Slashdot Mirror
Ask Microsoft's Security VP
There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.
Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?
From what I've heard, even though most of Vista is being rewritten from the ground up with more scrutiny on what code goes into it, it will still have major flaws generated by the way Microsoft works internally as a company.
Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?
My work here is dung.
What is the Windows / Internet Explorer design decision that MS does, from a security point of view, regret most?
Did the WMF Patch now set a standard that severly high risk problems will be patched out of the standard patch Cycle? How did Microsoft come to the conclusion that is was important enough to go against what it promised it's corporate customers?
My new title at the office is "Vice-President of Everything Else"
As a Microsoft product user, it has always made me wonder what the User:Bug ratio might be. Do we see more bugs found BECAUSE more users are using a product?
Has Microsoft tracked the "security bug" to user ratio on their products and found that products with fewer users seem to have fewer bugs? If that is the case, I wonder if it is the normal process of higher supply leading to more people spending time looking for bugs.
It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.
Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.
For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
Given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, What do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?
Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?
12:50 - press return.
Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?
I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
This space for rent.
Certain open source projects such as OpenBSD have routine audits of the software to search and remove potential security problems. While I understand Microsoft Operating Systems are very complex Microsoft does have an enormous amount of talent and resources at its disposal. Is it possible that Microsoft will review all new operating systems in the future with the same sort of audit performed by others? Wouldn't you think this would be worth it to prevent mistakes which could be costly to end users?
Quality Hosting e3 Servers
Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.
How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.
No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).
What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?
With spending like this, exactly what are "conservatives" conserving?
Dear Microsoft Security VP:
I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-spyware from Windows update, but his answer was that it required a registered copy.
My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)
What do you plan to do about this?
On January 17, 2002, p. 1, the New York Times reported, "Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal" and quoted Jim Allchin said "Every developer is going to be told not to write any new line of code until they have thought out the security implications for the product" and that "the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value."
In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?
"How to Do Nothing," kids activities, back in print!
As a Service Desk manager and network guru for my organization, I am responsible for ensuring that all workstation desktops are kept up-to-date and secure. Currently, Microsoft releases patches once a month, usually on the second Tuesday of the month.
With the current advances in smart viruses and malware, that release schedule seems unrealistic. OS security threats have been addressed with emergency patches, but that does not seem like a sustainable methodology.
What is Microsoft's long-range vision on OS patches to ensure that our Server and Workstation Operating Systems are secure, safe, and patched in a timely manner?
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
I'm honestly not trying to troll here, but wouldn't it be easier to rewrite IE from the ground up? Have you guys considered this and ruled it out, or have you just not contemplated it. Not to vaguely bash microsoft, but a large percentage of PC and/or Windows power users would probably consider Internet Explorer 6 a write-off. Any thoughts?
I realize that Microsoft cannot control what 3rd party software does, but will Microsoft's applications and games run under a limited account, or will they still need Admin access?
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Mr. Nash,
In regards to spyware MS has already taken some steps to try and stem the flow (asking about running exe files, the Spyware Removal Tool, etc), however as a consultant I find many of my clients are still infested with the stuff. From my perspective it appears that many users are affected still by these programs and that they are either unaware of how to prevent them in the first place, or how to get rid of them. Many times it is significantly faster and easier (and in some cases, safer) to just format the machine in question and start from a clean slate. Does MS feel that spyware is still a major problem, and if so, what new measures MS doing in order to combat it?
Regards,
Petyr Rahl
Many users still don't understand the importance of creating user accounts instead of using the default administrator account. Will Vista work "out of the box" in a manner that will encourage those who are not technically savvy to work under a user account instead of an admin account?
There are a number of industry best-practices that any system administrator will tell you are vital for proper security. I will not claim to provide a complete list, but the two that seem to have the most frequent effect on an OS's percieved security are:
Windows has been steadily improving on the first point, but the second point has long been a problem for administrators; there is no generally-used near-transparent way for a program to request higher privileges, for instance.
Worse, many third-party (and, for that matter, some Microsoft) programs will fail silently or with obtuse errors if you run them as less-privileged users because they demand the ability to, say, write to system areas - often without warning - and require heroic gymnastics by administrators to resolve (if a resolution is even possible).
Is this issue of least-privilige being difficult to acheive being addressed in future versions of Windows? What changes can we expect to come down the line soon and in the near future?
This flies in the face of science.
Why is there no way to submit easily reproducable and verifiable bugs other than by snail mail to a generic address, or worse, opening (and paying for) a support case?
