Free Republic


All the stupid people. Where do they all come from?
The Register ^ | 11/03/03 | Tim Mullen

Posted on 11/03/2003 11:53:58 AM PST by Salo

By Tim Mullen, SecurityFocus. Posted: 03/11/2003 at 15:13 GMT

Opinion: Microsoft's best chance for regaining the revenue lost to security concerns isn't in eliminating bugs, writes SecurityFocus columnist Tim Mullen.

Two years ago I wrote about how security would become critical to the success of Microsoft, and how the challenge of combining "simplicity and security" would represent the highest costs in IT.

For what is apparently the first time in Microsoft's financial disclosure history, the company has reported that security issues, or more appropriately insecurity issues, have directly affected their balance sheet in a negative way. Though quarterly stock earnings were up from last year (and above industry projections), Microsoft has identified losses of approximately $700 million in unearned revenue from non-renewed contracts in product futures. This was primarily attributed to industry concern over recent product vulnerabilities and other security-related problems.

Microsoft bashers will be quick to say things like: "All of Microsoft's revenue is unearned!" But that's just because they don't know any better. The truth is that from a business perspective, Microsoft does an excellent job in their support of customers and partners.

Even so, revenue has been lost, and it is due to customer perception. It isn't a critical hit -- most companies do not get to enjoy unearned revenue; they're lucky if the earned revenue is enough to keep them in business. But this is significant because it marks a time when businesses are finally taking security into account when making their purchases. It shows that the industry is maturing -- that it's ready to hold someone accountable for bad security.

Now that they've grown up, all we have to do is educate the corporate masses to point their fingers at the right places: Not at Microsoft or other vendors, but at themselves.

That's right: education -- not some software Manhattan Project to eliminate buffer overflows -- is what's needed here. The reason most vulnerabilities become issues is because the products are used by people who don't know what they are doing.

Village Idiots

This may get the ire up on some anti-Microsoft zealots, but to be honest, I really don't care. After my last column about the CCIA report, I received many an email from Linux aficionados telling me how fatally flawed the architecture of Windows was. I was amazed at how totally ignorant some of these people are to what the Microsoft reality is -- it seems that many still think the Windows operating system is synonymous with Windows 95. News Flash: It's 2003, time to grow up and get a place of your own.

But Microsoft is not trying to win these people over. In fact, some of the company's worst enemies are the ones who are already their clients.

A case in point comes from a notice in the latest SANS NewsBites. It seems a buddy of Stephen Northcutt's works for a company who has a "C-Level executive" mandating that RPC and NetBIOS not be blocked at the border routers or firewalls. (The editor's note says "between organizations," but the full memo shows that this is the desired configuration over the Internet.) This is so Exchange servers at different sites can communicate over RPC and executives can easily use file sharing. SANS is soliciting solutions for this quandary.

Here's mine: Fire the dolt.

For one thing, you don't block ingress ports on firewalls -- they should all be blocked by default already. You allow them when you have to, and only when you have to.

But regardless of the default firewall policy, any executive who mandates that RPC and NetBIOS be opened at the gateway in order to make file sharing easy needs to find a village missing an idiot, and move there.

And this is probably the same guy who did not renew his contract with Microsoft because his company got hit with Blaster.

Microsoft isn't the problem. The problem is the executive who doesn't want to pay for security to be implemented properly, who mandates ridiculous policies, and who ultimately refuses to do anything that provides any real level of security. These are the people who don't take the time or commit the resources to ensure that the products they use -- the ones they have become dependent upon -- are being administered by those with security training. Then they blame all their woes on the vendor, while making their staff suffer through the effects of their poor judgment.

This is why the next big step for Microsoft should be in the arena of security education -- right behind patch management. Look for this shift soon, as this time, right or wrong, security is hitting Microsoft's bottom line.

If this kick in the Microsoft wallet has the end result of increasing security, then it's ultimately a good thing. Even if we have to lose a clueless executive or two along the way.

SecurityFocus columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.


TOPICS: Culture/Society; Technical
KEYWORDS: computersecurity; microsoft; security
Another great security article.
1 posted on 11/03/2003 11:53:59 AM PST by Salo
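The column's firewall point (everything inbound is blocked by default, you allow only what you must, and RPC/NetBIOS never from the open Internet) as a worked check. This is an added example, not code from the column, from SANS, or from any firewall vendor: it models a border firewall as an ordered rule list with first-match semantics and an explicit default action, then asks which Windows file-sharing ports an arbitrary Internet host can reach. The rule format, the "partner site" range 203.0.113.0/24 and the Internet host 198.51.100.7 (both RFC 5737 documentation addresses) are constructed for illustration; TCP 445 is added to the column's "RPC and NetBIOS" because Windows 2000 and later also carry SMB on it.

```python
"""Model of a border firewall's ingress policy: ordered rules, first match wins,
and an explicit default action. Added example; the rule format and addresses
are constructed for illustration, not a real firewall's syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Well-known ports behind Windows RPC and file sharing. 445 (direct-hosted SMB)
# is an addition to the column's "RPC and NetBIOS"; Windows 2000 and later use it.
WINDOWS_LAN_PORTS: Dict[int, str] = {
    135: "rpc-epmap",
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    445: "microsoft-ds",
}

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    src: str = ANY                          # CIDR the packet's source must fall in
    proto: Optional[str] = None             # "tcp", "udp", or None for either
    ports: Optional[FrozenSet[int]] = None  # destination ports, None for any


@dataclass
class Policy:
    rules: List[Rule]
    default: str = "deny"                   # what happens when no rule matches

    def decide(self, src_ip: str, proto: str, dport: int) -> str:
        """First matching rule wins; otherwise the default applies."""
        src = ip_address(src_ip)
        for r in self.rules:
            if src not in ip_network(r.src):
                continue
            if r.proto is not None and r.proto != proto:
                continue
            if r.ports is not None and dport not in r.ports:
                continue
            return r.action
        return self.default


def exposed_windows_ports(policy: Policy, internet_host: str = "198.51.100.7") -> Dict[int, str]:
    """Which of the Windows LAN ports can an arbitrary Internet host reach?
    198.51.100.7 is a constructed RFC 5737 documentation address standing in for 'anyone'."""
    reachable: Dict[int, str] = {}
    for port, name in WINDOWS_LAN_PORTS.items():
        for proto in ("tcp", "udp"):
            if policy.decide(internet_host, proto, port) == "allow":
                reachable[port] = name
                break
    return reachable


LAN_PORTS = frozenset(WINDOWS_LAN_PORTS)
PARTNER_SITE = "203.0.113.0/24"             # constructed: the other office's public range

# 1. The wrong default: nothing is blocked unless someone remembers to block it.
OPEN_BY_DEFAULT = Policy(rules=[], default="allow")

# 2. The executive's mandate applied to a default-deny firewall: RPC and NetBIOS
#    explicitly allowed from anywhere so that file sharing "just works".
EXECUTIVE_MANDATE = Policy(
    rules=[Rule("allow", src=ANY, ports=LAN_PORTS)],
    default="deny",
)

# 3. Default deny, with the same ports admitted only from the named partner site.
#    Rule order matters: the single excluded partner host is denied before the
#    broader site allow. Everything else inbound falls through to the default.
DEFAULT_DENY = Policy(
    rules=[
        Rule("deny", src="203.0.113.66/32", ports=LAN_PORTS),
        Rule("allow", src=PARTNER_SITE, ports=LAN_PORTS),
    ],
    default="deny",
)


if __name__ == "__main__":
    for label, pol in [("open by default", OPEN_BY_DEFAULT),
                       ("executive mandate", EXECUTIVE_MANDATE),
                       ("default deny", DEFAULT_DENY)]:
        print(f"{label:18s} exposed to the Internet: {exposed_windows_ports(pol)}")
```

Real rulesets (iptables chains, nftables, router ACLs) have the same first-match-plus-default shape, so the same question can be asked of their exported rules. The column's point maps onto `default="deny"` plus a short allow list scoped to specific peers, not onto bolting deny rules for 135-139 and 445 onto a default-allow border.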

To: rdb3
Pinging Dr. Penguin.
2 posted on 11/03/2003 11:54:23 AM PST by Salo

To: Ernest_at_the_Beach
Tech Ping.
3 posted on 11/03/2003 11:54:51 AM PST by Salo

To: rdb3; TechJunkYard; chance33_98; Calvinist_Dark_Lord; Dominic Harr; Bush2000; Nick Danger; ...
I keep saying that the worst security holes are due to ID-10-T errors at the keyboard.
4 posted on 11/03/2003 11:58:00 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
I keep saying that the worst security holes are due to ID-10-T errors at the keyboard.

Would have to agree. If you don't put into place well thought out and planned security procedures, patches won't help at all anyway. Not to say Microsoft couldn't do better: Bugfest! Win2000 has 63,000 'defects' ...

5 posted on 11/03/2003 12:07:04 PM PST by chance33_98 (Check out my Updated Profile Page (and see banners at end, if you want one made let me know!))

To: ShadowAce
No, I think they're PEBKAC bugs...

Regardless, this guy is clueless (and he's a "Software Architect"?). All of Micro-Nano-Pico-Femtosoft's software is a kludge job starting from DOS. Unix/Linux/***x, etc., by contrast were designed from the top down as a multitasking OS.

Frankly, I never thought that even Unix, as originally represented by the Bell Labs and Berzerkeley versions *or* in any of the future incarnations - was all that great, although I've got to admit Sun did clean it up quite a bit when they came through with Solaris. But there have been many other more solid OS's throughout history, which have been assimilated by Unix - the Borg - because they were not platform-independent.

But by comparison with *all* of them, *all* of Femtosoft's successive incremental (per)versions of Windows are junk... OS design is a well-documented discipline which none of Femtosoft's poofters and potheads have ever bothered to study. Instead, they leave it to their marketing people (who appear to be more capable than the programmers - which says a lot) to try to stave off the various Unixes in the marketplace.

But Gates will lose... Windoze will be assimilated by the Borg. Apple has fallen, and he's the last remaining holdout. You have to hand it to him for being able to fight it this long (see above comment on Femtosoft marketing...) - but he knows the handwriting is on the wall... I'll bet he's got a skunkworks somewhere dedicated to coming up with a Linux-based Windows layer, so he can at least try to contain the problem with a pre-emptive strike when someone else tries to port his family jewels - the office utilities - to Linux...

6 posted on 11/03/2003 12:23:38 PM PST by fire_eye

To: Salo
The real point is MS products have trouble working when locked down (i.e. secured).
7 posted on 11/03/2003 12:32:51 PM PST by stainlessbanner

To: chance33_98
If you don't put into place well thought out and planned security procedures patches won't help at all anyway.

And if you allow employees to ignore the *well thought out and planned security procedures* with impunity, then it's your own stupid fault if you have constant security problems and huge expenses.

I would say a large majority of security breaches, whether systems security or physical access problems, are due to deliberate violations of policy, not to mention failures of basic common sense. Every nerd has an excuse for why the rules don't apply to him ...

8 posted on 11/03/2003 12:38:00 PM PST by Tax-chick (Due to lack of interest, this tagline has been cancelled.)

To: chance33_98
then it's your own stupid fault if you have constant security problems and huge expenses.

That was a generic, rhetorical "you," not a "you-personally" you.

9 posted on 11/03/2003 12:39:58 PM PST by Tax-chick (Due to lack of interest, this tagline has been cancelled.)

To: Salo
The problem is that Microsoft's default settings and applications allow stupid users to maximize their damage. If a Mac user opens up an email containing a VB virus and double-clicks on it -- nothing happens. If a Linux user opens up an email containing a VB virus and double-clicks on it -- nothing happens.
10 posted on 11/03/2003 12:46:02 PM PST by Question_Assumptions

To: Salo
For one thing, you don't block ingress ports on firewalls -- they should all be blocked by default already.

Ditto for servers and workstations. Of course, Microsoft leaves them wide open by default.

Microsoft isn't the problem.

The problem is the customers. They should switch to better operating systems that are secure out of the box.

11 posted on 11/03/2003 3:11:51 PM PST by HAL9000

To: Salo

We can now add "security zealot" to our growing list of objectionable zealots in the computer industry.

The best quote in this article is "how the challenge of combining 'simplicity and security' would represent the highest costs in IT." That's a fact, and we're not a whole lot smarter now than we were five years ago about how to go about balancing those two.

The apocryphal "C-level executive" who wants the Exchange Servers open to the world did not issue such an edict for fun. That probably happened because some deadline was missed, or a trade show was ruined, or a proposal was late, because some guy on the road could not get to his files and no one could fix it in time.

Yeah, computer security is important. So is keeping food on the table. When the computers are so secure that the employees can't do their jobs, then it's time to flick the security experts out of the way.

They will then write articles like this, calling the executive who did that an idiot. Maybe they will even get lucky and there will be a horrible security breach, and then they'll get to say they told us so. But at least we will not again lose a $300 million deal because the account rep couldn't get past the Sacred Firewall to print the proposal in time.

Life is a balancing act, and this guy has signed up to be one of the weights at the far end of the bar. That's a thankless task, but it's a necessary one so I forgive him for being a jerk. We need his kind of jerk to remind us that there are Bad Guys out there and that Bad Things can happen. But we can't let him run the place, because in keeping the Bad Guys out he will make life Hell for the people who are trying to get their jobs done.

This is no more or less than the problem faced by retailers with shoplifting. We can eliminate shoplifting totally by eliminating the customers. We can reduce it to near-zero by strip-searching the customers on their way out the door. Or we can have a successful business that makes money, but loses some percentage of stuff to shoplifting.
12 posted on 11/04/2003 6:08:44 AM PST by Nick Danger (For your convenience, we recommend courteous, efficient self-service.)
