Michael Howard's Web Log : Rant

Kim Cameron on GOOGs single sign on design vulnerability

michael_HOWARD — Mon, 15 Sep 2008 16:25:00 GMT

I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.

The First Step on the Road to More Secure Software is admitting you have a Problem

michael_HOWARD — Thu, 21 Feb 2008 17:31:00 GMT

I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones' vulnerability analysis and the lack of security progress by our competitors.

"Open-source projects certified as secure" – huh?

michael_HOWARD — Fri, 11 Jan 2008 04:35:00 GMT

I really got a chuckle out of this news item, especially this line:

“Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.”

So we finally have the security silver bullet!

Run this tool on your code, fix the bugs, and you’re secure (and maybe unbreakable?!) I don’t think so.

There are three big problems with this line of thought:

First, the security bugs found are only the security bugs found by the tool, and that list is always smaller than the list of all bugs.
Second, it assumes that any new code or code changes are bug free. Which may or may not be true. In my experience, it is rarely true that new code is utterly bug free if you don’t take a holistic, process-oriented view to security.
Third, and this is probably the most important, at best the tool understands a subset of today’s vulnerabilities; that could all change tomorrow when a new class of vulnerability or a subtle variant is found.

The last point is important; security is a constantly evolving environment, and that's why we update the SDL regularly, to improve the process as we learn of new threats and design new defenses and mitigations.

Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code "free of security defects."

Common Criteria: Is it Safe?

michael_HOWARD — Fri, 21 Dec 2007 00:02:00 GMT

My colleague, Eric Bidstrup, has posted a thought provoking commentary about the Common Criteria. I think it's fair to say Eric is simply voicing what a great many people think about the (lack of) value of CC.

Recent CRN Article comparing Windows XP SP2 and Windows Vista

michael_HOWARD — Sun, 03 Jun 2007 16:04:00 GMT

Jeff has a post about the recent CRN and Ars Technica articles comparing XPSP2 and Vista security.

One thing I love about Jeff is he's blunt. Damned blunt.

Security Education v. Security Training

michael_HOWARD — Fri, 04 May 2007 06:49:00 GMT

David Ladd, a partner in crime, has just made a post on the SDL blog about Security Education. He starts:

"There has been a lot of hoopla lately around "secure programming skills" – with not-so-thinly veiled condemnations of academicians and the role of the university in addressing the IT security problem."

It's a very interesting, and thought provoking post.

My Take on Windows Vista Security “Vulnerabilities”

michael_HOWARD — Sat, 17 Mar 2007 03:04:00 GMT

I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them with an opposing and cynical view! Here goes.

If there was no new TCP/IP stack in Windows Vista.

In Windows Vista, Microsoft ~~rewrote~~ retained the ~~entire~~ TCP/IP networking stack that is built on the existing networking stack found in Windows NT 3.51, some of which dates to the original TCP/IP add-on for MS-DOS. While ~~this is probably a good thing long-term~~, improvements have certainly been made to this code, the shaky security foundations of this code ensure ~~because~~ ~~this is new code,~~ we can continue to expect a host of new vulnerabilities ~~as the code is tested~~.

If we had never done UAC

In Windows Vista, Microsoft has not done anything ~~introduced User Account Control (UAC)~~ that helps users recognize when they’re taking administrative actions on their system. Because of this, ~~While this is a step in the right direction in fostering limited privileges, UAC doesn’t work because it raises too many prompts: users will just get used to clicking OK and~~ malicious code will continue to be loaded on user’s systems.

A little more context about the Sticky Keys ‘vulnerability’ article

In Windows Vista, it’s possible for a user with administrator privileges to replace the executable for “Sticky Keys” sethc.exe with another file and call it at the logon screen when they’re at the system’s console. Vista’s Trusted Installer makes this more difficult, but you can get around this by running commands on the system as a user with administrator privileges and change the permissions on the file. However, Aa user with administrator privileges who is at the system’s console could also log on and ~~could use this to~~ add a new user to the system and add them to the local administrators group.

Perhaps I’m just getting old and grumpy!

UAC BS

michael_HOWARD — Fri, 09 Feb 2007 00:30:00 GMT

Howdy once again from RSA. It's raining. So much for sunny California!

Jeff and I just gave our talk about Windows Vista Security Engineering. It was a packed room. In fact, when we got to the room we saw a bunch of people milling around outside. We went to the door to enter and we were told we could not enter because the room was full. We thought the previous talk had yet to finish, but we were wrong, it was filled with people attending our talk. We asked if we could enter because we were the speakers, and again we were told, "NO" Then Jeff said, "seriously, we're the speakers." So they let us in. So much for security!

Anyway, back to the topic at hand.

