Slashdot Mirror
Security Community Reacts to Microsoft Announcement
A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Crag Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
It seems to me like MS are doing this just to counteract the recent bad press they have got in the security area.
I have said it in the past, and I'll spew it backup now for those who missed it, MS do not make the best software - bu they do have the best marketing department and business sense.
Let's wait and see, announcement are just words, let's see how they will react when there's going to be another big security hole (because there always are going to be, and that on just about any platforms, but especially with Microsoft), if they've really changed philosophy, they will react more quickly (as in programmer-wise and not PR-marketting-wise), and not handle this as a press release taking their customers for complete idiots and reacting immaturely blaming people that finds the bugs as "terrorists".
And anyways, for those of us that are on some security mailing lists like NTbugtraq, we'll see how the people got their discovery handled by Microsoft, if they change for real, maybe we won't read as many "We notified microsoft 3 weeks ago about this matter and nothing was done, now it's time to bring it public" and then having the Microsoft PR and legal team on their back.
I think they are starting to feel the heat of people that are really not satisfied and claiming that buisness damage due to insecure OS should be fined to the creator of the OS, especially when they claim it's secure. Heh.. good thing.
--- Metamoderating abusive downgraders since my 300th post.
I would look for MS to make at least two major acquisitions in order to shore up their security offerings - they have used acquisitions in the past to shore up problem areas.
Of course the caveat is that they are not so much concerned with security as an intrinsic value but in the selling of security, and there is an important distinction here. As with any growing software market, you can't underestiamte Microsoft's efforts, and I think it is largely naive for the readership here to snicker and write off MS in this regard.
I once heard a story about the Denny's restaurant chain. I'm not sure if it's true but the moral is. The story goes like this.
Apparently, Denny's had intended to be a 24x365 operation, never closing its doors. Therefore, when they built the restaurants, they didn't bother putting locks on the doors.
One year, they decided to give their employees Christmas day off. In order to close the restaurants, they needed to be able to lock the doors. Therefore, they had locksmiths go out to all of the stores and install locks.
Now, instead of having spent about $10 per door when the store was built to have locks installed, they needed to send locksmiths to all of the stores and pay them for a couple of hours work resulting in a cost of a few hundred thousand dollars to give their employees a day off.
The moral: It's a lot easier to design security into a system in the first place than to try to add it on later.
Microsoft has their work cut out for them.
Step 1: Embrace some technology.
Step 2: Extend it in proprietary ways, locking the users in to Microsoft.
How long before we hear,
How long before the security protocols used are known only to Microsoft (for security reasons, naturally)?Three months—at the most!
Are you saying they *shouldn't* be doing what they want to do? Should they do what you want them to do?
If he's a Microsoft customer, yes.
Microsoft is very unusual in the sense that it doesn't follow the adage that the customer is always right. If any normal (read -- business that doesn't have a monopoly and can rest on the fact that >95% of the home users and >40% of businesses will buy their products because they see no alternative) business employed Microsoft's attitude, they'd soon be out of business.
Say you went down to your local grocery store to buy some Extra-Triple Fudge Fatty Ice Cream and they said "no, we're only going to let you buy plain Neopolitian -- and by the way, we're going to be changing the policy here, if you want ice cream, you'll take it whenever we want to sell it to you and we'll be instituting annual billing for 52 Gallons of ice cream a year. Oh, and if you want to give your kids some, you'll have to buy extra containers for them, only one user per container. Oh, and our profit margins are below what our shareholders are used to, so we'll be raising the price every few months and thinking of new ways to require that you only buy Microsoft Ice Cream."
How long would you remain a customer? In effect, this is what M$ is doing and as a customer you can't do a damn thing about it as long as you continue using Windows.
It isn't normal for the majority of a businesses customers to hate the product that make, but have to accept it anyway.
Security and stability are things that Microsoft's customers have been screaming for for years, so yes -- they should be doing it whether it's something that they want to do or not.
Unfortunately, the main focus of their development has been to add features that lock people into the Microsoft platform.
Security is only becoming a focus now because the biggest potential Microsoft lock-ins won't be adopted unless Microsoft can convince the public that they are secure. I don't think this is a genuine effort, except on the part of the PR department -- it's a sincere effort to convince everyone that they're going to be more secure, but I don't believe that it's going to happen -- well, they may become *more* secure, but that won't take much.
"...they've helped transport people to the moon and back safely, they manage critical aircraft systems for thousands of flights every day, they support business operations at companies of all sizes, and they move trillions of dollars around the world to keep the global economy"
It's a shame that none of these run Microsoft software. MS didn't exist in the 60's (moon landing), has nothing to do with aircraft systems (most still in use run on late 70's mainframes and mini's), and god help the bank/brokerage who runs their mission critical software on an Wintel platform. End flame.
