Windows Operating Systems Software

Ask Microsoft's Security VP 543

There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.
This discussion has been archived. No new comments can be posted.

  • by FidelCatsro ( 861135 ) * <fidelcatsro&gmail,com> on Wednesday January 18, 2006 @01:21PM (#14500905) Journal
    Mr. Nash, how in the world do you still have a job?
    I would have fired my Security VP if we had a track record like MS.
  • by skyryder12 ( 677216 ) on Wednesday January 18, 2006 @01:24PM (#14500961)
    MS "bundled" its web browser as part of the OS. This decision was in part brought about by legal challenges facing the company at the time. In my view, this was a very poor engineering decision, and the resultant "marriage" of browser and OS has led to repeated security nightmares for admins, companies and individual users. To my mind, the obvious solution would be to unbundle the two. But if MS did that, they would be admitting to perjury in court. I find this lack of judgement and integrity greatly disturbing, and this is a major reason I believe that Microsoft cannot be trusted to make the right, correct or best decision. This is not a happy thought when it comes to my business. My question is, given this past behavior, why should we give ANY credibility to statements concerning security from Redmond?
  • by tz ( 130773 ) on Wednesday January 18, 2006 @01:34PM (#14501094)
    The XP Embedded version can be created with or without IE or WMP, but I don't know how many DLLs have chunks of code designed to launch or provide IE or other MS product functionality (designed to give Netscape Users "a jarring experience" in the words of a Microsoft person). Is Microsoft ever going to sort and layer things so that there will be an isolated kernel, application layer, GUI, device drivers, (and if so, when), or is "Windows" going to continue to integrate things, e.g. "The Spreadsheet and Editor are now 'part of the operating system'"?

    Rationale: Many security problems are due to everything running as Administrator, with privileges, or as part of the OS. One thing I like about GNU/Linux is that each part is separate, so Firefox runs on X which runs using services, which runs using the kernel, with only the kernel having privileges. Generally a buffer overflow problem in X or Apache doesn't let someone format my hard drive. Also you can put something to analyze or intercept things between such layers - even things like ltrace or strace.
  • by largenumber ( 870199 ) on Wednesday January 18, 2006 @01:36PM (#14501116)
    What are your thoughts on security through obscurity [wikipedia.org]? Do you believe the technique works? In what ways do you think the closed nature of Windows prevents the corollary many eyes principle [wikipedia.org] from being used? Do you have any ideas on how Windows could utilize the many eyes principle?
  • Whatever (Score:2, Insightful)

    by MightyMartian ( 840721 ) on Wednesday January 18, 2006 @01:37PM (#14501134) Journal
    Look, we all know the drill by now. Microsoft looks bad. The guys get somebody who they think we'll all trust, he comes and says "ask me some questions", but at the end of the day, it's all PR. No one from Microsoft is going to honestly answer any question. Not yesterday, not today, not ever. The purpose of all these idiotic "ten questions" or "twelve questions" is purely PR, to try to make Microsoft look good, and quite frankly I have to ask myself why any employee of Microsoft would so willingly whore themselves out for this exercise.

    Just ask him when he stopped beating his wife.

  • by yamla ( 136560 ) <chris@@@hypocrite...org> on Wednesday January 18, 2006 @01:40PM (#14501192)
    When counts are released showing the number of Windows security holes vs. the number of holes in Linux, the counts generally include software that can be installed from the original CD. With Windows, this includes MSIE, Windows Media Player, etc. On Linux, this includes thousands of end-user applications, programs that Microsoft does not include with Windows. Do you think these comparisons are fair? Would you rather see comparisons to minimal installs of Linux?
  • Product Activation (Score:3, Insightful)

    by Shawn is an Asshole ( 845769 ) on Wednesday January 18, 2006 @01:40PM (#14501193)
    Will Vista still have the same annoying Product Activation that only affects legitimate users of the software?
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday January 18, 2006 @01:47PM (#14501278)
    Comment removed based on user account deletion
  • Off by Default (Score:1, Insightful)

