Microsoft's New Security Mojo


Opinion: Recently, Microsoft announced a program to offer rewards in exchange for information leading to the arrest and conviction of those who exploit its flagship Windows product through viruses, worms, and other forms of malicious code. Yet, despite the software giant's own executives saying publicly over a year ago that their products "weren't designed for security," the company continues to point fingers at third parties, hackers, and crackers as the source of the many problems plaguing the Windows-based portions of the Internet. The rewards program also demonstrates the ineffective organized chaos that remains Microsoft's response to the marketplace's demand for better-developed, better-tested products.

Security (or the lack thereof) in Microsoft's products has adversely impacted its customers' corporate profits for years, and finally is beginning to affect Microsoft's own future profit potential as well. As a result, after years of sitting idle, Microsoft suddenly is committed to improving security. Hence the company's mad rush to inject "security" into every product, speech, and statement to reassure its customers that Windows is still a worthy operating environment to spend money on. It has even sponsored an upcoming report critical of Linux security to help spread fear, uncertainty, and doubt about Microsoft's chief competitor and underscore why Windows is a better product. Sadly, rather than address its own problems, the company is content to use creative marketing as a substitute for good security and sound software development.

The problem isn't that virus-writers are exploiting Windows; it's that Microsoft makes Windows easy to exploit by anyone with a modicum of programming know-how -- and instead of accepting responsibility, the company is trying to pass the blame for such problems off onto others. Creating a rewards program is a clever, low-cost way of diverting public attention away from the many problems resulting from its history of exploit-friendly programming practices, so it doesn't have to address the root causes that forced the creation of the rewards program in the first place. It also allows the company to portray itself as taking the moral high ground (albeit an illusory one) in its approach to proactive product security.

The rewards program builds on the company's recent announcement that it will convert its traditional as-necessary security bulletin and patch-release process into a predictable monthly one. Interestingly, Microsoft's October 2003 white paper on the new security release process says this will make it easier for customers to stay current through a single cumulative monthly patch that fixes reported problems in Windows. That sounds perfectly reasonable until one reads that "Microsoft will make an exception to the above release schedule if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation Microsoft may release security patches as soon as possible to help protect customers."

Given that the majority of Microsoft security bulletins deal with these very problems, one wonders whether this new policy really makes a difference by improving security, or whether it means that, to reduce the number of security bulletins (and the associated negative media coverage), Microsoft will be more selective in what it deems an "immediate risk" to customers. It's likely that the company will seldom release a bulletin and patch outside of its assigned monthly schedule, since doing so would not only undermine its new policy but put it in the unfortunate position of having to defend what makes one problem "more critical" than another and thus warrant a special release.

Admittedly, a monthly patch-release schedule may make it easier for customers to stay current, but it also means that a potential adversary knows exactly when to release his next piece of malicious code or exploit technique to the world. Network administrators likely will resent being kept in the dark between monthly patches, never knowing whether their networks are endangered or being compromised until the next security bulletin is announced.

Patching aside, it's more interesting - and seems very convenient - that the company responsible for the majority of digital problems in cyberspace in recent years is now offering a remedy for these recurring problems in the form of Trustworthy Computing and the next version of Windows, code-named Longhorn. Of course, to receive this much-desired increase in security, users must pay for it via a product upgrade. Unless I'm mistaken, this sounds a bit like the Mafia offering "protection" services to local neighborhood businesses against security problems it creates (or tolerates) as a form of revenue. Pay for your "protection" or be "at risk" (wink-wink) until you do.

Microsoft has an established history of such sneaky practices to get what it wants from its customers. Remember that over a decade ago, the company intentionally caused early versions of Windows to display error messages if installed on anything other than the Microsoft version of DOS; once users installed MS-DOS, the error messages disappeared. More recently, to fix a series of critical vulnerabilities in Windows Media Player last year, Microsoft forced users to accept the imposition of new and controversial digital rights management (DRM) software as part of the security "fix." Of course, users were free not to install the fix if they didn't want the DRM software on their systems, but they would remain at risk of attack and exploitation from any number of criminals on the Internet as a result.

This brings up the question of how the definition of "security" is being changed to fit marketplace needs. The MSDN website shows that DRM is a core "security" function of Longhorn that runs in what Microsoft calls the Secure Execution Environment. The very fact that an operating system - the engine that runs our computers and touches everything we do on them - is to be built on a DRM foundation (with "hooks" for third parties, including Microsoft, to determine what may be done with what information on a computer) is frightening. Ask any objective security professional: DRM should not be viewed as a function of security but rather as an add-on function of revenue protection for those industries built on digital content.

Home and business users alike should not be forced into a Mafia-like protection agreement to be secure in cyberspace. Nor should the fundamental definition of security be extended - or twisted - to include invasive mechanisms of profit protection for industries unable to adapt their business models to the Information Age. Until Microsoft takes a realistic view of security and defines effective real-world ways of improving product security in the present day - such as cleaning up the existing Windows code instead of greedily forcing mass upgrades - its existing customers will be reluctant to adopt a newer version of the Windows product line, no matter what the speeches and marketing material promise.

Microsoft CEO Steve Ballmer recently said the company's rewards program makes it clear that Microsoft is "taking security seriously." What he meant to say was that it's clear Microsoft is taking its security reputation seriously. That's a big difference.

Copyright © 2003 by author. Permission granted to reproduce in entirety with credit to author.

Richard Forno is consulting, lecturing, and writing in the Washington, DC area. His areas of expertise include information security program development and management (with an emphasis on incident response and security awareness), information operations, trend analysis, and critical infrastructure protection.

Biting the hand that feeds IT © 1998–2022