[ISN] Three Minutes With Security Expert Bruce Schneier

From: InfoSec News (isnat_private)
Date: Mon Oct 01 2001 - 03:11:37 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] BWI Airport website defaced"

    Kim Zetter, PCWorld.com
    Friday, September 28, 2001
    Bruce Schneier is founder and chief technology officer of Internet
    security firm Counterpane. He has written two books on cryptography
    and computer security, Secrets and Lies and Applied Cryptography, and
    is an outspoken critic of Microsoft and other software vendors that
    produce products that contain dangerous security holes. We spoke with
    him about who is responsible for software security flaws and what
    consumers can do about the growing problem.
    PCW: Are there more security holes in software, or are we just getting
    better at finding them?
    Schneier: Both. There are thousands and thousands of security holes in
    software. We are better at finding them, but there are many that we
    don't find. The problem is getting consistently worse. The basic
    reason is complexity. Complexity is the enemy of security. As systems
    get more complex, they get less secure.
    PCW: Why don't software vendors devote more time to testing products
    to find and fix security holes before delivering programs to market?
    Schneier: Because the marketplace doesn't reward security. A company
    like Microsoft could spend an extra year developing the next version
    of Windows--throw an extra 200 or 500 people at the program, testing
    it for security problems--but then the software would be a year late
    getting to market.
    PCW: Microsoft says it did this with Windows 2000. According to Scott
    Culp, program manager for Microsoft's Security Response Center, the
    company held back the operating system for so long in order to fix
    security bugs.
    Schneier: They said [Windows 2000] would be more secure than any other
    version to date. But there are more security holes in it than any
    other version of Windows.
    PCW: Why is it that hackers and security pros find security holes that
    Microsoft doesn't seem to be able to find?
    Schneier: It doesn't just happen to Microsoft. There are thousands of
    people looking for security bugs, so they're bound to stumble upon
    them. It might take days, weeks, months--there are just so many holes
    to find. I'm sure the software companies do some testing and find some
    holes, but they're not doing a lot. They'll tell you they'll do a lot,
    but they're not.
    There has to be a market incentive to provide security. Either you
    lose sales, or you get sued. But there is no such product liability in
    software. If Microsoft produces an insecure product and your data gets
    stolen, they are not liable.
    I think consumers should be livid about this. We would never stand for
    this in a stepladder or an automobile or an aircraft, yet we stand for
    this in software all the time.
    PCW: Yes, but no one's going to get killed by...
    Schneier: But people do get killed by software. It doesn't happen
    often, but there have been deaths from software bugs in medical
    devices. But usually you just read about Windows. Usually you just
    lose a lot of money. There's been an enormous amount of money lost
    because computers have failed. Where are the class-action suits
    against [companies like] Microsoft?
    PCW: But you've said that the more complex software gets, the more it
    will have flaws.
    Schneier: But there's a balance. The automobile manufacturers have
    managed to strike this balance. We get new cars every year, new
    features every year, yet there is liability. They're not going to give
    you a feature that they know isn't safe, even though it would be fun
    to have. So there is a balance, and that balance is struck over years
    through litigation, through laws and policies. The problem with
    software is that you just get one side--you just get features; you
    don't get reliability or safety or security.
    PCW: You talked about the fact that there is no forward learning in
    software; the same problems seem to be creeping up over and over
    Schneier: Buffer overflows are the poster child of why problems aren't
    getting better. They were discovered in the 1960s and were first used
    to attack computers in the 1970s. The Morris worm in 1989 was a very
    public use of an overflow, which at the time knocked out 10 percent of
    the Internet--6000 computers. Here we are 40 years later, and buffer
    overflows are the most common security problem. And that's an easy
    problem to fix. If you are a software vendor, there is zero excuse for
    buffer overflows.
    PCW: Is Microsoft good about fixing problems once they're discovered
    in its products?
    Schneier: They actually spend a lot more time paying lip service to
    security and not doing security. When a security bug is [found in a
    Microsoft products], they will deny it until it's made clear that it's
    PCW: Are you saying the Microsoft Security Response Center is not
    Schneier: If it's an easy fix, they'll fix it quickly and announce how
    good they are. If it's a hard fix, they'll tell you it's not a
    problem. That is, until they fix it, and then they'll tell you how
    good they are. Unfortunately, Microsoft treats security problems as
    public relations problems, and they'll do whatever they can do to get
    the most PR.
    PCW: Is full disclosure beneficial or harmful to security?
    Schneier: The full-disclosure movement appeared because companies were
    ignoring the problems with security holes or lying about them.
    Security professionals and amateurs would find a security flaw, alert
    the company, and the company would threaten them with a lawsuit and
    not fix the problem. Or they would send the vulnerability to an
    organization like CERT [the Computer Emergency Response Team at
    Carnegie Mellon University], which would sit on it for five months.
    So the full-disclosure movement was formed out of frustration. And by
    God it works. If you told Microsoft there was a problem a bunch of
    years ago, they would have told you to shut up. Nowadays they know
    they better fix it fast because it's going to be in the newspaper next
    In some ways full disclosure helps the bad guys, but it also helps the
    good guys. So it's double-edged. I think if we said we're no longer
    going to do full disclosure, the companies would go back to paying lip
    service and not care about it. So you need it to keep the pressure on.
    Right now what the community has settled on is alert the company, give
    them reasonable notice, and then announce the vulnerability. And that
    seems to be working.
    PCW: Many bug finders provide exploit code with their vulnerability
    announcement. Why give a warning to users about a hole and at the same
    time give hackers a tool to exploit it?
    Schneier: Because, unfortunately, many companies say, Well, that's a
    theoretical vulnerability but it doesn't actually work.
    PCW: You could just send Microsoft the exploit to prove the hole is
    not theoretical and not post it publicly where everyone can get it.
    Schneier: But then [the vendor] will lie. They'll say they never
    received it or they tested it and it didn't work. You're assuming that
    the companies are being honorable, and they're not.
    I don't like the fact that vulnerabilities get in the hands of script
    kiddies who exploit them. I would prefer if we could announce the
    vulnerability, we wouldn't explain the details, the company would fix
    it, and all would be good. But that's not always the way it happens.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 14:27:57 PDT