Gates: 'You don't need perfect code' for Security

securitas writes "ITBusiness has an interview from the Microsoft Professional Developers Conference where Bill Gates says 'You don't need perfect code to avoid security problems.' Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date. Considering that Microsoft says it is focused on security, the comments from the Chief Software Architect aren't inspiring, especially beacuse the underlying attitude seems to contradict the idea of well-written, secure code. What kind of message does that send to the developers who work for Gates?"

Since when is Bill Gates a security expert?

[dtolton]

This is a typical problem, that was discussed a few days ago. People
are confusing microsoft's success in general with Technological
superiority.

I find it interesting that *anyone* would care what Bill Gate's
opinion is on security. The volume of critical problems reported, and
of actual viruses and worms that have spread across the internet
lately should've been enough to indicate that microsoft doesn't have a
good understanding of security in general.

His argument is an interesting point of view though. It sounds to me
like he's saying microsoft doesn't need perfect code because people
can just install firewalls. What if the code in the firewalls in turn
isn't perfect though? Doesn't that leave us in an insecure position
again? What about the e-mail scanning software? What if it misses a
virus? Shouldn't you have layers of protection, instead of an outer
layer of protection and a soft underbelly?

Of course he is shifting the burden back to the users of the software
again. If only they had our firewall product and a good e-mail
scanning software package, and if they kept their software up to date
none of this would've happened.

Of course if they didn't ship their software with nearly every service
turned on by default, and everyone running as root this wouldn't have
happened either, but let's not trifle with details.

I really liked the part at the end where he comments that all the
viruses and attacks on microsoft's os are really a compliment.

You keep telling yourself that Bill.

Re:Since when is Bill Gates a security expert?

[mcspock]

I dont even see why this is news. No code is perfect, especially at the OS level. If you think about it abstractly, what gates is saying is that security should be layered, so you have multiple filters protecting you.

The part about it "being a complement", which i dont really agree with, is based on the fact that windows is high visibility, so it gets the most attention from virus writers.

The whole argument is silly though - windows is what happens when you have a desktop only operating system and transition it into a network enabled system. You end up with design flaws (everyone runs as "root") and security holes.

Re:Since when is Bill Gates a security expert?

[retinaburn]

microsoft doesn't have a
good understanding of security in general.

Just because their code is bad doesn't mean they don't understand security, it may just mean it is not profitable to write perfectly secure code.....and they get money from upgrades :)

Re:Since when is Bill Gates a security expert?

[4of12]

Three parties are responsible for providing a secure computing environment:

1. The software creator or vendor: needs to code carefully, to test exhaustively, to debug, and to audit.
2. The exploit writer, releaser: ought to publicize the vulnerability by describing it and illustrating protection measures before hammering the world with a working exploit to illustrate the deficiencies of the other two parties.
3. The user hooking up his purchased system to the net. Should be listening to the other two parties about what's vulnerable, how to mitigate it in the short term and patch for the long term.

I see all three parties not wanting to fulfill their responsibilities and trying to shift blame on to the other two parties.

Until Bill Gates starts to act more like Theo de Raadt, I don't belive he's upholding his part.

Re:Since when is Bill Gates a security expert?

[00420]

Funny? Personally I think this is insightfull.

I've said it before (even though I don't like to), but Bill Gates is not an idiot. He's a pretty intelligent guy who is more than capable of understanding computer security. But, for some reason he choses not to implement it in his software.

Re:Since when is Bill Gates a security expert?

[murdocj]

Ok, where does the OS end and the application begin?

This is the core of the problem. I talked to a guy I had worked with who was at MS and was complaining about how the MS Office group was implementing all sorts of O/S features in Office because they needed them. MS has never had the concept of seperating O/S functions from application functions. As a result, you end up with holes because the core O/S is performing operations that should be in apps, and the apps are doing the work of the O/S.

Perhaps in theory Windows has now been layered to an extent that it could function similar to UNIX, but in practice MS continues to prefer lots of functionality over security. And as the interview shows, that attitude comes down right from the top.

Re:Since when is Bill Gates a security expert?

