LISTSERV mailing list manager LISTSERV 16.5

CSSA Archives

CSSA@LIST.UVM.EDU

CSSA September 2003
Subject: NYTimes.com Article: To Fix Software Flaws, Microsoft Invites Attack
From: [log in to unmask]
Reply-To: Computer Science Student Association <[log in to unmask]>
Date: Mon, 29 Sep 2003 21:35:12 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (305 lines)

This article from NYTimes.com
has been sent to you by [log in to unmask]


excellent article

[log in to unmask]


To Fix Software Flaws, Microsoft Invites Attack

September 29, 2003
By STEVE LOHR

Microsoft's Security Response Center in Redmond, Wash., is
the computing equivalent of a hospital emergency ward. When
a problem comes in the door the center's director, Kevin
Kean, and his staff must swiftly make an assessment: Is the
security weakness detected in a Microsoft software product
only minor? Or is it possibly so serious that, if exploited
by a vandal's malicious code (as happened last month with
the Blaster worm) it might crash computers and networks
around the world?

If the threat appears grave, the problem goes immediately
into the center's emergency operating room, where it is
attended to by a team of Microsoft engineers, working
nearly round-the-clock to analyze the flawed code,
anticipate paths of attack, devise a software patch to fix
the defect and alert millions of customers of the problem
and the patch.

"It's triage and emergency response - so it's a lot like an
E.R. ward in that sense," Mr. Kean observed last week.

The race to protect the computing patient has begun again.
On Sept. 10, after Mr. Kean's team completed another E.R.
mission, Microsoft issued an emergency warning of a
critical vulnerability in its Windows operating systems and
released a patch - its 39th so far this year. What
particularly worries computer professionals about the
warning is that the security hole in Windows is the same
kind of flaw, in the same feature of the operating system,
that was exploited in August by the notorious Blaster worm.
Those who monitor Internet crises know that once Microsoft
raises the alarm and releases a patch, a curious race
begins. Digital vandals - those who write worms, viruses
and other rogue programs - eagerly download the patch and
reverse-engineer, taking it apart to search for clues on
how to exploit the very Microsoft security hole the patch
was meant to cover.

Some portion of Microsoft customers, from corporations to
home PC users, takes the time to download the patch, but
most do not. Meanwhile, there is a scramble to write
malicious code and spread it across the Internet.

The Blaster worm was sighted on the Internet 25 days after
Microsoft warned of that security hole. The company issued
the latest warning 19 days ago. So if recent history is a
guide, Blaster 2 may be coming soon to a computer near you.
The brand-name worms and viruses of the last couple of
years - Blaster, SoBig, Slammer, Code Red, Nimda, ILoveYou
and others - are simply the most virulent representatives
of an alarming surge in attacks by malicious programmers.

The CERT Coordination Center at Carnegie Mellon University,
which monitors rogue computer programs, reported 76,404
attack incidents in the first half of this year,
approaching the total of 82,094 for all of last year. And
the 2002 incident count was nearly four times the total in
2000. If anything, the CERT statistics may understate the
problem, because the organization counts all related
attacks as a single incident. A worm or virus like Blaster
or SoBig, a self-replicating program that can infect
millions of computers, is but one event.

The security flaws Mr. Kean's team is scrambling to catch
and patch are part of the larger problem with software
today. The programs that people rely on for all manner of
tasks - from writing reports and sending e-mail, to
monitoring factory floors and managing electric power grids
- are becoming increasingly large, complex and, all but
inevitably, filled with bugs. The problem is magnified by
the fact that most computers are now linked to the
Internet, enabling programs to travel around the globe and
mingle with other programs in unforeseen ways.

Most software bugs are a result of small oversights by a
programmer. And most large software programs are
combinations of newer code and old code, accumulated over
time, almost as if in sedimentary layers. A programmer
working years ago could not have foreseen the additional
complexity and the interaction of software programs in the
Internet era. Yet much of that old code lives on, sometimes
causing unintended trouble.

Security holes, computer experts say, are a manifestation
of the fragile and often unreliable software foundation
that underlies today's economy. "These worms and virus
attacks are just the visible tip of a massive iceberg,"
said Peter G. Neumann, a computer scientist at SRI
International, a research firm.

The major rogue programs all exploit vulnerabilities in
Microsoft products, and Microsoft is the leading target of
criticism by computer security experts. Indeed, Microsoft
must shoulder a lot of the responsibility for the security
woes suffered by its customers, analysts say. But the
security weaknesses in Microsoft products, it seems, stem
mainly from the company's success as the leader of the PC
era of computing.

The PC business model has been to push products out the
door fast, add features constantly and market each product
version as a millennial event. Microsoft perfected the
model and attracted millions of customers. But security
experts note that the PC business model has not placed much
value on building secure, well-engineered software.

The other reason Microsoft is the white whale for most
digital vandals is that more than 90 percent of all desktop
PC's run on the Windows operating system software. And the
company's Office package of programs has more than 90
percent of the market for word processing, spreadsheet and
presentation software.

