Memo to Microsoft: Stay Secretive, Please, 2002-05-15
Unix and Linux security owes much to openness and public disclosure, but Microsoft is too far gone for sunshine to do any good.
“
The open source development model is not a panacea when it's the design and not the implementation that suffers from bugs.
”
Of course, even with these details kept secret today, there's no shortage of attacks against Microsoft operating systems containing these features. But this "security through obscurity" argument is as natural to Microsoft as it is anathema to open source types like me.
But I'm now ready to throw in the towel on this debate. Maybe Allchin is right: Microsoft's security record would be a whole lot worse if they were forced to disclose too much.
I know... It's tempting to think that more disclosure would make Microsoft more secure. After all, the strongest security records in the open source community are clean by comparison to Microsoft's. If it works for us, why not for them?
But the open source development model, with full disclosure of known vulnerabilities and extensive peer review, is not a panacea, and can't necessarily be used to fix flaws while retaining backwards compatibility -- especially in cases, like Microsoft's, where it's the design and not the implementation that suffers from bugs.
Perhaps the best example of open source security is OpenBSD. But in recent years there have been exploits against OpenBSD's FTP daemon, against core system utilities, and (less surprisingly) unfortunate interactions between popular third-party packages shipped with the operating system.
OpenBSD's once-grand claim of no root exploits in so many years has been reduced to "no remote root exploits in the default installation." Given that virtually nothing is enabled in a default installation, this claim is certainly likely to stand.
The OpenBSD team is pretty much the best there is, but security is difficult. It's difficult even when you have a small, well-disciplined team chock-full of smart people working closely from well-written specifications and dedicated to security above most other goals, including commercial success.
Now, think of Microsoft.
Moreover, one the major security advantages of open source development will always be out of reach of Redmond. I don't mean the "many eyes makes all bugs shallow" argument that Eric Raymond makes in The Cathedral and the Bazaar, and which I'm not sure I believe, but rather one of the subsidiary arguments which receives less attention: that open source code is less likely to have major flaws because programmers are substantially more careful when they know that other people will be reading their code.
Microsoft coders will never find this a motivator. As a public company, Microsoft is driven by the bottom line. They have thousands of programmers scattered across the globe working to produce large, monolithic applications that must ship on time and integrate with every other Microsoft application.
The applications themselves are driven at least as much by strategic corporate initiatives designed to maintain industry hegemony as by customer needs or internal design considerations. Witness the Windows Server family's feature set, which has for years oscillated between trying to put Novell out of business, trying to put Sun out of business, and being a platform for building business applications that run over the Internet.
It's a virtual certainty that all of Windows' internal APIs and protocols suffer from confusion and bloat. Even their publicly documented bits are a mess that the Microsoft Foundation Classes can't really hide.
In all likelihood, the most serious Windows exploits are not the buffer overflows we've grown accustomed to patching. Instead, they're more fundamental flaws, like the password hashing weaknesses that L0phtcrack exploits, or the PPTP design flaws that Counterpane
Just as it would be a dreadful idea for Microsoft to release Windows source code in its current form, it would be disastrous for them to release the Windows specifications. The current specifications are, clearly, no basis for a secure system.
Until Windows has been redesigned from the ground up, complete with peer review of all core architecture, not much can be done to stop Redmond's gaping, oozing security flaws from festering like wounds.
Jim Allchin is right. Microsoft's designs should be kept under wraps... not for their protection, but for ours.
