Slashdot Mirror
Microsoft Security Whitepaper
An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."
Well, all the dangers aren't in looking at the source code. If you have access you could *change* things, like backdoor every Windows installation. And besides, with the GNU and Debian servers getting rooted (and probably other high profile linux projects i forgot), the security record isn't great on either side.
Perhaps you forgot about the compromise of kernel development servers and the Debian website?
Microsoft's concerns regarding source code are likely less about preventing someone from SEEING it (you can pay them money to look at code) and more about modifiying it.
Open Source is a wonderful thing -- but it isn't a silver bullet. Sophisticated programmers with access to any source repository, open or closed can create all sorts of havoc.
Conformity is the jailer of freedom and enemy of growth. -JFK
To make a long story short, this document is an "Emperor's New Clothes"-style piece of PHB-speak/business-speak/market-speak/PR-speak that nobody really understands, but every business IT strategist that reads it will pretend that its meaning is very profound, like the emperor pretends to see his nonexistant clothes, to avoid appearing stupid to colleagues.
Microsoft. Where do you want to go today?
This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China.
Isn't that perjury?
Boy, is there any Microsoft-related posting on /. where the comments aren't only modded as "funny"? And you call some of these off-repeated insults funny?
I think the whole world would take the Linux vs. Windows religion more seriously (and less religiously) if there was some real debate, not the obstandard trolling-bordering-on-mildly-funny.
Obtroll: You would think the world's biggest DOJ-sanctioned illegal monopoly would have the money to better secure their own network. Maybe Oracle or Sun or IBM would like to describe how their networks are far-better protected, given that they're secured by industry-leading, open-source Linux that has never had a security bug of any kind, and simply can't be hacked. That would be a far better source of information than this "crap" put out by Bill Gates' mindless minions in Redmond.
Did any of the idiots commenting on this story with sophmoric (hehe, M$ security sUx045!) even start to read the Whitepaper?
If they did, they would probaly notice that the paper describes a methodology of security management, including dealing with operating system & application security issues.
Information security is more reliant on process than using x product or y product. If you have established methods to classify what needs protection, identify vulnerabilities & intrusions and rectify the situation, you have a secure IT shop.
Conformity is the jailer of freedom and enemy of growth. -JFK
Ok without putting in some microsoft bashing statement I have to say Im horrified at the idea that Microsoft admits in their own white-paper that they might be compromised on the highest level. Screw source code, what about automatic "updates" (They have been in the past few months especially promoting their automatic-update software, and it is expected within the next few years to be a binding part of their EULA, but even now I know for a fact most users will chose to let windows download selected updates automatically)? The same company millions are trusting to push updates unknown to them to their computer is admitting they will probably be compormised within the next year??? Does this not shock anyone? It would take next to nothing with access to their automatic update ability to wreck havoc on millions of users, imagine delete IE, and then their update system (after uploading the update itself) and 99.99% of all the users would be toast! this is serious stuff, we're talking millions of users potential take over at the hands of a script kiddie....and its glossed over in some security white paper? You have to be kidding me, where is the whole Homeland Security Department? NSA? DoD? who always seem to want to stick their noses in everything else done in the IT world? A company convicted of monopolizing the OS business now without skipping a beat making statements in a security white paper such as "There is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class." and "robability: High. Even with current controls, attacks have occurred and will likely happen again."
What's another word for Thesaurus?
-Steve Wright
from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)
;)
Either way, the implicit statement's invalid (that buying 65,000 x $n is wasteful).
Microsoft has, what, $40 billion in cash floating around? I work for a company that is lucky to have $40 million in cash floating around - does that make 65 smart cards wasteful? If your company has $4m, are 6.5 smart cards wasteful? If you have under a half a million in readily available assets, should you not use smart cards at all?
It's a simple scale thing. Microsoft is stupidly large when compared to most other companies. 65,000 of anything sounds like a big number, and it is. Still, relative to the size of their business, it's bordering on frugal, not wasteful.
See, I have so much Karma I can even occasionally support Microsoft on something.
