Slashdot Mirror
Microsoft to Focus on Security
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.
Especially if they find that anyone's distributing exploit code.
--- http://foo.ca
A couple of Microsoft's security people published a book - Writing Secure Code - recently.
It's obviously Windows biased with respect to code samples, but it's actually very good.
Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
Hogsback
Other than security problems and product activation, I have to admit, that XP is actually a nice product. I may not agree with a number of its design decisions (stuffing things into kernel space that don't need to be there, building the GUI into the kernel, Microsoft ASCII text,etc), but it IS very feature complete for the average end user.
I still won't run it by choice (FreeBSD baybeee), but having to *support* the platform will be a lot less hassle...
just my US0.01c (damn pathetic aussie dollar...)
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
First of all, it truly scares me that Bill Gates's announcement that Microsoft will "empasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself. /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelyhood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On
I've had an open security issue on their site for months. [ http://www.devitry.com/security.html ] They don't seem to be too concerned with it, even though they are running the Passport system. Will this Gates email change their minds and get their butts in gear?
-- these are only opinions and they might not be mine.
Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?
To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
Slashdot's first reaction to VMware
You know, I think they're actually serious this time. I just sat in on a 3-day .Net developer workshop, and the trainer told us that the current directive in Redmond is for all product groups to sweep the entire code base for security-related bugs. Supposedly, new development has been halted during this process, and product groups will be held accountable for all future exploits of their products.
Quite honestly, I don't think they have much choice in the matter, and it's not just a question of liability. Security concerns are one of the top reasons firms decide not to use Microsoft software for enterprise applications, and this is obviously a market they covet. Products like Datacenter Server and SQL Server don't sell well if the customers keep hearing about Microsoft products being exploited.
Ok, what the heck does that mean? Unless Microsoft plans on solving the trusted client problem, once I send you an email there is no way I can control how you use it. The only thing I can think of is letting users add a header to outgoing email, and if it was present Outlook would not allow copying or saving when the recipient viewed it. Of course anything like this is trivial to defeat, resulting in the illusion of privacy rather than actual privacy.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
I don't think they're worried about a Gartner report, Microsoft has been slammed on its poor security record for some time now. (Maybe not by the Gartner Group, but certainly in other PHB reports.)
What probably got their attention was the recent visit from the FBI. Something most people forget is that one of the primary responsibilities of the FBI is counterespionage, and it doesn't take a genius to figure out how much damage a subtle virus could do on government computers. (Esp. after other countries had sensitive documents leak out with that "I write you for your advice" virus.)
We'll never know what the FBI told them... but we can guess based on what we now know. Every group must explicitly consider security issues, senior management remindning the troops to take it seriously. Maybe this is my one cynical-free day each year, but I really don't see this as an ploy to attack open source software such as Samba. I think they finally understand that they have a serious problem.
But, ironically, I'm now concerned that they don't have enough experienced security people. The corporate culture just hasn't encouraged development of the right skills. Any semi-decent programmer can check for buffer overflows and the like - even automated tools can do that in many cases now - but true security comes from an ability and willingness to challenge the most basic assumptions, to question the most sacred code, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is an extract from the ie.c file that I managed to pilfer during that source code steal from Microsoft year before last. Revealing it is.
The lameness filter won't let me post it, so I'm linking to it instead.
Of particular interest is the peer review process, ensuring quality standards, and upping the end user experience.
The problem with your "nothing to see here" attitude is that you have to know its a problem in order to change the defaults. If nothing else, this story alerts /. windows users that someone may be tracking them, so that they can change the preferences. And, its ironic that Gates wants Microsoft to be synonymous with "Trustworthy", while at the same time stabbing his customers in the back. Sorry, but I won't trust them with my money or my information, when they are so eager to screw me over for control of my digital media (DRM is the apparent reason for these supercookies), to the point where they would let anybody out there track me.
The plan to base product engineers' raises and bonuses on their code's quality will encourage programmers to write better code...but it's not enough to lead to safer Microsoft products. The problem is that manager / executive bonuses at M$ are still based on product profits, and are generally given as stock options.
This means the managers will still target profitablity over security.
The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.
So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?
If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.
I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.
This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.
But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.
So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successfull, it will be Microsoft's business next week. That's why we need to oppose Microsoft.
