Slashdot Mirror


Microsoft's Goal, Security Through Obscurity?

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks."

Update: 05/09 13:59 GMT by M: The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, is exemplified in this article which notes yet another remote root hole in Microsoft's code.

12 of 374 comments

  1. Security through obscurity? by DragonPup · · Score: 3, Funny

    Not quite.

    More like security through brilliantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Every time you see a BSOD, you should thank MS that they prevented an evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vulnerable with a non-crashing insecure Windows!

    -Henry

    --
    "Useless organic meatbag" -HK-47
  2. yet another ROOT hole in MS Code? by gatekeep · · Score: 3, Funny

    Wow, now that's really something, seeing as how Microsoft doesn't even have the concept of Root.

  3. *thbppt* by TVmisGuided · · Score: 5, Funny

    *pauses to wipe coffee off monitor*

    Three arguments against Microsoft's position:
    Nimda.
    Code Red.
    The fact that a virus framework for .Net was released to the wild before the "official" .Net specification.
    No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.

    'Nuff said.

    --
    All the world's an analog stage, and digital circuits play only bit parts.
  4. this sounds like a pretty good business plan... by Transient0 · · Score: 3, Funny

    Hmmm... I think I'm going to write a book. And then, on page 156, I'm going to include my IP address and root password. And then, I'm going to make sure that every copy of the book has its covers bound tightly together so that it cannot be opened without extreme difficulty. Then I'm going to sell the book for $50 dollars a copy (aw hell, why not make it a hundred). And then, if anyone who buys my book actually tries to open it, I'm just going to have to sue them for every penny they have because, goddammit, my root password's in there (didn't they read the EULA that came on the complimentary bookmark?).

    1. Re:this sounds like a pretty good business plan... by delus10n0 · · Score: 2, Funny

      That is quite possibly the worst analogy I've ever heard. Congratulations for sounding like a complete tool.

      --
      Not All Who Wander Are Lost
  5. Security from non-obscurity by Reality+Master+101 · · Score: 4, Funny

    Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.

    Of course, I am speaking of Sendmail.

    Oops...

    --
    Sometimes it's best to just let stupid people be stupid.
  6. Windows users really shouldn't worry too much... by reparteeist · · Score: 2, Funny

    The computer will crash before an exploit can be used anyway, thus proving once again Windows is far more secure than that *other* OS which some people run for years at a time.

    --
    If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does.
  7. Re:WTF???? by Transient0 · · Score: 5, Funny


    ---QUOTE---
    "The attack doesn't happen through the chat client, so as long as you
    have MSN Messenger installed, if I send you a special URL, I can own
    you," said Marc Maiffret, Eeye's "chief hacking officer."
    ---ENDQUOTE---

    This kind of paraphrasing is a disgrace to journalistic integrity. I present to Slashdot an exclusive direct transcription of this statement, before the WashPost mangled it.

    "M4RX M4IFFR3T d03Z n0t R007 j00 7hru 14M3 cl3n7 h4x. M4RX M4IFFR3T iz 31337-h4x0r. H3 wiLL *0WNZ* j00 W/ 1337 j00-R-3ll iF j00 hav m3$$3ng3r 0N j0r 14m3 b0x0r 47 4LL!!!!!!!!!11111111," said M4RX M4IFFR3T, Eeye's K1N6Z0r of 31337.

  8. From the Washington Post article by nachoworld · · Score: 3, Funny

    "In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."

    As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.

    'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"



    I'm sure Marc actually said, "1 c4n 0wN j00," but the Washington Post author didn't know what the hell he was talking about.

    --

    ---
    I'm just an ordinary man with nothing to lose.
  9. Re:not so crazy? by Anarchofascist · · Score: 4, Funny

    "....frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course."

    I'd rather have a golf course (18 holes per 40 hectares) than swiss cheese (18 holes per pound).

    --
    Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
  10. PR Issue or Design Flaw? by Bob9113 · · Score: 2, Funny

    From Jim Allchin: "We have to work on our reputation for security in the marketplace."

    Yes, that's it, it's a public relations issue. I guess the idea of FIXING THE GODDAMMED SOFTWARE hasn't occurred to him.

  11. Re:Average Consumer by delus10n0 · · Score: 2, Funny

    Yeah, and those patches are what fix the exploits, jabroni. As do patches for any OS.

    I bet you read Steve Gibson's little rants on NT security/internet flooding and believe every word he says.

    Just as a side note, the regular joe-shmoe home computer user doesn't leave their machine on 24/7. (Unless some old technician/uninformed person told them that repeatedly shutting it off/on is bad for the electronics, ugh)

    --
    Not All Who Wander Are Lost