There is a great deal of FUD about UAC. Yeah, it was very chatty in beta 2, but we really made a great deal of progress for the final release of Windows Vista. In general, it's a little chatty at the start, but once you settle in, install the apps you need, and the printer drivers and so on, it's pretty quiet.

But there is a perception that it's still very chatty. Here's a case in point. I bumped into a guy I haven't seen in a couple of years (let’s call him Xx) , here’s how the conversation went.

Me: How’s things?
Xx: Good, you?
Me: Kids doing well?
Xx: Growing up! How are Blake & Paige?
Me: Getting into my computers, read my blog.
Xx: What's new? Things going well with you?
Me: Excellent, we shipped Vista. Yay!
Xx: It’s ok.
Me: Waddya mean?
Xx: Too ‘noisy’?
Me: Waddya mean?
Xx: too many pop-ups.
Me: Like what?
Xx: UAC stuff
Me: When do you see the pop-ups?
Xx: all the time
Me: When?
Xx: When I do stuff
Me: Like what?
Xx: everything!
Me: like when? I probably get two prompts a day – and that’s only ‘coz I do geeky stuff. Gimme specifics
Xx: like right when I logon
Me: we suppress prompting on logon/startup, and fail the app load, you will see no prompts as you logon.
Xx: oh.

At this point Xx had a sheepish look...

Perception != Reality.

What is it that makes security hard?

michael_HOWARD — Sat, 03 Feb 2007 03:20:00 GMT

I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or my favorite variant, “what the heck keeps you interested in security when it seems you’re fighting a ‘no-win’ battle?”
First, there is little agreement around what constitutes a “security bug” so I’ll leave that subject for another day!
Next, I’m no expert on the science behind reliability or scalability, so I’ll take it at face value that when people say these issues are “understood and solvable” and they are being honest.

So what is it that makes security hard?

It’s simple:

Scalability and reliability issues are man-vs-machine and machines are stupid.
Security is man-vs-man and humans are intelligent.

This security stuff is an ongoing arms race and chess game, and each side is constantly trying to outwit the other. We raise the bar, and the attackers then spend time trying to defeat that bar. So we raise the bar again, and so on. With reliability and scalability, we can understand the “adversary” and that’s that. The "enemy" won’t adapt to defeat you!

To be honest, it’s this on-going intellectual battle that keeps me coming back to security, but it also means that no-one will ever build 100% secure computer products and this why we update the Security Development Lifecycle (SDL) twice a year as we learn new attack and defense techniques.

A couple of interesting security blog posts

michael_HOWARD — Sat, 20 Jan 2007 01:09:00 GMT

Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining Secunia Unpatched Warnings - Part 3

I have to concur with Kai: People like this just frost me: Security considered a burden for users

My Take on Visual Studio 2005 SP1 and Windows Vista

michael_HOWARD — Fri, 05 Jan 2007 01:51:00 GMT

Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005 SP1 requires admin privileges to run on Windows Vista, and pops up a dialog saying so when it starts up.

So, here’s my take, and I don't work for the Developer Division!

VS2005SP1 was developed while Windows Vista was being developed, and because of potential late-breaking regressions in the OS (which can happen), the VS team decided to simply do what most service packs do – fix bugs that stop people doing their jobs. Now that Vista has shipped, the VS team is working on an SP1 that works better as a non-admin on Windows Vista, and this is goodness.

Now to the pop-up that recommends you run as an admin. In my opinion, the VS team was simply being very conservative, because some scenarios simply do not work well as a non-admin. For example registering a COM control, installing or debugging a service, or performing admin tasks against SQL Server and so on all require elevated capability, as they very well should!

I probably spend 75% of my time writing and debugging C++ code, 20% of the time using C# and 5% doing SQL, and I always run as a non-admin. In fact I ran as non-admin for prior versions of Visual Studio on Windows XP! 99% of what I do works perfectly well. For the 1% of the time I need to do some admin task, I run an elevated VS.

In closing, the dialog is a little alarming, just do what I did – uncheck the option to display the dialog box and get on with life :-)

One more thing, the VS team has provided a list of known issues with VS on Windows Vista.

NNNNNOOOOooooo......!

michael_HOWARD — Thu, 24 Feb 2005 05:28:00 GMT

From "Making Windows XP Start Faster" at http://www.pcmag.com/article2/0,1759,1768883,00.asp

Two of the services listed under "Stopping Unneeded Startup Services"

Automatic Updates: This service enables Windows XP to check the Web automatically for updates. If you don't want to use Automatic Updates, you can disable the service. You can always check for updates manually at the Windows Update Web site.

Windows Firewall/Internet Connection Sharing: If you do not use these features, you can disable them.

NNNNOOOOOoooooo....!