Cryptogram Judges MS Security 204
johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to "provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity."
Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M : A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.
here goes... (Score:2, Insightful)
They are making an effort now. I firmly believe that this is a good thing. Of course, there will be the usual rebuttals:
what took them so long
why are they caring about security now, etc.
Hey who cares why or how, just consider this a good thing that they are more involved in security now. Btw, remember the last time MS went after something with a vengeance? I do.
*shudder*
Re:here goes... (Score:2)
How is this security going to be achieved, fix a few wholes and be a little more careful in the future, then throw the rest of the budget at a multi million dollar ad campaign saying Win XP is the most secure ever?
Re:here goes... (Score:4, Insightful)
why are they caring about security now, etc.
Hey who cares why or how
Microsoft cares about security becouse Microsoft cares about profit. When lack of security and stability meant lower profits, Microsoft cared.
Recall when Microsoft went after Java (the language, not the platform). Didn't work. And how's their VM compatability with 1.4 now? If "security" doesn't work out for them, what makes you think they won't switch gears and worry more about drop shadows?
Re:here goes... (Score:1)
They never went after the language, only the platform. Who restricted them from including a VM? Why exactly did they make J++? Why did they 'embrace and extend' the platform with COM specific stuff?
Why are they so keen on providing Java support for
And how's YOUR compatibility with 1.4 now??
Re:here goes... (Score:2)
What does that have to do with anything? Do you judge products on the motivations of the creator, or on their actual merit?
Re:here goes... (Score:2)
Re:here goes... (Score:2)
Without testing everything against all possible combinations, the reputation of the vendor is probably the best and maybe the only reasonable guide to future performance.
Re:here goes... (Score:2)
It seems to me that all of these contribute to the merit of the product. Patches, upgrades, new versions, etc. add value to the original product, even if they don't come in the same box.
Again, I really don't care if someone provides good support because they like their customers or because they want my money tomorrow. What difference does it make?
Re:here goes... (Score:2)
Microsoft hasn't changed (Score:3, Informative)
Re:Microsoft hasn't changed (Score:2)
But that is ok since that will be their undoing. And twenty years down the road we will say "Microsoft who?". Just like Unisys, Wang and most likely XEROX. Companies that do not address the real issues die off. IBM learned those lessons!
Re:Microsoft hasn't changed (Score:2)
Well, he didn't say it would be a better level.
Since there are already such as OpenBSD, TrustedSolaris(sp?), VMS, MVS, you have to wonder just what this whole new level really is. Scary.
Re:here goes... (Score:3, Insightful)
Btw, remember the last time MS went after something with a vengeance? I do.
Yeah, it was on slashdot yesterday. Bribing politicians with a vengence. Too bad they can't do the same thing to their customers (think "Windows is more stable...and here's your kickback to prove it!")
Re:here goes... (Score:2, Informative)
That is the question. Certainly it would be a very good thing if they are making the effort, but are they? Schneier said it better than I could:
"...I hope he's right when he says that Microsoft is committed to that challenge. I don't know for sure, though. I can't tell if the Gates memo represents a real change in Microsoft, or just another marketing tactic. Microsoft has made so many empty claims about their security processes -- and the security of their processes -- that when I hear another one I can't help believing it's more of the same flim-flam. "
Re:here goes... (Score:3, Interesting)
Re:here goes... (Score:3, Insightful)
There's a big difference between putting Company ABC out of business and producing highly secure software. The former can be accomplished by the book, or by crook. The latter can only be accomplished by the book. It remains to be seen how willing Microsoft will be to do things this way, considering how unconventional they have become.
I think Microsoft has realized that their own software needs to be addressed first and foremost if they are to win the war against Linux. Of course, like in "War Games", the game can't be "won" per se. The only victory is NOT to play. Thus, the sooner Microsoft stops trying to "beat" Linux, the better for everyone.
Some consider it irrelevant that until recently, Microsoft could have cared less about security. They have hidden behind UCITA and their monolithic EULAs, all the while reducing security by increasing programmability. Their oversimplification, while giving developers more control, also gave hackers more control.
Choose to ignore facts if you wish, but your own credibility is at stake. To say what happened a year ago doesn't matter this year is just as dumb as saying this year doesn't matter once it's over. Responding to a "usual rebuttal" with an equally "usual rebuttal" isn't the best way to discredit them... or is it? You make the call.
that would be the browser wouldn't it ? (Score:2)
I really dislike their business practices but if they make a good product...someday they might...
Re:here goes... (Score:2)
Until they actually prove themselves with a fairly secure product, I'm going to be wary of any company that employs a 'Security Assurance Director'.
trust (Score:5, Insightful)
microsoft, right now, is in that stage. people have just started discovering that they can't trust microsoft. wheather they can or not is not the issue, but the perception of trust is ruined. it will take a long period of dilligence and commitment to prove themselves worthy of trust again. on the other hand, i kind of wish many other companies would make an honest attempt to regain our trust
Re:trust (Score:3, Insightful)
The public conception of Microsoft is very far from that of the average Slashdot reader. I overheard on the subway the other day a woman raving about how much she loves Windows XP. She was telling this other woman that she added memory and upgraded to XP and it is like having a brand new machine. I felt like asking her if she downloaded the UPnP patch but I try to avoid talking to people on the subway. I also work with hundreds of people who love Windows 2000.