    by Anonymous Coward on Wednesday January 18, 2006 @01:49PM (#14501323)
    It has been repeated many times that Outlook's ability to spread viruses was due to the default setting of automatically running scripts that were emailed to a user, and that this could have been avoided by simply turning off this feature by default. It has also been claimed that OS X has improved their security by turning off unnecessary services like personal web serving by default. Does Microsoft feel this is a good way to improve security, and are they planning on doing this in the future? In theory, if a service has an exploitable bug, but it's off by default, then it still isn't a very good vector for spreading a virus or other malware.
  • by The_Crowder ( 946902 ) on Wednesday January 18, 2006 @01:54PM (#14501384)
    Does the creation of an antispyware tool by Microsoft mean that your team has failed in their role of creating secure software?
  • by AgentUSA ( 251620 ) on Wednesday January 18, 2006 @01:55PM (#14501399)
    This has been answered before. Microsoft has stated that they will release patches out of cycle if there is an exploit in the wild that poses a significant enough threat to their customers.
  • by AntEater ( 16627 ) on Wednesday January 18, 2006 @02:08PM (#14501554) Homepage
    I'd like to build on this thought a bit:

    Why doesn't Microsoft make common use of the administrator account a thing of the past? All of the pieces have been there since NT for Windows to use a strict separation of user versus Administrator accounts like we see with OS X and all of the Unix based operating systems. Having just recently set up an XP system for family, I noticed that the default install encourages, for all practical purposes, the user to run with Administrator privileges. Having worked as a Windows Administrator in a corporate environment I found that there are many things that were difficult for the end user to do without having Admin. rights. By comparison, I rarely get requests for things that require root access from users on Unix/Linux desktops who do similar functions because the applications and system are set up assuming that root/admin. access will not be available to the user. In addition, it would seem that the default permissions for user files could be tightened up without creating a difficult work environment. As it is, the addition of security features in Windows looks like it has been treated as an afterthought, not an integral part of the operating system configuration - particularly for home users who are likely not to change from the defaults their system came with.
  • by kafka47 ( 801886 ) on Wednesday January 18, 2006 @02:09PM (#14501569) Homepage
    (Re-post, with formatting.)

    The revised mantra of Microsoft application security has been "Secure by default", a strategy that was applied with varying degrees of success to many of your products in recent memory. In security circles, this might seem like a no-brainer, but for consumer-level applications the strategy can be a nightmare. For a company that spends so much on usability and ease-of-use for end-users, the act of explicitly prohibiting certain operations or features seems to fly in the face of that investment. The users get what is perceived as a broken product, and the administrators get the headache of decreased security (say, after they install a patch that breaks "secure by default"). For various reasons, these two contradictory approaches seem to serve neither usability nor security.

    In that vein, what other effective strategies have been considered? For years, the NSA has provided a unique service to the users of various products, including Microsoft Windows operating systems. They produce "hardening" guides for these products in an effort to ensure their continued security and viability in the wilds of the Internet. Has Microsoft ever considered producing guides like these, seeing as how they're the authors of their own products? In that vein, has Microsoft considered redacting the secure by default to enhance usability, yet instead produce tools or wizards that electorally enable hardening for your applications and OS'?

    /K

  • MSFT employee here (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 18, 2006 @02:13PM (#14501616)
    Hi, Mike,

    I have just one question for you. Why do we STILL ship products with KNOWN security issues?

    I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.

    This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time; 90% of security issues remain unnoticed during this "code review".

    After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.

    If you ask me, that's an abomination, not a proper security process. Are there any plans to change it?
  • by DrSkwid ( 118965 ) on Wednesday January 18, 2006 @02:38PM (#14501891) Journal
    If you had to store your Credit Card Number, SSN, etc. on your computer, where would you put it/them?

  • by rbochan ( 827946 ) on Wednesday January 18, 2006 @02:41PM (#14501934) Homepage
    And no, unlike the comments in the page topic, I'm not trying to be snarky...

    Since Win2k/XP was supposed to be a complete, from the ground up, re-write after Win3.0/NT/9x, and Long^H^H^HVista is supposed to be a complete, from the ground up, re-write after Win2k/XP... why was code from 1990 [slashdot.org] included in these later releases?
    Just what is going on with this latest security debacle? Are these supposed to be re-writes or recycles?
