Microsoft to Focus on Security
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.
Especially if they find that anyone's distributing exploit code.
--- http://foo.ca
Hmm... Now that basically all of our code is developed and systems are embedded in concrete... let's try to secure this, shall we?
Maybe they should have thought of this BEFORE they rewrote the OS?
The ______ Agenda
Normal slashdot staff overreacting again. You can turn that ID off. Granted, they should make it default to off, and ask you before they go around putting out supercookies, but it's possible to fix the hole. Even in WMP6.x. This was going across bugtraq today. Apparently, if you have the ID backdoor disabled, it generates a random number each time the control is queried. Spare his page, though, I wrote this with no replies (first post, almost), and the page was already horribly slow.
funny munging
Why does Microsoft saying they're going to focus on security remind me of the US government talking about campaign finance reform?
If using Linux is about choice, how come people complain when I choose to use Windows?
After reading the article, and also having my Microsoft account rep call me up after I have told her that I won't be installing my "enterprise" (every time I say that word, my whole team breaks into the ST:TNG theme song), because the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actual purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...
Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to do!
Grrrr, too many NT crashes, not enough intelligent techs to figure out what went wrong, other than.. oh just reboot!
`find / -name "*your_base*" -exec chown us:us {} \;`
HAHAHAHAHAhahahahahaHAHAHAHAHAHAHAhahahahaheeheehe e.
I guess those stories suggesting that software companies might become liable for damages arising from security holes put the fear of God into him.
so now all of the pr0n sites will know exactly what TYPE of pr0n to feature on the front page whenever I *happen* to stop by...
well, atleast maybe I'll get more targeted advertising... ya know, nothing against transvestites, but the pr0n of them in an advertisement just does NOT make me want to subscribe!
Security over function. That makes sense. I already love it every time Windows warns me that I am about to do something dangerous, restricts me from seeing files I shouldn't touch by default, and dumbs down everything to the point where it takes me 45 minutes to make the machine useful after a clean installation.
Now they are going to focus on security instead of function.
I have a pocket calculator that adds, subtracts, multiplies and divides. The square root button is broken. I just jammed an RJ-45 cable into the slot where the battery normally goes. It appears to be doing nothing.
I'm certain that my calculator now meets Bill's new objectives. It does nothing, but is entirely secure. Particularly since it is behind a firewall.
Good idea Bill.
-Rothfuss
Thanks, Eric! And in other news, Microsoft announced that they are to rename Windows 98 "Windows Diana". They expect that it too will be superficially attractive, consume lots of resources and crash horribly. (from http://members.ozemail.com.au/~lbrash/msjokes/)
Hmmm, I think I'll go read slashdot today...
It looks like you're trying to reach the internet, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
Arrgh, *click ok* (stupid microsoft)
Your computer has begun downloading information, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
And so on!
My Karma was at 49, then they switched to words. All that work for nothing!
..."Trustworthy Computing". This sounds suspiciously like a buzzword-name for digital rights management, especially after that paper on making an OS that prevents anything unauthenticated from getting at secure content.
Anyone else notice this?
the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem to have a number assigned to you, it's a privacy problem.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
A couple of Microsoft's security people published a book - Writing Secure Code - recently.
It's obviously Windows biased with respect to code samples, but it's actually very good.
Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
Hogsback
How did this old story manage to make the front page of Slashdot when this new story with far greater implications didn't?
However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
Oceania has always been at war with Eastasia.
Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.
I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.
Hey, I'm just sayin'.
Right. This is not a security problem. This is a privacy issue.
And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.
You make a good point that it can be turned off, but how many "normal end users" of Microsoft products are going to know this? It is not you or I, or for that matter anyone on /. (for the most part ;}) that I am worried about here. It is the people that do not have the first clue about computers, or security, and think that AOL is the internet that I am concerned about with security issues such as this one (and the countless others).
Just because it's possible to fix the hole doesn't make it "Normal slashdot staff overreacting again." Not only does the original report contain the information for how you can turn off the ID, it makes some good arguments for why that isn't good enough.
So no, not an overreaction at all.
If Microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issues as, say, Linux (I swear I didn't choose that just because it's the godhead of this entire forum), what would we do?
/. topics get more sensational?
Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will
MS Press Release:
"Microsoft released a patch today to save 15K of RAM in explorer.exe"
Slashdot:
Microsoft wasting gobs of memory for extra red-dot in windows logo.
Personally, I say good for microsoft. Microsoft, right now, is an intergral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)
Just my $0.02, Refundable with a $2.00 restocking fee.
Other than security problems and product activation, I have to admit that XP is actually a nice product. I may not agree with a number of its design decisions (stuffing things into kernel space that don't need to be there, building the GUI into the kernel, Microsoft ASCII text, etc.), but it IS very feature complete for the average end user.
I still won't run it by choice (FreeBSD baybeee), but having to *support* the platform will be a lot less hassle...
just my US0.01c (damn pathetic aussie dollar...)
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Is this in the same vein as the day Bill Gates ordered everyone at MS to stop what they were working on and concentrate on how the Internet would affect their products?
Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"
They're doing their best to attack open source; from buying SGI patents to kill OpenGL to this new initiative to cut off the age-old argument that open source is more secure (at least on the PR front...) and all the rest. I guess they really do see open source as the number one threat...
What I really hate to see, however, is that we're not doing too much about it. In fact, the only new thing is Lindows, and I sincerely hope they live up to the hype. Unfortunately, Microsoft has realized that Joe Average Consumer *doesn't care* about anything that is not the easiest way to go; even in the server market the PHBs will stick to MS until they see something like the Gartner Report or the FBI declaring Windows XP to be insecure (or whatever).
IMHO, a good part of the Open Source world needs to focus on making Linux a real competitor on the desktop market; such as idiot-proof install programs that need *NO KNOWLEDGE OF PARTITIONING* (and just ask, "do you want to install Linux on separate hard drive, or should I resize your Windows partition to X gigabytes and install it on this hard drive) and autodetect hardware (X Windows configuration is a *REAL* pain in the derriere if you don't know much, if anything about computers, for example) and whatnot. In order for Linux to be a real competitor for the computer of Joe AOLuser, it should take advantage of almost (or as much or more) autodetection/idiot proof default settings as Windows.
Now I know, I know, we aren't after Joe AOLuser, but in order for manufacturers to keep making Open-Source compatible hardware, THEY NEED MARKET DEMAND. It's far easier to cave in to Microsoft if it means losing 5% of sales (to hardcore geeks) than if it means losing 50% of sales (to Joe Average User). And yes, I just pulled those figures out of my hat, but I wouldn't be surprised if they were true.
Oh my God, if Billy actually means what he says, what are we going to do now? We've always had a major advantage in security and stability with Linux. Our arguments have always been based on the fact that M$ windoze is a bloated hacker haven.
Linux and the open source movement will most certainly never die, but I would really like to see a day where mom, pop and granny all used Linux, most games and popular software ran natively on it, and Windows was a weird "fringe" thing like Macs.
I honestly believed we could pull it off in 5 years, 10 tops. But with the full resources of a gigantic monopoly turned to focus on what has always been our strong point, dear lord, what are we going to do now???
Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?
First of all, it truly scares me that Bill Gates's announcement that Microsoft will "emphasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself. On /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelihood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On
A)bort R)etry I)gnore
=tad=
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem. It's a privacy problem.
If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.
I've had an open security issue on their site for months. [ http://www.devitry.com/security.html ] They don't seem to be too concerned with it, even though they are running the Passport system. Will this Gates email change their minds and get their butts in gear?
-- these are only opinions and they might not be mine.
Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?
We all remember Jim Allchin saying that XP was "the most secure Windows ever." And everyone here knows about the UPnP bugs that were discovered the day XP was released. Their other recent announcements lambasting the process of full disclosure by Scott Culp also show that they have no real commitment to providing decent security in their products. Well, if this word from BillG is supposed to mean anything, we ought to see it in action. Unless "trustworthy computing" is supposed to mean trusted computers (a conceptual fiction) for use with digital rights management...
Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.
It's about fucking time.
In other news, why does this story have a Borg logo on it instead of the Monty Python foot?
-Legion
"Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."
If you know anything about managing people, that is probably the #1 way to get people who don't really want to do something to get results. Sounds like while it may be in part a PR stunt, it really is a serious push by Gates.
-Pete
Soccer Goal Plans
Some people think Bill invented the Internet. Now is his chance to invent the Microsoft System for Secure Computing (TM), which will include all of those features that MS wants first, and maybe a few that you feel are important as well.
Microsoft Planet here we come! =8~|
"It is a greater offense to steal men's labor, than their clothes"
"Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")
Anyone remember Bill Gates's deposition in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.
In this case, "Trustworthy Computing" means "convincing computer users that they don't have to worry about security... that they can trust MS."
The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.
I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.
How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.
Extrapolate amongst yourselves.
Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?
Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
Slashdot's first reaction to VMware
This is directed at legislators. As PR, it's pretty poor, and against form for Microsoft - it admits that a problem exists (remember their old slogans about how Windows was fast and reliable?) If they can convince legislators (who are, to some extent or another, in MS' pocket) that they're doing something, then they can convince legislators to abandon the proposal to make software vendors liable for security failures, which could open up MS to unlimited liability.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
Russ Cooper, a security expert with TruSecure Corporation, said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.
I am not very surprised by this
Customers could also see a downside, though. Other than fewer new features, product upgrades could come less frequently or could be pushed back.
Somehow, this is not a drawback, and hopefully this throws the subscription thing out of whack.
...for corporations? I expect that increased security means making it harder for us end users to listen to our music and watch our movies whenever we want rather than protecting us from things like viruses and intruders - after all, that's where the money probably is.
-- SIGFPE
Normal slashdot staff overreacting again. You can turn that ID off.
The defaults are everything. Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop (IE), and no other browser is allowed to be there? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons?
This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.
Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
In related news, Wall Street reacted favorably to a report that Microsoft is slashing payroll expenses by 80%.
Fire and brimstone market prices skyrocketed 72% on the news that hell had indeed frozen over. Satan declined to comment.
Internet search engine Google reports traffic up 17%, and that the word "security" has become the most popular search term, driven entirely by submissions from the microsoft.com domain.
Film at 11:00.
Ok, what the heck does that mean? Unless Microsoft plans on solving the trusted client problem, once I send you an email there is no way I can control how you use it. The only thing I can think of is letting users add a header to outgoing email, and if it was present Outlook would not allow copying or saving when the recipient viewed it. Of course anything like this is trivial to defeat, resulting in the illusion of privacy rather than actual privacy.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
I don't think they're worried about a Gartner report, Microsoft has been slammed on its poor security record for some time now. (Maybe not by the Gartner Group, but certainly in other PHB reports.)
What probably got their attention was the recent visit from the FBI. Something most people forget is that one of the primary responsibilities of the FBI is counterespionage, and it doesn't take a genius to figure out how much damage a subtle virus could do on government computers. (Esp. after other countries had sensitive documents leak out with that "I write you for your advice" virus.)
We'll never know what the FBI told them... but we can guess based on what we now know. Every group must explicitly consider security issues, senior management reminding the troops to take it seriously. Maybe this is my one cynical-free day each year, but I really don't see this as a ploy to attack open source software such as Samba. I think they finally understand that they have a serious problem.
But, ironically, I'm now concerned that they don't have enough experienced security people. The corporate culture just hasn't encouraged development of the right skills. Any semi-decent programmer can check for buffer overflows and the like - even automated tools can do that in many cases now - but true security comes from an ability and willingness to challenge the most basic assumptions, to question the most sacred code, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is an extract from the ie.c file that I managed to pilfer during that source code steal from Microsoft year before last. Revealing it is.
The lameness filter won't let me post it, so I'm linking to it instead.
Of particular interest is the peer review process, ensuring quality standards, and upping the end user experience.
You can only take a $2000 deduction currently for charitable donations. Since Gates probably pays income taxes on much more than that, I doubt he'd even notice. And it doesn't cost you the same amount of money. A $2000 deduction doesn't save you $2000. You just get to pretend like you made $2000 less than you really did.
What?
Now some talking paperclip is going to say to me "It looks like you've been R00T3D" and a security 'wizard' will pop up to teach me (in five easy to follow steps) how to unplug my Windows BS Professional box from the network in order to make it secure.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
InfoWorld
And there is this old item from a security mailing list:
The reason trusted systems are not being used right is because the way they are written they are UNUSABLE. Only someone who is forced to use them would even consider touching them!
(seen at: http://www.geocrawler.com/archives/3/90/1995/7/0/418940/ )
Granted, it is old, but is the point still valid?
The problem with your "nothing to see here" attitude is that you have to know it's a problem in order to change the defaults. If nothing else, this story alerts /. Windows users that someone may be tracking them, so that they can change the preferences. And, it's ironic that Gates wants Microsoft to be synonymous with "Trustworthy", while at the same time stabbing his customers in the back. Sorry, but I won't trust them with my money or my information, when they are so eager to screw me over for control of my digital media (DRM is the apparent reason for these supercookies), to the point where they would let anybody out there track me.
That the digital rights management scheme will be uncrackable, and you will not be allowed to play that digital media stream more than once. Not that the machine will be more secure.
Security to their customer base does not include you. Only large Corporations who want money each time you listen/see/smell/touch/etc something.
Get a free ipod.
Tools->Options->Player->"Allow Internet sites to uniquely identify your player"
Wow! I'd have NEVER known what it was for, seeing how obscure and undocumented it was...
"People that quote themselves in their signatures bother me" - athakur999
Bloated hackers hacking bloatware...sounds like something out of Dr Seuss!
You're using her as bait, Master!
" Time to uninstall Media Player. I'm just tired of companies sneakily trying to track my browsing/purchasing habits without disclosing it. Enough."
Why not try unchecking the big friendly "Allow media sites to uniquely identify my player" box instead?
graspee
should declare some degree of success. One of their aims was always to raise awareness of security issues. They should congratulate themselves for prompting a thick headed company like Microsoft to dramatically shift their focus. Congratulations people, your hard work has not gone to waste.
Note: I acknowledge that it was only an e-mail that was sent. The true proof will be in the proverbial pudding.
*Condense fact from the vapor of nuance*
This guy is right on the money. Making security a priority can only be accomplished through making good design and good code a priority. And those won't be a priority unless there's some sort of pressure for it. Lowering insurance costs is one pressure. Positive PR is another. But more powerful than both of those is the pressure to keep customers from switching to a viable competitor.
And this, I think is exactly the thing we need: a viable competitor to Microsoft. Microsoft, of course, doesn't want this. Interestingly enough, this will also help deal with Rep. Rick Boucher's recent thoughts on the prevention of cyberterrorism. With all due respect to the many good ideas that Rep. Boucher has made, when he suggested enforcing product liability requirements on software producers, he assumed that was the only way to get better software. But it's not. Competition will be much more effective. "When Microsoft starts creating good software, we've won." - Linus Torvalds. Unfortunately, not only is Boucher's suggestion not as effective as competition, it's got a really nasty side effect: it would effectively kill the only potential competitor to Microsoft on the horizon: open source & free software.
Competition will breed better software. If a competitive market place still produces unsafe products (as was the case with the automobile manufacturers of the '60s) then perhaps new laws make sense.
The point is that the solution to both problems ("cyber-terrorism" and software security) is competition. If the government is going to do anything, let's encourage them to do something that opens up competition to the MS juggernaut. There currently is none, so make laws that produce competition. If, and only if, that doesn't work, then think about other ways to enforce accountability - like product liability for software producers. But don't put the cart before the horse.
$.02
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Speaking of Microsoft and Enron, how many people have read this:
http://www.fool.com/portfolios/rulemaker/2000/rulemaker000217.htm
Kind of makes you wonder, doesn't it?
Engineering and the Ultimate
The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.
So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?
If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.
It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.
Properly securing products isn't fun.
Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.
Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."
All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.
Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
This Sig is a mnemonic device designed to allow you to recognize this author in the future.
First, Microsoft has finally flushed the security-hopeless operating systems (DOS, Win3.5x, Win95, Win98, WinME) out of their product line. The current product line is Win2K and XP, both of which have reasonable underlying security machinery. It's not well-used, but it's there.
Given a reasonable underlying OS, it's quite possible for Microsoft to arrange things so that all executable content executes in a "jail". More generally, a security distinction has to be made between what the user is doing and what external content is doing, and the OS kernel has to enforce this.
If MS does this right, it won't matter if IE has security holes, because trouble will get no further than the current IE document.
We're all going to be doing a lot more forking and IPC.
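The comment above argues that external content should execute in a "jail" whose boundary the kernel enforces, and predicts "a lot more forking and IPC". The following is an added example of what that skeleton looks like in POSIX C; it is not from the poster or from Microsoft. Untrusted input is handed to a forked child that runs under resource limits and cannot share memory with the parent, and the parsed result comes back over a pipe. The parser `sum_csv_ints`, its `abort()` branch (standing in for a real parser crashing on hostile input), the token-length limit and the sample inputs are all constructed for this illustration.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/resource.h>

/* Outcome of handling one piece of external content in the jailed child. */
enum jail_status { JAIL_OK = 0, JAIL_BAD_INPUT = 1, JAIL_CRASHED = 2, JAIL_ERROR = 3 };

/* Constructed stand-in for a document parser: sums a comma-separated list of
 * decimal integers.  Returns 0 on success, -1 on malformed input.  A token
 * longer than 16 characters trips abort(), standing in for the kind of crash
 * a real parser might suffer on hostile input. */
static int sum_csv_ints(const char *s, long *out)
{
    long total = 0;
    while (*s) {
        size_t tok = strcspn(s, ",");
        if (tok > 16) abort();                  /* constructed "parser crash" */
        char *end;
        errno = 0;
        long v = strtol(s, &end, 10);
        if (end == s || errno != 0) return -1;  /* not a number / out of range */
        total += v;
        if (*end == ',') s = end + 1;
        else if (*end == '\0') break;
        else return -1;
    }
    *out = total;
    return 0;
}

/* Run the parser on untrusted input in a separate, resource-limited process.
 * The parent never touches the content itself; it only reads a fixed-size
 * result from the pipe and inspects how the child ended. */
enum jail_status parse_in_jail(const char *input, long *result)
{
    int fd[2];
    if (pipe(fd) != 0) return JAIL_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return JAIL_ERROR; }

    if (pid == 0) {
        /* Child: confine before touching the content. */
        close(fd[0]);
        struct rlimit cpu = { 1, 1 };           /* no runaway loops */
        setrlimit(RLIMIT_CPU, &cpu);
        struct rlimit core = { 0, 0 };          /* no core dump of the content */
        setrlimit(RLIMIT_CORE, &core);
        long v = 0;
        if (sum_csv_ints(input, &v) != 0) _exit(1);
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(2);
        _exit(0);
    }

    /* Parent: collect the result, then learn how the child ended. */
    close(fd[1]);
    long v = 0;
    ssize_t n = read(fd[0], &v, sizeof v);      /* 0 bytes if the child died early */
    close(fd[0]);
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return JAIL_ERROR;
    if (WIFSIGNALED(st)) return JAIL_CRASHED;   /* crash stayed inside the jail */
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) return JAIL_BAD_INPUT;
    if (n != (ssize_t)sizeof v) return JAIL_ERROR;
    *result = v;
    return JAIL_OK;
}

/* Convenience wrappers so outcomes can be checked as plain return values. */
int jailed_status(const char *input) { long r = 0; return (int)parse_in_jail(input, &r); }
long jailed_sum_or(const char *input, long fallback)
{
    long r = 0;
    return parse_in_jail(input, &r) == JAIL_OK ? r : fallback;
}

int main(void)
{
    /* Constructed inputs: well-formed, malformed, and one that crashes the parser. */
    const char *samples[] = { "1,2,3", "1,x", "12345678901234567890,1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s status=%d sum=%ld\n", samples[i],
               jailed_status(samples[i]), jailed_sum_or(samples[i], -1));
    return 0;
}
```

A crash in the child surfaces as JAIL_CRASHED in the parent, which carries on; because the child's address space is a copy, a corrupted child cannot reach the parent's data. A real jail adds more (dropping privileges, chroot or namespaces, a restricted system-call filter), but the fork-plus-pipe structure is the part the comment is pointing at.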
If he is actually sincere about this, whether or not I choose to use WindowsOS (haha funny pun, ok maybe not /duck) for other reasons, an increase in general security of the Windows Operating System (desktop or server, whatever the difference is..) leads to me fretting less at work because some pinhead decided we would implement such and such department using Microsoft products (yes, despite what you teenage idealists think, this DOES actually happen to professional IT people in real workplaces)
I for one hope that he is really making a business decision, not a PR move (no, I'm not saying it doesn't sound like a PR stunt to me). In the past he has decided to turn his company completely on a dime before (internet company anyone?), and he has proven he is a very successful businessman and can do such radical things, and come out millions of dollars in the positive.
Before I get mass flamed, let me clearly state, I think Windows is the worst commercial consumer operating system in common usage, even if you don't include the real operating systems for gurus. But I also think Bill is a great businessman (whether or not he's ethical is a far different question)
Now that we have that cleared up let's look at the problems in WinXP (since I assume they are going to continue building from that instead of going back to Win2k, though I think it might be a wise decision for them to do so)
Other than that the majority of all complaints I could honestly extend are security related.
It is my feeling that if they did a feature freeze on the UI and driver interface and the general configuration setup, and worked solely upon improvements and security (of course with a small team doing new UI stuff to impress the drooling x-treme programmer types), and developed office/IE to use only the documented API (with the API frozen) with both products focused upon security (office is plenty usable as it is, optimization and security would be the best, and the ability to create decent 'other filetype' exports) the OS would mature rapidly
The things I really hate about using M$ products currently (not because they are closed source, I use plenty of closed source apps, I don't choose my software based upon politics, I choose it upon what works and gets the job done) is that I feel like I'm using an OS that has a lacking kernel, and whilst there are security exploits on my OS of choice (FreeBSD if you're curious) they are generally quickly patched, and always workaroundable, not to mention the fact no software I've ever liked has had a major security flaw to my knowledge), there are far more security exploits for M$ windows (mostly dealing with Outlook, an app that's completely banned for use at our company, our daily bat file actually deletes the would-be outlook folder if someone did install it, so they can call us up and complain about the errors caused and get promptly chewed out). While using my OS of choice, I feel that if there was a security exploit, it'd be all over everywhere, not sitting in some hacker's mind (though that is possible, much less likely) whereas with M$ I feel that there might be a 9 month old exploit that hasn't even made SecurityFocus yet, that bothers me.
In conclusion, I do think this sounds an awful lot like a nice PR leak, I hope that it isn't. If I liked M$, it would be great, even though I don't like M$, since I'm forced to deal with it on a semi-regular basis, it greatly affects me anyway. This isn't a *nix vs M$ discussion or anything, I'm just stating that in the scope of M$ development, them focusing on security would actually be a good thing in my eyes.
(ps forgive the I'm sure numerous grammar/spelling errors in this post, I'm typing it while about to go to bed)
I live in a giant bucket.
So, what to do? Switch businesses to a software rental model (stream of income) and get a piece of B-to-C and B-to-B E-Commerce (preferably a big piece). In other words
But - for
[Insert pithy quote here]
Uh....what are you talking about? Windows NT, which Windows XP is based on, has had userids and file system permissions for years.
except instead of "Quality is Job #1", it is "security is job #1". And if Microsoft's version of security is similar to Ford's version of quality, we will see massive recalls on M$ products. Only M$ won't have Firestone to kick around for their mistakes. I'm sure they'll blame Roxio, Sun, or Apple...
today is spelling optional day.
Now I'm someone who will cheerily click past a click-through license agreement without reading it, but Microsoft still managed to draw my attention to the existence of this ID, then told me what benefits it gave, and then how to disable it (which I did).
(They didn't mention the supercookie privacy bug though)
When you install WMP7 it brings up a Privacy Policy dialog (and those words immediately make anyone who would actually care [about web pages being able to collate info about them etc] decide 'this is something I should read') which explains pretty much in bullet points every aspect of WMP that might violate your privacy, what advantage you get by having it on, and how you can turn it off (including the Content Rights Management). You then have to tick an "I have read the privacy policy" checkbox before you can continue the install.
In that sense "an obscure option in WMP which is barely documented" is complete bollocks. However, I imagine it's possible (now or soon) that you could buy a machine preconfigured from the store with WMP7, and not be provided with any information, or warning.
Windows2000 (SP2) comes bundled with a much earlier version of WMP so no worries there, but I've not looked at XP.
My question for anyone who has bothered to read this far...
(I'll word the same question it 3 different ways)
Is this just a bug, or would the only way to fix this bug defeat the entire purpose of the ID? / Can this feature exist without the side-effect? / Is it a side-effect or just the other side of a double edged sword?
Obviously, focusing on security is a Good Thing. After all, they've made these products and are selling them to all comers - it's good for them to know how to use them properly too.
Associated Press- Correction:
Bill Gates announced to THE MICROSOFT MARKETING DEPARTMENT Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to THE MARKETING DEPARTMENT, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority".
Development personnel who heard rumors of this were told to go back in their cubes and stop wasting time.
- For the complete works of Shakespeare: cat
Guys this is not a case of "big bad company wants you to think they care about security but they really don't" as the posting suggests.
This is unequivocally a case of "big bad company finally realizes their biggest PR nightmare and has no choice but to finally take security seriously."
Don't think for a minute Gates' e-mail wasn't prompted by a genuine desire to improve security. M$ has finally realised the financial implication of crappy code.
This crowd won't ease off until Microsoft GPLs its software. All of it. And issues royalty-free use of any of its patents.
Interesting thought experiment, but don't hold your breath waiting for the reality to appear.
Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.
-or-
[humorous] Microsoft should be in control of how its users are used.
Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.
A solution to the problem with music today
...to take the main insecurities out of their operation:
...)
Breed a brother of clippy. Make it look like a string of barbed wire and name it, well, Barby (or appropriate alternative to avoid Mattel lawsuits).
Bring in Barby every fucking time the user tries to do something potentially harmful (like choosing the "Remember password" function, opening an attachment, sending out more than 1k of data to the net,
That would at least teach people some sense of security about their system. Hell, most car manuals even remind you to keep your car locked at all times it's not in operation and to remove the key from the ignition NO MATTER WHAT. It seems all so logical to thinking people, but most people don't want to think. They want someone to remind them. Still, some people leave their cars idling when they jump into the 7-11, but there are always stupid morons. Those who strictly obey rules had them hammered into their heads or learned it the hard way. Same should apply to OS'es.
+++ath0
This is precisely what led to Outlook Express being such a useless piece of *&*#& to use: allowing the SENDER to specify how email is used. Sorry Bill, but allow the RECEIVER to control this. Spam, 4MB attachments, and OE viruses/trojans/worms are all a result of the sender being in control.
Just write me a damn email client that lets ME choose what to receive, and how to display it. Wow, amazingly 99% of the problems with OE disappear!
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
What if, by pursuing this "Trustworthy Computing" avenue, the existing Microsoft customers begin to believe in Microsoft. They rally around the "vision", and start extending it.
Now a committee is created to "audit" all released software (funded by guess who), and Open Source software will now be subject to "approval" by a committee, probably via a pay-only system of review applications. Now this slows the release of Open Source software to a crawl, or stops it altogether, because most of us do not get paid for our work, nor can we afford to submit our releases for review. If we can, we're going to be damn sure to close every hole, therefore slowing down the frequency of releases. I, for one, hope this is not their intent, but Microsoft has always had an ulterior motive with every single action they've taken. Having Bill Gates declare it so publicly and firmly, leads me to believe he has some other motive here.
This announcement has brought out all levels of commentary so far... some saying "not gonna happen" or "impossible." Some are saying "if they really want to do it, they can and they will."
I sit in the second camp... mostly. But I tend to think that they will not be able to deliver on the promise for at least a couple of years.
In order for them to deliver on the promise, they will have to radically redesign their OS from the inside out and I doubt they have enough of the original coders around who can remember what they did to mess it up in the first place.
On the other hand, they can simply write an entirely new OS or build one from existing stable OSs. Making a BSD derivative first comes to mind. And why not? Just do what Be did. Write up some support for NTFS, a little migration and throw up a really nice GUI interface that looks like Windows always has and they're 90% done.
Is it possible? Very. Is it likely? I just don't know any more -- it depends on how serious they are.
I'm a Linux fan -- I use it when I can and when I'm comfortable. I also use MS Windows for things too... especially Japanese language support. If they can deliver on their promise, I'll use the product. (Am I actually saying this?) Yeah that's right, I'll use it.
But I guess they would have to satisfy my own expectations -- make it more Unix like. Quit using backslashes!! What's with the stupid A:, C: crap? You just limited yourself to 26 drives... freakin' brilliant.
Okay, it's late and I'm tired. I actually hope they can pull this off but I have my doubts that it will be anything that benefits the consumer more than it benefits MS's own purposes... I hope they can deliver my dream OS, but I just can't believe in it yet.
You missed his point. Just as the personal data about ourselves should belong to us, Microsoft fundamentally believes that the music you listen to, the video you watch, and the software you run are not your data. They are other entities' data, who only grant you a limited license to use their data as they see fit.
The only certainty is entropy.
But what would Slashdot do if Microsoft changes? They'll go on. Slashdot is not the anti-Microsoft site. There would be plenty of other news if Microsoft dropped out of sight tomorrow. Microsoft just manages to do things often enough to become a prime subject of this community.
Microsoft constantly stands out from their peers. The IT industry is full of large, powerful corporations. They all put out products that could have their merits debated. They all make marketing claims, promise things to their customers, and set company policy that impacts end users (including Slashdot readers). Yet somehow Microsoft manages to rise to the top.
Sure, there is over-the-top bashing of Microsoft (ignoring Microsoft's own PR, reputation for FUD, and zealous proponents). But there are also lots of legitimate grievances ranging from product quality to Microsoft's marketing tactics.
Microsoft gets attention because they deserve it.
When Microsoft changes its ways, they will fade into the background with other industry leaders like IBM. And the news will march on with or without them.
If Microsoft is serious about security, they'll supply encrypted file systems and encrypted email that are easy to enable and use, and suddenly vast amounts of email traffic will go "dark" to eavesdropping and wiretaps. The FBI tolerates some geeks using PGP now, but will completely flip out if it's deployed on the scale of Outlook encrypting everything by default. Legislated, mandatory key escrow will be a done deal. Ashcroft will read our mail forever.
Of course. I hear they're going to make their software "unbreakable."
Sure. But this isn't the same target.
Microsoft went after the Internet in the same manner they targeted other markets. It was a simple matter of identifying the target and applying the same business tactics they had been honing on other products / markets.
And it is some of these tactics that has caused the security issues they have today.
Microsoft will not be able to rehash their usual bag of tricks to win this new target. It will take some fundamental shifts in Microsoft's philosophy and culture. This will greatly affect their development. It will blind-side their marketing.
Microsoft began attacking the internet market by leveraging their name/reputation, new features, and quiet agreements (to name three). This fails in the current security environment.
First, Microsoft have found themselves with a failing reputation. If they hadn't, they wouldn't be taking these actions. But now, Microsoft security issues are making headlines in tech journalism. Microsoft can no longer dust these issues under the carpet just because they're Microsoft.
Microsoft's security woes have little to do with new features. If anything, it is their drive to add features without proper consideration towards security (and bug hunting) that has caused their trouble.
Microsoft has already begun trying to control their security problems with quiet agreements. But keeping major security companies quiet will not end their problems. The infosec industry is full of small groups and individuals who have numerous reasons to discover and publish vulnerabilities in Microsoft products. Sometimes these entities are doing what they consider a public service. Other times it involves making a name for oneself or business. But in any case, vulnerabilities will be found and the media will pick them up and report them as it makes a good story.
If Microsoft is to be successful, it will require a major shift. A shift they have never done before, Internet or no Internet.
Why?
Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.
Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.
But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.
Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.
You will never get that out of Microsoft. Ever.
Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
--
Nuke'em from orbit.
It's the only way to be sure.
This is most likely nothing more than the prelude to a new product line, imagine the possibilities...
M$ Firewall Pro, M$ Firewall Enterprise,
M$ Secure Server XP Advanced, M$ Antivirus,
M$ Secure Outlook, M$ Secure Browser,
M$ AntiHack Pro Deluxe, M$ IIS, Secure Edition
On the other hand, probably not.. that would be an admission that their software wasn't secure to start
Where? I'm holding onto 6.4, tried 7.x and really hate the GUI. I can't find this option anywhere. Can't find the registry keys either. There is a "user id" in there though.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
PR Man (PR): I've just completed that study you asked for, the one on why the Slashdot editors hate us.
Bill Gates (BG): Can you give me the executive summary?
PR: It's because we don't place enough emphasis on security.
BG: Fine. We'll do more about security.
6 months later
PR: I've just completed that report on why the Slashdot editors still hate us.
BG: And?
PR: It's because we place too much emphasis on security.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The defaults are everything,
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
It's not a security problem. It's a privacy problem.
Pardon? Security is about protecting assets. Is a list of all the music, video, and web sites I view not an asset?
I don't think so.
Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.
Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.
IT must be damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critical infrastructures.
Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.
MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.
According to what I read on bugtraq, Internet Explorer is vulnerable even if you don't ever use the windows media player. I always browse through all options of programs I use, but I can not be expected to look through all options of applications I never use, can I?
This sig under construction. Please check back later.
There seems to be a feeling that MS aren't doing this sincerely. Maybe they're not but we can't possibly know that yet. I think there is every reason to believe they will go through with this. Does anyone remember what happened when Bill Gates realised his company had taken its eye off the ball by ignoring the internet?
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
In all the (four or five years of) Linux experience I've had, no one blames RedHat users (except arrogant jerks), but everyone blames RedHat.
The difference between that and IIS is that when RedHat is installed as a desktop OS and still has a world of rootable daemons installed by default, that's stupid design. When Windows NT is installed with IIS by default on a desktop machine, it is, again, stupidity on the part of the company (in this case, Microsoft).
When someone gets paid to install/admin a box and they leave security holes open by default, I'm inclined to blame the person getting paid - it is their duty to be aware of problems and fix them, and if something so simple as a stupid default installation is beyond their grasp, they should look for a new line of work. For someone who just wants to use the computer, however, I don't think they deserve blame, no matter what OS they chose (or not) to install.
--Dan
Vendors will have to use Passport in order to get a "Microsoft Trustworthy Computing" seal on their website (have they trademarked that fucker yet?).
Users attempting to access Commerce sites without Passport integration will be warned with a big "THIS SITE NOT MS-TRUSTWORTHY-CERTIFIED!" messages.
After all, every consumer knows you need a big, familiar, feel-good corporation like MS to ensure your Internet security and privacy...
pr0n - keeping monitor glass spotless since 1981.
It cracks me up that Microsoft disabled Java support in XP for "security reasons".
Even with Microsoft's broken "Java", it was too secure. Of course Microsoft removed it for security reasons. Microsoft didn't say it was to increase security, did they?
I think the idea is that if all your personal information, music, videos, text, and so on don't belong to you, and your OS license doesn't bequeath anything to you but rather lets you use MS's OS for a while, then if someone breaks into 'your' computer, it's not your stuff they're deleting, so it's not 'insecure'.
New in Windows Media Player: Digital Rights Management! Remember, 'If you have no rights, there's nothing to lose!'
--Dan
Stand in a parking lot with a clipboard and write down the license plate numbers of everybody that enters. ;-)
From the risks digest....
Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)
I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.
However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.
There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).
An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.
The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.
What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
could otherwise be prevented?
[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp. 203-216.
[2] "Omniware: A universal substrate for mobile code"
Nicholas C. Weaver nweaver@cs.berkeley.edu
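Weaver's note refers to software fault isolation without showing the mechanism. As an added illustration (not from the RISKS post, from Wahbe et al. [1], or from Colusa's Omniware), the C below shows the core idea of the sandboxing variant described in [1]: the untrusted module's data lives in one aligned, power-of-two-sized segment, and every store the compiler emits for that module is preceded by an address mask that forces the segment bits. A pointer corrupted by a buffer overflow can then only land inside the fault domain. The arena layout, the canary value and the `store_*` helpers are constructed for this example; a real SFI compiler instruments the machine code rather than calling a C function per store.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SEG_BITS 12u
#define SEG_SIZE ((size_t)1 << SEG_BITS)   /* 4 KiB fault domain */
#define SEG_MASK (SEG_SIZE - 1)
#define TRUSTED_CANARY 0xAAu

/* Constructed memory layout: [trusted low | untrusted module segment | trusted high].
 * The arena is segment-aligned, so the middle third is an aligned segment whose
 * identity is carried entirely by the address bits above SEG_BITS. */
static _Alignas(4096) uint8_t arena[3 * SEG_SIZE];

static uint8_t *module_data(void) { return arena + SEG_SIZE; }
static uintptr_t seg_base(void)   { return (uintptr_t)arena + SEG_SIZE; }

/* Fill trusted memory with a canary and clear the module's segment. */
void sfi_reset(void)
{
    memset(arena, TRUSTED_CANARY, sizeof arena);
    memset(module_data(), 0, SEG_SIZE);
}

/* The check an SFI-aware compiler emits before every store in untrusted code:
 * keep the offset bits of the address, force the segment bits.  Two integer
 * operations, no branch, and the store can no longer leave the fault domain. */
static inline uint8_t *sfi_confine(uintptr_t addr)
{
    return (uint8_t *)((addr & SEG_MASK) | seg_base());
}

/* Unchecked store, as ordinarily compiled C behaves.  Returns the arena
 * offset the byte actually landed at (index is kept inside the arena so the
 * demonstration itself stays well-defined). */
size_t store_unchecked(size_t index, uint8_t v)
{
    uint8_t *p = module_data() + index;     /* may point outside the segment */
    *p = v;
    return (size_t)(p - arena);
}

/* The same store, instrumented: the bad pointer is masked first. */
size_t store_sfi(size_t index, uint8_t v)
{
    uintptr_t raw = (uintptr_t)module_data() + index;   /* same bad address */
    uint8_t *p = sfi_confine(raw);
    *p = v;
    return (size_t)(p - arena);
}

/* 1 if neither trusted region has been touched since sfi_reset(). */
int trusted_intact(void)
{
    for (size_t i = 0; i < SEG_SIZE; i++)
        if (arena[i] != TRUSTED_CANARY || arena[2 * SEG_SIZE + i] != TRUSTED_CANARY)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed fault: an index one full segment past the end of the module's data. */
    size_t bad = SEG_SIZE + 5;

    sfi_reset();
    printf("sfi:       landed at arena offset %zu, trusted intact: %d\n",
           store_sfi(bad, 0x42), trusted_intact());
    sfi_reset();
    printf("unchecked: landed at arena offset %zu, trusted intact: %d\n",
           store_unchecked(bad, 0x42), trusted_intact());
    return 0;
}
```

With the same out-of-range index, store_unchecked overwrites a byte of trusted memory one segment above the module, while store_sfi lands on offset 5 inside the sandbox and the canaries survive; an index below the segment wraps to the top of the sandbox the same way. The masking is where the small, fixed per-store cost Weaver cites comes from, and it is what makes a module's overflow a bug in that module rather than arbitrary code running with the host's privileges.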
- ship everything with scripting engines disabled: if user enables them, put out a big security warning window. Not real security, but good for PR : "default windows installation is secure!".
- Make stacks non-writable with something akin to the linux kernel patch shipped with OpenWallLinux. This would ensure some temporary security, until all current buffer overflow exploits are re-written. Again, PR people could again use this time to show off the improved security.
They could make a different set of boxes (Windows XXP!) and make money out of it.
Ciao
----
FB
...MS to declare that the major security threat lies in other vendors' software and other OS's? After all, they used Win95 to kill off DR-DOS ("it isn't really compatible with the special code we added to Windows")
Then they will argue that they have to close up everything to bring about security: "Only MS products are really safe with MS Windows. Only MS protocols are secure."
Then the Big Lie: "you are only safe with us"
I am anarch of all I survey.
Don't get me wrong, the philosophy of unions is fine with me, but so is the philosophy of democracy, and neither one works particularly well over time - both systems have been corrupted. Unfortunately, maybe it's just human nature, but whenever there is the potential for a system to be abused, it is abused.
Name, for example, one government program that has the potential for abuse, but hasn't been abused? Now name one union that has been around for any length of time that hasn't been at least investigated for abuse or had an official fired or voted out (as a scapegoat) for abuse.
Stupid sexy Flanders.
Hm, IIS is not installed by default on desktop version of NT/2K
--
Two witches watched two watches.
Which witch watched which watch?
For immediate release:
Due to the current flurry of negative (and obviously biased) reports about XP's security of late, Microsoft PR 3.0 has created the following new security certification: BS1.
Achieving this rating marks a milestone in the development of the Windows eXPerience. The most recent press release lambasting the "evil, commie, terrorist bastards" who dare to release exploit code challenging the "Security is Job 3.0" corporate mantra in Microsoft has successfully pushed XP into the BS1 certification category.
BS1 is marked by the following:
* 3+ Metric tons of press releases denying any and all problems.
* 1GB+ downloadable "patches" and "enhancements" required for all new installations.
* 100,000th "grass roots" letter of support delivered to Congress
We would like to thank all of the people in Marketing and the good folks over at W&E for helping us reach this milestone in the Windows eXPerience.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Given Microsoft Corp.'s track record of press announcements, vaporware and talk about "... the next version will fulfill this need.." I foresee this as YAMK (Yet Another Marketing Campaign).
Come on. You do not need to be an expert in marketing tactics. But for a company that is expending $1 billion (that is, $1,000 million in Europe) just in advertising for the XP family... It just makes sense that, after having everybody talking about how much security is needed, Microsoft promises that it will deliver just that. Next version, of course.
Microsoft has been making promises like this since it was created. It has hardly delivered... on time. The record is out there. Our money, in their bank accounts. And they still are saying that the next product will have this or that feature that we need right now.
Come on! We can be naive! But not after 20 years of not delivering!
OTOH, Microsoft Marketing Department would do great promoting the virtues of democracy around the world. In 20 years, everyone and their mothers would be trying to be a democracy.
Ah! The power of Marketing!
It looks like it's NOT installed if you select "default" install. However, if you select a custom install, it's checked by default. At least, that's how it was for me.
Where are the userids and file system permissions for files on a FAT partition?
How do I get a directory listing with owner and file permissions for files on an NTFS partition?
Right-Click, Properties, Security tab, Permissions. File-by-file. Thousands of files. No cigar.
Windows: Focused on security since 2002. Really, we're serious this time. Stop laughing.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I remember the same sentiment a few years back, when, after saying the Internet wasn't even a consideration, that they were turning their company around and focusing on the Internet. Everybody laughed, and didn't think it meant anything. They aren't laughing now. They all laughed when Microsoft said they were 'betting the company' on NT5/2K technology. Well, they did. 2K. XP. Xbox. It's all NT5 tech now. And now they're saying that they're going to turn around and focus on security. Well, a while ago they put out Internet Security and Acceleration Server, aka Proxy Server 3. And it was NICE.
Vintage computer games and RPG books available. Email me if you're interested.
Security is one of those things that is required to come at the planning stage of any product -- not as an afterthought during the coding and test stages.
MS needs profits to buy new companies so they don't have to pay dividends. They need big profits so that the stockholders will be happy with the 'value' of MS as a whole.
Yet, the software side of their business is a stagnant market -- huge and captive but not growing as it used to. Because of that they need to retain customers and get them to upgrade on a regular basis (subscriptions everyone?).
Then, we're back to the schedule and the features and security getting short shrift.
Does anyone expect it to be any other way?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
What would MS have been like if a Gatesian personality had not been at the helm? Possibly not the MS we've come to love. Added attention to security now is obviously not any kind of move in the "right" direction, but instead just a CYA maneuver now that Bill's finally awakened to the fact that their security concerns could be enough to bring the whole house down unless they pay some attention to them. But he cannily waited until the problem was bad enough to be worrisome - had he been more community-minded he would have attacked this more seriously a long, long time ago.
Kind of makes you wonder what will happen to MS once Gates has removed himself entirely. Will they begin to play more nicely with others? (Insert Ballmer monkey comment here.)
Was that out loud?
I don't use MS products specifically because of security concerns - and I think it's more like "better late than never."
Any commitment to focus on security is always a good thing..
Of course, I'm still skeptical - considering MS's track record, the best attitude is "wait and see"..
I find AOL/TW less scary than MS, at least on a personal level.
At least Microsoft didn't spend millions lobbying both political parties to pass the Bono Act and DMCA like AOL(tw) did back when it was just Time Warner.
If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me.
It does in the United States, where you can go to jail merely for watching a DVD.
Microsoft, on the other hand, by trying to extend its monopolies
Except AOL(tw) doesn't try; it succeeds in extending its monopolies.
Updated!
Will I retire or break 10K?
There are two ways I can think of:
They moved the link on us. It's now here.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
That part is really central to the problem.
Microsoft has been the dominant player for so long now (what, about 15 years?) that it has become complacent and arrogant. They can say, with all credibility,
even if it grates on the ears of their competitors and users. There are definitely some brilliant people working in Redmond, but if they are managed by the same people that bred this culture of arrogance, then only rare glimpses of that brilliant work will be revealed to the world. Most of that good work will be muffled and warped beyond recognition under various business practices such as supporting Windows, leveraging Office, promoting .NET or whatever the fad (cf, Trustworthy Computing) of the day happens to be.
The sooner that megalithic company is split into smaller pieces the sooner it will have a chance to bring genuinely good products to the marketplace.
"Provided by the management for your protection."
Right.
It is installed by default on NT Server.
I still get pinged by dozens of local machines that are rooted through that one.
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
Remember it - I've had to live it. On two separate occasions I had to reinstall RH on machines with BIND. These were not nameservers. Since then I do regular audits of machines on which I might be asked to work.
"netstat -al | grep LISTEN" and nmap -sT
Secure by default should be the motto for default server installations. Redhat has learned from its mistakes. So have all other linux vendors. Debian and the BSDs never had such problems to begin with.
But there are still several million Windows machines displaying the default IIS home page.
Also, knowledge of this feature is useful to administrators of systems where there is policy that the privacy of the users is to be protected.
For example, it is illegal for any federal website to collect personally identifiable information about any of their website's users without their explicit permission. While there is an exemption for the temporary collection of browser info and IP found in server logs, since these in and of themselves are not very reliable at identifying individuals (and there are regulations in place to prevent their use without judicial guidance), the level of individual identification allowed by this feature/bug likely would not be allowed.
Without these privacy violations being widely announced, it's likely that federal website administrators could unknowingly violate the privacy regulation.
Work for Change & GET PAID!
But it doesn't have to be done manually! A simple Google search turned up lots of tools that eat raw C and C++ code and detect potential buffer overflows. Use of tools like these ought to be a mandatory quality control step for any organization that really cares about secure and reliable applications.
And of course, all of this completely ignores the possibility of using other languages where buffer overflows and stack smashes are implementation problems rather than application programmer errors.
In my opinion, shipping code written in unsafe languages without at least an automatic static check for potential security problems should make the shipper liable for damages.
To a Lisp hacker, XML is S-expressions in drag.
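The pattern the poster above says those tools catch, shown as an added example (constructed for this thread, not code from Microsoft, from any of the posters, or from any particular checker). It puts the unbounded `strcpy()` a static checker flags next to the `strncpy()` "fix" that checkers also flag, because it can leave the buffer unterminated, and next to a bounded copy that rejects oversized input. `NAME_MAX`, `struct user` and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, constructed for this thread; not code from Microsoft or
 * from any of the posters. NAME_MAX, struct user and the function names
 * are hypothetical. */

#define NAME_MAX 16

struct user {
    char name[NAME_MAX];
    int  admin;          /* sits right after name[]; an overrun lands here */
};

/* Vulnerable: strcpy() copies until the source NUL and ignores sizeof name.
 * Any src of NAME_MAX bytes or more overruns name[]. This is the call a
 * source-level checker flags. */
void set_name_unsafe(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* Still wrong: strncpy() stops after n bytes but writes no terminator when
 * strlen(src) >= n, so a later strlen()/printf() on name[] runs off the end. */
void set_name_strncpy(struct user *u, const char *src)
{
    strncpy(u->name, src, sizeof u->name);
}

/* Hardened: measure first, reject rather than silently truncate (a truncated
 * name can collide with another account), and always copy the NUL. */
int set_name_safe(struct user *u, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof u->name)
        return -1;                 /* too long: leave *u untouched */
    memcpy(u->name, src, len + 1); /* len + 1 includes the terminator */
    return 0;
}

/* Whether name[] currently holds a terminated string: this is what the
 * strncpy variant breaks and the safe variant guarantees. */
int name_is_terminated(const struct user *u)
{
    return memchr(u->name, '\0', sizeof u->name) != NULL;
}

int main(void)
{
    struct user u;
    const char *ok       = "alice";                     /* constructed input */
    const char *too_long = "this-name-is-far-too-long"; /* 25 bytes > NAME_MAX */

    memset(&u, 0, sizeof u);
    printf("safe(\"%s\") -> %d, name=\"%s\"\n", ok, set_name_safe(&u, ok), u.name);
    printf("safe(too_long) -> %d, name still \"%s\"\n",
           set_name_safe(&u, too_long), u.name);

    set_name_strncpy(&u, too_long);
    printf("strncpy(too_long) leaves name terminated? %d\n", name_is_terminated(&u));

    /* set_name_unsafe(&u, too_long) is deliberately not called: it would
     * overrun name[] into admin and the stack, which is the bug, not a demo. */
    return 0;
}
```

A checker that only greps for `strcpy` would pass the `strncpy` variant; the better tools track the destination size and the missing terminator, which is the point of running them rather than reviewing by eye.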
They've dominated the market for years, mainly because they were there first, but also because of usability/convenience factors. People put such things above security (and most likely privacy). They want something that works easily with little effort or configuration that does what they need it to. Windows has always been that.
On the other hand, no real OS of the time could really equal that level of user-friendliness and simple interface that Windows offered. As times are changing (and many people are figuring this out), a vast shift in many UNIXes has been towards developing a friendlier interface (Windows' strong point). It only makes sense that Microsoft should shift its goals towards security and stability (the UNIXes' strong points). Basically, if Microsoft gets there first (stability, security, AND an easy UI) before any of the UNIXes gets more firmly cemented in the market, it will become _drastically_ harder to get people to switch over.
Magius_AR
I think that this message may be a way of sneaking the Secure Execution Mode that MS is working on into the public awareness, and that is in fact one of MS' highest priorities. The capitalized phrase "Trustworthy Computing" is what tipped me off, because it is very much what they want, if you use a different context for "trustworthy" than what they want you to assume.
The key thing to note about "Trustworthy Computing" is that it has nothing to do with you trusting them. It has to do with them not trusting you. Basically it's about preventing anyone without a logic analyzer from being able to tell what is in memory, as a way of enabling DRM that you can't (as easily) laugh at.
So you're right. You have absolutely no reason to be reassured.
The enemies of Democracy are
None of the revelations about XP surprise me. I've known them for a year or more. So has every reasonably intelligent person who has paid attention.
The problem is that an awful lot of people played "what if." They saw the promises that said that XP would be great and secure. They wanted it to be so, and as a result they believed the promises. Since the promises worked and ensured sales, they didn't actually need to do it.
Microsoft seems obviously in love with their own PR. The problem is when people go along with the gag, which they've been doing for far too long. Now you want to play some more. As long as you play, get used to bending over.
I also have a hard time understanding the idea of "middle ground." What, like Microsoft gets to abuse its monopoly on Mondays, Wednesdays, and Fridays? Being a monopoly is legal. Abusing monopoly power is. The government wants them to stop but won't do anything to make them stop. So, what exactly do you want?
I'm also getting more than a little tired of this Linux As Religion stuff. Sure, there are zealots, but this is mostly a Beavis-and-Butthead-style dismissal. Most geeks like cool stuff. I've been a computer geek for about 30 years, and Microsoft used to be cool. Nobody cared that they monopolized the microcomputer languages field, because Microsoft BASIC was good. RTF and SYLK were good. The first version of Excel was good. Even MS-DOS, for all its primitiveness, basically worked. It isn't some sort of religious conversion that makes me dislike what Microsoft has been doing over the past decade; it's the fact that they've been doing bad.
I'm finishing up Lawrence Lessig's latest book "The Future of Ideas", and one of his main points both in this book and in "Code and Other Laws of Cyberspace" is that the open, accessible by all with all being equal nature of the TCP/IP protocol is the central point around which the internet has grown, allowing anyone who wishes to use the internet however they wish.
In this latest book he does a good if sometimes abstruse job of showing how not only computer companies but all kinds of businesses are trying to prioritize/demarcate/segment/control the net and prevent any more innovative uses a la P2P from occurring because it threatens the old way of doing business. It's a good related read if anyone's interested.
In other news, even if this is true, there's no reason us geeks can't continue to use our own TCP/IP & not use any new proprietary protocol. Who knows? Might be nice to have the spamming, virus-spreading masses that don't know anything about their computers all off on a different protocol & all. Remember too that AOL/Prodigy/Compuserve never volunteered to provide access to the 'net. They were forced to by customer demand for the content TCP/IP made it possible to provide.
The only tool you've got against psychosis is experience.
Is it April 1 already?
JET Program: see Japan, meet intere
ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha
Laws affecting technology will always be bad until enough techies become lawyers.
I say this as a long time Microsoft detractor and Mac fan.
This is a very significant change. I think it is as significant as when Gates decided that the company should focus on the internet. Since then, Microsoft has made efforts to improve their internet technology, integrate it into the OS, and evangelize it. I'm not saying their technology is always great, but their efforts have moved them to the point where they are a very significant player in areas where they weren't, such as web servers (IIS sucks, but is a pretty widely used web server), browsers, web development, etc.
I think Gates correctly recognized security as being a weakness that the competition can exploit. Their main competitors that can attack them on security being Linux, Sun, and IBM (I'm referring to both MVS and IBM's new Linux initiatives) in the OS space and Oracle and IBM in database space. There are others.
Gates is definitely a smart businessman and I think he's making a good call for Microsoft here. It's really about protecting their OS business and recognizing that Passport can't succeed without a perception that it is at least reasonably secure. The security holes they have had in the past have been very bad publicity for MS.
Will this initiative succeed?
I think Microsoft has demonstrated in the past that when they put their collective attention on a problem (such as internet integration), they can make significant progress in a relatively short time. However, security is harder and more runs counter to their corporate culture of keeping their costs very low and getting product out the door regularly and quickly. (Again, these terms "regularly" and "quickly" are relative to the rest of the industry.)
In order to do what Gates wants, they are going to have to evolve to be more like IBM. I've worked at both Microsoft and IBM doing dev work on actual products. The differences between the two in terms of their overall development processes are very different. IBM's processes are more focused on producing quality products than are Microsoft's. My experience is that IBM is willing to spend more money and time on really getting a product "right" than Microsoft. Microsoft has a much greater degree of urgency about getting things done. For small software companies, urgency about getting things done is very important, but I think Gates knows that Microsoft has enough of an established business (understatement) to slow down a bit and concentrate more on quality.
The good thing about the current culture is that they can respond to new innovative products somewhat quickly. Once they start caring more about security and quality, it will be harder for them to use their OS to squash competitors. If they can't integrate new technology into the OS at the drop of a hat, then the best they can do is have a product dev group create a competing application to whatever the new hot thing is and compete head to head. I think it will be easier for the third parties to win under this scenario. What MS gets in return is a greater ability to compete effectively against competitors who have eluded them in the past such as Intuit, Oracle, and Linux.
Avoid Missing Ball for High Score
Hugh Daniel went up there some time last year to do some interoperability testing between NT's IPsec and FreeS/WAN. He asked them what crypto they'd implemented and could test. They told him that they'd only done 40-bit DES.
He just left.
Personally, I'm not holding my breath for MS to ever implement a securable system. They'll do things that let them check off the boxes in their product literature, but as for those features being truly robust, I wouldn't count on it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
(This isn't meant as a funny or trollish comment, but I can't seem to put exactly what I want into words I know won't be taken for "M$ wants to stamp out alternatives". *sigh*)
~REZ~ #43301. Who'd fake being me anyway?
To quote from the 80's Wendy's commercial:
"Where's the beef?!"
Gee Willikers, Bill Gates is using his bully pulpit with the press to announce that Microsoft is going to do something that all of their customers have been _wanting_ them to do for aeons. This is about as pressworthy as Larry Ellison advocating a gigantic national database -- running Oracle software.
This "leaked" email is rather silly. The press should have more restraint in printing patently self-serving "inside scoops" like this. Microsoft is insanely rich -- make them pay for their marketing.
Shane
Don't you remember? Bill Gates *created* open source!
:)
Keep up! It was at the last stockholders meeting!
(The amount of bullshit tolerated in the corporate world is astounding.)
It's been a long time.
Unlikely. Now there's an understatement.
An unsafe scripting interpreter is more powerful and easier to use than a safe scripting interpreter. To be safe, it is probably easiest to run the interpreter in a sandbox where one does not need to trust the interpreter, let alone the script.
(if it is even possible to write useful scripts in such a limited environment)
Possible? Yes. Necessary? Yes. Easy? No.
Gives an idea why Sun gets all uptight about people screwing around with Java. They aren't about to let anybody turn their baby into some sort of Viral Basic.
That's gotta be a joke.
:)
If so, it's damn funny.
If not, it's damn scary.
It's been a long time.
And when you discover someone in a 3rd floor window snooping with binoculars and writing down license plate numbers, ....
What is benign about writing down people's license plate numbers?
OK, MS provided a check-box somewhere for this. What guarantee is there that MS provides a check-box somewhere for everything affecting my privacy? Do I have any way of knowing if I have found all of them?
blah blah blah Trustworthy Computing, blah blah, Trustworthy Computing, blah blah blah blah, Trustworthy Computing...
"Chiswick! Fresh horses!"
So when will I be able to visit any of the Microsoft websites with IE browser security set to High?
Microsoft executives said the memorandum resembled previous broadsides that have been fired off by Mr. Gates, the company's co-founder and chairman, when he thought that the company's strategic direction needed radical changes.
In 1995, for example, Mr. Gates sent a companywide e-mail message exhorting employees to turn the direction of the Microsoft "battleship" and focus all the company's efforts on the threat of the Internet to Microsoft's business.
They viewed the free communications media that was growing as a threat. This is why they did not rush to embrace it, but fought to destroy or dominate it. Sure, billg made a vanity web page and company policy was to tell everyone that was all it was good for. I remember it from being there. They rolled netbios out on the majority of their victims and tried to hold off TCP/IP for freaking ever, or at least till winsock was ported from BSD for free and they could steal and sell it. Since then they have done everything in their power to cram their stupid proprietary formats over it by buying out companies and perverting them to spam sites. Like Bolsheviks, they seek to disrupt the medium until they can control it. They are evil, and we have yet to see if the internet will win this one but freedom has a way of ignoring snake oil until there is nothing left but a fringe market for fools.
Security on M$ platforms is impossible. There are no real user ID's, nor file permissions built into the kernel or the file system. The PNP hole on port 5000 is a great example of this. Why did it take so long to find it? Where were the commercial firewall companies that so many trolls like to tout here? You would think that they would have spotted it and closed it if such things were possible on an OS that does not really keep track of all the processes that are running.
As I lost two karma points for in an earlier post, the only way M$ is going to be able to provide any kind of security is to follow the Apple example and dump Windows. I imagine they will roll a BSD and make some kind of WINE-like compatibility mode. It's not going to work. They are far too behind; after all, Apple bought up Next and it still took them years. They canned all their good VAX people and gutted the majority of their work as they shifted focus from their failed Unix killer, NT. I don't think so much as their mediocre korn shell made it to win 2000. The ridiculous proposition of a month long "focus" on security by all of their employees shows that they have an impossible task on their hands. Their sins are all looking them in the face and laughing. Had they spent as much time working with other platforms as they did breaking interfaces, swapping print methods and ruining other companies in general, they would be in a much better position today.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
At every bootup Windows will contact Microsoft for security activation based on User, Password, HardwareID, and comprehensive SystemLog of all activity.
Any unauthorized access will result in immediate shutdown. Reactivation will require voice confirmation and explanation of unauthorized activity. 1-900-ILO-VEMS. To enhance your security and combat privacy, fines will be conveniently billed to your phone.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Microsoft HAS to lock down security BIGTIME.
Microsoft just got a patent on Digital Rights Management Operating Systems.
If you read the patent you'll see they plan to keep the user locked down with an iron fist.
If you secure an operating system from attacks by authorized users, what chance does an unauthorized attacker have?
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
True that M$ is nowhere near as secure as *nix; however, as you bash away and curse M$, remember one thing -- if it wasn't for M$, its bugs, flaws and SIZE, you probably would never have been able to afford the computer you are using to post your bashings. If NOTHING else, at least Bill G. has pushed the market forward and the Windows monopoly has in turn pushed the hardware developers. It is irrelevant which operating system is the most widely used because there will always be the groups of people who don't want to conform and as such feel the need to promote whatever product they use as superior. Well often those people perceive "Alternative" to be synonymous with "Superior" -- that doesn't mean it's true. If Macs ruled the world, you can bet your ass that OSX would be nothing like what it is today - it would not have the slightest traces of *nix and would be the endless target of rants, bashes and various posts by people who just wanted to be "non-conformists". Funny thing about non-conformists though; most of them conform more than they admit. I'd be willing to bet that the majority of the vitriolic posts concerning this article were derived by someone sitting at their PC - and if they had just finished playing a game (OTHER THAN freakin another freakin quake engine clone) they may still be logged into that hated Windows OS! Yes, bitching all the way, but still, somewhere secreted away is their installation of Windows. So stop ranting about the advantages of Linux and just be happy that perhaps something is now going to be done about the security issues at hand and have a little damn respect for the developers that (misguided or not) have put an OS onto more machines than you can possibly imagine! Monopoly - sure, but at some point those monopolies serve/d a purpose... if it wasn't for the AT&T monopoly years ago you'd still be turning a damn crank to talk to Martha the switchboard operator to call Andy and Barney down at the sheriff's department...
So in closing - who gives a rats ass what OS you run, ANY attention to security is good for EVERYONE!
...n8