Re: [ISN] Microsoft developers feel Windows pain

From: InfoSec News (isnat_private)
Date: Tue Feb 12 2002 - 00:50:07 PST

    Forwarded from: Aj Effin Reznor <ajat_private>
    Apologies (well, kinda) for the length of this one.  At least a week's
    worth of mediadung have built up and the dam now bursts ;)  -aj.
    "InfoSec News was known to say....."
    > As an historical tidbit: Steve Lipner is one of the authors of the
    > Orange Book.
    That thing that MS wants people to believe that they conform to? :)
    > As a comment: Security as an imposed focus for Microsoft is heaven
    > sent, you heard me, heaven sent.  Consider, as we
    No, not really.  The concept at its most base and *simplistic*
    level, yes.
    But, what "security" will come of it?  Will MS "embrace and extend"
    the way they have so many other things, and wind up breaking more
    protocols (Kerberos, anyone?) and further complicating integration?
    Will they allow secure, SSH based communications to remote servers,
    but only from other like-blooded servers running their /special/
    implementation of SSH?
    I've seen much discussion about this flying around since it was first
    announced by Bill The Gates, but I've seen little done to question
    exactly how MS is going to define this new security they will be
    producing, because let's face it, *we* [1] know that security is a
    process, and a procedure, and not a product.  For MS, it will be a
    feature, at least until they find some way to put security on a CD and
    slap a price tag on it. [2]
    I'm certain (as in, would put money on it) that MS is going to both
    botch and bastardize this plan of attack.  I'm very much in agreement
    with *hobbit*'s (or is it *hobbit's* ? :) mail on this subject.  I
    mean, let's look for a moment at some of the content of the original
    	"Under a new push to secure software code and convince 
    customers that security is a top priority, Microsoft is putting its
    Windows developers, testers and program managers through a crash
    course in secure programming."
    The words "crash course" don't belong in the same sentence, paragraph,
    nor entire damn article about "security".  Anyone else see humour in
    MS coders and "crash" courses?  Would this perchance decrease
    stability further? :)
    	"Over the next month, the software giant's security-assurance 
    group expects the training to pay off as more than 70 developer teams
    audit the various software components that make up Windows XP and the
    upcoming Windows .Net server operating systems."
    It would appear this "assurance group" has high expectations for...
    well, something they realistically shouldn't.  MS products are
    routinely found to be replete with buffer overflows, among a sundry
    collection of other faults and vulnerabilities.  I know this is review
    for just about everyone here with a clue, but it seems that MS is
    missing the obvious:  Give up on fixing something which has been not
    repaired but largely constructed from gaffer's tape, and start from
    scratch.  It's the *only* way they stand a chance of getting it right,
    but even then I don't suspect they'd get it right with a complete code
    rewrite anyways....
    	"To keep the momentum rolling, after each team finished
    training, it had to draw up a plan of action for completing a review
    of any piece of software for which the group was responsible. In
    total, Howard and his group have received more than 70 plans detailing
    what teams are going to do throughout February to secure their piece
    of the Windows operating system.
    	"Every group that contributes to the CD has drawn up a plan to
    mitigate security risks," Howard said. Key to the plans is a measure
    of success--how the groups will know when they are done, he added."
    I suppose what really bothers me here is that MS is doing rapid
    security "training" and then these people, who wrote insecure software
    in the first place, are then the same ones writing their gameplan to
    fix it.  Ummmm, who's checking the homework here?  There's no mention
    of this, and I feel rather strongly that the people that are cranking
    out inherently insecure software are the ones tasked to fix it...
    chances are it won't be getting fixed too well the first few times
    around.  Curious, if this whole initiative bombs as poorly as I
    suspect it will, and MS products are still found to be rather swiss
    cheesey, how long til MS scraps the whole thing, and denounces
    "security" as being "something hyped by the media, which (we) found
    that the consumers really actually had no interest with in the first
    place" ?
    Finalizing with the original article:
    	" "Every group that contributes to the CD has drawn up a plan
    to mitigate security risks," Howard said. Key to the plans is a
    measure of success--how the groups will know when they are done, he
    Hell, either they didn't *care* if it was written to be secure in the
    first place, or they didn't know.  I refuse to accept that the apathy
    (or uneducation) that allowed MS products to devolve into what they
    are will be able to recognize and correct their own errors.  How
    *will* they know when they are done?
    > (*) Disclaimer -- I am a security guy and I could not be
    > happier for both personal and commercial reasons.
    [1]  "We" being any competent security practitioners
    [2]  I often joke that the blank disc on a stack of bulk CDs is
         the book "All We Know About Security" from Microsoft Press.  
         How long til they actually have an offering?

    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 04:46:50 PST