Holey War
David Howard
Call Karl Wehden a professional hacker. As a valley software architect, he spends his workdays unapologetically cracking open various company networks via the Internet. He's not there to damage or steal, just to learn from others' mistakes. Wehden and his colleagues slipped through a hole in Monster.com's network, gaining access to its entire database of jobs and résumés. Afterward, they notified Monster.com of the backdoor hole—which existed, Wehden says, because the job-matching site uses Windows.
Microsoft's operating systems are dangerously vulnerable. And the more products Microsoft pushes into the market, the simpler they are to exploit.
All of which is why folks like Wehden could only snicker when Microsoft made much ado earlier this year about focusing on security. Chairman Bill Gates issued an edict to Microsoft Nation to make its products impervious to attack, and he assigned 7,000 programmers to spend the month of February learning how to tighten safety bolts. "We must lead the industry to a whole new level of trustworthiness in computing," Gates wrote in a widely leaked company memo. "Eventually, our software should be so fundamentally secure that customers never even worry about it."
The memo made a media splash, but nowhere is there more skepticism than among hackers, who have been largely responsible for exposing flaws in the company's products over the past decade. "Every time Microsoft talks about security, the security community sits back and waits for its claims to blow up in its face," says Neal O'Farrell, a former hacker who founded Hackademia, a security-consulting firm. "There's just no credibility. The hacker community is not going to let up on them. Microsoft is a real trophy for hackers."
'The Privilege of Being Raped'
To many, the Gates memo feels like a marketing gambit, offered in response to mounting criticism. Shortly before it was released, a Gartner report discouraged users from running Microsoft's IIS (Internet Information Server) Web server because of security flaws.
"Of course this is just spin," says Eric S. Raymond, editor of The New Hacker's Dictionary (MIT Press, 1996) and a self-described "observer-participant" in the Internet hacker culture. "Good security is not something you can bolt onto an operating system or application after the fact. It has to be designed in from the beginning. Otherwise you get something as riddled with gaps as Windows is now. It's not just that Microsoft's code is insecure—its design is insecure. It would have to scrap its legacy architecture and start over from scratch to have any chance of succeeding."
Redmond usually shrugs off the skeptics. "Microsoft understands that security is a journey, not a destination," says Steve Lipner, director of security assurance at the company. "Microsoft is committed to making its products and services as secure as possible at every step along the way on that journey. . . . Microsoft has developed many programs and services to create better software and keep customers secure—and will do more."
But Raymond is doubtful. "Even if it were possible to bolt on security after the fact, we'd be talking an immense effort here—years of work during which critical holes would remain and be constantly exploited by crackers of all description," he says. "Continuing to pay money to Microsoft for the privilege of being raped by this week's equivalent of Nimda or Code Red is just insane, especially with better and less expensive systems like Linux available."
Microsoft has long kept its development process under wraps, relying instead on patches after the flubs are discovered. And it has rarely been friendly to people like Georgi Guninski, a security consultant who has turned up several Microsoft defects. As a result, the software colossus has created what Wehden calls "a culture of dissent."
WINDOWS FIXES
windowsupdate.microsoft.com
www.ntbugtraq.com
www.annoyances.org
What should the company really do? Hackademia's O'Farrell suggests that the first step toward credibility is inviting outside security experts to review products before release. Microsoft says it already does that, having invited Foundstone to look over its .Net framework. But that obviously hasn't been enough, and O'Farrell says that one month of security training for programmers isn't sufficient either. "It'll work only if it happens every month," he says. "Unless they have the ideology of 'saturation security,' they're not going to fix their problems."
The proof of success will come only over a period of years—when and if Redmond can demonstrate that its products are impervious to break-ins and viruses, O'Farrell says. Even then, users shouldn't necessarily assume they're safe. Kevin Mitnick, a convicted hacker whom, as myth has it, the government once labeled "the most wanted computer criminal in U.S. history," suggests that not everyone who finds a flaw will trumpet it to the world and let Microsoft make a retroactive fix. "The more serious problem is people who find a hole and keep it to themselves," says Mitnick. "That's what I used to do. Back in my day, it wasn't about the prestige you got for finding a hole. It was what you could do with it."
Microsoft's Greatest Misses
Here's a brief list of Microsoft's security woes throughout the years.
February 1997 A hacker club in Germany blows up the Microsoft ActiveX security model used to protect online banking and other Internet applications, demonstrating a way to siphon money from home users' bank accounts.
May 2000 The ILOVEYOU virus contaminates an estimated 45 million computers in 20 countries, spreading through Microsoft Outlook address books. It racks up more than $6 billion in damage, forcing the U.S. Navy, the U.S. Senate, Ford Motor Company, and Microsoft to shut down all or part of their e-mail systems.
April 2001 A security firm discovers that Microsoft IIS (Internet Information Server) has a hole that lets anyone anywhere run code on the hosting Windows 2000 server with administrator privileges.
July and August 2001 Code Red worms infect more than 500,000 computers running Microsoft's IIS software on Windows NT or Windows 2000.
December 2001 Less than two months after Windows XP's release, Microsoft admits that a "critical" flaw exists in the system's Universal Plug and Play that would let hackers remotely gain control of a user's computer. Almost simultaneously, Microsoft issues a patch to close holes in Internet Explorer.
Copyright © 2002 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Ziff Davis Smart Business.