Pushin' 'n dealin', shovin' 'n stealin'
If he is actually sincere about this, weither or not I choose to use WindowsOS (haha funny pun, ok mabe not /duck) for other reasons, an increase in general security of the Windows Operating System (desktop or server, whatever the diffrence is..) leads to me fretting less at work because some pinhead decided we would impliment such and such deparment using Microsoft products (yes, despite what you teenage idealists think, this DOES actually happen to professional IT people in real workplaces)
I for one hope that he is really making a buisness decision, not a PR move (no, I'm not saying it dosen't sound like a PR stunt to me). In the past he has decided to turn his company completly on a dime before (internet company anyone?), and he has proven he is a very sucessfull buisnessman and can do such radical things, and come out millions of dollars in the positive.
Before I get mass flamed, let me clearly state, I think Windows is the worst comercial consumer operating system in common usage, even if you dont include the real operating systems for guru's. But I also think Bill is a great buisnessman (weither or not hes ethical is a far diffrent question)
Now that we have that cleared up lets look at the problems in WinXP (since I assume they are going to continue buildling from that instead of going back to Win2k, though I think it might be a wise decision for them to do so)
Other than that the majority of all complaints I could honestly extend are security related.
It is my feeling that if they did a feature freeze on the UI and driver interface and the general configuration setup, and worked soley upon improvments and security (of corse with a small team doing new UI stuff to impress the drooling x-treme programer types), and developed office/IE to use only the documented API (with the API frozen) with both products focused upon security (office is plenty usable as it is, optimization and security would be the best, and the ability to create decent 'other filetype' exports) the OS would mature rapidly
The things I really hate about using M$ products currently (not because they are closed source, I use plenty of closed source apps, I don't choose my software based upon politics, I choose it upon what works and gets the job done) is that I feel like I'm using a OS that has a lacking kernel, and whils't there are security exploits on my OS of choice (FreeBSD if your curious) they are generally quickly patched, and always workaroundable, not to mention the fact no software I've ever liked has had a major security flaw to my knowledge), there are far more security exploits for M$ windows (mostly dealing with Outlook, an app thats completly banned for use at our company, our daily bat file actually deletes the would be outlook folder if someone did install it, so they can call us up and complain about the errors caused and get promptly chewed out). While using my OS of choice, I feel that if there was a security exploit, it'd be all over everywhere, not sitting in some hackers mind (though that is possible, much less likley) whereas with M$ I feel that there might be a 9 month old exploit that hasn't even made SecurityFocus yet, that bothers me.
In conclusion, I do think this sounds an awful lot like a nice PR leak, I hope that it isn't. If I liked M$, it would be great, even though I dont like M$, since I'm forced to deal with it on a semi-regular basis, it greatly effects me anyway. This isnt a *nix vs M$ discussion or anything, I'm just stating that in the scope of M$ development, them focusing on security would actually be a good thing in my eyes.
(ps forgive the I'm sure numerous grammer/spelling errors in this post, I'm typing it while about to go to bed)
I live in a giant bucket.
except instead of "Quality is Job #1", it is "security is job #1". And if Microsoft's version of security is similar to Ford's version of quality, we will see massive recalls on M$ products. Only M$ won't have Firestone to kick around for their mistakes. I'm sure they'll blame Roxio, Sun, or Apple...
today is spelling optional day.
But what would Slashdot do if Microsoft changes? They'll go on. Slashdot is not the anti-Microsoft site. There would be plenty of other news if Microsoft dropped out of sight tommorow. Microsoft just manages to do things often enough to become a prime subject of this community.
Microsoft constantly stands out from their peers. The IT industry is full of large, powerfull corporations. They all put out products that could have their merrits debated. They all make marketing claims, promise things to their customers, and set company policy that impacts end users (including Slashdot readers). Yet somehow Microsoft manages to raise to the top.
Sure, there is over-the-top bashing of Microsoft (ignoring Microsoft's own PR, reputation for FUD, and zelous proponents). But there are also lots of legitimate grieviences ranging from product quality to Microsoft's marketing tactics.
Microsoft gets attention because they deserve it.
When Microsoft changes its ways, they will fade in to the background with other industry leaders like IBM. And the news will march on with or without them.
If Microsoft is serious about security, they'll supply encrypted file systems and encrypted email that are easy to enable and use, and suddenly vast amounts of email traffic will go "dark" to eavesdropping and wiretaps. The FBI tolerates some geeks using PGP now, but will completely flip out if it's deployed on the scale of Outlook encrypting everything by default. Legislated, mandatory key escrow will be a done deal. Ashcroft will read our mail forever.
Why?
Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.
Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.
But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.
Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.
You will never get that out of Microsoft. Ever.
Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
--
Nuke'em from orbit.
It's the only way to be sure.
I can't believe I'm falling into answering this, but what application do you need that you don't have? (Sincere question -- I write software; might be fun to fill in a gap).
