Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

Microsoft's Goal, Security Through Obscurity? 380

dave cutler writes "Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks." Update: 05/09 13:59 GMT by M : The benefit to customers of Microsoft integrating internet services into the operating system, as well as Microsoft's commitment to security, are exemplified in this article which notes yet another remote root hole in Microsoft's code.
This discussion has been archived. No new comments can be posted.

Microsoft's Goal, Security Through Obscurity?

Comments Filter:
  • WTF???? (Score:5, Flamebait)

    by user32.ExitWindowsEx ( 250475 ) on Thursday May 09, 2002 @10:16AM (#3490675)
    As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.

    TRILLIAN CONTAINS NO MICROSOFT CODE. THIS IS A FLAW IN MICROSOFT'S CODE, NOT THE PROTOCOL.

    WTF was the author on?? HTF can he say this? It's blatantly wrong.

    p.s. I'm a Trillian user.

    • Re:WTF???? (Score:4, Insightful)

      by MaxwellStreet ( 148915 ) on Thursday May 09, 2002 @10:18AM (#3490695)
      Makes you wonder if these things aren't being spun out to get people to use the latest version of MS's products - if for no other reason than to make their systems secure.

      Don't use 3d party stuff. Use the latest from MS. It's secure this time. We promise. Really.

      Vaguely reminds me of auto glass purveyors out in a parking lot with a bat.
      • by zpengo ( 99887 )
        the latest version of MS's products...make their systems secure.

        I'm sorry, there seems to be a typo in that sentence. Shouldn't there be a "not" or "doesn't" in there somewhere?

    • Re:WTF???? (Score:5, Informative)

      by Merlin42 ( 148225 ) on Thursday May 09, 2002 @10:32AM (#3490800) Homepage
      This is an overstatement. This bug can be triggered from a web page that references the MSN Chat ActiveX Control, so if at some time in the past you installed the control then you are vulnerable even if you use trillian. The advisory states that the chat control is not installed by default with any other software so you are probably safe. Of course a better course of action for trillian users would be to verify that the control is not installed and uninstall it if it is installed.

      This leads to a couple questions I do not personally know the answer to:
      Is there a way to uninstall ActiveX controls?!?
      Can I get a list of the ActiveX controls installed on my machine??!?
      • Re:WTF???? (Score:4, Informative)

        by Software ( 179033 ) on Thursday May 09, 2002 @10:51AM (#3490934) Homepage Journal
        Is there a way to uninstall ActiveX controls?!? Can I get a list of the ActiveX controls installed on my machine??!?
        I believe that c:\winnt\Downloaded Program Files is a fairly comprehensive list of the ActiveX controls downloaded to your machine. You can delete them from the same folder. However, ActiveX controls can also be installed by Setup programs, etc. You have to run the uninstall program and hope for the best, or do some Registry fiddling.
      • ActiveX removal (Score:2, Informative)

        by Sheetrock ( 152993 )
        Programs [4developers.com] exist to do this sort of thing, but given that ActiveX controls seem to require a GUID (globally-unique identifier) to operate you could try to track these down in the registry and remove them. You of course run a good risk of breaking things this way...

        I'm not running Windows, so I don't remember where it stashes the GUIDs for lookup. HKEY_LOCAL_MACHINE\Software\Classes might be a place to start, or you could wade through all the links an "ActiveX registry" search on Google will get you in order to find something more adequate.

      • well, it depends what you mean by "activeX". It is sometimes used as a synonym for "COM object", in which case, most of the .dlls on your avg. win machine are COM.

        But, for an actual Activex conrol (with a visual interface), most will have an OCX extension. If you dont want to patch it, search for the file msnchat40.ocx. delete. to be absolutely sure, delete the reg entry for it. There will be an entry in the CLSID section of the HKEY_CLASSES_ROOT (just search for the above file in regedit and delete the keys). Actually, if you delete the class pointers to the interface, no program could call it anyway. but deleting them both is the safest way.
      • The advisory states that the chat control is not installed by default with any other software so you are probably safe. Of course a better course of action for trillian users would be to verify that the control is not installed and uninstall it if it is installed.

        Unless you use Windows XP, in which case it's (cough) integrated. There is no uninstall option available, and even if there was I'm not sure it'd remove the chat control. There is however a workaround, you can run a command from the Run dialog that will manually trigger the uninstall routine. I can't remember it now, but it can be found on google. Doing so does not in any way harm or reduce the functionality of your system - that's how integrated it is.

