Slashdot Mirror


Microsoft's Goal, Security Through Obscurity?

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.

14 of 374 comments

  1. clearly... by jeffy124 · · Score: 1, Interesting

    Clearly the rebuttal to this is the security of OSS tools. Hackers have access to their source and are able to break into systems running them, just as much as Microsoft systems can be broken into without source available.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:clearly... by Anonymous Coward · · Score: 1, Interesting

      Yeah, but keep in mind that when something open-sourced gets 'cracked', fixes are not only put out quicker but also the software becomes more secure as a whole. Notice that the bugs people find in open source software are found because they have access to the source code. Since the authors know that many eyes will be looking at their source, they tend to not cut corners like many closed-source developers fall victim to doing. I mean, imagine if you were driving a car where you weren't able to pop open the hood and look at the engine. Sure, the car runs, but is that good enough? For all we know, there could be a small army of genetically engineered, gasoline-drinking hamsters powering it. It could have a very horrible design, but we can't see it.

      Apply this to Windows. Just think how many extremely fatal bugs there are in Windows right now that nobody knows about (yet)? Kinda reminds me of the Winnuke scourge a few years ago.

      Now, I do use Microsoft products for certain things, but when I do I can't help but feel that I have an "Open" sign hanging over my ass.

  2. MS Security Paradigm by theFlux · · Score: 5, Interesting

    Yes, it's true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security ought to mention it, and you can read about it in "Security in Computing" by Pfleeger. It's always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.

  3. Problem Is... by 4of12 · · Score: 5, Interesting

    ...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.

    But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what its purpose is and how it can be misused, too.

    The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.

    --
    "Provided by the management for your protection."
  4. Amok .. amok .. amok ... by ProfMoriarty · · Score: 3, Interesting

    You gotta love these quotes ...

    "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.

    Gee ... I guess that's why there's so FEW reported news stories about the hacking of Windows ... and so MANY stories about the hacking of Linux.

    --
    Karma? Karma? I don't need no stinkin' karma.
  5. A new analogy by nukey56 · · Score: 2, Interesting

    I'm going to hide a cookie in this glass cookie jar over there. If I find out that you ate it, I'll just have to put a new cookie in the jar and hide it somewhere else.

  6. Why? by crumbz · · Score: 3, Interesting

    I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to today's. About ten times as long, with each additional page reducing their liability and increasing yours.

    More FUD from Microsoft. Their legal department must have more employees than their coding department by now.

  7. not so crazy? by tps12 · · Score: 1, Interesting

    Like many of us here in the Slashdot community, I have long been a skeptic of so-called "security through obscurity" (the topic of the above article). The principal argument made by its supporters is that hackers cannot exploit security flaws that they don't know about. In other words, what you don't know can't hurt you. My objection has always been that almost all of the most popular viruses, hacks, and backdoors have been discovered or created by accident. A prime example is the ubiquitous "page widening post" here on Slashdot.

    People aren't digging security holes; they're falling into them.

    Now that I've done a little research, I see this as a naive view. For one thing, it doesn't explain the frequent security flaws in Linux and Apache. To continue the analogy, there are so many holes, it looks like a golf course. Also, a wealth of evidence suggests that at least 85% of exploited bugs in Microsoft products (discounting IIS and Windows 2k and later) are from well-documented public APIs. This suggests that it is far more harmful to publish this info (which really isn't helpful to users anyway) than to keep it secret, where it can do no harm.

    --
    Karma: Good (despite my invention of the Karma: sig)
  8. Target Executives At Large Companies by Anonymous Coward · · Score: 2, Interesting

    Somebody should maintain a list of executives at large companies and specifically bomb them with these 'sploits as soon as they become available.

    I think that the IT departments of large companies do their jobs too well -- the executive never realizes just how vulnerable they are with MS products.

    If we bring the problem home to the people that make decisions, then there will be top-down sponsorship of better computing environments.

  9. MS can't have it both ways by FearUncertaintyDoubt · · Score: 5, Interesting

    Hasn't MS claimed for years that it doesn't have secret APIs that only MS developers get access to? Haven't they always claimed that there is a level playing field for developers to create, oh, say, office suites for Windows? Now they say they can't turn over their secret APIs which they denied existed for security reasons?

    Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.

  10. Dave Cutler? by Marillion · · Score: 3, Interesting

    I wonder if it is a coincidence, the poster of this article? There is a Dave Cutler at Microsoft who used to be the lead designer of NT and who used to be the lead designer of VMS. There is an interesting urban legend about that too.

    --
    This is a boring sig
  11. patches.. always patches.. by joeldg · · Score: 2, Interesting

    It really irks me to no end that every piece of software you ever seem to get off the shelves seems to follow the same thought as a downloaded product that you can patch it up as you go.. (take Windows Update for example) and I always end up feeling like I am endlessly beta-testing everything, down to my OS (luckily I run Windows under VMware, so at least it reboots faster).. So as far as security goes in MS products, because I treat it as an endless "beta" and the fact that off the shelf, Windows seems to barely work, I am not surprised as each new security hole comes up. In all reality, the fact that they obscure everything seems to make people all the more interested in digging around in it. Just my 2 cents..

  12. Re:Every crash is probably another exploitable hol by delus10n0 · · Score: 2, Interesting

    Of course I can contact Microsoft, but they won't respond for the shorter of 4 months.

    Obviously you have never really contacted Microsoft, because they take security issues very seriously, and usually respond back to you within 24 hours (if you've discovered a real security problem).

    Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply.

    I don't know about you, but I've never had a hotfix on XP/2k/NT4 break anything. Follow the directions and it works fine.

    --
    Not All Who Wander Are Lost
  13. Re:Not necessarily by jelle · · Score: 3, Interesting

    "Remember when the one compression lib had problems a month or so ago?"

    Yes I do.

    And I have yet to see patches for the mentioned MS programs that use that library according to that news.com page: Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page.

    But in Debian, the patch was applied and the fixed Debian package distributed on the same day that the vulnerability was discovered.

    What was your point?

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.