Slashdot Mirror
Security Community Reacts to Microsoft Announcement
A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Crag Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
...says:
But we're still in the early years of the computer revolution, and there are many technological, social and regulatory hurdles we must overcome before computers truly become a ubiquitous--and essential--technology.
The early years? No. When you've got one person on top who can't get their sh*t together...
I mean, we could be farther along in this 'revolution' he speaks of. Why aren't we? Because the Big Guys [read:Microsoft] are doing what they want to do. Why are they now only focusing on security?
Oh! Pick me! I know! --- Because they do what they want to do, and that's it. They don't give in to customer demand; most of their product is cooked up by visions that Bill and others have.
Get your Unix fortune now!
Cringley has a good piece up on this as well.
Separate Data and Control Paths
Use Secure Default Configurations
Separate Protocols and Products
Choose for Security over Features
Make it Transparent and Auditable
Give advance notice of Protocols and Designs
Engage the community
All that stuff sounds great, but I can say the same thing in far fewer words:
Start from scratch. Do it right this time.
The first thing Microsoft is going to do under their new "security first" paradigm will be to announce that due to security concerns, they can't tell us what any of their security upgrades actually are.
Let's wait and see, announcement are just words, let's see how they will react when there's going to be another big security hole (because there always are going to be, and that on just about any platforms, but especially with Microsoft), if they've really changed philosophy, they will react more quickly (as in programmer-wise and not PR-marketting-wise), and not handle this as a press release taking their customers for complete idiots and reacting immaturely blaming people that finds the bugs as "terrorists".
And anyways, for those of us that are on some security mailing lists like NTbugtraq, we'll see how the people got their discovery handled by Microsoft, if they change for real, maybe we won't read as many "We notified microsoft 3 weeks ago about this matter and nothing was done, now it's time to bring it public" and then having the Microsoft PR and legal team on their back.
I think they are starting to feel the heat of people that are really not satisfied and claiming that buisness damage due to insecure OS should be fined to the creator of the OS, especially when they claim it's secure. Heh.. good thing.
--- Metamoderating abusive downgraders since my 300th post.
Someone brought this up in another article, so I can't take credit.
The settlement with the DOJ specifically allows Microsoft to exclude documentation of APIs that relate to security. This new initiative makes damn near anything in some way relate to security. Gotta love it.
I would look for MS to make at least two major acquisitions in order to shore up their security offerings - they have used acquisitions in the past to shore up problem areas.
Of course the caveat is that they are not so much concerned with security as an intrinsic value but in the selling of security, and there is an important distinction here. As with any growing software market, you can't underestiamte Microsoft's efforts, and I think it is largely naive for the readership here to snicker and write off MS in this regard.
Bottom line is, words are easy. I'm going to wait to see the action.
Chris Beckenbach
Well, duh!
It's the timing that gets me. They made the announcement shortly after a major OS release. So whenever somebody points out a bug in existing software (XP or earlier), they can shrug and say "That was the old Microsoft, the new Microsoft no longer makes those mistakes."
And since it'll be sometime before they release another highly-vulnerable product, nobody will be able to contradict them.
I once heard a story about the Denny's restaurant chain. I'm not sure if it's true but the moral is. The story goes like this.
Apparently, Denny's had intended to be a 24x365 operation, never closing its doors. Therefore, when they built the restaurants, they didn't bother putting locks on the doors.
One year, they decided to give their employees Christmas day off. In order to close the restaurants, they needed to be able to lock the doors. Therefore, they had locksmiths go out to all of the stores and install locks.
Now, instead of having spent about $10 per door when the store was built to have locks installed, they needed to send locksmiths to all of the stores and pay them for a couple of hours work resulting in a cost of a few hundred thousand dollars to give their employees a day off.
The moral: It's a lot easier to design security into a system in the first place than to try to add it on later.
Microsoft has their work cut out for them.
Step 1: Embrace some technology.
Step 2: Extend it in proprietary ways, locking the users in to Microsoft.
How long before we hear,
How long before the security protocols used are known only to Microsoft (for security reasons, naturally)?Three months—at the most!
SOAP is designed to use HTTP/HTTPS as the most common implementation of transport and protocol underneath. Schnier and Shostack touch on how poor a decision this is. I think this goes a lot further than many developers and companies are realizing.
You just removed your firewall.
