NetSec Letter #29, 28 September 2003
The Microsoft Factor

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

A few weeks ago I got e-mail from someone from domain ccianet.org. The subject of the mail was “Dan Geer sent me.” He was looking for an independent security expert to attend a meeting at there offices with folks from the Department of Homeland Security in reference to a report by seven security experts entitled “CyberINsecurity: The Cost of Monopoly.” He wanted to discuss, with the DHS, why it was better for computer and network security and survivability to diversify rather than having all critical systems in a critical agency running the same software from the same vendor. They issued a press release entitled, “Microsoft Monopoly Represents National Security Risk, Say Internet Security Experts.”

That was not my moment in the spotlight. Dan had recommended a couple of us, and I was not required at the meeting. Tropical storm Isabel showed up the morning of the meeting, so I don’t know if it ever happened. Fast-forward a week. Reuters reports “AtStake CTO loses job after Microsoft report.” (http://www.forbes.com/technology/newswire/2003/09/25/rtr1092228.html) Dan Geer was their CTO. I’ll not restate their report; I encourage you to download ( http://www.ccianet.org/papers/cyberinsecurity.pdf) and read it yourself. I am just going to state some truths that are self-evident to anyone who knows even a little about computer and network security. But first, let me make some things clear about Microsoft products:

Microsoft

So, here we have the tension. Users want more and more, and fancier and fancier. Multiply that by a million users, and they end up with a word processor (just to use one example) with many, many features, of which any individual user uses only a small percentage. But there it is, using up memory, disk space, and CPU cycles. In a word (no pun intended), it is complex.

Emphasizing usability leads to a decision such as this one: a software engineer tinkering with an e-mail program thinks about how to make it even more readable. “People want to mail fancy looking e-mail. They can do that with HTML. This e-mail software should create HTML e-mail. And since no user will ever want to actually read the mark-up language, it will display HTML also.” It is only a small step to, “What the heck. Might as well do that with Visual Basic scripts also. No one wants to read it, so let’s make the e-mail run (execute) the script.” And a whole bunch of attacks later, users now have the option of turning off this dangerous usability feature.

Microsoft has designed its software to interoperate and others follow suite. So the program that shows me files and folders is the same software with which I browse the web. And a misconfiguration in a web browser causes my anti-virus update software to fail because it is using that same browser code. Tying together of functions into complex subsystems also leads to strange things like buffer overflows leading to arbitrary code execution in Windows MediaPlayer. What is something that plays music and video files doing launching programs? Oh, right: it also downloads, and updates, and manages your media, and sends reports on how you use it, and … is really complex.

True Truths

“Security and complexity are inversely proportional.” Sometimes stated in other words, this is a well-known security axiom, as is, “usability and security are inversely proportional.” ( http://www.avolio.com/papers/axioms.html.)

There is another principle of good security that comes into play here: security mechanisms should be diverse and synergistic. In other words, they should be different and “cover for” each other. There should be no single point of failure. And security systems should “fail safe.” This makes sense, even to the non-expert in security. So, in a hotel, all the keys are different, and if the system fails, it fails such that 1) you can still get out of your room even if you might not be able to get back in. It must not fail such that all the doors are unlocked. We build networks with layered firewalls of different types from different vendors. We do this so that if there is a vulnerability in one, the other still stands in defense of the network.

Is it insecure to have an all-Microsoft shop? It could be. It could be dangerous to have an all-Sun or all-IBM network. In the movie, “Independence Day,” a single computer virus quickly brought down the invading forces. Is it possible? Of course. How probable is it? I don’t know. Geer et al. make a compelling case. And I’ll make a confession here: I’ve gone from using other browsers (Netscape, Opera, or Mozilla) rather than IE for the simple reason that on my Windows machines I cannot get the other browsers to open a new browser rather than reuse the old one. See, I often like to leave a web site or document displayed as I do other things and hate to “lose” it by clicking on a URL in some e-mail and having that action redirect my open browser window. But, I think I will go back and try harder… Maybe getting Opera to work with RealAudio is worth the struggle.

Promotions, Self and Otherwise

VARBusiness Magazine reprinted NetSec Letter #29.
( http://www.varbusiness.com/sections/news/breakingnews.asp?articleid=43845)

David Strom comments on “Yet Another Worm called Bl*ster” in his August 19 Web Informant. Find it at http://strom.com/awards/339.html

My September, “Just the Basics” column in Information Security Magazine is called, “Debunking the Firewall Hype.” It is at ugly and long URL http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss81_art179,00.html.

The recent Swen worm was burying me. I guess my e-mail addresses are out there. I briefly write about it in my weblog at: http://www.avolio.com/~fred/weblog/2003/09/27#swen.