Before We Had MSRC

  • Article

Just ran into a post by Gene Schultz - https://blog.emagined.com/2009/07/21/trouble-brewing-in-the-cloud/ - I first ran into Gene when I worked back at ISS – interesting guy. I think we share some of the same concerns about the security of moving things into the cloud – in many ways, web apps are just harder to really secure for a lot of reasons.

He also said this:

For years Microsoft released products that were severely deficient from an information security point of view. This company orchestrated attacks against individuals who pointed out vulnerabilities in its products instead of making desperately needed changes in its software development process. Microsoft eventually made many of these changes, and now Microsoft product users enjoy a much higher level of at least out-of-the-box security in the products that they use then ever before.

I don't agree with most of this statement, excepting the last line. I do agree that we released a lot of products that had problems – I have written more than one book that largely is based on problems Michael Howard and I have seen in our apps, and other apps. However, I think that our ability to write secure code was about as good (or bad) as the rest of the industry at the time.

The part I take exception to is the statement that attacks were orchestrated. I've been working with NT security since 1993, and worked with it seriously since March 1996 when I joined a very small Internet Security Systems (ISS – now part of IBM). I've known many of the people who have worked with Windows security for quite a while, and I can't think of anyone who was ever attacked. My own experience is almost completely the opposite.

Chris Klaus, the founder of ISS, had the idea of starting the first NT security mailing list – ntsecurity@iss.net. I participated on it quite a bit, being the de-facto moderator. A couple of months later, I picked up the phone, and heard:

"Hi, I'm Jim Kelly. I work on NT security at Microsoft, and I've been watching your posts. We think you'll find things we ought to fix, and I just wanted to make sure you let us know first."

I went on to tell him that I thought there were some problems with TCP initial sequence numbers (I think it took us 3-4 tries to get it completely right), and there were a bunch of information leaks in the calls in the NetAPI32 library. For quite a while, I had no idea who I was really talking to – just Jim at Microsoft. I'd send him mail every time I stumbled on something, and it would just get fixed. Some things took a week or two, others took longer, but everything got fixed. When I knew there was a fix, I'd put a check in the Internet Scanner for the issue, and then I'd talk about it in public. Responsible disclosure didn't have a name yet, but that was the way we wanted to do things, and that suited me – more important to make things better than to be (in the immortal words of Frank Zappa) "Strictly Commercial". I have some thoughts on "Full Di$clo$ure" that I'll save for another day.

I was eventually the very first person to be publicly thanked by Microsoft for being responsible – I think it was a bunch of really bad registry key ACLs that I'd found. They put a link to the ISS web page, and our marketing department was pretty happy – the hits on the web site doubled. Doing the right thing paid off.

Some time later, I found out who Jim really was. I'd gone to a device driver training course, and they were talking about the core people who had come from DEC with Cutler – "…, and Jim Kelly, the architect of the security subsystem,…" My jaw nearly hit the floor. He retired not long after that, but he introduced me to a couple of people who are still here that I talked to until MSRC got started.

Over the 3 years I was at ISS, I found a lot of issues – there was a lot of low hanging fruit in those days. Every one of them got fixed, no exceptions. I never once had to twist any arms, never had to use the threat of full disclosure – things just got fixed. At worst, I might have to spend some time convincing someone it was a serious problem, but that's fair. People here wanted to do the right thing, and most of the other security people I knew at the time had the same experience. I won't name names, but not all of the companies we interacted with at ISS took the same approach – Microsoft was always one of the easier companies to work with for us. But that's just my experience.