The idea of SOAP is to allow IT services to be exposed as remotely addressable and usable procedures. Essentially with every web service or SOAP receiver, you have written a brand new server that parses XML protocol messages to decide on action. Thus every web service you create may have overrun, DoS and other exploits inherent in it, in your code, as you are executing paths based on a message from the outside. Just like a web server, ftp server or any other available server.
So now, everyone has to become better at security, to the point that the web services are safe. Ideally they should all run within a sandbox environment with restricted permissions, but considering SOAP authentication is based on HTTP authentication, the models may or may not match up properly.
Most importantly is that the SOAP specification team, including MSFT and the .NET portions pertaining to web services have basically increased the difficulty of every network administrator's job by stuffing all this over port 80.
Now if there is a vulnerability in a web service, the network admin has to take out port 80, probably taking down the web service, the web server, and who knows what else that's been tunnelled through there. They can't simply block a set port. UDDI could have advertised a port for the service as well, and stateful inspection could be implemented at some level on each service port to increase security and leverage off of the firewalls. Instead, a rat's nest of information is getting funnelled through http/https. The firewalls aren't designed for this, and the inspection task is only going to get more difficult as SOAP grows in popularity.
MSFT is always looking at first to market, and I can almost assure you that for that reason, SOAP was designed around port 80 and into the web server engines. I can also say with a fair bit of confidence that the first time MSFT gets beat to market due to a security review, that the security priority is going to get thrown right out the window of the executive windows at Microsoft if it causes the stock to slip.
That is, to put it politely, complete bunk.
Microsoft's biggest problem is not buffer overflows. You don't need to sneak a virus through the basement window when you can drive it in through the front door, waving merrily as you go. Many of Microsoft's biggest security problems have been with viruses that simply take advantage of what they're explicitly allowed to do. Most Outlook viruses don't exploit low-level coding errors, they exploit the high-level error of allowing arbitrary foreign executables free access to the system. Ditto with Office macro viruses. I wouldn't call that solid coding. Solid coding means preparing for the eventuality that your users are naive and making it as hard as possible for them to shoot themselves (or their neighbours, in the case of Melissa, et. al.) in the foot.
I'm not saying that Sun or IBM are any better, but saying that Microsoft writes solid code is absolutely ludicrous.
As an example, we wrote a test app with a different foundation class library that was bug- and memory-leak free in all of the major WinXX OS's up through 98 and NT 4), and even compilable and bug free back into Win 3.XX. The whole app was a total of 123K: the Microsoft Foundation Class (MFC) [version 3.2, IIRC] test app as created by the wizard came in at just over 1 Meg, riddled with memory leaks, logical errors, etc. Our determination was that it wasn't just a bad wizard -- the MFC itself was causing many of the leaks and problems.
Now then, if you look at the Win API set now (Y2002), it is just that much more massive than when I last actively coded to it -- but the underlying code classes look much the same. [I haven't done a diff, so I can't prove it.]
So accurate or inaccurate, I don't think Microsoft has the corporate will to change from a company built on FUD (fear uncertainty doubt) to a company whose software is something I can trust because it doesn't even look to me like they have fixed all of their original problems in the foundational code classes from the early days of Windows 95.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
The problem is that an alarmingly large number of people cannot distinguish between the following:
What has happened to the software industry in general is exactly what has happened to the American political process. If you make promises and then cash the check, it doesn't really matter if you deliver. The reason is that people are gullible.
So you think, "gosh, wouldn't it be great if they've finally decided to do it right." But they haven't done it; they've just said that they are going to do it. Any support for mere words on the hope that it might come to pass will remove any incentive for actually doing it.
Most people get off so much on the hope and the promises that they don't realize how they're encouraging integrity-challenged behavior with their actions. It takes a real cynical bastard not to get caught up in this, and then we get told, "Oh, you Microsoft Bad Religious Types."
This one kills me. From Craig Mundie:
"Many people today are still reluctant to trust computers with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to them"
Every time you fly on a plane your life is in the 'hands' of computers. Every time someone gets an x-ray or a CT scan or any one of many now normal medical procedures you are entrusting your life and health to computers. Most (if not all) medical and financial records are entrusted to computers.
We do it everyday and the reason we do it is because these devices are designed and built by companies that have earned our trust by building quality products to very strict specifications for safety. These companies have good track records of safety and if they have problems then they are reported.
What Mr. Mundie should have said is:
"Many people today are still reluctant to trust Microsoft with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to Microsoft."
--
-- Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.