Microsoft, terrorism, and computer security

Commentary by cDc's Oxblood Ruffin


Since 11 September the world has changed immeasurably, but some things remain the same. The single greatest threat to Internet security is still Microsoft -- not the soon-to-be Osama Haz Bin.

Microsoft is not, of course, a terrorist organization. But its ubiquity on the desktop coupled with its poor track record in network security is a tested formula for international disaster.

Security, from the structural perspective, is negative -- it's about denying actions or access or direct contact. Like a prophylactic, it prevents certain bad things from happening while preserving most of the benefits of interaction.

At the heart of the security debate are two competing approaches: 'security through obscurity,' in which it's hoped that concealing an exploitable defect will prevent exploitation, and 'full disclosure,' which works on the premise that forewarned is forearmed, and which most professionals now prefer.

First, let's look at Microsoft's preferred way of dealing with vulnerabilities: security through obscurity.

That was the norm during the early days of networks and computers. As researchers discovered problems they would alert the vendors without fanfare, and in the best of all possible worlds, the vendor would fix them before anyone got hurt. Microsoft became a big fan of this model because it was quiet and discreet and didn't contradict its marketing propaganda. However, there was little incentive for them to actually fix anything so long as it could all be kept quiet. No public pressure, no repercussions. Consequently, many serious vulnerabilities lingered for years.

Increasingly frustrated by Microsoft's complacency, researchers began opting for the public-humiliation approach. As they discovered flaws, they began to make them known. Microsoft's PR department went into full gear, denying that problems existed or suggesting that they were merely hypothetical, and often simply stalling further.

Finally researchers began what is known as full disclosure by publishing exploit code to prove that the vulnerabilities they caught were in fact real. Unable to continue sweeping its mistakes under the carpet, Microsoft initiated PR campaigns against "hackers", which it subtly equated with "criminals".

Today, Microsoft prefers to brand full-disclosure proponents "information anarchists," and has even equated them with terrorists in an attempt to manipulate public anxiety after the 11 September attack.

Microsoft continues to argue that by publishing exploit code the bad guys are given free attack tools. But this assumes that the bad guys didn't already know the exploit. Perhaps they did, perhaps they didn't. But when everyone knows, the playing field is leveled, secure computing best practices are elevated, and patches must be issued quickly.

Quite simply, full disclosure forces vendors to fix their products. It's a pity that they need this sort of prodding; but the historical record illustrates that they do.

Sadly, many average users have suffered. Over the past several years Microsoft's security model has cost governments, the enterprise community, and home users anywhere from five to twenty-five billion dollars depending on whose tally one accepts. The ILOVEYOU virus, Melissa, Code Red, and a host of others have been the agents of this burden. As a result, millions of users have either lost entire hard drives or valued files, or worse, stood by helplessly as account passwords, private information, and personal images have been stolen from their computers and passed around by the Net's bottom feeders for pleasure or profit. If there were such a thing as data rape, this would be it.

Corporations have spent incalculable sums purging their systems of bugs they should never have been susceptible to in the first place, while staff productivity plummets in a connected office whenever the machinery is offline. And downtime is serious money for any company, large or small, that earns its living only while connected to the Net.

So why don't product liability laws apply to the software industry? How is it that one set of rules applies to the auto industry, for instance, but not to the information superhighway's largest purveyor of digital 'lemons'?

Bear in mind that most, if not all, of this virtual mayhem was not the work of elite computer criminals. It was committed by bored teenagers who cobbled together attack scripts that continue to be traded around the Internet like baseball cards. And regardless of the misery they have caused and continue to cause, and despite the profane amounts of money they've cost their victims, Microsoft's spin has always been the same -- a sort of smile and dissimulate medley that exonerates Microsoft, blames 'hackers,' and promises a brighter tomorrow.

But not everyone is disoriented by this smokescreen. In fact, the majority of security professionals are astounded that Microsoft has chosen to sacrifice security concerns to its marketing goals. Taken to a comic extreme, a real-world illustration of the software leviathan's modus operandi would play out thus: the next time a crazed junkie dives through your window looking for money or worse, skip the police and call a help desk staffed with minimum-wage dunderheads. Find that the frustration of this futile exercise overshadows entirely the emotional impact of your original complaint.

If 11 September taught us anything, it's that everything is vulnerable, and often in the most blunt and simplistic ways. The massive Internet disruptions launched via Microsoft bugs over the past few years have been executed primarily by pimply amateurs. Does anyone actually believe there are no computer scientists who would love to find a place in heaven by exploiting the Great Satan's favorite software company? Microsoft's security through obscurity will only give these guys an exclusive advantage, because they'll find and use the holes that no one is expecting to be found.

The virgins are calling....

Oxblood Ruffin is Foreign Minister for the Cult of the Dead Cow (cDc), a well-known group of computer enthusiasts.
