(continued from previous page)
Although those early IE flaws awakened Microsoft to the dangers posed by the scale of the Internet, it took several more waves of attacks to fully form the company's security strategy.
The arrival of Melissa, on July 23, 1999, knocked down one of the core pillars of Internet security at the time: by avoiding e-mail from unknown senders, one could avoid most attacks.
"They broke the trust between the user and his address book," Stathakopoulos said of the worm's authors.
Mass mailers like Melissa and I Love You were largely annoyances, though many companies had their e-mail systems overwhelmed by the sheer number of messages being sent by the viruses. But the threat became stronger as mass mailers started carrying payloads designed to attack, a period Stathakopoulos calls the era of "weaponized" vulnerabilities.
Two major attacks, Code Red and Nimda, hit in mid-2001, striking Microsoft's corporate customers hard and becoming a major headache for not only the security team, but also for the company's top brass.
In the wake of Code Red and Nimda, Gartner issued a report saying companies should "immediately" consider moving away from Microsoft's Internet Information Server product and over to rivals. That was another painful lesson, Cushman said. "Every single person on the IIS team took it personally that there was an outbreak." Cushman said the team felt the report was misreported, but it also led the unit to take new actions, such as bringing in Microsoft's top security experts to help train the members in writing better code, followed by a "bug bash" aimed at rooting out bad programming from the product.
In late 2001, Gates began drafting Microsoft's response, in what ultimately became his now infamous January 2002 Trustworthy Computing memo.
"When we face a choice between adding features and resolving security issues, we need to choose security," Gates wrote in his missive to employees. "Our products should emphasize security right out of the box."
But not everyone took the Microsoft chairman at his word.
"At the time I thought it was a PR initiative," said Adam Shostack, who was then working for Zero-Knowledge Systems in Montreal and is now a senior program manager at Microsoft, working on the company's secure development approach. Shostack said he changed his mind in the ensuing months as Microsoft followed up Gates' words with action.
Microsoft stopped virtually all Windows development work, and for a month all of its engineers focused on security-related work.
It wasn't a demonstration of rigorous coding practices nearly as much as it was a show of brute force designed to attack the problem at its source.
"It was 'take all the engineers and have them each go review code,'" Thomlinson said. "It was kind of the infancy of security engineering."
Even so, there was still a culture inside the company that attempted to play down the bugs to the outside world.
"We used to get the reports and say, 'That's not a security bug,'" Stathakopoulos said.
But when Nash was appointed to head up the security team in late 2001, he came in with a different approach: fess up and tell the world about potential security problems. "He said, 'No, you've got to be transparent (with the outside world),'" Stathakopoulos said, recalling that his team looked at Nash as if he were insane.
"People already think our products are bad, and if we start talking about those issues more and more, people will think we are horrible," Stathakopoulos said he argued at the time. But Nash persisted, arguing that the company might initially take some added lumps, but over time the company would come to be respected.
Looking beyond the software industry
In building Microsoft's security response apparatus, Microsoft had to look beyond the software industry. "No one had had to figure this out before us," Nash said. One of the companies that Microsoft used as a guide was chemical maker DuPont. While not an exact parallel, Microsoft studied how DuPont reacted to train derailments.
Among the lessons it learned was the fact that emergencies occur at all hours, so Microsoft needed to be staffed more often. "It wasn't quite banking hours, but it wasn't 24 by 7," Nash recalls of the system in place at the time.
Katie Moussouris, who worked for AtStake for a number of years before joining Microsoft, said she recalls a slow but noticeable shift in Microsoft's attitudes and practices.
"You could almost see the aircraft carrier turning," she said. "It took a lot of miles and a lot of time, but now it's got the power of the aircraft carrier behind it," said Moussouris, a security strategist for the Security Engineering and Communications Group.
While the effort would eventually pay dividends, it wasn't enough to head off the era of big worms that kicked off with Slammer in January 2003.
Stathakopoulos recalls getting a call at 3 a.m. from Symantec's Vincent Weafer, saying that a known bug in SQL Server had been exploited. A bit groggy as he answered the phone, Stathakopoulos recalls thinking that the company had patched the flaw months earlier and that there was nothing more that Microsoft could do. He headed back to bed. About 20 minutes later, he got a call from his boss, Nash. Stathakopoulos was told he had better do something.