Mundie does have one idea right though; make it ubiqutous (sp?). He indicates computers should have the same reliability that requires no thought. I agree whole-heartedly. However I don't believe MSFT can do it without rewriting the whole damn thing over. I cannot count the amount of times an NT server had to be manually power cycled because a service hung and wouldn't restart. This wasn't some oddball, third party service; this was IIS ("WWW Publishing Service" I believe) Until simple things like the separation between kernel and application (EVERY application, no exceptions for the ones you need to tweak for benchmarks) is complete, NT will have problems
Toodles
Toodles D. Clown
I thought that looking at these two articles provided an interesting comparison. Mundie's idea of "trustworthy computing" is a world in which people don't think about the technology that makes their computing devices work. This seems to me to be pretty much the same philosophy that Microsoft has followed for a while now, ie lowering the level of knowledge required to operate computers.
By constrast, in the Schneir article, the viewpoint expressed seems to me to advocate people getting involved in the operation of technology. More configurability, plus more modular components, more transparent auditing/logging of OS functions etc. In the author's view, users should be aware of what their computer is doing.
This is the fundamental problem with Microsoft's view of security. Their focus on making things transparent to the lowest common denominator is at the root of all the architectural problems from lack of logging to Outlook viruses arising from scriptable email. They need to change their view that people should just view their computers as mysterious black boxes before their security record will ever improve.
Three words: Removable drive racks.
As long as IDE exists (which should be good for another 2-3 years), if you must use Windows, keep an old '98, W2K, or Linux/FreeBSD install on separate a hard drive with your data and applications, and install Windows RG on another drive.
Wanna work? Use the main drive. Wanna play the l33t new game? Yank it out and boot RG. No Gatesian DRM tech or spyware will ever be capable of corrupting or leaking data stored on an unpowered hard drive that's been physically disconnected from your machine.
The problem is that an alarmingly large number of people cannot distinguish between the following:
What has happened to the software industry in general is exactly what has happened to the American political process. If you make promises and then cash the check, it doesn't really matter if you deliver. The reason is that people are gullible.
So you think, "gosh, wouldn't it be great if they've finally decided to do it right." But they haven't done it; they've just said that they are going to do it. Any support for mere words on the hope that it might come to pass will remove any incentive for actually doing it.
Most people get off so much on the hope and the promises that they don't realize how they're encouraging integrity-challenged behavior with their actions. It takes a real cynical bastard not to get caught up in this, and then we get told, "Oh, you Microsoft Bad Religious Types."
This one kills me. From Craig Mundie:
"Many people today are still reluctant to trust computers with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to them"
Every time you fly on a plane your life is in the 'hands' of computers. Every time someone gets an x-ray or a CT scan or any one of many now normal medical procedures you are entrusting your life and health to computers. Most (if not all) medical and financial records are entrusted to computers.
We do it everyday and the reason we do it is because these devices are designed and built by companies that have earned our trust by building quality products to very strict specifications for safety. These companies have good track records of safety and if they have problems then they are reported.
What Mr. Mundie should have said is:
"Many people today are still reluctant to trust Microsoft with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to Microsoft."
--
-- Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.
It would be good if the people who spend so much time attacking Microsoft's security issues considered that UNIX generally and Linux in particular are not exactly fault free.
How can anyone who runs sendmail throw stones at Microsoft? sendmail is a textbook case in how to write software that can never be secure. The program breaks every single one of the rules Bruce and Adam set out. There are plenty of better alternatives, yet sendmail remains the default through sheer inertia (you might want to route some bang path UUCP or OSI mail sometime you know).
UNIX only became secure as a result of trial and error. There never was a security architecture worth a damn. For many years the main contribution to the security world from the UNIX security architecture folk was discouraging people from using shaddow password files.
The security model of all modern operating systems is based on the security model of MULTICS and comes from the age of the Multiple Access Computer. The security problem is defined in terms of a single machine that has multiple concurrent users. The addition of the network is an afterthought.
What this means is that very few of the security features in a modern O/S are actually of the slightest relevance to a machine running a Web server. In effect we end up with two parallel permissions structures, the one managed by the O/S and the one managed by the Web server.
Win2K and XP have Kerberos and PKI integrated into their core. The standard condfiguration supports IPSEC, S/MIME, SSL, Kerberos, Smartcard login, Encrypted File system. Measuring security in terms of cryptographic features Microsoft wins hands down (Microsoft are good on features).
Linux on the other hand is not in anywhere near such a good position. Security packages are available but it is left to the end user to integrate them. Linux also lacks anything that resembles the 'Security Administration Guide' mentioned in the rainbow series books.
Security is not a binary condition. The problem I see for Linux is complacency. There are too many weenies out there whose knowledge of security is actually minimal who tell people Linux is secure because that is what they have been told. None of the O/S on the market are particularly secure. Windows has a great security architecture that the crappy applications completely bypass. UNIX has a crappy architecture and some very well tested applications whose security bugs have been largely eliminated by trial and error.
People in the OSS community can go arround telling each other that Linux will always be more secure than Windows if they like, but that won't make it true. Gates has essentially served notice that Microsoft is going to be upping the ante here. That does not mean that they will win, but a lot of work is going to have to be done if Linux is going to keep up. Fotunately it is not necessary to integrate PKIX into Linux as Microsoft did with Windows, the OSS community could skip a PKI generation and move straight to using new technology such as XKMS and SAML.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/