Slashdot Mirror


Security Flaws May Be Microsoft's Undoing

tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products have begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."


  1. They're no worse than the average... by Zspdude · · Score: 3, Interesting

    Just a thought... If they dominate the market... Most software is Microsoft... Microsoft software is buggy and insecure.... Most software is buggy and insecure! They're right on par for the course!

    --
    What's in a Sig?
  2. Windows Update Down Again? by Maserati · · Score: 3, Interesting
    Gee, since WU is a big feature of XP (even if MS is still breaking things with new patches) d'you think consumers have an action claim if WU fails to get them a known patch? Lost data due to a known error could leave MS liable in today's lawsuit-happy world.


    Add in a Gartner analyst casting doubts on MS and raising the trust issue in terms of .NET, and you have some long-term sales issues for Microsoft. The analyst said that if you don't trust Microsoft, you don't use .NET. Then the article reminds us that MS is betting the company on .NET.


    A failure to execute (on security) could get Microsoft executed.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  3. Liability. by Lemmy+Caution · · Score: 5, Interesting
    The article mentioned a shift in political attitude: lawmakers are considering suspending the protection against liability that software makers now enjoy.

    Insofar as it's true that software is flakier and more vulnerable than other products, the questions we might ask are the extent to which liability has motivated other product manufacturers to be a lot more careful in their manufacturing processes, and the extent to which software is "inherently" impossible to get right. Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?

    1. Re:Liability. by bshuttleworth · · Score: 2, Interesting

      There is one fundamental difference between dragging Microsoft into court for security problems that they don't/won't fix and hauling Linus into a similar court:

      Microsoft has artificially created a single point of failure in security.

      That means that Microsoft is a single point of blame - something which cannot exist in the OSS world. This is more fundamental than "many eyes make all bugs shallow" - if there's a hole then you are as responsible for fixing it as the original maintainer. You have the chance to do something about it even if the maintainer isn't interested.

      In that way, an opensource project (even one with just one developer) is, in theory, a collaboration between every user of that system. They have a choice whether to take the good with the bad - they can fix the bad (given time and effort). But Microsoft, through proprietary licensing of source code, has taken all the profit and with it all the risk.

    2. Re:Liability. by Density_Altitude · · Score: 2, Interesting

      MS should be liable to the claims they make about their software. For example, telling that XP is the most secure OS ever, when they were aware of the UPNP bug, should make em prone to lawsuits, IMHO...

      Also for Open Source, if we make explicit disclaimers ala debian (i.e. NO WARRANTY etc.) I think it'll be fair enough for anybody with common sense to understand no one can be taken to be responsible for thy problems.

      --
      delete free(system.gc);
    3. Re:Liability. by Anonymous Coward · · Score: 1, Interesting
      I used to write ladder logic for programmable controllers in automobile plants. The complete program would get up into the 1000's of lines. We would be compelled contractually to test and simulate every possible scenario and problem for every single line of code before the customer would assume ownership. I am amazed that M$ and others can release software that OBVIOUSLY hasn't been tested.

      Now this is an idiotic comparison. Microsoft's software is several orders of magnitude larger than your controller programs, and serves a vastly more complex set of purposes.

      While it's obvious that they don't do a sufficient job of testing, it's silly to imply that their software should be held to the same standard as yours -- it's simply impossible to test a program the size of Windows as thoroughly as your relatively minuscule software.

  4. Product liability by stjobe · · Score: 5, Interesting

    A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.

    Interesting, but in the case of free software, what would this mean for the developers? We all want Microsoft to be held responsible in some way for their security holes and such, but would we want to be treated the same way ourselves? What would happen when an author of a piece of free software was dragged to court because the software was buggy? And what would happen if it was Microsoft who did the dragging?

    --
    "Total destruction the only solution" - Bob Marley
    1. Re:Product liability by Nephrite · · Score: 2, Interesting

      Oh, I'd like the USA to pass this law. This will move software development to other countries which deserve to have better technology leaving the USA with monopolistic m$ and its bugs.

