Challenging the Immutable Laws Of Security

By Larry Seltzer  |  Posted 2008-10-07 Print this article Print

Have the facts behind the basic maxims of computer security changed in the last eight years? In fact, there has been progress, but the rules generally have stood the test of time.

One of the great, classic articles of computer security comes from Microsoft in an era when security was not their strong suit. The article "10 Immutable Laws of Security" by Scott Culp relates rules which ring as true today as they did in 2000 when the article was written-or do they?

Now Jesper M. Johansson, a Microsoft MVP and Ph.D in MIS has begun a series of articles re-examining the laws. The first in the series looks at laws 1 through 3. They're all important laws, but in the eight years since they were formulated have things changed to make them less true?

The first law is something you hear all the time from every reputable source: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. Once you let someone execute code on your system there are ways for them to take control of it. What has happened in this regard since 2000? Johansson points out that in 2000 the mainstream operating systems, Windows 98 and NT 4.0, were certainly under the thumb of this law. The 9x generation of Windows didn't have any way to prevent others from running code on your system.

NT had a basic model of privileges so in theory you might be able to prevent malicious code from running or mitigate its effects. But as a practical matter, it didn't work very well and the system was so full of holes that it couldn't be effectively secured. As Johansson says, anyone who wanted to get work done in NT4 ran it as Administrator, which means that any malicious code did as well. That year Windows 2000 was released, improving the situation, but by less than it seemed at the time.

Windows Vista and Windows Server 2008, the current shipping versions, are clearly far more secure products than those of eight years ago. Does that mean that Law No. 1 is no more? No way. But things are different. Johansson notes IE Protected Mode as one of several "security boundaries" that did not exist eight years ago, but doesn't go very far with it. I think IE Protected Mode really does represent a meaningful dent in the first law, although I hope nobody thinks I'm saying that Vista is now bulletproof. And in spite of IE Protected Mode there have been vulnerabilities in IE7 on Vista that Microsoft said could result in remote code execution. But clearly it has also effectively sandboxed many attacks; they may get to run through IE, but they can't do much of value to an attacker.

And it's not just Windows; anti-virus protection in 2000 was many generations behind where it is now, where top-notch protection includes a host-intrusion prevention system, software which monitors running processes for activity which appears malicious. These systems are not perfect, but clearly they do stop some attacks. Once again, a dent in law No. 1, but you're still best served by assuming the law stands because you can't rely on the protection.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel