Slashdot Mirror
Interview With Microsoft's Chief of Security
Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks.
/. readers might find it interesting. They can find it here."
that at the time this is posted, Hotmail / Msn websites are down ©©
Well, the way you guys constantly dog out Microsoft around here it's no wonder it is insecure. A little TLC should get them back in order in no time.
I wonder if he feels personally responsible/remorseful when someone using a product he helped create is screwed over because he didn't do his job of finding/repairing security holes.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
>
> A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.
Conspicuously absent is any description of Microsoft's response when someone else finds the security vulnerability in their products.
Microsoft does focus a lot of effort towards securing their products. Unfortunately the effort is more reactive than proactive. It's a basic flaw in the capitalist model that allows the Marketing and Accounting people to determine release dates--instead of the Developers. The attitude can be paraphrased like this: "As long as the app fires up, it can be released. We'll let the customers be beta testers."
If they were in the car business insted of the O/S business, a lot of people would be dead or mangled.
"What is the sound of one belly slapping?"
Could the blame for Microsofts security issues fall on this man? Rushing products before they are fully tested.
Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs.
Man and Goat
Unfortunately for those who oppose full disclosure, the issue was discussed on Bugtraq, which finally led to the details of the vulnerability. This means that the Microsoft-supported way of disclosing bugs (Do issue an advisory but do not publish any details that could be used in creating exploits) apparently didn't work out. Ofcourse, there was a (small) delay, but eventually everybody knew about it before the patch was released.
My question regarding this issue is: how do you feel about this issue? Do you really think that not fully disclosing a vulnerability will prevent exploits to be made? One of the arguments for full disclosure is that sysadmins are able to reproduce the error so that they can test if their system is vulnerable, but with limited disclosure this will only be possible for a small (and probably malicious) public.
--
If code was hard to write, it should be hard to read
The article references this. Here are a couple of URLS on it:
0 24 01.html
s m_ militias/20011031_eff_usa_patriot_analysis.html
Full Bill:
http://www.politechbot.com/docs/usa.act.final.1
EFF Analysis:
http://www.eff.org/Privacy/Surveillance/Terrori
For this, as well as for many other reasons, it is essential that one operating system and one software company does not dominate the industry. The cost of dealing with cross-platform issues is the price we have to pay for a competitive market and a resilient infrastructure.
Suggestions that our salvation lies in uniformity, market dominance by one company, and bigness are more reminiscent of the central planning of the USSR than of what has made our society so successful. It's kind of funny to see that some of the most staunch conservatives and defenders of Microsoft-style laissez-faire economics seem to be falling into the same trap that the communists fell into.
He did coin (or I least I've never heard of it yet) the term cyberhacktivism. So that's gotta be worth something. Cheers
Why does this interviewer have to keep comparing software attacks with the September 11th terrorist attacks? About the only thing they have in common is that they are both malicious. Beyond that, it has no place in an interview about Microsoft security. Very poor taste, IMO.
- Just an AC
Okay, wrong reply (Yes, I scanned the article and saw the words 'microsoft' 'security' 'ask' 'question' and 0 comments, started typing like a wildman to be the first to type an intelligent question ... and realised just a bit too late that it wasn't a call for questions).
:)
Please mod me down before to many people notice my dumbness
--
If code was hard to write, it should be hard to read
Anyone who knows that they're a market leader does have a responsability to see that their stuff isn't going to be the cause of the next great Internet collapse. MS is quickly becoming the leader in getting their bugs exploited, and with so much market penetration, we really could be facing quite a disaster when a better worm comes along.
Does anyone out there work for some other big company with lots of market share? What type of responsability do they assume for the security of their products?
Mac
Does the name Pavlov ring a bell?
A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.
I don't know if the interviewer changed tapes in his recorder or what, but this is the single most important question he asked, and it was completely and totally unaddressed. This one question drives home the problem with Microsoft security, makes him aware that yes, we were all SCREAMING "Stop the madness" BEFORE it rolled out, and he waves his hands saying that hmm, we're meeting the new threat environment. What?
Is there any chance that anyone of importance will see or read this interview? That's the shame. I'd love it if the appropriate congresspeople and/or attorneys-general could see this nonsense made more public.
Not that I expect anyone in his position to actually answer all the questions asked, but it'd be nice if his lips moved in sync to his words, too.
John
John
I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
/home: disk full
So...who cares if there are problems. We'll find them eventually - as soon as someone exploits them and we hear about it. I wonder if they release their code like that for QA as well. It's a matter of identifying bugs once the product is released.
I understand that you problems happen, but this is kinda like shoving things under the carpet and hoping no-one looks - or to use his analogies - letting the burgler in the front door of the apartment complex and hope that all the doors are locked, but ask him on the way out where he got the loot from.
