Microsoft: Trust and Antitrust
Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpass everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about the behavior of Microsoft, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.
Let the two keep it up and they might just sue each other into financial ruin and kill two birds with one stone. :-)
My $0.02 will always be worth more than your €0.02, so
For those Francophones / Germanophones amongst us, tonight ARTE (TV channel available on terrestrial and digital satellite) has a programme "Life after Microsoft" which should make interesting viewing. Around 20:45 CET, I believe.
Conversion Rate Optimisation French / English consultant
SBC: Mommy Microsoft is being bad
MS: No I'm not he is
Mommy (U.S. Government): You're both being bad, now go to your rooms.
Maybe they've seen all the security flaws and bugfixes required, but I hardly think even with all of Microsoft's power, they could not outstrip the entire OSS community in just two months.
There's still a lot more manpower in OSS. It's just more fractious.
If I weren't nailed to the penis, I'd be pushing up the daisies!
Love many, trust a few, do harm to none.
No comment needed.
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.
So... rather than teach them how to properly develop, test and peer review software loads, they're just going to brainwash them into good little Micro$oft monkeys. Bleh.
If these are the same coders who made the mistakes the first time... why should I believe they all suddenly became security experts in under 3 months?
'No, I _knew_ about buffer overflows, I just was too lazy to type the extra lines.' Come on...
It's a good thing MS is starting to do trustworthy computing, since what they've been doing up to this point has clearly been anti-trustworthy computing
Does anyone else see an analogy between the Church of Scientology and Microsoft? Both invent their own imaginary worlds, and live in them. Funny.
Windows XP SP1 will include some changes that will allow component removal for things such as Windows Messenger, IE, and Windows Media Player. Now, why someone would want to remove IE and Windows Media Player is beyond me. Also, don't forget all those programs that rely on the Web control and need IE to function.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Hah hah hah!! What an idiot.
Mr. Spey
Cover your butt. Bernard is watching.
The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services are necessary to secure a Windows box, and to reducing the bad PR that Microsoft receives every time a new vulnerability is discovered.
Or shouldn't be. It's like plants, see. If your crop has all the same genes, it'll be sensitive to one disease and fail. If you have diversity, some genes make it through.
http://www.wehadthewayout.com/
I'm sure it didn't take them two weeks to steal the BSD networking stack.
Now its going to take them two decades to figure out the mess they made.
If my employer ever publicly said anything like that, I'd run for the exits.
Wonder if the chants are part of the brainwashing process.
Developers, developers, developers, developers.
Developers, developers, developers, developers.
Developers, developers, developers, developers.
Love many, trust a few, do harm to none.
Apparently you are wrong, Steve wouldn't lie.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
>>Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Maybe the OSS community hasn't done so much work in code review because they don't have to? Maybe they thought that a few less features would pay off in code structured for stability and security from the get-go.
And just because you've done a whopping two months of code review doesn't mean you caught everything.
"fears of crackers and e-commerce fraud" -- That's pretty funny!
and
"Don't panic -- upgrade!" -- To what?
*SRU
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
"... or even needed to."
It's all 0s and 1s. Or it's not.
two months of code reviews and half-day seminars surpasses everything ever done by the open source community
Yeah, and what was the final bill? Imagine how much work the OSS community might have gotten done for that price.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
So what if they're being self-serving? If everyone is being self-serving by dissing microsoft, it's obvious that microsoft is not adequately serving anyone.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How often has the community found it necessary to do a complete security review of any package, years after the fact?
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
So... the security assurance process is directed by someone who is very easily astonished? This does not raise my trust in Microsoft's security :-)
Quoting Michael Howard, the security expert who designed the course for Microsoft:
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed."
I was astonished that he can make such bold claims. I have always thought that geeks have a mindset all of our own, and not one to be brainwashed easily. But then I found this quote:
"Microsoft has always had a crisis-driven mentality," said Mr. Howard, the security expert. "You have my word: we will lead the industry in delivering secure software."
And I couldn't help but laugh my ass off.....
Blah Blah Blah.
Vintage computer games and RPG books available. Email me if you're interested.
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Giggle. Snort. Tee-hee. ha. Ha. HAHAHAHAHAHAHAHA^999
Sorry about that. They actually think they've made up for years of ignorance in two months? They must have had at least 500,000 programmers doing security code reviews.
This sentence no verb.
Yes, I have karma to burn because like your FAQ says, it's useless. And yes, I just finished moderating up a bunch of posts containing off-topic Katz bashes to his ultra-redundant and buzzword filled rant today. Haha!