  5. Not evident so far... by dimator · · Score: 3, Interesting

    Has shoddy security caused Microsoft any grief so far? A month after a hole is found, they fix it, and no one seems to care after that. Sure, people that don't like Microsoft remember it and add it to their encyclopedia of Microsoft holes to whine about, but people that like Microsoft fix it and go on with life. Who do they place the blame on? The "evil hacker", not the poor software.

    People are so accepting of insecurity that they are even willing to spend cash money on antivirus suite after antivirus suite every year. It's just become a part of the cost of owning a PC.

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  6. We should plan for this... by Bombcar · · Score: 2, Interesting

    I was talking to some folks, and we mentioned that the world is becoming more dependent on information that is ONLY stored electronically, and not on paper. Perhaps the time is coming where something (like a major filesystem eating bug in XP or the next SuperVirus (TM)) will destroy a large portion of the internet's data. (An example is , who recently lost everything in a major raid update crash.

    So what we should do is plan and prepare for this eventuality. If we have the equivalent of backup generators and emergency equipment in the digital arena, we can take over when the main system stumbles. It's not going to be long until someone devises a way to seriously crash a significant portion of the machines in the world - all the recent virii have been relatively harmless - it would not take much at all to program a relatively smart virus that would do serious damage (IE hit network drives first, destroy files that are heavily used, only strike at night, morph code, etc.)

    Ah, well. This is just a bunch of blathering, but we should think about how to use the "enemy's" weakness against it. We need to make sure that linux is seen as more stable and more secure because it is BY DEFAULT - if people start using it and get burned, they'll go back to Microsoft.

  7. Free software is safe - how about shareware? by Shenyang · · Score: 3, Interesting

    Hard to establish liability for free software. But shareware authors who charge a small fee (and hence make a direct profit) might be easier to target should this liability idea take hold. Shareware would become enough of a liability for small-time authors that they would be forced to either give up and find a publisher with deep pockets, or else give up revenue altogether and just give their software away for free. Perhaps a threshold could be established to determine when liability kicks in?

    --
    Why aren't we told when an Editor moderates our posts?
  8. Blunders vs. Criminal Negligence by guygee · · Score: 2, Interesting

    Making software developers liable for damage due to blatant, criminal negligence would seem to be a good idea on its surface, but given how money corrupts our political system, any such incipient bill being developed in Congress could easily be turned on its head. If every software developer is held liable for *any* damage caused by their product, imagine the destruction such a law would wreak on the free source movement. Who would dare donate code, faced with such huge potential liability? Bye-bye gnu cc, bye bye Linux.

    Reasonable diligence should be exercised to protect security, but no large, complex piece of software can be bug-free. Building software ain't the same as building bridges, boy!

  9. Re:Ahem... by jtra · · Score: 2, Interesting
    The last time I checked, the security testing group at MS consisted of ...

    Last time MS security has been interviewed (Interview With Microsoft's Chief of Security) their chief did talk rather about their physical security like locking a door at night and obfuscating their product to be protected (hence word security) against their concurrency.

    --
    -- Wanna textmode user interface for ruby? http://freshmeat.net/projects/jttui/
  10. Re:Effect on GNU GPL by prockcore · · Score: 2, Interesting

    "Would you want to be personally responsible for any GPL'ed code you wrote?"

    Absolutely... all my GPL'd software comes with a money-back guarantee.

  11. Liability. by ImaLamer · · Score: 2, Interesting

    Why shouldn't they be held liable in certain situations?

    This is supposed to be a huge world economic product - they can get this way without any consequences? No worries?

    The software costs money. They push a license agreement on you when you pick the product up at the store, when you buy a computer with windows pre-loaded, you are making a contract.

    Okay, so in the agreement they sneak in some language that keeps them out of trouble. The problem is before you agreed to that 'contract' you were promised certain things. The product is defective.