True reason MS won't release the source code for a security audit:
~$ df
/home 200M free
~$ cd windows/source
~/windows/source$ find . -name "*.c*" -exec grep -l gets {} \; > ~/
volume
:)
A: Security?
Q: ... yeah, security ...
A: Oh... that......... Our policy is to blame the people who find the holes in our software...
Q: What about the people who put the holes in the software in the first place?
A: Yes, of course. We're currently trying to purge the Al Quida factions from our programming team.
Microsoft has been getting better. Many of the current IIS exploits aren't in IIS at all, but in ISAPI extentions like Index Server (Code Red exploited this), and HTTP Printing in Win2K. Almost all of the exploits released last year and this year could've been blocked by simply following MS' security checklist.
Needless to say, sysadmins apparently don't read checklist, follow best practices, or pay attention to alerts. I have seen real movement from MS (on their site, in comments on NT BugTraq, and in other places) that they take this security stuff seriously now, and they are coming out with some good tools (they're even subcontracting them to get them faster and by security companies who have a better track record) to help automate patch downloading and installation, scanning of network resources for missing patches, remote deployment of patches (for those 500 web servers you have in your datacenter), and various checker tools which will basically verify the security checklists for you.
Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's dilligence), and they are making strong strides to change this now, and in the future.
I know many of you dislike MS, but you must give them at least that.
Sounds more like the head of Marketing at Microsoft than the Head of Security. Most of his answers were the same marketing BS that come out of Micro$oft every time you ask anyone from there a question. I just wish Micro$oft would give straight answers instead of Marketing BS.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Torvalds
Is there some sort of steganography going on in the typos of this interview?
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
of Internic hacking:
:-)
Try "whois microsoft.com"
And you'll get a good laugh at it
(result is in capital letters so cannot be posted here because of lameness filter)
And btw this news has been rejected by slashdot.
-- "Life is easier since I have excluded JonKatz stories from my homepage"
Now, that's how to karma whore!
"If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?"
Just try convincing your insurance company otherwise. I'm just glad Micro$oft don't build houses...based on this quote they'd have plenty of windows (all different of course), and no doors.
Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.
A: Well, yes. You're right about that. We were given the signal loud and clear, and completely ignored it. We here at Microsoft are terrible at making software. In fact, please don't ever again buy any of our products. We are very, very bad.
I mean, this guy is speaking on behalf of a multi-billion dollar software giant. He is not going to risk his job by embarrassing his whole company. That's why companies like MS (GM, American Airlines, Exxon) hire guys like this. For reference, consult any presidential press conference.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.
Ten or 15 years ago, I still would have stolen his car if he was stupid enough to leave his keys in the ignition.
(When asked about full disclosure, and publishing of exploits)
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater.
Yeah, except there really IS a fire.
So when there is a fire in a movie theatre, he's suggesting the person who notice it just quietly go and tell the management (who will wait to see if it's really a big fire, and then assign some staff to attempt to put it out), instead of telling the people whose lives are in danger?
Yeah, GREAT analogy.
Howard Schmidt: I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there that, day after day after day, there's more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
(bold added by me)
Shouldn't a company with Microsoft's resources be able to identify security holes before the product is released?
Maybe this "release-and-then-check-for-bugs" strategy explains why there are so many MS explots?
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
I've tried it on several 'nix compilers. What does it do, anyway?
In response to the question about MS making Good Times into reality (having scripting in email on by default), he said:
If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.
I don't know where he was living 15 years ago, but where I grew up (granted I didn't have a car then), there's no way you'd leave your keys in your car and act surprised when it was gone in the morning.
If your car gets stolen because you left the keys in it, its not entirely your fault because it's illegal to steal the car regardless. But it was still bloody stupid.
If it was my friend who left my keys in the car, I'd be pissed as hell. And if the manufacturer put a spare key on every car in the exact same place so it was easy to find and my car got stolen, I'd join the class-action lawsuit that would surely result.
It's one thing to say that MS has good security, and non-disclosure is the right way to go, etc etc. He has to. But to dismiss this question as though it wasn't their fault, without even a "Yeah, we shouldn't have done that", I think is demonstrative of the thinking that led to the problem in the first place.
The enemies of Democracy are
You're going to hit the 50 point karma cap with three off-topic posts in a row.
Splendid, man, splendid.
How did he get a job in security even the basics of security in microsoft products are lacking......
so many users are creating accounts like administrator with out even a password and being allowed to leave it blank....Why not force a password?....this would also work better for microsoft, if the user forgets their password i am sure they wont mind charging for support.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
regarding mr. schmidt... > i sure am glad the military/industrial complex is a fiction. otherwise i might think it suspicious that the man responsible for security on most of the world's computers works for the government. love your country. fear your government.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Did someone interview the Security Chief at Microsloft and seriously expect to get somthing besides a politician? The guy even works three blocks from the WhiteHouse.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
What does random microsoft subdomains have to do with hacking microsoft? You can call your subdomain anything you want.
