Microsoft Vista--use at your own risk

With Vista soon to be unleashed on us poor consumers (even my Mac needs Parallels) I thought I'd offer my thoughts on a talk on Vista Security, given by Michael Howard (the self-proclaimed God of code security at Microsoft) at the OWASP conference in Seattle back in September. His book has a good reputation and a place on my bookshelf (a dusty place--I fell asleep trying to read it) and he has a good reputation in the industry for knowing code security. It didn't make much sense, though, that he was speaking at OWASP, because Vista is not a Web Application server. His talk bore that out: he was on and on about low-level programming issues, not web application security. But it was about security and I guess OWASP was just happy to have him there.

Listening to him was a painful "return-to-Mormonism" hour for me. Working at Microsoft must be a lot like working for the LDS church. He never presented any external data about Vista or security issues in general, he went on and on about how silly and uneducated those "open source" idiots are, and how Microsoft is taking security seriously (he himself is exhibit A: look at how smart he is!).

In typical, "brainwashed-institution" fashion, he framed the debate in the way that only his side made any sense. Come to think of it, that was the advice my law school professor had for legal arguments... At least in Law, the other side can make their own case. No Apple/Linux/BSD representatives here...

Howard framed the debate like this:

Problem: Software development has security flaws. They are not discovered before launch because: 

1-Developers aren't security minded
2-QA people are stupid
3-There are no external people looking at the software
4-No tools can find them

Solution (as brilliantly worked out by himself):

1-We have smart security developers who review code ("look at me--I wrote books, sing with Homer Simpson: I am so smart, S M R T")
2-Microsoft has required annual security training for developers ("my book is part of the curriculum!")
3-We have crash files that report why systems crashed--we give those to our non-Microsoft beta users ("see, we have a 'user community'--just like Open Source!")
4-We have internally developed tools

Most of what he said was so painfully self-serving and contradictory I thought I was at a Mormon General Conference: 

--He tells the epic tale of how he found a security flaw in XP and, as our hero--the valiant security guy--he defended his requirement that some component be deactivated in the face of the evil corporate types who wanted him to surrender his principles to the God of Money. Eventually, he surrendered because the Evil Corporate Types pointed out that no one would use Windows if this component were not activated. Next, he tells a story of how security people are useless because all *they* do is criticize and tear down, but never offer solutions and build. Was it a coming of age tale where our hero learns that people only pay you to write code if other people can *use* that code? No, he was right both when he fought and when he caved.

--He says that having many eyes on your code helps find bugs (example: Microsoft uses consultants to review their code! Consultants are *never* beholden to their client). However, when he, in his brilliance, found one bug in an Apache 1.3 security patch, he reported it to the open source developer who wrote the patch. That developer got mad because a Microsoftie (himself) had found something. It offended his open source sensibilities. Those silly open source people.

Oh, and wasn't I smart because I found that Apache flaw?

--Tools are, according to him, all but useless. They can't solve "human" problems. Oh, but Microsoft uses SAL. A debugging tool.

--"'Browser' and 'secure' should never be used in the same sentence." Then he goes on to except IE7 from that list. It's the shit--no security bugs there! 

Besides the rampant internal contradictions, the general information about Vista is that they are fighting last year's fight. He went on and on about how he's comparing/evaluating Vista against XP and how much better Vista is. For example, Vista now has service-specific wrappers! Something that sounds familiar to the Unix world, but is lacking in Windows, until now! It doesn't actually bind services to interfaces, but hey--it's a start.

He then went on to show us a table about all the things that Vista does that Mac OS X doesn't (I don't think he saw how many glowing apples were in the audience, staring up at him). Not sure why he decided to pick on Mac (those "I'm a Mac/I'm a PC" ads had just come out...) but he did. It's a bit technical, but on three code security topics, he said this:

For images:

Mac doesn't have Section reordering (well, ok neither does Vista)
Mac doesn't have EXE randomization (well, neither does Vista)
But Vista does have DLL randomization! (which Mac doesn't have, because Mac doesn't use DLLs...)

On the stack:
Vista has Frame protection, exception protection, local variable protection, randomization, and it is non-executable.

Granted, those are nifty unless someone turns them off (read on...).

For the heap:
Vista offers metadata protection, randomization, and it is also non-executable

Mac... well not so much of any of those. Alas.

But then the finale! This just blew my mind. He talks about how Vista has all these things turned off by default, but that a program can turn them on! That Law School class taught me a few things about how lawyers think. This is a law-talking-guy thing to do. It provides Microsoft with plausible deniability! They are saying, in essence, "we turned everything off by default, so if it's insecure, it's because you turned the insecurity back on!"
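On Windows, a binary's opt-in to image randomization and non-executable memory is recorded as two bits in the `DllCharacteristics` field of its PE header, set by the linker options `/DYNAMICBASE` and `/NXCOMPAT`. The following is an added example, not code from the talk or from Microsoft, that reads those bits so you can audit which binaries actually opted in; the talk as described here does not name these flags, and the `sample_image` helper and file names are constructed for the demo.

```python
import struct

# Opt-in bits in the PE optional header's DllCharacteristics field.
DYNAMIC_BASE = 0x0040  # linker /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100     # linker /NXCOMPAT: image runs with non-executable data (DEP)


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 in both the PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def audit(image: bytes) -> dict:
    """Report which of the two opt-in mitigations the image asks for."""
    flags = dll_characteristics(image)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def sample_image(flags: int) -> bytes:
    """Constructed header-only sample (not a loadable binary) for the demo."""
    img = bytearray(0x40 + 4 + 20 + 72)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)  # PE32 magic
    struct.pack_into("<H", img, 0x40 + 24 + 70, flags)
    return bytes(img)


if __name__ == "__main__":
    for name, flags in [("legacy.dll", 0x0000), ("hardened.dll", 0x0140)]:
        print(name, audit(sample_image(flags)))
```

To audit a real file, pass `open(path, "rb").read()` to `audit`; a binary reporting `False` for either key never asked for that mitigation.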

So what exactly is the value of Windows now? It's no longer "easy to use" because you have to go in and enable things in order to allow your program to work. It's no longer "interoperable" because what works on my system may not work on yours because services are not enabled. And most of all--if you get hacked, it's not Microsoft's fault!

Vista--use at your own risk.



Some final, random notes:

Look--we have Blue Hat (a "hacker" conference)! Don't mention that it's invitation only.

"Non-Windows people are in denial about their own security issues"

"I wish other people would admit that they have security problems"
