Microsoft Threatens Bountii for Exposing Bing Cashback Flaw (bountii.com)
61 points by litzpa on Nov 7, 2009 | hide | past | favorite | 48 comments


Shouldn't the author have first contacted MS to let them know of the flaw, and made a post (and taken the credit) after they had fixed the flaw? That is what I have seen happen in the past when the DNS flaw was discovered and also recently when the Twitter XSS vulnerability was found.


This is considered standard. You only go public with a live exploit if the company shows no interest in fixing it. The author receives no sympathy from me on this.


Regardless of whether what the author did is deserving of sympathy, I think most of us can agree that the correct course of action is fixing the security bug rather than trying to cover it up. I mean, we all know how well that works.


On the other hand, the only way to force a company to react promptly is to publish the exploit.

In this case the exploit was apparently self-evident to nearly any technical mind -- I think that even I understood how simple and naive the bug was -- so you could safely assume that loads of fraudsters would've been milking the system while the bug report would slowly snake through the internal organs of Microsoft before eventually landing on some engineer's table.

It's only saddening that the first reaction is through legal department. Or did Microsoft say somewhere they fixed this already? Or take down the Bing Cashback until the issue is resolved?


This is the standard course of action for security professionals. Perhaps the author was just unaware of industry practices. To tell you the truth, I'm not sure what I would have done, and I even know about vendor disclosure. I probably wouldn't have given it much thought and just assumed that I missed something. Then maybe posted something to see what my flaw was. Then if I happened to be right I would have run afoul of vendor disclosure.

If you're not a pro, it's easy to lose track of best practices.


in retrospect, yes.


On the other hand, this is such a glaring security flaw that it's hard to have much sympathy for Microsoft (or Microsoft's infamous legal department), since this could cause significant problems for a merchant. The people deserve to know the truth. ;-) Thank you for making this public.


The original post can be found in this Google cache:

http://74.125.155.132/search?q=cache:3hxOgSPu460J:bountii.co...

If that doesn't work, the text has also mysteriously made its way into this EtherPad:

http://etherpad.com/0feqRE5pmE


For extra irony, the post is also available from Bing's cache:

http://cc.bingj.com/cache.aspx?d=4879267570255838&mkt=en...


KA-POW!

Feels like that episode of Family Guy (post-apocalypse) when the town destroys all weapons only to be destroyed by mutated Stewies.


Wow. Weird. You can drop a zero-day remote vulnerability in Vista and not get a C&D. The MSN people must be touchy.


Because here Microsoft loses money. A Vista remote vulnerability means Microsoft's customers lose money. :P


Microsoft loses a shit-ton of money on OS vulnerabilities.


Care to explain that?

Because their only important clients - those responsible for about 90% of their revenue (Acer, Lenovo, HP, IBM and Dell) - are still buying lots of licenses.


Think about how many people have to work, and for how long, on every OS fix Microsoft publishes, and you have a starting point.


Not to mention the inestimable harm done to their reputation, leading to some unknown number of lost sales. Presumably they have some support staff overhead too for enterprise customers.

Given the relative weights on MSFT's balance sheets of Windows vs Live Cash Back, I'd say any serious OS problem probably costs them orders of magnitude more than this.


Like I said, they have a dozen important Windows clients: Acer, Lenovo, HP, Dell, IBM and a couple others. As long as those are happy, MS execs are making their bonuses and everything is right.

As for a reputation... Well... There is a PHB graduated every minute.


But that's a fixed cost, not a variable one. They have to issue the fix, period. The poster's point was that MS does not lose money because of an OS vulnerability directly. Here, however, they do.


Hey ajross,

See my reply to axod: http://news.ycombinator.com/item?id=928267


I gather that's a high multiple of what was saved in quality assurance.

Sometimes, software QA is a gamble. You don't spend all the money you need to make 100% perfect software, expecting to pay for the correction of all bugs that are discovered and that cost you money in support calls, lost business and lawsuits. Mind you - most of the support calls are to their OEMs.


Last time I had to make a support call (HP about 9 years ago, needed an OS disk) it cost me 80p per minute. More bugs = more profit in that sort of regime. Don't know if this sort of thing is still the norm. That call took me 20 mins before they would just send me out the Windows install disk that should have been in the box when I bought the computer, £16!

I've called a few UK ISPs on behalf of friends when setting up their internet connections - 35p x 10mins to get a password reset.

Just doing a quick check now and Dell UK have "no fix no fee" for £19 minimum phone support. So OEMs probably like there to be some bugs in there ...


Microsoft spends huge on QA. Unusually so. Google "Microsoft QA ratio" for starters. That has nothing to do with security. QA doesn't find security bugs, because security bugs are different from normal bugs: they're only possible under subtle adversarial conditions.


It's not about how much you spend. It's the result you achieve.

