Cryptogram Judges MS Security
johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to 'provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity.' Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M: A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.
I think one major thing that will be lost in all the flaming about how MS sucks and is so insecure is this:
They are making an effort now. I firmly believe that this is a good thing. Of course, there will be the usual rebuttals:
what took them so long
why are they caring about security now, etc.
Hey who cares why or how, just consider this a good thing that they are more involved in security now. Btw, remember the last time MS went after something with a vengeance? I do.
*shudder*
Sent from your iPad.
a friend of mine once said, "trust is a funny thing. you never really know if you can trust someone, till you find out you can't."
microsoft, right now, is in that stage. people have just started discovering that they can't trust microsoft. whether they can or not is not the issue, but the perception of trust is ruined. it will take a long period of diligence and commitment to prove themselves worthy of trust again. on the other hand, i kind of wish many other companies would make an honest attempt to regain our trust
I believe sex is highly overrated... unless it involves me
Nobody wants to have a secure product in which you have to manually enable all the great features because of which you bought it in the first place! Secondly, no-one has time to keep up with all the security alerts. That's why an automatic patch system is absolutely necessary.
Microsoft is being realistic. The author of this article is not.
The owls are not what they seem
From the article:
"Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims' address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. "
Amen. Give me pine any day and get rid of the crappy HTML formatted e-mails with pics and crud. If I want to see that, send me a link to a web page and I'll look at it if I feel like it. Don't send me huge bloated e-mails that look like shite when I read em on pine.
He's asking Microsoft to undo most of their desktop / system integration. Isn't all that integration what the general public likes about Windows(tm)? I don't see this happening; they will just patch around or disable by default all / most of the problem areas.
Hoo boy, this is a good article, but these guys are spending waaay too much time in a vacuum.
While that's nice and all, it's hard for an operating system to do operating system things from within a sandbox, and with the single exception of a guy getting a Verisign key with the name Microsoft on it (nominally a Verisign problem, not a Microsoft problem) I haven't seen a problem lately with Microsoft-signed code.
The non-M$-loving folks will LOVE that soundbite; unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced heavily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy says they oughta. The fact that you cannot overwrite a system DLL in XP seems to be ignored. (There's a key library, a backup directory of DLLs and the DLL in the system folder; if any of those are mucked with, the OS reacts by trying to restore a safe version of the DLL, and if a safe version isn't available, it prompts for a CD.)
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
"Draco dormiens nunquam titillandus."
If your application gets labeled a "public nuisance," it doesn't matter how much the users like those features. Not if they want to interoperate with others.
This may seem like a harsh judgement, but the cost of Outlook and IIS bugs is rapidly getting to the point where a lot of admins are ready to take drastic measures to protect their own networks. That's why many sites are stripping executable attachments - and the crap like that "begin" bug discussed a few weeks ago are pushing some sites to outright Outlook bans because it's proving too costly to try to work around Microsoft's ongoing indifference to security.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
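The comment above mentions sites stripping executable attachments as a stopgap. As an added illustration (not from the thread or from any product it mentions), this constructed Python filter removes attachments that are executable by extension, including the double-extension case like "report.txt.exe", and also by content, catching a PE binary renamed to look like an image; the sample message, filenames and byte strings are all made up here.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows launches directly or hands to a script host (illustrative set).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsh"}
# Every PE executable starts with the DOS "MZ" stub, whatever the filename says.
PE_MAGIC = b"MZ"


def is_executable_part(part) -> bool:
    """True if the part's final extension is executable or its bytes look like a PE file."""
    filename = (part.get_filename() or "").lower()
    # endswith() checks the *last* extension, so "invoice.txt.exe" is still caught.
    if any(filename.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""   # None for nested multiparts
    return payload.startswith(PE_MAGIC)


def strip_executable_attachments(raw: bytes):
    """Parse a raw RFC 822 message; drop executable attachments; return (message, removed names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.iter_parts():
        if part.is_attachment() and is_executable_part(part):
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, removed


def build_sample() -> bytes:
    """Constructed test message: one benign attachment, two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "admin@example.com"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Body text.")
    msg.add_attachment("quarterly numbers", filename="notes.txt")
    # Double extension: the name suggests a text file, the extension is .exe.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application", subtype="octet-stream",
                       filename="report.txt.exe")
    # Renamed binary: innocuous name, PE magic bytes inside.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application", subtype="octet-stream",
                       filename="photo.jpg")
    return msg.as_bytes()
```

Running `strip_executable_attachments(build_sample())` returns the cleaned message together with the list `["report.txt.exe", "photo.jpg"]`, leaving only `notes.txt` attached.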
Software liability would be a disaster for free software, right? Okay, everyone wants Microsoft to have to pay for Nimda/CodeRed/Melissa/ILOVEYOU, but I don't suspect that the authors of Sourceforge (for example) would want to be liable for someone losing his code due to a buffer overflow. Schneier is right on many things, but he is 100% wrong on this one.
sulli
RTFJ.
One would think that wanting to put solid security into a product would not be an act of "marketing spin" or "profit", but an act of "pride". It makes me wonder if M$ has lost that important development value... Maybe that is what keeps open source alive... the ideal of creating something truly useful and something of a high quality...
just some thoughts..
--rpr
except that Code is SOME form of data: either through a security hole or a kind of scripting function.
API access from untrusted code is maybe a more useful thing to be taken care about (read: animated gifs ARE code, but limited to ... uh ... displaying images at a certain time)
You'll get:
Of course, Microsoft won't make it too hard to have third-party software (as long as it doesn't compete with Office). You'll just have to pay a small fee for a MS-certified crypto signature. (Oops, free software can't pay the fee? Gee.)
If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
Security doesn't necessarily play along with getting an edge over competitors, which is (and will always be) a primary goal of any company.
You just outlined the primary reason that Open Source is the superior method of software design. A programmer crafting software because it scratches his personal itch will ensure that it is stable, secure, and reliable. A company will put lots of flashy glitz on it and get security/reliability up to "good enough" and ship.
-- When a fool hears of the Tao, he will laugh out loud.
Look, as much as I hate Microsoft, it's not easy to write secure code, and it's impossible to write bug-free code. Because they're not currently generating revenue with bugfixes, I have a hard time believing they're intentionally writing crappy code just to reap the bugfix revenues. Yes, they always claim every new version of Windows is more stable and secure than the last, but almost nobody ever believes them anymore.
Their business model requires them to get people like us to upgrade our existing products to the latest versions every couple of years. Since you're not really getting a more stable product when you upgrade, and since features aren't the upgrade-enforcers they used to be, MS is trying to find a way to force you to upgrade. Witness their newest licensing/protection racket: Upgrade to the current version, or when the next version comes out, you'll pay full price to upgrade to it.
Until they change their business model to allow them to generate revenue for producing secure, stable code, they will never succeed in generating secure, stable, well-architected products.
How can you laugh at that? Obviously a feature needs to be secure all by itself and also be secure in the way it interacts with other features. Having a feature not be installed at all simply makes it even more secure. In fact, a feature that isn't installed is by default 100% secure. It can't be used, accessed, smurfed, or kidnapped for nefarious purposes. Thus, it's completely secure. Microsoft's practice of installing everything under the sun is probably its biggest insecurity. Yes, you can choose not to install some stuff, but how many Joe Users install their own operating system?
--- Think of it as evolution in action ---
This is vendorspeak; "previously discussed" means "confirmed by the vendor" and not "discussed on BUGTRAQ". The phrase "all known security defects" means "all the defects we have admitted so far", and so on.
If Microsoft truly means what they say, and that they really are going to try to develop products and services that are "available, reliable, and secure", then this is a Good Thing. But, in order for them to achieve "Trustworthy Computing" (something that various other people already do, IMHO), it seems to me that Microsoft needs to do two things:
*) develop trustworthy products and services
*) become a trustworthy company
And that will be no easy task. I agree that security in their products is something that they need to improve, but I think becoming trustworthy will require much more than that. If I were to describe all of the things that I think Microsoft needs to do to accomplish these things, I'd be here all day. So, I'll describe only a few examples not related to security.
1) Improve the quality of their products. In my current job, I have the singular pleasure of developing applications in MS Access 2000. Unfortunately, the documentation provided with the software is poorly indexed, incomplete and (in some cases) inaccurate. For example, in one place in the documentation, it claims that the maximum number of levels of nested forms allowed is 3. Elsewhere it claims the limit is 10. Both are wrong. It's difficult to trust software when its own documentation is incorrect. This doesn't mean that their products have to be perfect. But right now, it often feels like they're not even trying.
2) Abandon the new licensing strategy, which essentially dictates when companies need to upgrade their software. Having to go through a massive upgrade because of licensing is no different than having to go through a massive upgrade because of a bug or security vulnerability. The end result is the same, and I do not consider such software to be "available" or "reliable".
3) Adopt more ethical business practices. A number of the comments posted here speculate on what Microsoft's true motives are. Given MS's history of Machiavellian business practices, it's not surprising that people don't believe Microsoft, even if they are telling the truth. And I'm one of those people. I tend to believe the adage that you can't build a straight house with crooked boards. So, if Microsoft really wants to promote trustworthy computing, then they must become a trustworthy company first.
Some folk have noted that the General Public's view of MS is much different than the average /.er, and possibly the average techie in general. However, I don't believe that this changes what MS needs to do to be trustworthy. On the other hand, if MS is only interested in looking trustworthy (rather than being trustworthy), then that's a different story.
Anyway, if MS is serious about this new directive, then good for them (and it's about time!). But I'll believe it when I see it (and maybe not even then).
</soapbox>
-- D