Slashdot Mirror
Microsoft's Goal, Security Through Obscurity?
dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were
they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
Yes, its true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security outta mention it, and you can read about it in "Security in Computing" by Pfleeger. Its always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.
...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.
But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what it's purpose is and how it can be misused, too.
The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.
"Provided by the management for your protection."
"I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.
Gee ... I guess that's why theres so FEW reported news stories about the hacking of Windows ... and so MANY stories about the hacking of Linux.
Karma? Karma? I don't need no stinkin' karma.
I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to todays. About ten times as long, with each additional page reducing their liability and increasing yours.
More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.
I wonder if it is a coincidence? The poster of this article. There is a Dave Cutler at Microsoft who used to be the lead designer of NT who used to be the lead designer of VMS. There is an interesting Urban Legend about that too.
This is a boring sig
"Remember when the one compression lib had problems a month or so ago?"
Yes I do.
And I have yet to see patches for the mentioned MS programs that use that library according to that news.com page: Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page.
But in Debian, the patch was applied and the fixed debian package distributed on the same day that the vulnerability was discovered.
What was your point?
--- Hindsight is 20/20, but walking backwards is not the answer.