Fog Creek Software
Discussion Board

Security - unrealistic expectations

I see the moderators are quick at work today, dealing a death blow to a posting about MS blaming users for the virus problem.  Well, I still think it is a worthy topic, considering we all develop software, and most of us run a business. 

Don't shoot me for agreeing with MS, but...
- We have an operating system created to be so simple to use that _ANY_ user can download and install software.
- We have a population of people that believe an "I Love You" letter with an attachment, from the Stock Broker, should be opened
- We have a group of people who complain about security, but continue to purchase insecure products.
- We have countries where releasing a virus is not even illegal.

To some extent this would be like blaming Ford if people kept demanding they make the Pinto.  Sure, it blows up, but when it doesn't -- wow!

Microsoft is like any other company.  They do a cost/benefit analysis and people continue to buy their products, regardless of the problems.  If we want MS to make security #1, everyone should agree to not purchase a single Windows-based product, including PCs, laptops, and 3rd party software, for the month of July.  One month without a single product out the door.  One month of zero revenue, not only for MS, but for everyone whose business depends on MS.

Until then, MS's  responsibility is to their shareholders.  Until they start losing customers, security is #5 (or maybe #538) on the list of things Bill Gates has to worry about today.  We may not like it, but that does not matter either -- yet.

MSHack
Tuesday, May 04, 2004


"Until they start losing customers, security is #5 (or maybe #538) on the list of things Bill Gates has to worry about today. "

#539 on his list is the fear that such stupid grass-roots efforts will actually do anything.

Whatever
Tuesday, May 04, 2004

My point exactly

MSHack
Tuesday, May 04, 2004

Ford were in the (unfortunate?) position of working in an environment where product liability operated effectively. They were liable for punitive damages because they _knew_ of the Pinto design flaw and deliberately failed to address it because it didn't seem to be cost effective to do so. This was beyond mere negligence in the car's design; it was gross deceit.

I suggest that Microsoft are in the same position. They know of the _potential_ for flaws in their software, they know how to find them, and it is common knowledge how to protect against them (e.g. avoiding buffer overruns by using safe system calls for i/o, preventing stack exploits by using techniques like the W^X page management seen in OpenBSD, ensuring that applications cannot automatically be run from e-mails, etc., etc.). To me their lack of action looks as bad as Ford's; they are _choosing_ not to address the issue seriously because it is not cost effective.

Someday someone will, regrettably, die because a software vendor took this approach, and then all bets will be off.

Gaius
Tuesday, May 04, 2004

None of what you suggest would prevent those exploits (what's a "safe system call"?!).

Microsoft does NOT know about all of the exploits, but when they find one, they come out with a patch. And they ARE doing something about it by completely rewriting the OS from the ground up, with security the #1 focus (i.e. Longhorn).

Gill Bates
Tuesday, May 04, 2004

"And they ARE doing something about it by completely rewriting the OS from the ground up, with security the #1 focus (i.e. Longhorn)."

Are you DELUDED? Longhorn isn't a rewrite -- it's taking the system and kernel of XP (which is the system and kernel of 2000, but with a new jazzy explorer.exe) and putting a new, even jazzier explorer.exe on top. We don't need Microsoft to rewrite from the ground up (which is a notoriously bad way of achieving security), we need them to actually refine the existing code base towards perfection.

Dennis Forbes
Tuesday, May 04, 2004

I shouldn't have said 'safe system calls'. I should have been more pedantic and said safe run-time library services, like using strncpy() and not strcpy(). I understand there is a massive difference between finding the potential faults and fixing them, but surely it's not beyond the wit of a company with billions in the bank to somehow make strcpy() etc. aware of the memory allocation map created by malloc() et al. and not let someone copy off the end of a run-time-allocated buffer. I know this wouldn't catch overruns of compiler-allocated buffers, but it's a start.

It may be that Microsoft _is_ doing this type of thing, but (i) if so Joe Public (like myself) isn't aware of it and (ii) the public impression is that it isn't working - else why are there more and more patches? Even worse, if they _are_ doing this sort of work and _are not_ achieving results, then the public impression is that they're not capable of fixing their own product!

Public impression is all, and public impression is moulded by the fact that in every other consumer product quality has massively improved over the past 10 to 15 years. Buy a new washing machine or a new fridge and you get a 5 year warranty. Why can manufacturers afford this? Because they know that the MTBF is _much_ longer.

I know that an OS is far more complex than a domestic appliance, but the fact is that people today buying what are still relatively expensive consumer products expect to do _no_ maintenance. Bring it home, plug it in, and it should do what it's been bought for until it physically wears out or its feature set becomes obsolete. Home PCs are sold on the premise of providing e-mail, messaging and web surfing. I don't remember seeing the caveat 'but only so long as you spend 10 hours a week downloading patches' in the Dell ads, do you?

Maybe the correct course of action is a product liability claim against a major manufacturer? Hmm.. I better check the Unfair Contract Terms Act and the Consumer Contract Terms Regulations again....

Gaius
Wednesday, May 05, 2004
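The two posts above float two ideas: swap strcpy() for a bounded copy, and make the copy routine aware of the allocation map malloc() keeps. The block below is an added example written for this page, not code from the thread, from Microsoft or from any C library. It models the "allocation map" as a small table (alloc_map, tracked_malloc, tracked_free, tracked_capacity and tracked_strcpy are names assumed here), refuses any copy that would run off the end of a recorded buffer, and refuses untracked destinations, which is exactly the compiler-allocated-buffer gap the second post concedes. It also shows the caveat the strncpy() suggestion glosses over: when the source is as long as the buffer, strncpy() writes no terminator at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: a minimal "allocation map" that records the
 * capacity of every buffer handed out by tracked_malloc(). A real allocator
 * would keep this in its own metadata; a flat table keeps the idea visible. */
enum { MAP_SLOTS = 64 };
static struct { void *p; size_t cap; } alloc_map[MAP_SLOTS];

/* Allocate cap bytes and record (pointer, capacity) in the map. */
void *tracked_malloc(size_t cap)
{
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (alloc_map[i].p == NULL) {
            void *p = malloc(cap);
            if (p) {
                alloc_map[i].p = p;
                alloc_map[i].cap = cap;
            }
            return p;
        }
    }
    return NULL; /* map full: refuse rather than hand out an untracked buffer */
}

/* Forget the buffer's capacity before releasing it. */
void tracked_free(void *p)
{
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (alloc_map[i].p == p) {
            alloc_map[i].p = NULL;
            alloc_map[i].cap = 0;
        }
    }
    free(p);
}

/* Recorded capacity of p, or 0 if p is not a live tracked allocation. */
size_t tracked_capacity(const void *p)
{
    for (int i = 0; i < MAP_SLOTS; i++)
        if (alloc_map[i].p == p)
            return alloc_map[i].cap;
    return 0;
}

/* strcpy() replacement that consults the map. Copies only when the string and
 * its terminator fit; otherwise returns -1 and leaves dst untouched. An
 * untracked destination (stack array, static buffer) is also refused: the
 * map knows nothing about compiler-allocated buffers. */
int tracked_strcpy(char *dst, const char *src)
{
    size_t cap = tracked_capacity(dst);
    size_t need = strlen(src) + 1;
    if (cap == 0 || need > cap)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* strncpy() is not a drop-in fix: when src has n or more bytes it writes no
 * terminator. Returns 1 if a 16-byte buffer is still terminated afterwards. */
int strncpy_leaves_terminator(const char *src)
{
    char buf[16];
    memset(buf, 'A', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Exercises the pieces above; returns 1 if every check passes. */
int run_checks(void)
{
    int ok = 1;
    char *heap = tracked_malloc(8);          /* room for 7 chars + NUL */
    char stack_buf[8] = "";
    if (!heap)
        return 0;
    ok &= tracked_strcpy(heap, "hello") == 0 && strcmp(heap, "hello") == 0;
    ok &= tracked_strcpy(heap, "far too long") == -1;   /* refused ... */
    ok &= strcmp(heap, "hello") == 0;                    /* ... and untouched */
    ok &= tracked_strcpy(stack_buf, "x") == -1;          /* not in the map */
    tracked_free(heap);
    ok &= tracked_capacity(heap) == 0;                   /* freed: forgotten */
    return ok;
}

int main(void)
{
    printf("checks %s\n", run_checks() ? "passed" : "FAILED");
    printf("strncpy terminated: 'short' -> %d, 16-char input -> %d\n",
           strncpy_leaves_terminator("short"),
           strncpy_leaves_terminator("0123456789abcdef"));
    return 0;
}
```

The design point is that the copy fails closed: a destination the map does not know about, or one too small for the whole string, produces an error the caller has to handle, rather than a silent truncation or a write past the end. A library doing this for real would hook its own allocator metadata rather than a linear table, and would still need the compiler's help (or a different language) for the stack and static buffers the map cannot see.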

"....but the fact is that people today buying, what are still relatively expensive, consumer products expect to do _no_ maintenance. Bring it home, plug it in and it should do what its been bought for until it physically wears out or its feature set becomes obsolete."

Here's the flaw in that thinking.  Your appliances aren't networked.  There's no possibility of intrusion or 'hacking', with the exception of a short circuit/voltage spike.  Unplug your PC from the net, remove the floppy drive, cd-rom and any other input device other than the mouse and keyboard.  There.  You have your appliance.  No maintenance and all.  I've yet to have to reinstall Win2K or XP/2003 unless I did something gravely stupid.  Most users are sheltered from that kind of stuff (hidden system folders, no shortcuts to regedit, etc.)
Now, when your Fridge gets wired to the net, be prepared for patching your fridge...

GiorgioG
Wednesday, May 05, 2004
To continue the Pinto analogy, did Ford have to deal with a group of adolescents continually searching for and rear-ending any Pintos still on the road, just to see if they'd blow up? 

If that happened AFTER Ford had publicly acknowledged the problems and offered a free repair, would you still hold Ford responsible, or would you go after the wieners who maliciously sought to exploit this known problem?

Craig
Wednesday, May 05, 2004

The other flaw in the thinking is the statement that Operating Systems have not evolved over the past few years. 

Windows, specifically, has improved vastly in terms of stability.  That was the prime focus a few years back.  Everyone would gripe that windows was horribly unstable and crashed all the time (remember BSOD?).  Everyone would state that Linux was terribly stable, never crashing and rarely requiring a reboot.  With modern windows, you don't so much hear about stability problems anymore.  In fact, I can't remember the last time that the OS crashed.  I've had applications crash, but not any more frequently than Open Office and other applications crash on my linux box (I presently develop solely in Linux).

So with the stability gripe behind most users, the new topic on the plate is security.  And it is a _very_ worthwhile topic to worry about in the networked world we work in.  So everyone complains that Windows is terribly insecure and prone to viruses and all sorts of back doors. 

Unfortunately though, being able to fix 14 years worth of work[1] (and thus probably 12 years of security holes) is going to take a lot of time.  As stated a million times, Microsoft is and always has been in the features game, and thus even if security is number 1 (which it may not be), 'features' is going to be right behind it at number 2.  Thus 100% of their time is not being devoted to fixing the past 14 years worth of work.  Even if all new development is done practicing secure coding, it's not going to solve the problem.

Personally, I would love it if they dropped everything, and spent the next year or two performing a complete security review and scrub of the entire existing code base (or at least in the vulnerable sections of the OS).  Typical users don't buy software for stability or security or speed; they expect these things, but they don't buy things because of these characteristics.  It thus does not make good business sense to release a secure version of the OS with an identical feature set.  Especially when (in the business world) there are other products produced and sold by MS that deal with patch management.  Maybe the trend to only pay for additional features will change or is now changing. 

I don't condone or necessarily enjoy the current state of affairs, but I understand why they are the way they are, and why the present course has been set. 

If you aren't willing to understand these things, or don't want to deal with them, there are other OSs out there, and other jobs out there, waiting for you to adopt them.

Then again, maybe the griping is good.  If enough people yell loud enough, the corporate giant may eventually start to listen to the din coming from below it, and may change for the betterment of the company, its products, and its customers.

Until then, happy patching.

-Elephant

[1]
---------------
Windows NT was released in 1993.  This was one of the most delayed operating systems in the history of the company.  I can't find the year that development started, so I'll pick 1990 (a rough and conservative estimate).  Windows XP was released in 2002, however, I'm not going to discount the work done for existing service packs and patches, so the end date for the current OS is 2004.  That's 14 years of development to create Windows XP.
---------------

Elephant
Wednesday, May 05, 2004

"To continue the Pinto analogy, did Ford have to deal with a group of adolescents continually searching for and rear-ending any Pintos still on the road, just to see if they'd blow up? "

Analogies suck. Seriously, they seldom add anything to the conversation except diversions.

However, to explore this misguided analogy, imagine that the problem wasn't that Pintos explode when someone hits them the wrong way (which is like the classic WinNuke kind of thing), but that someone could anonymously, automatically, and in mass numbers, take over your Pinto, say because of a gaping hole in the "automatic garage parking system" that was installed and forced on in every car regardless of need, and then used it to cause chaos on the roads with millions of Pintos trying to smash everyone else off the road. If you don't think the Ford corporation would be hung out to dry, REGARDLESS of offering a fix two weeks earlier, you're in denial. Initially there would be a blame-the-user syndrome (even if they were on vacation in Mexico for the period, or maybe were sold on the ease of use and bought it and forgot it), followed by a quick realization that this was gross negligence on the part of the manufacturer. They would be sued to oblivion.

Dennis Forbes
Wednesday, May 05, 2004

Most Windows security issues are due to seriously bad design decisions (or lack of any design at all).  It is possible to have real security and great usability.  Apple has just about done it.

Anonymous
Wednesday, May 05, 2004

If I bought an internet-enabled fridge, I would expect it to operate flawlessly and require no regular maintenance, realizing of course that the feature set of it will slowly become obsolete, but that's fine. It is only in the software world where we are such apologists and accepting of certain practices.

I actually don't blame Microsoft. I blame consumers, big business, and government for time and time again ignoring the lessons of the past.

Dennis Forbes
Wednesday, May 05, 2004