    Data problems, in most cases, won't affect someone's well-being. But there is data at stake. Their data costs $99 and up. Is your data worth any less? They promise to provide a secure and somewhat stable operating system.

    This isn't always the case. It's only becoming an issue because they make so much money in the business. Shouldn't we ask more of Microsoft?

    Well, if we can't sue, the gov't does nothing, and products continue to be shipped while 'broken' then something needs to be done.

    Simply say it with your pocket book. Pass up on upgrading to XP. Do whatever you think is necessary. Buy an Apple.

    I know it's not easy; but don't you feel that many other M$ customers - if not yourself - feel as if Windows is needed? It is in certain situations, but does everyone need it? No.

    There are options. Not every option will work for all the people, but let's start to choose something else.

    OR! Hold them liable

  12. Go ahead and take the lead by Dr.+Tom · · Score: 5, Interesting
    Next time you release a software product, delete that "NO WARRANTY" clause from the license. State that you will fix any bugs that are found for one full year from when the user downloaded the program. You may even be confident enough of your code to offer a money-back guarantee (if it's shareware, for example). See how adding lines like that to your tarball affects how you code and debug.

    Dare Microsoft to even think about this. Their worst fear is a world where people choose software based on quality.

    Seriously, we don't need to whine about what some legislators are doing about the big bad wolf's coding practices. What we need to do is start setting the example. Say "I write good code!" and stand behind those words. Somebody who knows how should create a version of the GPL that includes appropriate warranties for Free Software. The "Quality GPL" (GQL?). You don't have to use it, if you think your code is buggy or is a development version. Right now we just click on "Stable Branch" and that sends a message to those in the know, but how much better if you go visit a software repository and find piles of code that are stamped with a license that guarantees that the product is free from defects in workmanship (modifying the source code voids the original warranty, of course, and people who re-release modified code are under obligation to change the license to reflect that).

    We want people to get the idea that software that claims to be stable yet comes with the phrase "NO WARRANTY" is probably a steaming turd. Especially if they paid good money for it.

    Naturally, you can't predict how some people will use your product. "No, sir, the VCR does not function under water." Your code might not work on an SGI, either, if you developed it under HPUX. Using the product in a manner not intended will void the warranty. Sometimes it's not a bug, it really is a feature (or the lack of one). But if somebody finds a bug, you WILL fix it, won't you? Why not put that in writing? Even offer a monetary reward to the first finder (how about $2.56?) of every bug.

    Note that agreeing to fix bugs, or claiming that your product is bug free, is completely different from assuming liability if the user uses your program to kill himself. That's a completely different story.

  13. Conspiracy theory! by BlueUnderwear · · Score: 3, Interesting
    The only one I can think of is Microsoft. This wouldn't be their undoing, it'd only make them stronger.

    So, it is actually in their best interest to do shitty software, in order to prompt lawmakers for such a change in law. Once the law is passed, they clean up their act, and watch with glee as OSS developers get sued into oblivion by liability lawyers...

    Such law should have a provision that it only applies to commercial software (i.e. software that is sold for a price, or on the base of signed license contracts). Free (as in speech) software should be excluded from such liability. Free (as in beer) software would still be covered, by considering it as promotional material to sell commercial software (i.e. give away Internet Explorer to sell Windows).

    --
    Say no to software patents.
  14. YAMA by krmt · · Score: 3, Interesting

    Yet Another Microsoft Apologist

    What about Apple? Are we forgetting the fact that the original Mac was relatively secure for over a decade, despite granting full root access to whoever? Yes, there were virii and trojans and whatnot (can't really be prevented) but the design of the system prevented a lot of problems for the average user. These are the same average users who are going to be affected by the XP problems, not UNIX admins.

    MS-DOS and its descendants were around for even longer than the Mac, and the NT system is very mature. Why can't they match Apple's security?