Other operating systems like Linux, Unix and Macintosh,
experts say, all have security vulnerabilities. "But they
don't get the attention and the attacks because, unlike
Microsoft, the other technologies are not deployed on 300
million computers," said Russ Cooper, a security expert at
TruSecure, a computer security company. "This is not just
Microsoft's problem."

The task of making software more reliable and secure will
not be quick or easy. But computer scientists and industry
analysts say that the goal is achievable, and that some
encouraging steps have been taken. Improvements, they note,
will depend largely on changing attitudes in the
marketplace so that software makers have a greater
incentive to invest in building better software.

"By and large, vendors build what people are willing to pay
for," said Edward Lazowska, a professor of computer science
at the University of Washington. "People have historically
been willing to pay for features - not reliability or
security."

There is evidence, though, that corporations and the
federal government are placing a greater emphasis on
obtaining secure software. Within the last two years, the
government has pushed security initiatives in its
technology policy, especially in the aftermath of the Sept.
11 terrorist attacks.

Recent moves by the government include placing greater
emphasis during the purchasing process on software design
and reliability standards like the Common Criteria and the
National Security Telecommunications and Information
Systems Security Policy No. 11, a Pentagon directive that
went into effect 14 months ago.

Such standards now apply mainly to the Department of
Defense and national security agencies, but Congress is
looking to extend similar standards to other federal
agencies. The federal government is the world's largest
buyer of information technology, spending nearly $60
billion a year.

"If the government made a serious commitment to buying
better software, it would change the industry," said Mary
Ann Davidson, chief security officer of Oracle, the big
database software company.

Two weeks ago, the House Subcommittee on Technology,
Information Policy, Intergovernmental Relations and the
Census, which is under the Committee on Government Reform,
held a hearing on the impact of the Pentagon's programs to
link procurement to tighter security standards for
software.

Representative Adam H. Putnam, the Florida Republican who
is chairman of the subcommittee, said he saw great promise
for adopting similar standards for civilian agencies. "The
government can leverage its purchasing power," he said,
"and can be a leader for the entire industry in setting
rules and standards of engineering behavior."

A decisive step toward changing market incentives would be
to expand product liability law to include software
products. So far, software companies have sidestepped
liability suits partly by selling customers licenses to use
their programs, not own them, with a lengthy list of
caveats and disclaimers.

The industry has resisted any suggestion that software
should be held legally liable for bugs. The industry's
argument is that software is a highly complex product,
which users tend to misuse or modify, so trying to assign
responsibility for a failure would be unfair to any single
company.

Whether the software industry can continue to operate
beyond the reach of product liability suits is uncertain.

A report last year by a panel of the National Academy of
Sciences, "Cybersecurity Today and Tomorrow: Pay Now or Pay
Later," included the recommendation that "policy makers
should consider legislative responses to the failure of
existing incentives to cause the market to respond
adequately to the security challenge."

Professor Lazowska, a member of the panel who at times has
advised Microsoft, explained, "You could draw an analogy to
auto safety, where a set of government actions has caused
automobiles to become far more safe over the course of the
past 35 years."

Technology is giving programmers tools to build more
reliable software. The Java programming language, created
at Sun Microsystems, and C#, developed later by Microsoft,
are technologies for creating "managed code," which sharply
limits the damage that can be done by errant lines of
programming. "You have to design it so that bad things
don't happen when programmers make mistakes," said William
Joy, the former chief scientist at Sun.

At Microsoft, much more time is now being set aside in the
design cycle of products for security considerations, a
mandate approved by senior management this spring. "There
is a shift from mainly an emphasis on working features to
an emphasis on trustworthy and secure computing," said
Steven B. Lipner, director of security engineering strategy
at Microsoft.

Some of the tougher security standards, Mr. Lipner said,
have shown measurable improvement in Windows Server 2003,
which shipped earlier this year. The number of security
vulnerabilities detected so far is half as many as at this
stage after the release of Windows Server 2000, Mr. Lipner
said.

Yet years of steady progress in the quality of software
engineering will be needed for big gains in security and
reliability to become apparent. And it starts with
education, noted Shawn Hernan, a security specialist at
CERT. He makes a game of seeing how quickly he can find
security vulnerabilities in the programming examples used
in college textbooks. It rarely takes him more than a few
minutes.

"The textbook examples are riddled with vulnerabilities,"
Mr. Hernan noted. "Computer science culture is based on,
build it, get it working and fix it later. We need a
culture change away from the cowboy and toward the
engineer."

Even as his E.R. team scrambles to patch Microsoft's
security holes, Mr. Kean agreed. "It's not just Microsoft,"
he said. "The world will commit itself to more secure
computing. There will be a cultural change."

http://www.nytimes.com/2003/09/29/technology/29SOFT.html?ex=1065885712&ei=1&en=32d0aaecd0cd8d8d

Copyright 2003 The New York Times Company