[AKnightCowboy]

I dont even see why this is news. No code is perfect, especially at the OS level.

Of course that's only true for varying degrees of "no". There is perfect software that has no bugs, but it's extremely expensive and difficult to produce. You need integrity checks at every single layer of development to ensure that nothing added compromises the code already in place. IMHO Windows should be scrapped and a completely new code base developed from the ground up with security in mind. Security is not something you can tack on as an afterthought, it MUST be implemented at the earliest stages of planning an application or you've already lost the battle.

Re:Since when is Bill Gates a security expert?

[rifter]

His argument is an interesting point of view though. It sounds to me
like he's saying microsoft doesn't need perfect code because people
can just install firewalls. What if the code in the firewalls in turn
isn't perfect though? Doesn't that leave us in an insecure position
again? What about the e-mail scanning software? What if it misses a
virus? Shouldn't you have layers of protection, instead of an outer
layer of protection and a soft underbelly?

This in and of itself proves that Mr. Bill does not have a clue, not only about security but about how the recent worms propogated. Firstly, firewalls are not a panacaea. They only protect from extenral threats. They do not protect against internal threats or trojans/viruses/worms which are brought inside. They do not protect you when you have a worm/virus infected computer connecting to your network via VPN remotely or which is brought inside after being infected. They also do not help you if there is a vulnerability in a core world-facing service like, say, IIS.

These things should be intuitively obvious to the meanest of minds, but are beyond Bill Gates' understanding. Further, he has put the lie to his earlier promise of better software. Now that security firms have been paid off not to report Microsoft holes that they do not deign to fix, Microsoft seems to be ditching the whole idea of writing secure code. It's not as though it was anything more than a marketing ploy in the first place, but now he has pretty much told us that Microsoft will write crappy software on purpose because they don't believe that software has anything to do with security.

If you continue to use Microsoft products after this, well, I guess you get what you deserve.

Re:Since when is Bill Gates a security expert?

[Spoing]

His argument is an interesting point of view though. It sounds to me like he's saying microsoft doesn't need perfect code because people can just install firewalls. What if the code in the firewalls in turn isn't perfect though? Doesn't that leave us in an insecure position again? What about the e-mail scanning software? What if it misses a virus? Shouldn't you have layers of protection, instead of an outer layer of protection and a soft underbelly?

More importantly; A firewall -- depending on the situation -- prevents access to some ports, and allows access to others.

When data can be transfered through the firewall, you now depend on the program servicing the port to be secure. If it's not, the fact that there is a firewall in place won't matter since it's out of the picture.

Re:Since when is Bill Gates a security expert?

[Dark+Fire]

Both Windows and Unix are based on 20 year old ideas. The similarities between VMS and Windows are quite astonishing. There was an article on /. a while back about it.

I agree that many security problems in both unix and windows come from poor application design.

Compare designs between qmail and sendmail. qmail is a properly constructed unix application that takes advantage of all the facilities unix provides. sendmail is a blob. bind also suffers from being a blob. sendmail and bind alone account for a good portion of unix related vulnerabilities.

Bind and sendmail are applications in the unix world.

Unix and Windows may bother be at heart very solid designs. Remember though that microsoft isn't just responsible for the operating system, but for many of the most popular windows applications as well. IIS, Office, file/print services, exchange, etc.

Microsoft goal has always been integration. Integration and Security are opposing goals.

Single sign-on is a good example. To prevent someone from entering their password each time they want to utilitize a secure resource, you ask them for their username and password once and then cache the username/password. By doing this, you have sacrificed security for integration. The cache acts as an integrated security service that transparently lets any program that runs act with your full authority on all security resources that you are permitted to utilize for as long as your credentials remain in effect.

We don't need perfect code for security

[grasshoppa]

and he's absolutely right. We could just unplug our computers and leave them in a cold, dark room all by themselves, with no power.

For the rest of us, however, security starts with the code.

What about the Firewalls?

[sapped]

If we are not going to rely on perfect code but expect firewalls to catch the problems, then what do we do if the code in the firewalls aren't perfect?

Do we string together a series of firewalls in the hope that the code problems don't overlap?

