Cryptogram Judges MS Security
johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to "provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity."
Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M : A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.
The trick is, as the author points out ... how honest are they being? Is this a dog & pony show? Or do they REALLY mean to change the way they work?
Almost all the concepts presented were ones I learned in college [I graduated a few years before Windows 95 came out .. and almost all my programming experience was on a mainframe.] It was considered a basic concept of design to keep your data abstract from your code .. of course .. it wasn't as simple as clicking 'view source' back then either *grin*
As much as I love *NIX for a server environment, I have to say .. M$ has still got everyone [cept Apple .. but I don't have one] beat in the 'average American' user market.
I always use the "My Mom" theory when determining if something is easy to use. My mom is almost 80 years old .. and can't program her VCR .. but if she can figure out how to use AOLIM for instance, then it's probably safe to say it's easy.
Windows passes the My Mom test .. and that would be great .. if it wasn't so easy to break. Every time it breaks .. the 3rd tier tech support gurus at Microsoft tell her to re-install the software. Not exactly instilling confidence that they know what the hell they are talking about.
If M$ can actually accomplish even these seven steps, they honestly .. will become a much better product.
The real telling point would be, if they had to evolve far enough to MAKE these changes, would they grow up as a company?
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
is that MS is a corporation. in the business of making money. and anything that doesn't make money is a loss. for the longest time security was something behind the scenes and never a 'feature' that would generate any money. that hasn't changed. what has changed is that with more and more bad press MS has been getting for insecure software, 'security' has started to cost them money. people use MS software but rarely trust it. that's the only reason why they're interested in 'security'. for people to buy into .NET in all its different interpretations people need to be able to trust it with their personal info (Passport comes to mind.) without this trust, .NET would == .NOT. notice the careful use of the words 'trustworthy computing' by mister gates -- not 'secure software' or 'bulletproof against all evildoers' but 'trustworthy computing'. what he is doing is lining up a PR campaign to promote .NET. nothing more nothing less. it has nothing to do with a secure operating system. it has to do with 'trustworthy computing' a la .NET.
Everything in the article is sound advice for security-minded software and not just for Microsoft. Separation of "data" and "code". Separation of "package" and "protocol". Extra software is bad. Etc. etc. etc. etc.
The overwhelming point is that this stuff is often contrary to what MS has in mind for its future software development. If they are really serious about putting security 1st in .NET then they have to embrace the possibility they'll have to delay releasing it. How many are willing to believe MS will do this?
When it comes to business vs design decisions, MS has always gone for biz.
The last time they went after something with a vengeance (the net) it was just another matter of shovelling internet features into all their products, in the gonzo MS style. Like Bruce says, security *cannot* be reached using this method. It requires a radical turnaround in attitude, method and implementation, something that might be beyond the company... simply because it's contrary to their core ethos. Securing products costs money, it slows you down, and it doesn't score points with the feature-hungry consumers.
not really childish .. they are asking them to make good on the promises they have been telling the general public (and Wall Street btw)
I mean .. would YOU want your bank running a Windows server to keep track of your $$? how about one hooked up to the internet so they can communicate with their other branches?
well .. just a cold shock of reality here .. but you should be very worried, not only does Microsoft WANT this to happen, they have been aggressively trying to GET it to happen for the last 2-3 years.
imagine how quickly ONE security flaw in a bank server could render you broke.
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
Microsoft is going to have to say things like: "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out."
First of all.... Microsoft said they were going to prioritize security. That doesn't necessarily mean put all new features on hold until they are 100% secure. You can make security a priority without doing the OpenBSD nothing but security route.
Analysts like Gartner have recommended that enterprises switch away from Microsoft IIS and delay installing Windows XP, both because of security concerns.
I would like to point out that the precipitating reason they changed their recommendation was due to MS's new licensing policy. Security problems are just more fuel to the fire.
MS's security policies annoy the hell out of me, but let's at least hold our points to realistic ones.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
Windows NT 4.0
It crashes less than anything else from Microsoft.
Internet Explorer doesn't have install on demand turned on by default, doesn't have default searching through MSN (Shyeah! like I trust Microsoft to give me information back if I do a search that isn't skewed towards them or their affiliates) and it doesn't have MSN as the default web page or check for new frigging updates every time you run it by default. Microsoft must know exactly when certain companies' employees log in and out. Useful stuff! Your average AOL graduate with a new PeeSee isn't going to turn this crap off! Hell, are Joe Regular and his workmates even going to? Hell! Does IT even know that these are the defaults?
XP is just a joke. I can't wait for somebody to get past the driver signing auto-update nonsense and auto-update everyone running XP with Sub7 or "echo y | format c: /q"
*sigh*
REDMOND, WA - Today in a press conference Microsoft Corp. unveiled the latest version of its Windows operating system, Windows(R) XPSecure(TM). "It is the easiest to use and most secure version of Windows ever to be released," touted the former chairman Bill Gates.
At the press conference the company performed a live installation of XPSecure(TM) to demonstrate the simplicity of installation. "Our customers have let us know that security is a foremost concern," said Gates. "We have listened to their concerns, and we have designed our software to fully and securely reinstall their favorite operating system." Windows(R) XPSecure(TM) also features a Secure Live Update(TM) option that will automatically connect customers' computers to the internet to download late-breaking security updates. "We realize there is much confusion out there about which security features are truly secure. We have taken care of that with our customers in mind," Gates continued.
Windows(R) XPSecure(TM) is scheduled to retail at $249.99 and is expected to begin to ship to vendors in North America as early as next week. "We highly recommend that customers of any previous version of Microsoft(R) Windows(R) install this version to obtain an unprecedented level of user experience in performance and reliability."
To-do List: Receive telemarketing call during a tornado warning. Check.
Semi-off-topic?
An equally interesting article in Mr. Schneier's newsletter this month concerns Oracle's "Unbreakable" Database.
It seems Oracle put forth a good faith (albeit flawed) effort to secure Oracle9i. They enlisted the services of TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS 140-1 to test for security holes. None of them detected a simple buffer overflow problem.
These security companies are a sham (or at least should be ashamed).
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
If it'll make you feel better, everyone on SourceForge can offer a money-back guarantee. :)
I think that's the most you'll ever see in terms of liability. "If this software doesn't do what it's supposed to, can I return it and get a full refund?"
You think that the makers of space heaters are getting sued? After all, place a space heater near some curtains and you'll burn down your house.
Of course not.. they slap a warning sticker on the box and they've covered their ass. Slap a warning sticker on software... "This software is presented AS-IS", and you're fine (yes, even Microsoft).
But money-back guarantees if the software fails to perform as advertised could be a more common occurrence (even if the company doesn't provide a money-back guarantee, you may be entitled to one in the future).
MS is in a very hard position.
They've already gotten a reputation for putting security and stability last. New features, fluff always come first. Virtually everyone knows that MS lives by marketing, marketing, marketing.
Now MS realizes that Security is becoming "the issue." "It's the security stupid."
Now consider the difficulties.
MS has an enormous codebase to now fix - after the fact. Adding in security is WAY hard after the fact. Things break, testing must be redone etc. It's a whole lot easier to put in anything if it was part of the original design. Super costly and painful afterward.
MS has "integrated" all of its products. So, now they have to not only test the separate products, but also every combination. Ouch!
From Firewalls and Internet Security (the God book of security IMHO)
- All programs are buggy.
- Large programs are even buggier than their size would indicate.
- If you do not run a program, it does not matter whether or not it is buggy.
- Exposed machines should run as few programs as possible; the ones that are run should be as small as possible.
Now MS has what most would consider code bloat, and not only that, integration. That's going to be an ugly task (securing the code).
MS has always fudged the truth before. Marketing before substance. So people will be very skeptical about MS's claims about anything.
MS's stance about security was always lax. Combine this with the prior point, and we have skeptical^2.
MS can't really use this as a marketing tool - or at least not until they can prove they've done something significant. This will be hampered by points 1 + 2, and continuing security lapses, when trying to secure that code and missing things.
MS can't really make money off security - again, at least not until it has serious results to show. Thus this will become a massive cost center without any revenue. Ouch^2. That will have the bean-counters breathing down the throats of the development/QA people to keep costs down. You're not producing new products, and thus revenue - salary will suffer etc.
Lastly, it will be an unglamorous job, and project. It will be hard work. You'll be unappreciated. You'll be expected to be a miracle worker, and double quick too. When you miss something, you'll get lots of heat, and few kudos. (Provided this _really_ _is_ something MS is _really_ serious about - if not the heat won't be there, but that's the point.)
Thus, to summarize.
- MS has a MASSIVE task to fix - both in size and complexity.
- MS has integrated all these things together. I would bet that the mutual distrust model between different modules/products hasn't been used, adding to the difficulty/complexity.
- MS has a reputation for producing fluffy software with lots of features, but not much security - it's always an afterthought. Ship early fix bugs later.
- MS has never been known for its honesty and plain talk, thus making the credibility of its proclamation that much more doubtful.
- This strategy won't be done quick, or cheap. The task will be difficult both technically and politically.
- MS won't be able to milk this decision for extra revenue anytime soon.
- The very fact that this effort exists, tends to point out a problem in the first place.
My conclusions are these.
MS may really intend to do this. I don't really believe it, but I'll give them the benefit of the doubt. But even if they are committed, how long will they remain committed. They won't be able to show results for some time. They will certainly have failures. These will undermine the confidence of both internal staff, and the public they're "selling" it to. It will cost a massive amount. It won't generate revenue.
It's going to be really easy to just splash it out there, and crow about it. Later, when the trench warfare sets in, it's going to be tempting to forget about it. It's out of the limelight, and we can just let it go quietly into the night.
We'll see - I don't doubt that MS _could_ do it. I just don't think they will, for many reasons. And there will be _so many reasons_ not to.
Cheers!
You forget that MS is saying they want to up security. The author is just providing a list of what they need to do. "Oh no, they won't like that because it would cost money!" is stupid, because if they're serious about making security top priority, they should expect to take the profit cuts associated with making secure software. And MS in bed with W3C? MS came in and told them that they were going to do things MS's way, and made their own standard. W3C got fucked over by MS.
Matey-O:
I haven't seen a problem lately with microsoft signed code.
Lately is a poor excuse to keep a bad idea....
The Non-M$-loving folks will LOVE that soundbite; unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced heavily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy says they oughta.
No, but with Gartner telling them to pitch IIS also, it seems MicroSoft was worried enough to at least make a press release....
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
You REALLY don't understand granular auditing, do you? You only turn it on when investigating a problem, or performing an audit... it seems to work really well in *NIX systems. And since when does 200mb + 800mb equal a Terabyte? What kind of systems do you think people put Linux on????
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
The author was speaking of more than just internet protocols, but you did sum up the article pretty well in your last sentence. MicroSoft has made a public commitment to security. To follow through will take more of a financial commitment than just offering employee bonuses, and it seems that both you and the author agree that it is highly unlikely that MicroSoft will follow through on their pledge.
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
Back in the text-only e-mail days I was quite confident in telling my users "text e-mail can't hurt you"...until a friend at a neighboring site (uucp) showed me what they'd found: an e-mail that ended with embedded escape sequences to program a key with a long string of commands, clear the screen, and then something like "Mail file corrupted--press (whatever the key was) to continue."
The commands, which went back to the mail reader (or would have, if the user had followed the directions) would then 1) write the body of the message to a file, 2) exit the mail reader, 3) compile the source code it just saved, and 4) run the program.
There were a few bugs in the creature, so it hadn't worked as intended, but from then on I wasn't so sure about things being safe just because I couldn't see how to exploit them.
-- MarkusQ
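The escape-sequence trick described in the post above, turned into the check a mail-reader or log-viewer author would want, as an added example that is not from the original page or its author: a small Python scanner that flags every ESC-introduced or C1 control sequence in an untrusted text body, classifies the string-type sequences (DCS, OSC, PM, APC, the class terminals use for key definitions and other out-of-band settings) and CSI sequences, and rewrites each one into a visible marker so the text can be displayed safely. The sample message is constructed for the example; its DCS payload is shaped after the VT user-defined-key form, but the key number and hex content are illustrative, not a tested payload.

```python
# Control-sequence scanner for untrusted text (e.g. a mail body) before it is
# written to a terminal.  Example code, not from the original page.

ESC = "\x1b"
# ESC + one of these opens a "string" sequence that runs until ST (ESC \) or BEL.
STRING_INTRO = {"P": "DCS", "]": "OSC", "^": "PM", "_": "APC"}


def _find_string_terminator(text, start):
    """Return the index just past ST (ESC \\) or BEL, or len(text) if unterminated."""
    n = len(text)
    j = start
    while j < n:
        if text[j] == "\x07":
            return j + 1
        if text[j] == ESC and j + 1 < n and text[j + 1] == "\\":
            return j + 2
        j += 1
    return n  # unterminated: treat the rest of the text as part of the sequence


def find_escape_sequences(text):
    """Return a list of (offset, kind, raw) for every control sequence in text.

    kind is one of DCS/OSC/PM/APC (string sequences), CSI, ESC (other ESC+char),
    C1 (8-bit control 0x80-0x9f) or C0 (control char other than TAB/LF/CR).
    """
    found = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == ESC:
            nxt = text[i + 1] if i + 1 < n else ""
            if nxt in STRING_INTRO:
                end = _find_string_terminator(text, i + 2)
                found.append((i, STRING_INTRO[nxt], text[i:end]))
                i = end
            elif nxt == "[":
                # CSI: parameter/intermediate bytes, then a final byte 0x40-0x7e.
                j = i + 2
                while j < n and not ("\x40" <= text[j] <= "\x7e"):
                    j += 1
                end = min(j + 1, n)
                found.append((i, "CSI", text[i:end]))
                i = end
            else:
                seq = text[i:i + 2]
                found.append((i, "ESC", seq))
                i += len(seq)
        elif "\x80" <= ch <= "\x9f":
            found.append((i, "C1", ch))
            i += 1
        elif ch < " " and ch not in "\t\n\r":
            found.append((i, "C0", ch))
            i += 1
        else:
            i += 1
    return found


def sanitize(text):
    """Replace every control sequence with a visible <KIND n bytes> marker."""
    out, last = [], 0
    for off, kind, raw in find_escape_sequences(text):
        out.append(text[last:off])
        out.append("<%s %d bytes>" % (kind, len(raw)))
        last = off + len(raw)
    out.append(text[last:])
    return "".join(out)


# Constructed sample: a DCS shaped like a VT user-defined-key definition
# (key and hex payload are illustrative), a CSI "clear screen", then the lure.
SAMPLE_MESSAGE = (
    "Subject: re: meeting\r\n\r\nHi,\r\n"
    "\x1bP0;1|17/6361742f746d702f78\x1b\\"
    "\x1b[2J"
    "Mail file corrupted--press F6 to continue.\r\n"
)

if __name__ == "__main__":
    for off, kind, raw in find_escape_sequences(SAMPLE_MESSAGE):
        print("offset %d: %s (%d bytes)" % (off, kind, len(raw)))
    print(sanitize(SAMPLE_MESSAGE))
```

The scanner deliberately treats an unterminated string sequence as running to the end of the text, since a reader that stopped at the first byte it did not understand would hand the remainder to the terminal unfiltered; a viewer that wants to show the content anyway should at least replace the sequence with the marker rather than drop it silently.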
it's kind of like that line in "Fight Club," where he explains that his company doesn't do safety recalls unless the cost of the recall would be cheaper than the cost of the lawsuits when x amount of people die because of faulty manufacture...
yes I know it's wishful thinking but as long as those corporations know that we will hound them to the end of their days, they might actually concede some of their profits for quality... even if just for some good publicity
I believe sex is highly over rated... unless it involves me