Gates: 'You don't need perfect code' for Security

securitas writes "ITBusiness has an interview from the Microsoft Professional Developers Conference where Bill Gates says 'You don't need perfect code to avoid security problems.' Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date. Considering that Microsoft says it is focused on security, the comments from the Chief Software Architect aren't inspiring, especially beacuse the underlying attitude seems to contradict the idea of well-written, secure code. What kind of message does that send to the developers who work for Gates?"

As an SSL developer

I couldn't agree more.

Majority of security issues come not from buffer overflows in the application code or similar stuff, but from dumb users clicking on e-mail attachments and downloading wicked screensavers.

Ever ran Spybot through a typical home user computer? Middle-aged women seem to be the worst offenders, Spybot and Ad-aware have pages and pages of stuff that the user usually isn't aware about.

Re:As an SSL developer

[16K+Ram+Pack]

Just because you don't want to have a rental-type service doesn't mean that others don't.

And you (like me) probably know a lot of the tricks of hackers and how to protect yourself with Firewall, Anti-virus, not downloading .exes sent in the mail, patching, whatever.

A huge number of people who don't work in the computer industry or have office jobs don't.

The following could all be delivered via Java Applets within a web page: email, office, games, small business accounts, graphical design, instant messenging, video playback, games, project management software. Database software could just run as server side websites. Outside of those applications, I can't think of much else that tens of millions of home users use. And what's left could be easily built.

The only thing I would struggle with from an applet POV would be digital camera upload where you'd have to interface with the USB port (and there's probably a way around that).

Perfection

[mukund]

I don't want to sound like a troll :-). If Bill Gates said "perfect software" isn't necessary, he's somewhat on the lines we are at today because no software out there can be declared perfect or bug free. There is no such thing. But whenever bugs are found, it is good practise to patch software. We do this under Linux, Mac OS X and Windows. And having a good firewall configuration helps keep out the dirty world.

Right an Wrong

[chill]

"You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things."

The first sentence is correct -- or moot. The last is pure bullshit.

"Perfect" code is probably unattainable in complex applications. This is why things like firewalls, IDS, backups, etc. exist. Code should be made as good as possible, but dwelling on perfection will only pull your focus from other issues.

However, no virus or firewall in the world is gonna stop a cluleless user from clicking on an attachment and screwing their system. Virus scanners are mostly reactionary -- if it isn't in their list of malware, they can't find it. If it is a new way to screw users, and they click it...

EVEN if users have to jump through hoops like not executing from inside the mail program, saving it to the desktop, unzipping, scanning -- they'll screw something up. It is the nature of the beast.

Even with sandboxing -- good luck getting a user to execute the code in a sandbox first, every time.

And the real funny part is...

[Tenareth]

How much trouble their products have when seperated by stateful firewalls. I mean, it wasn't until after AD was out for a bit that they realized you couldn't put a firewall between them and for large corporations, that wasn't acceptable. Now there is a bogus work-around, but ultimately W2K is horrible at dealing with firewalls inside the enterprise.

And the whole idea of a protected shell, soft middle has been destroyed by the likes of Nimbda, Nachi, etc. Eventually, someone gets past the outer shell.

We like to keep all of our satallite locations seperated by Firewalls, but as we started moving to W2K3 we found out Microsoft won't support our infrastrucure with internal firewalls...

Real nice Bill, thanks for the help.

this is their subscription business model

[bigpat]

"make sure that they keep their software patches up-to-date"

They are pursuing a subscription based model which the regular release of software patches supports. Now users see regular patches for scary new security holes downloaded on a regular basis... I expect now that most people are getting used to it, that Microsoft will shorten its supported lifecycle for OS releases and require full upgrades... which of course you can get downloaded to your machine directly using a credit card.

Funny how Bill is using the Open Source community to help spread FUD about its own products which will then be used to help force regular costly upgrades on people.

Security concerns might cause some people to start using Linux Desktops, but the majority of people will just buy into a system of regular updates from Microsoft.

This is a no win issue for the Open Source community.

The evil is too strong to resist, the only way to win is to deny it battle.

Transference of Responsibility

[sfhc]

"Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date." Bill Gates is sending the message that in his opinion, security is not the responsibility of the software author, but of the end user. This is an obviously flawed point of view. Just as if a car manufactor knowingly released a car with faulty breaks, they would take the initiative to launch a recall, and would most likely face civil/crimial consequences for their actions. However, MS has been able to knowingly release a defective product and escape consequence. They are even so arrogant as to say that it is up to the end user to secure their system. Bill is clearly stating that MS does not take security seriously.

Security is a process not a state

[DeadSea]

There is no such thing as being secure.
There is no such thing as software without bugs.
There is no such thing as an operating system without vulnerabilities.
No scan will find all the holes.
No firewall will protect you from all attacks.
No patch will fix all your systems.
No intrusion detection system will catch all breakins.
No employee screening process will weed out all the criminals.
No employee training program will eliminate all employee mistakes.
Security cannot be purchased.
Security cannot be achieved.

The security process is a checklist of items that should be evaluated and expanded periodically.
Continuously and actively search for vulnerabilities. If the cracker knows about the hole before you do, you have a problem. Run scanners, hire people to test your security.
Read security advisories, keep systems up to date with the latest patches, consult others who also try try to keep their security bar high.
Take preventative measures: install a firewall, train employees to use secure practices, implement stricter checks and balances.
Detect problems with intrusion detection systems. Put up honeypots and tripwires. Enable logging.