And why does the phone number on this "report a bug" page:
http://support.microsoft.com/gp/contactbug
call a generic technical support & sales line, which ultimately will tell you that you must either open (and pay for) a support case, or submit your bug by snail mail to 1 Microsoft Way?
Is it Microsoft's stance that the inability of its users to report bugs makes its OS more secure?
-Tommy
"I got a half gallon of Jack, and 2 dozen Ant Traps. I'm about to get wild." -me
When Microsoft added a firewall to XP, it was a since first step; but why was the decision made to have it only work in one direction? Surely, a better solution would have been a firewall that worked for not only incoming packets, but for outgoing as well? And as a followup: why not add that functionality?
In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?
All theory is gray
When will drive letters go the way of floppy disc drives (or at least let me add or remove a drive without completely hosing my system)? .inf files (or at least keep them in an archive)?
When will we have actual symbolic links?
When will you ship with everything possible disabled until needed or manually enabled?
When will defragging a disk or some obscure network function not lock up every task?
When will you not install by default two thousand modem or other
When will you not keep asking to insert a driver disk when the files are already in c:\windows\system32\ (and will "install" if I just point the directory there)?
When will you disable autoplay features by default, or at least make them prominent in a security area (instead of editing obscure system setting panels)?
When will you get rid of, split, or otherwise do something reasonable with the trash "heap" otherwise known as the registry?
Are you ever going to allow me to change my hardware and do autoconfiguration (Both MacOS and Linux will let me boot from a disk in another system, a CD, etc. and manage to find all the necessary and most of the exotic hardware)?
Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.
Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet Explorer?
As a windows desktop administrator since the bad old days of 95 and 98 I have to give you guys some credit for how far you've come; however there are two issues I'm faced with that continue to be problematic - user rights and security auditing.
Despite whatever SU-like features you have, on XP I still can't reliably install, or in some cases even run(!), programs under restricted user accounts, forcing me to give most of my clients admin accounts and just hoping for the best. How seriously do you treat this issue and what work is being done towards getting an OS that can be used in the real world with restricted user rights?
Auditing - finding, say, if user X has any write rights anywhere on a server, who has done what on the system in the past day, what files were modified by a program's install, etc. all these things are do-able but not easily, and not using just MS supplied tools. How about a toolset for administrators that give us (especially the part-time admins like myself who don't just live and breath security) easy access to the reporting, auditing, and security tweaking we need to do our jobs well. And no, configuring and interpreting the security logs in the event viewer doesn't count as an easy to use auditing tool.
closed minded is as closed minded does
What modern, in-use, server operating system do you consider the most secure one available today? I'm talking about one along the lines of Linux (name the distro), OpenBSD, Mac OS X, Windows, and so forth. How about a desktop operating system?
Please name a specific answer for both questions, and please don't name something useless like DOS. Your answer must be something that a sane network administrator might choose for an internet-connected server and desktop deployment.
Separately, do you think that Mac OS X is a more secure _desktop_ operating system than Windows XP? Obviously there have been far fewer worms, trojans, and viruses for OS X than Windows. Is that really solely due to OS X's lesser popularity, or is it truly a fundamentally more secure system?
If you think Windows XP is more secure, why? What security features does it have that OS X doesn't?
This space intentionally left blank.
Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.
(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
IMHO - I find that the reason that Microsoft's products are insecure is because of the level of backwards compatibility that has been engineered into the product lines. While being able to run older applications is useful for many corporations that have difficulty in finding replacement apps, the sad state of affairs is that it is just that level of compatibility that hampers a full rewrite of the Windows core architecture. If Microsoft were to make a bold decision and create a truly new architecture that had the Windows look & feel but was based on sound secure coding practices, the possibility for exploits would be drastically reduced than with the current 'we have to make sure that the app written in Visual C ++ v2.0 still works' mentality. Backwards compatibility for older applications can be achieved with running the app(s) with a slim kernel & supporting services in a virtual machine that has very limited privileges. So my question is: Will Microsoft ever make the move to a newer, secure architecture, or can we expect Win9x compatibility with WinOS circa 2025?
By now, many of us have heard about Singularity, Microsoft's research OS with its ultimate goal of dependability (in which security plays a very large role). How does Singularity fit into Microsoft's long-term security and operating system goals? Will Microsoft eventually adopt Singularity and its inherent security? Will Microsoft adapt the concepts of Singularity to its current NT-based OS structure? Is there a third option coming down the pipe?
"Times have not become more violent. They have just become more televised."
-Marilyn Manson