        Rant aside, this is worrying, not least because many people who don't actually use MSN but have WinXP will have MSN installed but not think to update it, as they never use it. Therefore it will sit there, leaving a hole, never to be updated (unless they use the auto-update tool).

        This leads to a couple questions I do not personally know the answer to: Is there a way to uninstall ActiveX controls?!? Can I get a list of the ActiveX controls installed on my machine??!?

        1) Sort of. You can "unregister" them, but this requires API calls and is therefore normally dealt with by the install program. If an ActiveX control is not associated with a particular program (the IE control for instance), it cannot be easily uninstalled.

        2) ActiveX is a loosely defined superset of COM. Look in the registry under HKEY_CLASSES, and look at that rather long list of GUIDS. Each and every one is a COM object, that may or may not be classified as an ActiveX object by the Microsoft marketing department. As far as I know, there isn't any easy way of figuring out (other than manually querying the interfaces) to tell if something is a necessary part of Windows or simply a piece of fluff put there to push a corporate agenda.

        • It's something along the lines of "regsvr32 /u msnchat40.ocx". The version number (40) may differ, so search for like files. After you've unregistered any you find, delete 'em.
    • Read the article (Score:4, Informative)

      by Mordaximus ( 566304 ) on Thursday May 09, 2002 @10:35AM (#3490812)
      IF you spent the time to read the article, instead of looking for sentences that outrage you, you might realise that the vulnerability affects the MSN Chat OCX.

      In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."

      In other words, if those components are installed, even if you don't use them, you are at risk. You're right, it has nothing to do with Trillian.

      The author is right, completely right. Try reading next time.

    • I would presume that the flaw is such that, if you have a Messenger account and have MSN Chat (which is probably installed by default and which probably can't be gotten rid of entirely), you're vulnerable. Trillian users probably count as non-active users of the broken MS client for the purposes of this bug.
    • Re:WTF???? (Score:5, Funny)

      by Transient0 ( 175617 ) on Thursday May 09, 2002 @10:43AM (#3490869) Homepage

      ---QUOTE---
      "The attack doesn't happen through the chat client, so as long as you
      have MSN Messenger installed, if I send you a special URL, I can own
      you," said Marc Maiffret, Eeye's "chief hacking officer."
      ---ENDQUOTE---

      This kind of paraphrasing is a disgrace to journalistic integrity. I present to slahdot an exclusive direct transcription of this statement, before the WashPost mangled it.

      "M4RX M4IFFR3T d03Z n0t R007 j00 7hru 14M3 cl3n7 h4x. M4RX M4IFFR3T iz 31337-h4x0r. H3 wiLL *0WNZ* j00 W/ 1337 j00-R-3ll iF j00 hav m3$$3ng3r 0N j0r 14m3 b0x0r 47 4LL!!!!!!!!!11111111," said M4RX M4IFFR3T, Eeye's K1N6Z0r of 31337.
  • by DragonPup ( 302885 ) on Thursday May 09, 2002 @10:16AM (#3490678)
    Not quite.

    More like security through brillantly designed APIs. See, rather than letting Windows get cracked, MS cleverly designed the APIs to crash the system first. Everytime you see a BSOD, you should thank MS that they prevented a evil hacker from taking over your system. And if MS let people see their APIs, they could stop the APIs from crashing the system in response to hack attempts, leaving all Windows users vurnable with a non-crashing insecure Windows!

    -Henry
  • by gatekeep ( 122108 ) on Thursday May 09, 2002 @10:19AM (#3490696)
    Wow, now that's really something, seeing as how Microsoft doesn't even have the concept of Root.
    • by ryepup ( 522994 ) on Thursday May 09, 2002 @10:31AM (#3490787) Homepage
      Yeah they have the concept of root, it is just implemented for every user.
    • "...Microsoft doesn't even have the concept of Root."

      No, not quite true. Microsoft (Win9x at least) doesn't have the concept of any user type except root.
    • On DOS boxen (including, of course, all the non-VMS derived Windows releases, which boot COMMAND.COM and are thus DOS based) all local users are root superusers.

      Proof of concept: On a Windows 98 machine, cancel the "windows login" and start a DOS session. Now delete the entire filesystem (including hidden, system, and read-only files). Tada, it works, you are ROOT.

      On VMS-derived windows (such as all versions of Windows NT and of course Windows 2K) the root superuser account is named "Administrator" and is directly analogous to Unix "root"

      One of the reasons MS can't effectively compete against linux and the BSDs in the server market is that their systems include this same fatal weakness. At least *nix is stable!

