Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Focus on Security

Posted by ryuzaki0 on from the eye-of-sauron dept.

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

10 of 720 comments (clear)

  1. Come on now... by xinit · · Score: 4, Interesting
    We should know that this is more than just a simple PR move by Microsoft. I mean, don't they normally release information to the press in order to let their employees know how they're changing their focus?

    If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.

    Especially if they find that anyone's distributing exploit code.

    --
    --- http://foo.ca
  2. Writing Secure Code by hogsback · · Score: 5, Interesting

    A couple of Microsoft's security people published a book - Writing Secure Code - recently.
    It's obviously Windows biased with respect to code samples, but it's actually very good.

    Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,

    --
    Hogsback
    1. Re:Writing Secure Code by cooldev · · Score: 5, Interesting

      To whet your appetite, a little excerpt from the beginning about how quickly machines get attacked:

      Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened... Someone was scanning the external IP addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, so the person issued an HTTP HEAD request to see what the server was; it was an Internet IIS 5 server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its DNS name was www.windows2000test.com. Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

  3. Thoughts by cascino · · Score: 5, Interesting

    First of all, it truly scares me that Bill Gates's announcement that Microsoft will "empasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself.
    Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
    Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelyhood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.

  4. Two questions by Chris+Johnson · · Score: 5, Interesting
    Two questions. One, it's all very well to talk about this but isn't it like rewriting Netscape from the ground up? Isn't it either totally meaningless or an announcement of a complete energy sink at Microsoft which will immobilize them?

    Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?

  5. He can talk the talk... by Jon+Abbott · · Score: 5, Interesting

    "Users should be in control of how their data is used" -- Bill Gates

    To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
    --
    Slashdot's first reaction to VMware
  6. Tradeoffs by dachshund · · Score: 4, Interesting
    If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux ... What would we do?

    The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.

    So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?

    If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.

  7. Re:If.. by Pussy+Is+Money · · Score: 5, Interesting
    Nice post.

    I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.

    This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.

    But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.

    So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successfull, it will be Microsoft's business next week. That's why we need to oppose Microsoft.

    --
    Pushin' 'n dealin', shovin' 'n stealin'
  8. Am I going to trust Microsoft? Ever? by warpeightbot · · Score: 4, Interesting
    To state the obvious, not no but hell no.

    Why?

    Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.

    Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.

    But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.

    Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.

    You will never get that out of Microsoft. Ever.

    Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.

    --
    Nuke'em from orbit.
    It's the only way to be sure.

  9. M$ already own the technology to kill buffer issue by martin · · Score: 5, Interesting

    From the risks digest....

    Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
    "Nicholas C. Weaver"
    Sat, 5 Jan 2002 13:15:52 -0800 (PST)

    I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.

    However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.

    There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).

    An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.

    The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.

    What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
    could otherwise be prevented?

    [1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,

    [2] "Omniware: A universal substrate for mobile code"

    Nicholas C. Weaver nweaver@cs.berkeley.edu