It seems the architecture of Windows and its backward compatibility are a growing burden on Microsoft's shoulders.

The sad truth in software business is that you don't have to make your product robust enough to last forever, just long enough for you to pocket your bonus and retire.

I also have a problem with the idea that security bugs are not ordinary bugs. Bugs are parts of the program that don't do what should be done; be it crashing, corrupting data or handing over the keys to your kingdom, they are still bugs and should be detected and corrected.


"I have a problem with the idea that security bugs aren't ordinary bugs, [...] because they are still bugs and should be detected and corrected".

You just said absolutely nothing about security flaws OR QA. You want to try again? Because I think all you've got here is, "bugs should get fixed". Yeah, you got me there.


"Microsoft spends huge on QA" and "QA doesn't find security bugs" are things you said.

If their QA can't find security bugs, then, perhaps, they should rethink what software quality means to them. Remember: even if bugs cost them millions of dollars, they cost even more to their customers.


Ricardo, can you point me to the security flaws you've discovered and documented? I looked you up on LinkedIn, and you have a long resume in software development --- but no apparent experience whatsoever in software security.

Your claims about QA and security are so wildly outside my own experience and the general understanding of my field that I'm wondering where you get the confidence to make them so forcefully. I've never met a QA team anywhere that could reasonably be left responsible for testing software security.


I don't work with software security and have discovered absolutely no new security flaws. I have, however, experienced many and created some in the long career you refer to.

Still, none of the security problems I wrote into my code could be blamed on highly adversarial conditions - all of them were plain bugs, places I forgot to do something or when I trusted something one should never trust.

The fact you never met a QA team that could uncover security problems possibly stems from them not looking into the code itself and never having the responsibility of finding such problems. Validating compliance, correctness of observed behavior and even overall user experience is also called quality assurance, but it is, by no means, defining of the whole software quality concept.


As long as we're clear that by "them", I mean "a broad cross section of the whole industry, from embedded infrastructure code to 'web 2.0'", and you mean "the fictitious QA team that works the way I say QA teams do", then I think we agree.

Because I'm telling you that you're wrong about the relationship between QA and security in the real world.


I am deeply sorry you never met such a team. It's a most gratifying experience.


That's just saying Microsoft isn't efficient - they make lots of bugs, then have to fix them.

I doubt they lose much revenue from OS vulnerabilities.


Hey axod,

I joined the Windows Update team at Microsoft around two months ago. While I can't give exact figures, a standard non-SSIRP update costs Microsoft around 6 figures to code, test, and ship. October was our biggest release in history with something like 44 updates released (you can do the math).

Security incidents that are SSIRPs (effectively vulnerabilities that start actively being exploited, in particular with potential global impact) cost a lot more. Conficker.b was costing Microsoft over a million dollars a day for weeks in support calls alone.

Security flaws cost Microsoft a ton of money directly and through things like damaging their brand. They invested insane amounts of money improving security for Win 7, we'll see how it works out (as best as I can tell, it should be pretty effective).

disclaimer: this is my opinion, not my employer's


Sure, I appreciate it costs a lot to put things right.

"damaging their brand."

How can you damage Microsoft's brand any more than it already is? I don't think most people buying Microsoft buy it because of the brand. Which is why I don't think OS vulnerabilities particularly cost them in lost revenue.


You are, of course, wrong. Enterprises all over the world buy Microsoft for the security.

I'm not sure what that has to do with whether it costs Microsoft money to handle a Vista zero-day. It clearly does.


"Enterprises all over the world buy Microsoft for the security."

Like I said elsewhere, "Management by manager". It's when you put decisions in the hands of the least prepared to make them.


The people that buy into other platforms for "security" are misinformed, and I say this as an inveterate Mac user who ships software on Debian VMs.

A good acid test for whether someone is talking out their ass about security: they make smart-ass comments about Microsoft. It's getting harder and harder to find reputable security researchers who haven't done work for Microsoft.


Security is a more complex terrain than that Microsoft vs. Free Software space people keep insisting on dragging the discussion into. Dragging it into this place is a straw man.

A straw man compounded with your ad hominem is not up to the usual standards here.

It is possible for you to hire people to secure an open platform from the ground up. It is up to Microsoft to secure Windows from top to wherever they think the cost exceeds the benefit for them. That's a key difference - it doesn't matter how much effort you spend securing Windows, if you are not Microsoft, you can never be sure of the results until you find them out the hard way.

Yes. I do like Free Software and I use it extensively. I also use Sun, Oracle, IBM, SAP, PeopleSoft and, from time to time, even recommend MS SQL Server when it makes sense. It would, however, be insane to simply disregard Microsoft software's appalling security record or to oversimplify it as a Free vs Evil dichotomy. It's not.

It's just that Microsoft seems to spend more money promoting their wares than properly checking and securing them. Security seems to be grafted on instead of built into.

