Microsoft Security Whitepaper
An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."
Perhaps you forgot about the compromise of kernel development servers and the Debian website?
Microsoft's concerns regarding source code are likely less about preventing someone from SEEING it (you can pay them money to look at code) and more about modifying it.
Open Source is a wonderful thing -- but it isn't a silver bullet. Sophisticated programmers with access to any source repository, open or closed, can create all sorts of havoc.
Conformity is the jailer of freedom and enemy of growth. -JFK
To make a long story short, this document is an "Emperor's New Clothes"-style piece of PHB-speak/business-speak/market-speak/PR-speak that nobody really understands, but every business IT strategist that reads it will pretend that its meaning is very profound, like the emperor pretends to see his nonexistent clothes, to avoid appearing stupid to colleagues.
Microsoft. Where do you want to go today?
This is the same company that said, under oath, that revealing the Windows source code would harm the National Security of the United States, then they gave the source code to China.
Isn't that perjury?
Did any of the idiots commenting on this story with sophomoric remarks (hehe, M$ security sUx045!) even start to read the Whitepaper?
If they did, they would probably notice that the paper describes a methodology of security management, including dealing with operating system & application security issues.
Information security is more reliant on process than using x product or y product. If you have established methods to classify what needs protection, identify vulnerabilities & intrusions and rectify the situation, you have a secure IT shop.
from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)
;)
Either way, the implicit statement's invalid (that buying 65,000 x $n is wasteful).
Microsoft has, what, $40 billion in cash floating around? I work for a company that is lucky to have $40 million in cash floating around - does that make 65 smart cards wasteful? If your company has $4m, are 6.5 smart cards wasteful? If you have under a half a million in readily available assets, should you not use smart cards at all?
It's a simple scale thing. Microsoft is stupidly large when compared to most other companies. 65,000 of anything sounds like a big number, and it is. Still, relative to the size of their business, it's bordering on frugal, not wasteful.
See, I have so much Karma I can even occasionally support Microsoft on something.
The whitepaper simply presents the dirty little secret that highly technical IT people have always known -- there is no such thing as a totally "secure" system.
Sophisticated hackers identify exploits before they get mentioned on bugtraq and before a fix or patch is even looked at. Those people are a big threat to a company like Microsoft.
Instead of being horrified at Microsoft, you should be pleased. They are taking a remarkably straightforward tack by highlighting the industry's dirty little secret. That is an about-face from typical Microsoft FUD.
It amazes me that most of you really can't be constructive at all any time 'security' and 'microsoft' are uttered together.
What's more, the moderators encourage this lack of constructive talk by modding up things purely because they decry microsoft. How many days in a row are we going to hear the same old tired MS jokes?
Just because you run Linux/BSD doesn't mean you're safe. Hell, by being connected to the internet at all you're at risk. Anyone with enough time, education and willingness to exploit you is going to eventually find a way in.
Anyone running any operating system can be attacked and compromised. Security is only as good as the people who maintain the machines. You people sometimes seem to forget that despite MS's faults, they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do.
Personally, I think that if Linux were a home desktop platform that had enough popularity to be a significant enough player in that market you'd be seeing a whole lot more hackers focusing specifically on Linux. Realistically, what is the point of trying to exploit Linux? Why exploit the little guy when you can go after the big fish? Especially when the majority of people running the big fish's stuff couldn't secure _any_ box to begin with, regardless of what it was running.
Same thing with the Mac. I love it when MacOS users say "I never get viruses/worms!" Well, who would write a virus/worm for such a minuscule percentage of computer users? The whole point of a virus/worm is to propagate, and if you don't have the userbase for it to propagate well, what's the point?
I apologise if I've offended people here, but I really felt this needed to be said. This persistent catscrap between Linux and Windows users doesn't help anything, or anyone.
Linux/BSD ARE good operating systems
MacOS/OSX ARE good operating systems
Windows IS a good operating system
and they ALL have faults.
BeauHD. Worst editor since kdawson.
Where does the $50 figure come from?
I can't answer that, but I can tell you what smart cards cost.
The costs depend heavily on both volume and capabilities. At the low end, there are cards available in large volumes for substantially less than $1. At the high end, programmable cards with both contact and RF capability, lots of fancy printing, etc., plus some loaded and personalized applications can be up to $10, in large volumes, and over $50 each in developer quantities.
So, in general, $50 each for 65,000 cards is ludicrous.
However, in this case the figure may actually be accurate. The numbers I mention apply to "stock" cards, where the R&D investment is spread over hundreds of thousands, or even millions, of cards.
Microsoft, however, may very well have used Windows for Smart Cards cards, from their brief flirtation with the smart card business. These cards are based on a 32-bit processor from Atmel, which is itself significantly more expensive than many of the more common cores. In addition, the cards run a custom smart card operating system developed by Microsoft. They're high-end programmable cards that interpret (what else?) Visual Basic bytecodes (eeeeewww).
So the cost of these specialized, low-volume chips, plus the cost of developing a smart card operating system, building tools to construct, load and manage applications, implementing the card applications, implementing the workstation and server software, implementing the key management systems, issuance systems, etc... Yeah, $3.25M is not only believable, it's impossibly low.
I suspect that the $50 per card figure is accurate, but that it includes more than just the cost of the cards.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.
The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in its potential as an equalizer - there is no one single Linux company).
Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.
I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.
Nobody uses Microsoft technology like Microsoft. Unfortunately, nobody uses Microsoft technology like Microsoft.
The reason? Only Microsoft has the source code and "really understands" Windows. Everybody else's corporate networks running Windows are dogshit -- but Microsoft really does just use the crap the way they tell you to use it, and it works wonderfully. Unfortunately, they are the *only* example of such a user on the planet!