
Microsoft, Once Infested with Security Flaws, Does an About-Face - hackuser
http://www.nytimes.com/2015/11/18/technology/microsoft-once-infested-with-security-flaws-does-an-about-face.html
======
tptacek
This is a weird story, since professional security people would have told you
the same thing back in 2007.

Windows wasn't originally designed to be secure. Even NT, which is a serious
multi-user kernel, was a product of 1990s C programming style. And while
that's true of the Unices of the time as well, none of them had Microsoft's
absurd user base, and so none of them had the same terrible malware
incentives.

This all came to a head around 2001-2003, when the Internet worm phenomenon
got so bad that Microsoft was routinely on the front page of CNN, and serious
talk of congressional action began.

From what I understand, there was a dramatic top-down response, led by Gates
and Ballmer, requiring software security training for developers, giving
product managers the power to slip release dates to ensure bugs were caught,
and funding what I believe is probably the largest 3rd-party software
pentesting program in the industry. Several well-known software security firms
(my old firm, Matasano, not really among them) were basically bootstrapped out
of Microsoft contracts.

Today, Google probably does a better job on software security than Microsoft
does, but it's hard to come up with another rival. Tellingly, Google's
security efforts were also a top-down reaction to a major security incident.

~~~
ChuckMcM
Not that weird. Illustrative perhaps. So you and I would have agreed in 2007
that Windows was much better at security than they had been, but we are both
pretty tightly connected to the technology market.

Today, 8 years later, my Mom and Dad think Windows is a "secure" system as
they haven't had any issues for long enough that their opinion of it has
changed.

The final leg of this journey will be when Windows + Windows Defender is all
you need to keep your system secure. Basically once there isn't a market for
add-on security products because the base product is "good enough."

I'm curious why you mention Google though, their security record on Android is
a lot worse than either Windows Phone or iOS. In many ways I feel like they
are _exactly_ Windows in 2003 with regard to "it's secure if you use our APIs"
kind of security. Would love to hear your thoughts on that.

~~~
pcwalton
> I'm curious why you mention Google though, their security record on Android
> is a lot worse than either Windows Phone or iOS. In many ways I feel like
> they are exactly Windows in 2003 with regard to "it's secure if you use our
> APIs" kind of security.

Chrome (OS)'s security model is a lot better, and compared to Android it was
designed more in-house. Android was an acquisition and has more legacy design
baggage (though of course the vast majority of the code has been written by
Google at this point).

~~~
Justsignedup
Android's security is actually fantastic. The problem is the inability for
google to distribute security updates. In 6.0 I now get monthly security
updates and there is even a "security update version" of like "november 2015"
in the status.

The latest junk even made it into Android 4.1 devices for security updates.
But that is neither here nor there, the fact that we have 4.1 devices is a
problem.

~~~
tptacek
Android's system security design is inferior to that of iOS.

But, iOS's superiority (a) derives in significant part from Apple's total
control over the hardware platform†, and (b) comes at the cost of a lot of
user control tradeoffs that nerds like us tend to hate.

Really, to suggest that Android's security is at parity with Apple's, you'd
have to be arguing that Apple does a _terrible job_ at exploiting their
inherent advantages of control over hardware and control over what's allowed
to run on the platform. Apple does not do a terrible job at those things.

† _Yes, Google controls some of their hardware, but they have an ongoing
support requirement for a lot of hardware they have no control over at all,
and will have that requirement forever, which limits their options._

~~~
lern_too_spel
On the other hand, I'm unaware of any automated analysis of applications on
the iTunes App Store, dynamic or static. Doing this properly isn't in Apple's
DNA. For example, when XcodeGhost apps infected some hundreds of millions of
users, it took Apple days to take down the affected apps, seemingly waiting
for third party reports instead of simply scanning the entire store for the
XcodeGhost signature themselves.

~~~
tptacek
That's true. My friend is doing a company to address that now:

[https://sourcedna.com/](https://sourcedna.com/)

------
Animats
Microsoft, after much R&D work, deployed two technologies in Windows 7 that
improved the security situation considerably. The first was the Static Driver
Verifier.[1] That's the formal proof-of-correctness system that checks the
source code for a driver for termination, bad pointers, incorrect API calls,
and anything that could result in a kernel crash. It's a symbolic path tracer
- it symbolically executes all paths through the code. All drivers must pass
that verifier. Before this was deployed, about half of Windows crashes were
due to drivers. Now, very few are.

The other technology was a classifier for panic dumps. When Windows crashes
and reports data to Microsoft, that data goes into a classifier system which
tries to cluster similar crashes together. So, when there's a crash bug, the
reports of similar crashes are all looked at by the same person at the same
time, which tends to get it fixed.

Linux lacks either technology, which is a problem.

