Microsoft No Longer a 'Laughingstock' of Security?
Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
I have to sometimes wonder, when security is considered so important, how Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.
It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.
(Case in point... if you'd ever owned the amazing Harmony remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slimline devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)
And, to save you all a little time.... mod(self, -1, offtopic);
I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Now we just snicker and giggle!
Great minds think alike; fools seldom differ.
He keeps saying those words... I do not think they mean what he thinks they mean...
Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.
So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.
Why should we believe them? Once bitten, twice shy, and with good reason.
I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.
I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how securely an OS is out of the box.
Karma Whoring for Fun and Profit.
...now if you'll excuse me, I have to go delete the spam that was sent from a botnet of computers that are running a series of a particular OS that shall remain nameless...
So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.
There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
Shift-Right-Click -> Run-As -> The-Following-User?
I do it all the time...
Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No longer a laughing stock?
Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.
If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).
They also start needing to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brain storming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and are a big organisation, it can address all the concerns internally.
I'm exaggerating of course, but I hope you get the point, asking an uneducated user is not a security measure. And you still can't run IE under a separate user account. I think you're wrong on that point, there's no reason runas wouldn't work.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...
Someone at M$: "XP with IE is full of 'critical' security holes."
Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."
Windows 3.1x calc: 3.11 - 3.10 = 0.00
hahahahaahahahahah! *falls over* hahaha haa lmao lol hahahahahahahahahahahahahahahahahaahahahahahaahaha ha... *breath* haha... ha ahhhhhhhh Nope, still works.
Poor security makes money for Microsoft because Corrupted PC's Find New Home in the Dumpster.
All modern operating systems are still struggling to catch up to the Atari 800.
Even now it sits impenetrable with layer one security from both the Internet and power grid in my closet!
This sig is alpha and shouldn't be viewed on production machines
The biggest problem is, of course, the HTML control.
Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.
No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.
Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.
ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.
There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.
There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.
(Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)
The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.
For Microsoft to get the same reputation for security that UNIX based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much, so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.
Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.
But so long as they keep the current API unchanged in all details, though, they can not solve these problems they're faced with.
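The command-line point in the comment above, as an added example (not part of the thread and not any vendor's code): it contrasts a launcher that builds one command-line string the application must split again with one that passes an argument vector, as exec does. The handler name, the URL, the option name and the simplified splitter are assumptions made for illustration; the splitter is not Windows' actual parsing rules.

```python
import json
import subprocess
import sys

# Constructed sample: a handler registration in the "one command-line string"
# style, and a URL containing a double quote. All names are hypothetical.
TEMPLATE = 'handler.exe "%1"'
URL = 'example://open/doc" --hypothetical-option "x'


def split_command_line(line):
    """Simplified stand-in for the parsing an application must do itself when
    it receives one string: whitespace separates, double quotes group."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in line:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def args_via_string(template, url):
    """String model: substitute the URL into the template, then re-parse."""
    return split_command_line(template.replace("%1", url))[1:]


def args_via_vector(url):
    """Vector model: hand the URL to a real child process as one argv entry
    and return what that child found in sys.argv."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.run([sys.executable, "-c", child, url],
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def survives_substitution(template, url):
    """Defensive check for launchers stuck with the string model: accept the
    URL only if re-parsing yields it back as exactly one argument."""
    return args_via_string(template, url) == [url]


if __name__ == "__main__":
    print("string model:", args_via_string(TEMPLATE, URL))
    print("vector model:", args_via_vector(URL))
    print("check passes:", survives_substitution(TEMPLATE, URL))
```

In the string model the quote inside the URL closes the template's quoting, so the application sees three arguments; in the vector model the child receives the URL unchanged as a single argument.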
You are considering becoming complacent and answering yes to all security pop-ups. Accept or Deny?
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
I love this comment. It's such an interesting insight into the mind of a Microsoft guy:
Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.
I don't know anyone who thinks a major bridge in a major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
AccountKiller
They aren't a laughing stock because it just isn't funny anymore.
No Nyarlathotep, No Chaos
Know Nyarlathotep, Know Chaos
is that MS is no longer a laughingstock. The bad news is, now we're crying instead.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
There also seems to be a disconnect here-- if pirated Windows machines are presenting a problem that everyone has to face, why do we blast Microsoft for its desire to see these machines taken offline? Moreover, why are we putting "stolen software" in quotes when we're talking about people who're actually willfully using unlicensed software?
Is the idea here that pirates are "good" because they're not playing the "evil" Microsoft's game? Is Microsoft still more "evil" because they aren't improving the security of machines that are already well out of the bounds of their support model?
Yes, they had.
But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.
With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.
And the simple way to do that is to not have ANY open ports by default.
Security is a process. You are arguing about the high end, theoretical levels
I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.
That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.
The thing that really bothers me is that people are accepting the argument that holes Microsoft created are not Microsoft's fault. People are blaming applications that didn't sanitize untrusted content before passing it to insecure APIs, rather than blaming Microsoft for not providing a secure API they could use instead.
My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.
The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
Here's what it is. The desktop icon for IE's right click brings up IE properties, not, IE the process properties. But, if I do the icon for IE's shortcut on the taskbar, then yeah, I can run as another user. Not too shabby MS.
This is my sig.
You know, the little things, like always remembering your </i>, and never forgetting to preview your work.
Glass houses.
Projectile stones.
Whatever.
I don't think that Microsoft actually can solve this problem so long as piracy exists. As I'm not actually anti-pirate, I'd suggest that a community response would likely be necessary to resolve this issue on pirated machines...Pirate-spun patches, etc, would be helpful. I don't like the virus idea for the same reasons other benevolent viruses are generally a bad thing...They frequently have unintended consequences.
...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". While I certainly wouldn't say that the three have perfect security (and certainly not WRT dumb admin/user mistakes), I can say with confidence that they can rightfully be claimed as being among the most secure out there. Windows cannot, nor has ever been, able to credibly claim that. Whether it can do so in the future remains to be seen.
Quo usque tandem abutere, Nimbus, patientia nostra?
What's really funny is that 20 years ago, wired long distance carriers were waging advertising battles over who had the clearest call. Sprint's "Pin Drop" ads probably set the bar in this respect.
So, while you take the wired phone service for granted, it hasn't been that long since call quality was a very important part of a consumer's purchasing system.
Go back another 20 years to the '60s and you still had a significant portion of the phone network that was manually switched by human operators.
"One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that"
..
...
No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL
"more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"
"What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"
Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure
davecb5620@gmail.com
Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.
So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?
There are at least two possible answers:
We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.
This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.
Just Vista marketing. Nothing to see here, move along.
Maybe I am confused, but how do you explain this?