And, for the other argument, of security issues arising only from adversarial conditions and not bugs, that's simply incorrect. Software that's correct should not have holes like unchecked buffers that allow code injections. And it's not only Microsoft who's guilty here - just about every product I use seems to have fallen for this one at a given point in its history. Still, the fact others face it does not make Microsoft's products more secure. Like I said, it's a more complex issue than this false dichotomy.

As for more sophisticated attacks that rely on memory access patterns, memory protection mishandling, improper erasure and so on, well... If the processor is not, itself, correct, you can't really expect the software to cover all the holes - only the possible ones.


I read this comment 3 times, up and down, and I can't find an assertion about security in it that is (a) based in any kind of fact or (b) falsifiable in any way with any facts I can bring to the discussion.

Suffice it to say that I'm not a Microsoft "astro-turfer", and you're just flat out wrong --- and not only wrong, but actually making things up out of whole cloth. "More money promoting their wares than properly securing them". I'm surprised you feel comfortable making claims like that. In any case, I'm sure you'll never be convinced either way, so, enjoy the last word.


I can't remember accusing anyone specifically of being an astro-turfer. I only noticed a tendency of any comment critical of Microsoft having a more than average likelihood of being downvoted, something I already noticed years ago, when Digg was interesting. This topic seems to bring out a certain amount of passion in the audience, myself included.

There are two statements you can try to falsify: "It is possible for you to hire people to secure an open platform from the ground up" and "It is up to Microsoft to secure Windows from top to wherever they think the cost exceeds the benefit for them". As for the third, "Microsoft seems to spend more money promoting their wares than properly checking and securing them", it's an impression and, as such, subjective. The "seems" is there because they do spend a whole lot of money in promoting their software and the "properly" is there because it doesn't matter how much they spend, the results are still pitiful, as the mountain of spam in my inbox and the constant onslaught of botnets on my clients (no - my trade is software, but my code has passed more security audits than I can remember) demonstrate so eloquently. Their programs seem to be improving with every release, true, but there is still a long way until I would entrust my data to them.

But that's just my opinion.


>The people that buy into other platforms for "security" are misinformed

While I don't doubt what you say, isn't there something to be said about the fact that more attacks are targeted at Microsoft's platform than, say, OS X? While Vista may be more secure, isn't there still a higher chance of getting nailed by a security flaw in Vista than OS X purely because more people are attacking the former?


For my mom, yes. OS X is "safer" (though no more secure) than Win7.

For Bank of America, no way. As soon as Bank of America standardizes on OS X, we'll have Summer '03 all over again.


"Conficker.b was costing Microsoft over a million dollars a day for weeks in support calls alone"

It was not Conficker that cost Microsoft a million a day - it was the support to their customers that bought software that had uncorrected bugs that should have been detected earlier and that made Conficker possible. Shipping bugs costs a lot of money. Unless they cost more than getting rid of them, they are never corrected.

And if it did cost Microsoft a million a day, it cost a lot more to their customers.

It baffles me they are still customers.


What? You make a buggy software product, someone finds a way to exploit it automatically, and when your customers come calling asking for help to repair their systems, suddenly, you are not to be blamed? Not even a little? How so?

Let's move the example from software to aerospace.

Someone builds planes that, when an engine inhales a bird, explode, killing all passengers and crew. They do not know the problem exists and did as little testing as required by regulations. Knowing the problem, a kid decides to release pigeons in the path of the plane, creating a quite spectacular accident. Who will you blame? Just the kid, just the manufacturer or both?

Until executive bonuses get cut, you will see no improvement over there. Unfortunately, lots of bonuses get calculated on limited scopes and don't reflect the complete lifetime of a product. This way, it's easy to close sales, pocket huge bonuses right now, get promoted, and to let the support cost bomb explode in the hands of your successor while you capitalize on your success and head up the corporate ladder.

If you look at them closely, big corporations are rarely more intelligent than a sponge or a coral reef.


This is not just exposing a flaw, it's committing fraud. Frankly the author's lucky it's lawyers who are contacting him and not the police.

If someone started posting info on how to create valid but fake mail-in rebate vouchers, how long do you think they'd last?


The MS Cashback program is great. I don't think it's doing a thing to attract people to Bing but I've used it to buy several Macs at a nice discount off eBay. Thank you Microsoft.


That Samir guy is pretty shady :)

Seriously though guys, glad to see you're doing well. I hope the publicity nets you a traffic spike that results in more revenue than the $2k you could have kept.


hmm, it may have been worth milking this for as much publicity as possible


Kind of a dick move by Bountii.


Dick move indeed. He should have kept it to himself and friends and made as much as he could from them, or better yet hinted a few cronies to make the easy money as well. I'll bet he was trying a little altruism only to encounter the threat of a possible sentence. Bountii, if you discover a loophole again, email me, I'll pay you for the tip. viabyte at yahoo dot com