      Incidentally, now that linux has "capabilities" built into the kernel, and Linus wants to put a resource handle into the filesystem API, the groundwork has been laid to get rid of this stupid root superuser concept and create a real successor to Unix rather than just a clone. Hopefully linux (or perhaps the Hurd) will one day incorporate all the strengths of Unix while jettisoning ancient kludges like "root" and the primitive "rwxrwxrwx" access control system.

      --Charlie
    • Root user, no.

      Concept of root - absolutely.

      Root is basically a user that can do whatever he pleases with no restrictions (or without restrictions that can't be overridden or removed)

      non-NT based windows every has absolute access
      NT based windows, administrator has this access.

      Think of root as a metaphor :)
      • NT based windows, administrator has this access.

        Actually, NT's root user is called SYSTEM. The "Administrator" user is a crippled account that cannot do many things. This is a requirement for some security settings (mostly for auditing). It's also the reason why you can't kill the stupid printing spool service as the Administrator (you need the kill.exe or rkill.exe programs, which are SUID-SYSTEM more or less). You'll also notice that members of the "Backup" group have elevated privileges above the Administrator users for exactly the same reason.

    • The idea that you can have users that are not admins but at the same time can make some changes (i.e. power users) is a good idea.

      Using a nix system requries having absolute permissions make me nervious, even when i have the root account
    • Processes on Windows NT run in "Rings". From the MSDN knowledge base:

      The core of a Win32 operating system runs at Ring 0 (kernel or supervisor mode), which is the highest privilege level.
  • Having just spent another bad week wrangling with Win9X (wish they'd at least fund 2K upgrades) and SirCam viri, while my *nix boxes just run flawlessly - All I can say is what utter rubbish, bullocks.
  • MS Security Paradigm (Score:5, Interesting)

    by theFlux ( 449414 ) on Thursday May 09, 2002 @10:20AM (#3490706) Journal
    Yes, its true that the security through obscurity claims of MS seem like blowing smoke, but obscurity is an accepted security paradigm. Any CS course in security outta mention it, and you can read about it in "Security in Computing" by Pfleeger. Its always been my stance, however, that MS is taking the obscurity stance to propagate their business model and NOT to better security.
    • by mjh ( 57755 ) <mark@noSpaM.hornclan.com> on Thursday May 09, 2002 @10:48AM (#3490906) Homepage Journal
      Yes, obscurity is an accepted security paradigm. However, when people talk about "security through obscurity" they're typically talking about obscurity as the only security model. And that is a very risky model.

      Of course, since Microsoft's API's are still hidden, we don't know whether or not they're using obscurity as their only model. However, it seems, from the alarming number of remote root exploits available it seems evident that Microsoft's claims for obscurity of their API's as a security measure is the only measure that they're taking. Which leaves one of two possibilities:

      1. They are intentionally depending entirely on obscurity as a security practice.
      2. They are conveniently coming up with security as the reason for further obscurity of their API's. IOW, the real reason for obscurity is to propagate their biz model (as you say) and not for security purposes.

      I tend to believe the latter. But giving them the benefit of the doubt, we can only argue against the former. Which is that trusting your business to Microsoft's security practices is a very risky proposition.

    • How many disgruntled employees does it take to reveal the secrets of your obscure security features? Also, just how obscure do you have to be to keep bright people from reverse-engineering your code?
    • Oscurity is greatly overrated. It's important when you're talking about *physical* security, e.g., you don't want your data center to have a big sign announcing its presence to anyone driving down the street, but almost always worthless (or worse) when you're talking about software unless it's already protected by some measure of physical security. (E.g., armed guards with orders to "shoot to kill" anyone trying to access the crypto gear without authorization.)
      • Speaking of datacenter security, that's apt. I used GlobalCenter (before they were bought by Exodus) and had a little tiff with their security chief.

        From the front, you need to get buzzed into the lobby, where you face a guard behind a sheet of bullet proof glass. If you pass credentials, the guard lets you into a hall that has an elevator, and another secure door. You also need a cardkey to use the elevator. So to get to your locked cage, you need to go through 3 locked doors, one which uses a hand-scanner. Sound fairly secure?

        The back door to the loading dock was always wide open (a big garage door) during business hours. The single door between the datacenter and the dock (normal key only) was frequently propped open to provide that nice cool air to the loading dock worker.

        The bottom line is that you can have a facade of tight security but it's all for naught due to poor internal practices (or shoddy programming on MS's part.) If MS is truely concerned about disclosure due to security reasons, anyone running their business on Windows should really think twice. Security through obscurity doesn't work and that's been proven over and over and over.
    • The problem is that selling your software to most of the computer users in the world means it's not really obscure. Security through obscurity only works if the system doesn't give feedback to attackers. Letting people run the software themselves is like playing mastermind with your passwords: it will still take people a little while to break them, but it is by no means secure.

