Slashdot Mirror
Microsoft vs. Computer Security
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
i must agree: the very "constant stream of patches" is in fact great progress; to have that kind of rapid support, delivered by an automated update system that for me at least works seamlessly, is incredibly good!
Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."
Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.
I want to drag this out as long as possible. Bring me my protractor.
Considering where they started, just getting to BAD is a tenfold increase! And to be honest, they have come a long way. They just have a VERY long way to go.
tens of billions of dollars to clean up
you know we as a tech community lambast the **AA whenever they (and the media) say a "hacker" did millions of dollars pirating
why do we not do the same when crap like this gets printed?
tens of billions? prove it, thats our job, thats what we do
The More Knowledge you have the Luckier you Get- J.R. Ewing
Perhaps more accurately, users of windows have made no progress. Quite a few of the worms that have made big headlines over the last few years are ones that make use of exploits for which patches were already available. It's long been said that people are the greatest security problem. And I believe that applies to Microsoft's security problems as well. As long as the education of Microsoft's user base is neglected (or actively refused by some), MS's efforts (feeble as they may seem at times) will have limited success.
I don't know if I'd chalk this all up to lazy sysadmins. While that's a factor, there's also the IT director at whatever firm who wants "stability." Sure, some of it is sysadmins not paying attention. But some of it is also sysadmins at war with the suits because, "that system cannot go down... not even for maintenance. I don't care if nobody uses it between 1 and 4am or on the weekends." (Yes, I've seen shops like that... those are VERY costly errors on management's part.)
Critical patches should ALWAYS be installed as soon as it is feasible. You should have a test system available where you can install them and run your regression testing, if you're in software development. If all you do is use your computers for word processing, data entry, specific applications, etc, you should, for the most part, be installing those critical patches as they come out. I tell family and friends to do that. My seldom-used windows box here at work gets done by corporate IT, and they seem to stay on top of a lot of that.
OCO is Loco
Well, some may call that progress, it's really a band-aid solution to a much larger problem Microsoft appears to be addressing already. Their codebase is OLD, not to mention poorly designed. NT was written as kind of a test bed for new technology. It wasn't originally designed to be a production system. Now, you've got a million people doing a billion different things to who the hell knows how much code. It's hard to make much in the way of progress if you're trying to swim up a waterfall. I think the only way they're going to make progress is to change directions.
the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more.
Actually it is all Microsoft's fault. Whether or not they deserve to be villified for it is another issue. But consider the following:
1) They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.
2) They don't submit their code for review by the public.
3) They don't follow security best practices, like turning off services by default.
4) They make their OS less secure by obfuscating design to make it difficult for competitors.
5) They use propriety data formats.
6) They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.
etc.
An insane amount of progress has been made on Windows security. Automatic updates ensure even the most retarded of end users has a chance of being patched, built in firewall has resulted in a significant chance of end users having a firewall, the security added to IE in SP2 has given a whole lot of protection.
It doesn't matter who the dominant OS / company is, the biggest threat to security on anyones computers is the person sitting in front of it.
You can't win a fight against ignorance, misunderstanding or plain stupidity. Microsoft has made some pretty damaging blows and that is commendable.
I think it's time the end users' took just a little bit of responsibility for their security issues. It's callous to assume (and blame) Microsoft when so many 'issues' are avoidable with a little common sense.
God help the *nix world if they ever get bundled with the masses of ill-informed, ill-prepared and irresponsible people who use Microsoft software.
The popularity argument is pure bullshit. Non Microsoft runs most of the web and anything that's mission critical. Those foolish enough to try making M$ do things live to regret it and it has nothing to do with popularity, Geeks and Nerds but everything to do with marketing and crappy software. Apple, Sun, Linux and every other kind of software works better and non have had the kind of automated worm problems M$ has.
From the above, you can imagine that the functionality and features excuse is also bogus. Operating systems robust enough to provide services over the network can also be made with pretty GUIs that are equally robust. There is nothing a Windoze user can do that I can't do better with free software and many things that I can do that they can't without lots of effort and money. I share my classwork with anyone who's interested and I share my music and movies with myself without any of the problems Windoze users suffer just connecting to a network, reading their email or browsing the web.
