Join 3,501 readers in helping fund MetaFilter (Hide)


May 21, 2002
2:01 AM   Subscribe

A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed. (emphasis added.) Is this a calculated admission, or is Microsoft so completely on the ropes that they'll say anything to keep from being completely dismembered? Doesn't the fact that releasing such a shoddy product that it's a national security risk mean that Microsoft should be taken to bits in the interest of public safety? If Firestone can't sell unsafe tires, why should Microsoft be able to sell unsafe software?
posted by RylandDotNet (22 comments total)

 
Caveat Emptor. It's not as though nobody's aware of the risks. If you don't like it, use something else. And as for it's being unsafe... well, my computer isn't going to roll over and burst into flames and burn my family to death because of shoddy code.
posted by hob at 2:27 AM on May 21, 2002


They are claiming, I think, that revealing the code would reveal security flaws that aren't really flaws -- nobody will find and exploit them -- if you don't make them show the code to the world. Therefore, they argue, they need to keep the code secret. So the analogy with dangerous tires isn't quite right -- unless, say, there were some flaw in the tires that a saboteur could take advantage of only if the company revealed the formula for the rubber in the tires.

You can't blame Microsoft's legal team for trying. Everybody in the US is so sensitive about security these days, waving the flag and yelling about national security would seem the only lawyerly thing to do.
posted by pracowity at 2:33 AM on May 21, 2002


"Revealing the code would reveal security flaws that aren't really flaws -- nobody will find and exploit them -- if you don't make them show the code to the world."

That's not a bug that's allowing someone to hack your system... it's a feature! And everyone knows how hard a time hackers have finding and exploiting new "features" in Microsoft's code.
posted by insomnia_lj at 3:24 AM on May 21, 2002


> And everyone knows how hard a time hackers have
> finding and exploiting new "features" in Microsoft's code.

In everyone's code. Or do you know someone besides Nasa releasing nearly perfect code? You don't hear much about people hacking Linux or Mac systems because so many hackers worship Linux (as their own), hate Microsoft (as the big corporate meanie), and don't care about Apple (as insignificant underdog), but when Linux gets big and corporate enough, hackers will move to some other allegiance and start having great fun fucking with Linux users.

But I don't really care who hacks who or why. I'm just here to laugh at their appeal to national security. Other corporations will surely follow suit.
posted by pracowity at 4:12 AM on May 21, 2002


Well the Firestone < -> Microsoft analogy works when you think that maybe the accounting of your bank account is being done on some , uhm, well-known buggy code in Windows. Now it's not as unsafe as driving a car with tires that may explode, but I'm confident you want reliable accounting too..if you aren't in Enron :)
posted by elpapacito at 4:29 AM on May 21, 2002


pracowity, bugs in linux are being found (and exploited) all the time - but they are usually fixed in a matter of hours/days (as opposed to months/never in microsoft's case) and aren't usually of a viral nature...
posted by sawks at 4:38 AM on May 21, 2002


What is the difference between:

Is this a calculated admission,

And this:

or is Microsoft so completely on the ropes that they'll say anything to keep from being completely dismembered?
?
posted by ParisParamus at 4:47 AM on May 21, 2002


in retrospect, i should of linked this around the 'months/never' text in my above post...
posted by sawks at 4:49 AM on May 21, 2002


Pracowity has my thoughts on this one. Completely secure code is theorectical. Even if a program is secure in itself, viruses can be created to make it insecure. Microsoft does a decent job, and like hob said "my computer isn't going to roll over and burst into flames and burn my family to death because of shoddy code." Security is relative.
posted by banished at 5:28 AM on May 21, 2002


"In everyone's code. Or do you know someone besides Nasa releasing nearly perfect code?"

This brings an analogy that may be most accurate for comparison. Sendmail and Exchange.

SendMail hasn't had a CERT advisory in years, is very complex with the code available. Exchange, OTOH, cannot make a similar claim. Which one gets the most beating from hackers? Sendmail. Most corporations are afraid to put Exchange outside the network firewall. So, what's that argument about "security through obscurity" again?
posted by nofundy at 5:34 AM on May 21, 2002


Caveat Emptor.
this attitude is precisely the problem. i say, CORPORATE LIARS AND THIEVES BEWARE.
posted by quonsar at 5:42 AM on May 21, 2002


Pracowity and banished:

Your points do not seem to be true in practice. OpenBSD's source is totally open to the public and this OS has not had a 'remote exploit' in 4 years -- most of its history. Open Source software seeks to make systems secure by design and this indeed seems to be possible. There have been many contests with more than enough $$ and press to attract the best hackers/crackers there are to hack these systems and none have been able to.

Read up on systems security on the web to find out just how bad MS is and just how good so many others are. It has *nothing* to do with people loving/hating MS and everything to do with MS's coding practices and their obsession with integrating all their products with the OS, which is a bad idea, at least the way they are doing it.
posted by n9 at 5:46 AM on May 21, 2002


If Firestone can't sell unsafe tires, why should Microsoft be able to sell unsafe software?

Changing this immunity would also be the death of all open source software. It would likely be result in a world with no affordable operating systems and extremely expensive software since developers would charge more money in anticipation of the inevitable lawsuits. So be careful what you wish for.

As for the delay in Microsoft patches part of it is sheer negligence but you should also keep in mind that when Microsoft does patch something they try and test it before releasing it unlike linux which does most of its testing in the field.

Finally, releasing code and being broken up are two different things.
posted by srboisvert at 5:48 AM on May 21, 2002


"Microsoft has invested substantial time and resources in providing great interoperability between .Net and older technologies," Allchin said. "Sun's strategy of promoting '100 percent pure' Java applications discourages interoperability."

