[ISN] Security gurus welcome Microsoft's goal

From: InfoSec News (isnat_private)
Date: Thu Jan 17 2002 - 23:18:29 PST

    http://news.com.com/2100-1001-817849.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    January 17, 2002, 3:45 PM PT
    
    Security experts hope that this time Microsoft really, really means
    it.
    
    A memo from Chairman Bill Gates, leaked Wednesday, exhorted Microsoft
    employees to make the company's products more secure and stated that a
    new initiative, which Gates called "Trustworthy Computing," is now the
    software giant's top priority.
    
    The initiative, Gates wrote, aims to make computing and the Internet
    "as available, reliable and secure as electricity, water services and
    telephony."
    
    While security experts gave Gates' message high marks, they withheld
    judgment on whether Microsoft--which has been pasted by a series of
    high-profile security blunders over the past year--can deliver.
    
    "This gives me more hope," said Chris Wysopal, director of research
    and development for security company @Stake. "Nothing is a cure-all
    solution, but when you say we have an organization focused on getting
    security into different product groups, that's got to help."
    
    Gates' message comes as Microsoft is betting its future on its .Net
    effort, an attempt to give consumers secure, easy and round-the-clock
    access to businesses via the Internet. Without better security, the
    software titan will have a hard time convincing developers, businesses
    and Web users to start using the new services, Wysopal said.
    
    "Because of other (incidents) in the past, they have to make their
    software more secure if .Net is going to make it," Wysopal said.
    
    Recent problems with Passport, the Microsoft Network and the company's
    Windows Update service--all considered embryonic versions of future
    .Net services--have angered consumers and caused security experts to
    wince.
    
    And past initiatives have not delivered spectacular results, either.
    Despite Microsoft's Secure Windows Initiative and its Strategic
    Technology Protection Program, the company fell afoul of a major
    problem with its flagship Windows XP software. Microsoft has touted XP
    as its most secure operating system ever and intends to push it as the
    gateway to .Net.
    
    While the company's new focus is welcome, some in the security
    community remain cautious. Microsoft--a company found to have abused
    its monopoly power--isn't exactly the poster child for
    trustworthiness, and some are wary of the new initiative.
    
    "This comes from the same vendor that tried to settle an antitrust
    suit by finding a market segment they couldn't penetrate and giving
    their product away for free" in that market, said David Dittrich,
    senior security engineer at the University of Washington, referring to
    recent wrangling over the company's proposed "schools settlement."
    
    In that instance, the company pitched its proposal as a charitable
    solution that would provide free software to needy schools. But
    competitors characterized the move as an effort to monopolize the
    education market.
    
    Similarly, some wonder whether the new security initiative can be
    taken at face value. And even if it can, some are concerned it could
    wind up having a downside.
    
    Dittrich points to the company's initiatives to hush up the disclosure
    of certain information about vulnerabilities in its products and says
    that, arguably, such an attitude can aid hackers and run counter to
    the interests of security.
    
    Security experts and hackers who find bugs in software usually release
    the information to the public after notifying the program's creator of
    the flaws. However, the security community has long argued about how
    much information should be given, since malicious hackers could use
    details to write tools to help them break into computers using the
    flaw.
    
    In November, Microsoft and five security companies announced they had
    formed a group to create a policy for ethical disclosure of such
    information.
    
    "They should want their employees to know as much about a
    vulnerability as possible," Dittrich said.
    
    Such apprehensions aside, though, security experts said it's a welcome
    signal that Microsoft is now taking security seriously enough to give
    it priority over new features.
    
    "It's about time," said Mark Maiffret, chief hacking officer for
    network protection company eEye Digital Security. "This is something
    that Microsoft and other companies have needed to say for a while:
    Security needs to come before features."
    
    eEye discovered the major hole in Microsoft's Web server software,
    Internet Information Services (IIS), that online vandals used to
    spread the virulent Code Red worms, and a serious hole in the
    Universal Plug and Play (UPnP) service of Windows XP that could have
    been exploited by Internet attackers to gain control of any person's
    PC.
    
    "Finally," Maiffret said, "there is a wake-up call out there that
    security needs to come first."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Jan 18 2002 - 08:30:22 PST