Skeptical Security

served with a side of Heavy Sarcasm

Tuesday, June 13, 2006

Trust - Does Microsoft Not Know the Definition?

I've been thinking about Microsoft Security and their Trustworthy Computing thingie and my conclusion is ... somebody over there doesn't get it! (Big surprise, eh?)

First, there is the thing where they use Trustworthy Computing and better Security almost interchangeably. STOP THAT! Trust is about your behavior well beyond the behavior of your software. I mean, which Vice Presidential Idiot authorized the High Priority deployment of beta code to everyone's production systems for the sole purpose of your fight against software piracy (aka "so MS makes more money")? Don't you understand that the lack of trust has WAY more to do with your monopolistic behavior than it does with the "blue screen of death"? I guess not.

Here's a thought: next time one of you has a big brainstorm like this, think "hey, what if my cable company did this to me? What if they deployed some beta software for stopping illegal cable taps that wasn't fully tested and ended up hosing my set-top box on the final night of American Idol?" Hmmm, people might not like that - what would be the trustworthy thing to do?

So, here is my two cents. Work on the security of your products, yes, but work on your behavior more.

Friday, May 26, 2006

Oracle CSO Mary Ann Davidson - Unbreakable Idiocy

CNET carries an article today called Oracle exec hits out at 'patch' mentality in which they cover the comments of Oracle Chief Security Officer (CSO) Mary Ann Davidson (henceforth referred to as MAD), who continues to rage against the security researchers that are throwing rocks at the Unbreakable Oracle glass house of security. There is additional coverage of MAD in Network World, covering the same conference, called Oracle's security chief lambastes faulty coding.

The thing I can't understand about MAD is how she can get up at conferences like this one (the WWW2006 conference in Edinburgh, Scotland) in front of thousands of people and spout tripe, contradict herself, all while reacting childishly. I am embarrassed on her behalf.

Let's review (from the CNET article):
The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said.

Wow, so MAD thinks the industry has reached a tipping point. With the Unbreakable Oracle database having hundreds of unfixed security issues that, according to researchers finding them, they can't seem to get fixed, and only 4 years after even Microsoft recognized they needed to do something more about security, Oracle recognizes a tipping point! Whew!

But if regulation is coming, the industry has only itself to blame, she said.
"Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."

That's incredible. After years of claiming victory, claiming to have an unbreakable system, MAD offers that if you don't want to be regulated, you have to do a better job. I'm confused: since they're doing a terrible job, does she mean she wants to be regulated? I don't see how else to interpret that.

(and finally, this childish little gem)

She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."

Backhanded compliment, or dig at the Litchfields and others for exposing so many flaws?

Let's review (from the Network World article):
Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?'," Davidson said.

W-w-WHAT?!? Hello! Well, that may be true, I can't seem to get another tune out of my head, from 2002. It's called Unbreakable: Oracle’s Commitment to Security by Mary Ann Davidson (small print, pg 15). I kind of feel sorry for her - she must have felt it her duty to defend the "idiocy". Let's see what MAD was saying in early 2002:

Most vendors would never dream of claiming they are Unbreakable, because they put minimal effort into securing their software and —by extension— their customer’s systems. They don’t care, and it shows. They don’t care, and it costs their customers in multiple ways:

  • increased “hacker insurance” premiums from running unsecurable software
  • billions of dollars in damages from viruses caused by neglect of basic security mechanisms
  • increased costs from applying patch after patch in a vain attempt to secure products for which security was an afterthought

Unbreakable is a commitment that Oracle gladly makes for multiple reasons:

  • importance of security. September 11 was a wake-up call for information security as much as physical security. The ultimate terrorist attack is one in which our critical infrastructure is brought down via a cyber attack by an unknown person from an unknown device in an unknown place.
  • business reputation. Oracle’s very first customers were among the most security-aware in the world. Twenty-five years after our founding, our core customer constituency still includes the most security-aware customers in the world. Our good name in security is our stock in trade, and ours to lose if we are not Unbreakable.
  • cost avoidance. The saying “pay now, or pay later” is especially applicable to security. It is far cheaper for our customers —and for us— that Oracle builds security correctly the first time, than to try to patch it after the fact.

Those who deride Unbreakable as a marketing gimmick should ask the question: why doesn’t every vendor commit to make their security Unbreakable?

Okay, good question, MAD. Now, this is just a guess, mind you, but just maybe, and I say maybe, companies avoid a public commitment on Unbreakable because ... THEY WOULD LOOK LIKE IDIOTS.

SecurityX - proudly serving up security skepticism with a side of sarcasm

Wednesday, March 15, 2006

What they're not saying.

Old joke, made new: When a vendor talks about the security of their product, how can you tell when they are lying?

Answer: When their mouth is moving.

That kind of sums it up. Oracle is unbreakable, Security is the number one priority at Microsoft, and any Linux-based system is SECURE! Ahem. Well, maybe not.

This blog is dedicated to telling the full story, and not just the approved talking points of the vendors. You want to get the facts? You want transparency? Don't look to the vendors, look to SecurityX to tell it like it is.