Forwarded from: Richard Forno <[EMAIL PROTECTED]>

Microsoft's New Security Mojo
Richard Forno
12 Nov 2003
Copyright (c) 2003 by author. Permission granted to reproduce in entirety
with credit to author.

Recently, Microsoft announced a program to offer rewards in exchange
for information leading to the arrest and conviction of those who
exploit its flagship Windows product through viruses, worms, and other
forms of malicious code.  Yet, despite the software giant's own
executives saying publicly over a year ago that their products
"weren't designed for security" the company continues to point fingers
at third parties, hackers, and crackers as the source of the many
problems plaguing the Windows-based portions of the Internet.  It also
demonstrates the ineffective organized chaos that remains Microsoft's
response to the marketplace demands for better-developed,
better-tested products.

Security (or lack thereof) in Microsoft's products has adversely
impacted corporate profits for years, and finally is beginning to
affect Microsoft's future profit potential as well. As a result,
Microsoft suddenly is committed to improving security, despite its
years of sitting idle. Hence the company's mad rush to inject
"security" into every product, speech, and statement to reassure its
customers that Windows is still a worthy operating environment to
spend money on. It's even sponsored an upcoming report critical of
Linux security to help spread fear, uncertainty, and doubt about
Microsoft's chief competitor and underscore why Windows is a better
product. Sadly, rather than address its own problems, the company is
content to use creative marketing as a substitute for good security
and software development.

The problem isn't that virus-writers are exploiting Windows, it's that
Microsoft makes Windows easy to exploit by anyone with a modicum of
programming know-how -- and instead of accepting responsibility, the
company is trying to pass the blame for such problems off onto others.
Creating a rewards program is a clever, low-cost way of diverting
public attention away from the many problems resulting from its
history of exploit-friendly programming practices so it doesn't have
to address the root causes that forced the creation of the rewards
program in the first place.  It also allows the company to portray
itself taking the moral high ground (albeit illusory) in its approach
to proactive product security.

The rewards program builds on the company's recent announcement to
convert its traditional as-necessary security bulletin and
patch-release process into a predictable monthly one.  Interestingly,
Microsoft's October 2003 white paper discussion of the new security
release process says this will make it easier for customers to stay
current through a single cumulative monthly patch that fixes reported
problems in Windows. That sounds perfectly reasonable until one reads
that "Microsoft will make an exception to the above release schedule
if we determine that customers are at immediate risk from viruses,
worms, attacks or other malicious activities. In such a situation
Microsoft may release security patches as soon as possible to help
protect customers."

Given that the majority of Microsoft security bulletins deal with
these very problems, one wonders if this new policy really makes a
difference by improving security or if it means that to reduce the
number of security bulletins (and associated negative media coverage)
Microsoft will be more selective in what it deems an "immediate risk"
to customers. It's likely that the company will seldom release a
bulletin-patch outside of its assigned monthly schedule, since it
would not only undermine its new policy but put it in the unfortunate
position of having to defend what makes one problem "more critical"
than another and warrant a special release.

Admittedly, a monthly patch-release schedule may make it easier for
customers to stay current, but also means that a potential adversary
knows exactly when to release his next malicious code or exploit
technique to the world. Network administrators likely will resent
being kept in the dark between monthly patches, never knowing if their
networks are endangered or being compromised until the next security
bulletin is announced.

Patching aside, it's more interesting - and seems very convenient -
that the company responsible for the majority of digital problems in
cyberspace in recent years is now offering a remedy for these
recurring problems in the form of Trustworthy Computing and the next
version of Windows code-named Longhorn. Of course, to receive this
much-desired increase in security, users must pay for it via a product
upgrade.  Unless I'm mistaken, this sounds a bit like the Mafia
offering "protection" services to local neighborhood businesses to
protect against security problems it creates (or tolerates) as a form
of revenue. Pay for your "protection" or be "at-risk" (wink-wink)
until you do.

Microsoft has an established history of such sneaky practices to get
what it wants from its customers. Remember that over a decade ago, the
company intentionally caused early versions of Windows to display
error messages if installed on anything other than the Microsoft
version of DOS - once users installed MS-DOS, the error messages
disappeared. More recently, to fix a series of critical
vulnerabilities in the Windows Media Player last year, Microsoft
forced users to accept the imposition of new and controversial digital
rights management (DRM) software as part of the security "fix."  Of
course, users were free to not install the fix if they didn't want the
DRM software on their systems, but would remain at-risk to attack and
exploitation from any number of criminals on the Internet as a result.

This brings up the question of how the definition of "security" is
changing to fit marketplace needs.  The MSDN website shows DRM is a
core 'security' function of Longhorn that runs in what Microsoft calls
the Secure Execution Environment.  The very fact that an operating
system - the engine that runs our computers and touches everything we
do on them - is based on a DRM foundation (with "hooks" for third
parties including Microsoft to determine what may be done with what
information on a computer) is frightening. Ask any objective security
professional -- DRM should not be viewed as a function of security but
rather an add-on function of revenue protection for those industries
based on digital content.

Home and business users alike should not be forced into a Mafia-like
protection agreement to be secure in cyberspace. Nor should the
fundamental definition of security be extended - or twisted - to
include invasive mechanisms of profit-protection for industries unable
to adapt their business models for the Information Age. Until
Microsoft takes a realistic view of security and defines effective
real-world ways of improving product security in the present day -
such as cleaning up the existing Windows code instead of greedily
forcing mass upgrades - its existing customers will be reluctant to
adopt a newer version of the Windows product line no matter what the
speeches and marketing material promise.

Microsoft chairman Steve Ballmer recently said the company's rewards
program makes it clear that Microsoft is "taking security seriously."  
What he meant to say was that it's clear that Microsoft is taking its
security reputation seriously.  That's a big difference.

# # # # #

Brian Valentine Statement on Windows Insecurity

White Paper: Revamping the Security Bulletin Release Process

# # # # #

Security technologist Richard Forno is the former Chief Security
Officer at Network Solutions and author of "Weapons of Mass Delusion:
America's Real National Emergency." His home in cyberspace is
