Slashdot Mirror


Security Community Reacts to Microsoft Announcement

A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Craig Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.

7 of 471 comments

  1. Wow! by returnofthe_spork · · Score: 0, Offtopic

    How very fascinating!

  2. Re:I'll believe it - heh by jgerman · · Score: 0, Offtopic

    Obligatory Simpsons quote:
    "You're charming the pants off of me"
    "What did you say, Aunt Selma?"
    "I said take those damn glasses off!"

    --
    I'm the big fish in the big pond bitch.
  3. But it's not just about security by All+Dead+Homiez · · Score: 1, Offtopic
    Linux has much, much more to offer users than superior security to Windows. Having switched my desktop machine over to Linux several months ago, here are the differences I noticed the most:
    • Speed. Linux does more with less. On my Athlon XP 1500+, Windows XP lags noticeably on many operations, but there are virtually zero delays using Linux.
    • Usability. I'll take open source desktop tools any day over the Windows equivalent. The GNOME desktop is better than that of Windows, BeOS, KDE, and NeXT combined. It is designed by people who actually know what the users need from a desktop, rather than people intent on writing a desktop that integrates Passport and spyware into every single applet.
    • Web browsing. Mozilla 0.9.7 is so compatible, reliable, and quick that I have uninstalled IE on all of my 80 Windows clients' machines and replaced it with Mozilla. The users loved the tabbed browsing and have probably never even looked back.
    • Accessibility. Linux supports such accessibility features as sticky modifier keys, text to speech support (even for images, using OCR), and many other things that make life easier for users with disabilities. Windows has limited support, at best, for these things.
    • Standardization. Linux supports all of the latest standards that Microsoft flouts. It supports open document formats, open web page formats, and many other encodings that are not patented or non-free. Truly Linux sets the bar for other OSes to live up to.
    Given these many reasons, it is hard to imagine that Windows will be able to offer more to the desktop user than Windows anytime soon.

    -all dead homiez

  4. Re:Windows needs a clean break by perky · · Score: 2, Offtopic

    I can think of another OS that has a lot of legacy gubbins in it. In fact it's based on a design that's been around far longer than windows.
    I'll give you a clue: it begins with the letter L. ;)

    --
    "The new wave is not value-added; it's garbage-subtracted" - Esther Dyson, Dec 1994
  5. [OT] Re:It seems to me by fader · · Score: 1, Offtopic

    I'll probably be modded down as troll or flamebait, but then it just shows the /. mentality.

    If I had modpoints, I would definitely mod you down. Not because of the article you link to (in fact, I'd mod that +1 informative otherwise) but because of the perfect example of /. mentality: pretending that you're some poor put-upon soul preaching the truth while everyone else around you refuses to listen to reason.

    For every one '-1 Troll' mod that a genuinely informative or interesting pro-Microsoft piece gets, it generally gets +3 or 4 from the 99% of moderators who aren't out just to get you. You're really not being hunted down because you like MS... it's not worth our time. Pretending to be some sort of karma martyr is getting fscking old.

    --
    - fader
  6. Setting an impossible task by iangoldby · · Score: 0, Offtopic

    Schneier and Shostack are trying to pull one of the oldest tricks in the book. They agree with and welcome Microsoft's new intentions. Then they set out what they think Microsoft will need to do to put it into practice. The trouble is, the very things they list as the first vital steps are exactly the things that are most abhorrent to Microsoft. If Microsoft are going to change anything, these are the last things they would ever consider.

    It may be that Schneier and Shostack are trying to pull a very old trick, but they are also very right.

    Consider:

    • Data/Control Path Separation. Would Microsoft really remove macro functionality from Outlook Express? And completely U-turn on integration of the internet with the desktop?
    • Default Configurations. (This involved separate tools for separate tasks rather than monolithic applications.) Such a move would force Microsoft to accept that IE should not have been bundled with Windows, that users should be able to choose a 3rd party spell-checker for Word... If you can perform powerful operations by stringing together a series of small tools that do a single task very well, you can get those tools from wherever you like. That's bad news for Microsoft because they lose control.
    • Separation of Protocols and Products. Again, this strikes at the very heart of Microsoft's monopoly position, allowing a mix-and-match approach.
    • Advance Publication of Protocols and Designs. This would give competitors the ability to beat Microsoft to the market place by taking a protocol that Microsoft has published and writing their own implementation. Again, a strike right at the heart of Microsoft's monopoly.

    Amusingly, in these recommendations, which are anathema to Microsoft, Schneier and Shostack seem to have rather neatly told us what Linux looks like. (I particularly liked the bit about scrapping the monolithic Registry...)

  7. Re:Schneier co-writes a bad column! by Zeinfeld · · Score: 1, Offtopic
    So, I should just let all the spammers, script kiddies and hackers (not crackers; I mean HACKERS) just break into my computer whenever they wanted. Do you understand ANYTHING about security?

    Actually selling firewalls is a large part of my business. The point you don't understand is that people often buy firewalls as a substitute for security rather than a means of security. They want to tell their auditors they are secure, they don't actually want security.

    There is very little point in buying a $100K firewall installation from me if you don't make sure there are no backdoors into your network. A gateway is no use at all without a fence. But the number of clients who fail to check their telephone networks for unauthorized dial up modems is large. Also depressing is the number of customers we go into where an expensive firewall has been installed but is configured insecurely. It is not unknown to find all ports open in both directions.

    These days I try to get customers to buy a VPN with a firewall so that they can provide a controlled means of accessing the network from outside. The official rationale is that companies can save big by decommissioning their unreliable internal modem pools and switch to using a VPN and a national ISP with lots of POPs so the company doesn't have to pay long distance telephone charges. While the numbers add up, the real reason that the companies buy them is so that the CEO can read his company email over his cable modem.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/