      Security through obscurity has a place in unique, locally developed systems which only grant access to trusted users. In a commercial product it is nearly useless.
    • obscurity is an accepted security paradigm.

      This definitely needs to be clarified - obscurity is an accepted security paradigm, as long as it is used with other methods of security. Obscurity cannot stand alone as the only means of security. I believe that Microsoft is afraid that it will be shown to the world how weak and insecure their products actually are. They are using obscurity to HIDE their insecurities.

    • I contend that any "obscure API" that is installed on however many hundreds of millions of copies of windows is not at all obscure.

      Example: I am playing around in an "undocumented" networking api through my debugger at work and have noticed that whenever I send a certain control sequence to another api, it crashes my NIC. This means that sending that control sequence on any other machine with the same API will result in similar failure. It's obscure in that I don't know the syntax of the api -- but that doesn't stop me from calling it. In fact, that makes it even more dangerous, because the repair of the API now rests in the hands of a chosen few at MS.
  • by anthony_dipierro ( 543308 ) on Thursday May 09, 2002 @10:20AM (#3490708) Journal

    Salon has an amusing little wire article claiming that Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.

    It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

    • by JordoCrouse ( 178999 ) on Thursday May 09, 2002 @10:34AM (#3490810) Homepage Journal
      It would. It's not a good excuse, but it is true. In the short term, Microsoft cracks would increase.

      Mod this one up insightful.

      For the first, say 5 months, it would be anarchy - People would be fixing bug 24 hours a day all around the world, just to stay a few steps ahead of the crackers. Then as soon as the largest holes are patched, there willl be peace in our time. Machines would be fairly secure, and we could go back to actually using our bandwidth and machines for important things instead of 3 MB of klez and sircam worms daily.

      Instead Microsoft would rather keep the bugs obscured, so they will escape slowly over a number of years. And don't get me wrong, they will escape, there is no amount of obscurity that can mask the continious onslaught of people pouring over every inch of the code looking for holes.

      Which method would you prefer?
    • Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.

      We'll never know for sure since MSFT refuses to even consider the alternative of releasing info for their protocols, APIs, source. And that is their fait accompli. Any good software engineer worth his salt has to consider the possibility that he is wrong. Even genius coders forget the occasional semicolon.

  • Problem Is... (Score:5, Interesting)

    by 4of12 ( 97621 ) on Thursday May 09, 2002 @10:21AM (#3490716) Homepage Journal

    ...that they are partially correct and justified in hiding certain secret keys as ways of preventing unauthorized use of products.

    But that's an oversimplification that I'm afraid the lawyers and the court won't be able to clearly pick apart. Even the Microsoft VP testimony about the issue was sprinkled with constant reminders that this was "a confusing" technology. It is confusing. But it's essential for everyone to understand what it's purpose is and how it can be misused, too.

    The part that rubs the wrong way, of course, is that the exact same arguments could be used to prevent a competitive implementation of an interface that Microsoft wants to own for themselves.

  • by ProfMoriarty ( 518631 ) on Thursday May 09, 2002 @10:23AM (#3490729) Journal
    You gotta love these quotes ...

    "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.

    Gee ... I guess that's why theres so FEW reported news stories [washingtonpost.com] about the hacking of Windows ... and so MANY stories about the hacking of Linux.

    • There probably are more news stories about *hacking* linux than *hacking* windows (altough how many of these are news it's difficult to say). Cracking, well maybe that's a different matter :P

      For a laugh I did a quick google search and it seems there are more sites for Linux [google.com] than Windows [google.com] but I doubt you can read to much into that.
    • by HiredMan ( 5546 ) on Thursday May 09, 2002 @11:56AM (#3491420) Journal
      "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace." from Jim Allchin, who oversees the Windows operating system.

      This perfectly demonstrates the M$ sekurity mindset - they approach security problems as a PR problem NOT an actual usage or safety issue. What he SHOULD be saying is, "As the dominant OS in the consumer space we need to work to make our OS the most secure for our users because they are the biggest target and the least aware of the threat."Instead he's blathering about their "reputation" instead of actual security.

      Bottomline is that M$ doesn't care about security - they only care about there reputation for security. Hence to them obscurity IS security to them and it becomes policy and is encouraged.

