Microsoft's security image problem goes back a long way. At the moment, Microsoft has some good security procedures...
in place and has an apparently effective program for dealing with newly discovered vulnerabilities. It's definitely not perfect, but it is one of the better process-driven programs out there.
However, there will always be people who think what Microsoft does never will be good enough. And many remember Microsoft's arrogance and denial about security problems in the 1990s.
At the time, Microsoft was infamous for letting security vulnerabilities going unpatched. It also denied that the security vulnerabilities were actually problems to begin with. For example, one of the most clueless comments was about one of the first versions of L0phtCrack, a brute-force password cracking attack on the Microsoft LanMan password algorithm. A Microsoft spokesman stated something to the effect, "Don't they have anything better to do with their time than trying brute force attacks?" As Peiter "Mudge" Zatko basically replied, "That's what computers are for."
Again, Microsoft had the proverbial 'come to Jesus' talk, and has made drastic improvements from those days. However, it would appear that the world needs a zero-sum gain, so now we have the Bluetooth SIG.
Last month, I reported on an antenna that can target Bluetooth devices from more than a mile away. When a security magazine recently interviewed a Bluetooth Special Interest Group representative about the growing concern, he reiterated the Bluetooth standard line that devices might be vulnerable within the standard 10 meters. He also said that there will always be problems and that software updates will take care of everything. They just don't get it.
Let's first assume that estimate is correct, but have you thought of how many potential attackers can be within 10 meters of you? If you are sitting in a building, you are theoretically
Looking further into the general statements of the Bluetooth spokesperson, you really have to consider how many people actually update the telephone's software. And, frankly, I am not even sure that there are updates easily available for the hardware drivers. Fundamentally, though, there are no updates available for the problem if it is possible to patch it.
The way I look at it, the Bluetooth SIG has two choices. It could either say nothing, or could just provide good, fundamental security information. If the group says nothing, at least it isn't perceived to be in denial or just fundamentally stupid, and the sheer majority of the general public will just continue to be happily ignorant.
If I were the spokesman, I would have stated that all technologies could experience vulnerabilities. As time goes on, technologies that are safe now, can be vulnerable to newly discovered attacks in the future. In the mean time, deactivate the Bluetooth functionality if you are not using it. If you are using the functionality, then make sure Bluetooth is not set in the discoverable mode.
Bluetooth SIG is comprised of people from some very aware security organizations. Unfortunately, they are exhibiting the same arrogance and denial that has put Microsoft in the doghouse for more than a decade. Sadly, we appear to have a zero-sum gain on our hands.