It's already been on slashdot. Old news, was in one of the quickies.
"Standards inhibit the ability to innovate"? Do I even need to point out the bashing potential?
The Internet is full. Go away.
But there is a fire. Its only irresponsible to shout "fire!" in a crowded movie theater if there isn't on, just like it would be irresponsible to post non-existent exploits to bugtraq.
Mr. Schmidt is suggesting:
Geez... They must have cut their spin budget recently.
Q: . . . things like . . . making e-mail attachments executable.
A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer . . . it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?
No, it's not. But if the Foo Car Company set all their remote locks to open when you clap your hands thrice, for "when your hands are filled with grocery bags, to save you from searching your pockets for the key", and only allowed this to be disabled by opening the hood and clipping the red wire with the blue tracer, I'd say they would be responsible for my aunt's CDs disappearing.
Opening the hood and clipping a wire is farther than most people want to go when it comes to modifications. I'd even wager that it is more than many drivers are capable of. Searching around in the "control panel" is further than your average MS-Outlook user is likey to feel comfortable with. They are afraid of "breaking" things.
The car keys are in the user interface portion of the car, I guess my point is. It's "easy" to remove them, put them in your pocket, to provent unauthorized use. How "easy" is it to disable the trojan propigation in Outlook?
The previous has been a secret message to my comrades.
Classic Microsoft... standards bad, embrace and extend good... we do it for security reasons, not because we're trying to leverage our monopoly power into yet-another market. I can almost understand the "don't tell anyone about the exploit until we have a chance to fix it" stance, but this makes me sick to my stomache.
I would be in favor of government standards of security. And not just because it would force more open standards, but because it's a good idea. Yes, it will probably not be easy to implement, and it might force MS to ship a product or two late, but at least it will enforce some needed checks from a company who's concept of security is identifying problems after product release.
Those who fail to understand communication protocols, are doomed to repeat them over port 80.
"My server got rooted, and all I got was assurance from Howard Schmidt that we have a special obligation to improve security"
"What is the sound of one belly slapping?"
I'm sure the position is. We just write software. We're not responsible for anything bad that happens to you if you actually USE it in production.
If we have vulnerable systems, it is likely that terrorists will use our own weaknesses against us. As is mentioned in the interview, the cost of bringing down our communication systems is fairly small.
Remember the Morris Worm? It brought the entire internet to its knees, and Robert Morris didn't mean to release it. What if a "virus" (more correctly, a worm or trojan) is created that destroys every MS-Windows installation? This means more than just Grandma Jane's computer-- I mean military, telecom, and hospital-controlling computer in the world.
The threat isn't that great. Although it wouldn't be expensive in the monetary sense, it would be hard to engineer. But as long as the threat *exists,* it must be considered a potential.
- Tony
Microsoft is to software what Budweiser is to beer.
I think it doesn't make any difference whether it is open source or closed source, it's a matter of identifying them once the product is released.
So...who cares if there are problems. We'll find them eventually - as soon as someone exploits them and we hear about it.
Precicely.
If you want bug-free code you need to start at the architecture/design process (avoiding bug-prone choices), then debug as you go. It's like growing a perfect crystal - you push the impurities out as it solidifies, so only the boundary needs attention. The longer you wait, the larger your search space for each bug, and the bigger the hive of ofspring each bug has produced as new code was added to buggy code.
Security issues are a special case of "bugs", with more than the typical amount of effort needed at precoding stages to avoid building unfixable problems into the basic architecture.
I wonder if they release their code like that for QA as well. It's a matter of identifying bugs once the product is released.
My impression is that Schmidt is completely unaware that software QA, or any other pre-release potential for (securyty) bug suppression, exists. At a minimum his statement implies that Security as a department doesn't participate in architecture, design, code reviews, or QA, and that its leader either feels no need to do so, or is deliberately directing attention away from an inability to affect those stages.
That the head of security for Microsoft could emit such an answer is appalling. But it also goes a long way toward explaining the security problems in Microsoft products.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I think security is recognized as the number-one priority across the company.
After the interview, Mr. Schmidt realized that the question was actually about Microsoft's software products, and not about locking the doors each night at MS HQ.
THE lawyers won't just sue Microsoft, they will also be suing the maker of the "killing object" that M$ software was put in, for being so insane as to not to make a more custom bulletproof application.
BAHAHAAHAH...
Thanks d00d. I've been wondering when someone would convert this into my prefered reading format.
QED
The guy even works three blocks from the WhiteHouse.