      =tkk
    • "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace."
      And if they released the source code, the security community would realise the full extent of the security problems. "We can't release the source, everyone would laugh at us!"
  • *thbppt* (Score:5, Funny)

    by TVmisGuided ( 151197 ) <alan.jumpNO@SPAMgmail.com> on Thursday May 09, 2002 @10:24AM (#3490732) Homepage

    *pauses to wipe coffee off monitor*

    Three arguments against Microsoft's position:
    Nimda.
    Code Red.
    The fact that a virus framework for .Net was released to the wild before the "official" .Net specification.
    No, I don't believe them, not for a second. I'd sooner trust an armada of politicians and their attendant [strike]lackeys[/strike] lawyers.

    'Nuff said.

  • A new analogy (Score:2, Interesting)

    by nukey56 ( 455639 )
    I'm going to hide a cookie in this glass cookie jar over there. If I find out that you ate it, I'll just have to put a new cookie in the jar and hide it somewhere else.
  • Why? (Score:3, Interesting)

    by crumbz ( 41803 ) <<remove_spam>jus ... o spam>gmail@com> on Thursday May 09, 2002 @10:27AM (#3490753) Homepage
    I firmly believe that software should be held accountable to liability laws and consumer rights laws. Microsoft has repeatedly fought laws designed to provide these protections and re-written their EULAs to provide no liability whatsoever. Compare the EULA for MS Office from 1995 to todays. About ten times as long, with each additional page reducing their liability and increasing yours.
    More FUD from Microsoft. Their legal department must have more employees than their coding department by now.
    • Their legal department must have more employees than their coding department by now.

      They're all salivating at that $40B in the bank ... :)

    • Re:Why? (Score:4, Insightful)

      by ink ( 4325 ) on Thursday May 09, 2002 @11:18AM (#3491146) Homepage

      I firmly believe that software should be held accountable to liability laws and consumer rights laws.

      That would kill all free software. People could personally sue Linus for bugs in the Linux kernel that caused them problems: "I'm seeking $10,000 in damages because your stupid bottom handler for my POS Promise IDE controller caused me to lose all my data!". The listings on freshmeat would be a pool of future clients for lawyers, and not software projects. Amateurs wouldn't release code for any use whatsoever.

      In short: that's a realy, realy, really, really bad idea.

      • Re:Why? (Score:3, Insightful)

        by Zathrus ( 232140 )
        IANAL, but I believe that a good bit of OSS would be exempt... why? Because it's not sold and thus does not fall into the "intended purpose" bit of product liability laws.

        Red Hat, Mandrake, and others that do sell a product would become liable though, and that'd certainly kill them.

        I think that liability with a broad brush would definitely be a bad idea. But negligence is another matter... some of the exploits could definitely be shown as negligence on the part of the software maker (e.g. - you were informed of this exploit 5 months ago and failed to remedy it). This isn't just MS either - Sun, IBM, etc. have all had times where they failed to release a security patch within a reasonable time period after being informed of a vulnerability.

        That kind of thing should definitely result in liability on the part of the software company. Similarly, applications that have destructive bugs and don't get fixed should result in liability.

        The problem becomes one of defining how long is "long enough", and what should the fines be? Realistically we don't need new laws here. We just need to apply some old ones to a new situation.
  • Microsoft is clearly ignoring history here. They should learn from the example of one of the oldest open-source programs out there. Clearly if there are lessons to be learned, we should learn from this piece of brilliantly designed software.

    Of course, I am speaking of Sendmail.

    Oops...

    • Yes Sendmail had some atrocious holes. Yes it seemingly took forever to get them fixed.

      But c'mon we are talking about a program that at best was running on tens of thousands of machines during it's worst security times. As Sendmail usage has gone up so has the security it has offered. Comparing to a hole in a client that is deployed on millions of computers really isn't fair.
    • Of course, I am speaking of Sendmail.

      Actually almost all of Sendmail's security holes are directly due to its obscurity. Just because the source code is released doesn't mean it's easy to understand.

  • by Anonymous Coward
    Somebody should maintain a list of executives at large companies and specifically bomb them with these 'sploits as soon as they become available.

    I think that the IT departments of large companies do their jobs too well -- the executive never realizes just how vulnerable they are with MS products.

    If we bring the problem home to the people that make decisions, then there will be top-down sponsorship of better computing environments.

    • the executive never realizes just how vulnerable they are with MS products.

      I think they do realize in many cases.

      I can't tell you how many times our corporating has warned everyone of the latest Outlook transported virus du jour. As a UNIX user I simply shrug it off, knowning that any ".vbs" attachment getting into my inbox won't go any further.

      But corporate IT departments look upon these things as facts of life, like jams on the freeway or catching a cold.

      Bombing them with more sploits is unnecessary and probably would be counter productive.

