Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Microsoft just doesn't get Security - NOT!

Microsoft just doesn't get Security - NOT!

  • Comments 48

I was reading Robert Scoble’s post on “Longhorn Myths”, and I noticed this comment from “Dave” in his comments thread:

Most outlandish Longhorn myth? I mean this with all due respect, and say it with complete sincerity.... it will be one that MS will in fact say: that Longhorn will be a very secure sytstem.

Yes, it will be much more secure than any other verison of Windows. Yes, it will be as secure as MS can possibly make it. But try as they might, a few factors come into play that will make it next to impossible for Longhorn to be a very secure system.

(1) Longhorn, being a Microsoft product and a popular product, is destined to be targeted by hackers around the world. If there's a hole to be found, they'll find it. And nobody can make a system 100% secure.

(2) MS still places a higher emphasis on new forms of functionality/interaction than they do on security. Yes, they have a greater emphasis on security than even one year ago, but their concern - at this point in the Longhorn product life cycle - is more on getting things to work and work well than it is to play devil's advocate and find all the security holes they can find.

My response (updated and edited): Um Compared to what? Linux? Hands down, Longhorn will be more secure out-of-the-box than any Linux distribution available at the time.

There will be holes found in Longhorn, absolutely. But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn't yet (The OpenBSD guys appear to get it, but I’ve not seen any indications of this level of scrutiny associated with the other distributions).

The Linux guys will eventually, but they don't get it yet.

If you're going to argue that Linux/OSX is somehow safer because they're not popular, then that's relying on security by obscurity. And that dog don’t hunt :)

Even today, I'd stack a Win2K3 machine against ANY Linux distribution out there on the internet. And Longhorn's going to be BETTER than Win2K3.  After all, Longhorn’s starting with an amalgam of Win2K3 and XP SP2, and we’re enhancing system security even beyond what’s gone into the previous releases.

 

“Dave’s” comment #2 is the one I wanted to write about though.  Microsoft doesn’t place a higher emphasis on new forms of functionality than they do on security.  Security is an integral part of every one of our development processes here at Microsoft.  This hits every aspect of a developer’s life.  Every developer is required to attend security training, starting at New Employee Orientation, continuing through annual security refreshers.

Each and every new feature that’s added to the system has to be thoroughly threat-modeled, we need to understand every aspect that any new component can be attacked, and the kind of compromise that can result from a failure of each system.  If there’s a failure mode, then we need to understand how to defend against it, and we need to design mitigations against those threats.

Every test group at Microsoft is required to have test cases written that test exploiting ALL of our interfaces, by various means.  Our test developers have all gone through the same security testing that the other developers have gone through, with an intensive focus on how to test security holes.

Every line of code in the system is code reviewed before it’s checked into the mainline source tree, to check for security problems, and we’ve got a security push built-into the schedule where we’ll go back and re-review all the code that was checked in during the lifetime of the project.

This is a totally new way of working, it’s incredibly resource intensive, but the results are unmistakable.  Every system we’ve released since we started implementing these paradigms has been significantly more secure than the previous ones, Longhorn will be no different.

I’m not saying that Longhorn will be security hole free, it won’t be.  We’re human, we screw up.  But it’ll be orders of magnitude better than anything out there. 

Edit: Added the following:

By the way, I want to be clear: I'm not trying to denegrate the entire open source community.  There ARE people who get it in the open source community.  The OpenBSD link I mentioned above is a good example of a team that I believe DOES understand what's needed these days.

I just don't see the same level of rigor being applied by the general community.  Maybe I'm just not looking in the right places.  Believe me, I'd LOVE to be proven wrong on this one.