The software is developed in a suburb of Seattle Washington (state) and the company's security chief works in Washington (DC), nearly as far from the software department as you can get and still be in the continental US.
THAT explains the security problems in Microsoft products!
B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Microsoft's head of security works 3 blocks from the White House? The last I heard, the rest of MS campus was in Washington state, not Washington D.C. I would have asked him how the hell he effectively manages security for an operation the size of MS from 3000 miles away. He seems more like Microsoft's liason to Congress, not any kind of security manager. He's fully integrated into the MS management hive-mind it seems from the way his answers mirror what we always hear from MS executives. Wait a minute, maybe that's how he manages his teams at the main campus? :)
and your still screaming, all the time, about anything and everything, which is why the only people who listen are fellow screamers.
...clearly one the least candid and varbally honest individuals on the planet today, and the Bush administration is making one whopper of a mistake taking this guy's advice on anything more important than decorating tips for the White House xmas trees.
CSO, my ass, this guy's just another corporate frat boy if you ask me.
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
This interview assures me that Microsoft is continuing down the road to success. Based on their past performance, and their constant vigilence on computer security issues (extremely minor incidents withstanding), I will be switching away from some of my Red Hat Linux servers.
Frankly, the ease of use and support I've seen with Windows XP, not to mention the stability and compatilibilty i've seen have finally swayed me back. Red Hat has a long way to go, and I'll be recommending to all my collegues not to try out this so called operating system. Even more so for the dying BSD lineage. Microsoft is going strong and will continue on into the forseeable future. I can't frankly say the same about other Operating Systems.
Head for the hills!
No, this is not flame bait, but the guy points out a perfectly valid point: every other OS has the same problem in terms of vulnerabilities. The difference comes from the user base. If you look at the typical linux user vs. the typical windows user, you're looking at two different people. My grandmother could never use linux, and by the same token, could never turn stuff OFF in windows. So if IIS is turned on, or Remote Assistance, she's not going to know a darn thing on how to disable it or secure our machine. Me on the otherhand, I've got the virusscan doing daily updates, the firewall, etc. It's not that windows is any less secure than linux, its just that it COMES less secure and users can't fix it easily.
- gtaluvit (prnc. GOT-tuh-LUV-it)
Leave their keys in their cars, I mean. Is it stupid? Maybe, but so long as they don't get stolen (hint: after twenty odd years of this, they haven't) then you can say that in their situation it works.
Really, this parallels the whole trust on the Internet thing. I don't leave mail relays open anymore, I don't run ftp or telnet services; hell, I don't even let my computer respond to ping or finger.
Microsoft should have fixed their default settings problem a couple years ago. I wouldn't blame them for having it like that, though. Most Linux distributions come somewhat secure out of the box now, but a year ago most didn't.
Even Slashdot wants to hide some things
You discover that a theater's reel-room lock can be bypassed with a credit card. You corroberate this by calling a friend in a neighboring city, and the doors in his theater are similarly weak. You are now the only two people who know that it is easier than expected to perform a criminal act against the theater.
Should you
Is this not a good analog of a digital security vulnerability? It's not a fire except in the figurative sense when it's being aggressively exploited. It's just like discovering a certain door can be bypassed with a particular trick that most doors aren't vulnerable too.
By the way, I'm not telling you where I live, because my front door was hung poorly. The stupid anti-creditcard-trick-tongue on it falls into the jam opening when you close the door all the way, so it's useless. I don't consider it a big risk most of the time, since I also have windows in my house, and if you steal physical stuff I can have the police go after you using physical evidence... but that's off-topic.
Cheers,
Sandy
"It's a piece of code that you write to go do something bad, and now the availability of those sort of things is very widespread. People have computers in their homes, connected to DSL and cable modems, so the cost of the ability to do damage is down.
I see! Maybe this is where Microsoft's idea that security is made by the ignorance of the public comes from. So they want to suppress the knowledge of security holes in order to make their software "more secure". But the larger issue (obviously) is that the people want to know. We want to know about and understand these holes so we can learn from them. The only people who are afraid of letting this knowledge out are those who fear they couldn't understand it so other "bad" people would have the upper hand... and companies who want to hide and control all advanced knowledge of their products in order to maintain lower costs to them.
Please help! I'm stuck inside my virtual reality headset!
I think security is recognized as the number-one priority across the company. That goes not only to operational security and securing our assets, but also to product development. (emphasis mine)
Anyone else find his priorities in terms of security, shall I say, interesting?
-- B.
This sig does in fact not have the property it claims not to have.
Yeah but the potential of a terrorist attack against our computer resources wasn't the focus of the interview (or at least it didn't start out that way). There are many things people are freaking out about right now. Take for instance, the U.S. nuclear plants.