It amazes me that most of you really can't be constructive at all any time 'security' and 'microsoft' are uttered together.
What's more, the moderators encourage this lack of constructive talk by modding up things purely because they decry microsoft. How many days in a row are we going to hear the same old tired MS jokes?
Just because you run linux/bsd doesn't mean you're safe. Hell, by being connected to the internet at all you're at risk. Anyone with enough time, education and willingness to exploit you is going to eventually find a way in.
Anyone running any operating system can be attacked and comprimized. Security is only as good as the people who maintain the machines. You people sometimes seem to forget that despite MS's faults, they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do.
Personally, I think that if linux were a home desktop platform that had enough popularity to be a significant enough player in that market you'd be seeing a whole lot more hackers focusing specificly on linux. Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish? Especially when the majority of people running the big fish's stuff couldn't secure _any_ box to begin with, regardless of what it was running.
Same thing with the mac. I love it when macos users say "I never get viruses/worms!" well, who would write a virus/worm for such a miniscule percentage of computer users? The whole point of a virus/worm is to propigate, and if you don't have the userbase for it to propigate well, what's the point?
I apologise if I've offended people here, but I really felt this needed to be said. This persistant catscrap between linux and windows users doesn't help anything, or anyone.
Linux/BSD ARE good operating system
MacOS/OSX ARE good operating systems
Windows IS a good operating system
and they ALL have faults.
BeauHD. Worst editor since kdawson.
Where does the $50 figure come from?
I can't answer that, but I can tell you what smart cards cost.
The costs depend heavily on both volume and capabilities. At the low end, there are cards available in large volumes for substantially less than $1. At the high end, programmable cards with both contact and RF capability, lots of fancy printing, etc., plus some loaded and personalized applications can be up to $10, in large volumes, and over $50 each in developer quantities.
So, in general, $50 each for 65,000 cards is ludicrous.
However, in this case the figure may actually be accurate. The numbers I mention apply to "stock" cards, where the R&D investment is spread over hundreds of thousands, or even millions, of cards.
Microsoft, however, may very well have used Windows for Smart Cards cards, from their brief flirtation with the smart card business. These cards are based on a 32-bit processor from Atmel, which is itself significantly more expensive than many of the more common cores. In addition, the cards run a custom smart card operating system developed by Microsoft. They're high-end programmable cards that interpret (what else?) Visual Basic bytecodes (eeeeewww).
So the cost of these specialized, low-volume chips, plus the cost of developing a smart card operating system, building tools to construct, load and manage applications, implementing the card applications, implementing the workstation and server software, implementing the key management systems, issuance systems, etc... Yeah, $3.25M is not only believable, it's impossibly low.
I suspect that the $50 per card figure is accurate, but that it includes more than just the cost of the cards.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
and the interface that only a 3 year old Teletubbies addict could navigate through, Microsoft Windows XP!
:)
Oh get over it already. It doesn't take 20 scripts and ten screens of typing to make an OS powerful or functional. Some 'power users' actually like the idea of using a couple of clicks to print photos or play music with the OS UI model.
This reminds of DOS/UNIX people bashing all GUI interfaces in the 80's.
Are we really back to the days of using words like WIMP and telling everyone that GUI's are inherently bad, or are we just saying that ones that are easy to use are bad?
The open source world needs to learn a little about UI consistency and try to make things easy to use if any Open Source OS is ever going to be taken seriously on the desktop or in the home.
(And don't bring OSX into this as a champion of Open Source usability - it is not Open Source.)
PS *cough* Windows95 was NEVER designed to be a secure OS, it has NO inherent security, just like Mac System software did not as well. People forget it was a consumer OS and was designed in a time of the early internet where massive consumer connectivity via the internet was not something that was happening in the home markets.
Back then, there were things like CompuServe, AOL, and the new MSN, and at the time AOL had just recently added the ability to browse HTML, MSN was a folder based browsing service, and CompuServe was a text system with a new GUI that made it look pretty to interpret the text interface.
Most people had no clue about ISPs, especially when Win95 was being designed in 1993-1994.
