Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptogram Judges MS Security

Posted by CmdrTaco on from the who-do-you-trust dept.

johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to "provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity." Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M : A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.

16 of 204 comments (clear)

  1. trust by ryusen · · Score: 5, Insightful

    a friend of mine once said, "trust is a funny thing. you never really know if you can trust someone, till you find out you can't."
    microsoft, right now, is in that stage. people have just started discovering that they can't trust microsoft. wheather they can or not is not the issue, but the perception of trust is ruined. it will take a long period of dilligence and commitment to prove themselves worthy of trust again. on the other hand, i kind of wish many other companies would make an honest attempt to regain our trust

    --

    I believe sex is highly over rated... unless it involves me
    1. Re:trust by RazzleFrog · · Score: 3, Insightful

      The question is - has the average user actually lost trust in Microsoft? I know so many average (and below-average) users who know next to nothing about the security problems. At work all the patches are delivered invisibly to them and at home they have dial up connections and don't stay on long enough to be a real target. The few people who have fallen victim to the Outlook viruses feel more embarassed at their own stupidity than they feel angry at Microsoft.

      The public conception of Microsoft is very far from that of the average Slashdot reader. I overheard on the subway the other day a woman raving about how much she loves Windows XP. She was telling this other woman that she added memory and upgraded to XP and it is like having a brand new machine. I felt like asking her if she downloaded the UPnP patch but I try to avoid talking to people on the subway. I also work with hundreds of people who love Windows 2000.

      So there in lies part of the problem. The public doesn't really know and for the most part doesn't care about the problems. Try going to an average user and explaining all of this to them and see if you don't get the look. We have to seriously root for Microsoft to fix the security holes not because they need to improve their image but because the average user doesn't care.

    2. Re:trust by ryusen · · Score: 3, Insightful
      you've got a very good point, but i was talking about the computing public.... those that are more aware of the issues... if you take the general populace i doubt many could tell you who the last 3 vice presidents of the us were (this is of course speaking about americans).
      even at my job i see a greater decreating confidence in microsoft amonst the technically inclined. there seems to be two camps.
      1. those that use ms product implicitly (even though many of them have countless problems). this camp graduated from the "no one ever got fired for buying IBM" school.
      2. those who preffer to use non-ms products when ever possible. this is a slow, but apparently growing minority
      atleast where i work that's the two camps...
      --

      I believe sex is highly over rated... unless it involves me
    3. Re:trust by RazzleFrog · · Score: 3, Insightful

      I agree that in the computing public, even those pro-Microsoft, have lost a lot of faith in them. Unfortunately, at least where I work, we have to cater to the users. Just the upgrade from NT4 to 2000 was a political nightmare even though it went without a hitch. People are paranoid as all hell about any changes.

      By the way, the last 3 VP's is not that difficult for most people because they are pretty humurous. Dick Cheney's safe location, Al Gore's internet, and Dan Quayle's potatoe [sic].

  2. Anti-innovation by October_30th · · Score: 3, Insightful
    Nothing in the article addresses the problem that you MUST have a feature-over-security attitude to make a killer application.

    Nobody wants to have a secure product in which you have to manually enable all the great features because of which you bought it in the first place! Secondly, no-one has time to keep up with all the security alerts. That's why an automatic patch system is absolutely necessary.

    Microsoft is being realistic. The author of this article is not.

    --
    The owls are not what they seem
    1. Re:Anti-innovation by c_chimelis · · Score: 3, Insightful

      Nothing in the article addresses the problem that you MUST have a feature-over-security attitude to make a killer application.

      I disagree with this. To develop a commercial application, there should be a good balance of both features and security. It's true that you may compromise on that third security code audit that you were planning to get the thing out of the door and onto a palette, but it's irresponsible (and could constitute negligence legally) to knowingly develop an insecure product just because you want to add more features.

      Also, keep in mind that the marketroids always want you, the end-user/customer, to believe that they're acting in your best interest by releasing a buggy product Right Now(TM), so of course they're going to try to convince you not only how much you really need those new features (which will go unused in somewhere around 80% of the install base), but also to imply that you would've had to wait an inordinate amount of time to receive the product if they had gone back over it with the proverbial "fine-toothed comb" known as a security audit. In reality, however, security audits should definitely NOT be the afterbirth of development...proper security programming practices should be enforced during development so that the code can be as secure as possible from the day the code is first written. Using C functions like gets() without doing overflow checking, for example, is just asking for trouble in most cases, and every competant programmer knows it...the question is, why should it be ok to not write the overflow check or to use a different call that's safer instead? I don't see the difference in time between typing gets() and typing fgets() with a few more arguments when the code is first written? Sure, you could argue that, after thousands of development hours, the few extra seconds adds up, but if it saves you millions in PR and legal expenses, why wouldn't you change your development practices?