It scares me, but Microsoft is right.

Re:Read into it what you want

[Jeff+DeMaagd]

I don't expect perfect code but I also don't expect that car door locks to be defeatable by toothpicks or that a "master" remote unlocker unlocks every car in a parking lot in a second with one button press.

I think security should be important in _all_ phases of product usage, not just the user. It should be important in design, coding, testing and actual use. Any weakness in those four reaps a weakness in the entire product.

It is important for the user to take proper steps but that doesn't releave any product maker from their end of the responsibility of properly designing and producing secure code. Yes, the user should take steps but then being a user of any particular piece of software shouldn't be a "kick me" sign.

Re:Since when is Bill Gates a security expert?

[SirNAOF]

With proper setup, even NFS can be 'transparent and secure'. It's not the technology, it's the admins.

To a point, Billy boy is right. The users (and/or admins) need to know how to set things up in a secure manner. But this is only half the problem. The other half is having a platform that is designed with security in mind, and having tools that are properly designed as well.

I have personally setup remote file system access securely under unix. But I'm sure you don't care about that, I'm not an 'average' user.

gates may be right

I believe he may in fact be right.

I'm sure microsoft has reviewed linux's code many times over, and have found exactly what all intelligent people find - a REALLY crap code base.

the code of the linux kernel is laughable that it astonishes many intelligent people, like me, how linux has still survived.

Gates is right, in part.

[argent]

You don't need perfect code, you need a secure design. If you have a design that fails "closed", that defaults to not allowing access and requires an exception handler to function correctly for access to be granted, then most bugs will result in a denial of service rather than a security failure.

The problem that Gates isn't dealing with is that Windows has traditionally used security mechanisms that "fail open". For example, Internet Explorer used the same file type - application bindings as the desktop, and then added a bunch of rules to prevent insecure apps from being opened. Internet Explorer, again, allows local objects full access and then has exceptions to cover objects that aren't really local (like attachments in cache directories).

So, on the one hand, Bill is right that if you have a good design you don't need perfect security. On the other hand, he's selling a system with a lousy design. So where does that leave us? Well, it doesn't leave me with any warm fuzzies about Longhorn...

Re:Since when is Bill Gates a security expert?

[evilpenguin]

There's a famous quote, wish I could remember who said it (someone leap in with attribution!) (and I'm quoting from memory, so I'm sure I'm misquoting...)

"It is axiomatic that every program contains at least one bug and can be reduced in size by at least one instruction, therefore, every computer program can be reduced to a single instruction which does not work."

There's the singularity on your asymptotic curve ;-)

Re:Since when is Bill Gates a security expert?

[Jeremy+Allison+-+Sam]

Windows has root in *exactly* the same sense that UNIX does.
Do you think Administrator or LOCALSYSTEM on a box can't do
anything root can ? Change ownership of files to an arbitrary
SID (that's a lie in the Microsoft docs, claiming that can't
be done, I wrote a Win32 program to do just that about 11 years
ago :-). They *are* root. No, difference.

What you are complaining about is NFS, not UNIX.

Stop comparing *one* of the remote file system protocols in
the UNIX world with UNIX itself. And stop claiming that Windows
is architectured any differently. You're simply repeating
Microsoft propaganda, and people who know better will point
out you're lying. You're lying btw.

Jeremy.

From the Windows XP "Getting Started" book

[AllenChristopher]

"Another way to make your computer more secure is to assign a password to the Administrator account, which is blank by default."

There's a line between convenience and leaving the whole system completely open. This is on the wrong side of that line.

Re:Since when is Bill Gates a security expert?

I think he is saying that you can run insecure, buggy Windows code as long as you use non-microsoft products for your security (i.e. a linux-based firewall) or anywhere else where security or reliability actually matter.

Isn't that exactly what we have been trying to say for many years?

Re:patch size

[Artifakt]

One 98 IE specific patch I installed reinstalled stock files for solitare (I was running a hacked copy that had custom card backs or I wouldn't have spotted it quickly enough to be sure it was the patch). Why in the lower plane of your choice would solitare contain any code that could be a vulnerability? No wonder patches are bulky, they are apparently either a shotgun approach to the problem, or they are fixing lots of things besides what they claim to fix.

If Gates isn't/wasn't a coder, few of us are

[mactari]

even calling gates a coder is a stretch

I couldn't google the link up quickly, but I started giving Gates credit as a coder when I read how his BASIC interpreter worked. I've done just a touch of assembly programming as a hobby, and Gates apparently, to save space, was able to cleverly reuse bits of the interpreter when newly written portions of his code matched previously written portions closely.

That is to say that he scoured the code he'd already written to see if there was any place he could JSR to reuse code -- essentially using functions in a language where there wasn't any such thing.

Sure, perhaps this was common practice then, but the point is that he got the concepts. And he, along with Allen, wrote something usable and sellable, and didn't shoot any blanks before becoming profitable. If you can't call Gates a programmer without stretching, people like John Carmack (afaict) are probably the only fellows that deserve the title around here. Which means not very many of us.

(Now this fact, of course, makes Microsoft's attitude towards security even less forgivable; it's not like they have some naive corporate exec running the ship. And, like I said, this makes Gates' comment about "perfect code" even worse. I don't think he's talking about "Code a la Plato's Forms". Rather, he seems to be justifying the security issues his reused, legacy code that didn't have networking in mind has when used in today's world! That's lazy and fairly irresponsible.)