Window Snyder remembers being in a meeting the next Saturday morning when Stathakopoulos pointed to her and motioned for her to leave the room. The two headed straight to another conference room--one full of people "with fire coming out of their ears."
Editors: Anne Dujmovic, Mike Ricciuti
Design: Andrew Ballagh
Production: Kendra Dodds
So - what happened? The base operating system has to allow for faulty "application" software in such an untrusted world as the Internet and that is exactly what the Intel architecture was designed to do from the start of the 286/386!
Finding and fixing/patching software bugs is NOT the only sign of true integrated security at all! A true secure system, based around well researched security design for the last 30 years or more, creates a properly layered architecture that can cope with faulty applications and middleware and even foreign device drivers. It does not put, for example, device drivers inside the critical access reference monitor/kernel structure for just a start.
This article should look more closely at the real security story. The background to Windows NT vs OS/2 and the RISC (DEC Alpha, MIPS 4400 processor situation vs Intel IA-32 design and the role of Microsoft), the underlying security design of Windows XP/Vista, the story behind the apparently largely aborted Microsoft "Palladium" or Next Generation Secure Computing Base (NGSCB) activity and its "NEXUS"/ Ring -0 design, the story of XENIX and so on.
What we need is in-depth, investigative reporting that does not confuse software quality concerns, the main Microsoft stance, with true robust computer systems security design such as NSA's Secure LINUX, the GEMSOS system, etc. coupled with underlying hardware resources such as Intel's segmentation and ring structures.
Love the whole waiting months for patches (on Tuesday) only to have a virus release on Wednesday.
Keep up the good work Microsoft.
Vista has been out over a year and has had NO MAJOR SECURITY RELATED ISSUES...even though Mr Jobs probably wished it did.
http://www.databasesecurity.com/dbsec/comparison.pdf
This is about the security patches between SQL Server and Oracle. This is amazing!!
I'll stick with my Mac, thank you. PC apologists can scream that it isn't secure all they like, but I still don't know any Mac users with virus problems. In fact, I still haven't heard of anyone infected with a documented virus, outside of a "security researcher's" office.
I know lots of PC users who have been and continue to be infected.
Every little single thing they do is BLOATED off the charts. No wonder the crap software they produce is not secure.
I wanted to use OneCare, I bought OneCare, I tried to use and like OneCare. OneCare nearly killed my machine. It became like a blue screen light show. So I dumped the Microsoft junk and got NOD32. Now we are talking REAL security.
Also every IT pro I know is not going to move to Vista. EVERYONE KNOWS beyond any doubt this bloated piece of crap is tech's biggest and most costly joke!
It is wake up time Microsoft. You make CRAPPY OS and are even worse at security.
Walt
Some people just amaze me
by xscottr February 15, 2008 4:44 PM PST
I have been using Microsoft products since the early 90s and I am way too familiar with the problems faced on the long road to security faced by Microsoft. However, no system or network is any more secure than the individuals assigned to install, configure and secure them. I have worked extensively on very critical Microsoft networks as well as Linux networks and networks running both Linux and Windows. The pure amount of engineering that goes into Microsoft products is phenomenal and while Linux designers and engineers are worth their weight in gold they lack two very important things in the IT world that are often overlooked: clarity and consistency. For the most part a Linux server is cheap to build, set up and, as far as network management is concerned, very reliable. However, when it comes to higher end functionality it is often the realm of some third party software designer who costs the company using Linux server about 40 to 50% more in time and money than it would had they gone a similar route with Windows 2003. This is not my opinion, this is reality. When it comes to security I will be the first to agree that there are vulnerabilities inherent in Windows, but I guarantee you that in a mission critical environment ALL Microsoft products can be secured without the loss of productivity. The bottom line is that this is not possible in a Linux, Novell or MAC environment, simply because they lack productivity features. So, quit confusing the security of these operating systems with the security of the network. Also, it is the work of companies like Adobe and Microsoft that are keeping the Mac afloat in the market, or are you all blind as well as ignorant? What productivity applications are there for Mac? I mean something used in the corporate world designed by Apple? Indeed, you got it, nothing!
Now as far as Linux and the open source community is concerned I have to hand it to the devs that put together OpenOffice; they really did a good job with that product and I was really impressed to find the ODBC, JDBC and OLE DB drivers available for SQL Server (yes, the Microsoft database).