Someone once asked Pablo Picasso which one of his many paintings was his favorite. His reply: the next one. Ask Steve Ballmer which version of Windows is the most secure, and guess what his answer will be.
Five years. Has it really been that long already? It doesn't seem that long ago that I was so eager to abandon NT4 and install the flashy new 2000. But a lot happened in those five years. The Internet changed, security has changed, and the world has changed.
I think that Windows 2000 has probably been one of Microsoft's greatest sources of bad press in the entire history of the company. But it also shaped the company into what it is today. Windows 2000 was meant to be their most secure operating system ever, but it turned out to be an absolute security disaster. Somehow Microsoft managed not only to recover from that disaster but also to turn security into one of their greatest assets. It turns out, then, that Windows 2000 was their most successful failure so far.
Things were different in the year 2000. Programmers felt vindicated that the Y2K bug didn't turn out to be that big of a deal. We made it past January 1st, and then it was time to move on. Windows 2000 came out that first quarter, just as security was becoming more interesting to more people -- and Windows was a good place to begin. It also seemed to be the start of a new breed of Windows hackers.
That year went on with a flood of vulnerabilities found in Windows 2000, many of them affecting IIS. It got to the point where any pen-tester (or hacker) knew they were pretty much guaranteed to find a way in once they saw they were attacking an IIS-based web site. In other words, you could go to nearly any company, no matter how big it was, and break into its IIS server within minutes. It went that way well into 2001.
How bad was it? It was really bad. Unfortunately, many break-ins went unnoticed, and those that were noticed were kept very quiet. Banks, government and military sites, e-commerce sites -- rest assured, they all got hacked.
But could you really blame Microsoft? Most of the hacks weren't anything fancy, just the same old exploits that Microsoft had already fixed. People just weren't installing the patches. And no matter how hard we tried, no one seemed to get it. It was nearly impossible to sell preventative security at that time. I remember once asking another consultant, "What do we have to do, hack everyone to get them to understand?"
Things changed that summer.
It all started in May of 2001. I began getting calls from companies I had tried selling security services to in the past but that had never been interested. Now they needed my help because something had happened. It seemed like dozens of people had their web sites defaced with the words: "fu*k USA Government, fu*k PoizonBOx." It was the first time many companies had ever experienced a worm. And it would certainly not be the last.