Microsoft, terrorism, and computer security

Commentary by cDc's Oxblood Ruffin

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Since 11 September the world has changed immeasurably, but some things remain the same. The single greatest threat to Internet security is still Microsoft -­ not the soon to be Osama Haz Bin.

Microsoft is not, of course, a terrorist organization. But its ubiquity on the desktop coupled with its poor track record in network security is a tested formula for international disaster.

Security, from the structural perspective, is negative -- it's about denying actions or access or direct contact. Like a prophylactic, it prevents certain bad things from happening while preserving most of the benefits of interaction.

At the heart of the security debate are two competing approaches: 'security through obscurity,' in which it's hoped that concealing an exploitable defect will prevent exploitation, and 'full disclosure,' which works on the premise that forewarned is forearmed, and which most professionals now prefer.

First, let's look at Microsoft's preferred way of dealing with vulnerabilities: security through obscurity.

That was the norm during the early days of networks and computers. As researchers discovered problems they would alert the vendors without fanfare, and in the best of all possible worlds, the vendor would fix them before anyone got hurt. Microsoft became a big fan of this model because it was quiet and discreet and didn't contradict its marketing propaganda. However, there was little incentive for them to actually fix anything so long as it could all be kept quiet. No public pressure, no repercussions. Consequently, many serious vulnerabilities lingered for years.

Increasingly frustrated by Microsoft's complacency, researchers began opting for the public-humiliation approach. As they discovered flaws, they began to make them known. Microsoft's PR department went into full gear, denying that problems existed, or suggested that they were merely hypothetical, but often there was more stalling.

Finally researchers began what is known as full disclosure by publishing exploit code to prove that the vulnerabilities they caught were in fact real. Unable to continue sweeping its mistakes under the carpet, Microsoft initiated PR campaigns against "hackers", which it subtly equated with "criminals".

Today, Microsoft prefers to brand full-disclosure proponents "information anarchists," and has even equated them with terrorists in an attempt to manipulate public anxiety after the 11 September attack.

Microsoft continues to argue that by publishing exploit code the bad guys are given free attack tools. But this assumes that the bad guys didn't already know the exploit. Perhaps they did, perhaps they didn't. But when everyone knows, the playing field is leveled, secure computing best practices are elevated, and patches must be issued quickly.

Quite simply, full disclosure forces vendors to fix their products. It's a pity that they need this sort of prodding; but the historical record illustrates that they do.

Sadly, many average users have suffered. Over the past several years Microsoft's security model has cost governments, the enterprise community, and home users anywhere from five to twenty-five billion dollars depending on whose tally one accepts. The ILOVEYOU virus, Melissa, Code Red, and a host of others have been the agents of this burden. As a result, millions of users have either lost entire hard drives or valued files, or worse, stood by helplessly as account passwords, private information, and personal images have been stolen from their computers and passed around by the Net's bottom feeders for pleasure or profit. If there were such a thing as data rape, this would be it.

Corporations have spent incalculable sums purging their systems of bugs they should never have been susceptible to in the first place, while staff productivity plummets in a connected office whenever the machinery is off line. And downtime is serious money for any company, large or small, that earns its living only while connected to the Net.

So why don't product liability laws apply to the software industry? How is it that one set of rules applies to the auto industry, for instance, but not to the information superhighway's largest purveyor of digital 'lemons'?

Bear in mind that most, if not all, of this virtual mayhem was not the work of elite computer criminals. It was committed by bored teenagers who cobbled together attack scripts that continue to be traded around the Internet like baseball cards. And regardless of the misery they have caused and continue to cause, and despite the profane amounts of money they've cost their victims, Microsoft's spin has always been the same -- a sort of smile and dissimulate medley that exonerates Microsoft, blames 'hackers,' and promises a brighter tomorrow.

But not everyone is disoriented by this smokescreen. In fact, the majority of security professionals are astounded that Microsoft has chosen to sacrifice security concerns to its marketing goals. Taken to a comic extreme, a real-world illustration of the software leviathan's modus operandi would play out thus: the next time a crazed junkie dives through your window looking for money or worse, skip the police and call a help desk staffed with minimum-wage dunderheads. Find that the frustration of this futile exercise overshadows entirely the emotional impact of your original complaint.

If 11 September taught us anything, it's that everything is vulnerable, and often in the most blunt and simplistic ways. The massive Internet disruptions launched via Microsoft bugs over the past few years have been executed primarily by pimply amateurs. Does anyone actually believe there are no computer scientists who wouldn't love to find a place in heaven by exploiting the Great Satan's favorite software company? Microsoft's security through obscurity will only give these guys an exclusive advantage, because they'll find and use the holes that no one is expecting to be found.

The virgins are calling.... ®

Oxblood Ruffin is Foreign Minister for the Cult of the Dead Cow (cDc), a well-known group of computer enthusiasts.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Bladerunner sequel might actually be good. Harrison Ford is in it
Go ahead, you're all clear, kid... Sorry, wrong film
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
Forget Hillary, HP's ex CARLY FIORINA 'wants to be next US Prez'
Former CEO has political ambitions again, according to Washington DC sources
prev story


Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.