Microsoft's most successful failure
Mark Burnett, 2005-06-06

Someone once asked Pablo Picasso which one of his many paintings was his favorite. His reply: the next one. Ask Steve Ballmer which version of Windows is the most secure and guess what his answer will be?

I noticed that Microsoft is ready to release Security Rollup 5 for Windows 2000. It's not a service pack, it's more of a convenience pack -- all the hotfixes since SP4 rolled up into one big install. This precedes the end of mainstream support for Windows 2000, which runs out the end of this month.

Five years. Has it really been that long already? It doesn't seem that long ago that I was so eager to abandon NT4 and install the flashy new 2000. But a lot happened in those five years. The Internet changed, security has changed, and the world has changed.

I think that Windows 2000 has probably been one of Microsoft's greatest sources of bad press in the entire history of the company. But it also shaped the company into what it is today. Windows 2000 was meant to be their most secure operating system ever, but it turned out to be an absolute security disaster. Somehow Microsoft managed not only to recover from that disaster but also to turn security into one of their greatest assets. It turns out, then, that Windows 2000 was their most successful failure so far.

Things were different in the year 2000. Programmers felt vindicated that the Y2K bug didn't turn out to be that big of a deal. We made it past January 1st, and then it was time to move on. Windows 2000 came out that first quarter, just as security was becoming more interesting to more people -- and Windows was a good place to start. It also seemed to be the start of a new breed of Windows hackers.

That year went on with a flood of vulnerabilities found in Windows 2000, many of them affecting IIS. It got to the point where any pen-tester (or hacker) knew they were pretty much guaranteed to find a way in once they saw they were attacking an IIS-based web site. In other words, you could go to nearly any company, no matter how big it was, and break into its IIS server within minutes. It went that way well into 2001.

How bad was it? It was really bad. Unfortunately, many break-ins went unnoticed, and those that were noticed were kept very quiet. Banks, government and military sites, e-commerce sites -- rest assured, they all got hacked.

But could you really blame Microsoft? Most of the hacks weren't anything fancy, just the same old exploits that Microsoft had already fixed. People just weren't installing the patches. And no matter how hard we tried, no one seemed to get it. It was nearly impossible to sell preventative security at that time. I remember once asking another consultant, "What do we have to do, hack everyone to get them to understand?"

Things changed that summer.

It all started in May of 2001. I began getting calls from companies I had tried selling security services to in the past but who had never been interested. Now they needed my help because something had happened. It seemed like dozens of people had their web sites defaced with the words: "fu*k USA Government, fu*k PoizonBOx." It was the first time many companies had ever experienced a worm. And it would certainly not be the last.


Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.
Copyright 2010, SecurityFocus