.comment: Leveraging Linux
November 14, 2001
There will probably be no .comment column the week after the first negligence suit is filed against a firm whose negligent action is the use of Microsoft software when they should have known better, with the result being a client's confidential documents having become public.
It is difficult to type when one is laughing oneself into a total thoracic muscle cramp. And I'm not sure I'll be able to get it out of my system in a week.
But seriously, folks . . .
I got to thinking about this when I learned that a law firm I know is about to embrace Outlook as its email client. One need have paid only very little attention over the last couple of years to know that if one wishes to keep a secret, one does not want it ever to pass through Outlook or to reside on a machine where Outlook is ever used. (The firm gets its IT services from an outside outfit, which typically means someone for whom it was an MCSE or the Army, and the Army said no. There are exceptions, but in my experience there is not a dimmer string of bulbs on the planet than that made up of MCSE certificants.) It will be no particular surprise to hear that confidential client documents have hitched a ride out of the firm on some SirCam variant.
Wonder if the crackerjacks hired by the law firm know to turn off, and if they do, how to turn off, IIS. If not, there's another little surprise that could give a cracker hours of amusement. (Microsoft is going into the game box business; for many persons of malicious intent, Microsoft has been in the game box business all along.)
Now we get news that there is a vulnerability in Internet Explorer which allows unauthorized persons either locally or elsewhere to mine confidential data from cookies. I've long railed against cookies, claiming that they are a monstrous potential security hole, and now Microsoft has removed the word "potential" from that claim. Microsoft claimed under oath that Internet Explorer is so crucial to its operating system that its operating system won't work without it. This means that the vulnerability is as hard-coded as it gets. (Microsoft says that the fix is to turn off scripting. This renders useless sites designed specifically for IE. Serves 'em right.)
And that's all before we get into the really juicy stuff.
It got some note last year, but it's worth revisiting the study, Cyber Threats and Information Security, released last December by the highly regarded Center for Strategic and International Studies. The study's authors -- and there isn't a lightweight among them -- noted that Microsoft's computers containing source code had been cracked, and said:
"There are several recent examples of how formerly industry-specific concerns have risen -- or have the potential to rise -- to the level of national security concerns. Perhaps the most recent example is the admission by Microsoft that hackers had broken into their systems and accessed next-generation Windows software that was not only unreleased, but not yet even announced. A profound concern to both private and public entities becomes whether or not any of these products will be trustworthy once they are released. It is doubtful that the millions (sometimes billions) of lines of code required to power Microsoft's products could readily be sanitized."
Let's see. What would, a year ago, have been referred to as "next-generation Windows software"? Why, it's XP! What CSIS is saying, without coming right out and saying it, is that there could be all sorts of back doors inserted into the XP code without anyone beyond the cracker, least of all Microsoft, knowing about it. What they're also saying, and this time they do come right out and say it, is that Microsoft's software is therefore a national security risk.
Now, there is a concept in the law called "due diligence," and what it means, basically, is the ability to prove that one knows all that he or she (or it, in the case of a firm) can reasonably be expected to know. It is required in many securities transactions, corporate reports, and the like. It can be offered as an affirmative defense in negligence suits.
And I think I have demonstrated above that it would not be a very effective defense in a case in which the negligent act came in entrusting confidential data to unsecure Microsoft software. But I repeat myself; the phrase "unsecure Microsoft software" is redundant.
When that lawsuit comes, the effects will be widespread and instant. Engineers call it the "pucker factor," and without getting too descriptive let me describe it as the phenomenon in which, because of fear, the chair tends to remain attached to its occupant even after the occupant stands up. There will be a mad scramble to eliminate exposure to liability resulting from the use of Microsoft products. At which point there is likely to be considerable job turnover in the IT industry.
Time to get ready.