[ISN] Microsoft, Terrorism, and Computer Security

From: InfoSec News (isnat_private)
Date: Sun Dec 16 2001 - 23:02:29 PST


    Forwarded from: Aj Effin Reznor <ajat_private>
    By Oxblood Ruffin
    Posted: 14/12/2001 at 17:22 GMT
    Since 11 September the world has changed immeasurably, but some things
    remain the same. The single greatest threat to Internet security is
    still Microsoft -- not the soon to be Osama Haz Bin.
    Microsoft is not, of course, a terrorist organization. But its
    ubiquity on the desktop coupled with its poor track record in network
    security is a tested formula for international disaster.
    Security, from the structural perspective, is negative -- it's about
    denying actions or access or direct contact. Like a prophylactic, it
    prevents certain bad things from happening while preserving most of
    the benefits of interaction.
    At the heart of the security debate are two competing approaches:
    'security through obscurity,' in which it's hoped that concealing an
    exploitable defect will prevent exploitation, and 'full disclosure,'
    which works on the premise that forewarned is forearmed, and which
    most professionals now prefer.
    First, let's look at Microsoft's preferred way of dealing with
    vulnerabilities: security through obscurity.
    That was the norm during the early days of networks and computers. As
    researchers discovered problems they would alert the vendors without
    fanfare, and in the best of all possible worlds, the vendor would fix
    them before anyone got hurt. Microsoft became a big fan of this model
    because it was quiet and discreet and didn't contradict its marketing
    propaganda. However, there was little incentive for them to actually
    fix anything so long as it could all be kept quiet. No public
    pressure, no repercussions. Consequently, many serious vulnerabilities
    lingered for years.
    Increasingly frustrated by Microsoft's complacency, researchers began
    opting for the public-humiliation approach. As they discovered flaws,
    they began to make them known. Microsoft's PR department went into
    full gear, denying that problems existed or suggesting that they were
    merely hypothetical, but often there was simply more stalling.
    Finally researchers began what is known as full disclosure by
    publishing exploit code to prove that the vulnerabilities they caught
    were in fact real. Unable to continue sweeping its mistakes under the
    carpet, Microsoft initiated PR campaigns against "hackers", which it
    subtly equated with "criminals".
    Today, Microsoft prefers to brand full-disclosure proponents
    "information anarchists," and has even equated them with terrorists in
    an attempt to manipulate public anxiety after the 11 September attack.
    Microsoft continues to argue that by publishing exploit code the bad
    guys are given free attack tools. But this assumes that the bad guys
    didn't already know the exploit. Perhaps they did, perhaps they
    didn't. But when everyone knows, the playing field is leveled, secure
    computing best practices are elevated, and patches must be issued.
    Quite simply, full disclosure forces vendors to fix their products.
    It's a pity that they need this sort of prodding; but the historical
    record illustrates that they do.
    Sadly, many average users have suffered. Over the past several years
    Microsoft's security model has cost governments, the enterprise
    community, and home users anywhere from five to twenty-five billion
    dollars depending on whose tally one accepts. The ILOVEYOU virus,
    Melissa, Code Red, and a host of others have been the agents of this
    burden. As a result, millions of users have either lost entire hard
    drives or valued files, or worse, stood by helplessly as account
    passwords, private information, and personal images have been stolen
    from their computers and passed around by the Net's bottom feeders for
    pleasure or profit. If there were such a thing as data rape, this
    would be it.
    Corporations have spent incalculable sums purging their systems of
    bugs they should never have been susceptible to in the first place,
    while staff productivity plummets in a connected office whenever the
    machinery is off line. And downtime is serious money for any company,
    large or small, that earns its living only while connected to the Net.
    So why don't product liability laws apply to the software industry?
    How is it that one set of rules applies to the auto industry, for
    instance, but not to the information superhighway's largest purveyor
    of digital 'lemons'?
    Bear in mind that most, if not all, of this virtual mayhem was not the
    work of elite computer criminals. It was committed by bored teenagers
    who cobbled together attack scripts that continue to be traded around
    the Internet like baseball cards. And regardless of the misery they
    have caused and continue to cause, and despite the profane amounts of
    money they've cost their victims, Microsoft's spin has always been the
    same -- a sort of smile and dissimulate medley that exonerates
    Microsoft, blames 'hackers,' and promises a brighter tomorrow.
    But not everyone is disoriented by this smokescreen. In fact, the
    majority of security professionals are astounded that Microsoft has
    chosen to sacrifice security concerns to its marketing goals. Taken to
    a comic extreme, a real-world illustration of the software leviathan's
    modus operandi would play out thus: the next time a crazed junkie
    dives through your window looking for money or worse, skip the police
    and call a help desk staffed with minimum-wage dunderheads. Find that
    the frustration of this futile exercise overshadows entirely the
    emotional impact of your original complaint.
    If 11 September taught us anything, it's that everything is
    vulnerable, and often in the most blunt and simplistic ways. The
    massive Internet disruptions launched via Microsoft bugs over the past
    few years have been executed primarily by pimply amateurs. Does anyone
    actually believe there are no computer scientists who wouldn't love to
    find a place in heaven by exploiting the Great Satan's favorite
    software company? Microsoft's security through obscurity will only
    give these guys an exclusive advantage, because they'll find and use
    the holes that no one is expecting to be found.
    The virgins are calling....
    Oxblood Ruffin is Foreign Minister for the Cult of the Dead Cow (cDc),
    a well-known group of computer enthusiasts.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 04:14:42 PST