Re: CRIME Perspective on Criticisms leveled at Microsoft

From: Crispin Cowan (crispin@private)
Date: Tue Apr 09 2002 - 16:30:37 PDT

    Andrew Plato wrote:
    
    >Crispin Cowan wrote:
    >
    >>Begging to differ, but yes they are the great Satan :) Microsoft has been systematically holding back the trailing edge of technology for 20 years. Apart from their systems being generally dreadful, and their marketing practices outright illegal on many grounds, their security is especially bad.
    >>
    >I think Rob's point, one that I find very compelling, is that MS
    >products were not designed or marketed to hardcore geeks. They were
    >designed for mass-market consumption. 
    >
    If that is the claim, then it is reprehensible. Mass-market consumers 
    are those users who are least able to defend themselves. Deliberately 
    handing them something that is shiny, but vulnerable as a result of 
    being shiny, is the kind of despicable marketing-based engineering 
    decision that first incited Ralph Nader.
    
    >Yes, out of the box, a default installation, Windows security sucks. But
    >honestly, there are a lot of ways to slice and dice Windows machines.
    >With a modest amount of hardening, you can turn an NT/2000 box into a
    >very secure machine. I've written a paper on this. It's not impossible,
    >but it isn't something many people know how to do. 
    >
    Ok, it is possible. But it is definitely much more difficult to do than 
    on sensible systems. Windows is marketed as being easier to use, but 
    using it securely is actually harder.
    
    >Thus the problem...many IT departments do not have the staff, education,
    >experience, or resources to do this properly. The race to get a computer
    >
    That is the security problem. It is separate from the "Does Microsoft 
    really suck that much?" question.
    
    >>The mail client (Outlook) trusts scripts attached to incoming mail. This is the most dangerous way in which viruses propagate. The #1 biggest thing you can do to secure your company is to mandate that no one can use Outlook as a mail client. Choose any other mail client, it doesn't matter which one: they are all more secure than Outlook. 
    >>
    >That is easy for hardcore nerds like us who can handle new software with
    >ease. But for the average joe who does not understand computers very
    >well, asking them to use an unfamiliar program is a massive problem. It
    >would cause immediate and painful productivity problems for companies.
    >
    >I like to think of this as the "Mom" problem. My mom is a very
    >intelligent, well-educated person. But she is not a computer person. She
    >knows Outlook, IE, Word, a few basic programs and they allow her to be
    >very productive and surf the web, buy stuff on E-Bay, send out letters,
    >etc.
    >
    >If I sat my mom in front of a UNIX box she would scream in horror. It
    >
    I think you are misconstruing what I was saying. I know that UNIX is 
    waaay too difficult for your mom/receptionist/CEO to use. But there are 
    other mail clients that run on Windows that are every bit as easy to use 
    as Outlook (Netscape Communicator and Eudora being the leaders).
    
    Using Windows is an unfortunate necessity in many circumstances. Using 
    Outlook is reckless, and should be regarded as malpractice in the IT 
    business.
    
    >would take her months to re-learn everything. Well, most organizations
    >have a lot of "moms" working in them and therefore they simply cannot
    >just "throw away" their existing infrastructure because it has a few (or
    >even a lot) of security holes. They must adapt that infrastructure to
    >fit the needs of their users. That means patching holes as best they can
    >and implementing systems to detect and catch attempts to exploit those
    >holes. 
    >
    Outlook's vulnerability is not a "hole": it is a designed in feature. It 
    is a door guaranteed NOT to lock.
    
    >>I'm not sure what Robert Graham has been smoking; he's not normally this silly. He's essentially advising you to systematically do exactly the wrong thing everywhere. 
    >>
    >No, he is taking a middle ground between practicality and security. As a
    >person who has the inglorious job of actually making security systems
    >work in corporate environments, Rob's comments are very true. Many
    >organizations simply are not prepared to become a Fort Knox of computing
    >security. They simply do not have the resources to devote to security. 
    >
    That would be nice if it was true, but it is not. Graham is talking 
    absolute crap. He is advocating horribly insecure practices that don't 
    even approach the middle ground. He makes apologetic and disingenuous 
    excuses for some of Microsoft's most egregious design abuses, and 
    characterises that as reasonable practice. Nothing could be further from 
    the truth.
    
    >>Yes it's true that security is at odds with convenience: it must be, because it is the business of saying "no" sometimes, so it is necessarily less convenient. Good security design (the Principle of Psychological Acceptability) accounts for this, and works hard to make sure that legitimate users see the "no" answer as rarely as possible. What Graham is suggesting is to throw up your hands and just disable security because it is too annoying. If you follow that advice, you will deserve what you get.
    >>
    >I don't see that as what Graham said at all. In fact I challenge you to
    >point out where you feel Graham is saying that. 
    >
    How about his opening quote:
    
        "Security is mostly a superstition. It does not exist in nature, nor
        do the children of men as a whole experience it. Avoidance of danger
        is no safer in the long run than outright exposure. Life is either a
        daring adventure, or nothing." - Helen Keller 
    
    So what the hell; go ahead and use a mail client that executes content 
    mailed to you from anyone, as root, on your workstation. Because life is 
    too short to give a damn about security :)
    
    This theme continues throughout Graham's article, where time and again 
    he defends a bad security decision on the basis that it made operations 
    more convenient. While that is often true, in most cases a *different* 
    decision could have made operations equally convenient without exposing 
    the user to anywhere *near* as much risk as Microsoft did.
    
    >What Graham does say, and I whole-heartedly support as a greedy
    >capitalist pig, is that the market must decide what is appropriate. And
    >I would say the market has already decided: people want Microsoft
    >products. 
    >
    Judge Jackson and I question whether the market was ever given a choice 
    to select anything else.
    
    >Furthermore, I can speak from direct experience that security is a
    >complex problem that is best handled with practical solutions that
    >carefully weigh cost and risk reduction. Sometimes, the cost of reducing
    >risk is simply prohibitively too high for some organizations. I have
    >numerous customers that simply cannot afford the price of expensive
    >commercial products or the time to learn and implement open-source
    >products. Therefore, they have to settle for some practical,
    >"in-between" type solutions. 
    >
    That's all true, but beside the point. Barry Shulak asked whether 
    Microsoft products were as bad as the jeers at the CRIME meeting 
    suggested, and why. I have argued that they are every bit as bad, and worse.
    
    It is true that security is complex, and that most organizations cannot 
    afford the operational costs of high security. What is hidden is that 
    most organizations are paying through the nose for either the added 
    expense of trying to secure Microsoft's broken systems, or for the added 
    expense of just being vulnerable. There are alternatives if one takes 
    off the "Microsoft only" blinders. You can buy and use many 
    non-Microsoft products (based on Linux and *BSD) that are a vast 
    improvement over Microsoft for price, performance, security, and 
    occasionally even ease of use, and definitely ease of use *securely*.
    
    >The simple fact is, the markets are deciding what is important. And that
    >has some security people upset. But in my experience, the free-market is
    >much better at deciding the fate of than centrally controlled
    >organizations. 
    >
    Where did anyone suggest a centralized authority replace the free 
    market? This is all just information to help our tiny little segment of 
    the market make a better informed decision :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
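The threat the message keeps returning to is a mail client that hands attached scripts and executables to the operating system. Independent of which client the recipient uses, the check most practitioners put in place is a gateway-side attachment policy. The following is an added example by the editor, not code from Cowan, Plato, or any product named in the thread. The extension and MIME-type deny-lists are assumptions chosen for illustration, the sample messages are constructed inline, and the "MZ" magic-byte check is there to catch a Windows executable that has simply been renamed to look like a picture. A deny-list is necessarily incomplete; the point is that the decision is made by policy before the client ever sees the part.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File extensions Windows will run directly or hand to the scripting host.
# Assumption: an illustrative policy list, not one taken from the thread.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
}
# Declared MIME types that are executable regardless of the file name.
BLOCKED_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/hta",
}
# A Windows PE file starts with "MZ"; renaming it to photo.jpg does not change that.
PE_MAGIC = b"MZ"


def classify_attachment(part) -> list:
    """Return the reasons a MIME part should be quarantined (empty list = allow)."""
    reasons = []
    name = (part.get_filename() or "").strip().lower()
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    # Judge by the *final* extension, so "report.txt.vbs" is treated as .vbs.
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext!r} in {name!r}")
    if ctype in BLOCKED_TYPES:
        reasons.append(f"executable content type {ctype}")
    if payload.startswith(PE_MAGIC):
        reasons.append("payload is a PE executable (MZ header) whatever the name says")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Map each offending attachment's file name to the list of policy reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reasons = classify_attachment(part)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_message(attachment_name, data, maintype, subtype) -> bytes:
    """Constructed sample mail for the demo; not captured traffic."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "mom@example.invalid"
    m["Subject"] = "see attached"
    m.set_content("Please open the attachment.")
    if attachment_name is not None:
        m.add_attachment(data, maintype=maintype, subtype=subtype,
                         filename=attachment_name)
    return m.as_bytes()


# Constructed samples: a bare text mail, a harmless text attachment, a script
# hiding behind a double extension, a renamed executable, and an honestly
# labelled executable with an innocuous-looking name.
SAMPLES = {
    "plain": build_message(None, b"", "text", "plain"),
    "text": build_message("notes.txt", b"hello", "text", "plain"),
    "vbs": build_message("report.txt.vbs", b'MsgBox "hi"', "text", "plain"),
    "renamed_exe": build_message("photo.jpg", b"MZ\x90\x00" + b"\x00" * 16,
                                 "image", "jpeg"),
    "msdownload": build_message("setup.bin", b"\x00" * 8,
                                "application", "x-msdownload"),
}


def scan_all(samples=SAMPLES) -> dict:
    """Run the policy over every sample; values are {} for mail that passes."""
    return {label: scan_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        verdict = "quarantine" if findings else "deliver"
        print(f"{label:12s} {verdict:10s} {findings}")
```

Run it and the two text mails are delivered while the three executable cases are quarantined for different reasons: the final-extension check catches the double extension, the magic-byte check catches the renamed binary, and the declared type catches the last one even though its name is harmless.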
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:50 PDT