Sure, it would be scary to see a plane fly into a nuclear plant. But given the considerable thought and planning that went into the WTC attack, would an Islamic terrorist _really_ want to attack a power plant? Probably not. Why? Well, their immediate objective is to get the U.S. to butt out of the Middle East. How do you do that? Make it not worth their while to be there.
Destroying a nuclear plant makes the U.S. MORE dependent on foreign oil. Counterproductive.
Much in the same way, attacking the Internet on a large scale is counterproductive to them. The Internet doesn't reinforce U.S. oil dependence. Additionally, it isn't something the public truly FEARS losing. Deaths scare people, whether that's by large explosions or little microbes. Disrupting the Internet, though, just costs money and inconveniences people and companies.
In the end, immediate monetary costs have LESS impact on the U.S. economy than a large drop in consumer confidence. That's why the Trade Center attacks were so effective, especially as seen by the airline industry.
On the other hand, the Internet does provide a medium of communication that is useful to the terrorists themselves. So it really isn't in their best interest to destroy it.
Still, going back to the main point: this interviewer was interviewing Microsoft's head security honcho about _software_. Terrorism should have been left out of the discussion. Now if you want to interview U.S. government and military officials and see what they are doing to secure their systems, then the interview certainly takes on a new tone and that type of questioning is justified. But I'd wager that mission critical systems are not using "out of the box" Microsoft software in the first place, and many aren't even on the Internet.
Just my opinion.
I always wondered how they had the DoJ in their pocket to drop the anti-trust case. It's obvious the ex-FBI, ex-Miltary, current head of MS Security is the ace in the whole.
I only need the Preview button when I haven't used the Preview button.
'Nuff said...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
In some cases, it's tantamount to screaming "fire!" in a crowded movie theater. Responsible reporting means if you find a vulnerability, you contact the person in the best position to fix it,
Bob, decided to be a responsible reporter, silently walk out of the movie theater when he found the toilet was on fire. He then dialed 911 across the street for somebody to fix the problem "Hi, are you sure you are the person in the best position to put the fire off? I wouldn't report until I get to this guy."
I really am not interested in anything Microsoft has to say. It's all fettered with lies anyway.
They are in it to control the world which ultimately leads to money, and they will attempt to gain this by any means necessary, lies and oppression included.
Q: So, you're the chief security officer here at Microsoft?
A: Yes I am. I'm Ex-FBI, Ex-cop, Ex-lover of Liberace.
Q. Ok, I didn't need to know that last part. So what does your job require of you?
A. Well, in the morning I get coffee and donuts. Then I usually spend the next 8 hours or so watching CCTV monitors.
Q. So, you watch monitors with software and code? Interesting.
A. No. I watch monitors of people coming and going in different hallways. There's this little hottie secretary on floor 5 in the XP wing that's really got a nice..
Q. What? You're just a security GUARD and not a software security expert?
A. Yeah, who the hell told you otherwise? Well this was real fun and all but I gotta get back to watching the bathrooms.
As of Dec. 20, 2001, the total number of published security bulletins is only 58 compared to 100 in 2000 and 60 in 1999. This year, there are 4 cumulative patches so the actual number of published security threats is around 54.
.NET server hopefully will do better than W2K servers.
The last 3 security vulnerabilities for XP relate to IE, Windows Media, and USB plug and play feature.
I should say that the products of Microsoft are just becoming mature right now. It is unfair for Linux and Unix since they I believe they have been ages before Microsoft introduced Windows. So it terms of maturity, Linux took years just as Microsoft is.
Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products. And most people even some *nix guys say that WindowsXP is actually more stable than ever.
It is also noteworthy to say that the base OS of Windows is getting more secure. It is just the apps integrated with the Internet that have most of the security threats like IE, Outlook, Office. For the servers in W2K, the services are the ones problematic and the user has the freedom to deactivate some and use an alternative. Like in Linux, the same thing applies where a server may use the services from different publishers.
I am not saying that Microsoft is good or anything but I say that comparing Windows (PRO/HOME) and Linux/Unix is like comparing apples and oranges. They are built for different purpose thus designed differently.
In the server arena, I think that it is only in Windows 2000 that they released their 1st server OS and not in Windows NT 4.0. Their Windows
Live your life each day as if it was your last.
Q: Capacity issues...
A: Right.
Howard failed to see the sarcasm in Paul's response - he's being totally irrelevent in answering Paul's question. Paul asked you security in telecom not freaking capacity issue!!!
Talking about we ain't got enough clueless people to run the security....
So that makes him a good cop. Good at the "reactive role", lousy at prevention. Explains the MS model of security perfectly.
It is worse: [quote]"If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?"[unquote]
Yes, for god's sake it is, and all I might add is that every company has the CSO it deserves.
