Information Security News mailing list archives

Re: Microsoft developers feel Windows pain


From: InfoSec News <isn () c4i org>
Date: Tue, 12 Feb 2002 02:50:07 -0600 (CST)

Forwarded from: Aj Effin Reznor <aj () reznor com>

Apologies (well, kinda) for the length of this one.  At least a week's
worth of mediadung have built up and the dam now bursts ;)  -aj.


"InfoSec News was known to say....."

As an historical tidbit: Steve Lipner is one of the authors of the
Orange Book.

That thing that MS wants people to believe that they conform to? :)

As a comment: Security as an imposed focus for Microsoft is heaven
sent, you heard me, heaven sent.  Consider, as we

No, not really.  The concept at its most base and *simplistic*
level, yes.

But, what "security" will come of it?  Will MS "embrace and extend"
the way they have so many other things, and wind up breaking more
protocols (Kerberos, anyone?) and further complicating integration?

Will they allow secure, SSH based communications to remote servers,
but only from other like-blooded servers running their /special/
implementation of SSH?

I've seen much discussion about this flying around since it was first
announced by Bill The Gates, but I've seen little done to question
exactly how MS is going to define this new security they will be
producing, because let's face it, *we* [1] know that security is a
process, and a procedure, and not a product.  For MS, it will be a
feature, at least until they find some way to put security on a CD and
slap a price tag on it. [2]

I'm certain (as in, would put money on it) that MS is going to both
botch and bastardize this plan of attack.  I'm very much in agreement
with *hobbit*'s (or is it *hobbit's* ? :) mail on this subject.  I
mean, let's look for a moment at some of the content of the original
article:

        "Under a new push to secure software code and convince 
customers that security is a top priority, Microsoft is putting its
Windows developers, testers and program managers through a crash
course in secure programming."

The words "crash course" don't belong in the same sentence, paragraph,
nor entire damn article about "security".  Anyone else see humour in
MS coders and "crash" courses?  Would this perchance decrease
stability further? :)

Continuing:
        "Over the next month, the software giant's security-assurance 
group expects the training to pay off as more than 70 developer teams
audit the various software components that make up Windows XP and the
upcoming Windows .Net server operating systems."

It would appear this "assurance group" has high expectations for...
well, something they realistically shouldn't.  MS products are
routinely found to be replete with buffer overflows, among a sundry
collection of other faults and vulnerabilities.  I know this is review
for just about everyone here with a clue, but it seems that MS is
missing the obvious:  Give up on fixing something which has been not
repaired but largely constructed from gaffer's tape, and start from
scratch.  It's the *only* way they stand a chance of getting it right,
but even then I don't suspect they'd get it right with a complete code
rewrite anyways....

Continuing:
        "To keep the momentum rolling, after each team finished
training, it had to draw up a plan of action for completing a review
of any piece of software for which the group was responsible. In
total, Howard and his group have received more than 70 plans detailing
what teams are going to do throughout February to secure their piece
of the Windows operating system.

        "Every group that contributes to the CD has drawn up a plan to
mitigate security risks," Howard said. Key to the plans is a measure
of success--how the groups will know when they are done, he added."

I suppose what really bothers me here is that MS is doing rapid
security "training" and then these people, who wrote insecure software
in the first place, are then the same ones writing their gameplan to
fix it.  Ummmm, who's checking the homework here?  There's no mention
of this, and I feel rather strongly that the people that are cranking
out inherently insecure software are the ones tasked to fix it...
chances are it won't be getting fixed too well the first few times
around.  Curious, if this whole initiative bombs as poorly as I
suspect it will, and MS products are still found to be rather swiss
cheesey, how long til MS scraps the whole thing, and denounces
"security" as being "something hyped by the media, which (we) found
that the consumers really actually had no interest with in the first
place" ?

Finalizing with the original article:
        " "Every group that contributes to the CD has drawn up a plan
to mitigate security risks," Howard said. Key to the plans is a
measure of success--how the groups will know when they are done, he
added."

Hell, either they didn't *care* if it was written to be secure in the
first place, or they didn't know.  I refuse to accept that the apathy
(or uneducation) that allowed MS products to devolve into what they
are will be able to recognize and correct their own errors.  How
*will* they know when they are done?

(*) Disclaimer -- I am a security guy and I could not be
happier for both personal and commercial reasons.

[1]  "We" being any competent security practitioners

[2]  I often joke that the blank disc on a stack of bulk CDs is
     the book "All We Know About Security" from Microsoft Press.  
     How long til they actually have an offering?



-aj.



-
ISN is currently hosted by Attrition.org
