Microsoft is undergoing a major cultural shift in the way it deals with security, but it has come much later than it should have, is the consensus at the TechEd conference in Brisbane. In the meantime, web servers and corporate PCs are at risk from vulnerabilities in the popular Apache server software and in a component of Microsoft’s Windows 2000.
I remember after the plug and play hole in XP, MS released a patch to fix the hole but decided not to disable the service. I really don’t understand why MS would decide to have it default-on in the first place. If someone needs it, they can turn it on. Currently MS does not agree with me on this point.
microsoft seems to already be taking the lead in becoming the big brother of the computer world — witness their data sharing agreements with the us government and the development of palladium.
as for macro virii, iis problems, etc., these all will be worked out via microsoft’s trusted platform initiatives. microsoft does not fix bugs, they ship new software that you need to purchase.
microsoft’s culture is still profits #1, everything else is not important. focusing on security is timely as that is a source of giant upgrade dollars as everyone will need to buy the new ‘secure’ versions of windows, especially if there is a government mandate to upgrade all infrastructure to some new level of ‘security’.
microsoft is settling into their monopoly. they realize if they keep doing what the government wants, they will be allowed to keep their monopoly.
so be prepared for Windows NS – national security edition.
?
Looks to me like MS is back into the Vaporware business
well ms will never ever be leading in security due to two things: 1st it’s not secure and second it hasn’t got any “serious” security philosophy.
all repeat after me: security is NOT about lockdown.. it’s about .. dodging attacks or moreover it’s about making your system secure. xp isn’t secure and longhorn/palladium is moreover a … big brother; control; totalitarian operating system, the worst i’ve ever heard of.
and no i do not believe that ms will ever become the security professionals’ operating system of choice!
i think we had/have a good take on this at counterpane, if it hasn’t changed since i was there!
no.
I actually agree with what the rep said. Microsoft is customer driven in a way that many companies claim to be but few are. In general they very accurately measure what sorts of changes their customers: hate, love, require, like… They are absolutely correct that for years the primary issues have been in the areas of features and performance. They’ve reached an interesting point where people are satisfied with the performance and features they get from their systems and now want to focus on other areas. Key among them has been security. But they face a long term problem here:
IMHO an important change has happened in business with the move to web based apps. A web based app is basically a dumb terminal app; and a whole generation of programmers who had only worked on the thick client model started to see the advantages of thin client. As they started to create more and more systems of increasing performance on “servers” using a dumb terminal model they forgot that “mainframes” need to be much more secure and reliable than “servers”.
If a company loses a file share or workgroup print server it’s not a big deal. If a main transaction server goes down they are burning money fast. Further the quantity of data on a mainframe/webserver is much greater than the quantity of data on more traditional servers which means a security breach can be much more severe.
So if you combine the move to web based systems with the fact that features and performance aren’t driving the market the desire for greater security becomes obvious. There is a problem however. PCs aren’t really dumb terminals, more and more they are running complex services.
So really security is going to mean one of two things:
1 – Make the mainframe/webserver much more secure and the clients even thinner. That is, take it for granted that some number of average PCs have fallen under hostile hands. But this will limit the features of the centralized apps. So this model probably isn’t good.
2 – Make the PCs much more secure. NT/2000/XP do a pretty good job of locking a user out unless they can get software on the system. But software runs with such high privileges under the NT model that a single piece of compromised software on a single PC with either good access or a user with good access destroys the security of the mainframe/webserver. Thus to get this to really work requires that the user and the software be controlled by the “mainframe” management.
What everyone is forgetting though is laptops and handhelds. While it’s fairly easy for companies to control employee desktops, what I’m seeing more and more since NT came out is employees using their own laptops to use the tools they want and using the corporate desktop just to access corporate systems. Similar to the setup you saw when the PC appeared and people had their PC next to their terminal. The PC ran Wordstar/Wordperfect, Lotus 1-2-3, allowed them to print easily… while the terminal gave them access to corporate data / email / etc…
The problem with this model though is that the laptops start containing more and more business critical information; and this information is totally outside the control of the company since they are unofficial. Worse yet the data may be unusable to the corporate system since it isn’t in the same format as the corporate file standards. Because the corporation isn’t controlling the software, the laptops (thick clients) are evolving much faster than the desktops (thin clients); and the gap in tool quality gets greater. So the company starts trying to back up these systems and also get the data shared between the mainframe/webserver and the laptops.