Read into it what you want

[stratjakt]

It makes sense to me. Don't rely on someone else to keep your computer secure. Take steps yourself.

Look at me, I'm just going to get the latest debian iso and install it and not worry about anything!

Look at me, I'm just going to go buy a car and not worry about locking the doors or using a club, because I expect that the ignition system is tamper proof.

Don't blame the architect when someone comes through an unlocked window in your home and steals your stereo.

No, you don't need perfect code. Linux has no "perfect code". If it did, Linus et al would be finished and have moved on to other things.

I dont rely on Linus for security, I don't rely on Bill Gates for security. At the end of the day, it's my system, and it's up to me to take steps to protect it.

Re:Read into it what you want

[Tsali]

So Joe SixPack is going to secure every pager, phone, wireless access point, and hell, even a car because he is self-reliant?

Joe SixPack either does nothing or sues someone.

Re:Read into it what you want

[DeltaSigma]

I'm not disagreeing with you, or trying to dampen your point.

You might be a college graduate, hell a professor when it comes to security. You might have an understanding of every open cryptic algorithm in use today. You just might have learning and experience which has engraved security processes onto your heart.

But then, there's the rest of us. I'm a simple web/graphics designer. I don't even know how to compile a program. The most complicated things I produce are script. In the technical arena my contributions are child's play. As a long-time windows user, I had no concept of security. It was accepted fact that I had to patch and run process sapping virus scanners to prevent what was inevitable anyways, the infection and subsequent re-install of my operating system.

In the last year, I switched to Linux. Debian, first, now RedHat 9.

It's Linux that taught me security. It's Linux that gave me a better understanding of how ports work, how services can be hijacked and used to tamper with your machine, how random programs can degrade my security, how running as root is like volunteering my machine to be a DOS attack zombie.

Linux isn't inherantly secure due to superior code (don't get me wrong though, I strongly believe Linux utilizes superior code). It's inherantly secure because it conditions its user to consider security. Debian and RedHat taught me where vulnerabilities can exist in my operating system, and how to account for them.

Thanks to Debian and RedHat, my Windows box is more secure as well.

I may not have the safest internet-connected box on the face of this earth, but I can rest assured I'm in the top 10% when I'm using my Linux-based operating systems.

Re:Read into it what you want

[Zelet]

Your arguement is flawed. A better analogy would be:

I have a car. Even though I locked the door... it fell off.

Basically what I'm saying is that the basic of security that the manufacturer should provide isn't functioning. Of course I could always use 'the club' but the door shouldn't fall off the hinges.

Of course if you wanted a true analogy of what Windows security is like:

You can lock the doors - but the door locks are hidden and my mom couldn't figure out how to do it and the doors come unlocked by default. Even if you lock the doors the windows are always open - and there is no way to close them without buying the windows rollers yourself. If somebody gets into your car not only can the ignition be turned by any basic screw driver but they could blow up the entire car - including the engine by using easy to use functions from within the cabin of the car.

Now take OS X (I haven't used Linux in a while so I'm more familiar with OS X)

Your car comes with the doors locked by default. The windows are all rolled up. If somebody DOES get into the car - they can trash the cabin but can't destroy the engine.

Re:Read into it what you want

[poot_rootbeer]

Look at me, I'm just going to go buy a car and not worry about locking the doors or using a club, because I expect that the ignition system is tamper proof.

But would you buy a car that didn't even come with locks on the doors, and instead of needing a key to start the ignition you just had to press a big red button on the dashboard that says CAR GO NOW?

Microsoft isn't 100% responsible for making sure your Windows installation is secure. But at the same time, MS isn't ZERO percent responsible, either. They need to do their share.

Transfer of blame

[nurb432]

Blame the user, not the developer, is the message.

Its not the users responsibly to compensate for poor design, regardless of the product. Be it an unsafe car, or insecure OS.

Not only that

[siskbc]

His argument is an interesting point of view though. It sounds to me like he's saying microsoft doesn't need perfect code because people can just install firewalls. What if the code in the firewalls in turn isn't perfect though? Doesn't that leave us in an insecure position again? What about the e-mail scanning software? What if it misses a virus? Shouldn't you have layers of protection, instead of an outer layer of protection and a soft underbelly?

