GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
FWD: Microsoft, Terrorism, and Computer Security (o-:) huh
From:
Mr Makaveli <[log in to unmask]>
Reply To:
The Gambia and related-issues mailing list <[log in to unmask]>
Date:
Sat, 15 Dec 2001 00:31:08 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (131 lines) 
Microsoft, terrorism, and computer security
By Oxblood Ruffin
Posted: 14/12/2001 at 17:22 GMT


Since 11 September the world has changed immeasurably, but some things
remain the same. The single greatest threat to Internet security is still
Microsoft -­ not the soon to be Osama Haz Bin.

Microsoft is not, of course, a terrorist organization. But its ubiquity on
the desktop coupled with its poor track record in network security is a
tested formula for international disaster.

Security, from the structural perspective, is negative -- it's about
denying actions or access or direct contact. Like a prophylactic, it
prevents certain bad things from happening while preserving most of the
benefits of interaction.

At the heart of the security debate are two competing
approaches: 'security through obscurity,' in which it's hoped that
concealing an exploitable defect will prevent exploitation, and 'full
disclosure,' which works on the premise that forewarned is forearmed, and
which most professionals now prefer.

First, let's look at Microsoft's preferred way of dealing with
vulnerabilities: security through obscurity.

That was the norm during the early days of networks and computers. As
researchers discovered problems they would alert the vendors without
fanfare, and in the best of all possible worlds, the vendor would fix them
before anyone got hurt. Microsoft became a big fan of this model because
it was quiet and discreet and didnąt contradict its marketing propaganda.
However, there was little incentive for them to actually fix anything so
long as it could all be kept quiet. No public pressure, no repercussions.
Consequently, many serious vulnerabilities lingered for years.

Increasingly frustrated by Microsoft's complacency, researchers began
opting for the public-humiliation approach. As they discovered flaws, they
began to make them known. Microsoft's PR department went into full gear,
denying that problems existed, or suggested that they were merely
hypothetical, but often there was more stalling.

Finally researchers began what is known as full disclosure by publishing
exploit code to prove that the vulnerabilities they caught were in fact
real. Unable to continue sweeping its mistakes under the carpet, Microsoft
initiated PR campaigns against "hackers", which it subtly equated
with "criminals".

Today, Microsoft prefers to brand full-disclosure proponents "information
anarchists," and has even equated them with terrorists in an attempt to
manipulate public anxiety after the 11 September attack.

Microsoft continues to argue that by publishing exploit code the bad guys
are given free attack tools. But this assumes that the bad guys didnąt
already know the exploit. Perhaps they did, perhaps they didn't. But when
everyone knows, the playing field is leveled, secure computing best
practices are elevated, and patches must be issued quickly.

Quite simply, full disclosure forces vendors to fix their products. It's a
pity that they need this sort of prodding; but the historical record
illustrates that they do.

Sadly, many average users have suffered. Over the past several years
Microsoft's security model has cost governments, the enterprise community,
and home users anywhere from five to twenty-five billion dollars depending
on whose tally one accepts. The ILOVEYOU virus, Melissa, Code Red, and a
host of others have been the agents of this burden. As a result, millions
of users have either lost entire hard drives or valued files, or worse,
stood by helplessly as account passwords, private information, and
personal images have been stolen from their computers and passed around by
the Net's bottom feeders for pleasure or profit. If there were such a
thing as data rape, this would be it.

Corporations have spent incalculable sums purging their systems of bugs
they should never have been susceptible to in the first place, while staff
productivity plummets in a connected office whenever the machinery is off
line. And downtime is serious money for any company, large or small, that
earns its living only while connected to the Net.

So why don't product liability laws apply to the software industry? How is
it that one set of rules applies to the auto industry, for instance, but
not to the information superhighway's largest purveyor of digital 'lemons'?

Bear in mind that most, if not all, of this virtual mayhem was not the
work of elite computer criminals. It was committed by bored teenagers who
cobbled together attack scripts that continue to be traded around the
Internet like baseball cards. And regardless of the misery they have
caused and continue to cause, and despite the profane amounts of money
they've cost their victims, Microsoft's spin has always been the same -- a
sort of smile and dissimulate medley that exonerates Microsoft, blames
'hackers,' and promises a brighter tomorrow.

But not everyone is disoriented by this smokescreen. In fact, the majority
of security professionals are astounded that Microsoft has chosen to
sacrifice security concerns to its marketing goals. Taken to a comic
extreme, a real-world illustration of the software leviathan's modus
operandi would play out thus: the next time a crazed junkie dives through
your window looking for money or worse, skip the police and call a help
desk staffed with minimum-wage dunderheads. Find that the frustration of
this futile exercise overshadows entirely the emotional impact of your
original complaint.

If 11 September taught us anything, it's that everything is vulnerable,
and often in the most blunt and simplistic ways. The massive Internet
disruptions launched via Microsoft bugs over the past few years have been
executed primarily by pimply amateurs. Does anyone actually believe there
are no computer scientists who wouldn't love to find a place in heaven by
exploiting the Great Satan's favorite software company? Microsoft's
security through obscurity will only give these guys an exclusive
advantage, because they'll find and use the holes that no one is expecting
to be found.

The virgins are calling.... ®

Oxblood Ruffin is Foreign Minister for the Cult of the Dead Cow (cDc), a
well-known group of computer enthusiasts.



Gambians Online " Designed With The Gambian People In Mind"
               http://www.gambiansonline.com

<<//\\>>//\\<<//\\>>//\\<<//\\>>//\\<<//\\>>//\\<<//\\>>

To view archives of postings, go to the Gambia-L Web interface
at: http://maelstrom.stjohns.edu/archives/gambia-l.html
To contact the List Management, please send an e-mail to:
[log in to unmask]

<<//\\>>//\\<<//\\>>//\\<<//\\>>//\\<<//\\>>//\\<<//\\>>

ATOM RSS1 RSS2