    I'm sick of MS apologists. Microsoft makes shit. It's shit that's getting better, but it's still shit. Don't whine and say it's unfair. They have the money, the power, and the resources to make what is far and away the best software in the world. And yet we get articles like this, and we get people like you whining about how MS is being treated unfairly. Forget it.

    As the market leaders who the majority of the world depend on for their computing needs they deserve heavy criticism.
    As predatory monopolists they deserve heavy criticism.
    As people who promise security they deserve heavy criticism.
    As people who would like nothing better than to see Windows everywhere, and the GPL and Linux and Apache and SAMBA wiped off the planet they deserve heavy criticism.

    So fuck whining about how MS is treated unfairly. If we complain enough then maybe they'll listen for a change.

    --

    "I may not have morals, but I have standards."

    1. Re:YAMA by bradasch · · Score: 2, Interesting

      ...they deserve heavy criticism (4x)...

      I guess it's been like 3 or 4 years a large part of this community is yelling that Microsoft software is not secure. I don't imagine a decent, well informed Sysadmin not knowing Windows isn't stable, secure, etc.

      But what's easier? Criticize (sp?) Microsoft for making their (well-known) crappy OS, or blaming yourself (or the person in charge of choosing the OS on your company, for that matter) for a bad choice?

      And for home users, who calls the computer vendor to complain they sold you an unstable, insecure OS?

      People accept the crap MS sells because it's considered NORMAL for an OS to be crappy.

      The best "heavy criticism" you can do is DO NOT BUY MS PRODUCTS! If we start blaming people for making a bad choice of OS, not the company, things will be different.

  15. Thoughts on liability by vadim_t · · Score: 2, Interesting
    I'm thinking we need a new license, as somebody mentioned above. This is how I think things should work:

    Commercial vendors are responsible for what they produce. After all they sell the work for money. Programs should work as advertised. If Win98 is advertised as faster than 95, then it must be faster. If it's better for playing DOS games, then it should be indeed better. If MS says it's secure (*snort*), then it should be secure. The vendor shall be responsible for serious security bugs, but not user stupidity. Not preventing you from doing an 'rm -rf /' doesn't qualify.

    GPL should remain as it is. That's logical, many GPL works are *in progress*. Open Source applications take advantage of the openness, which lets them be released early, in an incomplete state. For example, suppose I am a technician and make my own TV. A friend comes to my house.
    Friend: Whoa, what's that?
    Me: The TV I've been making
    Friend: Can I try it?
    Me: Sure, but it's not finished. Be very careful with it.

    Now, should I be liable for damages if the TV that I already said is experimental catches fire? Of course not! I didn't make it as a professional work, it's just a toy I let somebody try.

    A useful addition would be the QGPL (Quality GPL somebody mentioned). Standard GPL, but with additions. How about:
    The software must be reasonably secure. That is, it won't let people break into the computer, and won't delete all the data on your hard disk. The bug that doesn't render correctly HTML for site foo.com doesn't qualify.
    All the reported bugs will be fixed in the next stable release
    Perhaps as some people do, like D. J. Bernstein (the author of djbdns) offer a reward for serious bugs.
    Maybe something else

    Ideas? Comments?

  16. Frequency of patches. by Anonymous Coward · · Score: 1, Interesting

    Everyone wants to point their fingers at Microsoft for how often they release patches for their software. Has anyone looked at home? What will the media think when they see that Debian has amassed eight security-related vulnerabilities in their distribution in the past 11 days? (and speaking of "security through obscurity," which Debian denounces on their security site, why does Debian not list the glibc vulnerability as existing until January 13th, when their patch was downloadable? Suse announced the vulnerability on December 24th. Someone knew but wasn't telling. That IS security through obscurity.)

