The following is a short discussion of a keynote by Bill Gates on the security measures Microsoft will take during the next one or two years to improve security. Security of what? In the same month Gates made a speech at a security conference in Munich where some new cooperation between state, industry and Microsoft was announced. In the newspapers the next day you could read headlines like “ Microsoft to improve internet security ”. Did you have problems with the internet lately? Was it bandwidth? routing? Unreliable transports? If yes, then you've had an internet related problem.
But I doubt it. You've probably had security problems like viruses or trojans ON YOUR MACHINE. You may have received spam ON YOUR MACHINE. Neither of them where made by the internet. The internet does not know about security and does not impose restrictions on senders and receivers beyond what is needed to communicate. Whining about this fact is like complaining that trees don't have airbags. A statement like "MS wants to improve internet security" is like DaimlerChrysler saying that they want to improve the public roads. Both should focus on THEIR products first.
But there is a tight connection between the product and its network (just think about putting guidance systems along roads) and we will come to this intersting point later.
So let's take a look at how Microsoft wants to improve the security of your machine. And for the beginning we will naively not make a distinction whether this machine in part of an enterprise network or a simple home computer.
Gates divided secure systems into three parts:
Technology |
Customers |
Law |
Most of the talk was focussed on technology so let me just cover the other two shortly. Interaction and communication with customers is a key feature of building secure systems. Gates mentioned several times the effort Microsoft puts into talking with large scale enterprise customers about security problems. Customer guidance is seen as essential. This covers configuration help and education as well.
With respect to law Gates mentioned several activities and legal actions like taking spammers to court.
Gates divided the technology element into five parts.
Secure Coding |
Software updates |
Isolation |
Authentication and access control |
Social Engineering |
Secure coding means development standards and tools that prevent security risks like buffer overflows. A number of tools and technologies where mentionen (module relationship checking, FXCop, PREfast etc) which are probably related to buffer overflow problems. Here a question would be why then CSharp has gotten options to decrease code security like -unsafe?
He also mentioned that threat modeling has become a standard part of the development process and that every bit of coude would go through code reviews before it reaches production.
A security response center has been set up where developers can contact experts about security problems.
What are the properties of a good software update? One can probably list the following properties:
Automatic - I don't want to be bothered |
Safe - please do not break anything on my machine |
Effective - please change only what is really needed in MY case |
Immediate - as fast as possible once a vulnerability is found (not when exploits show up and certainly not after a half a year) |
No costs |
Please do not forget that every update is AFTER THE FACT that a vulnerability existed. It is always only a second class measure, no matter how good it is marketed. And if you look careful at the above list you will notice that some items conflict: A safe update requires mass testing and this goes against the immediacy in case of exploits. The update features are mentioned in Gates speech under technological innovations but to me they look more like process improvements because they do not tackle the underlying problem.
Microsoft distinguishes three customer groups which are served through different update technologies- from automatic updates for home user to customizable updates through the windows update service to the full monty of SMS driven management.
Some interesting numbers: SP2 is now installed on about 50% of all machines. This is actually quite frightning given the number of exploits against pre-SP2 systems. Gates mentioned also a Gartner statement that 75% of all security problems would be found in customer applications. That may be true but it is of little relevance: If you are broke that's not my problem. If the nations money system is broke we all got a problem. This means we need to weigh security problems with respect to affected machines.
This topic covered most of the speech. Problems covered where:
Download spoofing |
Phishing and IE |
Zones/Domains as a security concept |
More user control |
Mail scanning with several engines |
Active directory for central management |
Spyware prevention through collaborative services and tools |
Realtime detection of spyware or malware. |
IPSECT - which looked like a firewall control interface to me |
SP2 features |
Security config wizard |
Some topics are IE related and Bill Gates announced another improved version (7) for the future. Version 6 already had some improvements against tricking users by manipulating the GUI elements of the browser. Unclear to me is whether the zone/domain config (which is actually something used in large corporations) will be really used in home environments. I'd love to see some usability studies and empirical results in this area.
Do you want spyware to fight spyware? You better do because a surprising nubmer of security problems will be solved in the future using collaborative technologies. MS software will report incidents to a central service (called SpyNet) where security experts will investigate. Gates hopes to detect attacks by spy-software and viruses or worms very early. Individual machines can then be made to stop downloading malware. Microsoft wants to use this pattern also to detect phishing attacks. It is a combination of technology and organisation and begs asking one question: when will this service cost something?
A whole bunch of new tools (including new anti-virus software) for security management was announced as well. They can e.g. replicate a central security policy defined in active directory against a large base of machines. Only the spynet stuff will be included at no cost.
Here the two important statements where that passwords will be replaced by smartcards and again a couple of new tools for identity and system management. The goal is to centralize identity management AND policies and be able to put these rules in place everywhere. A reverse proxy (called web listener) will be included which does authentication before handing over the requests to applications. Secure configuration of applications and services is made easier through tools and templates.
