, document it properly, and you have saved a whole *load* of wasted time and effort. "An ounce of prevention is worth a pound of cure." And so on.
Software liability will be tricky because of a domino-like effect: you may want to "guarantee" the code you wrote, but how can you do that unless you also guarantee the operating system it runs on? A bug in the OS may ruin your program. Oh, did you write the compiler you used? Maybe the compiler has a bug and introduced an optimization bug. Did you build the hardware? Do you really know if it works properly under all circumstances?
That is to say, some limited liability would be very useful. It would force vendors to feel some pain when they unleash buggy code.
For example, if Hailstorm/Passport/whatever has a security problem that leaks user credit card info, who is liable for the fraudulent charges? Hint: not Microsoft. If by law MS had to back the faulty charges out of its bank account, I predict Passport would be immediately withdrawn for a couple years of "redesign".
I see. So it's OK for people to run around advocating Linux or Apache as a serious alternative to WinXP or IIS, but the former are not to be subject to the same liability and the contributors not subject to the same incentives? Realistically, these two claims are not compatible.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Destroying a computer is not the worst you can do.
Corrupting the data on the computer is MUCH worse.
Think of a database for an ecommerce server. A virus that understands the database format, and turns every 7 into a 3 in the database. Credit card numbers (I'm sorry, sir, your card has been declined), prices, product IDs, addresses, zip codes, telephone numbers (hope this doesn't happen to your phone company), social security numbers. Everything on that database.
Then it transmits itself to another host, and removes itself from that machine, attempting to cover its tracks.
Destroying the computer is *nice* compared to letting it run for the next month with incorrect data. You just corrupted the next 7 million transactions that system processes. And how much does it cost to correct that? Restoring a nuked server is cheap by comparison.
Which would be worse for a serious ecommerce business? Being down for a day? Or having to check every transaction that was processed for the last 30 days, and dealing with mischarged customers, fraud charges from CC#s billed incorrectly, incorrect products shipped, lost packages that were misaddressed...
Destroying a system is bad for a home user... corrupting it can be deadly for a business.