Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Focus on Security

Posted by ryuzaki0 on from the eye-of-sauron dept.

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

9 of 720 comments (clear)

  1. Standard Corporate Security Policy by ZenJabba1 · · Score: 5, Insightful

    After reading the article, and also having my Microsoft account rep call me up after I have told her that I wont be installing my "enterprise" (every time I say that word, my whole team breaking to ST:TNG theme song), becuase the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...

    Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to to!

    Grrrr, too many NT crashes, not enough intellegent techs to figure out what went wrong, other than.. oh just reboot!

    --
    `find / -name "*your_base*" -exec chown us:us {} \;`
    1. Re:Standard Corporate Security Policy by Waffle+Iron · · Score: 5, Insightful
      current directive in Redmond is for all product groups to sweep the entire code base for security-related bugs.

      Problem is, that's not going to do a lot of good if these people don't have the experience to spot security bugs in the first place. The potential universe of exploits is huge, and it includes interactions between components written by different groups. I doubt that they even have the talent base to do this job effectively.

      It's possible to create an OS that's secure out of the box; OpenBSD is an example. Now Microsoft wants to get to the same place, but with orders of magnitude more code, a small fraction of the time, and next to zero corporate security culture. This is beyond "trying to have a baby in one month". This is more like putting 5900 women in a room and trying to get a baby in one hour.

  2. If.. by AnalogBoy · · Score: 5, Insightful

    If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because its the godhead of this entire forum), What would we do?

    Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will /. topics get more sensational?

    MS Press Release:
    "Microsoft released a patch today to save 15K of RAM in explorer.exe"

    Slashdot:
    Microsoft wasting gobs of memory for extra red-dot in windows logo.

    Personally, I say good for microsoft. Microsoft, right now, is an intergral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)

    Just my $0.02, Refundable with a $2.00 restocking fee.

    1. Re:If.. by vondo · · Score: 5, Insightful
      I find AOL/TW less scary than MS, at least on a personal level.

      Sure, I watch CNN. Maybe I pick up Time occasionally, but I'm aware of who they are and what they are doing. If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me. (Of course it affects the society around me.)

      Maybe I don't hear the incessant ads for AOL on CNN, maybe I have to use a smaller ISP. I think I can live without those things.

      Microsoft, on the other hand, by trying to extend its monopolies, is targeting my ability to communicate with other people. I can choose not to run Powerpoint or Word, but if 90% of the people around me only speak that "language" I can't see what they're saying. I can choose not to run IE, but if I can't read half the web because of it, I've lost. If I choose not to use Window's Media Whatever-its-called, I might not be able to hear the music I want to. And of course if I choose to run Linux, I can't even choose not to use all these MS products.

      When this happens, I've not just lost out on being able to use MS's products, but on a larger part of my world.

      AOL/TW is trying to control the content. MS is trying to control the underlying language. I find MS's intrusions more threatening to my lifestyle.

    2. Re:If.. by mjh · · Score: 5, Insightful
      If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux ... What would we do?

      Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."

      Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanatacism about it. If better software comes along that costs money, I'll buy it.

      How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  3. You should be afraid... by tswinzig · · Score: 5, Insightful

    The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.

    I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.

    How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.

    Extrapolate amongst yourselves.

    Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?

    Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?

    --

    "And like that ... he's gone."
    1. Re:You should be afraid... by djrogers · · Score: 5, Insightful

      Adding functionality to an OS is much easier than adding security. There's nothing magic about building a web server or browser, and giving them away/bundling them makes it quite easy to gain marketshare. Note that everything you mention in your e-mail has been involved in HUGE security holes...

      --
      Think outside the... Hey, where'd the friggin' box go?
  4. Re:That GUID on WMP? Yeah . . . by blakestah · · Score: 5, Insightful

    Normal slashdot staff overreacting again. You can turn that ID off.

    The defaults are everything, Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop(IE), and no other browser is allowed to be there ? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons ?

    This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.

    Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.

    Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...

  5. security, programmers, human nature... by Chris+Canfield · · Score: 5, Insightful

    It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.

    Properly securing products isn't fun.

    Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.

    Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."

    All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.

    Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.

    --
    This Sig is a mnemonic device designed to allow you to recognize this author in the future.