Edit: Replaced thread-modeled with threat-modeled :)

 

  • Larry, that's all Well & Good, but you didn't seem to factor in that 2005 will be the Year of Linux ;-).
  • "My response (updated and edited): Um Compared to what? Linux? Hands down, Longhorn will be more secure out-of-the-box than any Linux distribution available at the time."
    OK thats big... and brave I'd have said "AT least as Secure, possibly more"

    and I agree that

    "(2) MS still places a higher emphasis on new forms of functionality/interaction than they do on security. Yes, they have a greater emphasis on security than even one year ago, but their concern - at this point in the Longhorn product life cycle - is more on getting things to work and work well than it is to play devil's advocate and find all the security holes they can find."

    is out of date by at least 9 to 12 months...

    funny how folks keep saying things and fail to check and see if they are still true...
  • In reference to Windows 2003: I agree. We loaded a Windows 2000 system and pushed it onto the Internet, live, without a firewall. (Forget the stupidity of the situation. I'm not laying blame here, on my guys or Microsoft.) That box was compromised 48 hours later and was consuming our entire DS3 with traffic.

    I reloaded it using Windows 2003 and since we had just been destroyed, I was curious and ran the various security measures against it. Out of the box MSBA complains about a few things, but nowhere near the number that Windows 2000 has. I want to say there was two critical updates, one being the Slammer worm fix. Windows 2000 has a slew of vulnerabilities. Age has something to do with this, but I doubt that was the sole reason for a variety of reasons, including but not limited to later security scans.

    I used eEye's Retina to scan both operating systems as well. The Windows 2000 version of the box had been Windows Updated to the hilt, all service packs had been applied (SP4 for Windows 2000 and SP3a for SQL Server 2000). Retina still reported over twenty known vulnerabilities. (Disclaimer: all of these vulnerabilities were fixed and patches were available. Lazy administrators simply had to retrieve the patches.) Windows 2003 came up clean. The only complains Retina had was in regards to the open ports (80, 1433, 110, 25).

    I configured ICF on the Win2K3 box and even those complaints went away. (Although I want to strangle the person who decided that port ranges couldn't be opened in a single swoop. ;p)

    Security auditing turned on by default inside Windows 2003 let me see the return of the attackers. The ICF connection log let me trace everything they tried. I shot a quick report off to their ISP's abuse email and we've had no trouble since.

    I think Microsoft gets security. What folks don't understand is that it requires some work on the part of your administrators as well. If I were to list my biggest complaint about Windows security it would be that almost every security patch requires a reboot. I understand they are system files, etc., but can't we find some way ala ASP.NET DLL caching to avoid this requirement? Uptime is one of the biggest reasons you hear people say "I can't patch right now!" You've got to remove that excuse.

    So if Longhorn represents as great of a stride in security as Windows 2003 did, then I say "Great. Let's get the party started."

    (Note: How many would complain if hardening the operating system required Microsoft to nullify compatibility with a large number of applications? Can you imagine the screams of "Microsoft is just trying to make more money by forcing us to upgrade?!?")
  • Those capital letters on the title should have served me as a warning..
  • so will MS ever push for people not to run under Administrator by default? but then I can see that would probably confuse all the non tech savvy users, the same people who have a billion spywares running on their machines. :)
  • Daniel, I sure hope that Microsoft will. At a minimum, I'm REALLY hoping that we're going to lock down the administrator account on Longhorn's "home" SKU.

    It's utterly stupid that every home user runs as an administrator. The reason that this was done for XP was that too many things broke (mostly games) if the user wasn't an administrator, the hope is that by now most (if not all) of this has been fixed.


  • I saw your post on Scoble's blog and figured that it was somebody else spoofing you, seeing as it seemed a tad confrontational, which is not your style. Seeing you confirm that it WAS you must mean these accusations rile you up pretty good. To me that's sign that you guys are working hard at security. Trust me, those of us using Win2K3 know it's pretty solid. Good stuff.
  • Nope, it was me. My boss likes to say that I'm "forthright", which is really nice way of saying "A pain in the neck if he's pissed off".

    People keep repeating the "Microsoft doesn't get security, they want features instead of security" meme and it just frosts me.

