Microsoft Vows Security Commitment on Win2K
dieMSdie writes "'MSFT is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs' reads this story on CNN. There is also a poll; the results so far are quite amusing." I bet they'll be even more amusing once our readers get a crack at it.
Lest the Slashdot community get too holier-than-thou when it comes to security, let us remember that GNU/Linux has had its share of security problems over the years.
Now, of course, GNU/Linux developers are generally faster than Microsoft when it comes to fixing security holes and they don't, as a rule, engage in the same coverups and spin control as Microsoft's PR flaks, but the question remains, why are there so many bugs in the first place?
Other open source operating systems, such as FreeBSD, NetBSD and OpenBSD have had security problems, but not in such numbers as the various GNU/Linux distributions.
Rather than making fun of Microsoft for its own failings in the security realm, GNU/Linux users and developers could better spend their time improving the security of their OS of choice.
Ooo, 128-bit encryption, that's 16 whole BYTES. No one will ever break that...
We all know that the W2K machine that was "naked" on the internet had no problems at all. Nooo. Uh uh. And if they gave you that Administrator password, it'd be *fine*. (Compare to the linux box. um... no, no comparison.)
What are they going to do to enhance security, stop selling Office? Those pesky macros, always making my paperclip sick...
But seriously, folks, now that Microsoft released this to the press, that they're really *really* serious about it this time, and they're going to be extra-nice by charging us more for this week's upgrade, don't you think we should let them play with the big boys yet?
Nah, I didn't think so either.
Sure, it's easy to criticise Microsoft. Because it's so much fun. And historically accurate. I mean, if they wanted to try to do better now, they'd have to issue a formal apology to anyone who ever had to suffer through an unpatched Windows bug. Whoops, I think that's everyone!
</CHEAP SHOT>
---
pb Reply or e-mail; don't vaguely moderate.
I think that's pretty obvious when they don't open source the OS! :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
For starters, I'd love for reality to live up to their hype. Example:
I needed to deploy dozens of computers running web browsers in a college library. These computers need to be fairly locked down.
I downloaded the IEAK (IE admin Kit) *and* bought their IE admin book too. 75% of the book was marketing hype talking about all these great things you could do with the kit, including being able to change customizations through policies, etc...
Great! So I spent two weeks just trying to get it to work. The docs on how actual policy restrictions work and what they do amounted to TWO PAGES. I was forced to experiment.
But then I learned some harsh lessons. First, to get customizations and restrictions to actually apply to a NT user logon, the RunOnce key must be r/w to the user. Yes, that's correct. Even though numerous Microsoft KBs say to *not* make RunOnce r/w to users due to security problems, to make IE restrictions kick in, it must be because rundll32 for some reason wants it that way.
Then the Custom directory must be r/w and all files in it r/w so customizations can be downloaded from a web server and applied to the machine.
Even with all that, all customizations wouldn't work right. Bottom line, the only way to get the browser customizations to work as advertised was to give the logon account ADMINISTRATOR PRIVS.
Then there were other hassles, like the fact that unless your web server MIME types .ins to be application/x-internet-startup, the customization file won't apply (not documented because that's the default in IIS I guess).
So I use and support Microsoft products constantly. All I want, all I really want from Microsoft, is to live up to the hype because these days whenever I read about nifty new features of their software and OSes, I just can't believe a word of it. :-(
This marketroid piece was so full of holes it's not even funny anymore...
Microsoft has made a comprehensive effort to build Windows 2000 with security in mind, including having a staff of 15 people study the code for breaches, denials of service, and bugs.
15 people to review... What was it? 30 MILLION lines of code? And what was the qualification of these people? Script Kiddies??
A preliminary version of the product also was put on the Internet to enable users to look for security breaches, Valentine said. Within two weeks, four denials of service bugs were found, but no breaches were discovered, he said.
As Dr Evil would say: "Riiiiiiight"... Within two weeks, the NT2K server crashed so many times they decided to put it off-line. I'll let you, gentle reader, decide for yourself what that means...