So there in lies part of the problem. The public doesn't really know and for the most part doesn't care about the problems. Try going to an average user and explaining all of this to them and see if you don't get the look. We have to seriously root for Microsoft to fix the security holes not because they need to improve their image but because the average user doesn't care.
Re:trust (Score:3, Insightful)
even at my job i see a greater decreating confidence in microsoft amonst the technically inclined. there seems to be two camps.
- those that use ms product implicitly (even though many of them have countless problems). this camp graduated from the "no one ever got fired for buying IBM" school.
- those who preffer to use non-ms products when ever possible. this is a slow, but apparently growing minority
atleast where i work that's the two camps...Re:trust (Score:3, Insightful)
By the way, the last 3 VP's is not that difficult for most people because they are pretty humurous. Dick Cheney's safe location, Al Gore's internet, and Dan Quayle's potatoe [sic].
Re:trust (Score:3, Interesting)
it's kind of like that line in "Fight Club," where he explains that his company doesn't do safety recals unless the cost of the recal would be cheaper than the cost of the law suits when x amount of people die, because of faulty manufacture...
yes i know it's wishful thinking but as long as those coperations know that we will hound them to the end of their days, they might actually conceede some of their profits for quality... even if just for some good publicityRe:trust (Score:2)
two words: Ford Pinto. Ford was harmed for years after the public lost trust in Ford due to the Pinto.
For those who might not know. The Ford Pinto was a cheap poorly designed car of the 70s that had a nasty tendancy to burst into flames when struck from behind in minor collisions. Ford execs knew of this problem but decided against a recall as the cost was greater then the cost of a few lawsuits. see the internal Frod memo [motherjones.com] and more information [motherjones.com]
recursive story? (Score:2)
Anti-innovation (Score:3, Insightful)
Nobody wants to have a secure product in which you have to manually enable all the great features because of which you bought it in the first place! Secondly, no-one has time to keep up with all the security alerts. That's why an automatic patch system is absolutely necessary.
Microsoft is being realistic. The author of this article is not.
Public nuisance (Score:3, Insightful)
This may seem like a harsh judgement, but the cost of Outlook and IIS bugs is rapidly getting to the point where a lot of admins are ready to take drastic measures to protect their own networks. That's why many sites are stripping executable attachments - and the crap like that "begin" bug discussed a few weeks ago are pushing some sites to outright Outlook bans because it's proving too costly to try to work around Microsoft's ongoing indifference to security.
Re:Anti-innovation (Score:3, Insightful)
Nothing in the article addresses the problem that you MUST have a feature-over-security attitude to make a killer application.
I disagree with this. To develop a commercial application, there should be a good balance of both features and security. It's true that you may compromise on that third security code audit that you were planning to get the thing out of the door and onto a palette, but it's irresponsible (and could constitute negligence legally) to knowingly develop an insecure product just because you want to add more features.
Also, keep in mind that the marketroids always want you, the end-user/customer, to believe that they're acting in your best interest by releasing a buggy product Right Now(TM), so of course they're going to try to convince you not only how much you really need those new features (which will go unused in somewhere around 80% of the install base), but also to imply that you would've had to wait an inordinate amount of time to receive the product if they had gone back over it with the proverbial "fine-toothed comb" known as a security audit. In reality, however, security audits should definitely NOT be the afterbirth of development...proper security programming practices should be enforced during development so that the code can be as secure as possible from the day the code is first written. Using C functions like gets() without doing overflow checking, for example, is just asking for trouble in most cases, and every competant programmer knows it...the question is, why should it be ok to not write the overflow check or to use a different call that's safer instead? I don't see the difference in time between typing gets() and typing fgets() with a few more arguments when the code is first written? Sure, you could argue that, after thousands of development hours, the few extra seconds adds up, but if it saves you millions in PR and legal expenses, why wouldn't you change your development practices?
Up until recently, Microsoft has enjoyed an era without being held accountable for the bugs in their products (security and otherwise). That is changing now, however, and they really need to treat this as more than just a PR issue (it's becoming more of a legal issue as well). Let's face it, Microsoft is taking heat about this not because of their market position or pervasiveness...not even because their products are compiled from millions of lines of code...it's because they don't stress a proper security-oriented (read: sane) development process.
Don't be brainwashed by them saying that security is the killer of timely/rapid innovation or release schedules because it simply isn't true unless they're development practices say that security is an afterthought rather than an integral part of their programming practices.
Re:Anti-innovation (Score:2)
In my experience, five minutes spent on overflow checks initially will save an hour in debugging. Unless you get _unlucky_ and the flaw isn't discovered in debugging. But then, I take bugs more seriously than an MS coder has to. When I release a program, I wrote it all by myself for internal company use. I'm going to get yanked out of my office to _look_ at any bugs that pop up, and have three senior managers breathing down my neck while I fix it. Microsoft programmers are insulated from that by sheer organizational size -- tech support gets the bug calls, not the programmers, and tech support probably won't be able to track down the lazy bastard responsible for the bug and make him fix it himself. Beyond that, MS shuffles most tech support off to the OEM's...
Re:Anti-innovation (Score:2)
Microsoft itself would now supposedly disagree with that point. As part of their new security effort, they are reviewing all parts of their code, including default configurations.
