Barry Shulak wrote:

> I enjoyed Gene Spafford's presentation at last Friday's CRIME group
> very much. I've been to three meetings so far, and I'm impressed with
> the cumulative knowledge and experience of the people I've met so far.
>
> One thing about the CRIME group strikes me as curious, however. I
> detect an interesting pattern during meetings. Typically, someone
> makes a critical or disparaging remark about Microsoft, and people
> start nodding, smiling knowingly, and offering comments of their own.
> This phenomenon ripples like a wave throughout the room. Now, please
> don't misunderstand. Microsoft has its problems, to be sure, but it's
> not the great Satan. I've wondered for a while if anyone in the
> security industry has anything good to say about Microsoft.

Begging to differ, but yes, they are the great Satan :) Microsoft has been systematically holding back the trailing edge of technology for 20 years. Apart from their systems being generally dreadful, and their marketing practices outright illegal on many grounds, their security is especially bad.

> Last week my boss, Andrew Plato, called my attention to an opinion
> piece by ISS chief information architect Rob Graham titled "Security
> is a Superstition." We know Rob quite well, because we worked with him
> and his developers since before Network ICE was acquired by ISS. Rob's
> opinion is very thoughtful and well-written. While acknowledging, as I
> have, that Microsoft has its problems, Rob actually (gasp!) defends
> Microsoft. He does a good job of putting criticisms of Microsoft into
> perspective. Take a look, I think you'll find it interesting.
>
> http://www.robertgraham.com/journal/020210-superstition.html

That is the most spectacularly ill-founded article I have seen in a long time. He is essentially arguing exactly the opposite of the principles that Spaf presented last week. Bugs happen.

You can use diligence to minimize the rate of vulnerabilities in your software, but it's expensive, and never really eliminates them. Secure design is where you architect your system to minimize the potential risks when vulnerabilities (or misconfiguration, or configuration error, or intentional insider abuse) do happen.

That's the problem with Microsoft systems. They have (approximately :) the same rate of software vulnerabilities as anyone else. The problem is that MS designs systems in gross violation of the Principle of Least Privilege:

* The mail client (Outlook) trusts scripts attached to incoming mail. This is the most dangerous way in which viruses propagate. The #1 biggest thing you can do to secure your company is to mandate that no one can use Outlook as a mail client. Choose any other mail client, it doesn't matter which one: they are all more secure than Outlook.

* Word similarly trusts documents: open a document, and the silly thing runs the macros that came with it. Poof: now all the documents that you casually exchange need to be examined to see if they contain malicious code.

* Applications run as "administrator":

  * The really bad old operating systems (Win3.1, Win95, Win98, and WinME) had no concept of privilege at all: any program running on the box had total authority to hack anything on the system. That's why they're fragile and vulnerable as hell.

  * The newer operating systems (NT, W2K, XP) are much better. They actually have a privilege model. The problem is that the applications don't, and so people casually run things like Office, IE, and Outlook as Administrator, again giving the application (and whatever viruses and exploits have hacked it) total authority to hack the entire system. You have just taken the security advantages of these better operating systems and thrown them all away.

I'm not sure what Robert Graham has been smoking; he's not normally this silly.

He's essentially advising you to systematically do exactly the wrong thing everywhere. Yes, it's true that security is at odds with convenience: it must be, because it is the business of saying "no" sometimes, so it is necessarily less convenient. Good security design (the Principle of Psychological Acceptability) accounts for this, and works hard to make sure that legitimate users see the "no" answer as rarely as possible. What Graham is suggesting is to throw up your hands and just disable security because it is too annoying. If you follow that advice, you will deserve what you get.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.    http://wirex.com
Security Hardened Linux Distribution:          http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
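An added example, not part of Crispin's post nor anything WireX shipped, for the first bullet above (a mail client that trusts scripts attached to incoming mail): a gateway or client-side policy check that refuses to hand script or executable attachments to an interpreter, matching on every suffix so double extensions such as "report.txt.vbs" are caught. The extension list, function names and the sample message are my own constructions.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment suffixes that must never be executed automatically by a mail
# client. Illustrative set; extend it for your own environment.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".exe", ".scr", ".pif", ".com"}
# Content types that declare executable/script payloads regardless of filename.
EXECUTABLE_MIME = {"application/x-msdownload", "application/hta",
                   "text/javascript", "application/javascript", "text/vbscript"}


def risky_attachments(raw_message: bytes) -> list:
    """Return (filename, content_type, reason) for every attachment to block.

    The policy is "deny by default for anything an interpreter would run":
    the mail client should only ever see the remaining parts.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload themselves
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()  # already lower-cased by the email package
        # Look at *all* suffixes, not just the last one, so "a.txt.vbs" is flagged.
        suffixes = {"." + s for s in filename.lower().split(".")[1:]}
        if suffixes & SCRIPT_EXTENSIONS:
            findings.append((filename, ctype, "script/executable extension"))
        elif ctype in EXECUTABLE_MIME:
            findings.append((filename, ctype, "executable content type"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: benign body, a double-extension VBScript
    attachment, and a harmless text attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Quarterly report"
    m.set_content("Please see the attached report.")
    m.add_attachment(b'MsgBox "hello"', maintype="application",
                     subtype="octet-stream", filename="report.txt.vbs")
    m.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in risky_attachments(build_sample()):
        print(f"BLOCK {name!r} ({ctype}): {reason}")
```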
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:48 PDT