Bruce Schneier is founder and chief technology officer of
Internet security firm
Counterpane. He has written
two books on cryptography and computer security,
Secrets and Lies and
Applied Cryptography, and is an outspoken
critic of Microsoft and other software vendors that produce products that
contain dangerous security holes. We spoke with him about who is responsible
for software security flaws and what consumers can do about the growing
problem.
PCW: Are there more security holes in software, or are
we just getting better at finding them?
Schneier: Both. There are thousands and thousands of
security holes in software. We are better at finding them, but there are many
that we don't find. The problem is getting consistently worse. The basic reason
is complexity. Complexity is the enemy of security. As systems get more
complex, they get less secure.
PCW: Why don't software vendors devote more time to
testing products to find and fix security holes before delivering programs to
market?
Schneier: Because the marketplace doesn't reward
security. A company like Microsoft could spend an extra year developing the
next version of Windows--throw an extra 200 or 500 people at the program,
testing it for security problems--but then the software would be a year late
getting to market.
PCW: Microsoft says it did this with Windows 2000.
According to Scott Culp, program manager for Microsoft's Security Response
Center, the company held back the operating system for so long in order to fix security
bugs.
Schneier: They said [Windows 2000] would be more secure
than any other version to date. But there are more security holes in it than
any other version of Windows.
PCW: Why is it that hackers and security pros find
security holes that Microsoft doesn't seem to be able to find?
Schneier: It doesn't just happen to Microsoft. There are
thousands of people looking for security bugs, so they're bound to stumble upon
them. It might take days, weeks, months--there are just so many holes to find.
I'm sure the software companies do some testing and find some holes, but
they're not doing a lot. They'll tell you they'll do a lot, but they're
not.
There has to be a market incentive to provide security. Either you lose
sales, or you get sued. But there is no such product liability in software. If
Microsoft produces an insecure product and your data gets stolen, they are not
liable.
I think consumers should be livid about this. We would never stand for
this in a stepladder or an automobile or an aircraft, yet we stand for this in
software all the time.
PCW: Yes, but no one's going to get killed by...
Schneier: But people do get killed by software. It
doesn't happen often, but there have been deaths from software bugs in medical
devices. But usually you just read about Windows. Usually you just lose a lot
of money. There's been an enormous amount of money lost because computers have
failed. Where are the class-action suits against [companies like]
Microsoft?
PCW: But you've said that the more complex software
gets, the more it will have flaws.
Schneier: But there's a balance. The automobile
manufacturers have managed to strike this balance. We get new cars every year,
new features every year, yet there is liability. They're not going to give you
a feature that they know isn't safe, even though it would be fun to have. So
there is a balance, and that balance is struck over years through litigation,
through laws and policies. The problem with software is that you just get one
side--you just get features; you don't get reliability or safety or
security.
PCW: You talked about the fact that there is no forward
learning in software; the same problems seem to be creeping up over and over
again.
Schneier: Buffer overflows are the poster child of why
problems aren't getting better. They were discovered in the 1960s and were
first used to attack computers in the 1970s. The Morris worm in 1989 was a very
public use of an overflow, which at the time knocked out 10 percent of the
Internet--6000 computers. Here we are 40 years later, and buffer overflows are
the most common security problem. And that's an easy problem to fix. If you are
a software vendor, there is zero excuse for buffer overflows.
PCW: Is Microsoft good about fixing problems once
they're discovered in its products?
Schneier: They actually spend a lot more time paying lip
service to security and not doing security. When a security bug is [found in a
Microsoft products], they will deny it until it's made clear that it's
true.
PCW: Are you saying the Microsoft Security Response
Center is not responsive?
Schneier: If it's an easy fix, they'll fix it quickly
and announce how good they are. If it's a hard fix, they'll tell you it's not a
problem. That is, until they fix it, and then they'll tell you how good they
are. Unfortunately, Microsoft treats security problems as public relations
problems, and they'll do whatever they can do to get the most PR.
PCW: Is full disclosure beneficial or harmful to
security?
Schneier: The full-disclosure movement appeared because
companies were ignoring the problems with security holes or lying about them.
Security professionals and amateurs would find a security flaw, alert the
company, and the company would threaten them with a lawsuit and not fix the
problem. Or they would send the vulnerability to an organization like CERT [the
Computer Emergency Response Team at Carnegie Mellon University], which would
sit on it for five months.
So the full-disclosure movement was formed out of frustration. And by
God it works. If you told Microsoft there was a problem a bunch of years ago,
they would have told you to shut up. Nowadays they know they better fix it fast
because it's going to be in the newspaper next week.
In some ways full disclosure helps the bad guys, but it also helps the
good guys. So it's double-edged. I think if we said we're no longer going to do
full disclosure, the companies would go back to paying lip service and not care
about it. So you need it to keep the pressure on. Right now what the community
has settled on is alert the company, give them reasonable notice, and then
announce the vulnerability. And that seems to be working.
PCW: Many bug finders provide exploit code with their
vulnerability announcement. Why give a warning to users about a hole and at the
same time give hackers a tool to exploit it?
Schneier: Because, unfortunately, many companies say,
Well, that's a theoretical vulnerability but it doesn't actually work.
PCW: You could just send Microsoft the exploit to prove
the hole is not theoretical and not post it publicly where everyone can get
it.
Schneier: But then [the vendor] will lie. They'll say
they never received it or they tested it and it didn't work. You're assuming
that the companies are being honorable, and they're not.
I don't like the fact that vulnerabilities get in the hands of script
kiddies who exploit them. I would prefer if we could announce the
vulnerability, we wouldn't explain the details, the company would fix it, and
all would be good. But that's not always the way it happens.
