[LINK] Code Red puts Microsoft in hot seat

[Bernard Robertson-Dunn]

Code Red puts Microsoft in hot seat 
By Dan Verton 
6 August, 2001 8:37
Washington, U.S.

It was a scene that would be familiar to officials at Bridgestone/Firestone
Inc. An executive from Microsoft watched as a government official told a
gathering of reporters that there was a serious problem with a Microsoft
product.

Ronald Dick, director of the U.S. Federal Bureau of Investigation's
National Infrastructure Protection Center, this week warned that the Code
Red computer worm was spreading rapidly across the Internet for the third
time in less than three weeks. It was taking advantage of a vulnerability
discovered in the Web server software that runs on Microsoft's popular
Windows 2000 and NT operating systems. The health of the Internet and
e-commerce was at stake, the government warned.

But unlike the case with faulty tires from Firestone, Microsoft's problem
wasn't life-threatening, and it didn't lead to a massive product recall.
Instead, it cost businesses around the world more than US$1 billion,
according to some estimates, and hundreds of man-hours to fix. That has led
some users and experts to argue that it's time to demand more secure
software from vendors.

"Do we have to wait until someone gets killed?" asked Jack Ring, owner of
Innovation Management, an IT consulting firm in Scottsdale, Ariz., in a
letter to Computerworld. "[It] must be nice to be a billionaire, but can it
feel good when the billion is what others are losing by using your
products?"

Because of the security issues associated with Microsoft software, "we are
looking at other technologies," said a chief technology officer at a
pharmaceutical supply company in the Northeast who requested anonymity.
"There are other Web servers out there. Microsoft's customers have to
demand better software."

Robert Odom, chief operating officer at AFAB International Inc., a security
equipment reseller in Fort Lauderdale, Fla., said that because of security
concerns, his company has completely removed Microsoft Outlook from its
systems and has removed "as much of [Internet Explorer] as we can."

Microsoft issued 100 security bulletins last year related to its software
and 42 so far this year, according to information on its Web site. Even so,
Steve Lipner, manager of Microsoft's Security Response Center and chief of
the Secure Windows Initiative, said the company undertakes a massive effort
to find security flaws in products "before they get out the door."

The centerpiece of the effort, said Lipner, is a program called Prefix. It
scans the entire code base of the Windows operating system and all Office
products for potential vulnerabilities. When one is found, Prefix
identifies the "offending coding practice that caused the vulnerability,"
he said. It's an effort that represents a "significant investment" across
the company and one that "absolutely has commitment from the top," Lipner
said.

That begs the question of how yet another flaw in Microsoft's Internet
Information Services software made it out the door.

"Security and software development are human endeavors where mistakes are
going to happen," Lipner said.

Yet there is concern because critical services such as the Federal Aviation
Administration, medical services and the electric power grid are
increasingly using commercial software. And the fear, based on the
Microsoft experience, is that some of this software could be unreliable and
full of security holes.

It's only a matter of time before consumers and businesses start to demand
more reliable and secure software, said Dave McCurdy, executive director of
the Internet Security Alliance in Arlington, Va. "When health and safety
concerns are raised, then there are going to be higher expectations of
accountability," he said.

"People have every right to expect reliable, secure software," said Jay
Nickson, a security trainer at Ronin Software Group in West Chesterfield,
N.H. He added that developers should be responsible if errors in their
software result in lost profits, lost hours or bodily harm. He even
suggested that it might be time for a "software users' bill of rights."

But Alan Paller, director of the SANS Institute, a security research
organization in Bethesda, Md., said that's a long shot. A routine check of
the terms of the agreement included with every shrink-wrapped package of
software from Microsoft and other developers would show that users "have no
rights at all," he said.

-- 
A man will fight harder for his interests than for his rights.
-- Napoleon Bonaparte

Regards
brd

Bernard Robertson-Dunn
Canberra Australia
brd@dynamite.com.au
brd@austarmetro.com.au