Hosting Redmond

by David Holtzman

There's a lively discussion on Slashdot this morning about a recent revelation that Microsoft is bypassing local lookups for some websites. Normally there's a HOSTS file that allows the administrator to locally block specific sites, but apparently Microsoft routes around this file when looking up a small list of addresses. Coincidentally, they are all Microsoft-related sites.

There are security reasons why MS has done this. Malware often mucks with the HOSTS file to stop lookups to well-known antivirus sites. By having the OS do the lookup and ignore the file for their sites, Microsoft has a way to increase security: there is always a software lookup to their sites that can't be messed with (at least at that level).

The problem with this is twofold. The first and most obvious one is that it's undocumented. There's an arrogance to this approach. DNS resolution is implemented differently across the various operating systems, but nonetheless operates in a similar and predictable manner. Security is not about hidden tricks, but about painstaking protections, blocking well-known holes and proactively stopping problems. Doing what they "think is best for everyone" is that old Microsoft paternalism. I like it even less now in a rapidly-growing open source world than I did when they were the big dog in town.

The second problem with this is that architecturally, clever work-arounds are never the right answer. Once a company stops security problems by brute-force methods such as this one, it increases the complexity for the administrators and eventually the end users. It's not an elegant solution to the problem.

Posted on April 17, 2006
