On Tuesday 09 April 2002 11:44 am, Barry Shulak wrote:

> I enjoyed Gene Spafford's presentation at last Friday's CRIME group very
> much. I've been to three meetings so far, and I'm impressed with the
> cumulative knowledge and experience of the people I've met so far.
>
> One thing about the CRIME group strikes me as curious, however. I detect an
> interesting pattern during meetings. Typically, someone makes a critical or
> disparaging remark about Microsoft, and people start nodding, smiling
> knowingly, and offering comments of their own. This phenomenon ripples
> like a wave throughout the room. Now, please don't misunderstand. Microsoft
> has its problems, to be sure, but it's not the great Satan. I've wondered
> for a while if anyone in the security industry has anything good to say
> about Microsoft.

Microsoft has earned their reputation through their actions. Let's look back at WHY Microsoft gets hit as hard as they do.

Microsoft has a long history of treating security problems as a PR problem, not as a technical one. When a problem was discovered, instead of admitting it, fixing it, and issuing a patch, they would respond with the PR flacks. The standard answer without a working exploit was that "the flaw was theoretical". With a working exploit, the flaw "only affected a small number of users". This is assuming that they were willing to fix the problem at all. (Microsoft was warned about scripting and ActiveX problems LONG before they were routinely exploited. Many of those flaws still remain.)

> Last week my boss, Andrew Plato, called my attention to an opinion piece by
> ISS chief information architect Rob Graham titled "Security is a
> Superstition." We know Rob quite well, because we worked with him and his
> developers since before Network ICE was acquired by ISS. Rob's opinion is
> very thoughtful and well-written. While acknowledging, as I have, that
> Microsoft has its problems, Rob actually (gasp!) defends Microsoft. He does
> a good job of putting criticisms of Microsoft into perspective. Take a
> look, I think you'll find it interesting.
>
> http://www.robertgraham.com/journal/020210-superstition.html

I don't know if I would trust the person who was responsible for IIS to instruct me on security.

Actually the article is the standard hackneyed list of excuses Microsoft normally puts out to defend their shoddy code. For example, he claims the reason that they get hit on Outlook is that it is popular. No. The reason it gets hit is that it is so frickin easy to exploit it! Why does an e-mail client need to execute scripts sent to it? The feature has been shown to be a problem over and over again. (Including in text-based e-mail many years ago.) But Microsoft would have to remove a feature, and they are unwilling to do that. (Microsoft is a company driven by marketing. Their decisions reflect that.)

He also expounds the "Conspiracy Against Microsoft(tm)" theory. The people I know who hate Microsoft are the ones who have worked with the product long enough, heard all the excuses, heard the spin from the MS PR flacks, had their development libraries change on them because Microsoft APIs are a moving target, and got yet another promise about how it will be fixed "in the next version". Microsoft tried to paint its critics with "oh, they just hate us" without looking at WHY.

Yes, there are some invalid criticisms of Microsoft. There are also some that do not go far enough. In the security field, Microsoft has tried to say "everything has security holes, therefore you should not complain about ours". What they don't want you to think about is the numbers. Apache has MUCH fewer security problems than IIS because it is designed better. (It also runs under Windows. I have set it up. It runs much better than IIS.) The numbers that Dr. Spafford showed for Linux I do not believe to be accurate. (You have to separate kernel issues, daemon issues and applications, as well as account for the redundancies of reporting via the multiple distributions.) But more importantly, the way bugs are treated is different in the open source world. When they are found, they are fixed quickly. Microsoft has a well-deserved reputation for dragging its feet. They are not the worst, however. Sun has been as slow, if not slower, to fix problems. (They also insist on shipping ancient versions of tools, at least in the versions I have used.)

Yes, Microsoft gets picked on because they are big. They are also picked on for how they react. Bug management by PR is not a good thing. They also have the resources to fix things quickly. Convincing them to do so in a timely manner, without the PR department getting involved, has been difficult.

A big part of the problem is that Microsoft's marketing department has far too much control of what goes into the product. A prime example of this was Windows ME, which was a feature-for-feature add from the bullet-point list from the iMac. In such companies, the engineering department is not allowed to tell Marketing that "feature X is a bad idea". You don't get promoted if you buck what marketing wants. Companies where marketing is allowed to call the shots tend to make feature-rich and insecure software. (Until they get a clue that not having security bulletins issued every other day on their code is a good idea. Then they usually just try to stop the bulletins, not fix the problems.)

I could go on, but hopefully you have gotten the point. Microsoft has earned the animosity in the security field by their own actions. Excuses do not cut it. We should not be seeing the same problems over and over again, but we do with Microsoft's code. When people point out the problems, they react with arrogance and PR, not solutions. Lots of promises are made, but the fundamental behaviour remains the same.
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:49 PDT