      Better would be to demonstrate and make cogent arguments for alternatives that would liberate them from all kinds of problems that they regard as unavoidable facts of life. They're not unavoidable!

  • The computer will crash before an exploit can be used anyway, thus proving once again Windows is far more secure than that *other* OS which some people run for years at a time.
  • Just how much easier can they make it? You can already walk right in the front door whistling Dixie with the way things are currently. It's scary - they're admitting that their API's are so full of holes that it can be that much worse than it already is. It's not like they're trying to make crackers work for it - they sneeze and a new crack is born. At least with open API's the public will be exposed to how atrociosly bare bellied Microsoft really is and perhaps either:
    A. Put serious legal pressure on Microsoft to fix them.
    B. Switch to Linux, FreeBSD or MaxOSX.
    C. Dump computers altogether and move to Tibet.

    >>
    Jim Allchin, who oversees the Windows operating system, said that disclosures sought by the states "would make it easier for hackers to break into computer networks, for malicious individuals or organizations to spread destructive computer viruses and for unethical people to pirate" Microsoft's flagship software.
    >>

  • by FearUncertaintyDoubt ( 578295 ) on Thursday May 09, 2002 @10:32AM (#3490798)
    Hasn't MS claimed for years that it doesn't have secret APIs that only MS developers get access to? Haven't they always claimed that there is a level playing field for developers to create, oh, say, office suites for Windows? Now they say they can't turn over their secret APIs which they denied existed for security reasons?

    Bill Gates can't be a borg. Nothing that is part machine could tolerate such inconsistency. Only humans can say that 1=0 and believe it.

    • Now they say they can't turn over their secret APIs which they denied existed for security reasons?

      You can certainly be sure that, now Microsoft has kicked up this fuss, there will be plenty of black hats looking for these APIs.
  • Am I missing something here? How is it that opening up the API creates a security flaw? I can maybe see them saying that giving away their source will, but how is an API going to? The API is just how to talk to the machine. Unless their API contains something like "let me do anything I want on the target machine", how does this cause a security breach?
  • by burgburgburg ( 574866 ) <splisken06.email@com> on Thursday May 09, 2002 @10:39AM (#3490850)
    The antitrust remedy proposed by a number of states would weaken the security of Microsoft's operating systems according to Jim Allchin, Microsoft's senior vice president for Windows. He warned that too much disclosure of technical information in the wrong areas would benefit hackers and create more opportunity for virus attacks.

    "The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.

    Allchin also warned that if Microsoft were compelled to disclose all the APIs and technical information the states are asking for, digital rights management would be compromised.

    From Tuesday, news.com http://news.com.com/2100-1001-900905.html [com.com]

  • It may sound silly and idiot, but I wonder what could happen if some open-source company or just any individual buys windows source code. Or just the APIs. Or whatever they sell (because they DO sell their source code, obviously under heavy NDAs).

    Now, what would happen if this individual releases it in the wild? Surely he will get fined, blah blah blah. But it would be too late - he will be a martyr, and the entire world will know about the windows source code.

    ...anyone wants to donate me 1 euro cent? :)

    crazy cheers

    • Interesting thought ... but instead of an individual doing the releasing of the source code, why not the corporation itself ... and then fold the corp once it gets sued into oblivion.

      That would hopefully shield the individuals from any damages ...

      IANAL, and I don't recommend attempting this ... :)

  • by Quixadhal ( 45024 ) on Thursday May 09, 2002 @10:44AM (#3490879) Homepage Journal
    ...is that their code is buggy in so many places, that hackers will have a field day for the next year or two because Microsoft can't fix their code to BE secure fast enough to beat the hackers.

    Security through obscurity is the last resort of people who KNOW they have a buggy system, and can't fix it without a major rewrite.

    M$ isn't willing to take the step that Apple did. They had a buggy, old, single-threaded OS design too, and instead of continuing to twiddle it in the hopes that it'd work better, they finally bit the bullet and redesigned their GUI and API layers to fit atop a known-stable core (which happend to already exist in the form of BSD).

    Sure, you'd have to give up a few FPS for your games for the next year or two's worth of revisions... but look at how far the Wine project has come *without published API's* Imagine if M$ were to actually help.

    Oh well, it's a nice alternate universe where 40 Billion in savings is enough to make a company start thinking of the future instead of the EULA... not in this one though!
  • Sure.. The "security through obscurity" argument is crap,
    and any programmer will know this..

    The point is.. these are lawyers.. and they'll argue anything
    that may help MS out of this mess..