    Debian Security Alerts from 2002

    Exploitable software is everywhere, and common. Probably the biggest problem is, and will always be, distributing the patches. Windows Update attempts to address that, which is at least a step in the right direction. I honestly think that any desktop OS or small business solution would require such a mechanism. To Microsoft's credit, in this specific case, the first time Windows Update in Windows XP attempts to determine if there are any pending patches, it does ask the user if they want it to operate completely automatically, notify before downloading, or the user may completely disable it. This is not a forced and uncontrollable feature. Even I'm not stupid enough to have it work on its own.

    Also, the faster you pressure the vendor to fix the problem, the more likely the fix will be a problem itself. Security through obscurity isn't fun, but honestly, I'd rather Microsoft quietly hold onto a vulnerability, thoroughly test its patch, and release it with some fanfare, hopefully before anyone managed to write the script kiddie library of the day to take advantage of it. If the vulnerability is that bad, and there is a workaround, then they should provide instructions for disabling it. With the IE bugs of late, they have; publicly announcing that people should step up their internet and intranet security settings, change their MIME types, disable active scripting and ActiveX components, etc.

  17. Re:The Nightmare by Anonymous Coward · · Score: 1, Interesting
    We've already run simulations of a possible warhol variant. Each 'seed' host is given part of the payload, encrypted, and part of the key required to decrypt the payload. The virus trades segments and rebuilds the key when it encounters other infected machines, which only happens after it's well on the way to saturation. The AV community has no idea of the payload until they collect the entire key, which is almost impossible to do before the virus gets it. And it spreads fast because each instance of the virus is only carrying a small part of the payload until near saturation.

    two hours to warn and patch. No clue what it does until it's already doing it. Nimda was a pussy!

  18. On-line demo of Microsoft security by Xemu · · Score: 2, Interesting

    This web page from Fairfield City should be enough to convince you that Microsoft security is good enough for storing credit cards, your e-money, financial records and anything else.

    --
    Tell your friends about xenu.net
  19. Let me update my machine, thank you... by treeborg · · Score: 2, Interesting

    The big problem here is that Microsoft presumes that its interest in updating software supersedes the end-user's control of his or her machine. Why would any user want Microsoft doing anything to their machine without prior consent? The interest of a software corporation and the end-user are fundamentally different... Even local IT managers often screw up work in progress when updating software--usually timed for their convenience, not the user's. I am thankful that Microsoft is so incompetent; perhaps the ill-conceived notion that a central authority should dole out and control tools that have already been purchased by end-users will at last come under question.

  20. How's this for a destructive payload? by Frank+Sullivan · · Score: 4, Interesting

    On most modern PCs, the BIOS is flashable. The control chips on the IDE drives are flashable. The CPU has flashable instructions. These are all there to deliver upgrades in case of a bug.

    Now, imagine a virus that destroys the IDE control chips on each drive (no accessing the data again, short of mechanically removing the platters), destroys the BIOS (no booting again short of physical replacement of the BIOS chip), and destroys the CPU (instructions are broken, starting with the ability to update the instructions).

    Cross this with Warhol propagation techniques. While you're at it, delay the payload long enough to maximize propagation rates, but not long enough to allow antiviral reaction.

    This could lead to *hardware kill rates* on the order of 10%-50% (or more) of the computers on the Internet. None of those computers would ever work again, and data stored on them could not be easily recovered.

    All of this is doable from publicly documented information, crossed with the Microsoft wormhole-of-the-week.

    Are you frightened? I am.

    --
    Hand me that airplane glue and I'll tell you another story.
  21. About the pharmaceutical industry by k98sven · · Score: 2, Interesting

    In reply to all those "Software is IMPOSSIBLE to secure" posts:

    By comparison, so are pharmaceuticals.
    (intravenous drugs for example: it only takes a few bacteria to cause a potentially lethal infection in the patients)

    Yet scandals are rare. Why? Because of control.

    Everything is controlled in incredible detail. Look at the production lines in the pharma industry (I've personally visited a few), and you'll immediately become aware of the safety.
    Safety starts *long* before production, even before the factory is built they're planning and designing for product safety. The routines of the staff are tightly controlled. Quality assurance staff are everywhere, continuously probing production. Basically, safety is a fixation, it permeates the industry from the start to the end.

