Slashdot Mirror
Microsoft to Focus on Security
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
After reading the article, and also having my Microsoft account rep call me up after I have told her that I wont be installing my "enterprise" (every time I say that word, my whole team breaking to ST:TNG theme song), becuase the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...
Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to to!
Grrrr, too many NT crashes, not enough intellegent techs to figure out what went wrong, other than.. oh just reboot!
`find / -name "*your_base*" -exec chown us:us {} \;`
However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
Oceania has always been at war with Eastasia.
Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.
I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.
Hey, I'm just sayin'.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because its the godhead of this entire forum), What would we do?
/. topics get more sensational?
Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will
MS Press Release:
"Microsoft released a patch today to save 15K of RAM in explorer.exe"
Slashdot:
Microsoft wasting gobs of memory for extra red-dot in windows logo.
Personally, I say good for microsoft. Microsoft, right now, is an intergral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)
Just my $0.02, Refundable with a $2.00 restocking fee.
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem. It's a privacy problem.
If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.
[
"Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")
Anyone remember Bill Gates's deposition in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.
In this case, "Trustworthy Computing" means "convincing computer users that they don't have to wory about security... that they can trust MS."
The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.
I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.
How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.
Extrapolate amongst yourselves.
Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?
Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
"And like that
Normal slashdot staff overreacting again. You can turn that ID off.
The defaults are everything, Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop(IE), and no other browser is allowed to be there ? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons ?
This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.
Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.
Properly securing products isn't fun.
Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.
Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."
All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.
Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
This Sig is a mnemonic device designed to allow you to recognize this author in the future.
Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.
Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.
IT must been damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critcal infrastructures.
Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.
MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.
We should know that this is more than just a simple PR move by Microsoft. I mean, don't they normally release information to the press in order to let their employees know how they're changing their focus?
The last time Microsoft made an annoucement like this, they refocused the company on the Internet, and started hammering out MSIE into a Netscape-killer. For all his faults, once Gates and his people get an idea in their heads, they can turn on a dime and they won't stop until they do what they want to do.