      Up until recently, Microsoft has enjoyed an era without being held accountable for the bugs in their products (security and otherwise). That is changing now, however, and they really need to treat this as more than just a PR issue (it's becoming more of a legal issue as well). Let's face it, Microsoft is taking heat about this not because of their market position or pervasiveness...not even because their products are compiled from millions of lines of code...it's because they don't stress a proper security-oriented (read: sane) development process.

      Don't be brainwashed by them saying that security is the killer of timely/rapid innovation or release schedules because it simply isn't true unless they're development practices say that security is an afterthought rather than an integral part of their programming practices.

  3. Re:here goes... by swagr · · Score: 4, Insightful

    what took them so long
    why are they caring about security now, etc.

    Hey who cares why or how

    Microsoft cares about security becouse Microsoft cares about profit. When lack of security and stability meant lower profits, Microsoft cared.

    Recall when Microsoft went after Java (the language, not the platform). Didn't work. And how's their VM compatability with 1.4 now? If "security" doesn't work out for them, what makes you think they won't switch gears and worry more about drop shadows?

    --

    -... --- .-. . -.. ..--..
  4. Re:here goes... by Sj0 · · Score: 3, Insightful

    How do we know they are really going to make an effort? Microsoft PR has been full of shit since the first press release. From the Windows 1.0 release "just two months away"(when it was really a full 18 month development cycle from completion), MS PR makes promises it doesn't intend to keep, and often lies outright ("Windows ME is the fastest, most reliable Windows 9x ever!").

    Btw, remember the last time MS went after something with a vengeance? I do.


    Yeah, it was on slashdot yesterday. Bribing politicians with a vengence. Too bad they can't do the same thing to their customers (think "Windows is more stable...and here's your kickback to prove it!")

    --
    It's been a long time.
  5. Where to start. by Matey-O · · Score: 5, Insightful

    Hoo boy, this is a good article, but these guys are spending waaay too much time in a vacuum.

    Microsoft is already moving towards signing code files. While we recommend that Microsoft continue this practice, we also recommend that Microsoft not rely on code signing for security. Signed code does not equal trustworthy code, something the security community graphically demonstrated through the many ActiveX vulnerabilities. Microsoft should drop the code-signing security paradigm in favor of the sandbox paradigm.

    While that's nice and all, it's hard for an operating system to do operating system things from within a sandbox, and with the single exception of a guy getting a Verisign key with the name Microsoft on it (nominally a Verisign problem, not a Microsoft Problem) I haven't seen a problem lately with microsoft signed code.

    All other Microsoft features should be evaluated for resilience. Those that are too risky should be removed until they can be rewritten and secured.

    The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced havily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy say they oughta. The fact that you cannot overwrite a system DLL in XP seems to be ignored. (There's a Key library, a backup directory of DLL's and the DLL in the system folder, if any of those are mucked with, the OS reacts trying to restore a safe version of the DLL, if a safe version isn't available, it prompts for a CD.)

    We recommend that Microsoft add strong auditing capabilities to all products, both operating systems and applications software. We recommend that Microsoft provide configuration tools along with its operating system, as well as tools for an IT department to manage the configurations of its computers.

    Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?

    We recommend that all protocols and interfaces used in Microsoft software be immediately published, and a one-year moratorium be placed on all non-security modifications to those protocols. We also recommend that Microsoft publish any new protocols or interfaces at least one year before implementing them in products.

    Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.

    --
    "Draco dormiens nunquam titillandus."
  6. Public nuisance by coyote-san · · Score: 3, Insightful

    If your application gets labeled a "public nuisance," it doesn't matter how much the users like those features. Not if they want to interoperate with others.

    This may seem like a harsh judgement, but the cost of Outlook and IIS bugs is rapidly getting to the point where a lot of admins are ready to take drastic measures to protect their own networks. That's why many sites are stripping executable attachments - and the crap like that "begin" bug discussed a few weeks ago are pushing some sites to outright Outlook bans because it's proving too costly to try to work around Microsoft's ongoing indifference to security.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  7. Be careful what you ask for by sulli · · Score: 5, Insightful
    Also give credit to the increasingly loud calls for software liability. More and more experts and industry groups and advisory panels are supporting the notion that software be held to the same liability rules as any other consumer product. It makes no sense that Firestone can produce a tire with a systemic flaw and be liable, while Microsoft can produce an operating system with a new systemic flaw discovered every week and not be liable. I think Gates sees this liability juggernaut on the horizon, and is doing his best to dodge it.

