Interview With Microsoft's Chief of Security

Posted by timothy
from the reserve-judgment-then-reduce-with-whine dept.
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks. /. readers might find it interesting. They can find it here."
  • Insecurity (Score:3, Funny)

    by Lester67 (218549) <ratels72082@myp[ ]s.net ['ack' in gap]> on Wednesday December 19, 2001 @06:53PM (#2729095)
    Well, the way you guys constantly dog out Microsoft around here it's no wonder it is insecure. A little TLC should get them back in order in no time.
  • I wonder if he feels personally responsible/remorseful when someone using a product he helped create is screwed over because he didn't do his job of finding/repairing security holes.
  • by Tackhead (54550) on Wednesday December 19, 2001 @06:53PM (#2729097)
    > Q: [another expert] said his theory was "D3" - "declassify, demystify and diversify (software)." All three of those things are not things associated with Microsoft. Is that a policy you'd take issue with?
    >
    > A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.

    Conspicuously absent is any description of Microsoft's response when someone else finds the security vulnerability in their products.

  • by Zen Mastuh (456254) on Wednesday December 19, 2001 @06:56PM (#2729115)

    Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."

    If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.

    • by Bonker (243350) on Wednesday December 19, 2001 @07:08PM (#2729168)
      If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.


      That's ultimately the only thing that can change the corporate machine... Death. Either the death of members of the machine or members of the public.

      Look at the recent Ford/Firestone screwover: Sure, there have been reports about how unsafe SUVs were for years, but Ford was able to rationalize those deaths away as just part of the 'acceptable highway fatality level' that Americans seem to be comfortable with.

      It wasn't until people were able to say with proof positive that Ford SUVs and/or Firestone tires were directly responsible for human deaths that Ford was forced to change its practices.

      Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (Think safety control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.
      • Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (Think safety control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.

        More likely, when there are human fatalities as a result of MS bugs, that's when MS lawyers will remind the grieving families (and anyone else who complains) that they are not responsible for damages caused by their software. They'll insist it was someone else's fault (maybe sacrifice the MCSE who installed the deadly setup), and not change their ways one little bit.

        As much as I hate Microsoft, I'd be rooting for them in such a case. The reason is because a ruling against them would set the precedent that software companies are legally liable for misuse of their products. The resulting frivolous lawsuits (certainly people would figure out how to hurt themselves with other software products) would be overwhelming.
      • Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (Think safety control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.

        I find the USS Yorktown [sciam.com] still a pretty good example when people start thinking about using Windows in a mission-critical application.
        • Military proverb: No plan survives contact with the enemy.
      • until the Blue Screen of Death is really, provably responsible for human fatalities (Think safety control at a power plant, or a crash

        Re-read the Microsoft EULA [google.com] (in fact, the EULA for just about any off-the-shelf software). It specifically forbids use of their software in power plants, aircraft, and other systems that may endanger human lives.

        "See, it's not our fault -- they were evil pirates."
    • nobody's figured out a way to quantify software quality and automate software QA. Cars, you can crash-test with dummies, check the pressure of the fuel system with a gauge that sends a signal to a PLC that goes into the fault log if it's bad, check the horsepower with a dyno, etc.

      Software, the only people that can certify it are real-live humans. Testing software (except for games) is a tedious, boring job that nobody wants to do, therefore there's a huge gap between the QA management (who get paid big $$ to be the gatekeepers) and the peons (who get paid squat because "all they do is follow instructions"). Such an arrangement is not conducive to true quality.

      There's a reason why everything from lumber to condoms is tested by a machine - because it sucks to test it yourself (except for the condoms, but wait, what if they fail?)
      • by Howie (4244) <.howie. .at. .thingy.com.> on Wednesday December 19, 2001 @07:22PM (#2729245) Homepage Journal
        But there are also best-practice methods to avoid bugs in the first place during the coding stage. Software is not a manufacturing process where you can only test the end product. It's an engineering process which can have checks and balances all through development.



        Ironically, you can find a lot of good information about this in a Microsoft Press book: Writing Solid Code by Steve Maguire. As Maguire points out, leaving your bugfinding to the testers is folly.

        • by hughk (248126)
          Manufacturing is a continuous process of quality monitoring and assurance: you test your inputs, you train your staff and you validate your processes. That is all that ISO9000 stuff. Developing s/w isn't different.

          With software, testing starts at the requirements stage. When you have captured the requirements you then force the customer to review them. You don't just get them to sign off documents, because they will happily do that without reading them. You get them to sit through a presentation. The same applies after the functional specs, and you cross check the functional specs against the requirements.

          All this before you have written one line of code!!!

          As regards exploits if you code defensively against exploits, you will produce better code. You should never trust data that hasn't come out of a checked process and only through a failure-free path.

          I also agree that Writing Solid Code by Steve Maguire is a good book. It is a pity that Microsoft seems to regard the practices described in these books as a luxury!!!!

          • by Howie (4244)
            You're right of course - all I was trying to say was that only testing the finished software product, and only then by usage testing, is a poor development methodology. I wasn't intending to imply manufacturing does do that either, just that in my mind a manufacturing process has a more concrete 'finished product' - I get the impression you might have some ties to that part of industry :)

            It's interesting to read in Writing Solid Code that before the practices in the book were made standard across MS, they had products cancelled because of runaway buglists. The book was published a few years ago now, so all current products were theoretically built using those methods, yet there are still some pretty fundamental mistakes being unearthed - use of a good libc would expose a lot of the buffer overrun problems that IIS has had, for example.
        • Software is not a manufacturing process where you can only test the end product. It's an engineering process which can have checks and balances all through development.

          I'll probably be quoting that somewhere, if you don't mind.

      • Having worked in that corporate QA environment on and off for the last 6 years, and watching what I thought was real quality QA testing deteriorate into mindless clicking and "following directions" mainly due to a change in corporate environment, I must agree with you.

        There's a huge difference, though, between games and operating systems. Letting the end users "beta test" an OS is by far the most insane excuse for laziness I've ever heard, and it's actually one of my biggest complaints against Microsoft.

        You can pay people to test an OS, but I can guarantee you that's even LESS exciting than testing a game. An idea comes to mind, though.. get a bunch of young *hackers* together and *PAY* them well, to build programs that test the vulnerabilities of the OS.. or heck, get some seasoned hackers that are trustworthy for such a thing and pay them even better... I dunno.. just an idea...
      • nobody's figured out a way to quantify software quality...

        See this paper [nasa.gov] on software metrics and reliability, and John Musa [aol.com]'s work on software reliability engineering.

        Software reliability can be measured and reliability goals can be set and met with current technology. Management has to make a specified level of reliability a requirement and support a software development and testing process that can meet that requirement.

      • Knowing someone in the gaming QA arena (supervisor at a major company), I can honestly testify that gaming QA is not nearly as fun as most people think. At crunch time, when you're playing the game for 12 hours a day every day for six days a week for a month, it gets REALLY, REALLY boring. I've learned to not discuss games of any kind during said crunch periods. The initial few days, perhaps through to a full week are fun, but after that the mindless tedium of replicating bugs and testing every possible combination of commands really grates on a person. I can't imagine what testing the latest version of a major application is like.
    • When I took Marketing 101
      1. Marketing != PR
      2. Marketing != advertising
      3. Marketing != reactive

      Marketing is about Product, Price, and Position. It's proactive and it's scientific; what Microsoft confuses with Marketing is like confusing Sociology with sleazy used car salesmanship.
      What they need to do, like the vast majority of corporations, is completely separate Marketing from advertising and accounting. Real Marketing is much closer to R & D and should have a closer relationship to product development than any other department.

      1. Product needs work. I think the real market has slipped out from under them.
      Security, Stability, Speed, in that order, is where the market seems to be heading. Less concern with feature creep and more attention to making basic functionality rock solid and easy to use.

      2. Price: who can beat free? That's what the consumer pays; after all, it comes on the machine, very few people write a separate check. Businesses on the other hand are kicking and screaming over licensing costs lately. I guess they are tired of subsidising the consumer grade product. I chuckle when some suit says "open software is worth the price you pay for it" when their company is running 2K OEM M$ licenses.

      3. M$ has position down pat; they're everywhere.

      • Ironically, what you're calling marketing is actually more done by a group called "Product Management" - who does the scientific "Market Research" to find out what features are needed, how the product is doing in the field, etc.

        I suspect the reason why what is now called Marketing is called Marketing, is because "Advertising" is considered a dirty word in comparison.
  • Fire this man (Score:1, Insightful)

    by CordMeyer (452485)
    Could the blame for Microsoft's security issues fall on this man? Rushing products before they are fully tested.
    Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs.
    • He did coin (or at least I've never heard of it yet) the term cyberhacktivism. So that's gotta be worth something. Cheers
  • The question that will be asked by a zillion people: what is your (personal) opinion on the full disclosure issue? Let me phrase that more specifically with an example: the latest security bug concerning the download of possibly malicious code by IE, when the download box shows a different file type. When this was originally posted on Bugtraq, the advisory was very limited in details; to quote one of his replies on this matter:

    Some details needed for reproducing and exploiting the flaw were left out of my posting because there is no good workaround or a patch available, and the flaw could be quite easily used maliciously. Using those details it would be relatively easy to create a worm that infects a system when a user "opens" a plain text file from an infected website, for instance. For the same reason there wasn't any test page URL included in my posting. That, and technical details will be published later.

    Unfortunately for those who oppose full disclosure, the issue was discussed on Bugtraq, which finally led to the details of the vulnerability. This means that the Microsoft-supported way of disclosing bugs (Do issue an advisory but do not publish any details that could be used in creating exploits) apparently didn't work out. Of course, there was a (small) delay, but eventually everybody knew about it before the patch was released.

    My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits from being made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public.

    • Okay, wrong reply (Yes, I scanned the article and saw the words 'microsoft' 'security' 'ask' 'question' and 0 comments, started typing like a wildman to be the first to type an intelligent question ... and realised just a bit too late that it wasn't a call for questions).

      Please mod me down before too many people notice my dumbness :)
    • If you have been following this on bugtraq MS hasn't fixed the problem and it is still possible to hide the file. Click this link and a patched IE6 will tell you you're downloading a txt file but it's really an exe. http://kuperus.xs4all.nl/microsoft.txt [xs4all.nl]
      • Actually it's even worse.

        No need to discuss that point on bugtraq, everybody in the web industry knows about it.

        I found that bug (or feature, according to MS) months ago (even years maybe), when trying to generate on-the-fly PDFs as part of the web application I was working on. I think that almost any engineer or programmer working on web sites should know it. This is not a problem of security by obscurity, but a problem of insecurity by stupidity (from MS).

        In fact, this is an argument to null the whole "security by obscurity" strategy. When every engineer or programmer knows about the bug, then there's no obscurity anymore. And with many of the security bugs found on MS OSes, it's what indeed happens, sooner or later. In fact, I think this is what happens with most software, not only MS', and that's why it's not responsible of them to use such a strategy.
    • "My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits to be made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public."

      How people *feel* about this issue is irrelevant. Full disclosure, for all its faults, has worked better than just telling the vendor or a select few. Generally what has happened when vulnerabilities were kept quiet was that the vendor sat on the problem or took care of it at its leisure, leaving systems open for crackers who could and did silently exploit the vulnerabilities. Full disclosure 1) lights a fire under the vendor so that it actually *does* something, and 2) allows others a chance to find ways of coping with the vulnerability until a fix comes.

      This is not theory; it has been shown to work in practice.
  • USA Patriot Act (Score:3, Informative)

    by pgrote (68235) on Wednesday December 19, 2001 @06:59PM (#2729126) Homepage
    The article references this. Here are a couple of URLs on it:

    Full Bill:
    http://www.politechbot.com/docs/usa.act.final.102401.html

    EFF Analysis:
    http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html
  • OS monoculture (Score:5, Insightful)

    by markj02 (544487) on Wednesday December 19, 2001 @07:01PM (#2729134)
    If you have one predominant operating system, you have a very fertile ground for viruses. Whether Schmidt just refuses to acknowledge this or just doesn't grasp it, it's a fact of life. Microsoft itself is a major problem when it comes to security because of their size and dominance, and they would be the problem even if they were much more careful about security in their products than they actually are.

    For this, as well as for many other reasons, it is essential that one operating system and one software company does not dominate the industry. The cost of dealing with cross-platform issues is the price we have to pay for a competitive market and a resilient infrastructure.

    Suggestions that our salvation lies in uniformity, market dominance by one company, and bigness are more reminiscent of the central planning of the USSR than of what has made our society so successful. It's kind of funny to see that some of the most staunch conservatives and defenders of Microsoft-style laissez-faire economics seem to be falling into the same trap that the communists fell into.

    • Some inside Microsoft understand this _Very_ well.

      It may have come out of their mouths at various times as "when Linux has our market share, Linux will have a similar number of vulnerabilities".

      When phrased that way, people often scoff.

      However, if you accept that Microsoft's installed base contributes to them being a common target of attacks (without considering the relative quality of the software), then it seems reasonable to presume that as the popularity of a system increases, the frequency of people looking for exploits on that system will also increase. If you believe there are always more bugs and exploits to be found, then it also follows that more vulnerabilities will be discovered.

      Summary? Part of MS's high number of security holes has to do with installed base size. (*1)
      As Linux popularity increases, it seems reasonable that the number of Linux vulnerabilities reported will increase as well.

      Yet when MS says "if Linux were as big as us, they'd be just as insecure", some people dismiss it outright.

      You say yourself that for many reasons, one OS should not dominate the industry. I agree. How many "Linux will rule the world" zealots would agree? Are those who do not as forward looking as you or I?

      *1 - This is not an excuse; a bigger part of MS's high number of security holes has to do with assumptions made during product design, and default configuration choices.
  • by Anonymous Coward on Wednesday December 19, 2001 @07:02PM (#2729139)
    Why does this interviewer have to keep comparing software attacks with the September 11th terrorist attacks? About the only thing they have in common is that they are both malicious. Beyond that, it has no place in an interview about Microsoft security. Very poor taste, IMO.

    - Just an AC
    • Real Threat (Score:3, Insightful)

      by Tony (765)
      If we have vulnerable systems, it is likely that terrorists will use our own weaknesses against us. As is mentioned in the interview, the cost of bringing down our communication systems is fairly small.

      Remember the Morris Worm? It brought the entire internet to its knees, and Robert Morris didn't mean to release it. What if a "virus" (more correctly, a worm or trojan) is created that destroys every MS-Windows installation? This means more than just Grandma Jane's computer-- I mean military, telecom, and hospital-controlling computer in the world.

      The threat isn't that great. Although it wouldn't be expensive in the monetary sense, it would be hard to engineer. But as long as the threat *exists,* it must be considered a potential.

      - Tony
      • What if a "virus" (more correctly, a worm or trojan) is created that destroys every MS-Windows installation? This means more than just Grandma Jane's computer-- I mean military, telecom, and hospital-controlling computer in the world.
        Well, then it's a good thing there are no critical military, telecom, or hospital systems running Windows.
    • It allows Microsoft to imply that releasing a virus, worm, or trojan is the same as killing thousands of innocent men, women, and children.

      Attacking M$ is analogous to Lex Luthor shining Kryptonite on Superman, an attack on truth, justice and the American way.

      It also allows Microsoft to imply that any vulnerabilities that were discovered before 9/11 aren't applicable to the present epoch. Not to mention that it lets Howard Schmidt put the interviewer, Paul Coe Clark III, on Microsoft's friendly interviewer list.
  • Typical responses? (Score:2, Insightful)

    by mac.newbold (458837)
    Isn't this the same old stuff we would expect to hear from MS? It sounds like it's just business as usual still. Someone points out that MS should feel responsible for the negligence they show in preventing errors (not to mention any negligence or undue delay in fixing them), and then MS just basically hands out excuses and changes the topic.

    Anyone who knows that they're a market leader does have a responsibility to see that their stuff isn't going to be the cause of the next great Internet collapse. MS is quickly becoming the leader in getting their bugs exploited, and with so much market penetration, we really could be facing quite a disaster when a better worm comes along.

    Does anyone out there work for some other big company with lots of market share? What type of responsibility do they assume for the security of their products?

    Mac

  • by plover (150551) on Wednesday December 19, 2001 @07:03PM (#2729144) Homepage Journal
    Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.

    A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.

    I don't know if the interviewer changed tapes in his recorder or what, but this is the single most important question he asked, and it was completely and totally unaddressed. This one question drives home the problem with Microsoft security, makes him aware that yes, we were all SCREAMING "Stop the madness" BEFORE it rolled out, and he waves his hands saying that hmm, we're meeting the new threat environment. What?

    Is there any chance that anyone of importance will see or read this interview? That's the shame. I'd love it if the appropriate congresspeople and/or attorneys-general could see this nonsense made more public.

    Not that I expect anyone in his position to actually answer all the questions asked, but it'd be nice if his lips moved in sync to his words, too.

    John

    • Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.

      A: Well, yes. You're right about that. We were given the signal loud and clear, and completely ignored it. We here at Microsoft are terrible at making software. In fact, please don't ever again buy any of our products. We are very, very bad.

      I mean, this guy is speaking on behalf of a multi-billion dollar software giant. He is not going to risk his job by embarrassing his whole company. That's why companies like MS (GM, American Airlines, Exxon) hire guys like this. For reference, consult any presidential press conference.
    • I think Howard Schmidt went to the Ari Fleischer school of question dodging and graduated with highest honors. Damn, there goes my karma--again!

    • This is Microsoft for God's sake. Think real hard, look over the last 20 or 30 things some top level MS exec said in public. Find one interview, statement, debate, press release or anything that did not contain at least one lie. I dare you.

      Every corporation has a culture. The culture MS has chosen to develop is one of lying, cheating and stealing.
  • Q: You're the chief security officer of Microsoft. Explain for us a little bit how security fits into the Microsoft corporate structure.

    A: Security?

    Q: ... yeah, security ...

    A: Oh... that......... Our policy is to blame the people who find the holes in our software...

    Q: What about the people who put the holes in the software in the first place?

    A: Yes, of course. We're currently trying to purge the Al Qaeda factions from our programming team.

  • They're trying (Score:4, Insightful)

    by --daz-- (139799) on Wednesday December 19, 2001 @07:09PM (#2729174)
    Microsoft has been getting better. Many of the current IIS exploits aren't in IIS at all, but in ISAPI extensions like Index Server (Code Red exploited this), and HTTP Printing in Win2K. Almost all of the exploits released last year and this year could've been blocked by simply following MS' security checklist.

    Needless to say, sysadmins apparently don't read checklists, follow best practices, or pay attention to alerts. I have seen real movement from MS (on their site, in comments on NT BugTraq, and in other places) that they take this security stuff seriously now, and they are coming out with some good tools (they're even subcontracting them to get them faster and by security companies who have a better track record) to help automate patch downloading and installation, scanning of network resources for missing patches, remote deployment of patches (for those 500 web servers you have in your datacenter), and various checker tools which will basically verify the security checklists for you.

    Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future.

    I know many of you dislike MS, but you must give them at least that.
    • This is exactly what gets me about MS...

      trusting the sysadmin's diligence

      Yeah, that's why they have system files hidden and an explanation of what the Start Menu does on Windows 2000 Advanced Server.

      The point of MS's software, pure and simple, is that the user doesn't have to even think to be able to use it... which is totally contradictory to the idea of a productive yet secure system...

      thoughts of desperation follow...
    • Re:They're trying (Score:5, Informative)

      by (H)elix1 (231155) <slashdot.helix@nOSPaM.gmail.com> on Wednesday December 19, 2001 @08:12PM (#2729518) Homepage Journal
      Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future.


      You think they are making strides to clean this up? Looks like patching the PR to me. Take a look at this...
      MS rolls out security obscurity bribe program [theregister.co.uk]

      Code of Conduct [microsoft.com]:
      Microsoft Gold Certified Security Solutions Partners are leaders in the security industry, not only in their products and solutions, but also in their standards of behavior. All Microsoft Gold Certified Security Solutions Partners shall follow a code of conduct regarding the responsible handling of security vulnerabilities. This code of conduct is intended to allow a product vendor to address any individual vulnerability and issue a patch, workaround or other response to the public. Microsoft Gold Certified Security Solutions Partners shall take reasonable steps to ensure that they do not publicly disclose details that would directly allow an outside party to develop or execute an attack exploiting the vulnerability.
    • Re:They're trying (Score:2, Interesting)

      by LoRider (16327)
      I will have to disagree with your statement, "Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future."

      Microsoft's approach to security has/had nothing to do with trusting sysadmins and everything to do with gaining market share. The marketing department drives development plain and simple. You really should open your eyes when you are working on them NT servers, do they look like servers?

      Microsoft's products should install out of the box as secure as possible, not with a blank SA password for SQL.

      I am forced to work in an NT world and I hate it. I have worked with many other server OS's like Novell and Linux distros, and MS stuff sucks.

      People who say NT is easy are wrong; NT is high maintenance, really high.

      Speaking of high... I gotta go, cough cough.
      The only good thing I can say about MS is that Windows 2000 works better than 95/98/ME ever did, but that's it.
  • This Guy (Score:2, Insightful)

    by AciDive (543624)
    Sounds more like the head of Marketing at Microsoft than the Head of Security. Most of his answers were the same marketing BS that come out of Micro$oft every time you ask anyone from there a question. I just wish Micro$oft would give straight answers instead of Marketing BS.
  • Tyops? (Score:2, Funny)

    by Steve G Swine (49788)
    Is there some sort of steganography going on in the typos of this interview?
  • I Loved this bit... (Score:5, Interesting)

    by schon (31600) on Wednesday December 19, 2001 @07:19PM (#2729225)
    (When asked about full disclosure, and publishing of exploits)

    In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.

    Yeah, except there really IS a fire.

    So when there is a fire in a movie theatre, he's suggesting the person who notices it just quietly goes and tells the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?

    Yeah, GREAT analogy.
    • I read that a little differently.

      My take was that he was saying that EVERYONE vulnerable should be notified in the most efficient way possible, but no one else really needs to know. I think that is the theoretical goal from his point of view. ie: if everyone in an apartment building has a security issue, you tell them. You do not post it on fliers in front of the building, or broadcast it to criminals.

      That being said, he, and Microsoft, are acting INCREDIBLY ignorant with respect to the way people use computers. People do not maintain computers, by and large. Paid administrators do, but home users work on it until something works, and then do not touch it out of fear that it will become a time sink. Eventually a bug is found, and they get remote rooted. I am still being attacked by computers on my subnet that have had IIS rooted and do not know about it. And that was published MONTHS ago.

      ANY operating system serving ports on the Internet has to be watched and maintained. Until Microsoft realizes this, and actively provides for it, their products will continue to be the least secure around.
  • by kilgore_47 (262118) <kilgore_47@yahoo.cREDHATom minus distro> on Wednesday December 19, 2001 @07:19PM (#2729227) Homepage Journal
    Howard Schmidt: I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there that, day after day after day, there's more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
    (bold added by me)

    Shouldn't a company with Microsoft's resources be able to identify security holes before the product is released?
    Maybe this "release-and-then-check-for-bugs" strategy explains why there are so many MS exploits?
    • by Frogg (27033)
      A wise man once told me: "You can't retrofit quality to a product"

      ..and 10+ years of software engineering have shown me that this does indeed appear to be true.
    • errrrrrmmmmmm ... yeah, like:

      cd src
      grep -r 'gets(' *

      would prevent a LOT of buffer overflows. Despite the following:
      Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security.
      Use fgets() instead.

      -- man -S3 gets()

      This nugget of easy-way-to-enhanced-security knowledge has been known for YEARS, yet C programmers blithely ignore it. I'm sure there's something equivalent in C++ too.
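Added example, not from the thread, the man page or Microsoft: a bounded stand-in for gets() built on fgets() that reports truncation instead of overrunning the buffer, and a small audit helper that counts gets( calls without the false positives on fgets( that the bare grep above produces. The names read_line, count_gets_calls and count_truncated, and the sample input, are my own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Bounded stand-in for gets(): reads at most size-1 bytes into buf with fgets(),
 * always NUL-terminates, strips the trailing newline, and reports when the input
 * line was longer than the buffer. The excess bytes, which gets() would have
 * written past the end of buf, are drained so the next call starts on a fresh
 * line instead of seeing the tail of this one. */
enum line_status read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0)
        return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: either the last line of the input or an over-long line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;             /* line fit exactly, or input ends without '\n' */
    do {
        c = fgetc(in);              /* drain the rest of the over-long line */
    } while (c != '\n' && c != EOF);
    return LINE_TRUNCATED;
}

/* Counts gets( calls in a chunk of C source text. A plain `grep gets(` also
 * matches fgets( and any my_gets(; here an identifier character right before
 * "gets(" rules the match out. Strings and comments are not parsed and a space
 * between "gets" and "(" is not recognised: this is a lint, not a parser. */
size_t count_gets_calls(const char *src)
{
    size_t n = 0;
    const char *p = src;
    while ((p = strstr(p, "gets(")) != NULL) {
        int in_identifier = p > src &&
                            (isalnum((unsigned char)p[-1]) || p[-1] == '_');
        if (!in_identifier)
            n++;
        p += strlen("gets(");
    }
    return n;
}

/* Feeds text line by line through read_line() into an 8-byte buffer that sits
 * directly in front of a canary and returns the number of truncated lines.
 * Returns -1 if the canary was overwritten (it never is: fgets stops at size-1)
 * and -2 if the temporary file could not be created. */
int count_truncated(const char *text)
{
    struct { char buf[8]; char canary[8]; } frame;
    memcpy(frame.canary, "CANARY!", 8);
    FILE *in = tmpfile();           /* standard-C stand-in for stdin or a socket stream */
    if (in == NULL)
        return -2;
    fputs(text, in);
    rewind(in);
    int truncated = 0;
    enum line_status st;
    while ((st = read_line(in, frame.buf, sizeof frame.buf)) != LINE_EOF)
        if (st == LINE_TRUNCATED)
            truncated++;
    fclose(in);
    if (memcmp(frame.canary, "CANARY!", 8) != 0)
        return -1;
    return truncated;
}

int main(void)
{
    /* Constructed input: two short lines, one over-long line, one that fits exactly. */
    const char *sample = "short\nthis line is far too long for the buffer\n1234567\nlast";
    printf("truncated lines: %d\n", count_truncated(sample));              /* 1 */
    printf("gets() calls: %zu\n", count_gets_calls("fgets(b, n, f); gets(b); my_gets(b);")); /* 1 */
    return 0;
}
```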
  • by Chris Burke (6130) on Wednesday December 19, 2001 @07:22PM (#2729243) Homepage
    In response to the question about MS making Good Times into reality (having scripting in email on by default), he said:

    If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.

    I don't know where he was living 15 years ago, but where I grew up (granted I didn't have a car then), there's no way you'd leave your keys in your car and act surprised when it was gone in the morning.

    If your car gets stolen because you left the keys in it, it's not entirely your fault because it's illegal to steal the car regardless. But it was still bloody stupid.

    If it was my friend who left my keys in the car, I'd be pissed as hell. And if the manufacturer put a spare key on every car in the exact same place so it was easy to find and my car got stolen, I'd join the class-action lawsuit that would surely result.

    It's one thing to say that MS has good security, and non-disclosure is the right way to go, etc etc. He has to. But to dismiss this question as though it wasn't their fault, without even a "Yeah, we shouldn't have done that", I think is demonstrative of the thinking that led to the problem in the first place.
    • Leave their keys in their cars, I mean. Is it stupid? Maybe, but so long as they don't get stolen (hint: after twenty odd years of this, they haven't) then you can say that in their situation it works.

      Really, this parallels the whole trust on the Internet thing. I don't leave mail relays open anymore, I don't run ftp or telnet services; hell, I don't even let my computer respond to ping or finger.

      Microsoft should have fixed their default settings problem a couple years ago. I wouldn't blame them for having it like that, though. Most Linux distributions come somewhat secure out of the box now, but a year ago most didn't.
  • Did someone interview the Security Chief at Microsloft and seriously expect to get something besides a politician? The guy even works three blocks from the WhiteHouse.
    • AHA! (Score:4, Troll)

      by Ungrounded Lightning (62228) on Wednesday December 19, 2001 @08:34PM (#2729596) Journal
      The guy even works three blocks from the WhiteHouse.

      The software is developed in a suburb of Seattle Washington (state) and the company's security chief works in Washington (DC), nearly as far from the software department as you can get and still be in the continental US.

      THAT explains the security problems in Microsoft products!

      B-)
  • by dica (27151) on Wednesday December 19, 2001 @07:52PM (#2729413)
    > What we're relating to is responsible reporting, and there's a difference. In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.

    But there is a fire. It's only irresponsible to shout "fire!" in a crowded movie theater if there isn't one, just like it would be irresponsible to post non-existent exploits to bugtraq.

    Mr. Schmidt is suggesting:

    • If you see a fire start in a movie theater, the responsible thing to do is:
      1. don't inform anyone at risk.
      2. get up quietly.
      3. report the fire to the movie theater's manager.
    • If the fire is due to negligence, it is irresponsible to tell people how the fire really started.
    • You have no moral authority to call the fire department, even if the manager refuses to evacuate the theater.

    • Geez... They must have cut their spin budget recently.

  • Logic fault (Score:3, Insightful)

    by The FooMiester (466716) <goimir@endlesshi[ ].org ['lls' in gap]> on Wednesday December 19, 2001 @07:52PM (#2729415) Homepage Journal
    Q: . . . things like . . . making e-mail attachments executable.

    A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer . . . it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?

    No, it's not. But if the Foo Car Company set all their remote locks to open when you clap your hands thrice, for "when your hands are filled with grocery bags, to save you from searching your pockets for the key", and only allowed this to be disabled by opening the hood and clipping the red wire with the blue tracer, I'd say they would be responsible for my aunt's CDs disappearing.

    Opening the hood and clipping a wire is farther than most people want to go when it comes to modifications. I'd even wager that it is more than many drivers are capable of. Searching around in the "control panel" is further than your average MS-Outlook user is likely to feel comfortable with. They are afraid of "breaking" things.

    The car keys are in the user interface portion of the car, I guess my point is. It's "easy" to remove them, put them in your pocket, to prevent unauthorized use. How "easy" is it to disable the trojan propagation in Outlook?
    • How do you clap your hands when they're filled with grocery bags? I don't think that product will ever take off. Sorry.
  • by Relic of the Future (118669) <dales@nOsPaM.digitalfreaks.org> on Wednesday December 19, 2001 @07:58PM (#2729447)
    Standards don't drive [development efforts], because what happens, you wind [up] in a situation where standards may turn around and inhibit the ability to innovate...

    Classic Microsoft... standards bad, embrace and extend good... we do it for security reasons, not because we're trying to leverage our monopoly power into yet-another market. I can almost understand the "don't tell anyone about the exploit until we have a chance to fix it" stance, but this makes me sick to my stomach.

    I would be in favor of government standards of security. And not just because it would force more open standards, but because it's a good idea. Yes, it will probably not be easy to implement, and it might force MS to ship a product or two late, but at least it will enforce some needed checks from a company whose concept of security is identifying problems after product release.

  • "My server got rooted, and all I got was assurance from Howard Schmidt that we have a special obligation to improve security"

  • by Dr. Awktagon (233360) on Wednesday December 19, 2001 @08:14PM (#2729534) Homepage

    I think security is recognized as the number-one priority across the company.

    After the interview, Mr. Schmidt realized that the question was actually about Microsoft's software products, and not about locking the doors each night at MS HQ.

  • I think security is recognized as the number-one priority across the company. That goes not only to operational security and securing our assets, but also to product development. (emphasis mine)

    Anyone else find his priorities in terms of security, shall I say, interesting?

    • Actually, no.

      The security officer in most companies is primarily responsible for the security of the company, its assets and employees. Not its customers, and not the quality of its products.

      The product managers should have primary responsibility for their products being secure and bug free, perhaps in consultation with the company security officer.

      For instance, at my company, the security officer has a big interest in how good the locks on the server room door are. He has a high level contribution to make about firewall policy and employee RAS access. He has no concern with what solaris patches are currently installed at our customer's sites, any more than he cares what door locks are used at our customer sites.
      • Thanks for the insight! From the way the article was written, it really looked like Howard Schmidt was in charge of security matters in Microsoft products above everything else. Things are kinda clearer that way.

  • A: I think security is recognized as the number-one priority across the company. (In reference to Microsoft)

    'Nuff said...

  • In some cases, it's tantamount to screaming "fire!" in a crowded movie theater. Responsible reporting means if you find a vulnerability, you contact the person in the best position to fix it,

    Bob, deciding to be a responsible reporter, silently walked out of the movie theater when he found the toilet was on fire. He then dialed 911 across the street for somebody to fix the problem: "Hi, are you sure you are the person in the best position to put the fire out? I wouldn't report until I get to this guy."
  • by john_uy (187459) on Wednesday December 19, 2001 @10:32PM (#2730030)
    As of Dec. 20, 2001, the total number of published security bulletins is only 58 compared to 100 in 2000 and 60 in 1999. This year, there are 4 cumulative patches so the actual number of published security threats is around 54.

    The last 3 security vulnerabilities for XP relate to IE, Windows Media, and USB plug and play feature.

    I should say that the products of Microsoft are just becoming mature right now. It is unfair to Linux and Unix since, I believe, they have been around ages before Microsoft introduced Windows. So in terms of maturity, Linux took years just as Microsoft is.

    Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products. And most people even some *nix guys say that WindowsXP is actually more stable than ever.

    It is also noteworthy to say that the base OS of Windows is getting more secure. It is just the apps integrated with the Internet that have most of the security threats like IE, Outlook, Office. For the servers in W2K, the services are the ones problematic and the user has the freedom to deactivate some and use an alternative. Like in Linux, the same thing applies where a server may use the services from different publishers.

    I am not saying that Microsoft is good or anything but I say that comparing Windows (PRO/HOME) and Linux/Unix is like comparing apples and oranges. They are built for different purposes, thus designed differently.

    In the server arena, I think that it is only in Windows 2000 that they released their 1st server OS and not in Windows NT 4.0. Their Windows .NET server hopefully will do better than W2K servers.
  • Q: Capacity issues...

    A: Right.

    Howard failed to see the sarcasm in Paul's response - he's being totally irrelevant in answering Paul's question. Paul asked about security in telecom, not freaking capacity issues!!!

    Talking about we ain't got enough clueless people to run the security....
  • We've all been saying that Microsoft should improve their security, but all the time Microsoft has! Here, have a look at what he says:

    I think security is recognized as the number-one priority across the company. That goes not only to operational security and
    securing our assets, but also to product development.

    I added the emphasis, but look at it! They are securing their assets. He lists security in product development as an afterthought.

    So now you know why they are so anti-piracy: they are securing their products.

  • by infinite9 (319274) on Wednesday December 19, 2001 @11:25PM (#2730214)

    Microsoft's head of security

    Isn't that like the taliban having a minister of women's rights?

    • ok yours was funny...

      ...that goes not only to operational security and securing our assets, but also to product development. In my role, I report to the CTO,...

      More something like the first thing below the minister. It is like saying "this is the most important thing", then "I am in charge of it", then "I am not the most important person at MS".
  • by Multics (45254) on Thursday December 20, 2001 @12:20AM (#2730368) Journal
    I'll make two un-MS remarks just so there is some content down here in the least-read section of these comments.

    1) As Multics taught us, security with significant hardware support is significantly easier to do than without. A result of this is that we need to be asking Intel (et al.) about help (like tagged memory blocks) in hardware. It really is time that we got away from just the stale Von Neumann ideas that Mr Cray graciously gave us in the 1960s and 1970s.

    2) Once the hardware exists, then we can move to implement better O/Ses that are significantly more robust. Everyone will win, even MS.

    -- Multics

  • by Pinball Wizard (161942) on Thursday December 20, 2001 @12:57AM (#2730463) Homepage Journal
    ...as an open source system. There's more to it than just "lots of eyeballs".

    For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this? Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.

    Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.

    The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.

    Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\ /" The command line actually hides the last three characters. And rm gets fed the first directory, and then the "/" separately. Yeah. You do the math. Needless to say, it wiped out quite a few of my files before I killed it.

    Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because (another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.

    Now, how many things can you count that would have never happened with an open source system? You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. It's very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.

    All in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, it's their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configurable, is less manageable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.

  • by ninewands (105734) on Thursday December 20, 2001 @01:04AM (#2730482)
    Gotta LOVE this exchange ...

    Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?

    A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? ...


    Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain, because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
  • For all Howard's no-doubt genuine enthusiasm, the truth is that because of short-term commercial pressures, Microsoft's priorities have always been:

    Number 1. Adding new product features
    Number 2. Getting products on the shelves
    Number 3. Security

    The reason for this is that people can't tell whether a product is secure by looking at reviews or even trying it out (and they sure as hell can't tell by looking at a shrink wrapped box). So, there are very few dollars in it short-term.

    Longer term, issues of reputation kick in - and Microsoft are finding that their poor reputation in this area is now biting them, especially as they move into net services.

    Unfortunately, turning an entire corporate culture around on a dime is not possible. Even if it was, there's way too much legacy software around, requiring compatibility. It will therefore be some time before their product security is all it should be.

    • Can't resist some MS bashing.

      Your list is incomplete:

      1. Adding new product features
      2. Getting products on the shelves
      3. Getting competitor's products off the shelves
      4. Getting competitors
      5. Blaming competitors for security flaws

      Seriously, though, Microsoft is a victim of its own success in at least two ways. It is true, as they so defensively claim, that their position as the number one OS and applications vendor makes them a huge target for hackers. It is also true that their legacy of subordinating software design to world domination has resulted in architectures that are much harder to secure than those that have had less interference from marketing. They may or may not have finally woken up to this truth. But in any event, as you say, it will take many years to recover from the poor design decisions that have resulted in their current security troubles. In the meantime, while they (presumably) work at incorporating security awareness into their design and development processes, and struggle to find ways to patch the holes in their huge installed base, they must work to limit the damage these flaws can inflict on their reputation. Thus we see them trying to muzzle those who publish flaws on full-disclosure lists like bugtraq. (I know the full-disclosure debate is more complicated than that, and so is Microsoft's relationship to the various security communities.) It is helpful to their cause that software design is esoteric and incomprehensible to most folks not directly connected to the industry. However, that was true of the issues in the anti-trust trial, and that didn't save them from a conviction, ultimately.

      Unfortunately, turning an entire corporate culture around on a dime is not possible.

      Well, now, remember that this is the company that realized that they had missed the Internet phenomenon in 1995, turned on a dime, and crushed Netscape in four years. It doesn't work to underestimate these guys. Besides, getting this security mess cleaned up (or at least improved) will make the World a Better Place (tm) for all of us. (At least all of us sysadmins.)
  • From Microsoft Digital Rights Management Operating System patent abstract:

    digital rights management operating system protects rights-managed data, such as downloaded content, from access by untrusted programs

    To protect the rights-managed data resident in memory, the digital rights management operating system refuses to load an untrusted program into memory

    If the untrusted program executes at the operating system level, such as a debugger, the digital rights management operating system renounces its trusted identity (it lobotomizes itself)

    To protect the rights-managed data on the page file, the digital rights management operating system prohibits raw access to the page file, or erases the data from the page file before allowing such access.

    operating system also limits the functions the user can perform on the rights-managed data and the trusted application

    provide a trusted clock used in place of the standard computer clock

    It's good to see Microsoft finally getting tough on security!

    -

  • BIND
    wu-ftpd
    Open-SSH
    TUX HTTPD
    lpd
    SYNcookies
    Lion
    Ramen
    Torn
    Adore
    etc...
    We get several attacks from compromised LINUX boxes every fucking day of the week!

    gee, that Microsoft software sure does suck...

    Some guy once said "Let him who is without sin cast the first stone."
    Do you see what I'm getting at here?
  • Hey, I got this brilliant firewall from Microsoft. Every time I do anything important, the screen turns blue and shows me lots of random garbage!!!!!

    Nobody can access my computer then - pretty neat, eh?

    Seriously, 2K is much better than NT was but I wonder whether Microsoft actually knows what computer security is? We were taught the initials C.I.A. That is Confidentiality, Integrity and Availability.

    It doesn't matter how a product fits into these categories as long as the customer knows what it is being provided. If you are selling a system and application to a customer and telling them that they can bet their business on it, then it had better not go down every other day or let the whole world and their dog in every time you connect to the Internet.
