Listening to Steve Gibson’s feedback today on the Security Now podcast #934 made me realise that both companies knew about the vulnerabilities but were extremely lax about doing anything (probably both trusting in their security by obscurity). Both also put government data and communications at risk globally.
It’s yet again a lesson on two fronts:
1. Obscurity is no good defence against, especially, state level actors. The same goes for proprietary encryption algorithms. You actually require transparency and interrogation around what is used, and re-inventing the wheel yourself is risky. The same goes for security backdoors, as they’re going to become known at some point.
2. There needs to be some legislative requirement for companies to urgently declare vulnerabilities, and to patch them. In both the cases here, months went by without any action.
Maybe both these companies are just too big, but it also goes to show that bigger, or more secretive, is just not better. I suppose both don’t want to risk their global government business, but this could actually have put lives at risk.
Security through obscurity is no reliable strategy, and should again be a warning against those who think it is fine to have a security backdoor just for governments to use. It’s a bad idea. You either have security, or you don’t. There is no such thing as 80% secure.
The Microsoft case is highly embarrassing, and it is no wonder that the US is going to try to investigate it. All the noise about Huawei, and the real problems were right in the US’s own backyard, committed by US companies. All products need the same levels of scrutiny, no matter what country they belong to. Intention and negligence can often amount to the identical consequences.
With both these vendors now, we’ve also seen their technology being pedalled to non-allies of the US, so that the vulnerabilities could be exploited. It’s also a lesson to other governments to be very careful about what promises are made, and to remember even your ‘allies’ are not your friends. It is no wonder that the BRICS countries all wanted to implement their own operating systems for use across their governments (mostly self-compiled and localised Linux distros). Now we know why…
And of course, with some of Microsoft’s products, once used, it may not be easy to actually switch to someone else (which is, in itself, possibly part of the problem on both sides). How does the US government actually carry through any threat not to use Microsoft? The cost, and time, to move off Huawei network hardware would pale into insignificance.
This is why security standards, interoperability standards, etc just cannot be compromised on. The standards need to be enforced no matter who the vendor is. I have myself seen standards being bent, where it is better just to say you won’t procure the product in the name of ‘modernisation’.