Slashdot Mirror
Microsoft to Focus on Security
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.
Especially if they find that anyone's distributing exploit code.
--- http://foo.ca
Why does Microsoft saying they're going to focus on security remind me of the US government talking about campaign finance reform?
If using Linux is about choice, how come people complain when I choose to use Windows?
After reading the article, and also having my Microsoft account rep call me up after I have told her that I wont be installing my "enterprise" (every time I say that word, my whole team breaking to ST:TNG theme song), becuase the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...
Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to to!
Grrrr, too many NT crashes, not enough intellegent techs to figure out what went wrong, other than.. oh just reboot!
`find / -name "*your_base*" -exec chown us:us {} \;`
A couple of Microsoft's security people published a book - Writing Secure Code - recently.
It's obviously Windows biased with respect to code samples, but it's actually very good.
Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
Hogsback
However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
Oceania has always been at war with Eastasia.
Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.
I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.
Hey, I'm just sayin'.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
Right. This is not a security problem. This is a privacy issue.
And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.
If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because its the godhead of this entire forum), What would we do?
/. topics get more sensational?
Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will
MS Press Release:
"Microsoft released a patch today to save 15K of RAM in explorer.exe"
Slashdot:
Microsoft wasting gobs of memory for extra red-dot in windows logo.
Personally, I say good for microsoft. Microsoft, right now, is an intergral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)
Just my $0.02, Refundable with a $2.00 restocking fee.
Is this in the same vein as the day Bill Gates ordered everyone at MS to stop what they were working on and concentrate on how the Internet would affect their products?
Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"
First of all, it truly scares me that Bill Gates's announcement that Microsoft will "empasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself. /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelyhood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On
Yes, it's all about timing. The rest of the email outlined thier other goals:
1. To workout more
2. To eat better
3. To be nicer to the people we love
4. To not drink so much
The email closed with a lamentation about how these beginning of the year resolutions never seem to work, followed by a humorous panel from the comic strip "Cathy".
- Dan I.
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem. It's a privacy problem.
If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.
[
Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?
"Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")
Anyone remember Bill Gates's deposition in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.
In this case, "Trustworthy Computing" means "convincing computer users that they don't have to wory about security... that they can trust MS."
The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.
I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.
How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.
Extrapolate amongst yourselves.
Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?
Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
"And like that
To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
Slashdot's first reaction to VMware
Last time I installed Mandrake 8.1, it automatically partitioned my drive, and auto-detected and properly configured every piece of hardware in my laptop (including my 802.11b card). There are still applications out there that could use some usability enhancements, but the major obstacle (installation) is pretty much out of the way. The only thing Linux needs to be a true competitor on the desktop is applications. These days, the desktop-oriented Linux distros are just as easy, if not easier, to install as Windows. It is the lack of applications that is holding back any progress Linux might make on the desktop.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Normal slashdot staff overreacting again. You can turn that ID off.
The defaults are everything, Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop(IE), and no other browser is allowed to be there ? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons ?
This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.
Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.
So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?
If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.
It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.
Properly securing products isn't fun.
Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.
Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."
All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.
Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
This Sig is a mnemonic device designed to allow you to recognize this author in the future.
Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.
-or-
[humorous] Microsoft should be in control of how its users are used.
Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.
A solution to the problem with music today
Of course. I hear they're going to make their software "unbreakabale."
Why?
Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.
Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.
But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.
Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.
You will never get that out of Microsoft. Ever.
Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
--
Nuke'em from orbit.
It's the only way to be sure.
Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.
Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.
IT must been damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critcal infrastructures.
Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.
MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.
here
From the risks digest....
Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)
I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.
However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.
There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).
An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.
The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.
What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
could otherwise be prevented?
[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,
[2] "Omniware: A universal substrate for mobile code"
Nicholas C. Weaver nweaver@cs.berkeley.edu