why you'll never have security with Microsoft

May 6th, 2008

Here's the thing. I hate stating the obvious. It really annoys me. On the other hand, obvious things are sometimes things that most need to be repeated. So I wrestle with myself and I finally decide that I should, because there is a shockingly large number of people out there who don't realize how obvious this is. See if you can learn something from this mock dialog.

Vendor: Good morning, is this Harry, the CTO*, I'm speaking to?
Client: Yes, how may I help you?
Vendor: Hey Harry, this is Steve from Microsoft. I would like to talk to you about Windows Vista.
Client: What's that?
Vendor: Why, it's the brand new version of our Windows operating system.
Client: Oh, that.
Vendor: I was wondering if I could interest you in our product.
Client: You know what, I don't think so, we are a very security sensitive company, and..
Vendor: But that's precisely the reason I'm calling, I would like to tell you how you can enhance your security with Windows Vista. You see, we've built the operating system with security in mind and it's the state of the art in operating systems.
Client: Hey, that sounds pretty exciting. So how does this work now, you ship us the source code and...
Vendor: No no, we don't distribute the source code.
Client: You don't?!?
Vendor: No, you see it's a trade secret. (my precious etc)
Client: You're kidding, right?
Vendor: No, really.
Client: So how do we know that it's actually secure if we can't see for ourselves? How do we know there isn't anything malicious in it?
Vendor: Well you'll just have to trust us.
*Harry hangs up*
Vendor: Hello? Harry?
*CTO - the highest placed person who makes technical decisions in a company.

How did it go? Did you get it? It was kind of a long thing, huh? Ok, stop racking your brains, I'll give you the answer: no source code, no security.

Here's how that works. It's simple economics, so try to keep up. If they give you the source code, then they put their cards on the table. You can see what the code does, and if it's doing something stupid (security hole) or nasty (like sending your data back to the vendor), then you'll be able to check for this. Now you may say "I don't know how to check", and that's okay. But just by giving you the source code the vendor knows that you can see everything the code is doing. And if you find something nasty in there, they know you'll never trust them again. So it doesn't really matter if *you* don't know how to check, because there are others who do, and sooner or later someone will find the nasty code if it's in there. Thus, if the vendor gives you the source code, then he'll be a lot more careful about what's in there, because he's risking losing your trust and your business forever. That will keep him honest.

Is there then anything surprising about finding out that Microsoft is putting backdoors in Windows? No, because how would you know they're there? You don't have the source code! In case you were wondering, the words "security" and "backdoor" are mutually exclusive.

So what have we learned today? Is there some way we could summarize all this in just one sentence? There is: If you want security, ask for the source code. If you can't get the source code, you know that the vendor isn't taking security seriously.

18 Responses to "why you'll never have security with Microsoft"

  1. Tyler says:

    Totally agree. Our security should be vested in the fact that it's solid code, not the illusion that if we don't allow anyone to see the source code then that's "security." That's just bs.

  2. Rami Taibah says:

    @Tyler, since we have you on board, can I treat you to the latest Canonical treat? Instead of that Redmond bloatware you are using ;)??

    Great article Martin

  3. Rami Taibah says:

    Lol Just noticed I posted that from an XP machine at work :D

  4. Martin says:

    What do you believe is then Microsoft's advantage in the operating systems market? Is it just the power they have that keeps them on top? I can see this tendency changing; Mac's OS, for instance, has its good market share, it is widely believed that Mac systems are "better" than Microsoft products, Mac has a big share on product image; but has the disadvantage of distribution which is mostly reduced to their own computers, while Microsoft is just everywhere. - I have never used a Mac in my life but I have to use Windows daily.
    On the other hand we have the Linux movement, with some great functionalities you don't think of, but once you use them you realize how useful they are and feel annoyed when you cannot use them with other operating systems, but really, do you see Linux closer in the competition? I see them growing but their distribution and market share is low, and software producers are yet to show more interest in them, we will have to wait some time before having Linux as a close competitor to Microsoft.
    I believe that eventually there will be a big competitor for Microsoft's Windows, so let's start treating them just as an alternative in the market of the operating systems. So really, where do they stand? What is the advantage of Windows in the market, is their source code any better than that of Mac or Linux? Is it easier for programmers to program (obviously) for Windows? Are they just a kind of monopoly on top because they have the money, the distributors, and the advantage of being the first to make it big?

    I'm not against Microsoft I am just curious of the Market's situation, I wonder if Microsoft (Windows) would survive under a different market situation where options were more readily available to choose and use. I believe Google is already planning investing on their own operating system, no one knows what could happen...