    If we didn't care about security I wouldn't have had to spend 3 weeks last year doing NOTHING but code reviewing 15 year old multimedia code (this was NOT fun, it was written for Win3.1 and ported forward).

    If we didn't care about security, I wouldn't have had to carefully examine every one of the RPC interfaces used the audio subsystem on both XP SP2, Win2K3 SP1 AND Longhorn for potential problems.

    I can go on - but security is something I've felt passionate about for almost 10 years now, I'm ecstatic that Microsoft as a corporation feels even more strongly than I do about this.
  • "But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn't yet"

    The Linux/open-source doesn't yet get security?

    A single factual example that exposes the ignorance of that statement: Only within the last few years has Windows had any kind of implementation of file permissions (one of the basics of OS security), which Linux has had since the beginning (1991).

    As I see it, it'd be more realistic to state that Windows is finally starting to catch up with Linux in terms of security.
  • Actually, Windows has had file permissions since the very first release of Windows NT. It has been there "since the beginning".
  • Tom B:

    That depends on which file system you are taking about. NTFS has been around at least that long and it has file permissions. Security goes way beyond just file permissions.
  • Tom B: Um what?

    Permissions were built into windows NT since day one. In 1989, NT had working ACLs and a robust security system.

    And NT's ACL model provides orders of magnitude finer granularity than the *nix OWG permissions.

    Please note: Win9x and it's friends are NOT real operating systems IMHO, they're toys that should never have been deployed on the internet. They weren't designed to be robust, much less secure.

    And no, the *nix development community doesn't get security in general. They won't get security until the entire community does something like the OpenBSD team has (I did say that I think they get security): Rigerous code reviews instituted as a policy against every single check in; NX (or W^X) permissions on all platforms it's possible. Stackguard if it's not.

    Removing every single instance of the C runtime libraries string handling functions from the entire *nix source code (with the possible exception of strlen) would be a good start. The existing C APIs are too dangerous for them to be used in production code. See Michael Howards articles on the C runtime library here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp

    If you don't want to believe a Microsoft person, try here: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/library-c.html

    For Longhorn, we'll be doing the same thing - there will be NO C runtime library string functions in the Longhorn code base by the time we're done.
  • I just edited the article slightly to add a comment above to soften what may be perceived as a complete anti-open-source slant to the article.

    It's NOT my intent to denegrate open source people here. There are some extraordinarily talented people working in that community, and there are many people who absolutely do get security.

    I'm just trying to counter the people who seem to believe that Microsoft's still as clueless as it was two years ago before we started this whole security drive.
  • 1) And for how many years has NT been present in releases of Windows? It's not very relevant here how long NT has been around while it _hasn't_ appeared in a release of Windows.

    2) I guess our opinons differ on the meaning of "getting security."

    3) When did anyone say that I wouldn't want to believe a Microsoft person?

    4) I too believe that MS are buckling down in terms of security. What provoked my original reply was the part about Linux not getting security (written as though it's a fact, not an opinion).
  • 1) NT's been present in releases of Windows since 1993. I have the ship-it awards and boxes of packaged product on my shelves to prove it.

    2) Getting security: Putting processes in place to aggressively guard against security vulnerabilities instead of saying: "We're smarter than those idiots at Micro$oft, and besides our platform was designed with security in mind".

    4) I thought for sure I said it was an opinion above. And in general, I believe that the open source community doesn't. Linus might (I don't know), others on the kernel team might, but the open source community as a whole seems to be wholeheartedly embracing the "Many eyes make shallow bugs" fallacy (see the "Three unexpected results in software engineering" for some eye opening statistics on this one:
    http://www.vuse.vanderbilt.edu/~srs/three.unexpected.ppt) instead of facing up to the fact that there is no excuse for not engaging in rigorous engineering practices across the entire product.

    Every single line of code that goes into a *nix distro must be considered suspect, just like every piece of code that goes into Windows is considered suspect. The OpenBSD guys do this, why doesn't every *nix distro do it?

Page 1 of 4 (48 items) 1234