Slashdot Mirror


Security Community Reacts to Microsoft Announcement

A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Craig Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.

16 of 471 comments

  1. Security is everyone's problem by crumbz · · Score: 4, Interesting

    It seems that the various tones of the above mentioned pieces reflect a Microsoft good or Microsoft bad attitude. Unfortunately, the problem being discussed transcends the usual polemics of such a debate. Good security, whether from Microsoft, Sun, Novell, Cisco or others, is in everyone's best interest. If Microsoft has finally awoken to this fact, good for them. Their previous security through obfuscation was a travesty and insulting. If my personal information is going to be stored on a computer that is linked to a network, I want the best damn security money can buy. For that computer, for the database software, for the firewall, for the remote machine at the local insurance agency that is accessing the info, et al.
    True Names are important for a reason.

  2. Craig's article... by ImaLamer · · Score: 5, Interesting

    ...says:

    But we're still in the early years of the computer revolution, and there are many technological, social and regulatory hurdles we must overcome before computers truly become a ubiquitous--and essential--technology.


    The early years? No. When you've got one person on top who can't get their sh*t together...

    I mean, we could be farther along in this 'revolution' he speaks of. Why aren't we? Because the Big Guys [read:Microsoft] are doing what they want to do. Why are they now only focusing on security?

    Oh! Pick me! I know! --- Because they do what they want to do, and that's it. They don't give in to customer demand; most of their product is cooked up by visions that Bill and others have.

  3. Really good or really bad. by st0rmshad0w · · Score: 3, Interesting

    Considering the amazing amount of interest at hammering away on MS products, this new "shift in focus" will either wind up producing one of the most secure sets of products ever (highly doubtful, IMO) or it will be a long, drawn out, yet abysmal failure as each new change becomes defeated as fast as it's implemented.

    Either way, it's going to take quite a while to tell.

  4. Windows needs a clean break by Dephex+Twin · · Score: 4, Interesting

    Windows is too backwards compatible, IMO. Too much building off of old stuff. Microsoft needs to make a new version more or less from scratch, like Apple's transition from the old Mac OS to OS X. It isn't a quick or easy transition, but it will pay off in the long run.

    I guess that's the problem when you are a huge software company trying to appeal to everyone. You end up supporting everything and it turns into a big mess.

    mark

    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
    1. Re:Windows needs a clean break by Gogl · · Score: 3, Interesting

      You are right in the sense that doing that would be the best for Windows, especially in the long run. However, that scenario terrifies me more than anything.

      My box has a Linux partition and a Win2k partition. I keep Windows for games, and because in all honesty 2k isn't that bad. It's got all the stability and such of XP, but none of the Big Brother. 2k is also quite secure if you know what you're doing. And I like playing games. I have vowed to not update to XP however, as the whole embedded passport thing and such really scares me.

      However, if say, 2 years from now Windows RG (Really Good edition) comes out and is NOT backwards compatible, now new games only come out for it. I'd presume that if anything this hypothetical WinRG will be worse than WinXP in terms of Big Brother-ness, ergo I'd be even more hesitant to upgrade. That and it'll be even more eye-candy and more dumbed-down and all that stuff. But if I want my games, I'll have to upgrade.

      So that's why it's scaring me. I hope they keep their backwards compatibility, as I would personally like to just keep running 2k for as long as I can. Or at least if they do lose the backwards compatibility, wait until Linux gets enough market for games to be more available for it.

      And yes I realize the irony in talking about Linux games in the wake of the death of Loki.

    2. Re:Windows needs a clean break by Monkelectric · · Score: 3, Interesting

      What if all this security talk is ... preparation for building a DRM (digital rights management) OS? The insecurities of the current MS OSes are what make a DRM OS impossible ... Right now I get around a lot of DRM stuff with my 10 channel sound card (M-Audio Delta 1010), by routing sounds out the digital outs and sending a copy to its internal mixer ... then I can record the mixer (digitally) :) ... of course I'm a true pirate, mostly I use this technique to save (RealPlayer) NPR broadcasts for my father :) But I think that won't be possible soon

      --

      Religion is a gateway psychosis. -- Dave Foley

  5. Getting ready for the settlement by bitty · · Score: 5, Interesting

    Someone brought this up in another article, so I can't take credit.

    The settlement with the DOJ specifically allows Microsoft to exclude documentation of APIs that relate to security. This new initiative makes damn near anything in some way relate to security. Gotta love it.

  6. DRM! by mikeee · · Score: 4, Interesting

    What really scares me about this is the talk about taking desktop control away from users, the one thing MS has always been good about in the past.

    Billg says:

    "Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways...It should be easy for users to specify appropriate use of their information including controlling the use of email they send."

    Of course, this new "secure" email won't work on those un-American Linux computers.

    Am I the only one nervous about that?

  7. Trust Microsoft? Who are you kidding by Catiline · · Score: 3, Interesting

    All thoughts of their past products aside, who really is going to trust Microsoft? They are a convicted monopolist; we've seen from the evidence how their mental level does not exceed the school yard bully, beating up weaker kids for their lunch money. This attitude locks them into a win/lose philosophy (when we win, you lose).

    It doesn't matter what sort of clothes they wear or how pretty they smile, when the bully comes around the next day, the kids run and scream in terror. They know the bully only wants to get them backed into a corner; what makes us treat Microsoft any different?

  8. Am I one of the few optimists? by JWhitlock · · Score: 3, Interesting

    Am I one of the few people here that took Bill Gates' message at face value? That they have decided to make a top-down corporate commitment to security, probably due to external and internal pressures?

    Bad security practices can be expensive - I know I've lost a few hours of work due to not having an up-to-date-and-scanning virus program. This has to have a definite impact on MS's operational budget, trying to figure out how to spin the latest virus while testing solutions against the entire MS suite. On top of that, there has to be some managers and employees that still believe the old lines, that customers pay for new features, not bug fixes, that interoperability and ease of use sell, not security.

    Microsoft knows that it has won the Desktop OS wars, that its closest competitors are Apple's OSX (only runs on expensive hardware, so it will have a minimal impact on business sales) and Linux (still playing catch-up with MS). Now it needs to figure out how to sell upgrade units to existing customers, and has to think about the eventual multi-computer households with home servers, where it is currently losing to Linux. Most reviewers that tried XP loved its stability, and I've even been tempted to upgrade my 98 desktop (which runs fine once you get all the programs working together).

    Extra bells and whistles aren't doing it anymore - customers are tired of gaining ease of use at the cost of patches and bugs. Customers want an invisible operating system, which makes easy things easy, and they almost don't care about making hard things possible. This will require MS to transition from a company focused on beating competitors by innovation (by whatever means) to beating competitors by having a better product (more stable, fewer surprises, better cooked).

    To make a change in basic philosophy requires a redirection of management. The Gates memo is the first step, and I think we can take it at face value. Sure, it's a strategy to further MS's competitive edge, but I really don't think that there's anything underhanded going on here. I think Bill is giving the lowest guy on the totem pole a weapon to tell his boss - Here, I want to work this bug out before we release it; if you have a problem, take it up with Bill. That's a Good Thing, and I'm planning to be surprised by what the folks at MS can do when they have the will to make a secure product.

  9. The usual press response... by DrCode · · Score: 3, Interesting

    If the past is any indication:

    MS will do a barely useful job of improving security, and the press will proclaim that they invented it.

    It will be just like multi-tasking in Windows 95 (i.e., "Users can now run two or more programs at the same time!!").

  10. Re:SOAP and the MSFT way by Zeinfeld · · Score: 3, Interesting

    The idea of SOAP is to allow IT services to be exposed as remotely addressable and usable procedures. Essentially with every web service or SOAP receiver, you have written a brand new server that parses XML protocol messages to decide on action.

    FUD

    What you, Adam and Bruce appear to miss is that firewalls are rarely configured to allow incoming HTTP requests. If they are, the requests are typically handled by a server located in a DMZ between two firewalls.

    The firewall bypass problem is for outgoing requests. There is not actually a whole lot of difference in the security implications of an HTTP client posting a form in URL encoding and posting an XML document.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  11. But that's a big part of MS's assets by JMZero · · Score: 3, Interesting

    Backwards compatibility sells MS products. Losing it will open the floodgates. MS won't do it.

    Apple is a very different animal. They can sell anything. Just not to everybody.

    In any case, "going back and rewriting everything" always sounds like a good idea, but seldom is.

    "Going back and rewriting the worst stuff" is probably a much better idea.

    --
    Let's not stir that bag of worms...
  12. Security Focus gets it right. I doubt M$ will by CodeShark · · Score: 5, Interesting

    Having done an amount of C++ coding back in the early years of Win9x, I have extreme doubts that M$ has the commitment or the ability to do anything more than "patch the leaky tires". Here's why: IMO the code structure upon which most MS apps are built (MFC classes) has some deep down design flaws which can't be rectified without introducing serious compatibility issues with any other MFC apps already out there.

    As an example, we wrote a test app with a different foundation class library that was bug- and memory-leak free in all of the major WinXX OSes up through 98 and NT 4, and even compilable and bug free back into Win 3.XX. The whole app was a total of 123K: the Microsoft Foundation Class (MFC) [version 3.2, IIRC] test app as created by the wizard came in at just over 1 Meg, riddled with memory leaks, logical errors, etc. Our determination was that it wasn't just a bad wizard -- the MFC itself was causing many of the leaks and problems.

    Now then, if you look at the Win API set now (Y2002), it is just that much more massive than when I last actively coded to it -- but the underlying code classes look much the same. [I haven't done a diff, so I can't prove it.]

    So accurate or inaccurate, I don't think Microsoft has the corporate will to change from a company built on FUD (fear uncertainty doubt) to a company whose software is something I can trust because it doesn't even look to me like they have fixed all of their original problems in the foundational code classes from the early days of Windows 95.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  13. Re:Jesus H. Fucking Christ by irix · · Score: 3, Interesting

    Except a lot of times (in NT 4 anyways) when you kill the web service with the 'kill' utility from the reskit, you are unable to restart the service. You go to the Services control panel applet and the "start" button is greyed out.

    I'll never understand why 'end process' in the task manager won't work and the 'kill' utility which you have to get from another CD only sorta works. You'd think that the designers of NT might have thought to include the ability to properly terminate a rogue process.

    --

    Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
  14. Re:SOAP and the MSFT way by Zeinfeld · · Score: 3, Interesting

    I really think you need to examine SOAP, especially as it relates to RPC. When you make a request to SOAP, it's an incoming request over HTTP. Coming from an outside party to your ticket selling system to reserve a flight. That's the whole idea of published web services.

    And you would put a machine of that type providing an external service in your internal network???

    You entirely miss the point, for every service there is also a client. The port 80 / firewall issue has nothing to do with the server end. It is when the client is behind a firewall that you have a problem.

    There is no firewall bypass issue at the service end, a company that is providing a published dotnet service will modify its firewall configuration to deploy its product. The problem with firewalls comes when the IT dept refuses to modify the firewall configuration to allow use of services provided externally.

    If you think Adam and Bruce are offbase on security, you obviously have no concept of the capabilities, experience or dedication of either individual.

    I know Adam and Bruce very well, they know me very well. I don't think either of them would claim that they had greater expertise or experience than I do, and in particular not on this particular topic. Certainly neither would expect the automatic deference to their views you appear to think due.

    On this point they happen to be mistaken. Bruce is very rarely 'wrong' about security, that is I do not recall an instance of him calling a system secure when it was not, he is however quite frequently mistaken in describing a system as insecure when it is in fact secure. If he could learn to discuss them in private with the relevant designers before launching public attacks his reputation inside the security industry might match that outside.

    The point in question is a single sentence paragraph tacked onto the end of a section. I suspect that it was an afterthought that they had not thought through in great detail. If they want to call me up and discuss it I can go through the detailed analysis I have.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
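
Comments 10 and 14 above argue that the port 80 "firewall bypass" question is about outgoing requests, and that from a firewall's point of view a client posting a URL-encoded form and a client posting a SOAP envelope look much alike. The following is an added example, written for this page and not code from either commenter, from Microsoft, or from any SOAP toolkit. It constructs both kinds of outbound POST against an invented booking host and runs them through two toy egress policies: one that looks only at the destination port, and one that also classifies the HTTP request by its headers and body. The host name, paths, XML namespace, SOAPAction value and the policy functions are all assumptions made for the illustration.

```python
"""Outbound form POST vs. outbound SOAP POST as seen by an egress filter.

Added example for the SOAP/firewall discussion; all hosts, paths and
namespaces below are constructed for illustration only.
"""
from dataclasses import dataclass
from urllib.parse import urlencode
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace


def form_post(host: str, path: str, fields: dict) -> bytes:
    """Build a raw HTTP/1.1 request for an ordinary browser-style form submission."""
    body = urlencode(fields).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def soap_post(host: str, path: str, action: str, method: str, ns: str, params: dict) -> bytes:
    """Build a raw HTTP/1.1 request carrying a SOAP 1.1 RPC call in the body."""
    args = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f'<{method} xmlns="{ns}">{args}</{method}>'
        "</soap:Body></soap:Envelope>"
    ).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f'SOAPAction: "{action}"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


@dataclass
class Flow:
    """What a packet filter sees: the TCP destination port and the payload."""
    dst_port: int
    payload: bytes


def parse_request(raw: bytes):
    """Minimal HTTP request parser: returns (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def port_filter(flow: Flow) -> str:
    """Port-based egress rule (assumed policy): allow outbound TCP/80 and TCP/443 only."""
    return "allow" if flow.dst_port in (80, 443) else "drop"


def app_filter(flow: Flow) -> str:
    """Application-layer egress rule (assumed policy): classify what rides over port 80.

    A SOAP call announces itself through the SOAPAction header, the text/xml
    content type and the Envelope element; a form post through its content type.
    """
    if port_filter(flow) == "drop":
        return "drop"
    _method, _path, headers, body = parse_request(flow.payload)
    ctype = headers.get("content-type", "")
    if "soapaction" in headers or ctype.startswith("text/xml") or b"Envelope" in body:
        return "soap"
    if ctype.startswith("application/x-www-form-urlencoded"):
        return "form"
    return "other"


def demo():
    """Both POSTs pass a port-only rule; only the application-layer rule tells them apart."""
    fields = {"flight": "BA123", "seats": "2"}
    form = Flow(80, form_post("booking.example", "/reserve", fields))
    soap = Flow(80, soap_post("booking.example", "/reserve.asmx",
                              "urn:example:Reserve", "Reserve", "urn:example", fields))
    return {
        "form_port": port_filter(form), "soap_port": port_filter(soap),
        "form_app": app_filter(form), "soap_app": app_filter(soap),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the example makes concrete is the one in comment 10: a rule that only allows outbound TCP/80 cannot distinguish a form submission from a remote procedure call, so nothing is "bypassed" that was not already open. The distinction only appears once egress filtering inspects the application layer, where the SOAPAction header and the text/xml content type give a proxy something to match on.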