When is the big Linux worm coming? Never, thanks to the diversity of excellence that a truly free market for software provides. Free software writers also don't make the mistake of mixing content with executable code, unless they are copying someone else's bad implementation for compatibility sake. Still everyone makes mistakes but that still won't do to free software what it does to M$. As an example, imagine Firefox had a problem. It would get about 1/3 of GNU/Linux users. Why? because the rest of them are using other browsers and all of them can stop using the browser with a problem until it's resolved one or two days later. Because Free Software is all about code, binary problems don't automatically propagate across distributions. A Red Hat exploit might not work on Debian and probably won't on Gentoo and won't do anything to a BSD box. The Free Software fix is always easier too. When things go wrong on a free software box, the user downloads the latest and greatest to fix it. The worst case is a rebuild, which preserves all user data and takes less than 20 minutes. In the Windoze world, the user takes out their "original CDs" or blows a few hundred bucks at the computer store for software that's at least two years old and probably has the same problems. Things are much much more difficult for crackers outside of the M$ monoculture of binary crap.
Friends don't help friends install M$ junk.
There IS reason to believe that Mozilla's coders are that much better; The most serious hole found in Firefox in some time actually ended up being a hole in Windows.
FF has gone through more versions because they don't release incremental security patches, and because their code is subject to public review. Microsoft does release patches, meaning there are less versions, and their code is not subject to public review, meaning they fix problems only when someone finds one accidentally.
Your arguments are universally specious.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The whole article is a troll.
n -us/dnsecure/html/sdl.asp
Its filled with 'feelings' and 'impressions' by people cited as experts, without examination of their claims - nor an inquiry to factual matters. It describes a dislike, without addressing the basis of the problem, nor posing any other solution beyond disliking Microsoft.
The fact is, you still have millions of Win9x and NT boxes, hanging their gut out on the 'Net. This is and has been the principal problem. Slammer worm? Christ, I blame the crappy network border management, that allowed a local service-discovery broadcast protocol to come in from the Internet without being blocked.
I trust Rich Forno on Unix security. To use him as a source on Windows secuity is ridiculous. He is anti-Microsoft in bias - irrationally so. Microsoft could buy OpenBSD tomorrow, stick IIS6 on it, and Forno would still rant about the thing.
The WMF problem is a legacy file format. Let's not give MS a free pass on this, but seriously. It's like the zlib problem we had across distributions, a couple years back.
There are some other gross inaccuracies claimed by 'experts' and 'analysts' in this piece. "It is still built on the same legacy code, it is still written without adhering to secure coding practices, it is still thrown to the masses without adequate security testing." That's an assertion without supporting evidence. It doesn't have a factual basis. The MS SDL is a very good security development and testing process, implemented company-wide in 2003. Don't take my word fo it. Read the damned thing. This is how to do it in commercial software.
http://msdn.microsoft.com/library/?url=/library/e
I wish I saw similar efforts from Oracle, or any of the other major commercial software vendors.
It remains to be seen if this methodology is well-executed. Server 2003 is the first full-blown OS released thouh a full SDL cycle. So far, it has been a reasonably secure system, with limited exposure of default "attack surface", and intelligent choices about vunerable service and connectivity configurations.
Vista will be the first full SDL derived client. While I may not like the policy enforcement of "Digital Rights" and whatnot in userland, as a system I expect that it will be difficult to exploit or escalate privileges - and that attacks will be localized at isolated in effect. Let's hope so.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that requires more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of alot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)
Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.
Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.
Blame the user, not the software.
Excuse me? No Progress? Including a firewall with Windows is no progress?
Of course that is progress but the real problem with Windows is the fact that it carries a burden of bad design decision at a fundamental level made for all sorts of business and marketing reasons. Why does a process like Microsoft Internet Explorer (Which is mainly a bigger gateway for malware than Firefox because it is badly written not becaue it is a Microsoft product) have to run with admin privileges? There is a reason why that is going to change in IE7 on Vista. Come to think of it, why the hell does the normal Windows user even have to have Admin privileges for day to day work to begin with? Thousands of Linux and Mac users get along just dandy with restricted user privileges apart from the occasional annoyance of having to either log in as root or in the case of OS.X feed a nag window the root password so that the occasional installation program can touch sensitive parts of the OS. You can try to write this off as *NIX evangelism but it is hard to deny that in the ancient past this sort of shoddy design work solved complicated problems for MS quickly and cheaply and for that reason it was allowed to happen without contemplating the long term effects. Unfortunately MS has since learned the hard way that thinking ahead sometimes pays but now they are also learning that back-pedaling is hard work.
Only to idiots, are orders laws.
-- Henning von Tresckow
Perhaps more accurately, users of windows have made no progress.
Perhaps even more accurately, windows application designers have made no progress. Windows has supported multiple users & permission sets for quite some time, but it's still considered acceptable for normal applications to spew garbage into the registry and write to system folders. Until its easy (not merely 'possible') to run limited accounts & control permissions, we're going to see major problems.
I was wondering why the fact that they keep releasing a "constant stream" of patches is a bad thing, since the OSS community does the same thing (Now, I'm not trying to compare the quality or the type of patch).