I'd say two things to him. First, the only completely effective firewall is the one where I unplug my computer. Assuming you leave a port open, that's a possibility for an attack. Second, all a hacker needs is a proper buffer-overflow in a user program that employs that port, and it's fun time. I'm sure Internet Exploder etc wouldn't apply there. No, not at all.

He has a point in that firewalls have to be a large part of the solution. However, the idea that I can write the world's shittiest code and this is OK because I have a firewall is ludicrous.

Naturally, all this assumes you don't buy your firewall software from MS. That would be pretty funny.

Re:As an SSL developer

[RatBastard]

Middle-aged women seem to be the worst offenders

Of course they are. They tend to be trusting and don't realize that perfect strangers are more than willing to screw them into the ground. But the OS doesn't need to be a welcome mat for these problems. There are some very basic things that MS could have done to make Windows secure enough that being a trusting user doesn't put the entire system at risk.

To make a analogy that fits users of this level and background, your point is like saying that cars are less likely to get stolen if the doors are locked and blaming said car owners for because their Fnords are getting stollen because they haven't locked the doors that Fnord didn't bother to install in the first place.

A pat on the back

[jonhuang]

For an out of context quote. This whole article is clearly just a biased "ooo ooo they suck omg" sort of thing. The line could have been just as easily phrased: "you can't rely on perfect code for security". Note that (IRTFA) the next line is along the lines of "but while we're working toward pefect code..."

seriously.

patch size

[rakerman]

I don't understand why no one raises the patch size issue. To fix a buffer overflow, you've got to need what, 2K of modified code, tops? But the patch is like 2MB? Or 20MB?

In the US, where most people are still on dialup, how can anyone reasonably expect that people are going to download tens of megabytes of patches?

Microsoft should be mailing out free CDs with the latest patches.

Re:Right and Wrong

[chill]

I can't agree with that. If the default behavior of all common mail programs so discourages people from executing attachments, I think the worm problem (at least as it exists today with things like sobig) would be effectively solved.

That's not to say that nobody will find a way to execute such a program. The problem with sobig, though, was that so *many* people ended up running it, because of how easy it is to do in mail programs.

Except many worms are spread through more than one means.

A real case I dealt with: the I LOVE YOU virus.

The ILY virus spread through local network shares and e-mail attachments. The parent office of a corp I worked for (2,000 PCs) was hammered with it. It took them two days to clean up.

Then, the next day, some idiot who originally *thought it was a real love note and saved the attachment to his desktop* executed it again -- out of the context of an e-mail attachment.

The shame and humiliation heaped upon him was enough to ensure he wouldn't ignore IT memos again. However, it brought the e-mail servers down a second day while it was fixed. Again.

In a LAN environment, all it takes is one idiot.

Re:Unix is difficult, Windows is easy to use

[cayenne8]

"Unix may be secure but it is arcane and difficult to learn and use."

That a computer system's administrator should be fairly intelligent, able to read and learn how to do new and complex things and stay up to date with technology.

What the hell were we thinking....??

...sarcasm mode off...

Re:Security is a process not a state

[DeadSea]

Nothing microsoft or any other programer can do is going to be able to stop me if I grab pair of mac-10s and just go after their physical computer

Your thinking is one of the reasons that security is often breached. It is not possible to think about computer security without securing the computer physically. The security process requires holistic thinking. You cannot just dismiss ways to bybass security with a "well, of course somebody could do that". A cracker may find it easiest to get in via the wire, but a determined cracker won't stop at that. Unless you are thinking of every way to break in, just like an attacker would, you have vulnerabilities.

There are other ways around the wire as well. What if your mother (child, significant other, friend, employee) were using your computer (you let them while you aren't home), and somebody calls you and impersonate you or claims to be a friend calling on your behalf. The attacker has her go to a website, download a program, and run it. The program reads your private data and sends it. Do you expect Microsoft to prevent this type of attack? There are some things you can do to lock a system down so users can't install and run software, or upload to the internet, but it is a hard problem to solve.