Thursday, September 29, 2005

...then Microsoft gets it all wrong

I'm really agitated that I can't post here more often than I do...but I try to ensure that when I do post, the info is meaningful.

While I earlier commended Microsoft - specifically, the Office product team - for getting it right, the remainder of Microsoft is still getting it all wrong.

A couple of months ago, we signed up for a new Microsoft licensing agreement covering our Office products. We opted for Software Assurance - which means whenever Office revs again, we'll get it for free. But Software Assurance also provides some very enticing benefits. In particular, the TechNet Concierge Chat was of interest to me. I would love for my HelpDesk to get an MS rep on-line when troubleshooting an Office issue for a customer.

I looked into getting us registered and signed up, and this is when the allegations against, and stereotypes of, Microsoft's security ineptitude took on a very real, very accurate pallor.

I learned that this benefit had in fact already been activated for us. Furthermore, an e-mail was sent to me with instructions on using it - an e-mail I never received, because it was sent from Microsoft's mail servers using my boss' e-mail address. That's right. The process Microsoft uses to notify customers of benefit activation involves purposefully sending masqueraded e-mail messages using its customers' own addresses - instead of a Microsoft-owned address.

Any e-mail admin worth their salt won't accept inbound mail that claims to come from their own domain unless it arrives from a sender they actually trust. We use Postini (you should too), which blocks incoming mail bearing one of our domain names as the sender if it doesn't originate from a trusted IP address. Microsoft's mail servers are not among our trusted addresses, for very obvious reasons.
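The check described above, as an added example written for this page rather than anything Postini or Microsoft ships: a gateway rule that accepts mail claiming one of our own domains only when the connecting IP is in that domain's published list of permitted senders (the same idea as an SPF ip4 policy), and that additionally flags a header From: in our domain when the envelope sender is not. The domains, IP addresses, policy record and messages are all constructed for the example.

```python
"""Inbound gateway policy: reject mail that masquerades as our own domain
from an IP we did not authorize. Every domain, IP and message below is
constructed for this example (not real infrastructure)."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy: our domains and the networks allowed to send as them,
# written in SPF TXT record syntax (only ip4 mechanisms and the 'all' default).
POLICIES = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
}


def parse_spf(record: str):
    """Return (permitted networks, default result) from a minimal spf1 record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    nets, default = [], "neutral"
    for tok in tokens[1:]:
        if tok.startswith("ip4:"):
            nets.append(ipaddress.ip_network(tok[4:], strict=False))
        elif tok == "-all":
            default = "fail"
        elif tok == "~all":
            default = "softfail"
        elif tok == "?all":
            default = "neutral"
        elif tok == "+all":
            default = "pass"
        else:
            raise ValueError(f"unsupported mechanism: {tok}")
    return nets, default


def check_sender(client_ip: str, mail_from: str) -> str:
    """SPF-style verdict for one SMTP session: 'pass', 'fail', 'softfail',
    'neutral', or 'none' when the envelope domain is not one we publish a policy for."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = POLICIES.get(domain)
    if record is None:
        return "none"
    nets, default = parse_spf(record)
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else default


def gateway_decision(client_ip: str, mail_from: str, raw_message: str) -> dict:
    """Accept or reject a message. Besides the envelope check, flag a header
    From: in one of our domains when the envelope sender is a foreign domain,
    because the header address is what the recipient actually sees."""
    msg = message_from_string(raw_message)
    _, hdr_from = parseaddr(msg.get("From", ""))
    hdr_domain = hdr_from.rsplit("@", 1)[-1].lower()
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    spf = check_sender(client_ip, mail_from)
    header_spoof = hdr_domain in POLICIES and hdr_domain != env_domain
    action = "reject" if (spf == "fail" or header_spoof) else "accept"
    return {"spf": spf, "header_from_spoofed": header_spoof, "action": action}


# Constructed sample messages: a benefit-activation notice sent "from" the
# customer's own administrator address, and the same notice sent from the
# vendor's own domain.
SPOOFED = """From: "Benefit Administrator" <boss@example.com>
To: helpdesk@example.com
Subject: Your Software Assurance benefit has been activated

Your TechNet Concierge Chat benefit is active. Log in with the credentials below.
"""

LEGIT = """From: "Vendor Licensing" <licensing@vendor.example>
To: helpdesk@example.com
Subject: Your Software Assurance benefit has been activated

Your TechNet Concierge Chat benefit is active.
"""

if __name__ == "__main__":
    # Vendor server 192.0.2.25 sends as boss@example.com: not in our policy, rejected.
    print(gateway_decision("192.0.2.25", "boss@example.com", SPOOFED))
    # Our own relay at 203.0.113.7 sends the same message: passes.
    print(gateway_decision("203.0.113.7", "boss@example.com", SPOOFED))
    # Vendor sends from its own domain, which we publish no policy for: accepted.
    print(gateway_decision("192.0.2.25", "licensing@vendor.example", LEGIT))
```

Only the first case is the one a vendor can fix: send the notice from an address in a domain the vendor controls, and the customer's gateway has nothing to block. Note the fourth possibility the block also handles: a foreign envelope sender with a header From: in our domain passes the envelope check ('none') but is still rejected as a header masquerade.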

Microsoft's licensing customer service reps know of this practice, but are powerless to do anything about it. What they will do, however, is verbally give you those credentials if they can speak to the person they believe is the benefit administrator. Very secure indeed.

It gets better.

Assuming you have your login information, you need to use the oft maligned Passport login service to access your benefits. Again, from a security standpoint, there are significant issues here.

First of all, I'm not Ma or Pa Kettle trying to get to my Hotmail account, or the 'Zone to play some stupid version of solitaire or gems or whatever. I'm a paying business customer. If my credentials are compromised, the attacker gets access to some better-than-average stuff.

Second, it's not as hard as one might believe for your Passport credentials to be obtained maliciously, because Microsoft trusts Windows and Internet Explorer cookies to remember your password more than it trusts you to manage it yourself. Interestingly, last I checked, no security patches had been released for my brain to keep me from blurting out my passwords if someone talked to me long enough.

Lastly, around two years ago, a security researcher proved he was smarter than the Redmond developers who wrote Passport: he found a flaw in the password-reset mechanism that let anyone take over an arbitrary account, which put effectively every account in Microsoft's Passport database at risk.

The original damage estimates were hyperbolic, but the episode further showed that Microsoft is not very good at security architecture. Even Windows Server 2003, which was redesigned with a strict security focus, is prone to attacks that also affect OS versions back to NT4 (the 2003 RPC/DCOM flaw exploited by the Blaster worm hit every release from NT4 through Server 2003). So much for the story of its having been 'completely re-written'.

Every other enterprise vendor's support and entitlement website requires simple user ID and password authentication. It's a model that is familiar to everyone. For some reason, Microsoft decided to overcomplicate it for the only customers that matter - the ones that pay for services.

To their credit, the people I've spoken to in my account team have taken my concerns very seriously, and are championing my cause within Microsoft in an effort to provide me some form of satisfactory resolution. I'll be sure to publicly commend them for anything they achieve in this regard.

In the meantime, I will remain ever skeptical of Microsoft's claims to be security-minded. The conservative IT manager will be well advised to do the same.
