Microsoft Vows Security Commitment on Win2K
dieMSdie writes "'MSFT is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs,' reads this story on CNN. There is also a poll; the results so far are quite amusing." I bet they'll be even more amusing once our readers get a crack at it.
No matter WHAT they do, they're going to be raked over the coals here.
If they hire 1000 people to do nothing but track down bugs and security problems, you people will say it's not enough.
If they totally open-source Win2000 and give away everything, including the source code....you people will say "oh, they're just trying to jump on the Open Source bandwagon...it's all hype".
If they say: "ok, we give up...we're getting out of the OS business"...you people will THEN yell at them for being quitters.
So what I want to know is this....WHAT do you want Microsoft to do?
I disagree. Different people have different skill-sets. If you are a 31337 crypto expert, by all means work on the security; however, if time pressures or a "real" job or plain lack of talent (in my case) or whatever prevent you from contributing actual code base, you can still make a difference to the progress of the open-source steamroller by exposing Micro$haft to ridicule wherever their marketing-driven FUD rears its ugly head. Remember that the mis-perception of a platform's security is, in itself, a security flaw.
The poster of the self-extracting .exe link made a valuable contribution. Remember, in marketing perception not reality is everything.
After reading that link, my perception of Microsoft's commitment to security was that it is non-existent.
I'm no expert on win2k security, but I do notice the addition of Kerberos 5, which was not in NT4. Kerberos 5 is not a "minor change".
And what is the "overall picture" you're speaking of? Sounds kinda vague.
I'd like to think that IIS5 is more secure than IIS4; if not, expect to see Barnes and Noble go down some, since they've been running win2k for months now on their servers.
Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.
VMS has had its share of security problems too. So what? A more interesting metric is not whether an OS, or any underlying apps, present security holes, but how quickly they are fixed. See this Securityportal cover story for a comparison of time from announcement to vendor fix between Redhat Linux, Windows NT, and Sun Solaris (see, I can add gratuitous links as well!). I note that Redhat Linux won hands down in this competition, and that's only security updates from a vendor-supplied source! I don't know about you, but when I hear about a serious security hole in lpd (for example), I don't wait around for Redhat to go recompile the fix. However, the Securityportal article makes a reasonable assumption that most small to medium-sized businesses would probably rely on vendor-supplied fixes rather than trying to find a hot Linux guru to compile up-to-the-minute security fixes.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as Microsoft's PR flacks, but the question remains, why are there so many bugs in the first place?
DUH. Because C doesn't bounds check during compilation or run time. That's just ONE reason. Look, I'm no security "expert", but if you're uptight about security, and don't consider yourself competent at securing your own code, then either hire a professional to go through your C code with a fine-tooth comb, or write it in some interpreted language like perl, LISP, Scheme, Python (whatever) and let the LANG developers deal with security.
Not that this will make your application any more secure, but it will pass the buck to the likes of Larry.
Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.
This is bogus. And I run OpenBSD, the BSD distribution tailored for security, on my cable modem gateway and consider it an excellent secure distribution out of the box (CD). But, so what? Can you give me ANY specific examples of userspace application security holes present in Linux that were not present in BSD? Hell, most of the networking kernel holes seemed ubiquitous across just about every OS and networking stack, BSD sockets and STREAMS-based.
On the kernel side I seem to remember that both BSD and Linux (and NT!) were vulnerable to the Ping of Death, various Teardrop attacks and fragmented TCP attacks, and those lovely smurf DoS attacks. Don't see a significant difference here... both the BSD and Linux kernel groups figured the problems out and posted solutions in record time, while the commercial vendors picked their butts and didn't post fixes for their products, I might add.
On the userspace side of things, this is managed project by project. Since much of our application software is ported between the BSDs, Linux, and most any other commercial UNIX, there's little difference. A bug in one version of lpd on Linux is almost surely the same bug on BSD.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
There. Now you said something rational.
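The "C doesn't bounds check" point above is the one concrete technical claim in this thread, so here is an added example (not from any poster, and not Microsoft's or any vendor's code) of what the programmer has to do by hand in C: a parser for constructed "<len>:<payload>" records that checks the declared length against both the fixed-size destination and the bytes actually present before copying. The record format, the 16-byte field and the sample inputs are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed-size destination, as a C program would typically declare it.
 * This is an assumed value for the example. */
#define FIELD_SIZE 16

/* Parse one constructed "<len>:<payload>" record from `in` (in_len bytes).
 * Returns the payload length on success, or -1 if the record is malformed,
 * the declared length would not fit in `out`, or the declared length would
 * read past the end of the input. Nothing is written to `out` on failure. */
int parse_record(const char *in, size_t in_len, char out[FIELD_SIZE]) {
    size_t i = 0;
    unsigned long declared = 0;
    int digits = 0;

    /* Read the decimal length prefix; cap it so the multiply cannot wrap. */
    while (i < in_len && isdigit((unsigned char)in[i])) {
        if (declared > 1000) return -1;
        declared = declared * 10 + (unsigned long)(in[i] - '0');
        i++;
        digits++;
    }
    if (digits == 0 || i >= in_len || in[i] != ':') return -1;
    i++; /* skip the ':' separator */

    /* The two checks the language itself will not do for us:
     * 1. the payload plus its terminator must fit in the destination, and
     * 2. the payload must actually be present in the input buffer. */
    if (declared >= FIELD_SIZE) return -1;
    if (declared > in_len - i) return -1;

    memcpy(out, in + i, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Convenience wrapper over a NUL-terminated constructed record; returns the
 * same result code as parse_record so callers can check it directly. */
int check_record(const char *record) {
    char field[FIELD_SIZE];
    return parse_record(record, strlen(record), field);
}

int main(void) {
    /* Constructed sample records: one valid, one over-long, one truncated. */
    const char *samples[] = { "5:hello", "40:short", "5:hi", "abc" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        printf("%-10s -> %d\n", samples[k], check_record(samples[k]));
    }
    return 0;
}
```

The second and third checks are where hand-written C parsers historically go wrong: trusting the declared length alone, or checking it against the destination but not against the input, is enough to write or read past a buffer. A reviewer going through C code "with a fine-tooth comb" is mostly looking for exactly these missing comparisons.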
For all the things Microsoft say they will do, and which should have been done before, they just don't have the necessary level of paranoia guiding the design.
I haven't tried Win2000 yet, but under NT4 if you can gain access to the PC I use, and you can steal my NT domain password then you can use my digital identity. I selected high security when installing it in browser and mailer, but those applications can just use my private key without so much as a dialog to warn me. It is as if they had decided that dialling in the combination of the safe is too inconvenient so they provide a robot that will do it for anyone who can walk into my office.
There needs to be a fundamental change of attitude, not just some fixing of holes (although that is necessary).
Linux and the BSDs (especially OpenBSD) have a poor (i.e., all-or-nothing) security model which is very well-implemented.
Windows NT, on the other hand, has a really good security model but the implementation sucks.
(/me waits for howls of laughter from Slashdot)
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
I am a big fan of accuracy, and so I think that people should probably all use "Linux" when talking about the kernel, and "GNU/Linux" when talking about the system commonly known as "Linux". But that's not going to happen...heck, _I_ don't even follow it :)
However, where can the line be drawn? Do you look at the security of Sendmail and say hey, that counts as Linux? Well, no...Sendmail is run on lots of platforms all over the place. Do you look at a hideous malformation like rdist? Not really...I don't even think that's GNU. X Windows? Not GNU, either.
What, then, is left of Linux? In my mind, Debian shows it best. If you install from floppy disks, you have your basic UNIX system, about 30MB of software. Tar, gzip, more, ftp, telnet--all the collectable characters! THIS is Linux. Though even then, tcpwrappers is included, which is not Linux-specific...
Of course, the reason that I agree with you is that no one could use that system. OpenSSH or SSH would go first, and then Apache, Sendmail, etc. depending on the function...but, I could just as easily use AOLserver, zeuss, zmailer, qmail, etc. as those two. That's why it's hard to nail apps to Linux...sure, there are ones that MOST people use, but there are no real DEFAULTS. With Linux, you get to pick from several GNU alternatives, each interesting in its own way. With NT, you get One Microsoft Way...not fuzzy at all. But not my style, either.
And, it is too bad about the zealots. My machine _is_ dual boot, and I know my TNT is faster under '98...but I haven't booted '98 in months, since I got the PSX...
WMBC freeform/independent online radio.
NT's security is NOTHING like you'll find on linux or any other unix or similar. Whohoa. On what kind of fact is this based?? On the fact that Unix's security is based on one superuser which is needed for all daemons? On user rights instead of object rights?
To me it sounds like people who rate NT's security as 'lame and nowhere the level of security on Unix is' really don't have a clue about how NT's security works.
Let me sum up a small list of items related to the topic. This is not meant as flamebait, but to let Unix people learn it's not Windows 9x we're talking about, but NT/Windows 2000.
- NT has already been 128-bit in the US/Canada area for years. Windows 2000 will be using 128-bit security worldwide.
- NT 3.x and 4.x use the weak NTLM protocol. It could be tough to break, but in areas outside US/Canada the encryption key was too short to hold long. Windows 2000 will use Kerberos strong encryption, which is an industry standard. Poking at MS that their encryption is weak (especially in their upcoming product) is without ground, because Kerberos is a proven secure technology.
- NT uses security throughout the system on objects. It's then way more flexible to set security flags, without the necessity to open up the system because a certain daemon needs root access, for example.
- MS fixes security leaks within 24 hours most of the time. Arguments that it takes ages to get a fix are therefore unfounded.
- In the past year, there were some minor security glitches in NT itself. The security bugs in IIS are due to leaks in modules that IIS uses, not IIS itself, like the idq.dll module for old-style Index Server queries. Today you don't need these modules. Still, unskilled administrators install the basic set. Like unskilled administrators will with RedHat 6.x on their hands. That's why there are idiot-proof docs to guide these (majority, unfortunately) people. :)
- IE holes are a problem, but who surfs the net on a production server?
- MS provides a bulk load of security documents on how to implement security on your servers. These are perhaps silly for die-hard techies ("Duh! don't install the examples!!"), but MOST of the system administrators, ALSO on unix, are not people with 10 to 12 years of experience with administrating servers. Don't forget that. Most sites which are hacked are set up by not well skilled people. Pointing at the OS is silly. No-one says unix is unsafe because sendmail is crap. The administrator should be aware that the sendmail on his system is likely an older version than available today.
- Which brings the last and most important subject to the surface: if you don't follow the security sites, if you don't apply patches REGULARLY!, if you don't know what to close and what to remove from the system to keep/make it secure, and most important: if you DON'T let a 3rd party, specialized in security, scan your systems for leaks, your system won't BE secure, no matter what kind of OS you have. Admitted: some OSes have LESS open doors than others, but NO OS has ALL doors closed. Don't forget that.
NT 4 was a wise lesson for MS. They have it on track now, but it has been a long road. It's nowhere near the end, there are still areas for improvement, but these are there too in other OSes, like Linux or *BSD. Being aware of the weaknesses of your own system is a Good Thing (tm). You can then secure it more. Blinding yourself with talk that only MS makes insecure stuff is silly. Ask all those Solaris administrators currently suffering the DoS worms. Bashing the FUTURE without knowing what it will bring (have you all used Win2K server??? have you tested the security???) with the facts of old material from the past is not fair. If you turn the roles around and people bash Linux using the hundreds of holes in all the distributions which were found in the last 2 years and say: "linux is not secure... because of all those leaks in it in the past years," is that fair? I'm pretty sure you'll say: "No!".
Never underestimate the relief of true separation of Religion and State.
Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as Microsoft's PR flacks, but the question remains, why are there so many bugs in the first place?
Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...
We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*. (Compare to the linux box. um... no, no comparison.)
What are they going to do to enhance security, stop selling Office? Those pesky macros, always making my paperclip sick...
But seriously, folks, now that Microsoft released this to the press, that they're really *really* serious about it this time, and they're going to be extra-nice by charging us more for this week's upgrade, don't you think we should let them play with the big boys yet?
Nah, I didn't think so either.
Sure, it's easy to criticise Microsoft. Because it's so much fun. And historically accurate. I mean, if they wanted to try to do better now, they'd have to issue a formal apology to anyone who ever had to suffer through an unpatched Windows bug. Whoops, I think that's everyone!
</CHEAP SHOT>
---
pb Reply or e-mail; don't vaguely moderate.
I think that's pretty obvious when they don't open source the OS! :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
This marketroid piece was so full of holes it's not even funny anymore...
Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.
15 people to review... What was it? 30 MILLION lines of code? And what was the qualification of these people? Script Kiddies??
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...
Source code also was delivered to 70 agencies and universities around the world for their perusal.
*Yawn* Which Universities? Which Agencies? (Mindcraft???!!!) Names, references, Web site? Results of aforementioned "perusal"? Are these results published anywhere? (Probably not...) Were the "agencies" able to modify the source code?
As someone else said: "Microsoft is not an answer. Microsoft is a question. The answer is: No".
Read my lips Microsoft: Open-Source is going to bury you alive. Commodification of hardware, commodification of OS is the end of Bill's Evil Empire. The penguin and the demon will dance on your graves... (insert Dr Evil's most sinister laughter here)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This is too funny - check out what Microsoft recommends for you to do, to see the IIS 4.0 Security checklist.
It's good to see that they're giving us those safety tips already.
This is off of http://www.microsoft.com/security/ - the link is in the article too, but it's broken.
---
pb Reply or e-mail; don't vaguely moderate.
I used to work for a Microsoft Solution Provider, whose job it was to sell and support Microsoft products. And yet they have several different levels of support which they charged us for. We actually had to pay for "Premium" support to get access to information, knowledge base articles etc. that would help us fix or work around a problem one of our clients had with their products. In other words, they were denying us access to information, fixes, known problems, incompatibilities, etc. that would help us do our job supporting THEM and THEIR software unless we paid them. And we were an "Official" Microsoft Solution Provider!!
Microsoft, security, commitment, 128-bit encryption....
I read this yesterday:
There was a kangaroo in a zoo. And every day it somehow managed to escape from its cell. Then the zoo built a higher fence around it. But the kangaroo escaped once again. Then the zoo built a 20-foot-high fence. Once again the kangaroo escaped. A neighbouring hippo chatting with our hero:
H: Well, how high do you think they'll build it?
K: Don't know, 100 feet maybe. But really - they should've started locking my cell door first.
Moral: No zillion-bit encryption will help M$ as long as their "NT security guide" is dedicated to selecting proper chains to attach servers to the room walls.
Asking several interesting poll questions to the average CNN-reading user:
Do you trust Linux security?
Average user's thoughts: "hmm, that's internet, isn't it? that must be insecure"
result:
yes : 25%
no : 75%
Do you trust *BSD?
"huh, *BSD? that must be something I don't know"
result:
yes : 5%
no : 95%
Do you hand a waiter you don't know your credit card to pay the bill?
"what would they mean by that? why not?"
result:
yes : 95%
no : 5%
Again I feel forced to criticize this "poll". People don't trust the internet.. why? No reason, really.
They trust the mailman with postcards but they don't trust a server with their boring e-mail message.
They trust waiters in tiny restaurants in the most corrupt nations in the world with their credit card yet they have doubts about using that card in a way that actually transmits their number/expiry date encrypted.
So what do we learn from this poll?
Well, the only thing I learn is that people don't want to do or use stuff, for irrational reasons, until told by those people who are least knowledgeable about said stuff (their neighbour's brother's second cousin) that doing/using it is ok.
The internet is just as secure as any shopping street, but you need a college level education to be a pickpocket.
I know I don't have to say it, but the security is nothing like what you'd find in Linux (or any UNIX that comes to mind). The Win 2000 "Administrator" account has nothing on root :)
Thumbs up to Microsoft for (at least) making a decent effort at a flexible, easy to use, and relatively secure operating system (to say it bluntly, "as good as Windows will be for a long while").
Build 2195 has also made some great strides from the bugged menus and SMP slipups of the early betas (you might remember even RC1 had some serious pitfalls). As much as I may hate to admit it, Microsoft did its homework on this one.
Win 2000, although perhaps not the Ultimate answer to Linux, is IMHO better in most aspects than NT. It's going on my first personal box for the time being (Red Hat 6.1 on the other) - and also on my webcam server until there's decent USB support in Linux.
--------
Oscarfish.com: tropical fish with attitude. Way t