A World in a Grain of Sand / Heaven in a Wild Flower,
Infinity in the Palm of your Hand / And Eternity in an Hour.
We've all been saying that Microsoft should improve their security, but all the time Microsoft has! Here, have a look at what he says:
I added the emphasis, but look at it! They are securing their assets. He lists security in product development is an afterthought.
So now you know why they are so anti-piracy: they are securing their products.
Microsoft's head of security
Isn't that like the taliban having a minister of women's rights?
Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
Q: [...] Explain for us a little bit how security fits into the Microsoft corporate structure.
:)
A: I think security is recognized as the number-one priority across
the company. That goes not only to operational security and securing our
assets, but also to product development. [...]
Perhaps I'm not reading this right, or reading into his wording too much, but it seems they put more effort into securing their company instead of securing their product? That explains a few things.
Is this how it's always been, or how it's going to be? hmmm....
As I understand it, the pressure vessels surrounding nuclear reactors are strong enough to contain a severe meltdown within- this also makes them supposedly strong enough to withstand an airliner impact.
Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
>[quote]"If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?"[unquote]
You are responsible for the consequences of your actions.
That goes for leaving keys in cars because you're a dumbass or creating lousy software that constantly gets exploited because you're a dumbass.
As we all know, one of the greatest things about living in these here United States of America is that you never have to take responsibility for your actions even if you are a moron (or Microsoft).
1) As Multics taught us, security with significant hardware support is significantly easier to do than without. A result of this is that we need to be asking Intel (etal) about help (like tagged memory blocks) in hardware. It really is time that we got away from just the stale VonNeuman ideas that Mr Cray graciously gave us in the 1960s and 1970s.
2) Once the hardware exists, then we can move to implement better O/Ses that are significantly more robust. Everyone will win, even MS.
-- Multics
have a look at the OpenBSD homepage... OpenBSD "Four years without a remote hole in the default install!"
And Damn proud of it too! Perfect Secrurity does exist!
For instance. Even with all the security patches Microsoft has provided with IIS, their FTP server is still insecure. How do I know this. Because some warez dudez managed to use my server, even though I had applied all the patches and set the FTP directory to be read only.
Now, if this ever happens to you, let me tell you, these guys play a dirty trick so you can't easily delete their directory. They name their folders with names that cannot be deleted the normal way, names like COM1 or DEL, names that are reserved somehow when you try to delete the files and folders.
The amusing thing about this is that the only way to get rid of these files is to install the posix utilities and use rm to get rid of them.
Now here's the kicker. If you use rm -r CO* to get rid of a directory called COM1 you might find out that this directory is really called "COM1\
Yes, I perform backups, so I proceeded to restore the files. But insidiously, SQL Server on the same machine refused to run, because it felt the installation had been corrupted. I basically had to figure out how to trick it into running again, because(another hideous design fault) you can't just uninstall SQL server and reinstall it and hope your data directory is OK. I had no way of doing an up to date backup of my data on this machine. So I had to trick it into believing it wasn't a corrupt installation, or I would have lost data.
Now, how many things can you count that would have never happened with an open source system. You certainly wouldn't have files with the latter part hidden. You can back up data directories to completely different servers by simply copying the directory. Its very easy to drop in other FTP servers without loss of functionality. And there is certainly nothing that will stop a program from running if all its files are there and the execute permission is set.
All, in all, I had a very frustrating experience that never would have happened with a Linux system. With Microsoft, its their way or the highway, and you can't change things or fix them when the design is bad. Rather than the user dictating what the software does, Microsoft dictates to you how their software will work. Because of that, closed source is less flexible and configureable, is less managable and nimble, and therefore cannot respond nearly as well to any number of problems, including security.
No, Thursday's out. How about never - is never good for you?
Gotta LOVE this exchange ...
...
Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?
A: I think that picture has changed. Once again, we've been developing stuff based on ease-of-use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault?
Okay, but what if the manufacturer ships the car with the keys attached to the steering column with a chain,because THAT way I don't have to worry about losing the keys? Now I have to find out (from someone other than the manufacturer, since the manufacturer's customer support staff is clueless) how to detach them. NOW is the manufacturer responsible, in any way, when my car is stolen?
utter rubbish
This is Microsoft for gods sake. Think real hard, look over the last 20 or thirty things some top level MS exec said in public. Find one interview, statement, debate, press release or anything that did not contain at least one lie. I dare you.
Every corporation has a culture. The culture MS has chosen to develop is one of lying, cheating and stealing.
War is necrophilia.
that everyone keep quiet if they see a fire in a crowded apartment building because, horror of horrors, people will actually try to save themselves rather than waiting for the MFD to come and save them (market forces permitting, of course).