As part of the security initiative, every manager has to justify not only the group's programming decisions, but how the software is configured as a component of Windows.
Program managers are being asked, "Are 90 percent of your users using this feature? If not, then you better have a good reason for enabling that feature by default," Howard said.
The goal is to make an everyday user's computer secure by default, he said. "Not everyone needs IIS (Microsoft's Web server) by default," he said. "Not everyone uses Index Server by default. So today, those features are turned off by default."
Quoted from this article [com.com].
Re:Anti-innovation (Score:2)
Re:Anti-innovation (Score:2)
IS is installed (and running) by default on Windows 2000. Anything post Windows 2000(including
Not on Windows 2000 Pro (workstation). It does install on Server versions (personally, I think it should install on server version but turn the services off by default, but that's just me).
MS02-005 cumulative patch (Score:4, Flamebait)
This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:
What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:
Re:MS02-005 cumulative patch (Score:4, Insightful)
This is vendorspeak; "previously discussed" means "confirmed by the vendor" and not "discussed on BUGTRAQ". The phrase "all known security defects" means "all the defects we have admitted so far", and so on.
Morons....uh I mean OxyMorons..... (Score:1, Redundant)
That said it is much easier to innovate wihtout regard to security even at a basic level, MS has been doing just this for quite sometime, and it looks like it may finally be catching up to bite em in the ass.
MS has made great strides in interface usablitiy, and some disasters, some minor security annoyance, and some bungles of a scale unseen before. Quantity, not Quality has been the MS creed for a long while, blowind the doors off their prior interface and capablities of 3.1 to win95 was a major leap, and they ran like a thief with it.
Its easy to innovate and produce LOTS of stuff fast if security isnt a concer, unfortunatley for MS that mindset became standard at MS, Bill's Memo is proof in itself,
Re:Morons....uh I mean OxyMorons..... (Score:2)
I remember when we said the same thing about their commitment to the web. "But IE 2 sux!, they'll never be serious about it!" When MS decides something is Important, watch out.
Re:Morons....uh I mean OxyMorons..... (Score:2)
1) Purchase a technology leader in security. (Maybe RSA. Hey, maybe Schneier's outfit!)
2) Cannibalize their product and incorporate it into Windows.
3) Screw it up royally.
Re:Morons....uh I mean OxyMorons..... (Score:2)
The big, heavy, impressive door to the vault.
Adding stuff won't help if the side windows are open or broken.
Text only e-mail (Score:2, Insightful)
"Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims' address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. "
Amen. Give me pine anyday and get rid of the crappy HTML formatted e-mails with pics and crud, If I want to see that send me a link to a web page and I'll look at it if I feel like it. Don't send me huge bloated e-mails that look like shite when I read em on pine.
Re:Text only e-mail (Score:2, Insightful)
Re:Text only e-mail (Score:2)
shame it's not true
Buffer overflow in MS Outlook & Outlook Express Email clients (Date parsing) [iss.net]
Re:Text only e-mail (Score:2)
The point being that it's isn't just MIME mail that can carry a nasty payload and that it isn't just MUA's that purposely execute atatchments that are vulnerable. The article was trying to imply a plain text only world was a safe from harm world.
The post I replied to quotes from the article "Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses"
and then states "Give me pine anyday"
but pine and other text only MUA's are not invulnerable to exploitation, the buffer overrun could have been in any of them, it just so happened that the one I remembered was in Outlook.
Did you know that not all comments including the word Microsoft are rants or bashing for the sake of it?
Re:Text only e-mail (Score:2)
Re:Text only e-mail (Score:4, Interesting)
Back in the text-only e-mail days I was quite confident in telling to my users "text e-mail can't hurt you"...until a friend at a neighboring site (uucp) showed me what they'd found: An e-mail that ended with embedded escape sequences to program a key with a long string of commands, clear the screen, and then the something like "Mail file corrupted--press (whatever the key was) to continue."
The commands, which went back to the mail reader (or would have, if the user had followed the directions) would then 1) write the body of the message to a file, 2) exit the mail reader, 3) compile the source code it just saved, and 4) run the program.
There were a few bugs in the creature, so it hadn't worked as intended, but from then on I wasn't so sure about things being safe just because I couldn't see how to exploit them.
-- MarkusQ
Re:Text only e-mail (Score:2)
The commands, which went back to the mail reader (or would have, if the user had followed the directions) would then 1) write the body of the message to a file, 2) exit the mail reader, 3) compile the source code it just saved, and 4) run the program.
Then the e-mail reader was not treating the e-mail as plain text. If the only escape sequences it recognizes are end of message and start of attachment, the only thing that can hurt you is the attachment -- if you are dumb enough to run an executable attachment.
Re:Text only e-mail (Score:2)
That had been roughly my thinking as well. But the point is that the e-mail reader (either pine or elm, IIRC) was just treating the body as plain text, and happily dumping it (escapes and all) to the terminal.
The terminal (VT100 or some such [databeast.com]) was seeing the escape sequence and obligingly reprogramming the specified key to do the dastardly deed. Then it would just as obligingly clear the screen, so that all the user saw was the message telling them to hit the booby-trapped key.
The mail reader was oblivious to all of this.