Bastards, bastards, bastards, bald-face lying bastards. Microsoft's strategy of making proprietary changes to open standards is what discourages interoperability.

The only reason they're claiming it would be a national security risk to release their code is that the settlement allows them to do so:

the federal settlement proposal... permits Microsoft to withhold API and protocol disclosures if such disclosures would compromise security

So naturally that's what they're going to do. If the loophole were that they could withhold APIs only by act of god, they'd be cranking up the megaphone and wind machines behind the courthouse right now.
posted by ook at 6:13 AM on May 21, 2002


The issue I have the most problem with, is that Microsoft could easily fix the problem's in thier OS simply by using the Infinite-Monkey Theorem . Hell, they have over $40 billion US cash on hand, so what are they doing with that much cash? Is Bill planning on buying a small tropical island and moving thier headquarters there? [he he he] So they could make a super-stable platform, but of course that would be againts thier product plan of release half-done products [win95/98/ME] and then release updates/patches or force upgrades to newer version is voided. To carry the tire anlogy [probably too far] this is like Firestone coming up with a new tire with a very specific way that it attaches to the frame [say 8 lugnuts] thus rendering your Ford Tempo useless after a flat and forcing you to upgrade to a new car.

Nice, huh?
posted by plemeljr at 7:35 AM on May 21, 2002


Thanks, n9. If I hear the tired argument that MS code isn't bad, it's just the biggest target again, I'll scream.

As n9 said, if you do some research into the issue, you'll see where MS has made their problems worse through really horrible code. I'm on OSX right now (not logged in as root) -- send me an attachment that will destroy my computer and send attachments to my whole address book. I dare you.

Even an experienced troublemaker wouldn't know where to start.
posted by jragon at 7:36 AM on May 21, 2002


You don't hear much about people hacking Linux or Mac systems because so many hackers worship Linux (as their own), hate Microsoft (as the big corporate meanie), and don't care about Apple (as insignificant underdog), but when Linux gets big and corporate enough, hackers will move to some other allegiance and start having great fun fucking with Linux users.

actually, most script kiddies couldn't give a fuck what computer you use as long as they are allowed to abuse.
posted by moz at 8:16 AM on May 21, 2002


This was discussed over at slashdot yesterday and one of the more interesting points was that: A basic rule of cryptography is to use published, public, algorithms and protocols. "Any system that tries to keep its algorithms secret for security reasons is quickly dismissed by the community, and referred to as "snake oil" or even worse. " The article was not exactly about this issue, but the discussion of peer review vs. security through obscurity seems to be useful in this case.
posted by eckeric at 9:13 AM on May 21, 2002


my computer isn't going to roll over and burst into flames and burn my family to death because of shoddy code.

That's the obvious, but wrong, response. In fact, Windows is used to operate many systems throughout the world that can have demonstrable and even disastrous results in cases of software failure.
posted by rushmc at 9:20 AM on May 21, 2002


Microsoft does a decent job, and like hob said "my computer isn't going to roll over and burst into flames and burn my family to death because of shoddy code." Security is relative.

Actually the article plainly states that MS is doing a substandard job. No one is asking for theoretical perfect security as much as we're asking for decent security or at least having security a priority when designing software.

I think the firestone analogy works. In the end this is a product and the manfucturer must meet certain standards. MS admits they are not even meeting a security standard where they can begin to secure their existing software with patches. That's pretty low.

Hob wrote "Caveat Emptor." I agree to a point. The government should not be buying crap for their secure systems. Although I'm certain that sensitive information probably doesn't reside on some IIS server, but MS does control the desktop end of things. Realistically, this is a failure for the government, akin to buying cheap tires that burst in normal conditions.

Considering the government represents the people perhaps we should be questioning why they're buying insecure products. Imagine how many people would be fired if the military bought a brand new line of tanks with easy to find armor vulernabilities. If MS is correct about their crappy code, assuming this isn't just an excuse, then they should be in deeper water than just an anti-trust suit.
posted by skallas at 3:23 PM on May 21, 2002


I think there is an analogy to be made between Microsoft and open source in terms of security. For example while sendmail has not had a security alert since 1997, a part of my job as the person answering postmaster messages at my organization involved forwarding messages to the security team about yet another department that installed an off-the-shelf Red Hat Linux system with all of the old sendmail misconfigurations included. This of course was quickly discovered by just about every spammer in existence turning my university into one of the premier spam mail relays in the U.S.. In fact, the fact that Red Hat and Mandrake continued to ship new versions that were inherently insecure rather spoiled my view of the security of the Linux community.

As n9 said, if you do some research into the issue, you'll see where MS has made their problems worse through really horrible code. I'm on OSX right now (not logged in as root) -- send me an attachment that will destroy my computer and send attachments to my whole address book. I dare you.

On the other hand, this is comparing a bug in a specific application to the operating system. (A relatively well-known bug that requires quite a bit of user stupidity to exploit) there certainly are a fair number of bad programs in the UNIX world including rsh and ftpd that are notorious for allowing an outside user to trash your machine. sshd even has its own problems.

Certainly, Microsoft does have some serious problems in terms of security. However this attitude that simply switching operating systems will fix the problem actually makes the problem quite a bit worse. I trust my paranoid implementation of Windows quite a bit more than I trust any off-the-shelf UNIX distribution.
posted by KirkJobSluder at 7:57 AM on May 22, 2002


I am just waiting for the Microsoft infomercials, akin to the War on Terrorism's appeal for youngsters not to use drugs:

"If you use an open source or competing operating system, you are funnelling money into terrorist organizations that threaten the safety, liberty, and downright hegemony of Western corporate values."
posted by adampsyche at 8:09 AM on May 22, 2002


« Older Good news!...  |  Killer to be executed... Newer »


This thread has been archived and is closed to new comments