Goddamn, you're a comedic genius.
C:\
C:\DOS
C:\DOS\RUN
Number 1. Adding new product features
Number 2. Getting products on the shelves
Number 3. Security
The reason for this is that people can't tell whether a product is secure by looking at reviews or even trying it out (and they sure as hell can't tell by looking at a shrink wrapped box). So, there are very few dollars in it short-term.
Longer term, issues of reputation kick in - and Microsoft are finding that their poor reputation in this area is now biting them, especially as they move into net services.
Unfortunately, turning an entire corporate culture around on a dime is not possible. Even if it was, there's way too much legacy software around, requiring compatability. It will therefore be some time before their product security is all it should be.
"Well, put a stake in my heart and drag me into sunlight."
Heh
.. I must remember that :)
But indeed, I didn't know that this kind of posts worked so well
(yes, I was honest, no, I won't be in the future)
--
If code was hard to write, it should be hard to read
digital rights management operating system protects rights-managed data, such as downloaded content, from access by untrusted programs
To protect the rights-managed data resident in memory, the digital rights management operating system refuses to load an untrusted program into memory
If the untrusted program executes at the operating system level, such as a debugger, the digital rights management operating system renounces it's trusted identity (it lobotimizes itself)
To protect the rights-managed data on the page file, the digital rights management operating system prohibits raw access to the page file, or erases the data from the page file before allowing such access.
operating system also limits the functions the user can perform on the rights-managed data and the trusted application
provide a trusted clock used in place of the standard computer clock
It's good to see Microsoft finaly getting tough on security!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Let the technicians rise up and overthrow the reign of the marketting and accounting global hegemony!
All will code according to their ability and run programs according to their need!
And while we're at it:
"As long as the app fires up, it can be released. We'll let the customers be beta testers."
Isn't that the whole way OPEN SOURCE works??!?!? Open source releases software with numerous more bugs but has a very broad test cycle. I feel confident with open-source solutions with the commonly used apps, but to be honest (and maybe it's just me) I don't have that much confidence at all in some of the most obscure and rarely used packages that hang around in woody or potato.
How do you clap your hands thrice when your holding a couple of grocery bag?
The nice thing about standards is that there are so many to choose from. - ast
i think i will go for the chief of security job too :P
That has to be the most cluefull AC post I've seen here ever, wish I had points to rise it above 0!
I agree that it would be an extremely bad idea to use NT / Windows 2000 for anything that is mission critical (such as running a semaphore network), and that would be a misuse of the product, but there are plenty of proper uses that can produce really bad results due to software failure, and companies should be held accountable for these failures.
Overcaffeinated. Angry geeks.
BIND
wu-ftpd
Open-SSH
TUX HTTPD
lpd
SYNcookies
Lion
Ramen
Torn
Adore
etc...
We get several attacks from compromised LINUX boxes every fucking day of the week!
gee, that Microsoft software sure does suck...
Some guy once said "Let him who is without sin cast the first stone."
Do you see what I'm getting at here?
"Information wants to be paid"
With software, testing starts at the requirements stage. When you have captured the requirements you then force the customer to review them. You don't just get them to sign off documents, because they will happily do that without reading them. You get them to sit through a presentation. The same applies after the functional specs and you cross check the functional specs against the requirments.
All this before you have written one line of code!!!
As regards exploits if you code defensively against exploits, you will produce better code. You should never trust data that hasn't come out of a checked process and only through a failure-free path.
I also agree that Writing Solid Code by Steve Maguire is a good book. It is a pity that Microsoft seems to regard the practices described in these books as a luxury!!!!
See my journal, I write things there
Nobody can access my computer then - pretty neat, eh?
Seriously, 2K is much better than NT was but I wonder whether Microsoft actually knows what computer security is? We were taught the initials C.I.A. That is Confidentiality, Integrity and Availability.
It doesn't matter how a product fits into these categories as long as the customer knows what it is being provided. If you are selling a system and application to a customer and telling them that they can bet their business on it, then it had better not go down every other day or let the whole world and their dog every time you connect to the Internet.
See my journal, I write things there
1. Marketing != PR
2. Marketing != advertising
3. Marketing != reactive
Marketing is about Product, Price, and Position. It proactive and its scientific, what Microsoft confuses with Marketing is like confusing Socialogy with sleazy used cars salesmanship.
What they need to do, like the vast majority of corperations is completely seperate Marketing from advertising, and accounting. Real Marketing is much closer to R & D and should have a closer relationship to product developement than any other department.
1. Product needs work I think the real market has slipped out from under them.
Security, Stability, Speed in that order is where the market seems to be heading. Less consern with feature creap and more attention to make basic functionality rock solid and easy to use.
