Security

Interview With Microsoft's Chief of Security 245

Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks. /. readers might find it interesting. They can find it here."

  • by Tackhead ( 54550 ) on Wednesday December 19, 2001 @06:53PM (#2729097)
    > Q: [another expert] said his theory was "D3" - "declassify, demystify and diversify (software)." All three of those things are not things associated with Microsoft. Is that a policy you'd take issue with?
    >
    > A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.

    Conspicuously absent is any description of Microsoft's response when someone else finds the security vulnerability in their products.

  • Fire this man (Score:1, Insightful)

    by CordMeyer ( 452485 ) on Wednesday December 19, 2001 @06:56PM (#2729116) Homepage
    Could the blame for Microsoft's security issues fall on this man? Rushing products before they are fully tested.
    Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs.
  • OS monoculture (Score:5, Insightful)

    by markj02 ( 544487 ) on Wednesday December 19, 2001 @07:01PM (#2729134)
    If you have one predominant operating system, you have a very fertile ground for viruses. Whether Schmidt just refuses to acknowledge this or just doesn't grasp it, it's a fact of life. Microsoft itself is a major problem when it comes to security because of their size and dominance, and they would be the problem even if they were much more careful about security in their products than they actually are.

    For this, as well as for many other reasons, it is essential that one operating system and one software company does not dominate the industry. The cost of dealing with cross-platform issues is the price we have to pay for a competitive market and a resilient infrastructure.

    Suggestions that our salvation lies in uniformity, market dominance by one company, and bigness are more reminiscent of the central planning of the USSR than of what has made our society so successful. It's kind of funny to see that some of the most staunch conservatives and defenders of Microsoft-style laissez-faire economics seem to be falling into the same trap that the communists fell into.

  • by Anonymous Coward on Wednesday December 19, 2001 @07:02PM (#2729139)
    Why does this interviewer have to keep comparing software attacks with the September 11th terrorist attacks? About the only thing they have in common is that they are both malicious. Beyond that, it has no place in an interview about Microsoft security. Very poor taste, IMO.

    - Just an AC
  • Typical responses? (Score:2, Insightful)

    by mac.newbold ( 458837 ) <mac@macnewbold.com> on Wednesday December 19, 2001 @07:03PM (#2729142) Homepage
    Isn't this the same old stuff we would expect to hear from MS? It sounds like it's just business as usual still. Someone points out that MS should feel responsible for the negligence they show in preventing errors (not to mention any negligence or undue delay in fixing them), and then MS just basically hands out excuses and changes the topic.

    Anyone who knows that they're a market leader does have a responsibility to see that their stuff isn't going to be the cause of the next great Internet collapse. MS is quickly becoming the leader in getting their bugs exploited, and with so much market penetration, we really could be facing quite a disaster when a better worm comes along.

    Does anyone out there work for some other big company with lots of market share? What type of responsibility do they assume for the security of their products?

    Mac

  • by plover ( 150551 ) on Wednesday December 19, 2001 @07:03PM (#2729144) Homepage Journal
    > Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.
    >
    > A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.

    I don't know if the interviewer changed tapes in his recorder or what, but this is the single most important question he asked, and it was completely and totally unaddressed. This one question drives home the problem with Microsoft security, makes him aware that yes, we were all SCREAMING "Stop the madness" BEFORE it rolled out, and he waves his hands saying that hmm, we're meeting the new threat environment. What?

    Is there any chance that anyone of importance will see or read this interview? That's the shame. I'd love it if the appropriate congresspeople and/or attorneys-general could see this nonsense made more public.

    Not that I expect anyone in his position to actually answer all the questions asked, but it'd be nice if his lips moved in sync to his words, too.

    John

  • They're trying (Score:4, Insightful)

    by --daz-- ( 139799 ) on Wednesday December 19, 2001 @07:09PM (#2729174)
    Microsoft has been getting better. Many of the current IIS exploits aren't in IIS at all, but in ISAPI extensions like Index Server (Code Red exploited this), and HTTP Printing in Win2K. Almost all of the exploits released last year and this year could've been blocked by simply following MS' security checklist.

    Needless to say, sysadmins apparently don't read checklists, follow best practices, or pay attention to alerts. I have seen real movement from MS (on their site, in comments on NT BugTraq, and in other places) that they take this security stuff seriously now, and they are coming out with some good tools (they're even subcontracting them to get them faster and by security companies who have a better track record) to help automate patch downloading and installation, scanning of network resources for missing patches, remote deployment of patches (for those 500 web servers you have in your datacenter), and various checker tools which will basically verify the security checklists for you.

    Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's diligence), and they are making strong strides to change this now, and in the future.