  5. numerodix says:

    Martin, this (market share) isn't really what my argument is all about, but the answer to your question is very simple. Microsoft owns distribution. You have to work very hard to buy a computer without Windows (lord knows I've tried). Can you think of any other industry where you have a warped status quo like this?

  6. bubicarus says:

    just wanted to see my browser and OS show up.

  7. I tried, but I couldn't think of any other industry in a similar situation. What you say is, Microsoft is offering security on their products, which is not completely true and they can cover themselves by not distributing the source code (you paid for).
    Would you really consider alternative operating systems more secure?

    Wikipedia says in history of Microsoft Windows "Microsoft has taken two parallel routes... The dual routes have generally led to home versions having greater multimedia support and less functionality in networking and security, and professional versions having inferior multimedia support and better networking and security.[citation needed]" I'm not sure about the "greater multimedia support" and don't see Windows' multimedia support as an advantage for them, if "security" is Microsoft's ace, your article reveals Microsoft's Achilles' tendon.

  8. mozilla says:

    Yeah, no source no security, so we should go ahead and open source SAP, Quick books and every other piece of software that's ever built because all of them could be transmitting your data back to the vendor. Yeah?

    Oh and yes, when you open source you expose your security holes in the system. What that means is that hackers can download your source code and read it. Doesn’t that make hacking your system easier? Yeah, in the world where you live in the community will fix all your bugs and the world will be a happy place to live in, right?

    MS open sources a host of frameworks including the entire .NET framework and ASP.NET Ajax. With their OS they choose not to. There are thousands of other vendors which don’t open source their products.

    The way I see it, these are two distinctly different business models and the end consumer decides which one rules. Clearly in today’s world the verdict is in Microsoft’s favor. Try stepping out of your world to the world of an end user and try installing Ubuntu on a box and then sharing a document with a friend. You find it easy? Of course!

    Don’t get me wrong; I have nothing against open source but you seem to take a dogmatic view of the world and seem to come strongly on Microsoft which is disturbing.
    And by the way, there are multiple ways of finding out if your data is being sent back to the vendors by intercepting the packets being transmitted through port monitors. People who can read the source code and understand it can also use port monitors and see if their data is being transmitted.

    Oh and the only thing the “Windows Vista… A what’s that?” thing shows is lack of ignorance on the client’s side. I’m sure there are many more clients in this world that would go “Ubuntu…. What’s that?” than “Windows Vista… What’s that?”

    Suggestion: try and be pragmatic in your criticisms because if you’re not, posts quickly turn into rants. :)

  9. mozilla says:

    Yeah, no source no security, so we should go ahead and open source SAP, Quick books and every other piece of software that's ever built because all of them could be transmitting your data back to the vendor. Yeah?

    Oh and yes, when you open source you expose your security holes in the system. What that means is that hackers can download your source code and read it. Doesn’t that make hacking your system easier? Yeah, in the world where you live in the community will fix all your bugs and the world will be a happy place to live in, right?

    MS open sources a host of frameworks including the entire .NET framework and ASP.NET Ajax. With their OS they choose not to. There are thousands of other vendors which don’t open source their products.

    The way I see it, these are two distinctly different business models and the end consumer decides which one rules. Clearly in today’s world the verdict is in Microsoft’s favor. Try stepping out of your world to the world of an end user and try installing Ubuntu on a box and then sharing a document with a friend:). You find it easy? Of course!

    Don’t get me wrong; I have nothing against open source but you seem to take a dogmatic view of the world and seem to come strongly on Microsoft which is disturbing.

    And by the way, there are multiple ways of finding out if your data is being sent back to the vendors by intercepting the packets being transmitted through port monitors. People who can read the source code and understand it can also use port monitors to see if their data is being transmitted.

    Oh and the only thing the “Windows Vista… A what’s that?” thing shows is lack of ignorance on the client’s side. I’m sure there are many more clients in this world that would go “Ubuntu…. What’s that?” than “Windows Vista… What’s that?”

    Suggestion: try and be pragmatic in your criticisms because if you’re not, posts quickly turn into rants which don't contribute anything positive to the reader. :)

    If you’re going to do a post, may I suggest do one on objectively analyzing the security sub-systems of Vista and Ubuntu and present the pros and cons of both.

    Too busy to do that?

    Thought so. Rants are easy. Objective comparison, pragmatic thinking and constructive criticisms are hard.

  10. mozilla says:

    Yeah, no source no security, so we should go ahead and open source SAP, Quick books and every other piece of software that's ever built because all of them could be transmitting your data back to the vendor. Yeah?

