Slashdot Mirror


Microsoft to Focus on Security

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

43 of 720 comments

  1. Standard Corporate Security Policy by ZenJabba1 · · Score: 5, Insightful

    After reading the article, and also having my Microsoft account rep call me up after I have told her that I won't be installing my "enterprise" (every time I say that word, my whole team breaks into the ST:TNG theme song), because the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...

    Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to do!

    Grrrr, too many NT crashes, not enough intelligent techs to figure out what went wrong, other than.. oh just reboot!

    --
    `find / -name "*your_base*" -exec chown us:us {} \;`
    1. Re:Standard Corporate Security Policy by phidipides · · Score: 2, Insightful

      The typical Slashdot post seems to assume that Microsoft will fail because they have not succeeded in the past. That's a really dangerous attitude -- the same attitude probably prevailed when Internet Explorer 1.0 came out, but now web logs show that some IE variant accounts for 95% of traffic. Never mind HOW Microsoft achieved this result, the fact is that they DID achieve it because they made a commitment to be successful at all costs.

      There are a lot of intelligent people working for Microsoft, many of whom are management and are capable of focusing resources when required to do so. Say what you will about their code quality, their business practices, and their tactics, but don't dismiss them lightly...

    2. Re:Standard Corporate Security Policy by Waffle+Iron · · Score: 5, Insightful
      current directive in Redmond is for all product groups to sweep the entire code base for security-related bugs.

      Problem is, that's not going to do a lot of good if these people don't have the experience to spot security bugs in the first place. The potential universe of exploits is huge, and it includes interactions between components written by different groups. I doubt that they even have the talent base to do this job effectively.

      It's possible to create an OS that's secure out of the box; OpenBSD is an example. Now Microsoft wants to get to the same place, but with orders of magnitude more code, a small fraction of the time, and next to zero corporate security culture. This is beyond "trying to have a baby in one month". This is more like putting 5900 women in a room and trying to get a baby in one hour.

    3. Re:Standard Corporate Security Policy by Rooktoven · · Score: 2, Insightful

      I'll do that.

      Their code quality is mediocre, their business practices unethical, and their tactics despicable.

      One dismisses them as one dismisses something that threatens one's very freedom itself.

      Of course that may not mean much in America...

      --

      Acquiescence leads to obliteration
    4. Re:Standard Corporate Security Policy by whereiswaldo · · Score: 3, Insightful

      Here's the real deal, IMO:

      Microsoft's brand name is going down the crapper - faster than you can say "Flush". They MUST do something about their lax security image, or it will only get worse. Read on...

      Probably every IT magazine has blasted them about their security practices. People everywhere think Microsoft's security breaches are a joke these days.

      What's making them pedal even faster is that Linux is breathing down their neck and getting more and more mainstream. I find a lot of irony in this. Why? Microsoft crushed Netscape and many other companies by giving software away for free. They can do this because they have a huge bankroll and don't need the extra revenue of addon products. Linux is free, too... this hits them dead on where it hurts - their OS market. It was said many times during the Netscape vs. Microsoft browser war "you can't beat free". Only now, Linux and Open Source have something better than a large bankroll. They have practically unlimited development capacity. WAY more than Microsoft's thousands of engineers. They also have the hearts and minds of hundreds of thousands of developers around the world. They have goodwill. They have quality and security far superior to Microsoft.

      I believe this is the way. Eventually everything gets commoditized. The operating system is next. Microsoft - the ride's just about over. You know it because you're digging your claws into just about every market you can. You're differentiating. Not everyone is buying your differentiated crap, though, are they? Your reputation will follow you wherever you go... remember that.

  2. Y'know... by Anonymous Coward · · Score: 2, Insightful

    ..."Trustworthy Computing". This sounds suspiciously like a buzzword-name for digital rights management, especially after that paper on making an OS that prevents anything unauthenticated from getting at secure content.

    Anyone else notice this?

  3. uh micheal? by jeffy124 · · Score: 2, Insightful

    m:
    the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    It's not a security problem to have a number assigned to you, it's a privacy problem.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:uh micheal? by Graymalkin · · Score: 3, Insightful

      Websites with some simple scripting can also track you with cookies and static IP addresses. Neither of these methods needs any more software than a browser on the client's end. Besides that, a GUID for Media Player has little effect other than to allow tracking of the computer it is installed on. Getting the GUID from WMP isn't going to get anyone access to any of your personal fucking information like a SS number is.