    I know many of you dislike MS, but you must give them at least that.
  • This Guy (Score:2, Insightful)

    by AciDive ( 543624 ) on Wednesday December 19, 2001 @07:10PM (#2729176)
    Sounds more like the head of Marketing at Microsoft than the Head of Security. Most of his answers were the same marketing BS that come out of Micro$oft every time you ask anyone from there a question. I just wish Micro$oft would give straight answers instead of Marketing BS.
  • by kilgore_47 ( 262118 ) <kilgore_47@y a h o o .com> on Wednesday December 19, 2001 @07:19PM (#2729227) Homepage Journal
    > Howard Schmidt: I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there that, day after day after day, there's more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.

    (bold added by me)

    Shouldn't a company with Microsoft's resources be able to identify security holes before the product is released?
    Maybe this "release-and-then-check-for-bugs" strategy explains why there are so many MS exploits?
  • by Chris Burke ( 6130 ) on Wednesday December 19, 2001 @07:22PM (#2729243) Homepage
    In response to the question about MS making Good Times into reality (having scripting in email on by default), he said:

    > If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.

    I don't know where he was living 15 years ago, but where I grew up (granted I didn't have a car then), there's no way you'd leave your keys in your car and act surprised when it was gone in the morning.

    If your car gets stolen because you left the keys in it, it's not entirely your fault because it's illegal to steal the car regardless. But it was still bloody stupid.

    If it was my friend who left my keys in the car, I'd be pissed as hell. And if the manufacturer put a spare key on every car in the exact same place so it was easy to find and my car got stolen, I'd join the class-action lawsuit that would surely result.

    It's one thing to say that MS has good security, and non-disclosure is the right way to go, etc etc. He has to. But to dismiss this question as though it wasn't their fault, without even a "Yeah, we shouldn't have done that", I think is demonstrative of the thinking that led to the problem in the first place.
  • by kilgore_47 ( 262118 ) <kilgore_47@y a h o o .com> on Wednesday December 19, 2001 @07:34PM (#2729309) Homepage Journal
    > Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (Think safety control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.

    More likely, when there are human fatalities as a result of MS bugs, that's when MS lawyers will remind the grieving families (and anyone else who complains) that they are not responsible for damages caused by their software. They'll insist it was someone else's fault (maybe sacrifice the MCSE who installed the deadly setup), and not change their ways one little bit.

    As much as I hate Microsoft, I'd be rooting for them in such a case. The reason is because a ruling against them would set the precedent that software companies are legally liable for misuse of their products. The resulting frivolous lawsuits (certainly people would figure out how to hurt themselves with other software products) would be overwhelming.
  • by gazbo ( 517111 ) on Wednesday December 19, 2001 @07:52PM (#2729412)
    > It's not like you can fix it yourself since you are not allowed to see and modify the code.

    99.5% of [insert open source app here] users cannot 'fix it themselves' either, because they don't have the technical knowledge of every package in a system, or they don't have time to fix it. The more likely a person is to be able to fix a security exploit on a production machine, the more it would cost for their time.

    I agree in theory that open source wins here, but in practice the vast majority of people are reliant on patches supplied by distributors.
  • Logic fault (Score:3, Insightful)

    by The FooMiester ( 466716 ) <goimir@NOspAM.endlesshills.org> on Wednesday December 19, 2001 @07:52PM (#2729415) Homepage Journal
    > Q: . . . things like . . . making e-mail attachments executable.
    >
    > A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer . . . it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?

    No, it's not. But if the Foo Car Company set all their remote locks to open when you clap your hands thrice, for "when your hands are filled with grocery bags, to save you from searching your pockets for the key", and only allowed this to be disabled by opening the hood and clipping the red wire with the blue tracer, I'd say they would be responsible for my aunt's CDs disappearing.

    Opening the hood and clipping a wire is farther than most people want to go when it comes to modifications. I'd even wager that it is more than many drivers are capable of. Searching around in the "control panel" is further than your average MS-Outlook user is likely to feel comfortable with. They are afraid of "breaking" things.

    The car keys are in the user interface portion of the car, I guess my point is. It's "easy" to remove them, put them in your pocket, to prevent unauthorized use. How "easy" is it to disable the trojan propagation in Outlook?
  • Real Threat (Score:3, Insightful)

    by Tony ( 765 ) on Wednesday December 19, 2001 @08:09PM (#2729507) Journal
    If we have vulnerable systems, it is likely that terrorists will use our own weaknesses against us. As is mentioned in the interview, the cost of bringing down our communication systems is fairly small.

    Remember the Morris Worm? It brought the entire internet to its knees, and Robert Morris didn't mean to release it. What if a "virus" (more correctly, a worm or trojan) is created that destroys every MS-Windows installation? This means more than just Grandma Jane's computer-- I mean military, telecom, and hospital-controlling computer in the world.

    The threat isn't that great. Although it wouldn't be expensive in the monetary sense, it would be hard to engineer. But as long as the threat *exists,* it must be considered a potential.