    Software liability would be a disaster for free software, right? Okay, everyone wants Microsoft to have to pay for Nimda/CodeRed/Melissa/ILOVEYOU, but I don't suspect that the authors of Sourceforge (for example) would want to be liable for someone losing his code due to a buffer overflow. Schneier is right on many things, but he is 100% wrong on this one.

    --

    sulli
    RTFJ.
  8. Security through Monopoly by stevenj · · Score: 5, Insightful
    A point that doesn't seem to be raised much, but which I think requires the vigilance of consumers, is that Microsoft may use "security" as an excuse to further entrench its monopoly.
    • Want to install a non-Microsoft program?
    • Send an attachment in an open format (as opposed to MS Office)?
    • Buy something from a website that doesn't use Passport?

    You'll get:

    Warning: this program/file/site is INSECURE and may contain a virus. We recommend consulting two programmers, a lawyer, and a priest before opening it.

    Of course, Microsoft won't make it too hard to have third-party software (as long as it doesn't compete with Office). You'll just have to pay a small fee for a MS-certified crypto signature. (Oops, free software can't pay the fee? Gee.)

    --
    If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
  9. Re:I hav my own theory... by McSpew · · Score: 3, Insightful

    Look, as much as I hate Microsoft, it's not easy to write secure code, and it's impossible to write bug-free code. Because they're not currently generating revenue with bugfixes, I have a hard time believing they're intentionally writing crappy code just to reap the bugfix revenues. Yes, they always claim every new version of Windows is more stable and secure than the last, but almost nobody ever believes them anymore..

    Their business model requires them to get people like us to upgrade our existing products to the latest versions every couple of years. Since you're not really getting a more stable product when you upgrade, and since features aren't the upgrade-enforcers they used to be, MS is trying to find a way to force you to upgrade. Witness their newest licensing/protection racket: Upgrade to the current version, or when the next version comes out, you'll pay full price to upgrade to it.

    Until they change their business model to allow them to generate revenue for producing secure, stable code, they will never succeed in generating secure, stable, well-architected products.

  10. Re:here goes... by Ixohoxi · · Score: 3, Insightful

    "Remember the last time MS went after something with a vengeance?"

    There's a big difference between putting Company ABC out of business and producing highly secure software. The former can be accomplished by the book, or by crook. The latter can only be accomplished by the book. It remains to be seen how willing Microsoft will be to do things this way, considering how unconventional they have become.

    I think Microsoft has realized that their own software needs to be addressed first and foremost if they are to win the war against Linux. Of course, like in "War Games", the game can't be "won" per se. The only victory is NOT to play. Thus, the sooner Microsoft stops trying to "beat" Linux, the better for everyone.

    Some consider it irrelevant that until recently, Microsoft could have cared less about security. They have hidden behind UCITA and their monolithic EULAs, all the while reducing security by increasing programmability. Their oversimplification, while giving developers more control, also gave hackers more control.

    Choose to ignore facts if you wish, but your own credibility is at stake. To say what happened a year ago doesn't matter this year is just as dumb as saying this year doesn't matter once it's over. Responding to a "usual rebuttal" with an equally "usual rebuttal" isn't the best way to discredit them... or is it? You make the call.

    --
    What's a second? An hour? A day?
    It has much more to do with
    the Earth's rotation than with cesium.
  11. Re:Covered previously by ScumBiker · · Score: 3, Insightful

    How can you laugh at that? Obviously a feature needs to be secure all by itself and also be secure in the way it interacts with other features. Having a feature not be installed at all simply makes it even more secure. In fact, a feature that isn't installed is by default 100% secure. It can't be used, accesed, smurfed, or kidnapped for nefarious purposes. Thus, it's completely secure. Microsoft's practice of installing everything under the sun is probably it's biggest insecurity. Yes, you can choose not to install some stuff, but how many Joe Users install their own operating system?

    --
    --- Think of it as evolution in action ---
  12. Re:MS02-005 cumulative patch by Florian+Weimer · · Score: 4, Insightful
    This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities

    This is vendorspeak; "previously discussed" means "confirmed by the vendor" and not "discussed on BUGTRAQ". The phrase "all known security defects" means "all the defects we have admitted so far", and so on.