If you want to talk about Microsoft's security track record, pick on something like NT, which in 1996 was far more stable and secure than even Linux of 1996. (With both being about the same age)
Oh, and by the way, have you ever heard of cars being recalled? Almost EVERY Model and Make of car has had at least one type of recall that has required dealer service. Don't believe it, go look up whatever you are driving, there will be a list for what has been a 'required' and a 'requested' recall for your car. - At least if Windows fails it doesn't kill you. (And if you are driving a Ford Truck or a Pinto, you REALLY might want to take a look at your vehicle recall list)
And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.
The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in it's potential as an equalizer - there is no one single Linux company).
Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.
I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.
Nobody uses Microsoft technology like Microsoft. Unfortuately, nobody uses Microsoft technology like Microsoft.
The reason? Only Microsoft has the source code and "really understands" Windows. Everybody elses corporate networks running Windows are dogshit -- but Microsoft really does just use the crap the way they tell you to use it, and it works wonderfully. Unfortunately, they are the *only* example of such a user on the planet!
But security through obscurity is alive and well at Microsoft. Tell me, when you select "store password using reversible encryption" in Active Directory, what algorithm is used to (reversibly) encrypt the user passwords? Where are the published specifications for PPTP? For MS-RDP? Obscurity goes hand-in-hand with closed source.
Note that, especially for corporate security, obscurity is a legitimate component of "defense in depth." I might mandate standards-based encryption; maybe even open-source firewalls based on an open-source OS. But it's none of yer business what kind of firewall or IDS or smart cards I'm using. That's for me to know, and you to try to find out.
What is unfortunately obscure in this white paper is the name(s) of the author(s). I know a few people involved with security at Microsoft. I was curious whether any of them had a hand in this. But there's no indication of authorship at all. I suppose it was written by the collective. How's that for obscure?
...of a High Value attack being reality instead of taking the pompous approach that your software is hack-proof. I can find 10 ignorant Linux users who think their system impregnable for every Microsoft user who thinks the same. At least Microsoft is willing to admit that yes, sometime in the future, shit is bound to happen.
Nothing serious happened because there were eyes looking at the code.
Luck plays out in closed source, when the consumer never finds out about the holes until the " new version fix" is ready for shipping.
Back to work, Microsoftie!
No, win95 was never meant to be secure and, almost 10 years later, win 2k3 server is almost as insecure *cough* buffer overrun! Buffer overruns have been well understood for years, are easy to automate tools to search source code for and any that leak through are easily tested for. Microsoft obviously did none of that! And if you think thi is the last buffer overrun problem, stay tuned!
Objections to the XP GUI do not run to it's functionality (although there are lotsa problems there as well) most of the objections I've heard (and mine) are about the damned cartoonish color scheme and the total waste of screen space in each and every window that dosn't add any functionality to the GUI itself.
Look at this way; if they did such a damned good job, why do you feel the need to act as apologist?
"Microsoft Security Whitepaper"
Seriously, what is a "whitepaper"? This is not a troll. I have no idea what it is. Is it an article? I know what a "paper" is; what is the significance of it being white? Are there blackpapers?
Oh Great Slashdot Oracle, I, your humble follower, bow before you, please hear my question.
What is the difference between the kind of ideas that are in a whitepaper, and the kind of ideas that are in a paper? Are the whitepaper ideas whiter? When you are having white ideas do you consciously avoid negative thoughts?
If there were a "Microsoft Security Blackpaper", what would it say? "Ohmygod, we've had years of pushing out product before the programmers are really finished with it. Now we a sitting on a mountain of sloppy code. We have no hope of finding all the vulnerabilities."
Unless Microsoft has implemented MLSA, which is atmittedly tough to do, or they have implemented a physically separated network for their high-value stuff (without internet access!!), they will indeed at some point see a compromise that touches their high-value stuff. Unfortunately for the rest of the slashdot-crowd, this equally applies to them as well :)
Also, I don't see any references to a document classification level system, plus the proper controls to implement them. We know for the halloween documents that they must have something like that. (The halloween documents are labelled microsoft confidential).