    Why? Because they have to. It's the most tightly regulated business in the world, if the ventilation in that clean room isn't up to code, (which means replacing the air completely in 2 minutes) the FDA will shut 'em down immediately.

    Now I doubt we need this kind of regulation for software, after all, Microsoft's customers don't die when MS screws up. (Thank god- what a holocaust that'd be.)

    But they definitely need to get security into their heads. As usual, money provides the best incentive. Hold 'em liable.

    As for OSS companies, heck, I thought Quality Management was what they did? When I buy RedHat Linux, I want a kernel that is stable and safe, packages that work together, etc. That's why I'm paying for it isn't it?

    If they support a product, they should take full responsibility for it.

  22. Re:Liability -- extending the concept by Reziac · · Score: 3, Interesting
    This is an outstanding concept -- it would allow both free and commercial software to pick the standard they intend to adhere to, and be liable in proportion to the degree that they claim to meet a certain standard of performance (including stability, fitness for purpose, whatever).

    As to whether it actually meets said standard -- yes, it would be good to have an independent testing team, but who's going to fund it? Do you only get to have a rating if you can afford to help support the test process?

    That being the case -- I'd suggest a twofold system: a rating the software author agrees to meet, and a number assigned by independent review when that is available. So if I claim a 3 rating but actually manage a 4, I get a 4/3 rating. Consumers have caught onto similar systems quickly in the past (such as gas mileage ratings on new vehicles).

    To extend the idea another step, the penalties for failing to meet said standard should also be set on the same scale, so there will be no question how heavily any breach of performance standards will be penalized. Frex, if you claim to produce grade 5 software, but it's actually only grade 4, you get one increment worth of penalty. If you claimed grade 4 but it was really grade 1, you get 3 increments worth of penalty. And so on. That way someone who tries but didn't quite get it right doesn't get penalized as much as someone who really screws up and doesn't care.

    If you can't afford the liability, then don't claim the reliability. Simple.

    Occurs to me that liability insurance for software (both individual and corporate products) could quickly become reality under such a scenario, with premiums set apace with the reliability claimed for said software.

    Perhaps it could start as a voluntary system, which develops coercive force on the software industry as consumers become accustomed to the concept and as more funding for independent testing becomes available -- the system would make it in the publishers' best interest to support it, perhaps with some charity testing for free software.

    Anyone else have ideas for how to extend the concept?

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  23. Microsoft's Frenetic Development Cycle by ThePhantomPiper · · Score: 2, Interesting
    Microsoft has created a monster--a consumer public that expects an OS to never be older than a year or two. So MS is in the position of having to release software before it's been properly debugged. I am no lover of Microsoft's business practices, but the public will need to be educated before anything can change; look at how the public reacts when they announce a delay in the release of a new OS. Heaven forbid they take the time to do it right before unleashing it on the world!

    --
    "I'm not sure exactly what an AS/400 is, however, I'm pretty certain I wouldn't want one up my ass"

  24. Been there done that..... by Anonymous Coward · · Score: 1, Interesting

    Not like we haven't heard this one before. Comes up about every 3 years or so.

    Believe me, reports of Microsoft's imminent demise because of security concerns are greatly exaggerated.

  25. Fearmongering. by Kjella · · Score: 3, Interesting

    Actually most flashable cards have a backup non-flashable ROM, mainly in case the power goes during a BIOS flashing or similar. Also, chips can't turn off write access to themselves so if you just have a valid ROM to boot it, you can overwrite the BIOS again with a working version. When there was this BIOS-overwriting virus some years ago, there were a few laptops that didn't have a backup chip, probably to save space, and they choked permanently. The remaining ones were just to reflash, problem solved. After that, they've learned.

    Kjella

    --
    Live today, because you never know what tomorrow brings