Interview With Microsoft's Chief of Security
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks.
/. readers might find it interesting. They can find it here."
Contrary to popular belief (Score:5, Interesting)
Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."
If they were in the car business instead of the O/S business, a lot of people would be dead or mangled.
Re:Contrary to popular belief (Score:5, Interesting)
That's ultimately the only thing that can change the corporate machine... Death. Either the death of members of the machine or members of the public.
Look at the recent Ford/Firestone screwover: sure, there have been reports about how unsafe SUVs were for years, but Ford was able to rationalize those deaths away as just part of the 'acceptable highway fatality level' that Americans seem to be comfortable with.
It wasn't until people were able to say with proof positive that Ford SUVs and/or Firestone tires were directly responsible for human deaths that Ford was forced to change its practices.
Microsoft is in the same boat. It won't be until the Blue Screen of Death is really, provably responsible for human fatalities (think safety control at a power plant, or a crash aboard a military vehicle of some kind) that Microsoft will start being more responsible about their security and program design.
Re:Mod me down please (Score:1, Interesting)
It's true. I just intentionally did it here [slashdot.org] on that lame-assed sid about LOTR nerds. The post went straight to +4 before anybody started modding it down.
--ZM, posting anonymously to stay at the karma cap
I Loved this bit... (Score:5, Interesting)
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.
Yeah, except there really IS a fire.
So when there is a fire in a movie theatre, he's suggesting the person who notices it just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?
Yeah, GREAT analogy.
Re:Contrary to popular belief (Score:2, Interesting)
There's a huge difference, though, between games and operating systems. Letting the end users "beta test" an OS is by far the most insane excuse for laziness I've ever heard, and it's actually one of my biggest complaints against Microsoft.
You can pay people to test an OS, but I can guarantee you that's even LESS exciting than testing a game. An idea comes to mind, though.. get a bunch of young *hackers* together and *PAY* them well, to build programs that test the vulnerabilities of the OS.. or heck, get some seasoned hackers that are trustworthy for such a thing and pay them even better... I dunno.. just an idea...
Re:OS monoculture (Score:1, Interesting)
It is almost this good on Unix-based systems. Almost. It could be better. It could work beyond. A model, in my mind, is Apple's Carbon-compatible programs. They run, seamlessly, on two completely different architectures. (And there is no technical reason they couldn't run on more with just as much ease to the end user.)
There have been attempts to standardize. The flaw is usually that the intent is to standardize for programmers, not for end-users. I believe the technology exists to standardize to the point where:
It doesn't matter what OS you use.
It doesn't matter what window manager you use, on an OS that supports more than one.
It doesn't matter what language the programmer worked in. (As long as they can make the system calls correctly.)
It only matters what platform you are on if the programmer wants it to.
That is to say, it does not matter to the end user. They can buy/download a program and it works. They should not have to know any of the above to install and use the program.
What do you think? Can we create the world described?
Screaming "fire!" in a crowded movie theater (Score:3, Interesting)
But there is a fire. It's only irresponsible to shout "fire!" in a crowded movie theater if there isn't one, just like it would be irresponsible to post non-existent exploits to bugtraq.
Mr. Schmidt is suggesting:
Geez... They must have cut their spin budget recently.
Standards, "Innovation", Best Practices (Score:3, Interesting)
Classic Microsoft... standards bad, embrace and extend good... we do it for security reasons, not because we're trying to leverage our monopoly power into yet-another market. I can almost understand the "don't tell anyone about the exploit until we have a chance to fix it" stance, but this makes me sick to my stomach.
I would be in favor of government standards of security. And not just because it would force more open standards, but because it's a good idea. Yes, it will probably not be easy to implement, and it might force MS to ship a product or two late, but at least it will enforce some needed checks from a company whose concept of security is identifying problems after product release.
Re:They're trying (Score:2, Interesting)
Microsoft's approach to security has/had nothing to do with trusting sysadmins and everything to do with gaining market share. The marketing department drives development plain and simple. You really should open your eyes when you are working on them NT servers, do they look like servers?
Microsoft's products should install out of the box as secure as possible, not with a blank SA password for SQL.
I am forced to work in an NT world and I hate it. I have worked with many other server OS's like Novell and Linux distros, and MS stuff sucks.
People who say NT is easy are wrong. NT is high maintenance, really high.
Speaking of high...I gotta go cough cough
The only good thing I can say about MS is that Windows 2000 works better than 95/98/ME ever did, but that's it.
Re:OS monoculture (Score:1, Interesting)
In one word, yes.
Usually, viruses are written for entertainment value, bragging rights, and desire to create damage and/or chaos. The more widespread the virus, the more these goals are achieved. And to get a wide-acting virus, you hit a dominant platform. This would happen regardless of the OS.
Of course, with an open OS, the response to the core vulnerabilities can be much more timely, preventing the spread of variants, too.
But in the final analysis, the spread follows epidemiological curves quite nicely and monoculture in software is as fatal as it is in agriculture, regardless of how you feel about your "superior" breed...
Re:Contrary to popular belief (Score:2, Interesting)
Re:Basics of security (Score:1, Interesting)
The guy has a clear conflict with public interest and public relations, and there is no evidence he has independent authority, or a mandate to make radical changes. Remember the bit about auditors being independent and being seen to be independent taught in accounting 101. Same for security.
Bruce Schneier and others have made comments about this before, and have offered to help in the past. Very arrogant to assume the company (MS) can do it better internally.
This guy is a public relations front.
Were I him, I would have released every damn secret/obscure registry setting, and how to disable active extensions, and undo the 'speed' boosters improperly inserted into supervisor spaces.
Look at BSD or Qmail, where processes are chrooted and protected by design, and Solaris and AIX, which have cleaner security models. They have moved up the security ladder, whilst MS has remained stationary.
Code repetition.
Parsing a URL: traversal should be handled in one bit of code only, not in 20-30 spots. This tells you plenty about internal structures and standards. They need to rationalize duplicate or near-duplicate function calls.
In defence of the security guy, he has inherited an insecure model, and is probably chipping away. I won't be impressed until I see code metrics and audit statistics being posted.
Taking the source code and publishing the word count, and alphabetically sorted symbol tables would be a good start.
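The comment above argues that traversal handling belongs in one place rather than scattered across 20-30 call sites. As an added example (not from the comment, from the interview, or from any Microsoft code), this is what such a single choke point looks like: every request handler calls resolve_request_path(), which decodes, canonicalizes and then checks the path once. The document root and request strings are constructed samples, and the function names are this example's own.

```python
"""One choke point for URL-path handling: decode, canonicalize, check, done.
Added example; the names and sample inputs here are assumptions, not code
from the comment or from any real server."""
from pathlib import PurePosixPath
from typing import List
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path cannot be mapped safely under the root."""


def _decode_fully(raw: str, rounds: int = 3) -> str:
    # Attackers stack encodings (%252e%252e -> %2e%2e -> ..); decode until the
    # string is stable, and give up if it never settles within a few rounds.
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return raw
        raw = decoded
    raise TraversalError("too many encoding layers")


def normalize_url_path(raw_path: str) -> str:
    """Return a canonical absolute path such as '/a/b', or raise TraversalError.

    '.' segments and empty segments are dropped, '..' pops the previous
    segment, and a '..' that would climb above the root is rejected rather
    than silently clamped, so a probe shows up in the logs."""
    path = _decode_fully(raw_path.split("?", 1)[0])
    path = path.replace("\\", "/")  # IIS-style backslashes are separators too
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    parts: List[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise TraversalError("path escapes document root")
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def resolve_request_path(document_root: str, raw_path: str) -> str:
    """Map a request path onto the document root. This is the ONLY place that
    performs the traversal check; handlers never strip '..' themselves."""
    canonical = normalize_url_path(raw_path)
    root = PurePosixPath(document_root)
    target = root.joinpath(canonical.lstrip("/"))
    # Belt and braces: normalize_url_path already guarantees this holds.
    if target != root and root not in target.parents:
        raise TraversalError("resolved path left the document root")
    return str(target)


def is_safe_request(raw_path: str) -> bool:
    """Convenience wrapper for logging/tests: True if the path canonicalizes."""
    try:
        normalize_url_path(raw_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests; the last two are classic traversal probes.
    for req in ("/docs/../index.html",
                "/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
                "/%252e%252e/etc/passwd"):
        print(req, "->", "ok" if is_safe_request(req) else "REJECTED")
```

Because every handler goes through resolve_request_path(), a new encoding trick (a fresh decoder layer, a new separator) is fixed by editing one function, which is the point the comment makes about duplicated parsing code.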
Re:Logic fault (Score:2, Interesting)
I never compared the two. I just made a simple analogy, much akin to the one posted in the interview. I just happen to think mine is more correct.
But nevertheless, in terms of functionality, Linux is not very user friendly (you have to do lots of steps) in order to reduce the faults in the system (whether security or stability.)
Strictly speaking, your average Linux OOB (out of box) experience is safer than your average Windows OOB experience. I receive daily trojan emails, but see nothing in my ftpd logs.
Microsoft, on the other hand, wants every user to be able to use a PC even if it is their first time using one. In the process of doing that, if you disable all features (because of security) then nobody will buy their OS, since I believe their support call center will be full 100% of the time.
Be able to, be forced to, what's the difference, right? There has to be a certain expectation of knowledge.
Also, there's a difference between useful and secure. M$ may have done a bad thing when they allowed
It's funny you mention that nobody would buy their OS if it were secure.
Re:Damning with faint praise (Score:5, Interesting)
Absolutely. I remember when a recent (not too serious) hole was found *by* SuSE's security team (I don't remember the package, sorry). One of the primary reasons I run SuSE is because of their awesome security team [suse.com]. They borrow a ton of stuff from OpenBSD, and that's a good thing. I also highly recommend their security mailing list no matter what distro you use, and their security scripts are deliberately distro-blind (I've installed them on critical Red Hat servers at work, and they work beautifully).
I ran YOU (YaST Online Update) manually and I looked through all of the updates. They submitted the patch to the original developers before sticking new packages on their servers. The new version of that package from the original developers (ie: they applied SuSE's patch) was released three days later.
But that's not the most important thing. Am I screwed if SuSE dies? Hell, no. My number one reason for preferring open source is that I can get *anybody* to do the work for me, including myself.
I've said it many times before: price is not the issue, control is. Sure, I can get SuSE for free all I want, but I pay for it just so their packagers and bug-fixers get to stay on board.
a non-MS bash (just this once) (Score:3, Interesting)
1) As Multics taught us, security with significant hardware support is significantly easier to do than without. A result of this is that we need to be asking Intel (et al.) about help (like tagged memory blocks) in hardware. It really is time that we got away from just the stale von Neumann ideas that Mr Cray graciously gave us in the 1960s and 1970s.
2) Once the hardware exists, then we can move to implement better O/Ses that are significantly more robust. Everyone will win, even MS.
-- Multics
Closed source can never be as secure (Score:4, Interesting)
For instance: even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this? Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because(another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system? You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. It's very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, it's their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configurable, is less manageable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.