      --
      I'm a loner Dottie, a Rebel.
  4. Hhhmmm... by yamla · · Score: 4, Insightful
    Well, after all the ribbing, we have to give Microsoft some credit. There was no reason to believe that Windows XP actually was designed to be secure. Certainly, recent events have shown otherwise. But this really could be a change for the better.

    However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.

    But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?

    --

    Oceania has always been at war with Eastasia.
  5. Actually an interesting announcement... by Steve+G+Swine · · Score: 4, Insightful

    Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.

    I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.

    Hey, I'm just sayin'.

    --
    "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  6. Re:That GUID on WMP? Yeah . . . by Rubbersoul · · Score: 2, Insightful

    You make a good point that it can be turned off, but how many "normal end users" of Microsoft products are going to know this. It is not you or I, or for that matter anyone on /. (for the most part ;}) that I am worried about here. It is the people that do not have the first clue about computers, or security, and think that AOL is the internet that I am concerned about with security issues such as this one (and the countless others).

    --
    man .sig
    No manual entry for .sig.
  7. If.. by AnalogBoy · · Score: 5, Insightful

    If Microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because it's the godhead of this entire forum), what would we do?

    Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will /. topics get more sensational?

    MS Press Release:
    "Microsoft released a patch today to save 15K of RAM in explorer.exe"

    Slashdot:
    Microsoft wasting gobs of memory for extra red-dot in windows logo.

    Personally, I say good for Microsoft. Microsoft, right now, is an integral part of so many organizations, and admittedly they have security problems; they could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)

    Just my $0.02, Refundable with a $2.00 restocking fee.

    1. Re:If.. by Junta · · Score: 2, Insightful

      One point, even if they do produce reliable, secure code, doesn't mean they are no longer the evil empire, they are the evil empire with better stuff :) They are the evil empire because they want to control a lot more than they should, and while this is no different than most other businesses, they are much closer to success... But then again you probably already knew that, just didn't think about it... Of course, AOL-Time-Warner is at least as scary as MS, if not more so now, IMHO...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:If.. by vondo · · Score: 5, Insightful
      I find AOL/TW less scary than MS, at least on a personal level.

      Sure, I watch CNN. Maybe I pick up Time occasionally, but I'm aware of who they are and what they are doing. If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me. (Of course it affects the society around me.)

      Maybe I don't hear the incessant ads for AOL on CNN, maybe I have to use a smaller ISP. I think I can live without those things.

      Microsoft, on the other hand, by trying to extend its monopolies, is targeting my ability to communicate with other people. I can choose not to run Powerpoint or Word, but if 90% of the people around me only speak that "language" I can't see what they're saying. I can choose not to run IE, but if I can't read half the web because of it, I've lost. If I choose not to use Windows Media Whatever-it's-called, I might not be able to hear the music I want to. And of course if I choose to run Linux, I can't even choose not to use all these MS products.

      When this happens, I've not just lost out on being able to use MS's products, but on a larger part of my world.

      AOL/TW is trying to control the content. MS is trying to control the underlying language. I find MS's intrusions more threatening to my lifestyle.

    3. Re:If.. by mjh · · Score: 5, Insightful
      If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux ... What would we do?

      Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."

      Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanaticism about it. If better software comes along that costs money, I'll buy it.

      How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    4. Re:If.. by Paul+Komarek · · Score: 4, Insightful

      Microsoft has a lot to overcome to stop being the Evil Empire. The problem is that there is nearly no good will, benefit of the doubt, or trust left for Microsoft. They've screwed everyone multiple times. That includes business partners, OEM customers, end-users, you-name-it.

      Ballmer said they have a "popularity bug". It's no bug, it's by their own design. They've earned their place in the hall of shame. They want to win everything, regardless of what's good for the people around them. Some people call that "hardball", but I call it antisocial.

      The question, then, is why should we believe Microsoft is really going to change anything? Why isn't this just another publicity stunt? They've lied to everyone many times, including falsification of evidence in a US court of law. If Microsoft magically transfigured themselves into a perfect company today, it would still take many years before I would trust them.

      -Paul Komarek

  8. They're serious about fighting Open Source by eric434 · · Score: 3, Insightful

    They're doing their best to attack open source; from buying SGI patents to kill OpenGL to this new initiative to cut off the age-old argument that open source is more secure (at least on the PR front...) and all the rest. I guess they really do see open source as the number one threat...

