Computer Security Weekly, September 6, 1999


For Labour Day we'll give you (and me) a bit of a rest from stories of the trials, tribulations, and loopholes of the security world, and I'll do a bit of editorializing instead. (Well, I do a bit of editorializing all the time anyway, but this one will be completely off the cuff.)

The big story from this past week gave us a respite from Microsoft bashing, and centred on the failure of Hotmail's security. Of course, there are many possible loopholes in Web-based email systems, but last week Hotmail seemed to be wide open. Indeed, because the failure emanated from the new Passport "single sign-on" system, a number of other sites may have been at risk as well.

Well, of course, this failure is associated with Microsoft. Microsoft owns Hotmail. Hotmail does not run on any variety of Windows. (When Microsoft bought the company, they tried to make the switch, only to find that Windows simply did not have the power and scalability needed to run the operation.) But Microsoft calls the shots nonetheless, and the Passport system is a case in point. Microsoft has always followed a course of functionality in software and systems, even if security has to suffer. And, in this latest instance, it put forth a trial function, with full connectivity to the main accounts, that seems to have had a security loophole the size of Brazil.

So, once again we have the battle between security and ease of use, and ease wins out. This is not news. It is depressingly familiar.

Is this Microsoft's fault? Well, that is the position that a lot of people take. After all, Microsoft regularly produces products not just with security vulnerabilities, but where a security weakness is almost an inherent part of the design. A few years back the security community was looking at the latest Microsoft offerings, and making low growling noises about the general quality of the goods. (The security community usually only makes low growling noises. If any of us had any personal courage, we wouldn't be in the security field.)

Microsoft's answer was quite interesting. Stripped of the positive spin that they put on it, the answer was that we were quite right, all of Microsoft's products were insecure. This was a deliberate choice by Microsoft. Microsoft followed the market, and the market didn't want security. In fact, said Microsoft, they could prove their position. Microsoft had made a fortune selling products that everyone knew were insecure. If the public had the slightest interest in security, the market would buy other available products with greater security. But Microsoft was the largest software company in the world, so, obviously, nobody cared about security. QED.

The copyright of the article Computer Security Weekly, September 6, 1999 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, September 6, 1999 in print or online must be granted by the author in writing.
