The following text is copyright 2003 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

I expect it would get Bill's attention

 

By Scott Bradner

 

Here it goes again.  Microsoft made the front pages for yet another security bug, this time in their Passport authentication service.  What made this more than your average today's-bug story was the too-hyped observation that Microsoft could be assessed a fine of $11,000 per Passport account.  With 200 million or so Passport accounts, not a small number of which were created just to enable one or another Microsoft software product, the fine would amount to $2.2 trillion.  Even Bill would notice such a hit.  But the prospect of a significant reduction in the national debt is not the subject of this column; common sense is.

 

The idea of hitting Microsoft up-side the head with a fine of almost 8 times its market cap sort of reminds me of what a cab driver in Singapore told me about driver's education in that country.  He said that the fines for traffic violations were not high enough to get the attention of the rich folk so caning was more effective at sending a message.  No one could say that this fine would not get the attention of whatever remained of Microsoft.  But enough silliness; as CNN noted, "any fine would be significantly lower."

 

To put things in perspective, it has been said that Windows has somewhere between 30 and 50 million lines of code (depending on which random guess you believe) -- to only have a "bug-a-week" with a code base of that size is doing rather well.  But sometimes the bug is not one of bad code but of bad design instead, as seems to be the situation in this case. 

 

The press reports said that the person who found the problem did so with a few minutes of poking around after someone hacked his Passport account.  It seems that a feature designed to let a user recover from a forgotten password let someone other than the user take over the account and have access to whatever data the user had there.  After figuring out the design problem he said he tried to contact Microsoft a number of times and then, when he did not get any response, posted the information on the FullDisclosure security list on May 7th.  (http://lists.insecure.org/lists/fulldisclosure/2003/May/0093.html)  Microsoft blocked the exploit soon after.  The design bug seems to be one that a first-year security apprentice would have been demoted over.

 

The underlying problem here is not that Microsoft is not perfect, nor is it that Microsoft may not have responded to the warnings it received.  The underlying problem is that for Passport to play the core-of-the-world role that Microsoft wants it to play, Microsoft would have to be perfect and be able to respond before it received notice of a problem.  Remember, Microsoft wants this service to have important information about as many Internet users as it can.  Over 200 million already, many times that in Microsoft's dreams.

 

Common sense says that putting so much sensitive information in one place is a very, very bad idea.  It becomes a major target of attention and when (not if) compromised the damage can be great.  Hackers, spies or disgruntled employees: someone will get into the playpen every now and then.  What will be the damage the next time?

 

disclaimer:  Harvard's sense, by definition, is not common but the above observation is my own.