[1] [https://msdn.microsoft.com/en-us/library/windows/hardware/ff552808%28v=vs.85%29.aspx](https://msdn.microsoft.com/en-us/library/windows/hardware/ff552808%28v=vs.85%29.aspx)

------
headmelted
"Still, episodes of online hacking have become even more startling, including
the theft of personal data from millions of Target customers and terabytes of
private emails from Sony Pictures Entertainment (and both companies use some
Microsoft products)."

So somewhere in Sony and Target's organisations there are one or more Windows
computers?

This is just lazy reporting NYT. Do better.

~~~
mcintyre1994
Agreed - I bet they use Google search every day and their execs have iPhones
too.

~~~
tim333
Of mild interest, in the Sony hack: "The hack, which was launched Nov. 24,
only affected computers with Microsoft Corp's (MSFT.O) Windows software, so
Sony employees using Apple Inc (AAPL.O) Macs, including many in the marketing
department, had not been affected." IMHO Microsoft still have a fairly ho hum
attitude. If you want to hack a company like Sony the easiest way is to target
employees still using old systems like XP and they could have mopped a lot of
that up by offering free upgrades to 10 when they offered them to users of 7
and 8 but nah.

~~~
jerf
By the time of the Sony hack, any machine still using XP is a machine that
would be using XP even if Microsoft did exactly what you suggest. There's been
no lack of opportunities to upgrade and the cost of a Windows license is
generally trivial next to the labor expense, training expense, and monetized
risk of "my critical software doesn't work" of the upgrade of these systems.

------
mikestew
Many comments here speak of engineering flaws, but to me it was a
cultural flaw. The most outstanding anecdote I have to illustrate this is when
I told my manager that "I can't <note that I say "can't", not "won't"> run
that internal test tool (the insect farm thing, for those that were in DevDiv
around 2003-ish) that runs 24/7 with complete network access because it
requires <but did not _need_ > admin privileges."

That nearly got me fired. You read that right: when I point out that a
sloppily written application that someone wanted the entire developer division
to run was insecure, my manager basically told me to run it or else. If the
dev can't even be bothered to not write to PROGRAM_FILES (which is the only
reason it needed admin privileges), what other holes does it have? Well, I'm
not about to find out on my dev box that's hooked to the corpnet. Running on
an internal-only alpha version of the early .NET runtime to boot; what could
possibly go wrong? (And as it turned out, nothing went wrong, but still...)

And this was _after_ Valentine's mail was sent. SQL Slammer had already
happened. What, you thought the whole company just jumped on the security
bandwagon? Yeah, I thought a new day had dawned, too. You can make 'em quit
blindly using _strcpy_ , but you won't change their minds with an email even
after Valentine asks the whole company to come in and take Slammer support
calls.

------
loginusername
"Microsoft was once the epitome of everything that is wrong with security in
technology."

Certainly they have improved over the last decade, but who hasn't? Not to
mention they have boatloads of cash to throw at the problem.

But the fact^W opinion remains Windows is still the easiest target of any OS.
A user can configure any OS to be less secure, and other OS can become as
popular a target as Windows but there's something about Windows that makes it
a far greater liability than all the rest.

It's closed source.

How are you ever going to assess the quality of this software in terms of
security? By reading the New York Times?

Boatloads of cash also buys PR.

~~~
raesene4
That's an interesting opinion... what makes you think it's the easiest OS to
target? Do you have any data to back up the claim that a modern Windows OS is
less secure than its major competitors (OSX and, in some circumstances,
Linux)?

My feeling would be that Microsoft have done a lot in the security line and
have also given a lot back to the security community (their SDL documentation
which is freely available for example) and that they are one of the better
examples of security in the software industry these days.

~~~
loginusername
The "security line" is not simply a question of "doing a lot" and "giving a
lot back", ex post facto, or setting an "example" in the "security industry".

It also has to do with design goals and priorities. Layer upon layer of cruft,
with an OS weighing in at multiple GB, is not a confidence builder in the
"security line". It also includes default configurations.

There are reasons that so many Windows instances have been and are now part of
botnets. There are reasons why the security updates have increased in quantity
and frequency over the years and appear to be neverending.

Some of those reasons have to do with design and priorities. Others with
default configurations that Redmond assumes no user will ever change.

No amount of PR can change reality (e.g., massive botnets of Windows users),
although it might change people's perception of reality.

Also, I never said "major competitors". I said "other OS". For example, the OS
I use is probably not a "major competitor". It is much smaller and open
source. That is what is important to me.

~~~
raesene9
Sure design goals, well I'd argue that Windows has had "improving security" as
a design goal for some time now, and that this has had measurable impacts on
the security of their products.

For example take SQL Server as a good example, compare the number of RCE
issues that it's had with say.... Oracle's Database server, another well
funded company with loads of "PR" money. You'll find that SQL Server has many
fewer security issues than the competition, and I would suggest this is
evidence of Microsoft's improved attention to security...

MS default configurations are really very good. I'd compare to your OS of
choice, but you don't choose to disclose it :)

So on the server-side I'd say that when I test modern default installs of
windows based products they tend to have a good security posture out of the
box.

