Security Community Reacts to Microsoft Announcement
A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Craig Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
MS is NOT a security-driven development environment.
;)
This kills me every time I read it, almost as much as the Linux sales memo. Can you see all the MS developers huddling around saying "OK, we're going to tighten the security up here"... HA, they obviously didn't have a clue on the security side of things to begin with, the MS project managers preaching security over all. This is the blind leading the blind and the deaf.
It's great for marketing, well, that is if it doesn't backfire; if their stuff doesn't get a whole lot tighter a whole lot quicker it's going to make them look yet worse. They (MS) act as if security didn't need to be a main goal. Shit, the Govt has judges ordering other govt websites down because of inadequate security on MS servers (Dept Interior?)
MS is going to push now, more than ever, to limit disclosure; through this they can APPEAR to be accomplishing their lofty goal set by BG.
This should be a funny story to watch; as they say, it ain't over till the fat lady sings.
GOTT MIT LINUX
Sig went tro...aahemmm.....fishing........
Ok, I think we can all agree that M$ has been making life hard on Linux advocates. First off they come out with Windows 2000 which doesn't crash and then they follow it up with Windows XP which also doesn't crash.
Of course, this hasn't stopped us from complaining about Windows stability (a true zealot is never deterred by facts), but it has made us look a bit ridiculous.
So what happens when Windows becomes secure (assuming this happens)? It'll be a sad day for Linux advocates everywhere is what will happen. Windows will then join VMS, OSX and FreeBSD in being basically superior to Linux. Thank god for BeOS going extinct, because, as a Linux advocate I just don't think I could bear that.
Anyway, Micro$haft (he he, aren't I original), please don't make a secure product. Please, I'm begging you.
Your former employee,
--Shoeboy
oxymoron: (def) A two-word phrase in which the meaning of the first word contradicts the meaning of the second word.
Usually, Bruce Schneier writes good stuff, and I enjoy reading it. This time, though, the piece is riddled with misinformation and poor advice. I'm surprised.
SOAP isn't just a Microsoft protocol, for one, but the main problem with that paragraph is that SOAP was not designed to elude firewalls, any more than RPC was. SOAP is just an RPC mechanism that happens to flow over HTTP, mostly because Dave Winer only knows one protocol -- HTTP. Mr. Winer didn't try to evade protocols, he just couldn't conceive of creating a different protocol for this application -- an error of omission, not commission.
In terms of file and media distribution, the functions of an HTTP server, FTP server and gopher server are very similar, so there's actually some sense in bundling the three together (and MS isn't the only group to do this). The security problems come when dynamic execution is added to the mix in HTTP. Messrs. Schneier and Shostack desperately want to undo this, but they don't have the right answer -- the problem isn't stocking the three protocols together; it's that the Internet gave us three ways to do the same thing. To really address the security issue here, we should probably go back and redo the protocols so that dynamic content and media content flow over separate protocols, but there's no chance of this happening -- HTTP didn't kill FTP, and even gopher is making a mild comeback, so we're stuck with this mess for a long time.
There's some good advice regarding security in that article, but the authors' notions of product design are off-target, and contrary to the direction a lot of folks (even those beyond MS) are taking.
Their products are so bloated with useless features that no one sees a reason to upgrade what they have
Whoa there horsie, way to slip in a lame dig at Microsoft there! I think what you meant to say was 'Because their software contains all the features their users need, they see no reason to upgrade'. Having extra useless features is not going to discourage anyone from upgrading. This makes you a biased idiot, but way to karma-whore.
FROM M$:
In order to secure your PC while having a Microsoft product installed, unplug the power cord from the wall AC outlet.
My other car is a motorcycle!
M$ now offers COMPLETE security and stability for all their products - simply shut down your system, unplug all cables, disconnect your modem/dsl from the wall and instantly be amazed at how there's no more CRASHES or HACKS in this totally secure and stable environment!
Warning: stability and security may be compromised if machine is operable.
Ave Molech Setting
"So now, when we face a choice between adding features and resolving security issues, we need to choose security." -Gates memo.
I.E. we can't think of anything new to cram into windows that anybody would actually WANT (and it's getting harder to copy stuff since all our remaining competition is a Unix variant and can address things like latency that we'd have to throw windows out and start over to address) so we're going to stop doing new things and put a happy face on it. Heck, you're all going to a rental model anyway, we don't HAVE to do new stuff anymore. You'll keep paying us anyway or your desktop will stop working.
Rob