Microsoft's New Security Mojo
Opinion Recently, Microsoft announced a program to offer rewards in exchange for information leading to the arrest and conviction of those who exploit its flagship Windows product through viruses, worms, and other forms of malicious code. Yet, despite the software giant's own executives saying publicly over a year ago that their products "weren't designed for security" the company continues to point fingers at third parties, hackers, and crackers as the source of the many problems plaguing the Windows-based portions of the Internet. It also demonstrates the ineffective organized chaos that remains Microsoft's response to the marketplace demands for better-developed, better-tested products.
Security (or lack thereof) in Microsoft's products has adversely impacted corporate profits for years, and finally is beginning to affect Microsoft's future profit potential as well. As a result, Microsoft suddenly is committed to improving security, despite its years of sitting idle. Hence the company's mad rush to inject "security" into every product, speech, and statement to reassure its customers that Windows is still a worthy operating environment to spend money on. It's even sponsored an upcoming report critical of Linux security to help spread fear, uncertainty, and doubt about Microsoft's chief competitor and underscore why Windows is a better product. Sadly, rather than address its own problems, the company is content to use creative marketing as a substitute for good security and software development.
The problem isn't that virus-writers are exploiting Windows, it's that Microsoft makes Windows easy to exploit by anyone with a modicum of programming know-how -- and instead of accepting responsibility, the company is trying to pass the blame for such problems off onto others. Creating a rewards program is a clever, low-cost way of diverting public attention away from the many problems resulting from its history of exploit-friendly programming practices so it doesn't have to address the root causes that forced the creation of the rewards program in the first place. It also allows the company to portray itself taking the moral high ground (albeit illusory) in its approach to proactive product security.
The rewards program builds on the company's recent announcement to convert its traditional as-necessary security bulletin and patch-release process into a predictable monthly one. Interestingly, Microsoft's October 2003 white paper discussion of the new security release process says this will make it easier for customers to stay current through a single cumulative monthly patch that fixes reported problems in Windows. That sounds perfectly reasonable until one reads that "Microsoft will make an exception to the above release schedule if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers."
Given that the majority of Microsoft security bulletins deal with these very problems, one wonders if this new policy really makes a difference by improving security or if it means that to reduce the number of security bulletins (and associated negative media coverage) Microsoft will be more selective in what it deems an "immediate risk" to customers. It's likely that the company will seldom release a bulletin-patch outside of its assigned monthly schedule, since it would not only undermine its new policy but put it in the unfortunate position of having to defend what makes one problem "more critical" than another and warrant a special release.
Admittedly, a monthly patch-release schedule may make it easier for customers to stay current, but also means that a potential adversary knows exactly when to release his next malicious code or exploit technique to the world. Network administrators likely will resent being kept in the dark between monthly patches, never knowing if their networks are endangered or being compromised until the next security bulletin is announced.
Patching aside, it's more interesting - and seems very convenient - that the company responsible for the majority of digital problems in cyberspace in recent years is now offering a remedy for these recurring problems in the form of Trustworthy Computing and the next version of Windows code-named Longhorn. Of course, to receive this much-desired increase security, users must pay for it via a product upgrade. Unless I'm mistaken, this sounds a bit like the Mafia offering "protection" services to local neighborhood businesses to protect against security problems it creates (or tolerates) as a form of revenue. Pay for your "protection" or be "at-risk" (wink-wink) until you do.
Microsoft has an established history of such sneaky practices to get what it wants from its customers. Remember that over a decade ago, the company intentionally caused early versions of Windows to display error messages if installed on anything other than the Microsoft version of DOS - once users installed MS-DOS, the error messages disappeared. More recently, to fix a series of critical vulnerabilities in the Windows Media Player last year, Microsoft forced users to accept the imposition of new and controversial digital rights management (DRM) software as part of the security "fix." Of course, users were free to not install the fix if they didn't want the DRM software on their systems, but would remain at-risk to attack and exploitation from any number of criminals on the Internet as a result.
This brings up the question of how the definition of "security" is changing to fit marketplace needs. The MSDN website shows DRM is a core 'security' function of Longhorn that runs in what Microsoft calls the Secure Execution Environment. The very fact that an operating system - the engine that runs our computers and touches everything we do on them - is based on a DRM foundation (with "hooks" for third parties including Microsoft to determine what may be done with what information on a computer) is frightening. Ask any objective security professional -- DRM should not be viewed as a function of security but rather an add-on function of revenue protection for those industries based on digital content.
Home and business users alike should not be forced into a Mafia-like protection agreement to be secure in cyberspace. Nor should the fundamental definition of security be extended - or twisted - to include invasive mechanisms of profit-protection for industries unable to adapt their business models for the Information Age. Until Microsoft takes a realistic view of security and defines effective real-world ways of improving product security in the present day - such as cleaning up the existing Windows code instead of greedily forcing mass upgrades - its existing customers will be reluctant to adopt a newer version of the Windows product line no matter what the speeches and marketing material promise.
Microsoft chairman Steve Ballmer recently said the company's rewards program makes it clear that Microsoft is "taking security seriously." What he meant to say was that it's clear that Microsoft is taking its security reputation seriously. That's a big difference.
Copyright (© 2003 by author. Permission granted to reproduce in entirety with credit to author.
RRichard Forno is consulting, lecturing, and writing in the Washington, DC area. His areas of expertise include information security program development and management (emphasis on incident response & security awareness,) information operations, trend analysis, and critical infrastructure protection. More biog here.