Monday, March 06, 2006

5 things Microsoft can do to secure the Internet, and why it wouldn't?

In my previous post on Internet security, I was just scratching the surface of "How to secure the Internet", and emphasized that plain text communications, insecure by design, and our inability to measure the costs of cybercrime, are among the things to keep in mind.



Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?



Important questions arise as always :

- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?



These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.



1. Think twice before reinventing the security industry



What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.



Why it wouldn’t?

Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.



2. Become accountable, first, in front of itself, than, in front of the its stakeholders

What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :



“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?



Why it wouldn’t?

Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.



Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!



3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities

Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.



Why it wouldn’t?

Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :



"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."



4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security

Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would.



Why it wouldn't?

They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?



5. Rethink its position in the security vulnerabilities market



Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.



Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.



Why it wouldn't?

Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.



To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)



Technorati tags :
,