Friday, May 23, 2008

If Microsoft wrote a script for "Romeo and Juliet", everyone would die as soon as the ball scene starts

In this article dumbass security professionals from Microsoft write about the 10 Immutable Laws of Security. Actually, it is hard to call it an article: it's more like cheap propaganda aimed at convincing unhappy customers that it's not our (Microsoft's) fault that Microsoft Windows operating systems hold the leading position among compromised systems[1].

Take a look at this:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word "will" to "won't" in all of them. It could send rude emails to all your friends. It could install a virus. It could create a "back door" that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive.

BULL.SHIT. A program is just a set of instructions to execute. Write a program for a Turing machine that formats my hard drive. It will only do so if the Turing machine emulator lets it perform such a trick, or if there is an error in the emulator that lets the program modify the code of the emulator itself (and do the formatting through it).
In both cases it is the fault of those who wrote the emulator, not a consequence of "the way computers work", as Microsoft frames it.
You will say operating systems don't interpret programs the way a Turing machine emulator does; they let them run directly on the hardware. That's exactly why hardware manufacturers have given you protection rings and supervisor mode, and still you can't use them right. Say "yes, we are lousy programmers" instead of "that's the way computers work"; at least it would be honest.
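To make this concrete, here is a toy sandboxed VM, added to this post as an illustration (it is not from the original text and has nothing to do with Microsoft's article). The instruction set, the memory layout, the addresses and the FORMAT operation are all made up for the example. A guest program that simply asks for the privileged FORMAT is refused, because the emulator consults its own flag word and not the guest's wishes. The same guest gets its way only when the emulator's STORE bounds check is buggy: it tests the upper bound and forgets the lower one, so a negative guest address lands on the emulator's own status word at physical address 0. That is the "error in the emulator" case from the paragraph above, reduced to one missing comparison.

```python
"""Toy sandboxed VM: a guest program can only do what the emulator lets it do.

Constructed for illustration; the instruction set, memory layout and the
FORMAT operation are made up and do not model any real machine.
"""
from dataclasses import dataclass

# One word per opcode; PUSH is followed by an immediate operand.
PUSH, STORE, FORMAT, HALT = 1, 2, 3, 4

MEM_SIZE = 16
STATUS = 0      # the emulator keeps its own flag word here (bit 0 = privileged)
CODE_BASE = 1   # guest code is loaded at physical addresses 1..7
DATA_BASE = 8   # guest data address a maps to physical address DATA_BASE + a


class SandboxViolation(Exception):
    """The guest asked for something the emulator does not permit."""


@dataclass
class Host:
    """The 'real' machine the emulator is protecting."""
    disk_formatted: bool = False


def run(program, host, check_lower_bound=True):
    """Execute a guest program against `host`.

    With check_lower_bound=True the STORE bounds check is complete and the
    guest can never write outside its data window.  With it False the check
    has the classic bug of testing only the upper bound, so a negative guest
    address reaches the emulator's own status word at physical address 0.
    """
    if len(program) > DATA_BASE - CODE_BASE:
        raise ValueError("program does not fit in the code region")
    mem = [0] * MEM_SIZE
    mem[CODE_BASE:CODE_BASE + len(program)] = program
    stack = []
    pc = CODE_BASE
    while True:
        op = mem[pc]
        pc += 1
        if op == PUSH:
            stack.append(mem[pc])
            pc += 1
        elif op == STORE:
            addr = stack.pop()          # guest-relative data address
            value = stack.pop()
            in_bounds = addr < MEM_SIZE - DATA_BASE
            if check_lower_bound:
                in_bounds = in_bounds and addr >= 0
            if not in_bounds:
                raise SandboxViolation(f"store to guest address {addr} is out of bounds")
            mem[DATA_BASE + addr] = value
        elif op == FORMAT:
            # Privileged operation: the emulator checks its own flag, which the
            # host operator never set.  The guest has no legitimate way to set it.
            if not (mem[STATUS] & 1):
                raise SandboxViolation("FORMAT needs a privilege the host never granted")
            host.disk_formatted = True
        elif op == HALT:
            return host
        else:
            raise SandboxViolation(f"illegal opcode {op}")


# Guest programs (constructed for the example).
NAIVE = [FORMAT, HALT]                                      # just asks nicely
BENIGN = [PUSH, 7, PUSH, 0, STORE, HALT]                    # writes 7 into its own data
HOSTILE = [PUSH, 1, PUSH, -DATA_BASE, STORE, FORMAT, HALT]  # flips the emulator's flag first


def outcome(program, check_lower_bound=True):
    """Run a program on a fresh host and summarise what happened."""
    host = Host()
    try:
        run(program, host, check_lower_bound)
    except SandboxViolation as exc:
        return f"refused: {exc}"
    return "formatted" if host.disk_formatted else "ran harmlessly"


if __name__ == "__main__":
    print("naive, strict emulator:  ", outcome(NAIVE))
    print("benign, strict emulator: ", outcome(BENIGN))
    print("hostile, strict emulator:", outcome(HOSTILE))
    print("hostile, buggy emulator: ", outcome(HOSTILE, check_lower_bound=False))
```

Run it and the strict emulator refuses both the naive and the hostile guest while letting the benign one finish; only the buggy emulator formats the disk for the hostile guest. Nothing about the guest changed between the two runs. What changed is one comparison in the emulator, which is the point: the damage a program can do is a property of the thing executing it, not of computation.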

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them.

Are you on drugs? Show me at least one of these many websites that those many people operate. I'm really eager to run some of my programs there, but the problem is that the Google query "website that allows me to run executable files" returns 0 results.

Law #5: Weak passwords trump strong security

Strong security systems don't use passwords, dumbasses. Or are you claiming that your lousy login manager is a "strong security"?

Law #6: A computer is only as secure as the administrator is trustworthy

... For instance, store audit data on write-only media

What the fuck is write-only media? Who needs media you can only write to? You should be able to READ from that media as well; otherwise the data you have written to that "write-only media" is as good as erased from the very beginning[2].

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Does this mean that privacy on the Web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life—through your behavior. Read the privacy statements on the websites you visit, and only do business with ones whose practices you agree with.

This is the advice of the century.
Free tip on how to make money: enter your credit card details on every suspicious website you see, and once one of these websites disappears the next day (together with your bank account balance), sue Microsoft for twice the amount for telling you to do business with sites whose privacy statements you agree with.

Great article, Microsoft. Keep it up, and I will finally decide against installing a virtual Windows XP machine just to run some games I feel nostalgic about.

  1. Yeah, I know that it is because there are simply more Windows systems around, which raises the total number of compromised Windows systems. In targeted attacks, Macs still fall first.
  2. I'm fooling around with this one. My comment on this rule doesn't refer to Microsoft security issues; it refers to the dumbass who wrote the article. I will be kind today and give you the right term: non-rewritable. Write-only is a term for a failed memory device, and so is your tech writing career.
