Microsoft Cracked, Source Code Stolen
Is this the correct time to say "..I told you so."?
By John Holstein, Cotse Help Desk Coordinator
Not ten days ago I wrote an editorial on the consequences of not patching your operating system and web server software. In particular, I pointed out the security vulnerabilities within the infrastructure of Microsoft's own web servers. Today we learn of a break-in at Microsoft in which the source code of upcoming Microsoft products may have been stolen.
In this business, timing is everything. You must keep in tune with the latest security bugs. You must keep up with all operating system bugs. You must patch your systems accordingly. We hear this all the time, but do we adhere to the standards set forth by the consultants? How can business and industry take security seriously if the security consultants themselves do not keep up with the latest product updates? At the VERY LEAST you would assume that internal Microsoft policy would dictate that ALL system administrators and webmasters keep up with NTBugTraq, Microsoft Product Security bulletins and other security advisories.
Friends, this is a double-black-eye-broken-nose-busted-lip moment for Microsoft and its admins. Simply put, with the resources and educational opportunities available to the techs at Microsoft, there is no excuse for allowing this type of security compromise.
"Everyone is fallible." Sorry, but faults of this kind are intolerable for software giants. There is no excuse for this from the LARGEST software manufacturer in the world. As stated in the previous editorial, the rule of thumb is simple: a web server does not go online until the current patches are in place, and it is kept patched as new fixes are released.
From the reports that have come in over the weekend, Microsoft claims that no source code to any specific operating system was stolen. Even if the operating systems themselves are not in jeopardy, obtaining source code for IIS, BackOffice, Exchange or other exposed server products could make finding exploitable flaws and writing viruses a lot easier. Look for this slip-up to haunt Microsoft and its users in the near future.
With the vague decisions coming forth concerning cyber-related laws and regulations, can software producers be held responsible for future penetrations of client systems? In the most extreme circumstances, could software vendors be held liable for their inability to secure their own systems? In this case, could a judge later rule against Microsoft for allowing access to sensitive information if someone uses that information for future penetrations of a Microsoft customer's systems?
Is it the responsibility of a bank, online e-commerce site or department store to securely maintain its clients' credit card and other financial information? If the information is stolen, who is responsible for the outcome? Do they not carry insurance for such break-ins and thefts? What about cyber-crime? This scenario is far-fetched, to say the least, but not impossible to see occurring.
Security is for everyone, every day. Cracking WILL NOT stop. In order for clients to secure their own systems, the developers of the software need to set the standard and secure themselves before releasing "buggy" software for purchase by the consumer.
I have heard this time and time again from software manufacturers: "..we release this for review by the consumer and we will patch the product as troubles arise." The moment "troubles arise" is the EXACT moment that someone else, like a cracker, also finds the "trouble" and exploits it. If the software had been tested properly before release, this might not have occurred. But companies tend to release software early to give the public access to bigger and better "bells and whistles". Do we need the "bells and whistles" that fast? Should we compromise our security for the sake of saving an extra click here and there? I think not.
It's simple: software companies need to police themselves and, for God's sake, closed-source producers should slow the process down and stop releasing software to the public before it is ready.
Problems? Questions? Bugs? Email me.