    And since the people deciding are lawyers as well,
    (unfortunately) it might just work.

    On the other hand, the states' lawyers seem to have
    enough technical expertise to expose these bogus claims..
  • ..were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.

    Wow, so releasing APIs and protocols would give too much inforamtion about how the system works so people can hack into it. Thank god no operating systems take this a step further release their entire source code or people would be hacking into them like an axe through butter!
  • by Darth ( 29071 ) on Thursday May 09, 2002 @10:49AM (#3490917) Homepage
    If these security vulnerabilities are so easy and obvious from reading the APIs, then why can't Microsoft's programmers find and close the security holes before someone finds them? Don't they read and adhere to their own APIs?

    If releasing the APIs means someone is going to easily figure out a way to damage the system, that just demonstrates that Microsoft isnt even trying to secure their products.

  • by nachoworld ( 232276 ) on Thursday May 09, 2002 @10:50AM (#3490924) Homepage
    "In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."

    As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.

    'The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,' said Marc Maiffret, Eeye's 'chief hacking officer.'"



    i'm sure marc actually said, "1 c4n 0wN j00," but the washington post author didn't know what the hell he was talking about.
  • by Seth Finkelstein ( 90154 ) on Thursday May 09, 2002 @10:52AM (#3490953) Homepage Journal
    For some more technical coverage of Microsoft's views, take a look at

    Microsoft Reveals Anti-Disclosure Plan [securityfocus.com]

    (emphasis in original)

    Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes

    By Kevin Poulsen, Nov 9 2001 3:04AM

    MOUNTAIN VIEW, Calif.--Microsoft and five major computer security companies rounded up the three-day Trusted Computing Forum on Thursday by formally announcing a coalition against full disclosure of computer vulnerability information, ending a week of intense speculation, and immediately sparking controversy.

    ...

    A chief objective of the group is to discourage 'full disclosure,' the common practice of revealing complete details about security holes, even if publication might aide attackers in exploiting them.
    'If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment.'
    -- Marc Maiffret, eEye Digital Security

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • Dave Culter? (Score:3, Interesting)

    by Marillion ( 33728 ) <ericbardes@gmai3.14l.com minus pi> on Thursday May 09, 2002 @10:54AM (#3490966)
    I wonder if it is a coincidence? The poster of this article. There is a Dave Cutler [microsoft.com] at Microsoft who used to be the lead designer of NT who used to be the lead designer of VMS. There is an interesting Urban Legend [urbanlegends.com] about that too.
  • Its a good thing OpenBSD [openbsd.org] doesn't provide a good amount of detail about their protcols and API's. Otherwise, it might become vulnerable to crackers real quick.
  • It really irks me to no end that every piece of software you every seem to get off the shelves seems to follow the same thought as a downloaded product that you can patch it up as you go.. (take windows-update for example) and I always end up feeling like I am endlessly beta-testing everything, down to my OS (luckily I run windows under vmware, so at least it reboots faster).. So as far as security goes in MS products, because I treat it as an endless "beta" and the fact that off the shelf, windows seems to barely work, I am not surprised as each new security hole comes up. In all reality, the fact that they obscure everything seems to make people all the more interested in digging around in it. just my 2-cents..
  • From Jim Allchin: "We have to work on our reputation for security in the marketplace."

    Yes, that's it, it's a public relations issue. I guess the idea of FIXING THE GODDAMMED SOFTWARE hasn't occured to him.
  • Any large corporation can tell you where true security lies:

    Security through obesity

    Sure, they'll say they are fit and nimble - they can change their direction quickly, squash bugs in their code in record time, etc. But the truth is that only corporations large enough to squash evildoers, such as those who find bugs, can truly be considered 'secure'. You'd be surprised at how much more information would be out now if certian people didn't have that 800lb gorrilla breathing down their neck...

    -Adam
  • Think about your average consumer who goes into a store to buy a computer. This person goes in thinking that buying a computer is like buying a TV or stereo. Basically, plug it, turn it on, and it works fine. It's another appliance to them. Little does this person realize that they have just bought themselves a piece of Systems Administrator Hell! What with the barrage of upgrades (read patches) to Windows and IE. Now couple that computer with Broadband and its always on connection to the internet. Now they have to worry about Viruses, SPAM and the script kiddie down the street trying to use their PC in an attack on EBAY or Yahoo. So much for the PC and the internet making life easier!



  • I recently saw this here: MicroSoft_and_friends [ao.com] and thought it applied to Microsoft's NEED for security by obscurity....

    "Luckily for Microsoft, it's difficult to see a naked emperor in the dark."

