Microsoft, terrorism, and computer security
Commentary by cDc's Oxblood Ruffin
Since 11 September the world has changed immeasurably, but some things remain the same. The single greatest threat to Internet security is still Microsoft - not the soon to be Osama Haz Bin.
Microsoft is not, of course, a terrorist organization. But its ubiquity on the desktop coupled with its poor track record in network security is a tested formula for international disaster.
Security, from the structural perspective, is negative -- it's about denying actions or access or direct contact. Like a prophylactic, it prevents certain bad things from happening while preserving most of the benefits of interaction.
At the heart of the security debate are two competing approaches: 'security through obscurity,' in which it's hoped that concealing an exploitable defect will prevent exploitation, and 'full disclosure,' which works on the premise that forewarned is forearmed, and which most professionals now prefer.
First, let's look at Microsoft's preferred way of dealing with vulnerabilities: security through obscurity.
That was the norm during the early days of networks and computers. As researchers discovered problems they would alert the vendors without fanfare, and in the best of all possible worlds, the vendor would fix them before anyone got hurt. Microsoft became a big fan of this model because it was quiet and discreet and didn't contradict its marketing propaganda. However, there was little incentive for them to actually fix anything so long as it could all be kept quiet. No public pressure, no repercussions. Consequently, many serious vulnerabilities lingered for years.
Increasingly frustrated by Microsoft's complacency, researchers began opting for the public-humiliation approach. As they discovered flaws, they began to make them known. Microsoft's PR department went into full gear, denying that problems existed, or suggested that they were merely hypothetical, but often there was more stalling.
Finally researchers began what is known as full disclosure by publishing exploit code to prove that the vulnerabilities they caught were in fact real. Unable to continue sweeping its mistakes under the carpet, Microsoft initiated PR campaigns against "hackers", which it subtly equated with "criminals".
Today, Microsoft prefers to brand full-disclosure proponents "information anarchists," and has even equated them with terrorists in an attempt to manipulate public anxiety after the 11 September attack.
Microsoft continues to argue that by publishing exploit code the bad guys are given free attack tools. But this assumes that the bad guys didn't already know the exploit. Perhaps they did, perhaps they didn't. But when everyone knows, the playing field is leveled, secure computing best practices are elevated, and patches must be issued quickly.
Quite simply, full disclosure forces vendors to fix their products. It's a pity that they need this sort of prodding; but the historical record illustrates that they do.
Sadly, many average users have suffered. Over the past several years Microsoft's security model has cost governments, the enterprise community, and home users anywhere from five to twenty-five billion dollars depending on whose tally one accepts. The ILOVEYOU virus, Melissa, Code Red, and a host of others have been the agents of this burden. As a result, millions of users have either lost entire hard drives or valued files, or worse, stood by helplessly as account passwords, private information, and personal images have been stolen from their computers and passed around by the Net's bottom feeders for pleasure or profit. If there were such a thing as data rape, this would be it.
Corporations have spent incalculable sums purging their systems of bugs they should never have been susceptible to in the first place, while staff productivity plummets in a connected office whenever the machinery is off line. And downtime is serious money for any company, large or small, that earns its living only while connected to the Net.
So why don't product liability laws apply to the software industry? How is it that one set of rules applies to the auto industry, for instance, but not to the information superhighway's largest purveyor of digital 'lemons'?
Bear in mind that most, if not all, of this virtual mayhem was not the work of elite computer criminals. It was committed by bored teenagers who cobbled together attack scripts that continue to be traded around the Internet like baseball cards. And regardless of the misery they have caused and continue to cause, and despite the profane amounts of money they've cost their victims, Microsoft's spin has always been the same -- a sort of smile and dissimulate medley that exonerates Microsoft, blames 'hackers,' and promises a brighter tomorrow.
But not everyone is disoriented by this smokescreen. In fact, the majority of security professionals are astounded that Microsoft has chosen to sacrifice security concerns to its marketing goals. Taken to a comic extreme, a real-world illustration of the software leviathan's modus operandi would play out thus: the next time a crazed junkie dives through your window looking for money or worse, skip the police and call a help desk staffed with minimum-wage dunderheads. Find that the frustration of this futile exercise overshadows entirely the emotional impact of your original complaint.
If 11 September taught us anything, it's that everything is vulnerable, and often in the most blunt and simplistic ways. The massive Internet disruptions launched via Microsoft bugs over the past few years have been executed primarily by pimply amateurs. Does anyone actually believe there are no computer scientists who wouldn't love to find a place in heaven by exploiting the Great Satan's favorite software company? Microsoft's security through obscurity will only give these guys an exclusive advantage, because they'll find and use the holes that no one is expecting to be found.
The virgins are calling.... ®
Oxblood Ruffin is Foreign Minister for the Cult of the Dead Cow (cDc), a well-known group of computer enthusiasts.
Sponsored: Becoming a Pragmatic Security Leader