-- MarkusQ
Re:Text only e-mail (Score:2)
I still use a textmode email program that dates back to the BBS-messaging era, and it's immune because it doesn't do ANSI at all. (It says it does, but it doesn't.) It sees ESC sequences as raw text, so does nothing.
Telnet apps that grok ANSI may still be vulnerable to this trick -- dunno for sure, but it's a thought.
Re:Text only e-mail (Score:2)
Re:Text only e-mail (Score:2)
ANSI.SYS? (Score:2)
How odd. *smile* Given all her talk about VT-xxx terminals, pine/elm, and scads of users on each box, I would never have guessed that my friend's site was running MsDos.
-- MarkusQ
Re:ANSI.SYS? (Score:2)
[Walter Brennan] You young'uns just ain't old enough to remember BBSing. Terminal apps emulating VT-xxx, textmode mail, and scads of users on every box. [/Walter Brennan]
But AFAIK there's no rule that the same basic principle couldn't be applied to ANY vulnerable system that speaks ESC sequences, which I gather come from way back in prehistoric times when we carved our PCs out of wood.
Re:ANSI.SYS? (Score:2)
Reziac::ARealMcCoy: You young'uns just ain't old enough to remember BBSing. Terminal apps emulating VT-xxx, textmode mail, and scads of users on every box.
*laugh* Ah, now you'd be talking about my site. But I don't think I ever had more than a half dozen or so users on a PC at once (dial up that is--on site we had about thirty, but each had their own PC & pooled "connections" for file transfer).
BTW, thanks; I haven't been called a "young'un" for...well let's just say it's been quite some time. Our first dial-up box was a NorthStar Advantage that could only support two remote users at a time (plus one sitting at it).
-- MarkusQ
Re:ANSI.SYS? (Score:2)
[goes to look] I did, I did, I DID see a NorthStar System Software Manual, revision 2.1, copyright 1979, 1980. Calls the OS "Northstar DOS v2" tho it looks more like interpreted BASIC to me. Used a whopping 3.25kb of RAM. Such bloat!
Now where did I stash the punch cards from my high school's IBM-1620?
Re:Text only e-mail (Score:2)
Things are bad enough with mere oversights on MS' part. When they deliberately build poor security, it all goes straight to hell.
It sounds like (Score:2, Insightful)
very good read (Score:2, Interesting)
Almost all the concepts presented were ones I learned in college [I graduated a few years before windows 95 came out
of course
As much as I love *NIX for a server environmet, I have to say
I always use the "My Mom" theory when determining if something is easy to use. My mom is almost 80 years old
Windows passes the My Mom test
If M$ can get actually accomplish even these seven steps, they honestly
The real telling point would be , if they had to evolve far enough to MAKE these changes, would they grow up as a company ?
what we're forgetting... (Score:2, Interesting)
Re:what we're forgetting... (Score:2)
I think most of us do realize this. But really, M$ is a very greedy and childish entity that has, to this date, followed through on only a very few of their promises, no matter how bad it may be for them. The Cryptogram article outlines a few things they'll have to do to become more 'Trustworthy', points out that many of them are fundamentally against the grain of M$'s behavior thus far, and then proceeds to ask, "Will they actually do this?". Placing release dates ahead of product completion, creeping featuritis, claiming that their bugs are their own concern and the world had better shut up about them. These are all things that they have continually done in the past and are well known to be extremely naughty, yet despite the multitude of spotlights on their actions and the sheer dependence of so many people on their software, they ignored all suggestions to do otherwise. Will they start using some well proven secure programming techniques or instead try to 'Embrace and Extend' them, blazing a bold new Public Relations trail into the world of security, in the process dooming themselves and the precious data of millions before they are given up as a bad job?
Stay tuned, updates at eleven...
Analysis Is Good (Score:3, Interesting)
The overwhelming point is that this stuff is often contrary to what MS has in mind for its future software development. If they are really serious about putting security 1st in
When it comes to business vs design decisions, MS has always gone for biz.
Re:Analysis Is Good (Score:2, Insightful)
API access from untrusted code is maybe a more useful thing to be taken care about (read : animated gifs ARE code, but limited to
Re:Analysis Is Good (Score:3, Interesting)
That's true, and I think that a lot of these security holes are a direct result of MS making bad design decisions for technical reasons.
They're not stupid -- they know that "leveraging" one product by including hooks for another creates security problems, but they know it also creates business opportunities. That's they they did it.
But I also think we're seeing a realization from MS that they're going to take some hits on the business side if they don't address security concerns.
The question that Schnier rasies, implicitly, is this:
How much disruption of their current business strategies is MS willing to tolerate for the sake of security?
In the end, I suspect it will come down to a cost benefit analysis. Let's hope the numbers come down on the side of security.
Where to start. (Score:5, Insightful)
Hoo boy, this is a good article, but these guys are spending waaay too much time in a vacuum.
While that's nice and all, it's hard for an operating system to do operating system things from within a sandbox, and with the single exception of a guy getting a Verisign key with the name Microsoft on it (nominally a Verisign problem, not a Microsoft Problem) I haven't seen a problem lately with microsoft signed code.