This creates a demand for features on the thin clients to work with the same systems that are being used on the thick clients. But you can’t do that since the thick client software wasn’t written with things like security in mind. So the company starts trying to at least back up these systems and
…. and the cycle continues.
The article says the apache vulnerability only affects non-unix platforms. Are there still platforms out there that are non-unix?
Seriously though, I think OSNews should take note and put it in the Our Take section that should be in the post of the article that the Apache Vulnerability has been fixed in 2.0.40 and a very easy workaround is available for people who don’t want to upgrade just yet.
I’m sorry but i fail to understand how come the apache vulnerability is news when the same vulnerability was fixed before the release of the news.
An event yes… news? Hardly… zdnet should know better… but alas we are doomed to get filthy by hype thriving news screamers…
And anyway how in the hell is the “US’ Computer Incident Advisory Capability” of the department of energy to post security warnings?
Another department created to tackle the “terrorists” from the mind of the americans, but doing nothing in reality?
Cheers…
what was the problem?
i don’t remember reading any news about a big problem caused by a lack of personal computer “security”
microsoft isn’t getting the money going to mcafee, symantec, checkpoint,etc, maybe that is the “problem”?
if microsoft turned off scripting in outlook and office or just fixed the bugs, it would alleviate 99% of the problem.
instead we get the stalinist ministry-of-trust palladium pc?
what comes after PC?
why, PD of course. Palladium.
maybe in an open market economy, microsoft can put together their own closed pc and see if anyone buys it?
?
>Another department created to tackle the “terrorists” from the mind of the americans, but doing nothing in reality?
I hate to admit it, but this is true. There must be hundreds of these groups employed or contracted by the US government. If you think Apple overpriced you should see the bill for some of these places, huge waste of money if you ask me.
maybe in an open market economy, microsoft can put together their own closed pc and see if anyone buys it?
———-
xbox is already out
I’m sorry but i fail to understand how come the apache vulnerability is news when the same vulnerability was fixed before the release of the news.
So was NIMDA, but people just hadn’t installed the patch. How do you think the virus creator figured out the vulnerability? They just read it off the MS updates site, and assumed people hadn’t patched their machines. Guess what, they were right.
One of the most difficult problems with security is not so much fixing the flaws as it is distribution of the repaired software. People just don’t know that their systems are at risk because they don’t take the time to read every security bulletin that comes down the pipe from the software provider.
Palladium is M$FT’s attempt at making hardware do what Microsoft is too stupid to make their software do…
Anyone have a link to a paper describing how Palladium is going to make windows secure? To this point the information I have seen has been short on details and failed to address exactly how the technology intends to separate “bad code” from “good code”.
From the notice on the apache site:
Affects: All Released versions of 2.0 through 2.0.39
Fixed in: 2.0.40
> Anyone have a link to a paper describing how Palladium is
> going to make windows secure? To this point the
> information I have seen has been short on details and
> failed to address exactly how the technology intends to
> separate “bad code” from “good code”.
Because the chip set uses encrypted data all code has to be encrypted to run “natively” on the system. To be able to run code on the system you’ll need to be able to properly encrypt your code. To encrypt your code your code will need to be Palladium certified.
The alternative code that can run will run inside a virtual machine and the virtual machine will be Palladium certified. That is, trusted code will execute much faster and have permissions to access hardware in a meaningful way. Untrusted code will run much slower and will lack those permissions.
so for example:
spyware programs aren’t certified so they don’t have access to any data outside the sandbox, where the important data is.
Old-fashioned kind of virus that took over your hard drive… won’t run because a “virus” modified application won’t pass digital security.
Further even if a virus manages to infect your data files the Palladium system will notice. Moreover a datafile can be disabled remotely so a virus can’t spread because Palladium won’t run it after it’s disabled.
Once a hacker changes system .dlls they won’t be system .dlls anymore. Companies can force you to install security updates because the system won’t run if it doesn’t have the latest security patches. etc…
Some introductory articles http://stacks.msnbc.com/news/770511.asp
http://www.sfbg.com/36/46/x_techsploitation.html
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Just another attempt to take control away from the populace.
1. MS lives to sell new versions of Windows. What makes people buy new versions? Features, feature, features. Thus, adding features is more important than adding security.
2. An astounding number of users don’t seem to care about the security of their computers at all. My father-in-law is one of many I know who have an “I have nothing to hide” attitude and won’t even apply the fixes MS makes available.
(That’s sad, in my opinion.)