Slashdot Mirror


Microsoft's Goal, Security Through Obscurity?

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.

8 of 374 comments

  1. Re:WTF???? by MaxwellStreet · · Score: 4, Insightful

    Makes you wonder if these things aren't being spun out to get people to use the latest version of MS's products - if for no other reason than to make their systems secure.

    Don't use 3rd party stuff. Use the latest from MS. It's secure this time. We promise. Really.

    Vaguely reminds me of auto glass purveyors out in a parking lot with a bat.

  2. They are right though by anthony_dipierro · · Score: 5, Insightful

    Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.

    It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

    1. Re:They are right though by JordoCrouse · · Score: 5, Insightful

      It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

      Mod this one up insightful.

      For the first, say, 5 months, it would be anarchy - People would be fixing bugs 24 hours a day all around the world, just to stay a few steps ahead of the crackers. Then as soon as the largest holes are patched, there will be peace in our time. Machines would be fairly secure, and we could go back to actually using our bandwidth and machines for important things instead of 3 MB of klez and sircam worms daily.

      Instead Microsoft would rather keep the bugs obscured, so they will escape slowly over a number of years. And don't get me wrong, they will escape, there is no amount of obscurity that can mask the continuous onslaught of people poring over every inch of the code looking for holes.

      Which method would you prefer?

  3. Re:yet another ROOT hole in MS Code? by ryepup · · Score: 4, Insightful

    Yeah they have the concept of root, it is just implemented for every user.

  4. Re:MS Security Paradigm by mjh · · Score: 4, Insightful

    Yes, obscurity is an accepted security paradigm. However, when people talk about "security through obscurity" they're typically talking about obscurity as the only security model. And that is a very risky model.

    Of course, since Microsoft's APIs are still hidden, we don't know whether or not they're using obscurity as their only model. However, from the alarming number of remote root exploits available, it seems evident that Microsoft's claim for obscurity of their APIs as a security measure is the only measure that they're taking. Which leaves one of two possibilities:

    1. They are intentionally depending entirely on obscurity as a security practice.
    2. They are conveniently coming up with security as the reason for further obscurity of their APIs. IOW, the real reason for obscurity is to propagate their biz model (as you say) and not for security purposes.

    I tend to believe the latter. But giving them the benefit of the doubt, we can only argue against the former. Which is that trusting your business to Microsoft's security practices is a very risky proposition.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  5. Do they read their own APIs? by Darth · · Score: 5, Insightful

    If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?

    If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isn't even trying to secure their products.

    --
    Darth --
    Nil Mortifi, Sine Lucre
  6. Re:Why? by ink · · Score: 4, Insightful

    I firmly believe that software should be held accountable to liability laws and consumer rights laws.

    That would kill all free software. People could personally sue Linus for bugs in the Linux kernel that caused them problems: "I'm seeking $10,000 in damages because your stupid bottom handler for my POS Promise IDE controller caused me to lose all my data!". The listings on freshmeat would be a pool of future clients for lawyers, and not software projects. Amateurs wouldn't release code for any use whatsoever.

    In short: that's a really, really, really, really bad idea.

    --
    The wheel is turning, but the hamster is dead.
  7. Re:Amok .. amok .. amok ... by HiredMan · · Score: 5, Insightful

    "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.

    This perfectly demonstrates the M$ sekurity mindset - they approach security problems as a PR problem NOT an actual usage or safety issue. What he SHOULD be saying is, "As the dominant OS in the consumer space we need to work to make our OS the most secure for our users because they are the biggest target and the least aware of the threat." Instead he's blathering about their "reputation" instead of actual security.

    Bottom line is that M$ doesn't care about security - they only care about their reputation for security. Hence to them obscurity IS security and it becomes policy and is encouraged.

    =tkk