Unless, of course, this is the classic (I need "Word" because everyone else has "Word.") What amuses me about this is how quickly we forget. Just 7 years ago Word was the upstart. WordPerfect was the defacto standard. Word 6 was the first version of Word that wasn't a joke and Word95 was the first to make major inroads.
An earlier post ask why Microsoft is so reviled. The simple answer is that they use a monopoly in systems to extend a monopoly in applications. At this point, Office is a monopoly in itself. They are positioning themselves to be the monopoly media platform, net service platform, etc.
After seeing them do this enough times, you start to have Capt. Kirk's feelings about Klingons (be sure to add the excessively dramatic emphasis Shatner adds when you read this): "DON'T belive them! DON'T trust them!"
I'll be very happy if I never have to do another thing in a Microsoft OS ever again. I don't right now. When people send me things in Word format, I politely inform them that I don't use Windows. I'll do the best I can with OpenOffice to read and use their stuff, but maybe they should consider using RTF or HTML, since these are open standards.
Wow! Not only did I get dragged in by a troll (intended or not), but I slipped off into a rant! Why should I be any different frm the average slathering slashdotter...
I imagine at some point, they had next to zero corporate internet culture.
That's not true -- they were a VAX shop and had a usenet feed and e-mail back in the days of bang-paths. billg@microsoft.com has been a live address for decades.
Back in '89 or so, they made it clear that TCP/IP was going to be the LAN protocol of choice by building it into OS/2 LAN Manager, even though IPX had something like a 90% marketshare at the time.
What they didn't get very quickly was that the WWW (primarily stupid pictures of people's cats at the time) was going to be a major revolution in corporate computing, or that it would be more useful to the home user than a proprietary online service.
PR Man (PR): I've just completed that study you asked for, the one on why the Slashdot editors hate us.
Bill Gates (BG): Can you give me the executive summary?
PR: It's because we don't place enough emphasis on security.
BG: Fine. We'll do more about security.
6 months later
PR: I've just completed that report on why the Slashdot editors still hate us.
BG: And?
PR: It's because we place too much emphasis on security.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The defaults are everything,
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Please someone explain to me what this means (from the first document), Bill is answering:
15 Q. Do you use a computer at home?
16 A. Yes, I do.
17 Q. Do you use that on work-related
18 matters?
19 A. Some of the computers I do and some of
20 the computers I don't.
21 Q. Do you know whether those computers
22 were searched in connection with a document search in
23 this litigation?
24 A. Those computers don't have storage.
25 Q. But you don't know whether the hard
8
1 disk was searched for any material that might be
2 there that --
3 A. You should understand it's a portable
4 computer, it moves back and forth. That's the
5 computer with my e-mail, it moves back and forth. So
6 it's the same computer in my office as at home.
7 Q. I see, okay. And I assume the computer
8 in your office was searched for relevant e-mails; is
9 that your understanding?
10 A. Yes.
No storage? Huh? Back and forth? It's late...anybody make sense of that?
- dave
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Vendors will have to use Passport in order to get a "Microsoft Trustworthy Computing" seal on their website (have they trademarked that fucker yet?).
Users attempting to access Commerce sites without Passport integration will be warned with a big "THIS SITE NOT MS-TRUSTWORTHY-CERTIFIED!" messages.
After all, every consumer knows you need a big, familiar, feel-good corporation like MS to ensure your Internet security and privacy...
pr0n - keeping monitor glass spotless since 1981.
From the risks digest....
Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)
I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.
However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.
There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).
An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.
The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.
What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
could otherwise be prevented?
[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,
[2] "Omniware: A universal substrate for mobile code"
Nicholas C. Weaver nweaver@cs.berkeley.edu
Security is one of those things that is required to come at the planning stage of any product -- not as an afterthought during the coding and test stages.
MS needs profits to buy new companies so they don't have to pay divedends. They need big profits so that the stockholders will be happy with the 'value' of MS as a whole.
Yet, the software side of thier business is a stagnent market -- huge and captive but not growing as it used to. Because of that they need to retain customers and get them to upgrade on a regular basis (subscriptions everyone?).
Then, we're back to the schedule and the features and security getting short shrift.
Does anyone expect it to be any other way?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Hugh Daniel went up there some time last year, to do some interoperability testing between NT's IPSEC, and free S/WAN. He asked them, what crypto they'd implemented and could test. They told him that they'd only done 40-bit DES.
He just left.
Personally, I'm not holding my breath for MS to ever implement a securable system. They'll do things that let them check off the boxes in their product literature, but as for those features being truly robust, I wouldn't count on it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."