Handing Out Diplomas
You have just graduated from Microsoft's Security Awareness program! Congratulations!
This 2-week course has made you an expert in security, and now, you can write programs with the
expertise of those steeped in years of security experience.
Does this statement seem a little odd? Sure, it does not come directly from the course that Microsoft
is proposing, but essentially that is how they do things. Microsoft is putting over 7000 of
their engineers through extensive training and review process methods. The instigating move
for this new course came from Bill Gates' affirmation that Microsoft will recommit itself to security.
Wait a minute! Bill Gates, a college dropout, makes a statement that no lines of code will
be written unless the security implications are assessed. This statement is supposed to make
his engineers security experts? Crackers use many different methods to attack, infiltrate, take out,
or enlist networked computers. Just as a VB coder cannot simply be asked to write an application in C++, someone
simply cannot drop everything, think about security, and suddenly get inspiration for what's wrong
with the next line of code. The disciplines are worlds apart. Experts (both hackers and
crackers) have spent years studying the implications of security. Calling forth the spirits
of wisdom does not make the programmer wise.
Contrary to popular understanding,
the Hacker is the good guy and the Cracker is the bad guy.
Hackers solve problems and hack out a solution for the general good;
Crackers destroy and infiltrate for their own means and ends.
I constantly get email claiming to give me a diploma in this or that that is simple and easy to do.
These messages claim to be legitimate, accredited centers of learning and certification. Instead,
they are quick solutions that mean less than the paper on which the credits are scrawled. Honestly,
how different are these claims from those made by Bill Gates' campaign for strengthened security?
Surely the information that they portray is accurate and comes from experts in the field. But
knowledge without experience and effort distills to nothingness. Worse yet, the heuristics and
knowledge are cookie-cuttered into "workshops" and forums.
A couple years ago, I reviewed a course on Microsoft's SiteServer. Surprised at the lack
of depth and utility, I took the course again from another instructor. The exact same material
was presented. The examples were contrived; the results were irrelevant to what my company needed.
If this is the kind of forum that their bright 7000 will receive, the most they may get is two weeks
of binder & paper, drink & donuts, and boredom & IRC. To calculate, if the course is two weeks
long (most companies do not tolerate more than 1 week, but this is important), Microsoft will
waste 560,000 hours of engineering time. That is $70 million! Now, keep in mind that this
is not just their programmers: It includes your programmers too!
To be fair, not all the developers need this level of training, because they have had the experience
that no professional course can give. These have been trained by the experts in fine colleges
and have been administrators of vast interlocked networks. Unfortunately, these are the
exception and not the rule in the Windows environment.
For example, a couple years ago, I led a team of Microsoft programmers that created the e-commerce
piece to a service extended to existing clients. I carefully designed the infrastructure so
that it would be secure. I learned that the Microsoft experts had redirected some of the design
to sit on top of a visitor's database. This meant that there was no difference between a client
and a visitor to the site in the database. In fact, the visitor could create as many logins
as he/she desired without any tracking. The potential security risk was completely lost on them:
a cracker could fill the database with fake logins and bring the entire system to its knees.
When the risk was raised, it was dismissed out of hand. Fortunately, since that time, the hole
has been plugged.
Windows itself is not what security experts consider to be really secure. Yes, the file systems
on NT-based systems have access control lists, but most installations do not lock the files down like
they should. Therefore, a virus can get in and wreak havoc just as though there were no security
at all. Also, the registry, the central system information database, is world readable and writeable.
In another example, one which places a networked Windows computer in peril, the special socket ports
used in web services are open to any program -- both privileged and unprivileged. In all, the
concept of Windows was not founded in security.
Unless Microsoft commits to rearchitecting their operating system to include core security measures,
all the efforts they make to train Windows developers will be hampered if not stilted.