http://www.theage.com.au/news/soapbox/security-is-not-a-pr-problem/2005/10/21/1129775950797.html

By Sam Varghese
Comment
October 22, 2005

    (Microsoft general manager for security George) Stathakopoulos takes pride in the achievement (number of security bulletins issued), as when he notes that he has been involved in shipping more compact discs - Windows software - than the Beatles, Rolling Stones and Madonna combined.
    - The New York Times

-=-

Initially, one could well be forgiven for thinking that the sentence above was drafted by some spinmeister. It is the last bit of a tale about a meeting Microsoft held recently with independent security researchers, most of them former black hats. The meeting is called a Blue Hat briefing. This is the second such publicised meeting, part of a media offensive to spread the idea that Microsoft is taking security seriously.

The reality is different. In January 2002, Microsoft announced what it called the Trustworthy Computing Initiative. The term was trademarked, a paper was published and everyone was made to feel that the company would be taking steps to improve the abysmal security of its products. The years 2000 and 2001 were horror years for Microsoft, with one worm after another affecting one product or the other and users taking a beating as the malware wreaked havoc.

Nearly four years on, it doesn't look like too much has changed. There is, and has been, a lot of talk, but the company still appears to treat security as a PR issue, much as it did before the trademarking of TCI. Security holes continue to appear in Microsoft's products as frequently as before - sometimes even more frequently - and the only reason large-scale disruption is no longer visible is that those who exploit the flaws are nowadays geared towards making money. A worm that knocks out networks draws attention; a quietly compromised machine does not. The trend now is more or less uniformly towards using vulnerabilities for pecuniary gain - for example, by turning compromised machines into zombies that can be used to attack targets.
It is relatively safe to do this: a company whose online business has been held to ransom by the threat of such an attack is not going to complain publicly. Once a company that does business of any kind online is known to have poor security, its business prospects often lessen dramatically. One of the more recent examples is CardSystems, a US company handling credit card validation. A leak of card numbers earlier this year has hit the company badly and it is now about to be taken over. The company was running its databases on Microsoft's operating systems.

Because victims keep quiet, the extent of electronic fraud remains largely unknown, and companies such as Microsoft are able to boldly claim that flaws in their products are not known to have been exploited. Yet it is easy to find on the web - at times on password-protected sites - and in chatrooms exploit after exploit for common vulnerabilities that have yet to be patched. eEye Digital Security has for years been informing the public [1] about holes in Microsoft's products that have been reported to the vendor but not yet fixed. Right now there are many on that list, some pending for nearly seven months. That the company will not patch these flaws is not surprising; after all, the security advisory site Secunia estimates that fully 30 per cent of the 70 Internet Explorer flaws it has posted since 2003 remain unpatched.

Security through obscurity is not possible these days, so security through denial is practised instead. One way of avoiding the obvious is meeting people from the black hat community who have gone into business for themselves and are no longer crackers - these meetings are apparently meant to indicate that Microsoft takes security seriously. The Blue Hat briefings have got their requisite publicity through largely unquestioning media outlets, but whether anything positive actually happens as a result is largely unknown. It looks like a means of getting people who could be a problem on-side.
And there is, of course, the positive spin that publications, often so-called reputable outlets such as the New York Times (which firmly believed in the existence of WMD in Iraq), provide. The quote at the start of this piece is one such example - it's cute. It fudges the fact that security is precisely where it was in 2002 and, in fact, is much worse. Counting shipped discs or issued bulletins measures volume, not whether the code has got any safer.

The future direction that Microsoft will take has been indicated by its choice of executives with strong business and marketing backgrounds to head the three divisions of the company, following a reorganisation last month. The last genuine techie among that crowd, Jim Allchin, will retire next year. And the goal of the restructuring? To get products to market faster. Not better products, just ones that can come off the conveyor belt faster.

The next version of Windows will surely be more secure than its predecessors. And I believe strongly that Santa Claus will bring me that new laptop for Christmas.

[1] http://www.eeye.com/html/research/upcoming/index.html

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Fri Oct 21 2005 - 13:33:07 PDT