Wednesday, October 01, 2003

Security Steve

Well, as I was telling you the other day: I’m more and more on the side of MS. But lo and behold… - well, don’t say that, the phrase is so popular these days that it becomes just noise in the background - now I just read this article above, where Microsoft’s CEO Steve Ballmer compares hackers to skyscraper-destroying terrorists showing absolutely no morals.

“Hackers are criminals,” Ballmer says, plain and simple.

and another quote about the ‘criminals’:

“There’s no way to look at these people as anything other than what they are: malicious people who are violating the law.”

Unfortunately, this leaves no room at all for the interpretation that at least *some* so-called ‘criminals’ serve the general public by announcing security holes. In the end, making software errors public just forces software manufacturers to address security issues promptly, thereby preventing exploitation in the future. Let’s make a comparison: some
In the end this will make software more secure. I can draw no other conclusion than that Mr. Ballmer must be a big fan of the principle of security by obscurity (correct me if I’m wrong). Well, there’s an abundance of information about why this is a bad thing. For starters, read what Bruce Schneier has to say about this in his famous Crypto-Gram newsletter, or in his book Secrets and Lies. It just does not work, and it is a dangerous way to just hide something secret in this digital age (thought added: well, it will not work *in the end*, as there can / will always be someone reading your mind somehow, and figuring out that your cmd.exe resides in c:\mytools instead of the system directory…). I will not go into it any further, as I’ll only do that when I have something new to tell you. Repeating what others have already said is only boring and does not contribute anything to the discussion.

But we were talking about Microsoft. When they take the issue of security seriously, that is, if they are trying their best to make software more secure, they can only be happy that so many people are finding security holes in their products. What I don’t mean is that you should just write an exploit, release it on some hacker FTP site, and not tell the manufacturer about the issue. A reasonable amount of time should be given to them to fix the hole and subsequently release a patch to the general public.

(whatis: reasonable. I have no distinct opinion about the time that should be given; other people are more capable of deciding this. I guess a complicated problem could need more time to fix than some minor thing. But on the other hand, it shouldn’t be *too* long, given that knowledge about the issue will spread on the net, giving others the possibility to make their own exploits.) I still think the Trustworthy Computing Initiative from Microsoft is a serious one. And maybe it’ll really (link??) take a substantial amount of time before improvements show.

(whatis: general. Patches should always be available to the general public, and not just to the manufacturer’s list of clients. Everyone should have the option to download them somewhere from the web. I know people are using illegal software, but what’s the use of excluding them from patches? It will only keep their machines vulnerable to attack, and no one is served by that. The use of illegal software is a bad practice, no doubt about that, but other measures must be taken to handle this.)