2. Price, who can beat free? that's what the consumer pays; after all it comes on the machine, very few people write a seperate check. Businesses on the other hand are kicking and screeming over liciensing costs lately. I guess they are tired of subsidising the consumer grade product. I chuckle when some suit says "open software is worth the price you pay for it." when their company is running 2K oem M$ licienses.
3. M$ has position down pat; they're everywhere.
Apocalypse Cancelled, Sorry, No Ticket Refunds
It's not about security.
It's about functionality.
The people chose functionality,
so Microsoft gave them that.
Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products.
The reason Win2000 has "only" 2 SPs and NT4 has 6 is not better security, but quite simply the time these products have been on the market. The longer the product's life cycle the more updates you have to make. This really can't be taken as a sign of maturity of *new* products.
All Rights Reversed.
uhm... grossly misinterpret what he was saying, why don't you?
context, please. he was NOT implying he would not be at fault in that situation.
Microsoft itself is a major problem when it comes to security...
Let's give some credit where credit is due. Criminals are a major problem when it comes to security. Yes, it should be Microsoft's responsibility to produce a secure product, just as it should be every CIO's responsibility to make sure their deployments are secure.
But it's also law enforcement's responsibility to track down and punish those who get around -- or even attempt to get around -- any security holes.
If I build a vault, then accidentally drop the combination out on the street, you're still breaking the law if you come and steal something from it.
If I build an incredibly secure vault, and someone finds you outside it with a crowbar and explosives, you'll still get arrested even if you didn't steal anything.
Yet there's very little discussion here of what law enforcement agencies do (or don't do) to track down and punish e-criminals.
Is it a lack of faith in the ability of law enforcement?
Or an assumption that e-criminals are somehow exempt from laws guarding property?
You'd expect the police to do everything in their power to catch someone who burned down your home... why not expect the same if they crack your servers?
Microsoft's argument is "any popular OS will have viruses, so we might as well all run Microsoft software". But what we really need is a dozen substantially different operating systems with equal market share. Then, viruses will have virtually no chance of doing much damage.
As an aside, the term "Linux" itself stands for many different distributions, often with largely disjoint vulnerabilities, so several Linux distributions could make it simultaneously in the marketplace and still give people the benefit of diversity. Microsoft actively aims for standardization and a single code-base. In fact, the term "Linux" doesn't even really stand for a single OS, while, with XP, "Windows" pretty much does.
Linux will not dominate the market, and I don't think it should. But, on balance, I think we'd be better off if shared the market equally with Windows and if there were several other big players, including some that actually innovate a bit.
...you have to remember that a correctly behaving browser will presume that a file is whatever MIME type the server sends it.
Internet Explorer is the only browser I know of that tends not to trust server-given MIME-types. (IE loaded PNGs from a malconfigured server that Netscape 4.76 and 6.1 refused to touch.)
What's this Submit thingy do?
You know, I was thinking.... maybe it's within their agenda to release poor insecure applications. Everyone hates M$, and so goes out of their way to find security flaws in their programs... so they don't have to.
Think about how much money they save not having to security test their products, cuz they know that the moment it's released, it's gonna be pounded on by all the Microsoft haters. Sure, they pay the coders to fix the problems that are released in the press and submitted to them, but testing is a HUGE expense for software companies.
They have a huge market share, and are pretty locked in to the corporate desktop... do you know how much proprietary middleware there is in the corporate world for MS Word and Excel?? And large corporations, where M$ gets most of the cash, never upgrade right away, they wait until the kinks are worked out (usually a couple years - Certain parts of the NASD was still using Windows 95 in 2000!). Thus all the individual users and hackers have already pounded the crap out of the software for them.
All I'm saying is, it may be purposeful? Thoughts??
"BadTimes will make you fall in love with a penguin" - Laika
I'll probably be quoting that somewhere, if you don't mind.
You're right of course - all I was trying to say was that only testing the finished software product, and only then by usage testing, is a poor development methodology. I wasn't intending to imply manufacturing does do that either, just that in my mind a manufacturing process has a more concrete 'finished product' - I get the impression you might have some ties to that part of industry :)
It's interesting to read in Writing Solid Code that before the practices in the book were made standard across MS, they had products cancelled because of runaway buglists. The book was published a few years ago now, so all current products were theoretically built using those methods, yet there are still some pretty fundamental mistakes being unearthed - use of a good libc would expose a lot of the buffer overrun problems that IIS has had, for example.
"don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
Let's see... The very first release of the Linux kernel was introduced in 1992. Windows 3 was released in 1990.
Of course, that's not a very fair comparison -- Windows 3.1 had much more functionality than Linux 0.01, and came from an older code base including DOS and earlier versions of windows.
Someone else has already addressed the falsity in the comparison of number of service packs.