Source code also was delivered to 70 agencies and universities around the world for their perusal.
*Yawn* Which Universities? Which Agencies? (Mindcraft???!!!) Names, references, Web site? Results of aforementioned "perusal"? Are these results published anywhere? (Probably not...) Were the "agencies" able to modify the source code?
As someone else said: "Microsoft is not an answer. Microsoft is a question. The answer is: No".
Read my lips Microsoft: Open-Source is going to bury you alive. Commodification of hardware, commodification of OS is the end of Bill's Evil Empire. The penguin and the demon will dance on your graves... (insert Dr Evil most sinister laughter here)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This is too funny - check out what Microsoft recommends for you to do, to see the IIS 4.0 Security checklist.
It's good to see that they're giving us those safety tips already.
This is off of http://www.microsoft.com/security/ - the link is in the article too, but it's broken.
---
pb Reply or e-mail; don't vaguely moderate.
I used to work for a Microsoft Solution Provider, whose job it was to sell and support Microsoft products. And yet they have several different levels of support which they charged us for. We actually had to pay for "Premium" support to get access to information, knowledge base articles etc. that would help us fix or work around a problem one of our clients had with their products. In other words, they were denying us access to information, fixes, known problems, incompatibilities, etc. that would help us do our job supporting THEM and THEIR software unless we paid them. And we were an "Official" Microsoft Solution Provider!!
Microsoft, security, commitment, 128-bit encryption....
I read this yesterday:
There was a kangaroo in a zoo. Every day it somehow managed to escape from its cell. Then the zoo built a higher fence around it. But the kangaroo escaped once again. Then the zoo built a 20-foot-high fence. Once again, the kangaroo escaped. A neighbouring hippo chats with our hero:
H: Well, how high do you think they'll build it?
K: Don't know, 100 feet maybe. But really, they should've started by locking my cell door first.
Moral: No zillion-bit encryption will help M$ as long as their "NT security guide" is dedicated to selecting proper chains to attach servers to the room walls.
Asking several interesting poll questions to the average CNN-reading user:
Do you trust linux security?
Average user's thoughts: "hmm that's internet isn't it? that must be insecure"
result:
yes : 25%
no : 75%
Do you trust *BSD?
"huh, *BSD? that must be something I don't know"
result:
yes : 5%
no : 95%
Do you hand a waiter you don't know your credit card to pay the bill?
"what would they mean by that? why not?"
result:
yes : 95%
no : 5%
Again I feel forced to criticize this "poll". People don't trust the internet.. why? no reason really.
They trust the mailman with postcards but they don't trust a server with their boring e-mail message.
They trust waiters in tiny restaurants in the most corrupt nations in the world with their credit card yet they have doubts about using that card in a way that actually transmits their number/expiry date encrypted.
So what do we learn from this poll?
Well, the only thing I learn is that people don't want to do or use stuff for irrational reasons until told by those people who are least knowledgeable about said stuff (their neighbour's brother's second cousin) that doing/using it is ok.
The internet is just as secure as any shopping street, but you need a college level education to be a pickpocket.
I know I don't have to say it, but the security is nothing like what you'd find in Linux (or any UNIX that comes to mind). The Win 2000 "Administrator" account has nothing on root :)
Thumbs up to Microsoft for (at least) making a decent effort at a flexible, easy to use, and relatively secure operating system (to say it bluntly, "as good as Windows will be for a long while").
Build 2195 has also made some great strides from the bugged menus and SMP slipups of the early betas (you might remember even RC1 had some serious pitfalls). As much as I may hate to admit it, Microsoft did its homework on this one.
Win 2000, although perhaps not the Ultimate answer to Linux, is IMHO better in most aspects than NT. It's going on my first personal box for the time being (Red Hat 6.1 on the other) - and also on my webcam server until there's decent USB support in Linux.
--------
Oscarfish.com: tropical fish with attitude. Way t