|Ziya Oz||Jan 16, 2002 8:50 pm|
|List Subscriber||Jan 16, 2002 9:07 pm|
|List Subscriber||Jan 16, 2002 9:13 pm|
|Ziya Oz||Jan 16, 2002 9:20 pm|
|Andy Lee||Jan 16, 2002 9:30 pm|
|List Subscriber||Jan 16, 2002 9:40 pm|
|David Cake||Jan 16, 2002 10:19 pm|
|List Subscriber||Jan 16, 2002 10:35 pm|
|Ziya Oz||Jan 16, 2002 10:44 pm|
|steve harley||Jan 16, 2002 10:50 pm|
|Richard Forno||Jan 17, 2002 6:26 am|
|Matt||Jan 17, 2002 7:51 am|
|Matt||Jan 17, 2002 7:53 am|
|Subject:||OT: The Gates Declaration and Microsoft Security Day|
|From:||Richard Forno (rfo...@infowarrior.org)|
|Date:||Jan 17, 2002 6:26:42 am|
(But as a security professional - and Mac user - I feel obligated to share this short missive with our little community......rf)
The Gates Declaration and Microsoft Security Day Richard Forno 16 January 2002 rfo...@infowarrior.org (c) 2002 by Author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.
Summary: Analysis of the latest Microsoft foray into information security
By now, you've seen the news article. Microsoft founder and Chairman Bill Gates announced in a memo (text) yesterday that security would have the 'highest priority' in its products and that security is now 'more important' than any other part of Microsoft's work. This is the company's latest public attempt to address security concerns with its products and services.
Undoubtably, history will remember January 16, 2002 as Microsoft Security Day - harkening back to that wonderous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclaimation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.
Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance - and monopoly status - they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?
Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" - in actuality, shrink-wrapped denials of service and prepackaged network compromises - could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?
Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!
The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement - the Gates Declaration - is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" - and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, anybody seen Dick Cheney this week?)
But perhaps there's more here than meets the eye......
I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.
Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentially, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers - I'd be surprised if there are 1 million installed copies of XP in-use today....an amount that nowhere makes up for its development and marketing costs.)
It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them - thus, Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.
We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this - and other - software security problems at Microsoft.
Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo.....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.) However, in a small act of pennance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convienience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.
According to the AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are." My questions to Microsoft is this - how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, Register, News.Com, Wired, etc. and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an explot discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, is the community going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great Saturday Night sketch.....
Security professionals I've spoken with have shared two reactions to yesterday's news - "too little, too late" or "we'll see how well it happens....if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying some patriotic mindshare along the way from both the government and consumers.
While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.
We can only hope for the best - time will tell.
Hopper & Bridis "Microsoft Announces Strategy Shift"
Forno #2001-15 "Who Needs Hackers? We've Got Microsoft!"
Forno #2001-12 "Microsoft No, Mickeysoft, Yes"
Forno Column in SecurityFocus - "Industry Fears The Red Pill" (Full-Disclosure Statement)
Forno #2001-11 "The Freedom to Innovate Includes The Freedom to Obfuscate: Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability"
(HUMOR) Forno #2001-04 (Revised) "Microsoft-English Dictionary"
Copy of the Gates Memo (from El Reg)
From: Bill Gates Sent: Tuesday, January 15, 2002 5:22 PM To: Microsoft and Subsidiaries: All FTE Subject: Trustworthy computing
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.
When we started work on Microsoft .NET more than two years ago, we set a new direction for the company -- and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.
There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.
However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.
Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.
The events of last year -- from September's terrorist attacks to a number of malicious and highly publicized computer viruses -- reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems. Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.
Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.
No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.
I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:
Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.
Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.
Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.
Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation.
There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level - from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.
In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get -- and stay -- secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months.
At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like "Writing Secure Code," by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.
But we need to go much further.
In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.
This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.