Slashdot Mirror


Microsoft to Focus on Security

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

22 of 720 comments

  1. Funny, I Don't Feel More Secure... by The+Spie · · Score: 5, Funny

    Why does Microsoft saying they're going to focus on security remind me of the US government talking about campaign finance reform?

    --
    If using Linux is about choice, how come people complain when I choose to use Windows?
  2. Standard Corporate Security Policy by ZenJabba1 · · Score: 5, Insightful

    After reading the article, and also having my Microsoft account rep call me up after I have told her that I won't be installing my "enterprise" (every time I say that word, my whole team breaks into the ST:TNG theme song), because the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actual purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...

    Nothing has changed as far as I can see, nothing will in the next 1-2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to do!

    Grrrr, too many NT crashes, not enough intelligent techs to figure out what went wrong, other than.. oh just reboot!

    --
    `find / -name "*your_base*" -exec chown us:us {} \;`
    1. Re:Standard Corporate Security Policy by Waffle+Iron · · Score: 5, Insightful
      current directive in Redmond is for all product groups to sweep the entire code base for security-related bugs.

      Problem is, that's not going to do a lot of good if these people don't have the experience to spot security bugs in the first place. The potential universe of exploits is huge, and it includes interactions between components written by different groups. I doubt that they even have the talent base to do this job effectively.

      It's possible to create an OS that's secure out of the box; OpenBSD is an example. Now Microsoft wants to get to the same place, but with orders of magnitude more code, a small fraction of the time, and next to zero corporate security culture. This is beyond "trying to have a baby in one month". This is more like putting 5900 women in a room and trying to get a baby in one hour.

    2. Re:Standard Corporate Security Policy by pHDNgell · · Score: 5, Funny
      This is more like putting 5900 women in a room and trying to get a baby in one hour.

      I don't know about the rest of you guys, but I'm buying this video when it comes out.

      --
      -- The world is watching America, and America is watching TV.
  3. Writing Secure Code by hogsback · · Score: 5, Interesting

    A couple of Microsoft's security people published a book - Writing Secure Code - recently.
    It's obviously Windows biased with respect to code samples, but it's actually very good.

    Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,

    1. Re:Writing Secure Code by cooldev · · Score: 5, Interesting

      To whet your appetite, a little excerpt from the beginning about how quickly machines get attacked:

      Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened... Someone was scanning the external IP addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, so the person issued an HTTP HEAD request to see what the server was; it was an Internet IIS 5 server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its DNS name was www.windows2000test.com. Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

  4. About windows media.. by guacamole · · Score: 5, Informative
    Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    Right. This is not a security problem. This is a privacy issue.

    And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.

  5. If.. by AnalogBoy · · Score: 5, Insightful

    If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or lower, incidence of critical issues as, say, Linux (I swear I didn't choose that just because it's the godhead of this entire forum), what would we do?

    Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; what happens if we lose ours? Will /. topics get more sensational?

    MS Press Release:
    "Microsoft released a patch today to save 15K of RAM in explorer.exe"

    Slashdot:
    Microsoft wasting gobs of memory for extra red-dot in windows logo.

    Personally, I say good for microsoft. Microsoft, right now, is an integral part of so many organizations, and admittedly they have security problems; they could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)

    Just my $0.02, Refundable with a $2.00 restocking fee.

    1. Re:If.. by vondo · · Score: 5, Insightful
      I find AOL/TW less scary than MS, at least on a personal level.

      Sure, I watch CNN. Maybe I pick up Time occasionally, but I'm aware of who they are and what they are doing. If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me. (Of course it affects the society around me.)

      Maybe I don't hear the incessant ads for AOL on CNN, maybe I have to use a smaller ISP. I think I can live without those things.

      Microsoft, on the other hand, by trying to extend its monopolies, is targeting my ability to communicate with other people. I can choose not to run Powerpoint or Word, but if 90% of the people around me only speak that "language" I can't see what they're saying. I can choose not to run IE, but if I can't read half the web because of it, I've lost. If I choose not to use Window's Media Whatever-its-called, I might not be able to hear the music I want to. And of course if I choose to run Linux, I can't even choose not to use all these MS products.

      When this happens, I've not just lost out on being able to use MS's products, but on a larger part of my world.

      AOL/TW is trying to control the content. MS is trying to control the underlying language. I find MS's intrusions more threatening to my lifestyle.

    2. Re:If.. by Pussy+Is+Money · · Score: 5, Interesting
      Nice post.

      I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.

      This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.

      But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.

      So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successful, it will be Microsoft's business next week. That's why we need to oppose Microsoft.

      --
      Pushin' 'n dealin', shovin' 'n stealin'
    3. Re:If.. by mjh · · Score: 5, Insightful
      If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or lower, incidence of critical issues as, say, Linux ... what would we do?

      Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."

      Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanaticism about it. If better software comes along that costs money, I'll buy it.

      How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.

      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  6. Is this like internet day? by vondo · · Score: 5, Funny

    Is this in the same vein as the day Bill Gates ordered everyone at MS to stop what they were working on and concentrate on how the Internet would affect their products?

    Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"

  7. Thoughts by cascino · · Score: 5, Interesting

    First of all, it truly scares me that Bill Gates's announcement that Microsoft will "emphasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself.
    Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
    Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelihood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.

  8. Re:timing? by daniel_isaacs · · Score: 5, Funny

    Yes, it's all about timing. The rest of the email outlined their other goals:

    1. To work out more
    2. To eat better
    3. To be nicer to the people we love
    4. To not drink so much

    The email closed with a lamentation about how these beginning of the year resolutions never seem to work, followed by a humorous panel from the comic strip "Cathy".

    --
    - Dan I.
  9. Two questions by Chris+Johnson · · Score: 5, Interesting
    Two questions. One, it's all very well to talk about this but isn't it like rewriting Netscape from the ground up? Isn't it either totally meaningless or an announcement of a complete energy sink at Microsoft which will immobilize them?

    Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?

  10. You should be afraid... by tswinzig · · Score: 5, Insightful

    The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.

    I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.

    How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shut down 3rd-party Windows web servers with IIS, etc.? Not long.

    Extrapolate amongst yourselves.

    Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?

    Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?

    --

    "And like that ... he's gone."
    1. Re:You should be afraid... by djrogers · · Score: 5, Insightful

      Adding functionality to an OS is much easier than adding security. There's nothing magic about building a web server or browser, and giving them away/bundling them makes it quite easy to gain marketshare. Note that everything you mention in your e-mail has been involved in HUGE security holes...

      --
      Think outside the... Hey, where'd the friggin' box go?
  11. He can talk the talk... by Jon+Abbott · · Score: 5, Interesting

    "Users should be in control of how their data is used" -- Bill Gates

    To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
  12. Re:That GUID on WMP? Yeah . . . by blakestah · · Score: 5, Insightful

    Normal slashdot staff overreacting again. You can turn that ID off.

    The defaults are everything. Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop (IE), and no other browser is allowed to be there? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons?

    This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.

    Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.

    Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...

  13. security, programmers, human nature... by Chris+Canfield · · Score: 5, Insightful

    It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.

    Properly securing products isn't fun.

    Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.

    Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."

    All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.

    Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.

    --
    This Sig is a mnemonic device designed to allow you to recognize this author in the future.
  14. Microsoft's Acceptable User Parameters by i_am_nitrogen · · Score: 5, Funny
    "Users should be in control of how their data is used" -- Bill Gates

    Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.

    -or-

    [humorous] Microsoft should be in control of how its users are used.

    Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.

  15. M$ already own the technology to kill buffer issue by martin · · Score: 5, Interesting

    From the risks digest....

    Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
    "Nicholas C. Weaver"
    Sat, 5 Jan 2002 13:15:52 -0800 (PST)

    I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.

    However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.

    There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).

    An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa Software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.

    The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.

    What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which could otherwise be prevented?

    [1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp. 203-216.

    [2] "Omniware: A universal substrate for mobile code"

    Nicholas C. Weaver nweaver@cs.berkeley.edu
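
To make the address-sandboxing idea Weaver refers to (the software fault isolation of Wahbe et al. [1]) concrete, here is an added example that is not part of the RISKS post, the paper, or Colusa's product. It assumes a 4 KiB power-of-two fault domain and hand-inserts, on a single copy loop, the masking store that an SFI-aware compiler would emit before every unsafe store; fault_domain, sandbox_addr and run_overrun are names chosen for this demo, and the sentinel and overlong input are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Fault domain size is a power of two, so confining an address is a mask, not a compare. */
#define DOMAIN_BITS 12u
#define DOMAIN_SIZE ((uintptr_t)1 << DOMAIN_BITS)

typedef struct {
    unsigned char *base;   /* DOMAIN_SIZE-aligned start of the fault domain */
    unsigned char *raw;    /* backing allocation: the domain plus a neighbour region after it */
} fault_domain;

static int fd_init(fault_domain *fd) {
    /* Over-allocate so we can align by hand and still own a full DOMAIN_SIZE past the domain. */
    fd->raw = malloc(3 * DOMAIN_SIZE);
    if (fd->raw == NULL) return 0;
    uintptr_t p = ((uintptr_t)fd->raw + DOMAIN_SIZE - 1) & ~(DOMAIN_SIZE - 1);
    fd->base = (unsigned char *)p;
    memset(fd->raw, 0, 3 * DOMAIN_SIZE);
    return 1;
}

/* Address sandboxing (Wahbe et al.): keep the domain's high bits and take only the low
 * DOMAIN_BITS bits from the requested address, so every store lands inside the domain. */
static unsigned char *sandbox_addr(const fault_domain *fd, unsigned char *target) {
    uintptr_t segment = (uintptr_t)fd->base;            /* low DOMAIN_BITS bits are zero */
    uintptr_t offset  = (uintptr_t)target & (DOMAIN_SIZE - 1);
    return (unsigned char *)(segment | offset);
}

/* The kind of loop a compiler would instrument: copy n untrusted bytes to dst. */
static void copy_bytes(const fault_domain *fd, unsigned char *dst,
                       const unsigned char *src, size_t n, int sandboxed) {
    for (size_t i = 0; i < n; i++) {
        unsigned char *p = dst + i;
        if (sandboxed) p = sandbox_addr(fd, p);          /* the inserted SFI check */
        *p = src[i];
    }
}

/* Overrun a 4-byte slot at the very end of the domain with 8 constructed bytes.
 * Returns bit 0 set if the byte just past the domain survived, and bit 1 set if the
 * overflowing bytes were wrapped to the domain's start instead of escaping it. */
int run_overrun(int sandboxed) {
    fault_domain fd;
    if (!fd_init(&fd)) return -1;
    unsigned char *neighbour = fd.base + DOMAIN_SIZE;   /* trusted memory outside the domain */
    *neighbour = 0x5A;                                  /* sentinel, constructed for the demo */
    unsigned char input[8];
    memset(input, 0xFF, sizeof input);
    copy_bytes(&fd, fd.base + DOMAIN_SIZE - 4, input, sizeof input, sandboxed);
    int result = 0;
    if (*neighbour == 0x5A) result |= 1;
    if (fd.base[0] == 0xFF && fd.base[3] == 0xFF) result |= 2;
    free(fd.raw);
    return result;
}

int main(void) {
    printf("unchecked stores: %d, sandboxed stores: %d\n", run_overrun(0), run_overrun(1));
    return 0;
}
```

The overflow is still a bug under SFI, but its effect is confined to the untrusted module's own domain rather than reaching trusted memory such as return addresses; a real SFI compiler also masks indirect jumps so the confined code cannot branch out of its domain either.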