The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced havily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy say they oughta. The fact that you cannot overwrite a system DLL in XP seems to be ignored. (There's a Key library, a backup directory of DLL's and the DLL in the system folder, if any of those are mucked with, the OS reacts trying to restore a safe version of the DLL, if a safe version isn't available, it prompts for a CD.)
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
Re:Where to start. (Score:2, Insightful)
How could this train not eventually lead to that?
Re:Where to start. (Score:2)
Can't add your own chicken wire even if you know how.
Beginning to smell like a disaster brewing.
Re:Where to start. (Score:2, Interesting)
Re:Where to start. (Score:2)
In retrospect, I also don't think the big issue is with the OS...it's pretty secure. When needs to be changed are the things that software is allowed to do with the OS. (Like inserting itself in the RunOnce and OnStart registry keys.)
Re:Where to start. (Score:5, Interesting)
I haven't seen a problem lately with microsoft signed code.
Lately is a poor excuse to keep a bad idea....
The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced havily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy say they oughta.
No, but with Gartner telling them to pitch IIS also, it seems MicroSoft was worried enough to at least make a press release....
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
You REALLY don't understand granular auditing do you? You only turn it on when investigating a problem, or preforming an audit... it seems to work really well in *NIX systems. And since when does 200mb + 800mb equal a Terabyte. What kind of systems do you think people put Linux on????
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
The author was speaking of more than just internet protocols, but you did sum up the article pretty well in your last sentence. MicroSoft has made a public commitment for security. To follow thru will take more of a financial commitment then just offering employee bonuses, and it seems that both you and the author agree that it is highly unlikely that MicroSoft will follow thru on their pledge.
Be careful what you ask for (Score:5, Insightful)
Software liability would be a disaster for free software, right? Okay, everyone wants Microsoft to have to pay for Nimda/CodeRed/Melissa/ILOVEYOU, but I don't suspect that the authors of Sourceforge (for example) would want to be liable for someone losing his code due to a buffer overflow. Schneier is right on many things, but he is 100% wrong on this one.
Re:Be careful what you ask for (Score:2, Interesting)
I think that's the most you'll ever see in terms of liability. "If this software doesn't do what it's supposed to, can I return it and get a full refund?"
You think that the makers of space heaters are getting sued? After all, place a space heater near some curtains and you'll burn down your house.
Of course not.. they slap a warning sticker on the box and they've covered their ass. Slap a warning sticker on software... "This software is presented AS-IS", and you're fine (yes, even Microsoft)
But money-back guarrantees if the software fails to perform as advertised could be a more common occurrance (even if the company doesn't provide a money back guarrantee, you may be entitled to one in the future).
Re:Be careful what you ask for (Score:2)
Most OSS performs better than advertised. Even without recourse to the sources.
Typing redhat.com/errata in my browser (IE on NT) takes me where I want to go. I'm sure a bunch of other guesses would also work. Other than something willful and malicious, which would be rather hard to escape notice and a very fast fix, I'd say they were off the hook for whatever the system would do. The've done more than just take reasonable precautions. Anything that surfaces later is readily accessable to someone who doesn't really even know where to start.
Merchantability, Fitness for Purpose, etc. (Score:2)
When you purchase software, there's an automatic warranty involved. Namely, that the software doesn't suck. That it's not going to be an open invitation to haX0rs. That using it isn't going to expose you to enormous risk, unless the seller has first advised you of specific enormous risk and you choose to buy it anyway.
When you license software... well, that's not a sale, is it? And hence, the legal protections that you get when you buy things don't apply to you. I can count on one hand and have fingers leftover all the times I've seen shoddy software be held accountable in court.
So this push to software-liability law is more of a push to make software a sold good, not a licensed one. The theory being, if I plunk down $200 for Windows XP, it shouldn't have a UPnP back-door in it. Software-liability laws would permit affected users to sue manufacturers to recover lost damages.
However, common law says that if you pay a nickel for something and it breaks, you can't make twenty million bucks off a lawsuit over it. Twenty bucks, maybe, twenty million, no way. There is an implicit limitation on the assumption of risk, and this implicit limitation is related to the price paid.
If I pay Red Hat $50 for Red Hat Linux and there's a horrible bug that makes my Linux box an inviting target for 1337 haX0rz, then Red Hat's liability is a factor of the $50 I paid them.
If I pay you $0 for a piece of GPLed software you wrote, and there's a horrible bug, your liability is a factor of the $0 I paid you.
Err... wait. I didn't pay you. I got something for nothing--I literally received a good at no price whatsoever above the price of media. The courts would not look favorably upon me suing you for $20 million because you gave me something, for free, out of the goodness of your heart, and made it clear to me that it was a work in progress and might not work as I expect it to.
Re:Be careful what you ask for (Score:2)
But used car sellers don't have such responsibility. And it would seem rather nuts to try to make non-commercial coders or distributors responsible for defects in a free product. IANAL, but I don't think that's a problem.
However, what I really want to see, is not government restrictions on a company's right to write sales contracts as it pleases, but rather fraud prosecutions when fine print in the contract, warranty, or EULA contradicts specific promises in the advertisements. E.g., MS's ads about the servers running unattended. It's not that it's impossible to have an OS stable enough for that -- Novell and Unix servers have become physically lost for years, but kept right on doing their job over the network. It's just that MS's software is not that stable -- and if they publicly claim it is, you should be able to sue for all losses due to downtime, no matter what disclaimers are in the EULA.