    What I really hate to see, however, is that we're not doing too much about it. In fact, the only new thing is Lindows, and I sincerely hope they live up to the hype. Unfortunately, Microsoft has realized that Joe Average Consumer *doesn't care* about anything that is not the easiest way to go; even in the server market the PHBs will stick to MS until they see something like the Gartner Report or the FBI declaring Windows XP to be insecure (or whatever).

    IMHO, a good part of the Open Source world needs to focus on making Linux a real competitor on the desktop market; such as idiot-proof install programs that need *NO KNOWLEDGE OF PARTITIONING* (and just ask, "do you want to install Linux on separate hard drive, or should I resize your Windows partition to X gigabytes and install it on this hard drive?") and autodetect hardware (X Windows configuration is a *REAL* pain in the derriere if you don't know much, if anything about computers, for example) and whatnot. In order for Linux to be a real competitor for the computer of Joe AOLuser, it should take advantage of almost (or as much or more) autodetection/idiot proof default settings as Windows.

    Now I know, I know, we aren't after Joe AOLuser, but in order for manufacturers to keep making Open-Source compatible hardware, THEY NEED MARKET DEMAND. It's far easier to cave in to Microsoft if it means losing 5% of sales (to hardcore geeks) than if it means losing 50% of sales (to Joe Average User). And yes, I just pulled those figures out of my hat, but I wouldn't be surprised if they were true.

    --
    This .sig temporary until a better .sig can be constructed.
  9. Security risk? by Speare · · Score: 4, Insightful

    Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    It's not a security problem. It's a privacy problem.

    If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.

    --
    [ .sig file not found ]
    1. Re:Security risk? by jayed_99 · · Score: 3, Insightful

      You're thinking about "computer security" (passwords, arbitrary code, etc) which is a subset of "information security".

      Information security is the protection and preservation of any data/information about or in the possession of an organization. One way you protect your information is through good "computer security". However, good IT security departments are also concerned with (among other things) backups, contacts with law enforcement and press agencies and legal issues. None of which appear to fall into your definition of security.

      It is common for system administrators and developers to view "security" in the context of "computer security." Paranoid IT security trolls [TM] usually adhere to the second view.

      Privacy is also a subset of information security -- think about the relationship between privacy, information and social engineering for a minute.

      I'm not saying that in this particular case that this privacy breach is an invitation to massive social engineering. I am saying that privacy issues are security issues.

  10. "Trustworthy Computing" is an Innovative Term by guttentag · · Score: 4, Insightful
    Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". ... Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users.

    "Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")

    Anyone remember Bill Gates's deposition in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.

    In this case, "Trustworthy Computing" means "convincing computer users that they don't have to worry about security... that they can trust MS."

    1. Re:"Trustworthy Computing" is an Innovative Term by johnnyb · · Score: 3, Insightful

      Actually, what will happen is that Bill Gates will act like he invented the concept of secure computing. And the media will believe it, just like they believe he invented the browser, email, the internet, and web services.

      Have you seen how much hype has gone into web services, with Microsoft acting like they were the first ones to the table? Arg.

  11. You should be afraid... by tswinzig · · Score: 5, Insightful

    The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.

    I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.

    How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.

    Extrapolate amongst yourselves.

    Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?

    Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?

    --

    "And like that ... he's gone."
    1. Re:You should be afraid... by djrogers · · Score: 5, Insightful

      Adding functionality to an OS is much easier than adding security. There's nothing magic about building a web server or browser, and giving them away/bundling them makes it quite easy to gain marketshare. Note that everything you mention in your e-mail has been involved in HUGE security holes...

      --
      Think outside the... Hey, where'd the friggin' box go?
  12. Re:That GUID on WMP? Yeah . . . by blakestah · · Score: 5, Insightful

    Normal slashdot staff overreacting again. You can turn that ID off.

    The defaults are everything. Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop (IE), and no other browser is allowed to be there? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons?

    This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.

    Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.

    Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...

  13. Get it right. What MS means is... by Zapdos · · Score: 2, Insightful

    That the digital rights management scheme will be uncrackable, and you will not be allowed to play that digital media stream more than once. Not that the machine will be more secure.

    Security to their customer base does not include you. Only large corporations who want money each time you listen/see/smell/touch/etc something.

  14. security, programmers, human nature... by Chris+Canfield · · Score: 5, Insightful

    It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.

    Properly securing products isn't fun.

    Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.

    Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."

    All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.

    Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.

    --
    This Sig is a mnemonic device designed to allow you to recognize this author in the future.
  15. Microsoft can do this if they want to by Animats · · Score: 3, Insightful
    Microsoft can do this.

    First, Microsoft has finally flushed the security-hopeless operating systems (DOS, Win3.5x, Win95, Win98, WinME) out of their product line. The current product line is Win2K and XP, both of which have reasonable underlying security machinery. It's not well-used, but it's there.

    Given a reasonable underlying OS, it's quite possible for Microsoft to arrange things so that all executable content executes in a "jail". More generally, a security distinction has to be made between what the user is doing and what external content is doing, and the OS kernel has to enforce this.

    If MS does this right, it won't matter if IE has security holes, because trouble will get no further than the current IE document.

    We're all going to be doing a lot more forking and IPC.

  16. Of course they're serious - they want to be a bank by Anonymous Coward · · Score: 1, Insightful

    Would you trust a bank that got robbed every week? Of course not.

    Microsoft wants to take a cut off every transaction on the web. They want to be a front counter to the banks and the insurance companies.

    People won't trust them to do this unless they are perceived to be secure. It'll take them years to get this right, but their future plans rely on this, so sure they'll start to do it. Their plans for hailstorm and .net rely on them being trusted.

    *offtopic*
    Once they are a portal for banks, this is what will happen. One Friday afternoon MS will buy a small bank somewhere. That weekend all their customers will get a button on their bank login "Press this button to transfer your funds to MS bank for a 5% drop in your credit card rates". The banking industry will come into work Monday morning to find all their customers gone. The moral: never outsource your link to your customers

  17. Here's another spin... by hacker · · Score: 2, Insightful
    Has anyone actually thought of the Open Source implications of this? Before you mod me down, please listen.

    What if, by pursuing this "Trustworthy Computing" avenue, the existing Microsoft customers begin to believe in Microsoft. They rally around the "vision", and start extending it.

    "Yeah, let's make sure all software has to be 'Trustworthy' too!"
    Now a committee is created to "audit" all released software (funded by guess who), and Open Source software will now be subject to "approval" by a committee, probably via a pay-only system of review applications. Now this slows the release of Open Source software to a crawl, or stops it altogether, because most of us do not get paid for our work, nor can we afford to submit our releases for review. If we can, we're going to be damn sure to close every hole, therefore slowing down the frequency of releases.

    I, for one, hope this is not their intent, but Microsoft has always had an ulterior motive with every single action they've taken. Having Bill Gates declare it so publicly and firmly leads me to believe he has some other motive here.

  18. re: "We're finally concerned" Security Propaganda by Anonymous Coward · · Score: 2, Insightful

    This is most likely nothing more than the prelude to a new product line, imagine the possibilities...

    M$ Firewall Pro, M$ Firewall Enterprise,
    M$ Secure Server XP Advanced, M$ Antivirus,
    M$ Secure Outlook, M$ Secure Browser,
    M$ AntiHack Pro Deluxe, M$ IIS, Secure Edition

    On the other hand, probably not.. that would be an admission that their software wasn't secure to start

  19. A slightly different view on this... by rediguana · · Score: 4, Insightful

    Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.

    Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.

    IT must be damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critical infrastructures.

    Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.

    MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.

  20. Re:Come on now... by sql*kitten · · Score: 4, Insightful

    We should know that this is more than just a simple PR move by Microsoft. I mean, don't they normally release information to the press in order to let their employees know how they're changing their focus?

    The last time Microsoft made an announcement like this, they refocused the company on the Internet, and started hammering out MSIE into a Netscape-killer. For all his faults, once Gates and his people get an idea in their heads, they can turn on a dime and they won't stop until they do what they want to do.

  21. Take this seriously by lateral · · Score: 3, Insightful
    The /. community have been crying out for Microsoft to take security seriously for a long time. Now that they have decided to do just that you think the community might be pleased, or just a little relieved. Apparently not. It seems MS will get a bashing even when they do what we want.

    There seems to be a feeling that MS aren't doing this sincerely. Maybe they're not but we can't possibly know that yet. I think there is every reason to believe they will go through with this. Does anyone remember what happened when Bill Gates realised his company had taken its eye off the ball by ignoring the internet?

  22. Re:Come on now... by uebernewby · · Score: 3, Insightful

    Agreed. Sure, Bill and his minions may usually end up the last people to "get it" (*starting* to think about the internet in 1995? sheesh), but like you said, once they've put it into their heads to do something, they'll get it done. Just don't expect results any time soon (witness the tediously long time it took to turn MSIE into something useful, or how many versions of windows were released before they managed to build one that didn't suck).

    --

    News and bla for computer musicians: http://lomechanik.net/
  23. How long will it take... by ignavus · · Score: 2, Insightful

    ...MS to declare that the major security threat lies in other vendors' software and other OS's? After all, they used Win95 to kill off DR-DOS ("it isn't really compatible with the special code we added to Windows")

    Then they will argue that they have to close up everything to bring about security: "Only MS products are really safe with MS Windows. Only MS protocols are secure."

    Then the Big Lie: "you are only safe with us"

    --
    I am anarch of all I survey.
  24. Re:timing? by Tony-A · · Score: 3, Insightful

    "Security Features" is too much like putting a steel security door on a tar-paper shack. Looks impressive, but there are too many ways around it. OpenBSD's security doesn't come from "features". It's there because they've taken the trouble to secure the perimeter.

  25. Culture reflects the management's attitudes by D_Fresh · · Score: 2, Insightful
    Bill Gates' personality is clearly reflected in the behavior of MS as a corporation. Does not play well with others, extremely self-centered and competitive, paranoid, and more interested in dominating the marketplace than producing a quality product at the outset. Gates has always been late to "wake up" to what everyone was talking about (or criticizing MS for) because he is intellectually arrogant enough to believe that he's right all the time.

    What would MS have been like if a Gatesian personality had not been at the helm? Possibly not the MS we've come to love. Added attention to security now is obviously not any kind of move in the "right" direction, but instead just a CYA maneuver now that Bill's finally awakened to the fact that their security concerns could be enough to bring the whole house down unless they pay some attention to them. But he cannily waited until the problem was bad enough to be worrisome - had he been more community-minded he would have attacked this more seriously a long, long time ago.

    Kind of makes you wonder what will happen to MS once Gates has removed himself entirely. Will they begin to play more nicely with others? (Insert Ballmer monkey comment here.)

    --

    Was that out loud?
  26. Microsoft does not consider it a security problem. by 4of12 · · Score: 3, Insightful

    That part is really central to the problem.

    Microsoft has been the dominant player for so long now (what, about 15 years?) that it has become complacent and arrogant. They can say, with all credibility,

    "Standards? We are the standard."
    even if it grates on the ears of their competitors and users.

    There are definitely some brilliant people working in Redmond, but if they are managed by the same people that bred this culture of arrogance, then only rare glimpses of that brilliant work will be revealed to the world. Most of that good work will be muffled and warped beyond recognition under various business practices such as supporting Windows, leveraging Office, promoting .NET or whatever the fad (cf, Trustworthy Computing) of the day happens to be.

    The sooner that megalithic company is split into smaller pieces the sooner it will have a chance to bring genuinely good products to the marketplace.

    --
    "Provided by the management for your protection."
  27. makes sense by Magius_AR · · Score: 2, Insightful
    Such a shift makes sense, I was wondering when Microsoft would get around to it.

    They've dominated the market for years, mainly because they were there first, but also because of usability/convenience factors. People put such things above security (and most likely privacy). They want something that works easily with little effort or configuration that does what they need it to. Windows has always been that.

    On the other hand, no real OS of the time could really equal that level of user-friendliness and simple interface that Windows offered. As times are changing (and many people are figuring this out), a vast shift in many UNIXes has been towards developing a friendlier interface (Windows' strong point). It only makes sense that Microsoft should shift its goals towards security and stability (UNIXes' strong points). Basically, if Microsoft gets there first (stability, security, AND an easy UI) before any of the UNIXes gets more firmly cemented in the market, it will become _drastically_ harder to get people to switch over.

    Magius_AR

  28. And Arthur Andersen is focussing on Honesty! by shanelenagh · · Score: 2, Insightful

    To quote from the 80's Wendy's commercial:

    "Where's the beef?!"

    Gee Willekers, Bill Gates is using his bully-pulpit with the press to announce that Microsoft is going to do something that all of their customers have been _wanting_ them to do for aeons. This is about as pressworthy as Larry Ellison advocating a gigantic national database -- running Oracle software.

    This "leaked" email is rather silly. The press should have more restraint in printing patently self-serving "inside scoops" like this. Microsoft is insanely rich -- make them pay for their marketing.

    Shane

  29. Re:Writing Secure Code by Sj0 · · Score: 3, Insightful

    Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

    Sounds bad. Does that make us hacker terrorists?

    --
    It's been a long time.
  30. Yes, M$ understood the internet. by Erris · · Score: 3, Insightful
    From today's New York Times,

    Microsoft executives said the memorandum resembled previous broadsides that have been fired off by Mr. Gates, the company's co-founder and chairman, when he thought that the company's strategic direction needed radical changes.

    In 1995, for example, Mr. Gates sent a companywide e-mail message exhorting employees to turn the direction of the Microsoft "battleship" and focus all the company's efforts on the threat of the Internet to Microsoft's business.

    They viewed the free communications media that was growing as a threat. This is why they did not rush to embrace it, but fought to destroy or dominate it. Sure, billg made a vanity web page and company policy was to tell everyone that was all it was good for. I remember it from being there. They rolled netbios out on the majority of their victims and tried to hold off TCP/IP for freaking ever, or at least till winsock was ported from BSD for free and they could steal and sell it. Since then they have done everything in their power to cram their stupid proprietary formats over it by buying out companies and perverting them to spam sites. Like Bolsheviks, they seek to disrupt the medium until they can control it. They are evil, and we have yet to see if the internet will win this one but freedom has a way of ignoring snake oil until there is nothing left but a fringe market for fools.

    Security on M$ platforms is impossible. There are no real user ID's, nor file permissions built into the kernel or the file system. The PNP hole on port 5000 is a great example of this. Why did it take so long to find it? Where were the commercial firewall companies that so many trolls like to tout here? You would think that they would have spotted it and closed it if such things were possible on an OS that does not really keep track of all the processes that are running.

    As I lost two karma points for in an earlier post, the only way M$ is going to be able to provide any kind of security is to follow the Apple example and dump Windows. I imagine they will roll a BSD and make some kind of WINE like compatibility mode. It's not going to work. They are far too behind, after all Apple bought up Next and it still took them years. They canned all their good VAX people and gutted the majority of their work as they shifted focus from their failed Unix killer, NT. I don't think so much as their mediocre korn shell made it to win 2000. The ridiculous proposition of a month long "focus" on security by all of their employees shows that they have an impossible task on their hands. Their sins are all looking them in the face and laughing. Had they spent as much time working with other platforms as they did breaking interfaces, swapping print methods and ruining other companies in general, they would be in a much better position today.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  31. complain if you will... by deeoji · · Score: 2, Insightful

    True that M$ is nowhere near as secure as *nix; however, as you bash away and curse M$, remember one thing -- if it wasn't for M$, its bugs, flaws and SIZE, you probably would never have been able to afford the computer you are using to post your bashings. If NOTHING else, at least Bill G. has pushed the market forward and the Windows monopoly has in turn pushed the hardware developers. It is irrelevant which operating system is the most widely used because there will always be the groups of people who don't want to conform and as such feel the need to promote whatever product they use as superior. Well often those people perceive "Alternative" to be synonymous with "Superior" -- that doesn't mean it's true. If MAC's ruled the world, you can bet your ass that OSX would be nothing like what it is today - it would not have the slightest traces of *nix and would be the endless target of rants, bashes and various posts by people who just wanted to be "non-conformists". Funny thing about non-conformists though; most of them conform more than they admit. I'd be willing to bet that the majority of the vitriolic posts concerning this article were derived by someone sitting at their PC - and if they had just finished playing a game (OTHER THAN freakin another freakin quake engine clone) they may still be logged into that hated Windows OS! Yes, bitching all the way, but still, somewhere secreted away is their installation of Windows. So stop ranting about the advantages of Linux and just be happy that perhaps something is now going to be done about the security issues at hand and have a little damn respect for the developers that (misguided or not) have put an OS onto more machines than you can possibly imagine! Monopoly - sure, but at some point those monopolies serve/d a purpose... if it wasn't for the AT&T monopoly years ago you'd still be turning a damn crank to talk to Martha the switchboard operator to call Andy and Barney down at the sheriff's department...

    So in closing - who gives a rat's ass what OS you run, ANY attention to security is good for EVERYONE!

    --
    ...n8