Is Microsoft Update a national security threat?

Posted in Security at 5:49 am by mike

I wrote this 2.5 years ago:   Now see this: Slashdot: Flame Malware Hijacks Windows Update


So when I heard Obama’s Cyber Security speech last month, I really didn’t think much of it.    It seemed to me that all this was obvious to the NSA and that computer technology is a more liberally acceptable trough for the government to be dumping money into vs. more conventional defense programs.   Furthermore, my employer directly benefits from more attention to cyber security issues which certainly helps me, so who am I to complain?

A few weeks later, while testing my sound system with the Die Hard DVD, a very interesting and somewhat scary thought crossed my mind. Microsoft Windows is installed on over 1 billion machines (as of 2007). Some very large percentage of those are running Windows Update. Even among people like me who don’t usually run with the auto-install option (I don’t like my machine rebooting without my knowledge), most blindly install the updates once the popup appears in the task bar. Now unlike Bruce Schneier, I don’t lose any sleep over the ridiculous assertion that someone is going to crack the digital signature and replace Windows Update with their own version. I suspect there are enough people in the Windows Update team whose sole job it is to make sure that doesn’t happen, and the obviousness of the attack vector probably has someone else employed full time looking over their shoulder. Plus, I read this really thick red cryptography book back in the 90’s which said that cracking digital signatures was really hard.

My concern now goes to the Windows Update team’s Christmas party, where Hans Gruber is being paid $X million by the <insert your favorite US-hating> government to take the entire team hostage and force them to install the BonTwitter botnet on 1b computers the next morning, which will block all Twitter access from cell phones and thus bring the US economy to its knees and prevent all the troops deployed in Iraq and Afghanistan from figuring out what’s going on. Hopefully, someone on the team is in the process of getting divorced from Bruce Willis and the disaster is avoided in the end.

So now imagine the same government playing the long game. A few years back, Microsoft hires retired Lt. Cmdr. Tom Farrell, figuring this Navy guy has a great background aside from that one senator he worked for which ruined his political career. Little do they know that he is actually the ultra KGB agent Ivan, trained from birth to pretend he’s a Bill Gates-worshiping computer geek. He’s now worked his way onto the Windows Update team by saving Ray Ozzie from a life-threatening repetitive-stress injury. Now you have to hope he starts dating Ballmer’s mistress and is then tapped to investigate her murder.

OK, so now I’m getting a little out of hand, but my point is that there’s a set of people somewhere in Redmond who have the keys to something like 90% of the world’s processing power. It’s not that I don’t trust them or Microsoft in general, but doesn’t that make the members of that team fairly high-profile targets for anyone who would like to get access to that resource? Given there are governments who don’t like us very much, and have the financial resources to buy just about anything they want, what is keeping them away from the Windows Update team?

So if they aren’t already, maybe someone in Microsoft HR or Obama’s new Cyber Security Czar will consider the following precautions:

  1. Full FBI background check on all MS Update team members. It’s not that if you are Timothy McVeigh’s cousin, and you’ve memorized the Unabomber’s Manifesto, that you should be automatically disqualified from working at Microsoft; but just maybe you shouldn’t be on the Windows Update Team.
  2. If you’re on the Windows Update team, don’t tell your neighbors.   Say you’re working on the re-incarnation of Microsoft Clippy.   Sure, your house might get egged and tee-peed, but at least you won’t have terrorists knocking on your door.
  3. Third party review of all updates.    Either Microsoft or the NSA needs to contract with a selection of third party security companies who review each update before it’s released.    Who outside of Microsoft is reviewing every update as it’s released?   You don’t want it to be the same company every time, or else that group could be compromised as well.
  4. Spooks living in Redmond.  You know that overly friendly neighbor who lives next door and is always checking your mailbox for brown bags full of cash?  He works for the NSA (You and I hope!).

At least they aren’t publishing these people’s names on the blog, or anything dumb like that.   But even if you implement all of the above, and the American public sleeps a little more soundly, what if you’re on the other side of the fence?

Imagine you’re the project lead for Windows Update, it’s the middle of the night and you’re woken up by David Hasselhoff wearing an eye patch and chewing on a cigar (yes, I purposefully chose the worst Nick Fury ever…), and he says in order to stop North Korea from sending a nuclear missile into Tokyo, you must create a Windows Update to disable every Windows computer in eastern Asia. OK, so we all hope and pray that no one is running their nukes on MS Windows, but you get the idea. Who would refuse such a task? And what would happen if you did?