Digital restriction management is another topic and here some efforts where made to avoid the server callback in some cases.
According to Gates phishing is now much more critical than e.g. spam. He agreed that browser work was needed (probably to reduce GUI manipulation and to improve feedback for the user) and mentioned vaguely that other sources of authenticity could be used to validate mails but provided no details.
Microsoft wants to use the same collaborative techniques as in the case of spyware to fight spam and phishing. That means global databases, services and experts at Microsoft which collect the data and create a verdict on mails.
The speech is about 20 pages in print and that means it contained a lot of information some of which I tried to concentrate on above. Here now comes the final conclusion and what I learned from the paper.
Even the term was missing in the talk. And when we look at where MS is putting the money it is all about centralized management and control (federated directories, replicated policies). In general - stuff for the enterprise with its full-time admins. So what happens to the home computer? It will not really be hardened through the introduction of a trusted computing base. This is probably still far away and cannot be done on the current platform anyway.
So what do you do if all your security technology needs a central management and you have machines which do not belong to an administrative zone? You have to create one and this is what we are seeing: Distributed computing and larege service centers with databases on vulnerabilities and attacks need to help the single PC at home. But there are two things to recognize. First, all this is AFTER THE FACT and does not prevent new attacks immediately. It does not strengthen the computing base. It can only react. And second: this comes at a price. Nobody can run free data centers equipped with expensive hardware and security specialists forever.
But this could easily be the final business model anyway: Pay for the service to get a secure system. Security then is no longer a property of a system but a service to buy. As a property of a system it is under legal constraints (warranties etc.). As a service it can be charged for.
Technically the current windows platforms are unable to provide secure computing when used in home environments (or any environment without central control and management). The platforms are not designed to withstand new attacks. All effort goes into mitigating the results of attacks across machines.
And even the best and most expensive update options provided (full SMS with advance warning by MS) cannot protect companies from new and rapidly spreading malware.
When we look at the classic security troika of prevention, detection and response most of the efforts now go into detection and response. Prevention would probably need fundamentally new architectures - perhaps including capability technology. What can be done on the current platforms is e.g. to program 50 ceckpoints into IE which can be used to warn users in case malware was downloaded. But this is only a small segment that can be secured - programmatically - and will always be a patchwork security solution.
The number of new tools and products for security is amazing (ISA2, MOM, AV, SpyNet, DRM, IPSECT). But again, this comes at a price. Securing the Microsoft infrastructure is getting more and more expensive - even for enterprises which have to buy all this stuff. One consequence at least in my opinion is that Microsoft needs to kill the Open Source competition simply because of the ever increasing cost structure which will make MS installations more and more a costly exercise. It would not surprise me to see the EU software patent law initiative here as a means to achieve this.
I have to admit that I did not understand all the improvements in the area of secure coding that are supposedly built into Visual Studio. The talk only mentioned product names and not what they do.
"Browsing definitely is a point of vulnerability" - is that really so? One of the terms that Gates and his employees frequently used in the talk is "richness". Meaning e.g. that for different customer groups different solutions are provided and that in general the solutions need to be feature rich. But wasn't it exactly this "richness" that MADE browsing a dangerous experience? I have seen no indications in the talk that MS would recognize the feature-richness as one major source of vulnerabilities. Even though most of IE security problems are caused by extensions.
Usability and its connection to security are a hot topic. Unfortunately the talk did not say a lot about it. The problem of making home computers that let their users communicate safely by offering security features in a clear and understandable way has not been solved yet. Just look at the design of the SP2 firewall configuration. I would love to see a usability study conducted on windows security features and how they are used and perceived by regular home users.
Privacy is mentioned twice in the talk. Once at the beginning and once at the end - both times like "you know, privacy is important". Gates began his talk with an example on privacy (when he lost his papers at a conference). But between this example and the one on the "importance of privacy" nothing more was said on this topic. Worse - many of the technologies which where presented have a severe impact on your privacy. No mention of this. Look at all the collaborative techniques against spam, phishing, viruses and attacks. They collect a lot of data about you and your PC. They need complete and up-to-date information on what is installed on your machine (and along that when it was used and how many times etc.). And the same goes for the update services. And all this information is needed just to make the technology work at all. The digital restriction management frequently needs callbacks to servers which can easily create viewing profiles on users.
Preventing privacy violations here will be very hard because the security services are designed in a way that they will not work without your private data.
The talk is about 20 pages long and I had to read it three times to at least see some structure (I wonder what the people attending the live talk did understand). Full of technical bits, product names etc. it was extremely hard to understand. I used a technique called mindmapping to create an overview. I learned this technique last term from Timo Kössing, a student at the HDM and I must say it was very helpful. This time I did it on paper but next time I will use the freemind open source product.