Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: Passport Security

by kwoff (Friar)
on Dec 14, 2001 at 23:50 UTC ( [id://132050]=note: print w/replies, xml ) Need Help??


in reply to Passport Security

It can be done, but I think Microsoft will never release "mission critical" code because it's not in their best interest.

Quote from the article:

It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software (it only took me about 30 minutes to come up with the basics of the example exploit, why didn't they notice the same issues?) or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security.

The reason Microsoft sucks is they have billions of dollars and still botch it. That quote tells why: their priority is making more billions, not security, not the interest of the user (aside from what's minimally required to keep them interested or FUDded). Why would they waste time designing (they're already late getting in the internet game) and debugging when they can be making money? Then they can sell upgrades, too, and claim it's some "new technology" or "experience". I think something like Passport is far too important to put in the hands of a company with a track record like Microsoft, and I don't apologize for them one bit.

Replies are listed 'Best First'.
What is the real problem here?
by tilly (Archbishop) on Dec 15, 2001 at 05:27 UTC
    You say that Microsoft is out to make more billions like it was a bad thing.

    Um, well of course Microsoft wants to make billions. They are a business. Businesses are about making money. Unless you want to throw out capitalism, this is going to continue to be the case.

    Were Microsoft taken out, would that improve things? I rather strongly doubt it. The problem isn't which company is currently top of the heap. Whether it is Microsoft, Sony, AOL, Oracle etc doesn't really matter. What matters is that companies which shortchange security are likely to make plenty more billions of dollars.

    Until that is solved, the specific advisories are just symptoms.

    Moving beyond that though, claims that Big Bad Evil Microsoft was negligent would be more reasonable if they made mistakes which were out of line with the current state of the art. Do they? Well they make mistakes that are out of line with what people who care about security think that we should expect. But they don't (that I see) make mistakes that are out of line with the norm among software developers. The ones at the Monastery included.

[reply]

      Yes, Microsoft has made mistakes, and that is not necessarily a damning statement. But what is awkward is the reasons for these mistakes.

      Microsoft has always looked to features/convenience as their #1 priority (unless you want to make "sounds good in marketspeak" to the list) and security has always been added as an afterthought.

      The exploit on the page in question was doable because of Microsoft's belief that your HTML doesn't have to be correct to be parseable. It sounds good in theory, but what if they added the same "feature" to perl. The monastery would be up in arms. I personally don't think that expecting HTML to not be littered with garbage tags is so unthinkable.

      Then you get into the "Security through Obscurity" practices, and I start to wonder, would you trust passport??

      Furthermore, from looking at the details of the previous exploit, it would seem that future attacks will need to target users from one particular site. (Since finding the merchant ID is crucial to spoofing the server.) So, if you are a passport enabled site and 10,000 users get their credit card details stolen, you run a good risk that MS will go with the old "It's the merchant's fault" defense. This could be devastating to any onlie merchant. (Look at egghead.com)

      I felt that the authors most insightful comment comes when he is discussing the "special hooks" used by Hotmail nee MS. If you are an early adopter of the passport service you help MS spread its influence by making it useful. Who knows if MS will use those special hooks to build a competing site.

      This also begs the question, How much will passport know about your on-line transactions?? I am not even as worried about what they will do with the user data, as much as their ability to profile sales for cooperating companies. If they decide to become a competitor at a later date....

      The fact that Microsoft is out to make billions is not the question, the question is how do they plan to make it.

      So the Microsoft engineers make the same mistakes as the monks?? I for one would hope that MS uses some of those billions to hire programmers with more experience in security and programming than myself. Where is the testing?? Why are we always paying to join Microsoft's public betas??

      The exploit on the page is related to a long standing Hotmail exploit, and passport just ups the prize for finding these exploits. Perhaps the new ThinkGeek T-shirt should be "I read your e-mail while using your credit card for phone sex."

      They have used fairly weak encryption (MD5) and left some sensitive data out in the open. I think even most of the monks here would think... "Hmm, I should probably not leave the UID out in the open." Again, testing should have revealed weaknesses like these.

      Finally, I would just like to harp on the changing nature of passport. From my own testing it appears that two passport servers do not behave the same way. Most likely due to the behind the scenes tweaking.

      Toss in poor documentation, poor logging and eror recovery, and being logged on to wallet without realizing it?? I could just keep going....

      Let's face it, if you had to in after this and "fix" this program, you'd cuss the developer for a year straight.

      And can I just add that I freakin' hate IE. I do webpages, and I have some IE compatible pages with PURPOSEFUL ERRORS in them, designed to combat some of the render problems. Drives me nuts.

      This message courtesy of Opera 6.0.

      HamNRye
      nothing4sale.org

[reply]
        Everything you say is true, insightful, and irrelevant.

        You have accurately described Microsoft's behaviour. You have raised issues of motivation which, based on past actions, I would say that any company should think long and hard about before following the vision that Microsoft is trying to impose on the world. But it really doesn't address the points that I was trying to get at.

        Sure, Microsoft has lots of good people. If security was their top priority then they should be able to do a far better job than they have done. But it isn't, and it isn't for basic business reasons. And those reasons are inherent in the current system, they would remain there no matter who was on top.

        There is a simple principle from which you can understand a lot of business behaviour. A well-run business will try to divide what they do into profit centers and cost centers. Given that the business wants to make money, it will then throw money and effort into the perceived profit centers, and aim with the cost centers to do the minimum it thinks it can get away with. And if it can, it will attempt to further minimize costs by shoving those costs off to other people. This is a simple pattern, but one which applies time and again to why companies act like they do.

        Now let's apply this to software. Which does security fall into, is it a profit center or a cost center? Well clearly it is a cost center. It costs money to get security right, but it is hard for people to tell how much you have so you don't get anything for it. Feature lists sell software. Security, no matter how much better it might make people's lives, doesn't.

        And so this means that software companies should shortchange security. They should try to do the minimum they think they can get away with. Given the choice between having to fix problems and hiding them under the carpet, they will likely hide them under the carpet. Furthermore you should expect to see companies try to make security someone else's problem where possible.

        How does this theory match with reality? Well pretty well. I need not recite a litany of complaints about companies (not just Microsoft) shortchanging security. The tendancy on the part of most companies to avoid fixing problems if they could is what lead to the full-disclosure movement, no surprises there. And as for making the problem someone else's problem, have you read the warranty disclaimers that are now standard with software? And have you looked at the kind of laws (eg the DMCA) which companies have been lobbying for?

        Security is a cost center. As long as that remains the case, programmers will be under pressure to cut corners and shortchange security. And this will continue to be the case unless and until there are lemon laws which make security so much a problem for software companies that they have to get serious about it. (And then how do you write said laws so that they don't hose open source software? There are some tricky questions here...)

        We can talk about Microsoft's anti-competitive behaviour some other time... :-)

[reply]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://132050]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (5)
As of 2024-04-24 21:03 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found