Ask Microsoft's Security VP

There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.

Will you ever sort and modularize Windows?

[tz]

The XP Embedded version can be created with or without IE or WMP, but I don't know how many DLLs have chunks of code designed to launch or provide IE or other MS product functionality (designed to give Netscape Users "a jarring experience" in the words of a Microsoft person). Is Microsoft ever going to sort and layer things so that there will be an isolated kernel, application layer, GUI, device drivers, (and if so, when), or is "Windows" going to continue to integrate things, e.g. "The Spreadsheet and Editor are now 'part of the operating system'"?

Rationale: Many security problems are due to everything running as Administrator, with privileges, or as part of the OS. One thing I like about GNU/Linux is that each part is separate, so Firefox runs on X which runs using services, which runs using the kernel, with only the kernel having privileges. Generally a buffer overflow problem in X, or Apache doesn't let someone format my hard drive. Also you can put something to analyze or intercept things between such layers - even things like ltrace or strace.

OpenBSD

[hahiss]

How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?

Is it really a secure system?

[The_Crowder]

Does the creation of an antispyware tool by Microsoft mean that your team has failed in their role of creating secure software?

Re:Usability and Security

[kafka47]

(Re-post, with formatting.)

The revised mantra of Microsoft application security has been "Secure by default", a strategy that was applied with varying degrees of success to many of your products in recent memory. In security circles, this might seem like a no-brainer, but for consumer-level applications the strategy can be a nightmare. For a company that spends so much on usability and ease-of-use for end-users, the act of explicitly prohibiting certain operations or features seems to fly in the face of that investment. The users get what is perceived as a broken product, and the administrators get the headache of decreased security (say, after they install a patch that break "secure by default"). For various reasons, these two contradictory approaches seem to serve neither usability nor security.

In that vein, what other effective strategies have been considered? For years, the NSA has provided a unique service to the users of various products, including Microsoft Windows operating systems. They produce "hardening" guides for these products in an effort to ensure their continued security and viability in the wilds of the Internet. Has Microsoft ever considered producing guides like these, seeing as how they're the authors of their own products? In that vein, has Microsoft considered redacting the secure by default to enhance usability, yet instead produce tools or wizards that electorally enable hardening for your applications and OS'?

/K

MSFT employee here

Hi, Mike,

I have just one question for you. Why do we STILL ship products with KNOWN security issues?

I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.

This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".

After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.

If you ask me, that's abomination, not a proper security process. Are there any plans to change it?

If you had to store your Credit Card Number ?

[DrSkwid]

If you had to store your Credit Card Number, SSN, etc. on your computer, where would you put it/them ?