Tuesday, January 02, 2007

Divining the Devilish: Factors affecting the future of Microsoft Vista

Having previously complained about a lack of "compare and contrast" coverage of Vista versus prior Microsoft operating systems, I feel I should weigh in with a little C&C of my own (with the caveat that this is a blog, not a white paper, so you won't be getting footnotes and fancy formatting—those cost extra).

We know that Vista will be attacked by hackers of all stripes. Only time will tell how well Vista resists attack. One thing to look for in the months to come is the emergence of any "class of vulnerabilities." These are not fragile students, but problems of similar type, for example, memory leaks or buffer overflows. You don't need to get too technical to spot this. Just watch for a Vista hack to be revealed and then patched, only to be followed by news of another hack via a minor variation on the previous technique. This would strongly suggest that code review has not been rigorous enough. and could well presage the sort of rolling patch situation we are in with XP and Office products. Painful as that patch situation is, the early emergence of evidence that Vista is going to be in the same boat will further discourage adoption.

And herein lies one of the variables that emerge from a C&C: rate of adoption. When Windows NT was first released it attracted very little attention from hackers (defined as people who like to pick things apart, for a range of reasons). They were heavy into UNIX back then because if you wanted to explore big and interesting networks, UNIX was the OS you would most likely encounter (if you wanted to do more than explore, the money was also in UNIX and/or mainframes). This created a false aura of security around NT. While UNIX hacks were being announced all the time, NT was relatively--albeit temporarily--unscathed.

But two things happened to change that. One was considered a success for Microsoft, growing adoption of NT in corporate America, as well as the government, the military, and colleges. The other was considered a success for the PC world: the widespread availability of cheap CD-ROM drives and CD-burners. No longer did you need a foot high stack of floppies to install or steal NT. Just a thin, slim, light and easy to conceal CD. Around the 1996-98 time frame you could buy a pirated NT CD for a couple of bucks in Hong Kong or get someone to burn you copy. I remember the first DefCon at which hackers started getting excited about NT. Part of that excitement came from the simple fact that NT was accessible. You could get at it in order to play with it.

So, two factors to consider for Vista are: ease of piracy and extent of adoption. Today we have much faster pipes down which to stuff pirated code and DVD-burners are standard equipment. The strength of Vista's copy protection will be a factor (one that is already under concerted attack). As to adoption. The very thing that Wall Street analysts are mumbling with foreboding--slower than hoped for Vista upgrading--could work to Microsoft's advantage. Several classes of hacking activity are all about the installed base (c.f. first Word macro virus of 1995 after Word doc format had become de facto standard).

But we must also contrast as well as compare, and the landscape of computer abuse today is much different from what it was a few years ago, most notably it is better-funded and more criminally-inclined. That will serve to negate the copy protection obstacles. Suppose you're a criminal who expects most banking systems to be Vista-based by oh-eight. Spending some serious money on cracking Vista in oh-seven might strike you as a good investment (and like they say, anyone who thinks organized crime doesn't make investments hasn't been to Vegas).

However, the most helpful history lesson at this juncture may well be that of "risk displacement" (also discussed here). Even if Vista holds up well in the face of concerted attacks and provides greater protection to users against some forms of information abuse, the level of effort expended to abuse information is unlikely to go down. Not to be flippant, but it is likely to go around. Improved technical controls typically lead to more concerted social engineering attacks (you put a password on the system, the attacker gets the user to reveal the password, and so on).

Just so we are clear, this is NOT the fault of Microsoft. This is the fault of human beings in general--flawed creatures that we are--and the failure of countries around the world to elicit better standards of behavior from their citizens. What would be wrong of Microsoft would be to foster the notion that Vista will somehow make the world a safer place for computing. With three "most secure yet" operating systems under its belt, and IT security spending at all time highs, Microsoft has to know that things are still not very safe out there.

No comments: