Interview With Microsoft's Chief of Security

Paul Coe Clark III writes: "I interviewed Howard Schmidt, Microsoft's head of security, questioning him about, among other things, cyberterrorism and Redmond's responsibility for insecure features in the wake of many virus attacks. /. readers might find it interesting. They can find it here."

Re:They're trying

[(H)elix1]

Apparently MS realizes they made a wrong decision in their approach to security (trusting the sysadmin's dilligence), and they are making strong strides to change this now, and in the future.

You think they are making strides to clean this up? Looks like patching the PR to me. Take a look at this...
MS rolls out security obscurity bribe program


Code of Conduct:
Microsoft Gold Certified Security Solutions Partners are leaders in the security industry, not only in their products and solutions, but also in their standards of behavior. All Microsoft Gold Certified Security Solutions Partners shall follow a code of conduct regarding the responsible handling of security vulnerabilities. This code of conduct is intended to allow a product vendor to address any individual vulnerability and issue a patch, workaround or other response to the public. Microsoft Gold Certified Security Solutions Partners shall take reasonable steps to ensure that they do not publicly disclose details that would directly allow an outside party to develop or execute an attack exploiting the vulnerability.

comparing Microsoft's performance over the years

[john_uy]

As of Dec. 20, 2001, the total number of published security bulletins is only 58 compared to 100 in 2000 and 60 in 1999. This year, there are 4 cumulative patches so the actual number of published security threats is around 54.

The last 3 security vulnerabilities for XP relate to IE, Windows Media, and USB plug and play feature.

I should say that the products of Microsoft are just becoming mature right now. It is unfair for Linux and Unix since they I believe they have been ages before Microsoft introduced Windows. So it terms of maturity, Linux took years just as Microsoft is.

Like in service packs, the Windows 3.51 had around 13 (or more if I remember correctly.) Windows NT4.0 had 6 (the 7th was not released officially.) Windows 2000 now has 2 (and they are releasing SP3 Q1 2002.) There is WindowsXP although there is no SP around (I believe it may be in the alpha stages.) The number of service packs that is released actually decreases due to the maturity of their products. And most people even some *nix guys say that WindowsXP is actually more stable than ever.

It is also noteworthy to say that the base OS of Windows is getting more secure. It is just the apps integrated with the Internet that have most of the security threats like IE, Outlook, Office. For the servers in W2K, the services are the ones problematic and the user has the freedom to deactivate some and use an alternative. Like in Linux, the same thing applies where a server may use the services from different publishers.

I am not saying that Microsoft is good or anything but I say that comparing Windows (PRO/HOME) and Linux/Unix is like comparing apples and oranges. They are built for different purpose thus designed differently.

In the server arena, I think that it is only in Windows 2000 that they released their 1st server OS and not in Windows NT 4.0. Their Windows .NET server hopefully will do better than W2K servers.