If you could ask Microsoft's top gun in security anything you wanted to, what would you talk about?
I had that opportunity at the recent EnergizeIT conference in Toronto.
Andre Mintz used to be a police officer, but now he's director of trustworthy computing for Microsoft Corp.
He has, as he puts it, an office not far away from "some guy named Bill," and his beat is a lot bigger than the streets of Charleston, S.C., that he used to patrol.
Cyber bad guys can, and do, come from anywhere. Nevertheless, Mintz sees a lot of similarities between the two jobs.
In his keynote presentation, he showed what he called "public domain information" to support the claim that Microsoft's software is actually faring better from a security viewpoint than its competitors.
Vulnerability reports are increasing for all vendors, he said, but Microsoft had "significantly less" of them.
So, why doesn't it feel that way? The news is full of attacks on Microsoft systems, including their new Windows Vista.
"One thing I learned as a police officer is that the first one through the door gets whatever is coming," Mintz laughs.
He believes that Microsoft has a reputation for poor security "simply because of the footprint of our products."
Mintz says that many security holes that keep users awake at night are really a misuse of some fine features that we should all be enjoying.
He draws the analogy to a Polycom conference-call box: If a bunch of business people are having a peaceful meeting and one suddenly picks up the box and bludgeons another to death with it, "should the family be able to sue the designer of the phone for not designing in something to prevent that from happening?" Mintz even trots out the old chestnut that "guns don't kill people; people kill people."
Perhaps a more realistic analogy is that a lethally heavy and largely invisible Polycom box is hanging by a thread over the business conference.
It falls randomly, killing, say, every 10,000th person who walks under it. At least, that's the way many users feel when an obscure software "exploit" brings down their company's network or sends their confidential data out into cyberspace.
Mintz doesn't like that analogy one bit, but he does acknowledge that many Microsoft users have come to dread the second Tuesday of each month, the so-called Patch Tuesday when Microsoft releases fixes for critical security bugs.
Aside from having a bunch of corporate and home computers suddenly installing strange fixes, there's the uncertainty about what it's really doing. Sometimes things stop working after the patches. One recent Microsoft patch sent me scurrying for the original CD-ROM for Microsoft Office. Luckily, I had it.
Asked about the thriving marketplace for exploitable bugs in Microsoft products, Mintz says some companies actually sell and buy vulnerabilities and exploits. "It's unfortunate," he says. "Microsoft does not condone that nor do we participate in such activity."
So, they'll happily take bug reports for free but don't want to start a bidding war over this kind of information. They're probably right, because paying for exploitable bugs is like paying to free a hostage.
Then again, all this has led to the phenomenon of Exploit Wednesday. Criminals buy some evil knowledge, then use it the day after the patches are released, knowing that they have almost two weeks to do their dirty work on systems around the globe.
Quizzed about Microsoft's process to design security into software, Mintz talks about the company's famous final security review (FSR) process, and suggests that software designers sometimes leave meetings in tears when their pet project is scrapped or delayed for failing the FSR. Indeed, it is widely believed that the shipment of Windows Server 2003 was held up for security reasons.
Yet, Mintz acknowledges that the review work is generally done by the same people who built the software. There's lots of evidence that these may be the worst people to review the code, since they probably have lots of blind spots. What major company would forgo external auditors and let its own accountants go check the numbers again?
Even if you take Mintz's advice and run the latest Microsoft software, with all the latest patches, there's still a big gaping hole in your computer security. It's called people.
This was ably demonstrated by Kai Axford, another Microsoft security geek whose resume lists "weapons squad leader with the U.S. Army's elite 75th Ranger Regiment" as his previous position. Axford is fond of leaving USB sticks in the parking lots of major companies with intriguing labels such as Financial Projections, Salary Data or his favourite, Chicken Porn. "For some reason," he says, "100 per cent of the people who pick up that stick just have to put it in a computer."
More details about what might be on a USB stick in a parking lot came from Laura Chappell of the San Jose, Calif.-based Protocol Analysis Institute.
Chappell calls herself a "professional eavesdropper" and spoke recently at the Trilateral Security Conference in Calgary. It's a miracle she made it into the country, since she was carrying an array of hacker toys ranging from USB earrings to a three-way antenna that can eavesdrop on three wireless connections at once.
She has also done the experiment of dropping USB sticks in parking lots, and iPods too, because, hey, they're just big memory devices. "Every single one of the iPod nanos was connected to a system," she says. "People just had to find out what was on them."
If these memory devices were dropped by a bad guy, they might contain software like SwitchBlade or HackSaw. There are a lot of technicalities here, but what you need to know is that, as of last year, some USB sticks have the ability to automatically load and run programs when you insert them into a computer.
Again, it was supposed to be a nice little feature to allow us all to carry our digital lives around with us, but the bad guys grabbed it and things are going horribly wrong.
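The auto-run behaviour described above is controlled on Windows by a policy setting that administrators can check and turn off. The script below is an added example for this column, not code from Microsoft, Chappell or the tools named above; it assumes the well-known NoDriveTypeAutoRun policy value under HKLM and uses the documented bit mask (0x04 for removable drives, 0xFF for every drive type).

```powershell
# Added example (not from the column): audit and, if asked, set the Windows
# AutoRun policy so a plugged-in USB stick cannot launch a program on insertion.
# Assumes the documented NoDriveTypeAutoRun policy value; 0xFF disables
# AutoRun for every drive type, and bit 0x04 covers removable drives.
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName    = 'NoDriveTypeAutoRun'
$RemovableBit = 0x04   # removable drives: USB sticks, iPods in disk mode
$AllDrives    = 0xFF   # every drive type

function Get-AutoRunPolicy {
    # Returns the current policy mask, or $null when no policy has been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-RemovableAutoRunDisabled {
    # True only when the policy explicitly blocks AutoRun on removable drives.
    $value = Get-AutoRunPolicy
    if ($null -eq $value) { return $false }   # no policy: Windows defaults apply
    return (($value -band $RemovableBit) -ne 0)
}

function Set-AutoRunDisabled {
    # Hardening step: disable AutoRun for all drive types (needs an elevated prompt).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

# Report the current state.
$current = Get-AutoRunPolicy
if ($null -eq $current) { 'NoDriveTypeAutoRun is not set; Windows defaults apply' }
else { 'NoDriveTypeAutoRun = 0x{0:X2}' -f $current }

if (Test-RemovableAutoRunDisabled) { 'AutoRun is disabled for removable drives' }
else { 'AutoRun may still launch programs from removable drives; consider Set-AutoRunDisabled' }
```

Run the script as-is to audit a machine; call Set-AutoRunDisabled from an elevated prompt to enforce the setting. Later Windows updates restricted AutoRun on non-optical media by default, so the check matters most on systems of the era the column describes, but the policy value remains the place to confirm it.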
"I got a call on Monday from a customer who realized that they were missing $409,000 out of their business bank account," Chappell says. She and the FBI are working on the case and, "sure enough, from the files I've seen so far, we can see which one of the systems had been compromised, and we can see that system sending user names and passwords for the bank accounts to a site in China."
Law-enforcement officials roll their eyes when they hear that the information is going to a foreign country, because investigating international computer cases is often difficult and frustrating. Some countries don't try very hard to track down citizens who are bringing in foreign currency, even if it's not by legal means.
The best offence is a good defence. Chappell knows one company that went around putting glue into the USB ports of all its computers. Then it found out that was the only place to plug in a mouse. Oops.
The moral is that computer security is going to be an ongoing battle, with no end in sight, no matter how hard Microsoft and others might try.
Mintz and Chappell have the best kind of job security: a nasty, critically important business threat that just won't go away.
(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)