Do they have no pride (Score:2, Insightful)
just some thoughts..
--rpr
Re:Do they have no pride (Score:2)
Microsoft makes mediocrity an aspiration.
Wait a minute.... (Score:3, Interesting)
First of all.... Microsoft said they were going to prioritize security. That doesn't necessarily mean put all new features on hold until they are 100% secure. You can make security a priority without doing the OpenBSD nothing but security route.
Analysts like Gartner have recommended that enterprises switch away from Microsoft IIS and delay installing Windows XP, both because of security concerns.
I would like to point out that the precipitating reason they changed their recommendation was due to MS's new licensing policy. Security problems are just more fuel to the fire.
MS's security policies annoys the hell out of me but lets at least hold our points to realistic ones.
-pos
Security through Monopoly (Score:5, Insightful)
You'll get:
Of course, Microsoft won't make it too hard to have third-party software (as long as it doesn't compete with Office). You'll just have to pay a small fee for a MS-certified crypto signature. (Oops, free software can't pay the fee? Gee.)
Re:Security through Monopoly (Score:2)
New OS (Score:2, Interesting)
latest version of its Windows operating system, Windows(R)
XPSecure(TM) "It is the easiest to use and most secure version of
Windows ever to be released," touted the former chairman Bill Gates.
At the press conference the company performed a live installation of
XPSecure(TM) to demonstrate the simplicity of installation. "Our
customers have let us know that security is a foremost concern," said
Gates. "We have listened to their concerns, and we have designed our
software to fully and securely reinstall their favorite operating
system." Windows(R) XPSecure(TM) also features a Secure Live
Update(TM) option that will automatically connect customers' computers
to the internet to download late-breaking security updates. "We
realize there is much confusion out there about which security
features are truly secure. We have taken care of that with our
customers in mind," Gates continued. Windows(R) XPSecure(TM) is
scheduled to retail at $249.99 and is expected to begin to ship to
vendors in North America as early as next week. "We highly recommend
that customers of any previous version of Microsoft(R) Windows(R)
install this version to obtain an unprecedented level of user
experience in performance and reliability."
Oracle's "Unbreakable" Database (Score:4, Interesting)
An equally interesting article in Mr. Schneier's newsletter this month concerns Oracle's "Unbreakable" Database.
It seems Oracle put forth a good faith (albeit flawed) effort to secure Oracle9i. They enlisted the services of TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS
140-1 to test for security holes. None of them detected a simple buffer overflow problem.
These security companies are a sham (or at least should be ashamed).
FIPS 140-1 (Score:2)
FIPS 140-1 is Federal Information Processing Standard 140-1. It's a document describing how the U.S. Government requires itself to do things. Read it here [nist.gov] You can be certified compliant, but the process is done by independent labs, not NIST (home of FIPS).
TCSEC is also not a company. TCSEC, or Trusted Computer System Evaluation Criteria, is a book. "The Orange Book", to be specific. It can be found here [ncsc.mil] as well.
The orignal poster's point is well taken, though. Whichever companies provided the certification might consider examining their process.
Examination Process (Score:2)
I haven't read these books/standards, so feel free to ignore me.
But, before you complain about how these companies should examine their processes, consider that they might be doing exactly what is required by the standards.
Schneier was mostly complaining about buffer overflows in 9i. Before you go complaining about the security review process, check if these standards actually say "code should have no buffer overflows." If they do say that, check how they say it. No use no "known-insecure" functions? Bounds checking on all inputs? Only on user inputs? (Is there such a thing as a trusted input?)
I suspect you can pass these 5 standards completely, and still be insecure.
Re:Examination Process (Score:2)
Your suspicions are certainly accurate. Programs which are "excessively" vulnerable to denial of service attacks are considered to have security flaws (see the Microsoft advisory on the UPnP problems for a recent example of this). Also, there are many, many other routine security flaws which can arise in programs, and in particular, programs which require root/System/Administrator privilages to run.
As an example here, suppose program XYZ wants to modify the file .xyz in the user's home directory if it exists. Suppose also that program XYZ needs to be run SUID root. If the program gets the user's home directory from the HOME environment variable. This opens up a security problem, because the user could have set the HOME environment variable to anything. It is also possible that a malicious user could make .xyz a symlink to another file that they normally would not have permission to modify. Both these things allow a user to modify a file that they shouldn't be allowed to touch, and hence are security flaws.
There's a good FAQ on this (the Secure UNIX Programming FAQ) at http://www.whitefang.com/sup/ [whitefang.com], if you're interested.
Security is awful hard to make a profit from... (Score:5, Interesting)
They've already gotten a reputation for putting security and stability last. New features, fluff always come first. Virtually everyone knows that MS lives by marketing, marketing, marketing.
Now MS realizes that Security is becoming "the issue." "It's the security stupid."
Now consider the difficulites.
MS has an enormous codebase to now fix - after the fact. Adding in security is WAY hard after the fact. Things break, testing must be redone etc. It's a whole lot easier to put in anything if it was part of the origional design. Super costly and painful afterward.
MS has "integrated" all of its' products. So, now they have to not only test the separate products, but also in every combination. Ouch!