    - Tony
  • by gtaluvit ( 218726 ) on Wednesday December 19, 2001 @08:43PM (#2729632)
    No, this is not flame bait, but the guy points out a perfectly valid point: every other OS has the same problem in terms of vulnerabilities. The difference comes from the user base. If you look at the typical linux user vs. the typical windows user, you're looking at two different people. My grandmother could never use linux, and by the same token, could never turn stuff OFF in windows. So if IIS is turned on, or Remote Assistance, she's not going to know a darn thing on how to disable it or secure our machine. Me on the other hand, I've got the virusscan doing daily updates, the firewall, etc. It's not that windows is any less secure than linux, it's just that it COMES less secure and users can't fix it easily.
  • by sholden ( 12227 ) on Wednesday December 19, 2001 @08:52PM (#2729661) Homepage
    > 99.5% of [insert open source app here] users cannot 'fix it themselves' either, because they don't have the technical knowledge of every package in a system, or they don't have time to fix it. The more likely a person is to be able to fix a security exploit on a production machine, the more it would cost for their time.

    However with Open Source software there tends to be more than one distributor.

    If the author of ProgramX doesn't fix a security hole, then debian might, or redhat might, or suse might, and as soon as one does the others can grab their fix and incorporate in their distribution.

    So if the individual user doesn't have the time/ability to patch a hole, at least there is a reasonably large number of distributions competing to fix it (after all consistently being first to release security patches is one way to win customers to your distribution). Rather than the one and only source not bothering for a few days/weeks/months since they know no one else can patch it first and win over their customers.

    Capitalism sucks. But it sucks less than all the other systems we've tried over all of history. Open source leverages capitalism in a way that makes it humorous that people often label it as 'communist'...
  • by Frogg ( 27033 ) on Wednesday December 19, 2001 @09:17PM (#2729753)
    A wise man once told me: "You can't retrofit quality to a product"

    ..and 10+ years of software engineering have shown me that this does indeed appear to be true.
  • by ninewands ( 105734 ) on Thursday December 20, 2001 @01:04AM (#2730482)
    Gotta LOVE this exchange ...

    > Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?
    >
    > A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? ...

    Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain, because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
  • by Malcontent ( 40834 ) on Thursday December 20, 2001 @01:43AM (#2730612)
    This is Microsoft for god's sake. Think real hard, look over the last 20 or thirty things some top level MS exec said in public. Find one interview, statement, debate, press release or anything that did not contain at least one lie. I dare you.

    Every corporation has a culture. The culture MS has chosen to develop is one of lying, cheating and stealing.
  • by Kirruth ( 544020 ) on Thursday December 20, 2001 @02:45AM (#2730753) Homepage
    For all Howard's no-doubt genuine enthusiasm, the truth is that because of short-term commercial pressures, Microsoft's priorities have always been:

    Number 1. Adding new product features
    Number 2. Getting products on the shelves
    Number 3. Security

    The reason for this is that people can't tell whether a product is secure by looking at reviews or even trying it out (and they sure as hell can't tell by looking at a shrink wrapped box). So, there are very few dollars in it short-term.

    Longer term, issues of reputation kick in - and Microsoft are finding that their poor reputation in this area is now biting them, especially as they move into net services.

    Unfortunately, turning an entire corporate culture around on a dime is not possible. Even if it was, there's way too much legacy software around, requiring compatibility. It will therefore be some time before their product security is all it should be.

  • by hbo ( 62590 ) on Thursday December 20, 2001 @06:13AM (#2731101) Homepage
    Can't resist some MS bashing.

    Your list is incomplete:

    1. Adding new product features
    2. Getting products on the shelves
    3. Getting competitor's products off the shelves
    4. Getting competitors
    5. Blaming competitors for security flaws

    Seriously, though, Microsoft is a victim of its own success in at least two ways. It is true, as they so defensively claim, that their position as the number one OS and applications vendor makes them a huge target for hackers. It is also true that their legacy of subordinating software design to world domination has resulted in architectures that are much harder to secure than those that have had less interference from marketing. They may or may not have finally woken up to this truth. But in any event, as you say, it will take many years to recover from the poor design decisions that have resulted in their current security troubles. In the meantime, while they (presumably) work at incorporating security awareness into their design and development processes, and struggle to find ways to patch the holes in their huge installed base, they must work to limit the damage these flaws can inflict on their reputation. Thus we see them trying to muzzle those who publish flaws on full-disclosure lists like bugtraq. (I know the full-disclosure debate is more complicated than that, and so is Microsoft's relationship to the various security communities.) It is helpful to their cause that software design is esoteric and incomprehensible to most folks not directly connected to the industry. However, that was true of the issues in the anti-trust trial, and that didn't save them from a conviction, ultimately.

    > Unfortunately, turning an entire corporate culture around on a dime is not possible.

    Well, now, remember that this is the company that realized that they had missed the Internet phenomenon in 1995, turned on a dime, and crushed Netscape in four years. It doesn't work to underestimate these guys. Besides, getting this security mess cleaned up (or at least improved) will make the World a Better Place (tm) for all of us. (At least all of us sysadmins.)
