@Stake's Wysopal on Bill's Bull (was re: [ISN] Security gurus welcome Microsoft's goal)

R. A. Hettinga rahettinga at earthlink.net
Fri Jan 18 06:20:43 EST 2002


--- begin forwarded text


Date: Fri, 18 Jan 2002 01:18:29 -0600 (CST)
From: InfoSec News <isn at c4i.org>
To: <isn at attrition.org>
Subject: [ISN] Security gurus welcome Microsoft's goal
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>

http://news.com.com/2100-1001-817849.html

By Robert Lemos
Staff Writer, CNET News.com
January 17, 2002, 3:45 PM PT

Security experts hope that this time Microsoft really, really means
it.

A memo from Chairman Bill Gates, leaked Wednesday, exhorted Microsoft
employees to make the company's products more secure and stated that a
new initiative, which Gates called "Trustworthy Computing," is now the
software giant's top priority.

The initiative, Gates wrote, aims to make computing and the Internet
"as available, reliable and secure as electricity, water services and
telephony."

While security experts gave Gates' message high marks, they withheld
judgment on whether Microsoft--which has been pasted by a series of
high-profile security blunders over the past year--can deliver.

"This gives me more hope," said Chris Wysopal, director of research
and development for security company @Stake. "Nothing is a cure-all
solution, but when you say we have an organization focused on getting
security into different product groups, that's got to help."

Gates' message comes as Microsoft is betting its future on its .Net
effort, an attempt to give consumers secure, easy and round-the-clock
access to businesses via the Internet. Without better security, the
software titan will have a hard time convincing developers, businesses
and Web users to start using the new services, Wysopal said.

"Because of other (incidents) in the past, they have to make their
software more secure if .Net is going to make it," Wysopal said.

Recent problems with Passport, the Microsoft Network and the company's
Windows Update service--all considered embryonic versions of future
.Net services--have angered consumers and caused security experts to
wince.

And past initiatives have not delivered spectacular results, either.
Despite Microsoft's Secure Windows Initiative and its Strategic
Technology Protection Program, the company fell afoul of a major
problem with its flagship Windows XP software. Microsoft has touted XP
as its most secure operating system ever and intends to push it as the
gateway to .Net.

While the company's new focus is welcome, some in the security
community remain cautious. Microsoft--a company found to have abused
its monopoly power--isn't exactly the poster child for
trustworthiness, and some are wary of the new initiative.

"This comes from the same vendor that tried to settle an antitrust
suit by finding a market segment they couldn't penetrate and giving
their product away for free" in that market, said David Dittrich,
senior security engineer at the University of Washington, referring to
recent wrangling over the company's proposed "schools settlement."

In that instance, the company pitched its proposal as a charitable
solution that would provide free software to needy schools. But
competitors characterized the move as an effort to monopolize the
education market.

Similarly, some wonder whether the new security initiative can be
taken at face value. And even if it can, some are concerned it could
wind up having a downside.

Dittrich points to the company's initiatives to hush up the disclosure
of certain information about vulnerabilities in its products and says
that, arguably, such an attitude can aid hackers and run counter to
interests of security.

Security experts and hackers who find bugs in software usually release
the information to the public after notifying the program's creator of
the flaws. However, the security community has long argued about how
much information should be given, since malicious hackers could use
details to write tools to help them break into computers using the
flaw.

In November, Microsoft and five security companies announced they had
formed a group to create a policy for ethical disclosure of such
information.

"They should want their employees to know as much about a
vulnerability as possible," Dittrich said.

Such apprehensions aside, though, security experts said it's a welcome
signal that Microsoft is now taking security seriously enough to give
it priority over new features.

"It's about time," said Mark Maiffret, chief hacking officer for
network protection company eEye Digital Security. "This is something
that Microsoft and other companies have needed to say for a while:
Security needs to come before features."

eEye discovered the major hole in Microsoft's Web server software that
online vandals used to spread the virulent Code Red worms and a
serious hole in Windows XP that could have been exploited by Internet
attackers to gain control of any person's PC.

"Finally," Maiffret said, "there is a wake-up call out there that
security needs to come first."


--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