From Firewalls and Internet Security (the God book of security IMHO)
- All programs are bugy
- Large programs are even buggier than their size would indicate.
- If you do not run a program, it does not matter whether or not it is buggy.
- Exposed machines should run as few programs as possible; the ones that are run should be as small as possible.
Now MS has what most would consider code bloat, and not only that integration. That's going to be an ugly task (securing the code)
MS has always fudged the truth before. Marketing before substance. So people will be very skeptical about MS's claims about anything.
MS's stance about security was always lax. Combine this with the prior point, and we have skeptical^2.
MS can't really use this as a marketing tool - or at least not until they can prove they've done something significant. This will be hampered by points 1 + 2, and continuing security lapses, when trying to secure that code and missing things.
MS can't really make money off security - again, at least not until it has serious results to show. Thus this will become a massive cost center without any revenue. Ouch^2. That will have the bean-counters breathing down the throats of the development/QA people to keep costs down. You're not producing new products, and thus revenue - salary will suffer etc.
Lastly, it will be a unglamorous job, and project. It will be hard work. You'll be unappreciated. You'll be expected to be a miricle worker, and double quick too. When you miss something, you'll get lots of heat, and few kudo's (Provided this _really_ _is_ somthing MS is _really_ serious about - if not the heat won't be there, but that's the point.)
Thus, to summarize.
- MS has a MASSIVE task to fix - both in size and complexity.
- MS has integrated all these things together. I would bet that the mutual distrust model between different modules/products hasn't been used, adding to the difficulty/complexity.
- MS has a reputation for producing fluffy software with lots of features, but not much security - it's always an afterthought. Ship early fix bugs later.
- MS has never been known for its' honesty and plain talk, thus making the credibiltiy of its' proclaimation that much more doubtful.
- This strategy won't be done quick, or cheap. The task will be difficult both technically and politically.
- MS won't be able to milk this decision for extra revenue anytime soon.
- The very fact that this effort exists, tends to point out a problem in the first place.
My conclusions are these.
MS may really intend to do this. I don't really believe it, but I'll give them the benefit of the doubt. But even if they are committed, how long will they remain committed. They won't be able to show results for some time. They will certainly have failures. These will undermine the confidence of both internal staff, and the public they're "selling" it to. It will cost a massive amount. It won't generate revenue.
It's going to be really easy to just splash it out there, and crow about it. Later, when the trench warfare sets in, it's going to be tempting to forget about it. It's out of the limelight, and we can just let it go quietly into the night.
We'll see - I don't doubt that MS _could_ do it. I just don't think they will for many reasons. And there will be _so many reasons_ no to.
Cheers!
no need to rewrite everything (Score:3, Informative)
"Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."
This is false. XP, based on NT, has security built in. The vulnerabilities discovered so far basically seem to be in two camps:
1) Buffer overflows left in the code -- rewriting won't help these, it will likely just introduce more. They just need to be found and fixed. Microsoft is in fact going over all its code line-by-line, but I can't imagine that glassy-eyed developers spending a month doing that is actually going to find all the overflows.
2) Bad design, in particular allowing foreign code to execute. I.e. the various Outlook email viruses. These need to be removed, which is a basic change in how Microsoft thinks (security over nifty features) but again you don't need to rewrite Outlook to stop if from executing scripts by default.
Methinks Schneier might be fantasizing a bit about Microsoft *having* to do this, of saying, as he puts it, "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out." It seems like he would like to see Microsoft fall behind in the market because they have to throw all their current code away. Plus he hates SOAP (since it sneaks past firewalls inside HTTP), which is one of the technologies .NET is based on.
Personally I think this is basically more marketing hype from Microsoft. Because they are still not going to penalize developers who write insecure code (something that was bandied about but not adopted) -- it will still be, "Oops, we did it again". So with no real connection between good code and stock options, developers at Microsoft won't change.
- adam
Re:no need to rewrite everything (Score:2)
This is false. XP, based on NT, has security built in.
Eh, not quite. Did you read all of the article?
One of the big issues I have with Windoze is that it's not easy to disable and remove the parts I don't want, which is what Bruce talks about.
On a server connected to the Internet, I'd want to remove anything that's not strictly needed for running the application, like the web browser. Microsoft's attitude is: "Opps, sorry, that's part of the OS now, live with it." However, with other operating systems, I do have a choice.
Sure, you can argue that I'm being paranoid, and what possible harm could come from having some extra software installed. Maybe you're right. And maybe some dumbass junior admin (that I didn't get a chance to interview) needs to surf the web to look up an answer while he's putzing with the server. Maybe because there's a browser (which can't be gotten rid of) on the red-zone server, and he uses that, rather than the one on his desktop computer. Maybe the security permissions are still the default (lax), and he downloads a virus or worm. Maybe it infects the system, because he was logged in as Administrator.
And if there's no browser on the red-zone server, he'd haul his lazy ass back to his desk to look up the answer, thus preventing, or at least containing, a whole host of problems.
As for SOAP, from a network administrator's point of view, it's easy to hate it, seeing as how it was expressly designed to evade the firewall. If someone's got a new RMI protocol, I should damn well be able to easily block it, if that's the policy.