Security updates, well everyone has a load of those, are you suggesting that MS
is worse than their competition? Counting OS vulnerabilities is notoriously
difficult, so it's hard to get an apples to apples comparison here.

Botnets, well there are botnets on Linux for sure, and OSX has had its share
of malware too, as has Android.

If you like a small open source OS then that's fine, but it doesn't
necessarily make another entirely different OS have bad security.

Now I know there's a reasonable chance you're thinking I'm an MS "fanboy" or
similar at this point, but I'm not. I use OSX/Linux and Windows (as well as
some iOS and Android) where they work best for me.

------
loginusername
Would anyone agree that complexity provides a foundation for insecurity while
simplicity makes audits easier? Large software with many parts has more
potential for flaws. Small software with few parts has less potential for
flaws because they are easier to find and fix. Implausible? Well, I happen to
believe this.

If Microsoft ever released the Windows source code, what would we find?
Simplicity?

How easy would it be to audit?

Bias disclosure: I like small software. Windows and most all other software
released by Microsoft is large, or packaged in such a way as to necessitate a
large download/install.

~~~
kabdib
> If Microsoft ever released the Windows source code, what would we find?
> Simplicity?

Depends on where you look. Much of the NT kernel is "simple", but it's not
easy stuff to get right. There's a bunch of legacy code in the Win32 layers,
especially dealing with user input, that is just frightening (comments like
"This stupid hack makes the utterly broken Compaq XYZ-3000 keyboard not crash
the system"). The COM stuff is just complex and arcane and top-heavy with
architecture astronautics. The build system is, or was, a soul-destroying,
radioactive and rotting cesspool of Perl; doing Windows builds sucked real
hard.

So it's a mix of really quite good code, and really quite awful code (that
they're dealing with, I think), and code that makes you want to quit, every
day.

(Soapbox: You should _never_ have code in your project that you are scared of
touching. Never. If you do, get rid of it and replace it. Don't layer over it,
don't give it to some intern to maintain, just face the problem and deal with
it, or it will be the most costly code in your product).

~~~
loginusername
If the code were ever released in a form that I could compile myself, and I
could omit the parts I did not want... then I might be interested in Windows.

Given that MS is a very successful company that got to where it is today based
on closed source and copyright, I am not expecting that to happen, ever.

I appreciate your candor.

------
wsxcde
At least part of the secret is formal verification. MSR throughout the last
decade made some big advances in software verification technology. These
resulted in more than just academic papers, they were used to find tons of
real bugs in MS and external (as part of the driver development kit) source
code. There was a point at which all of the biggest names in software
verification were either academics or at MSR or at both.

SLAM, Z3, DART were all tools that came out of MSR and have been incredibly
influential on the whole field of software verification.

------
Artemis2
I wouldn't say that they are "the best in class". I have recently (~3 months
ago) reported a pretty important security flaw in outlook.com (including its
Office 365 version). They have only found the issue a week ago or so (and it
isn't fixed yet!). I like Microsoft, but their awful responsiveness doesn't
make me want to use their products, or to work again for them.

------
renownedmedia
> company’s co-founder, Bill Gates, once ordered all of Microsoft engineers to
> stop writing new code for a month

Source?

~~~
mikestew
Valentine actually dictated it, but it did actually happen. Brian's mail was
something along the lines of, "I'm tired of reading about the latest security
vulnerability in the NYT, so...". And I think it was six weeks, not a month.

Source: me, who worked there (in VS, not Windows) at the time.

EDIT: oh, yeah, forgot about the Gates mail. References are buried in this
link:
[http://www.microsoft.com/security/sdl/story/#chapter-1](http://www.microsoft.com/security/sdl/story/#chapter-1)

I stand by the B. Valentine version, just can't find a link.

------
briffle
Not sure 10 years is an about face?

~~~
biot
It takes Saturn 15 years to do an "about face" so that it's on the opposite
side of the Sun. Perhaps Microsoft's code base, when printed out, is as
massive as a planet.

------
ZenoArrow
"Microsoft’s latest version of its operating system, Windows 10, has a feature
called Windows Hello that allows people to log in to a PC with a scan of their
finger, iris or face instead of using a password — weak versions of which are
a common cause of data breaches."

Is that more secure in practice?

[http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/](http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/)

------
mtgx
Too bad it's doing the opposite on the privacy front, trying to collect more
data than ever about Windows users, by default.

~~~
vox_mollis
This is the salient point. What good is platform security when the platform is
keylogging and shipping telemetry to a third party not in your control?

~~~
caskance
Which third party is this?

------
loginusername
"All software is large."

FALSE.

But this statement does not surprise me. It is this distorted view of programs
that is a large part of the "security" problem, in my opinion.

~~~
dang
Since this subthread turned into an off-topic flamewar, we detached it from
[https://news.ycombinator.com/item?id=10588972](https://news.ycombinator.com/item?id=10588972).

------
clamprecht
So Microsoft hired a PR firm.

