MS Exec: 'Our products just aren't engineered for security'

Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
  • by lprimak ( 538633 ) <{lprimak} {at} {hope.nyc.ny.us}> on Friday September 06, 2002 @11:16AM (#4206506) Homepage
    I just ported a large amount of code to Windows, and I was very surprised to notice that snprintf() is _snprintf() on Windows. It's like they hid it (or implemented it much later) and it's not part of "their" standard. Without widespread use of this function, god knows how many lines of their code use regular sprintf() and insecure functions like it. And I doubt they use "%13s" or directives like this in sprintf(), or if their version even supports these constructs.
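    The portability and bounding issues the comment raises, as an added example that is not the commenter's code: a hypothetical wrapper that papers over the `_snprintf` difference (older MSVC returns -1 on truncation and does not guarantee a terminating NUL, where C99 `snprintf` does both), and a check showing that `%13s` is a minimum field width rather than a bound, while `%.13s` actually caps the copy. The input string is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* Before MSVC 2015 the Windows C runtime exposed snprintf only as
 * _snprintf, which returns -1 on truncation and does not guarantee a
 * terminating NUL. C99 snprintf always terminates and returns the length
 * the full output would have had. This wrapper gives callers one
 * contract on both platforms (hypothetical helper, not from any project). */
#if defined(_MSC_VER) && _MSC_VER < 1900
#define PORTABLE_VSNPRINTF _vsnprintf
#else
#define PORTABLE_VSNPRINTF vsnprintf
#endif

/* Formats into buf[size]. Returns the number of characters stored
 * (excluding the NUL) and sets *truncated when the output did not fit.
 * buf is always NUL-terminated when size > 0. */
size_t safe_format(char *buf, size_t size, int *truncated,
                   const char *fmt, ...)
{
    va_list ap;
    int n;

    *truncated = 0;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = PORTABLE_VSNPRINTF(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {
        /* _snprintf may have filled every byte with no terminator */
        buf[size - 1] = '\0';
        *truncated = 1;
    }
    return strlen(buf);
}

/* Shows why "%13s" is not a bound: it is a minimum field width, so a
 * longer argument is copied in full. "%.13s" is a precision and caps the
 * copy at 13 bytes. Stores the character count each conversion produced. */
void width_vs_precision(int *with_width, int *with_precision)
{
    /* constructed input, 40 characters long */
    const char *arg = "this string is much longer than thirteen";
    char out[64];                      /* big enough that this demo is safe */

    *with_width = sprintf(out, "%13s", arg);      /* 40: width did nothing */
    *with_precision = sprintf(out, "%.13s", arg); /* 13: capped */
}

int main(void)
{
    char small[8];
    int truncated, w, p;

    safe_format(small, sizeof small, &truncated, "%s",
                "this string is much longer than thirteen");
    printf("stored \"%s\", truncated=%d\n", small, truncated);
    width_vs_precision(&w, &p);
    printf("%%13s wrote %d chars, %%.13s wrote %d chars\n", w, p);
    return 0;
}
```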
  • by anthonyclark ( 17109 ) on Friday September 06, 2002 @11:19AM (#4206531)
    While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.

    Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.

  • Palladium, of course (Score:4, Interesting)

    by PMuse ( 320639 ) on Friday September 06, 2002 @11:25AM (#4206587)
    Step 1: Admit that current MS OS is insecure.

    Step 2: Allege that problem is fundamental due to the nature of the hardware platform. Fear. Uncertainty. Doubt.

    Step 3: But wait! MS has the solution that will solve this crisis -- Palladium.
  • by Captain Pooh ( 177885 ) on Friday September 06, 2002 @11:30AM (#4206626)
    directions on microsoft [directions...rosoft.com] Check out that link, it is run by I think two former Microsoft employees.
  • by codepunk ( 167897 ) on Friday September 06, 2002 @11:31AM (#4206631)
    We have one Windows web server left that we are now converting to run on Linux. Our Windows web server has been compromised over 8 times in the last week. We applied every single security patch we could on the machine. We also locked every single port but 80 out at the firewall. We shut down every single service that is not necessary and stripped the site to the bare minimum, but it continues to be compromised. Yes, we even reloaded from scratch 3 times; still no good. Even our MCSE is now a Linux convert and begging me to get it converted as quickly as possible.
  • by yerricde ( 125198 ) on Friday September 06, 2002 @11:43AM (#4206727) Homepage Journal
    I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.

    They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.

  • This worries me. (Score:2, Interesting)

    by DonkeyJimmy ( 599788 ) on Friday September 06, 2002 @11:46AM (#4206760)
    What worries me about this is not that microsoft products are not engineered for security, we've all known that for years. It's that microsoft is admitting to it openly.

    In terms of marketing, Microsoft knows what they are doing, and they must believe that admitting this won't hurt their sales significantly. Has their customer base become so low-tech that the idea of insecure products doesn't bother them? Or are they simply so powerful that we (the rest of the world) can do nothing to stop them? I'm hoping that this is some kind of horrible mistake on their part, but I doubt it.

    I spoke to a microsoft engineer once about .net and he told me that they were working on developing the .net virtual machines for Unix and other non-Windows OSes, but they were specifically planning on not releasing them if .net did well, as that would force developers to use Windows. I suspected as much, but the fact that they would come out and say it worries me.
  • by geoswan ( 316494 ) on Friday September 06, 2002 @11:48AM (#4206766) Journal
    I believe that MS took a leaf from the playbook of the Tobacco industry.

    There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.

    Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.

    His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.

    "But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."

    Are Microsoft executives any more ethical than Tobacco executives?

    Nah.

    I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.

    Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.

    This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.

    I believe that they looked ahead, and planned to distribute insecure products, so that they could harness the public's anger at vandals, interlopers and spam artists to justify draconian security measures that we never would have agreed to otherwise.

    I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.

  • by sawilson ( 317999 ) on Friday September 06, 2002 @11:50AM (#4206784) Homepage
    This is obviously part of the groundwork to get the public behind Palladium. Microsoft has consistently proven itself to be the masters at porting governmental public opinion swaying tactics for their needs. It's almost admirable. Following tradition, they'll produce stats and figures and submit them as "proof", and the majority of America will say "wow, we need to do this". Or, as demonstrated recently, they'll hint at the existence of proof for their "cause" and that alone will swing a majority of people to their side and give them time to fabricate it, or draw attention away from producing it. Microsoft will get Palladium, and Dubya will get the war he wants that nobody a few weeks ago wanted, but now seem to want since they keep waving the flag hard enough and hinting at "new evidence" that probably doesn't exist as of yet.

    Step 1: Convince everyone that your selfish agenda is in their best interests in any way you can.

    Step 2: Pursue your selfish interests.

    Being manipulated this way is part of being an American. Microsoft is the most American company I know of.
  • by PythonOrRuby ( 546749 ) on Friday September 06, 2002 @11:54AM (#4206818)
    Microsoft's approach to operating systems and security has created an arms race between them and hackers (both malicious, and those legitimately testing the software).

    The answer is not to make the OS more complex and create more special cases, but to streamline it, and offer a more consistent model for applications and users to interact with the operating system.

    This is why pretty much everyone else these days uses some variant on Unix. More than anything else, the appeal of Unix is simplicity at a basic level.

    Now, Microsoft doesn't have to ship a Unix-based or compatible OS by any means, but if they want to take security seriously, they need to take what they have now, and what they are planning on for five or ten years down the road, reduce it down to the most basic components that can still address all of those problems, and rethink how Windows is put together.

    Also important is to get over their antipathy towards the open source "movement", and realize that it can be a tool. If they released a simplified, streamlined Windows kernel, they could let the world hack away at it, finding flaws, then take that work and put the components on top of it that would make it Windows. They've "borrowed" ideas from Apple and NeXT in the past, why not look at what OpenStep was, and what Darwin and Mac OS X have become and borrow that idea too?

    In short, it takes more than saying to your developers, "ship bug fixes in a week rather than a month." They'll have to really examine Windows, and where the flaws come in, and if there's some other way (and there always is) that those things could be done, then the old way has to go.
  • by Jeppe Salvesen ( 101622 ) on Friday September 06, 2002 @12:12PM (#4206935)
    Can you run apache on your windows web server? If they keep attacking, it would be interesting to see if they are hitting IIS or something else (assuming they are shitty little script kiddies).

    Another possibility is to set up a Linux box with no open ports on the same ethernet segment and sniff all traffic so that you might be able to tell how they hack you, and where they come from (at least the box they are coming from).

    But - changing to Linux is also a really good alternative. Just keep in mind that Linux itself does not offer you security, only an improved possibility of security. You will need to stay rigorously patched up, with a good firewall and a good intrusion detection system. I used my IDS to tighten my firewall whenever I found monkey business in the network traffic - with good results. The box ran without external protection or upgrades for a long time, and it was port-scanned every day. Of course, they eventually hit the jackpot at first try. Then, an IDS will only alert you that something is wrong.

    Also, whatever application you run on your web server will need to be secure.

    Remember - one vulnerability is usually enough.
  • M$ and Mozilla (Score:3, Interesting)

    by GreenKiwi ( 221281 ) on Friday September 06, 2002 @12:14PM (#4206951)
    Is it just me, or is their Knowledge Base using some funky shit that doesn't let it display properly in Mozilla?

    M$ Sucks. I wish that they'd use the standards instead of making their own.
  • Re:Experience? (Score:4, Interesting)

    by MoneyT ( 548795 ) on Friday September 06, 2002 @12:20PM (#4206983) Journal
    Simple, brand name. Try to explain to a non tech savvy person (yes they still exist, and in millions at a time) that they should buy a product that isn't Microsoft. They've probably never heard of the other company, and if it isn't Microsoft, "It won't work right with my computer because my computer had Microsoft on it already". Believe me, I've heard that hundreds of times. Now imagine that same attitude on a corporate scale, and you've got one hell of a successful business no matter what crap you feed these people.
  • by Anonymous Coward on Friday September 06, 2002 @12:37PM (#4207115)
    I'm an ex-Microsoft employee and when I was there last (~1999) the discussion was why the per-programmer productivity was the lowest in the business. Several design decisions were severely flawed: the design of COM, the threading architecture, lack of documentation and, of course, security.

    Emphasis was on getting the job done as quickly as possible with frantic finger pointing when things went wrong. Being a good programmer meant having connections with people in other development groups who could send you code examples that you cut-and-pasted into your own code (usually without any real understanding of the functionality). These connections were based on give-and-take with the default response being "why should I do this for you?"

    Since leaving, I've focused almost entirely on Java and have been in heaven with its culture of well-defined software contracts. Performance issues have been addressed by writing small amounts of code in C++ using JNI.

    I wouldn't blame the individual engineer, but the whole software process. I wouldn't call it badly designed, because it wasn't designed - it just accumulated.
  • by nenolod ( 546272 ) <nenolod@g m a i l .com> on Friday September 06, 2002 @01:06PM (#4207319) Homepage
    It's been a well known fact that microsoft products are not engineered for security, and here's why...

    Microsoft is a company that wants to be the first to offer a product, instead of thoroughly testing their products like a responsible software company.

    Also, it's well known because if you ever check Windows Update, you will see at least 3-5 new security patches and updates at least once a month. That's why Microsoft made Service Packs.

    Every time a service pack is released, it contains a large collection of security related patches and fixes to other discovered bugs. And, it's so big because they include every fix since the initial release of the software.

    Also, because their software is insecure, they have a Limitation of Liability clause in their EULA. How do I know this you ask? Because I actually read the Microsoft EULA once, because I was truthfully bored.

    Windows XP has had more patches released for it than any other product so far. At least 40 fixes and an actual service pack has been released since the initial release of Windows XP.

    So, I'm just surprised that they have admitted it now.
  • by Anonymous Brave Guy ( 457657 ) on Friday September 06, 2002 @01:30PM (#4207534)
    Sure, you can't make anything 100% secure (short of keeping it turned off)

    Sure you can. You start by disabling all contact with the outside world by default. If I'm not listening, they can't tell me what I don't want to hear. You then, slowly and with rigorous testing, implement a small set of interfaces that let you talk where you need to, e.g., by reading and drawing a body of text. Bingo, you just covered most of e-mail, Usenet, web browsing and the rest in one go.

    The problem is MS' approach: every application should do everything. For goodness' sake, Office 2002 apps that I use to write my letters and do my accounts have several dozen hooks that try to access the Internet in them. Why? That's just silly, and it's not surprising that in such an environment, people get careless.

    Writing basic interfaces to support e-mail, ftp, web browsing, Usenet, time sync'ing and such is not hard. Writing them to be secure requires a modest amount more effort. It shouldn't be beyond the average CS grad, though, and it certainly shouldn't be beyond a group with the resources that Microsoft has at its disposal.

    People have been telling me for years that since I program in C++ and don't use a GC, my programs must have memory leaks. I've told them no, because I use good basic practices. They claim I'm wrong. I claim I have rigorous, objective diagnostic tools that back me up on this. That's not hard, either, but most of the programming world would tell me it can't be done. So it is with security.

  • Re:Experience? (Score:4, Interesting)

    by Qrlx ( 258924 ) on Friday September 06, 2002 @01:48PM (#4207654) Homepage Journal
    Simple, brand name

    This is correct. Microsoft's genius lies in the marketing. Not that their products are all terrible, and thrive ONLY because of marketing, but marketing got them and keeps them where they are today.

    Microsoft's corporate sales pitch deliberately glosses over the technical side of things. The corporate execs aren't technical people anyway, so why try to explain the benefits of a product in technical terms that only a select few understand? No, Microsoft invented the term "TCO" (Total Cost of Ownership) and sold the concept that Microsoft was the less costly way to go. Execs understand the concept of money very well. Everyone responds to emotional sales pitches (unless they are Noam Chomsky or something). Through a combination of $$$ claims about lower TCO and carefully placed FUD, they have established a dominant position on the LANs they were merely clients on ten years ago.

    Another thing Microsoft realized is that computers would be everywhere, and they wouldn't always be under the control of UNIX admins with pocket protectors and advanced CS degrees. There just aren't enough uber-geeks to go around for all the offices in the world. Brilliant foresight. It might be the CFO who suddenly finds the company has grown and now they need to bring the network back under control. Microsoft has hands down the slickest sales materials I've seen in the computer field.

    Microsoft sells a culture, a lifestyle, in which you don't have to worry about computer problems because there are teeming millions of MCSEs and phone support and etc. to hold your hand through whatever problems may arise. And in fact this is true. Microsoft will smile and nod and politely empty your wallet.

    A few months ago, there was a story on Slashdot about MS sending the BSA after school districts in the Northwest. After the admins got into a tizzy and threatened to install Linux everywhere, Microsoft had the Come to Jesus meeting. "The themes for today are friendly and flexible," the sales lady said. It's the classic good cop/bad cop routine, a pure psychology play, and Microsoft knows their shit in this regard. Geeks, being socially stunted and sexually frustrated, are putty in Microsoft's hands, especially when the nice woman in the business suit shows up to put down the rebellion.

    That is how Microsoft has achieved their monopoly. Unlike the other computer companies, they don't try to sell the technology itself. Instead they sell the REWARDS of implementing a Microsoft solution, they sell a warm fuzzy bundle of love, a pre-made community of smiling, personable non-geeks who are there to ease your assimilation into the Collective.

    Microsoft was the first to bring big-time Madison Avenue marketing psychology to an exponentially growing computer market, that's why they're on top now.

    This T-shirt I saw said it best:

    Political <---------- You are here
    Presentation
    Session
    Application
    Transport
    Network
    Data link
    Physical
  • by NZheretic ( 23872 ) on Friday September 06, 2002 @02:10PM (#4207853) Homepage Journal
    Lead Windows developer bugged by security [infoworld.com]. Which includes the statements...
    It is not only Microsoft that is to blame for the creation of faulty software, said Chandra Mugunda, a software consultant with Dell Computer in Round Rock, Texas, who attended Valentine's presentation here. "It's an industry-wide problem, it's not just a Microsoft problem," he said. "But they're the leaders, and they should take the lead to solve these problems"

    Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating products such as Linux and Unix.

    "Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."


    However, the "Every operating system out there is about equal in the number of vulnerabilities reported" statement of Valentine's fails to take into consideration that in most cases Unix, open source and free licensed software has been designed [eweek.com] from the outset with at least the issue of security in mind [dwheeler.com]. Whereas, some Microsoft systems such as their embedded scripting systems [pivx.com] have not.

    The result is that it is far easier to exploit an easy, scriptable vulnerability in a Microsoft system, that has no patch for months, than to exploit a difficult, binary hole in a Linux/BSD system that has a patch within days.

  • by untulis ( 30874 ) on Friday September 06, 2002 @02:51PM (#4208200) Homepage
    Are you kidding me? The general public may not care about it, but CIOs and other people who make purchasing decisions will. You don't think that every sales guy at IBM, Sun, HP/Compaq (the non-MS sides), RedHat, and anyone else who competes with MSFT in the enterprise space isn't going to end their presentations with, "And if you don't believe me about Microsoft security, believe Microsoft"?

  • by vortoxin ( 213064 ) on Friday September 06, 2002 @05:18PM (#4209346)
    Can this statement from Mr. Vice President be used as a statement of guilt stating that systems are not C2 compliant? Does this mean another slap on the wrist for MS, or will some meaningful result actually come out of this?

    Also will other businesses be able to press for some sort of compensation or can we all be expected to buy a new version of "windows secure" in the future? This, as they pare down their support in security just because Microsoft has admitted they cannot write secure code for an operational product.

  • by Bryan K. Feir ( 11060 ) on Friday September 06, 2002 @06:03PM (#4209598)
    Windows, OTOH, has always addressed security via add-on programs. (Well, NT made some attempt at security, e.g., it created users that it could be difficult to get into. And admin privileges. I admit I don't know what they were...)

    Well, sort of. The underlying core of Windows NT is, in theory, considerably more secure than your average Unix. The built-in ACL and 'capabilities' models are actually fairly sophisticated, and allow for finer grained control than most versions of UNIX.

    Then Microsoft decided to slap the Windows 95 UI on top of it to make it 'user friendly', and made accessing the low-level capabilities difficult. Then they decided to move all the video drivers into kernel space in NT4.0 because they weren't fast enough when running in user space, so a video driver bug could trash the system. And things like Office would require you to shut off important parts of your file system security because of lazy design that assumed it could play in the /SYSTEM/ directory just like on Windows 95.

    NT actually had the chance to be a truly secure system from the ground up. Then marketing started to override engineering decisions again...

    -- Bryan Feir