    Oh and yes, when you open source you expose your security holes in the system. What that means is that hackers can download your source code and read it. Doesn’t that make hacking your system easier? Yeah, in the world where you live in the community will fix all your bugs and the world will be a happy place to live in, right?

    MS open sources a host of frameworks including the entire .NET framework and ASP.NET Ajax. With their OS they choose not to. There are thousands of other vendors which don’t open source their products.

    The way I see it, these are two distinctly different business models and the end consumer decides which one rules. Clearly in today’s world the verdict is in Microsoft’s favor. Try stepping out of your world to the world of an end user and try installing Ubuntu on a box and then sharing a document with a friend:). You find it easy? Of course!

    Don’t get me wrong; I have nothing against open source but you seem to take a dogmatic view of the world and seem to come strongly on Microsoft which is disturbing.

    And by the way, there are multiple ways of finding out if your data is being sent back to the vendors by intercepting the packets being transmitted through port monitors. People who can read the source code and understand it can also use port monitors to see if their data is being transmitted.

    Oh and the only thing the “Windows Vista… what’s that?” thing shows is lack of ignorance on the client’s side. I’m sure there are many more clients in this world that would go “Ubuntu…. What’s that?” than “Windows Vista… What’s that?”

    Suggestion: try and be pragmatic in your criticisms because if you’re not, posts quickly turn into rants which don't contribute anything positive to the reader. :)
    If you’re going to do a post, may I suggest do one on objectively analyzing the security sub-systems of Vista and Ubuntu and present the pros and cons of both.

    Too busy to do that? Thought so. Rants are easy. Objective comparisons, genuine research and constructive criticisms are hard.

  11. numerodix says:

    You make way too many points for me to answer, so I'll just stick to the point I made in my blog. Yes, we should open source SAP and everything else if we really care about security. Or at least the client should have the option to see the source code, which FYI already happens with Microsoft when they want to peddle their stuff to certain big companies and government institutions.

    But that is less important. Your baseline security comes from the operating system. A hardened, security aware OS is enough to enforce policies that will disallow undesirable behavior by any application. The important thing is that you can actually see for yourself what the operating system is doing. Since when are we on the honor system where we trust people on their word? That's ridiculous and contradicts every security principle in the book.

    Your argument that "hackers will read the source code" is complete nonsense. The principle is called "security by obscurity" and the very first security person will tell you that it's completely futile. It makes vulnerabilities harder to find, but it doesn't make your system secure. Which I think 15 years of Windows has proven beyond any doubt.

    And no, I'm not saying this about Microsoft only, I'm saying it as a general statement. It applies just the same to Apple and everyone else. But like I said, operating systems are most crucial.

  12. mozilla says:

    > And no, I’m not saying this about Microsoft only, I’m saying it as a general statement. It applies just the same to Apple and everyone else. But like I said, operating systems are most crucial.

    Trust me, I'm all for open-source too. But the whole "Vista... what's that?" thing sounded sarcastic and dogmatic, so I added a little bit of sarcasm too.

    The same fundamental principles of open-source which vest freedom in the hands of users should also make us developers mature enough to respect and give freedom of choice to vendors so that they can pick whichever model it is that they want to pick.

    My two cents.

  13. numerodix says:

    Who said anything about vendors' freedom of choice? That is neither here nor there. Mostly because it has absolutely nothing to do with the customer's security, which is the issue at stake here.

  14. pariah says:

    Well, you say that even though I can't read the source code, someone else can and security holes will be found and the company discredited. The same logic applies with MS software, I think. Even though I can't de-compile the software, someone else can and security issues will be found and the company discredited. Isn't this how all the viruses and malicious processes are developed, by smart people who de-compile the program?

  15. numerodix says:

    I don't think you understand how this works. Software cannot be decompiled to source code.

  16. pariah says:

    Sure it can although the source code is Assembly language. Some decompilers can go into higher level languages. Likewise the code itself is in machine language. I can't understand any of those but there are smart people who can. That is why every piece of software has a disclaimer about reverse engineering.

  17. numerodix says:

    Like I said, I don't think you understand. Assembly language is not the same thing as the original source language. It is still the same program, but the abstractions from the original code are gone. There is a reason why we work in high level languages and not assembly - it's not feasible. In other words it's magnitudes harder reasoning about assembly code from any kind of context (security, performance etc) than it is from the original source. Otherwise, why would there be an "open source" movement if all code is by definition decompilable?

  18. pariah says:

    Thanks.