    --- Ted Lewis, (former) editor-in-chief, IEEE Computer

    LoB

  • Take a look back in the coverage of the trial (CNN/Money will probably suffice).

    When asked about opening up the Windows API, a Microsoft VP testified that doing so would be bad, since it would allow folks to clone Windows.

    Now, out of the blue, Salon decides that opening up Windows would also make it more vulnerable to attacks (is that anything like "more pregnant", btw?).

    Can't you just picture the guy leaving the courtroom and saying, "D'oh! I shoulda said that it'd lead to more viruses, too! (Dials Phone) Hello? Salon editor's desk?" ...

  • For those who don't know yet, VBA virii exists just due to a single function. Something called CopyFunction (or something like this), that copies a function from a document to another. If MS removes this function no VBA virii will ever exist againg.

    Note that this function is very well documented and is not hidden anywhere, all you need to do is search at VBA documentation.

    Now is MS insecure due to obscurity or is it insecure anyway? Maybe that conspiracy theory that MS owns Antivirus software companies is right.

  • by tz ( 130773 ) on Thursday May 09, 2002 @12:01PM (#3491452)
    And Microsoft still crashes a lot.

    You are running some program and do something interesting, like accidently pasting a text document onto a URL and something crashes. Ah. Try it again. OK, if it is over 4800 or so bytes it crashes, bring up the debugger. Ah, at 4894 is the stack where the IP...

    Here is the specific difference between closed and open models.

    If I find it on Microsoft, about the only thing I can do is write a sploit for the skript kiddiez. Of course I can contact Microsoft, but they won't respond for the shorter of 4 months, or when the skript kiddiez get going. Even then it usually takes two weeks for a hotfix that breaks half the software on the server, and then another two weeks for a fix for the fix that I can apply. [Don't worry, I haven't run anything from Microsoft for several months and hope to stay Microsoft Free as much as possible].

    If I find it on GNU/BSD/Linux, I pull up the source, add a test or whatever I deem appropriate and send a patch with a description of the problem and fix to the maintainer along with a little chiding about how embarrassing it should be to have such a hole. And the minor version is incremented the next day, so everyone doing apt-get regularly won't be affected, and in a few days every distribution will have it added to the security update section.

    Even if I had the source to Micros... I probably wouldn't have enough to recompile or fix things. I could find the line of code causing the problem, but anyone who can write a sploit can read disassembly.

    Microsoft's integration makes the problem worse since any problem with what should be middleware runs in the OS. A Netscape flaw on Linux wouldn't get you root (at least not directly - you would have to find a suid flawed program). But any problem with Outlook and/or IE gives you more than enough to cause problems.

    Again, and to summarize, any software defect has a good potential to be exploited, without the source, so simply running something until it crashes (at least on MS) is a much more productive way to mine for exploitable security holes than reading through the source. The integration within MS software (the browser is part of the OS) makes the OS vulnerable because it includes the middleware, making it much larger and more complex (a flaw in IE thus *IS* a flaw in the OS), and as such cannot be sand-boxed easily.
  • Essentially Valid (Score:3, Insightful)

    by n3bulous ( 72591 ) on Thursday May 09, 2002 @12:08PM (#3491494)

    Microsoft argues that were they to provide any greater technical detail about protocols and APIs, it would make computers running their operating system far more vulnerable to cracking attacks.


    I'm not sure about the depth of the State's API and protocol information requests, but this is a perfectly valid statement if you assume detail means code, and it applies to OSS as well. By providing your source code, you provide black hats with an easily accessible opportunity to find your mistakes and use them against you. This is a fact you cannot avoid.

    Of course, just describing how your protocols or APIs work should not be a security risk in most cases, unless MS has cut too many corners. As to whether we would see a noticeable increase in MS exploits, your guess is as good as mine.
  • Again.. if they weren't a monopoly, it would be a non-issue. Could you imagine an embedded systems OS company refusing to reveal their APIs? I mean, the API *IS* the product.

  • From the article:
    "I guess it's a matter of how hard you make it," Allchin replied. "We have to work on our reputation for security in the marketplace."

    Why yes, yes you do. You have to work on the fact that you have a reputation for not having any security. There is a two step plan which is the only effective way to build that reputation in today's world:

    • Become secure. Windows is clearly not secure now.
    • Open your APIs (at least) and possibly your source (best) to prove that you are secure.

    Anything else is just masturbation, which I enjoy, but not when we're talking about securing systems and networks.

  • but if they don't they shouldn't be allowed to market products that get an unfair advantage by using the undisclosed information.

After a number of decimal places, nobody gives a damn.

Working...