
Tuesday, July 12, 2005

UK: Security is Microsoft's number one priority

Nashing of teeth


By N. Alex Rupp: Tuesday 12 July 2005, 11:52

ACCORDING TO Mike "Security Czar" Nash, who addressed a crowd of several thousand before handing the mic over to softly spoken Steve Ballmer at the Worldwide Partner Conference, security is Microsoft's "number one priority".
That appears to be no more the case than it was in June 2004 in San Diego, when I attended Microsoft's TechEd 2004 event. The conference centre in San Diego sported a single wireless network, with e-mail access only for users on the house machines and none for laptop users. This year in Minneapolis there were a dozen wireless drops and cleartext passwords flying over the network like SSL never even happened. I have no doubts about Microsoft making a business advantage out of its customers' and its partners' security woes, but I'm not certain that calling security its "number one priority" means much at all.

In May 2003, the U.S. Federal Trade Commission "estimated the number of consumer victims of identity theft over the year prior to the survey at 4.6% of the population of U.S. consumers over the age of 18, or 9.91 million individuals with losses totaling $52.6 billion." [1]

Let me restate that. Identity theft is a $52.6 billion annual industry in the United States. The U.S. reported 10 million cases in 2002-2003, and the numbers appear to be growing.


Statistics can be misleading, though. Nash remarked about a colleague in a partner company who drilled him in April 2005 about the apparent rise in number of Microsoft security bulletins over previous years. Nash's response--that as Microsoft ships more software products, they'll have more security bulletins--was fair but hardly reassuring.

But Nash pulled a twisted about-face and applied different logic when comparing Microsoft Windows Server 2003 with RedHat Server Edition. He had a couple of blokes up on the stage holding outstretched hands while he dumped candy "Red Hots" (hyuck, hyuck) into their hands to represent the monthly number of reported security bulletins from each platform. The RedHat customer's hands overflowed with candies that poured onto the floor, while the Windows customer easily cupped their candies.

Though entertaining, this display of PR spin did nothing to reassure me, an overinformed customer on the front lines of security, about the future direction of the Microsoft platform. Under scrutiny, the Windows customer might find his candies to be bitter pills. For one thing, Linux distros include scores, if not hundreds, of features that aren't available in the Windows server edition. Like, for example, an ssh terminal. Or an scp terminal. I mean, come on. This is kid's stuff we're talking about here. By the standard of Nash's earlier comparison, the feature gap alone excuses the differential between the two platforms; more than excuses it.

Let's bring things back into reality, Mr. Nash. We're talking about _quantity of bulletins_ here, a conveniently misleading metric at best.

To convince me that Windows is safer than Linux, I'd want to see those numbers cross-referenced with time-to-repair statistics for each individual bulletin, threat levels relative to the degree of system control granted by the vulnerability, the number of implemented exploits for each reported vulnerability, and data on the install base for the two platforms, beginning with metrics on the 7,000 teenaged home users on my network. I can tell you with absolute certainty that I'd happily trade 100 minor security bulletins on the Linux platform for a single major security vulnerability found in Internet Explorer (like the yet-to-be-repaired PNG vulnerability reported on July 1st).

Because I know my users are committed to Windows, I want to know for certain that today's security outlook on Windows is better than yesterday's, and that tomorrow's will be even better. I want to see results on Windows, but I'm afraid I don't. I see the rise in prevalence of rootkits and IRC bots. Nash's keynote lingered on Sasser and Blaster, and only skimmed the surface of the IRC bot plagues that brought my users to tears in the last academic year. I see the Layered Service Provider in Microsoft's TCP/IP stack as a minefield that practically begs criminals to invade the privacy of users on my network.

I am by no means unappreciative of Microsoft's efforts in this arena, but I think the problem is larger than they cared to admit on the stage today. Overall, the tenor of Nash's keynote came off like a feelgood PR roadshow that served up jelly beans and warmed-over exhortations to install Service Pack 2.

As Nash went on, those Gavin DeGraw lyrics kept elbowing their way to the front of my mind. What I began to notice was an emphasis on corporate networks and security on server platforms, but that doesn't mesh with the statistics coming out of the FTC and the FBI. Nash didn't venture into discussion of Windows XP Home Edition, and although he spent a good while comparing Windows Server and RedHat Server editions, his absolute silence on Mac OSX spoke volumes. What I was looking for--and what Nash failed utterly to address today--was the fact that home users are the ones paying in flesh for security vulnerabilities.

For instance, I spoke with a regular from the local coffee shop today, one of the "walking around folks", if you will, who suffered an ID theft attack last year. The man had a lot to say about his experience. "My credit card information was stolen last year. It was pretty bad. There are too many ways you can do it--in my case, the problem was due to physical access on the same computer that I had used, and somehow the [credit card] information was still there. It wasn't even on my computer. It was on a computer in a hotel in Japan."

When asked what he thought could have prevented the problem, the conversation took on a rather dark tone. "It seems that this whole system of having a credit card number that you can use to get into your account, it's just too easy. It used to work, but it just might not work anymore. It's like we just created this new technology, and then slapped our old system onto it, and there's no way to make it secure."

Now, when Average Joe tells me his confidence in the institution of the credit card system as a whole is slipping (and I don't consider this an unusual or extreme sentiment among my users), that tells me a long-term and very real problem of confidence (I'll stop short of calling it a 'crisis') is brewing.

In the final analysis, I'd like to counterbalance Microsoft's responsibility for the overwhelming frequency of computer-security related crimes with that of individual computer users. In defense of Microsoft, no amount of gadgetry will protect Ma and Pa Main Street from confidence scams and social engineering attacks. No amount of local, state, federal or international legislation is going to solve the problem either--we cannot afford to turn these skirmishes against cybercrime into a "world wide war". That means individual computer users are going to have to get serious about issues of online privacy and security.

On the other hand, Microsoft hasn't yet shown that they're willing to go all the way to place security concerns at the center of their system architectures. Windows OneCare, firewall, antivirus and antispyware technologies sound great on stage, but are all still in their infancy. I don't expect Longhorn to be the magic bullet it's often billed to be. Don't get me wrong--I'm a Windows user, and plan to continue on in that vein, but I also teach classes on safe computing practices at a Big 10 university. Monthly webcasts on security are admirable in sentiment, and hunting down virus authors might go over well in the Red States, but I don't think hosting talk shows and paying a quarter of a million dollar reward for the identity of every new virus author is a scalable solution to today's virus threat.

And no amount of jellybean rhetoric is going to change that.
