Microsoft: Flawed and loving it
October 28, 2000
Microsoft announced Friday that hackers infiltrated its computer networks and gained access to top-secret proprietary source code. The corporation first noticed the intrusion when its security discovered passwords being sent to an e-mail account in St. Petersburg, Russia.
Instead of a frontal assault, hackers employed a trojan horse called QAZ. According to the Wall Street Journal, the malicious mare disguised itself as Notepad and, once executed, installed a backdoor and notified a computer in Asia of its location while slowly replicating itself across Microsoft’s Intranet. Once it was installed, another program e-mailed employee passwords to an account in Russia. Under the guise of legitimate telecommuting employees, hackers accessed Microsoft’s internal network and the uncompiled source code of a future product.
The long-term ramifications of this intellectual property hijacking have yet to be fully realized, but if you’re a Microsoft sympathizer you shouldn’t lose sleep over this. Microsoft has enough legal clout to protect itself from harm.
If the stolen code was posted on the Internet, it sounds plausible enough that Linites or competing software houses could borrow liberally from the better parts and incorporate it into their kernels as they saw fit. Not so, because none of them are that stupid. If the perpetrator was an open-source developer, she would be barred for life from contributing to open-source projects. If the perpetrator was a corporation, Microsoft would sue them out of business and rightfully so. It’s wrong to pillage another company’s ideas. Not that most of Microsoft’s are that great or original to begin with.
The issue at stake here is Microsoft’s reputation in the Information Technology world. After all, if Microsoft can get hacked with a well-documented trojan horse, doesn’t that mean their software can’t be trusted? Well, not any more than before. Microsoft is considered a joke by IT professionals for its weak security standards. Since NT 4 hit the fan, however, Microsoft security has built a reputation among professionals as poor but fixable.
As long as your company had a strong firewall, tight proxies and you hired a Microsoft-certified systems administrator who diligently installed all the patches and service packs, read all the bulletin boards and subscribed to all the mailing lists, your Windows environment was relatively safe. Even if your Web site got defaced or Intranet got hacked after all those precautions, you could shrug it off and say, “it happens to everyone.” Never mind the main reason it happens to everyone is because everyone is running Microsoft.
The problem is that Microsoft makes it difficult for network administrators to lock their systems down. Conscious configuration defaults decided by the Micro-spawn in Redmond make the computers that run its software dangerously trusting of outsiders.
This is true of everything they make. Windows allows anonymous NetBIOS and registry access out of the box. Office has the authority to do all kinds of awful things. Its HTML interpreter is vulnerable to a buffer overflow that allows the execution of malicious code. Outlook is configured to automatically launch a deadly payload attached to an e-mail without a user ever opening it. Visual Basic Script should be renamed Visual Virus Script.
Countless bugs and vulnerabilities in Microsoft’s products are discovered all the time. If enough publicity is raised about one, Microsoft will patch it. If not, the company will ignore it. It makes software designed for end users, and as a result hangs security administrators out to dry. Microsoft can get away with this because IT professionals have little choice. If they chose more secure software, they would marginalize the very importance of their jobs. With Microsoft, they have strength in numbers. Like lemmings off a cliff. It’s an unfortunate decision, but no one was ever fired for choosing Windows.
Microsoft wields too much control over the software industry. It has so much power that it refuses to sacrifice any user friendliness for security, or even to offer security as an out-of-the-box configuration option. It doesn’t have to, either, because IT professionals will always purchase Windows and Office no matter how insecure or bug-ridden. Microsoft can’t possibly cost-justify making its software more secure, because it can’t sell more copies than it does now. So it does nothing. One might think getting hacked using deliberate vulnerabilities in its own software would humble the Goliath software firm, but trust me, it’s already forgotten.