Now with SOAP, instead of simply blocking a port, which just about any stupid firewall can do, you need a firewall that can look inside HTTP requests to see which ones are from browsers, and which ones are SOAP requests. More processing power, and therefore less throughput on the firewall. And probably a more expensive firewall to boot.
Wearing my enterprise application developer hat, I think SOAP is pretty cool. Wearing my network administrator hat, I would like to kick in the nuts of whoever thought it up.
Yes, I realize that I'm paranoid, it comes with the job. If you don't believe me now, check back with me in 5 years. If you last that long.
www.trustworthycomputing.com (Score:2)
Mean while, Microsoft has started a public marketing campagn and even plans to have
Trustworthiness requires more than security (Score:2, Insightful)
*) develop trustworthy products and services
*) become a trustworthy company
And that will be no easy task. I agree that security in their products is something that they need to improve, but I think becoming trustworthy will require much more than that. If I were to describe all of the things that I think Microsoft needs to do to accomplish these things, I'd be here all day. So, I'll describe only a few examples not related to security.
1) Improve the quality of their products. In my current job, I have the singular pleasure of developing applications in MS Access 2000. Unfortunately, the documentation provided with the software is poorly indexed, incomplete and (in some cases) inaccurate. For example, in one place in the documentation, it claims that the maximum number of levels of nested forms allowed is 3. Elsewhere it claims the limit is 10. Both are wrong. It's difficult to trust software when its own documentation is incorrect. This doesn't mean that their products have to be perfect. But right now, it often feels like they're not even trying.
2) Abandon the new licensing strategy [slashdot.org], which essentially dictates when companies need to upgrade their software. Having to go through a massive upgrade because of licensing is no different than having to go through a massive upgrade because of a bug or security vulnerability. The end result is the same, and I do not consider such software to be "available" or "reliable".
3) Adopt more ethical business practices. A number of the comments posted here speculate on what Microsoft true motives are. Given MS's history of Machiavellian business practices, it's not surprising that people don't believe Microsoft, even if they are telling the truth. And I'm one of those people. I tend to believe the adage that you can't build a straight house with crooked boards. So, if Microsoft really wants to promote trustworthy computing, then they must become a trustworthy company first.
Some folk have noted that the General Public's view of MS is much different than the average
Anyway, if MS is serious about this new directive, then good for them (and it's about time!). But I'll believe it when I see it (and maybe not even then).
</soapbox>
-- D
Re:Covered previously (Score:2, Informative)
Re:Covered previously (Score:2)
Yes, it was discussed! (Score:2)
Yes, Counterpane just came out, but this article previously appeared in SecurityFocus.
Re:Covered previously (Score:3, Insightful)
Ummmm, No (Score:1)
Re:Covered previously (Score:3, Informative)
Security Community Reacts to Microsoft Announcement [slashdot.org]
by Hemos with 471 comments on Friday January 25, @11:25AM
The Counterpane article is the same as the earlier Security Focus article.
Re:childish (Score:2, Interesting)
they are asking them to make good on the promises they have been telling the general public (and Wall street btw)
I mean
well
imagine how quickly ONE security flaw in a bank server could render you broke.
Re:childish (Score:2, Insightful)
You just outlined the primary reason that Open Source is the superior method of software design. A programmer crafting software because it scratches his personal itch will ensure that it is stable, secure, and reliable. A company will put lots of flashy glitz on it and get security/reliability up to "good enough" and ship.
Re:I hav my own theory... (Score:3, Insightful)
Look, as much as I hate Microsoft, it's not easy to write secure code, and it's impossible to write bug-free code. Because they're not currently generating revenue with bugfixes, I have a hard time believing they're intentionally writing crappy code just to reap the bugfix revenues. Yes, they always claim every new version of Windows is more stable and secure than the last, but almost nobody ever believes them anymore..
Their business model requires them to get people like us to upgrade our existing products to the latest versions every couple of years. Since you're not really getting a more stable product when you upgrade, and since features aren't the upgrade-enforcers they used to be, MS is trying to find a way to force you to upgrade. Witness their newest licensing/protection racket: Upgrade to the current version, or when the next version comes out, you'll pay full price to upgrade to it.
Until they change their business model to allow them to generate revenue for producing secure, stable code, they will never succeed in generating secure, stable, well-architected products.
Re:I hav my own theory... (Score:2)
My main gripe is that they really don't seem to be trying to offer even moderately secure systems. Here's one recient nasty example;
This level of security is implicit in Unix-style systems and has been for decades. I can't even imagine how they missed this. What other things did they miss that are infinately more obscure?
Re:I hav my own theory... (Score:2)
Re:I hav my own theory... (Score:2)
Re:I hav my own theory... (Score:2)
Can anyone explain to an old hardware engineer why "it's impossible to write bug-free code", but we design bug-free hardware all the time.
I wouldn't be so sure.
A) Take a look at the errata list for any microprocessor sold in the last 20 years. It's quite an eye-opener. However, most/all the problems are worked around by the compiler writers and kernel developers, so you never hear about them.
B) With cars, they only issue recall notices for show-stopping, car-catches-on-fire design bugs. There's lots of minor bugs with cars all over the place. Things like the front suspension design on my '92 Mazda. I've had the mounting plates on top of the struts replaced 3 times now. You can stop by your dealership to look at all the notices that have been issued for your car model over the years.