lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <402C1FEF.32001.3E97934@localhost>
From: rslade at sprint.ca (Rob, grandpa of Ryan, Trevor, Devon & Hannah)
Subject: Security Watch Essay 

From:           	"roberta bragg" <freouwebbe@....com>
Date sent:      	Thu, 12 Feb 2004 01:05:30 -0600

>  What gets published in any publication is usually an
> editorial decision.  Then again,
> they have to have something to choose from.  If no one writes anything, then
> the editors have to scramble. No telling what they'll do. No telling what
> they'll publish.  

Oh, a thrust!  A palpable thrust!  We are cut to the quick!  If we do not fall in line 
with this exercise in cheap fodder-feeding, then there is no telling *what* they 
might say!  They might [*shudder*] say that we all *trust* Microsoft!

> Long before I became a writer I spent a couple of decades paying dues:  I
> was a keypunch operator, FORTRAN, Cobol, C, C++, LISP, Delphi, dbase, VB,
> Prolog, etc. programmer, project leader, systems analyst, computer
> salesperson, teacher, consultant, network admin, systems admin, graduate
> student in computer science, whatever. Was doing computer security before it
> was kool.  You?  

Oh, come, Roberta!  Surely you can do better than that!  *My* bio includes such 
irrelevant fluff as paper boy (sorry, paper small person), cook, and hovercraft 
skirt repair technician.

> No, my comment "if you believe ... Is a pro MS publication"  was not meant
> to claim that it was an anti ms publication,, or even a neutral one..but to
> ask that anyone who saw it as a publication that would only publish pro-MS
> content --- take the opportunity to write something anti-MS and see it
> published. 

Very well, then.  In debating terms, we have been asked to defend the statement 
that, as Keith put it, "Microsoft just doesn't "get it" when it comes to security."  
The reasons are many and varied.  It is probably impossible even to state them 
within the restricted scope of a thousand words (the insecurity that launched a 
thousand essays?), let alone present the necessary structure, framework, flow, and 
supporting backup.  But let us commence, at the very least.

You will, of course, expect me to parrot the recent paper on monolithic culture.  
"Least common mechanism" and "separation of duties" are standard security 
principles, and "requisite variety" is a maxim of ecology, so lets just take that as 
read, and say it's old news.

Security is currently a bit of a fad, in the market-place, and definitely within 
Microsoft.  Microsoft is rather big on following fads.  This is easy enough to see 
when you are extremely old.  I remember "Bob."  I remember OS/2, and when MS 
and IBM were best buds.  I remember Microsoft Anti-Virus.  I remember Windows 
1.  I have seen the Trusted Computing Platform initiative (a hardware based PKI 
with no provision for certificate revocation) and Palladium.  I have seen fads 
come and go at Microsoft.  I have very little expectation that Microsoft has the 
sticking power necessary to do the long, hard, boring work required to produce 
programs, mindset, and corporate culture central to real security.

Security isn't a "one-off" deal.  It takes time.  And when you are retrofitting, it 
takes exponentially greater time.  I'm not just talking about retrofitting products 
and systems, although that is true as well.  I'm talking about retrofitting the 
company itself: the practices, procedures, the mindset, the attitudes, the official 
policies, and the unofficial and unwritten ones that actually rule what goes on.  I 
am reliably informed that Microsoft has had an official policy, for at least the 
past eight years, stating that all input buffers must be crafted in such a way that 
the dread buffer overflow is a thing of the past.  (It can be done.)  And yet we see 
buffer overflow conditions being introduced time after time.  These are not old 
buffer overflows inherited from legacy code, either.  Just this week we have seen 
the release of a patch for yet another buffer overflow.  Actually, I don't have to 
install this patch.  Dinosaur that I am, I am using a really old version of Windows.  
The vulnerability was introduced in a file that was released (irony of ironies) as a 
security patch that was developed long *after* my version of Windows.  (After 
the last service pack for my OS, come to that.)

(There has been much discussion, in regard to the latest ASN.1 buffer overflow, 
about the delay of six months in releasing the patch.  Unconciously borrowing a 
line from John Calvin, a Microsoft apologist has said that this delay proves 
Microsoft is committed to security: look at how long they took to test the patch! 
It took that long to fix because every part of Windows, and every application, 
affects every other part.  Excuse me, but that is yet another nail in the Microsoft 
security coffin.  Simplicity is security.  Least common mechanism is security.  
Complexity, obscurity, and labyrinthine structure are problems.)

Let's go back to retrofitting.  Security is really an add-on to Microsoft products.  
Yes, in the operating systems based on NT (2K, XP, 2003) you can see the traces 
of the VMS security core (as well as increasing accretions of UNIX ideas).  But 
there isn't the central security framework that there was in VMS and is in UNIX.  
Secure operating systems (and secure systems, come to that) have a clearly 
recognizable and identifiable security structure, simple and elegant.  Windows, and 
other Microsoft products, have an ad-hoc collection of security-related gizmos 
and gadgets.  This includes, strangely enough, the various security management 
tools.  The simple fact that there are so many tools for managing security is 
rather telling.

Which leads to a rather major point.  Security is a people issue: always has been, 
always will be.  The Microsoft user interface with regard to security, on pretty 
much every product, is a nightmare.  Important settings are buried in a bewildering 
variety of locations.  Explanations available in regard to the effect of various 
settings are incomplete at best, and frequently misleading.  Products are 
configured, and patches are issued, with a "trust us, we know best" attitude.  To be 
most charitable about the ultimate outcome of this position, it completely ignores 
the fact that people have different needs with regard to security.  More 
realistically, some of the choices defy any kind of reasonable explanation.  A 
while back, Microsoft's answer to an early version of the "iframe" vulnerability 
was not to disallow auto-execution of programs, but to delete, without reference to 
the user, any file with an executable extension.  More recently, the response to 
malformed or obfuscated URLs was not to inform the user, but to disallow the 
"username:password" structure that had become commonly used--and then, 
without much fanfare, to reinstate the capability.  The tortured logic underlying 
these decisions has to relate, in some way, to the interface design that seems to 
completely ignore any studies in human factors engineering.

Can Microsoft products be made absolutely secure?  No.  But then, neither can 
anything else.  Can Microsoft products be made secure enough?  Yes.  Is it 
difficult?  Yes indeed!  Is Microsoft working on security?  Currently, indications 
are that Microsoft is.  Does Microsoft "get" security?  History and current actions 
demonstrate that Microsoft has made, and is making serious and basic errors in 
regard to security design and practice, and, overall, one has to say that Microsoft 
still hasn't got it.


Finally, in keeping with my total lack of talent, and even literary knowledge, 
excuse me while I butcher at least two famous poems:

How do I distrust Microsoft security?  Let me count the ways:
Thou art constant, in thine affections, as an anopheles mosquito.
Thou art bigger and more uncaring than the government.
Thou art clear as mud ...


======================  (quote inserted randomly by Pegasus Mailer)
rslade@....bc.ca      slade@...toria.tc.ca      rslade@....soci.niu.edu
You see things; and you say, 'Why?' But I dream things that never
were, and I say, 'Why not?'                    - George Bernard Shaw
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