• United States

I expect it would get Bill’s attention

May 19, 20033 mins
Access ControlMicrosoftNetworking

Here it goes again. Microsoft made the front pages recently for yet another security bug, this time in its Passport authentication service.

What made this more than your average today’s-bug story was the too-hyped observation that Microsoft could be assessed a fine of $11,000 per Passport account. With 200 million or so Passport accounts, not a small number of which were created just to enable one or another Microsoft software product, the fine would amount to $2.2 trillion. Even Bill would notice such a hit. But the prospect of a significant reduction in the national debt is not the subject of this column; common sense is.

The idea of hitting Microsoft upside the head with a fine of almost eight times its market cap reminds me of what a cab driver in Singapore told me about driver’s education there. He said the fines for traffic violations were not high enough to get the attention of rich folk, so caning was more effective at sending a message. No one could say this fine would not get the attention of whatever remained of Microsoft. But enough silliness – as CNN noted, “any fine would be significantly lower.”

To put things in perspective, it has been said that Windows has somewhere between 30 million and 50 million lines of code. To only have a bug a week with a code base of that size is doing rather well. But sometimes the bug is not one of bad code, but of bad design, as seems to be the situation in this latest case.

The press reports said the person who found the problem did so with a few minutes of poking around after someone hacked his Passport account. It seems that a feature designed to let a user recover from a forgotten password let someone other than the user take over the account and have access to whatever data was there. After figuring out the design problem, the bug discoverer said he tried to contact Microsoft a number of times. When he didn’t get any response, he posted the information on the FullDisclosure security list on May 7. Microsoft blocked the exploit soon after. The design bug seems to be one that a first-year security apprentice would have been demoted over.

The underlying problem is not that Microsoft isn’t perfect, nor is it that Microsoft might not have responded to warnings it received. The underlying problem is that for Passport to play the core-of-the-world role that Microsoft wants it to play, the company would have to be perfect and be able to respond before it received notice of a problem. Remember, Microsoft wants this service to have important information about as many Internet users as it can. More than 200 million already; many times that in Microsoft’s dreams.

Common sense says that putting so much sensitive information in one place is a very, very bad idea. It becomes a major target of attention and when (not if) compromised, the damage can be great. Hackers, spies or disgruntled employees, someone will get into the playpen every now and then. What will be the damage next time?

Disclaimer: Harvard’s sense, by definition, is not common. But the above observation is my own.

Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at