Slashdot Mirror
Security Community Reacts to Microsoft Announcement
A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Crag Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
Let's wait and see, announcement are just words, let's see how they will react when there's going to be another big security hole (because there always are going to be, and that on just about any platforms, but especially with Microsoft), if they've really changed philosophy, they will react more quickly (as in programmer-wise and not PR-marketting-wise), and not handle this as a press release taking their customers for complete idiots and reacting immaturely blaming people that finds the bugs as "terrorists".
And anyways, for those of us that are on some security mailing lists like NTbugtraq, we'll see how the people got their discovery handled by Microsoft, if they change for real, maybe we won't read as many "We notified microsoft 3 weeks ago about this matter and nothing was done, now it's time to bring it public" and then having the Microsoft PR and legal team on their back.
I think they are starting to feel the heat of people that are really not satisfied and claiming that buisness damage due to insecure OS should be fined to the creator of the OS, especially when they claim it's secure. Heh.. good thing.
--- Metamoderating abusive downgraders since my 300th post.
I would look for MS to make at least two major acquisitions in order to shore up their security offerings - they have used acquisitions in the past to shore up problem areas.
Of course the caveat is that they are not so much concerned with security as an intrinsic value but in the selling of security, and there is an important distinction here. As with any growing software market, you can't underestiamte Microsoft's efforts, and I think it is largely naive for the readership here to snicker and write off MS in this regard.
Well, duh!
It's the timing that gets me. They made the announcement shortly after a major OS release. So whenever somebody points out a bug in existing software (XP or earlier), they can shrug and say "That was the old Microsoft, the new Microsoft no longer makes those mistakes."
And since it'll be sometime before they release another highly-vulnerable product, nobody will be able to contradict them.
I once heard a story about the Denny's restaurant chain. I'm not sure if it's true but the moral is. The story goes like this.
Apparently, Denny's had intended to be a 24x365 operation, never closing its doors. Therefore, when they built the restaurants, they didn't bother putting locks on the doors.
One year, they decided to give their employees Christmas day off. In order to close the restaurants, they needed to be able to lock the doors. Therefore, they had locksmiths go out to all of the stores and install locks.
Now, instead of having spent about $10 per door when the store was built to have locks installed, they needed to send locksmiths to all of the stores and pay them for a couple of hours work resulting in a cost of a few hundred thousand dollars to give their employees a day off.
The moral: It's a lot easier to design security into a system in the first place than to try to add it on later.
Microsoft has their work cut out for them.
Step 1: Embrace some technology.
Step 2: Extend it in proprietary ways, locking the users in to Microsoft.
How long before we hear,
How long before the security protocols used are known only to Microsoft (for security reasons, naturally)?Three months—at the most!
Are you saying they *shouldn't* be doing what they want to do? Should they do what you want them to do?
If he's a Microsoft customer, yes.
Microsoft is very unusual in the sense that it doesn't follow the adage that the customer is always right. If any normal (read -- business that doesn't have a monopoly and can rest on the fact that >95% of the home users and >40% of businesses will buy their products because they see no alternative) business employed Microsoft's attitude, they'd soon be out of business.
Say you went down to your local grocery store to buy some Extra-Triple Fudge Fatty Ice Cream and they said "no, we're only going to let you buy plain Neopolitian -- and by the way, we're going to be changing the policy here, if you want ice cream, you'll take it whenever we want to sell it to you and we'll be instituting annual billing for 52 Gallons of ice cream a year. Oh, and if you want to give your kids some, you'll have to buy extra containers for them, only one user per container. Oh, and our profit margins are below what our shareholders are used to, so we'll be raising the price every few months and thinking of new ways to require that you only buy Microsoft Ice Cream."
How long would you remain a customer? In effect, this is what M$ is doing and as a customer you can't do a damn thing about it as long as you continue using Windows.
It isn't normal for the majority of a businesses customers to hate the product that make, but have to accept it anyway.
Security and stability are things that Microsoft's customers have been screaming for for years, so yes -- they should be doing it whether it's something that they want to do or not.
Unfortunately, the main focus of their development has been to add features that lock people into the Microsoft platform.
Security is only becoming a focus now because the biggest potential Microsoft lock-ins won't be adopted unless Microsoft can convince the public that they are secure. I don't think this is a genuine effort, except on the part of the PR department -- it's a sincere effort to convince everyone that they're going to be more secure, but I don't believe that it's going to happen -- well, they may become *more* secure, but that won't take much.
That is, to put it politely, complete bunk.
Microsoft's biggest problem is not buffer overflows. You don't need to sneak a virus through the basement window when you can drive it in through the front door, waving merrily as you go. Many of Microsoft's biggest security problems have been with viruses that simply take advantage of what they're explicitly allowed to do. Most Outlook viruses don't exploit low-level coding errors, they exploit the high-level error of allowing arbitrary foreign executables free access to the system. Ditto with Office macro viruses. I wouldn't call that solid coding. Solid coding means preparing for the eventuality that your users are naive and making it as hard as possible for them to shoot themselves (or their neighbours, in the case of Melissa, et. al.) in the foot.
I'm not saying that Sun or IBM are any better, but saying that Microsoft writes solid code is absolutely ludicrous.
The problem is that an alarmingly large number of people cannot distinguish between the following:
What has happened to the software industry in general is exactly what has happened to the American political process. If you make promises and then cash the check, it doesn't really matter if you deliver. The reason is that people are gullible.
So you think, "gosh, wouldn't it be great if they've finally decided to do it right." But they haven't done it; they've just said that they are going to do it. Any support for mere words on the hope that it might come to pass will remove any incentive for actually doing it.
Most people get off so much on the hope and the promises that they don't realize how they're encouraging integrity-challenged behavior with their actions. It takes a real cynical bastard not to get caught up in this, and then we get told, "Oh, you Microsoft Bad Religious Types."
This one kills me. From Craig Mundie:
"Many people today are still reluctant to trust computers with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to them"
Every time you fly on a plane your life is in the 'hands' of computers. Every time someone gets an x-ray or a CT scan or any one of many now normal medical procedures you are entrusting your life and health to computers. Most (if not all) medical and financial records are entrusted to computers.
We do it everyday and the reason we do it is because these devices are designed and built by companies that have earned our trust by building quality products to very strict specifications for safety. These companies have good track records of safety and if they have problems then they are reported.
What Mr. Mundie should have said is:
"Many people today are still reluctant to trust Microsoft with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to Microsoft."
--
-- Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.