Windows and Security: Setting the Record Straight
http://windowsteamblog.com/windows/b/bloggingwindows/archive/2010/06/01/windows-and-security-setting-the-record-straight.aspx

======
tptacek
It's going to be _very_ hard for people here to take, especially after wading
through the tone of this article or the bogus reference to the Yale GMail
story, but this guy is right. Hold your nose and suck it up, Microsoft is in
fact doing a better job with software security than any other large company in
the industry.

~~~
alecco

> Microsoft is in fact doing a better job with software security
> than any other large company in the industry

No.

They did some good changes with Vista+, sure. But their code base for most of
their products is still a huge pile of crap, security-wise. IIS, Exchange,
Outlook, and even Windows itself. Not all remote exec bugs are mitigated by
the new OS features.

Also, with typical Microsoft attitude, usability is neglected and many users
just end up opening security settings permanently after being hassled dozens
of times. That's counter-productive.

A great example recently on their legacy of bad code is Hernan Ochoa's
vulnerability find:

Vulnerable systems: practically every Windows OS, including 2000, XP, Vista,
and 7.

<http://www.hexale.org/advisories/OCHOA-2010-0209.txt>

> Impact: An unauthenticated remote attacker without any kind of
> credentials can access the SMB service under the credentials
> of an authorized user. Depending on the privileges of the authorized
> user, and the configuration of the remote system, an attacker
> can gain read/write access to the remote file system and execute
> arbitrary code by using DCE/RPC over SMB.

EDIT: Formatting.

~~~
alecco
Would the down-voters at least state why? Is it forbidden to have a different
opinion with examples?

Sure, the "pile of crap" was a bit juvenile. But that doesn't invalidate my
point.

~~~
shin_lao
Unless you have access to the said source code, you don't have a point.

I can actually tell you that Windows NT source code is everything but "a pile
of crap". I can't tell for Exchange or IIS, but I would be very surprised
that it's crap.

Security is extremely difficult. It's even more difficult for a consumer
product.

Even OpenBSD had remote exploits in the default install.

~~~
alecco
Really? I know several guys who did security auditing for Microsoft on-site (a
few years ago.) One (famous researcher) said the concepts were very good, but
the implementation was just terrible. Also they expressed disappointment when
their findings mostly fell on deaf ears (another sec audit guy.)

Also I happen to know more than one (grey?) hat who makes/sells 0day of
Microsoft products. Microsoft opened Pandora's Box pissing off security
researchers a few years back; there are many wounds to heal.

And on your OpenBSD bashing, they have a very good security record. Sure, Theo
had a short temper, but they always worked very hard on security and most of
his rants were related to drivers (and IMHO, he was almost always right.)

Edit: very minor clarifications.

~~~
tptacek
Hey, alecco? I _am_ one of several people who has done code auditing for
Microsoft.

I simply do not believe your unattributed story about security advice at
Microsoft "falling on deaf ears". For the past several years, a large subset
of "famous security experts" have been falling over themselves to present at
Microsoft's private internal Blue Hat conference.

Incidentally, before you decide to call me a Microsoft apologist, you might be
interested to know that I worked on the original OpenBSD security audit (back
when the company I worked at, SNI, started the audit), and for several years
wrote the OpenBSD security advisories. I also spent 4 years working at Arbor
Networks, then the largest commercial OpenBSD security product company in the
world.

Also, if you're wondering why people are downmodding you, start by considering
that 'shin_lao _didn't_ bash OpenBSD.

~~~
alecco
This argument is getting ridiculous. I didn't question your credentials. I
only questioned your _absolute_ statement. I didn't say you are a "Microsoft
apologist", and about shin_lao's OpenBSD statement I probably misread it (it
was late last night for me.)

> Microsoft is in fact doing a better job with software security
> than any other large company in the industry

[IMHO] Google does a much better job and Microsoft still needs to
rewrite a lot of their code base to be safe. And their bad usability record
also counts against them, as stated in my original response.

Again, sure, Microsoft beats Apple/Sun/Oracle/Cisco. I agree 100% with you
there. (As stated before.)

~~~
tptacek
You keep saying "Google does a much better job". But I'm _specifically
rebutting that point_. I gave _specific reasons_ why I think that. You keep
offering _no specific responses_. Why do you think this is an effective way to
make a point?

I'm sorry you feel like this is getting ridiculous, but what I think is
happening is that you've once again bumped into someone on Hacker News that
isn't simply going to concede the point to the person with the greater zeal
for the issue. I get it. You like OpenBSD. You prefer open source. You prefer
Google to Microsoft. This is all understandable. Unfortunately, your ideology
doesn't change the facts on the ground.

~~~
alecco
About Google: I really like their security approach for Chrome/V8, and NaCl
looks amazing (in particular the upcoming LLVM version.) Chrome OS isn't here
yet but the concept looks very interesting for security (not so much for
privacy and other aspects, though.)

> what I think is happening is that you've once again bumped
> into someone on Hacker News that isn't simply going to concede
> the point to the person with the greater zeal for the issue.

I hold a very slightly different view from yours (e.g. I think Microsoft is
doing a lot about security and other giants should take note, as in the
original reply.)

It is sad people look for absolute right and wrong. Why can't we have both
different views and not necessarily be wrong? In particular on a difference in
opinion.

> I get it. You like OpenBSD. You prefer open source.

I like some things about OpenBSD, in particular their code auditing, but of
course it's far from perfect. If I remember well, more than once Theo argued
against something and later on it became a major feature of the project.

About projects, I consider myself a bit of a sad agnostic lately. In
particular I haven't used OpenBSD in a long time.

> You prefer open source.

Yes. But I happen to use closed source every day and don't have a problem with
that. I use iWork to create PDFs and slides, sometimes. Hah, I'm even OK with
crappy proprietary software (iTunes+iPod), nothing I can't handle.

Apple, and in particular OS X and Safari, on the security side are a disgrace.
But I can live with it (e.g. use Chrome with JS/Flash disabled by default, use
TrueCrypt and other encryption software as much as possible, and be very
careful where I plug my notebook and what I authorize in it.)

> Unfortunately, your ideology doesn't change the facts on the ground.

What ideology? You just did a (bad) guess at my stance. And even if you were
right, it was just ad-hominem.

Counter example: I hate Google's anti-privacy hypocrisy. Same for their
server-side services, and [also for] removing power from the users. Microsoft
always empowered users with tools, it's their business model. I liked them a
lot [back then] when things changed from server-side borderline authoritarian
systems [to empowered Wintel PCs]. And now the world is coming back to
[centralized systems], sadly.

------
wooster
> With Windows 7, we added improvements to BitLocker
> for disc encryption (we also introduced BitLocker-to-Go
> for external USB devices), and added enhancements to the
> built in Windows Firewall for better protection.

OS X equivalent is encrypted disk images and FileVault (and the firewall, but
whatever).

> Windows 7 has Parental Controls built in that can be
> combined with Windows Live Family Safety to create a
> safer experience on the PC for children.

Yeah, OS X has that too. I wrote large parts of it.

His most compelling point is ASLR. It'd be nice if OS X had that.

~~~
Niten
> OS X equivalent is encrypted disk images and FileVault

Calling FileVault an "equivalent" of BitLocker is too generous. BitLocker
provides several important things currently lacking from OS X's built in disk
encryption facilities:

* Strong encryption: If you use FileVault, you're essentially gambling that your hypothetical attacker can't break a 1024-bit RSA key. That isn't such a good bet these days.

* Trusted boot path in conjunction with a TPM; defense against the "evil maid" attack

* Support for full disk encryption, not merely encryption of home directories

* Enterprise key management and recovery, so that full disk encryption can conceivably be used within a large organization

You'll want to buy PGP or similar if you're on a Mac and you want good disk
encryption. (But that still won't give you anything like BitLocker's boot path
verification.)

But yeah, the whole parental controls thing is not only a moot point (didn't
OS X actually have that first?), but pretty much irrelevant to security in the
sense intended in this discussion...

~~~
tptacek
I think your argument about 1024-bit RSA being too weak is pretty much
nonsense, and nothing defends against the "evil maid" attack, which kind of
misses the point of full disk encryption anyways.

TPM support would be nice, though.

~~~
Niten
You're wrong on both counts. Even back in 2007, NIST deemed 1024-bit RSA too
weak:

<http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf>

And BitLocker's trusted boot path _does_ defend against the evil maid attack:

<http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html>

Even if you want to make some semantic argument that this doesn't strictly
fall under the mantle of "disk encryption", it still proves the point that
FileVault is no substitute for BitLocker.

~~~
tptacek
I'm wrong on neither count. The likelihood that anyone's disk encryption is
going to be broken by a brute force attack on an RSA key of any size is _nil_.
There remain attacks on BitLocker regardless of whether it boots from a static
trusted root. And, again: the whole notion of "evil maid" attacks does miss
the point of disk encryption; if you lose control of your computer, it's no
longer trustworthy no matter what.

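The trusted-boot point Niten makes above, and tptacek's caveat about its limits, can be seen in a small model. This is an added example, not code from the thread or from Microsoft: it replays a constructed boot chain through a TPM-style PCR extend and seals a volume master key to the resulting measurement, so a swapped boot manager produces a different PCR and the key stays locked. The chain contents, the sealing scheme and all function names are my own assumptions; a real TPM performs the policy check and key release inside the chip rather than in software.

```python
import hashlib
import hmac
import os
# Constructed sample boot chain (firmware, boot manager, OS loader) that a
# BitLocker-style measured boot extends into a TPM PCR, in that order.
# The blobs are made up for this example, not real Windows binaries.
BOOT_CHAIN = [b"firmware-image-v1", b"bootmgr-signed-blob", b"winload-blob"]
# The same chain after an "evil maid" swaps in a trojaned boot manager.
TAMPERED_CHAIN = [b"firmware-image-v1", b"bootmgr-with-keylogger", b"winload-blob"]

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_chain(chain) -> bytes:
    """Replay a boot chain into a PCR that starts all-zero at reset."""
    pcr = bytes(32)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr

def _keys(pcr: bytes):
    # Derive encryption and MAC keys from the PCR value (stand-in for the TPM's
    # internal policy check; a real TPM never hands these keys out).
    enc = hmac.new(pcr, b"seal-enc", hashlib.sha256).digest()
    mac = hmac.new(pcr, b"seal-mac", hashlib.sha256).digest()
    return enc, mac

def seal(vmk: bytes, pcr: bytes) -> bytes:
    """Bind a 32-byte volume master key to the expected boot measurement."""
    enc, mac = _keys(pcr)
    ct = bytes(a ^ b for a, b in zip(vmk, enc))
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(blob: bytes, pcr: bytes):
    """Release the VMK only if the current PCR equals the one it was sealed to."""
    ct, tag = blob[:32], blob[32:]
    enc, mac = _keys(pcr)
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None  # boot path changed (or blob corrupted): key stays locked
    return bytes(a ^ b for a, b in zip(ct, enc))

def boot_and_unlock(chain, blob):
    """What the OS loader gets back from the TPM on a boot through `chain`."""
    return unseal(blob, measure_chain(chain))

if __name__ == "__main__":  # constructed demo: clean boot unlocks, tampered does not
    blob = seal(os.urandom(32), measure_chain(BOOT_CHAIN))
    print(boot_and_unlock(BOOT_CHAIN, blob) is not None, boot_and_unlock(TAMPERED_CHAIN, blob))
```

Note the boundary of what this buys you: only components that are actually measured change the PCR, so a keylogger added to hardware that the boot path never hashes is outside this check, which is the limit tptacek points at.
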
------
shadowsun7
Scenario: Google runs Microsoft software, is attacked by hackers. Google has
to wait on Microsoft for knowledge/patches to security holes, even though
Windows has great security. Logical reaction: move away from Microsoft
products due to nature of platform.

That I get.

Google runs Linux, is able to patch things up whenever holes occur due to the
open source nature of the OS. A move to Linux makes sense to me. What I don't
get, however, is the bit where OSX is allowed.

My theory is that Google made the switch not because OSX and Linux have better
security per se (that is, as compared to Windows - because tptacek _is_ right,
Windows is rather good with security) but because having a userbase of so many
different flavours of Linux and a spattering of OSX is going to be hell for
future hackers. Does this make sense?

------
grandinj
Microsoft started from a point of having such terrible security that it was
practically impossible __not__ to improve.

The point is that, despite all of the work they have done (and they have done
a lot) they still have a very long way to go to make up for 20 years of
completely ignoring security engineering.

~~~
sid0
They're ahead of Apple, and Google isn't stopping you from using OS X,
therefore Google's view is inconsistent with reality.

------
motters
> The facts don’t support the assertion.

Unfortunately, the facts do support the assertion. I've been involved with
computers since the early days of Windows 3.1, and if I tally up the number of
times I've had to deal with Windows security flaws compared to security flaws
on Linux or Macs there's really no doubt at all that Windows is less secure by
design, and also more expensive and complex to maintain an adequate level of
security.

~~~
sid0
Windows 3.1 (or 9x or XP) is quite irrelevant to the discussion. Do you say
the same about modern Windows (Vista/7)? Many people will disagree with you if
you do.

~~~
seabee
Even NT is a better starting point, being a separate kernel to the 3.1/9x
days.

------
norswap
Windows is less secure than other OS. But windows is better secureD than other
OS. The only difference is that having 95+% market share, they are targeted by
an awful lot more attacks.
