About a year and a half ago, as I was preparing for a series of Microsoft-sponsored security talks with Mark Minasi, I suggested that my talk--which was to focus on Microsoft's security road map--might be jokingly called "Finding the Humor in Security." For the record, I was serious about the title, but the attempt at humor fell on deaf ears in Redmond and we used a more staid (i.e., boring) title.
I'm not laughing anymore. On Sunday night, while preparing for a trip Monday to New York, the notebook I had planned to bring was suddenly struck by the most malicious software (malware) I've ever encountered. This Trojan horse got through my defenses despite the fact that I was running the Release Candidate 1 (RC1) version of Windows XP Service Pack 2 (SP2) with the firewall turned on. It was infuriating, and after hours of investigating, deep cleaning with various antivirus and antispyware products, and consulting with my technical guru (Storage UPDATE's Keith Furman, a lifesaver), I finally gave up. As I write this commentary, I'm heading to New York by train, using a different machine, and my infected laptop is home, awaiting a complete wipeout. I never did completely clean up the machine, and I'm still frustrated by the defeat.
This isn't the first time I've been hacked. A few years ago when Nimda hit, I discovered the chilling message, "You've been hacked by the Chinese" on one of my Web servers. Fortunately, I had previously taken the simple step of moving my Web sites out of the default location (i.e., they weren't in C:\Inetpub\wwwroot), so I didn't lose any data. But the episode left me with an uncomfortable feeling of violation.
As a news reporter, I write daily stories about Microsoft and the computer industry and, as you might expect, security-related topics have dominated the headlines recently in ways that no topic--even Microsoft's epic antitrust battle with the US government--ever has. Even here in Windows & .NET Magazine UPDATE, security has been an overwhelmingly popular topic: The editorials in at least 10 of the last 24 issues have dealt, at least in some way, with security. These days, the topic is almost unavoidable.
Oddly, I've actually defended Microsoft and its security record. I've written--and I still believe--that no company is doing as much work as Microsoft is right now to secure computer systems and that, ultimately, this work will benefit us all as PCs become more and more adept at dealing with electronic intrusions. Last week, in a meeting at Microsoft, XP Lead Product Manager Greg Sullivan showed me how XP SP2 prevents a particularly nasty form of attack, in which malicious users can use chromeless (i.e., borderless) browser windows to hide warnings and make you think that you're accepting a valid bit of Microsoft code. The ingenuity in such an attack highlights the problems Microsoft faces as it seeks to secure Windows and its other products against increasingly sophisticated attackers.
But ultimately, I'm not as concerned with Microsoft's problems as I am with how the company addresses its customers' needs. One concept I've always tried to get across, whether here in Windows & .NET Magazine UPDATE or on the road during speaking engagements, is that we need to remember where we, as Microsoft customers, fit in the equation. We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security--it's just not there today, not yet.
And based on my recent experience, SP2 might not be the panacea I was hoping for. Indeed, days before my unfortunate experience with the aforementioned particularly irritating Trojan horse, Sullivan intimated during our meeting that SP2 wouldn't cure all security problems. Although the company is raising the bar in this release--dramatically, in some ways, especially for next-generation PCs whose microprocessors support the No Execute (NX) security technologies--SP2, like most technologies, will be too little, too late, for some people.
That brings me to another little bit of humor that I pull out whenever something goes wrong--maybe a demo isn't working quite right or a projector refuses to cooperate with my laptop for some reason. "Technology has never failed me," I'll deadpan. It always gets laughs, but you know what? Maybe the joke is really on me. If anything, technology has done nothing but constantly fail me. And now, purposeful technological glitches are starting to bridge the gap between simple irritation and economic ruination. I'm starting to fear that the Good Guys can't keep up.
Pick your poison: Today, we have spam, browser phishing, browser hijacking, Trojans, worms, and viruses, and probably other malware of which I'm naively ignorant. Call me a Luddite, but I long for simpler days.
For example, I have a mix of hardware and software on my home LAN, ranging from Cisco PIX firewalls to embedded Soekris appliances running OpenBSD as a firewall/router, some Windows PCs, and many Linux servers and workstations (running several distributions, like EnGarde Trusted Linux, Fedora Core 2 and SUSE Linux). This won't stop any hacker from beating me, but it will make it much more difficult for anyone to perform a single attack that affects all my systems at once. The hacker can target my Cisco PIX firewall or my Soekris box, but it's really difficult to target all my systems with a single, automated attack.
As has been said, monoculture is bad. Microsoft is forcing the market into monoculture, i.e., all devices running Windows. That's really horrible. Windows has made some serious mistakes, like producing a modified version of Kerberos that nobody in the cryptographic community has validated, for example. Betting all your business on one vendor is, simply said, suicide. No single system vendor can offer you everything (no one size fits all). For example, nobody can beat OpenBSD on embedded security systems like those from Soekris. And nobody can, currently, beat Windows as a multimedia platform. Nobody can beat sendmail/postfix as the best-performing, most-used, smallest-footprint MTA on the market, and nobody can beat Linux as a customizable and flexible system for clusters or servers. We should choose the best offerings from different vendors, while not trying to marry ourselves to one single vendor (be it Sun, IBM or Microsoft).
Felipe Alfaro Solana, May 28, 2004