Thanks for your attention. If you're looking to hire an editor, let me know and I'll get in touch.
Of all of the groups in the US, I can think of few that are more evil than the Southern Baptist Convention. Boycotting Disney because they refuse to ban gay people from their theme parks is just odious. And somehow these people have never figured out that that whole slavery thing from the 1800s was wrong. People do not own other people, regardless of their skin color.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.
Lipner also reacted with astonishment when he was told that professional wrestling matches are fixed.
several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player.
I thought they were the default security player. Don't the vast majority of hackers break into MS boxes already?
I stole this Sig
I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.
In fact, if I recall right, the author of the book "The Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.
So the question is how much of the work at MS falls into that category.
"It is a greater offense to steal men's labor, than their clothes"
KingPrad
Stop the Slashdot Effect! Don't read the articles!
Ok, I'm a student at a good university.
Looking at this -
dozen half-day training sessions for its programmers, about 1,000 at a time.
And I fail to see how you can teach. It's hard as hell to learn in a lecture hall of 300, but 1000? That's insane.
Not only that, but for a half day? C'mon, Americans have an attention span of what? 15 sec? If that? (Don't anyone take insult... :))
How do they expect coders to pay attention to a small figure in front for a full 6 hours... 1.5 hours is hard as it is for a normal college lecture.
This
From the article:
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed."
-- Michael Howard, the Microsoft security expert who prepared the training material for the company's security retraining and led the security classes.
At least they acknowledge what their training tactics are.
Just remember this if you ever consider working for Microsoft.
Microsoft.com Running on Linux
Wired News reported today that Microsoft has outsourced their DNS to Akamai, and microsoft.com is now being served by name servers with a "networking implementation very similar to that of Linux". Akamai Technologies is a well-known Linux shop, but let's see.
If MS is stopping development work then why haven't there been any announcements informing the world that new versions will be delayed?
Oh yeah, baby.
Fuck you.
MS obtained the BSD networking stack legally & ethically. Unlike some other company/OS *ahem* *Red Hat* *ahem* *Linux*
It's called a business strategy. If their product worked flawlessly and was bug free, fewer people would upgrade. Many of us were relieved to upgrade to 2000 from NT4. It was more stable, robust, and didn't require a lot of registry hacks. It didn't offer a slew of new features, just re-enforced old features. The idea that they don't know where every single bug is, is ridiculous.
Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???
Keep in mind that Red Hat Linux has released several versions where the default installation settings had practically everything turned on. This is not a windows-only problem.
Personally, I think both sides have code review procedures which are legitimate. MS is bragging because the open source community can't match what it did within its own procedure. It would be like waterfall method people bragging that they got a product out the door in fewer milestones than an extreme team did. An answer to this is, "Ok, good for you, but saying you are better than me is a non sequitur."
It's a complete waste of time listening to these liars. That is all they are. Liars, deceivers, and power-hungry control freaks that wish to see any sense of community destroyed in order to protect their monopoly and cash flow.
It would be a much wiser thing for us to do instead to focus on implementing our own open, Free, and standardized technologies that present solutions in the best interest of the community. This is the issue, and, whether we realize it or not, this is the war. We either leave these things to them and be controlled by them, or implement these solutions ourselves and protect our liberties.
Simple as that.
It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.
They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.
Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.
Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?
"The Microsoft Corporation suggested in court today that SBC Communications was seeking tough antitrust restrictions against it to cripple its ability to compete in the telecommunications market."
Isn't the point of this whole trial that Microsoft used its monopoly power to act in illegal ways? Such as forcing itself into new markets by threatening/bullying competitors?
"Mr. Webb asserted that SBC did not portray Microsoft as a competitive threat until after it broke off talks with Microsoft in July for a partnership to develop seven products, including Internet voice mail."
And if your company had just broken off talks with a proven monopoly, convicted of using its position illegally, wouldn't you start calling it a "competitive threat"?
Don't the state AG's understand this? Microsoft was convicted of playing dirty. People are now testifying that they're scared of MS, given the federal settlement. And MS is responding, "that's only because you didn't partner with us"?
Hello?!?
Solution to blink tags: wrap them in another blink tag, with a javascript delay loop, so they cancel each other out
HAHAHAHAHAHAHAHA!
Stick the guy who was quoted in the article in a room with Theo De Raadt (sp?? sorry Theo) of OpenBSD fame.
:D
Then tape the hilarity that ensues, we could have a new weakest link on our hands.
I know I'll get modded down for this, but you only live once.
Huh. That's exactly what they did at OpenBSD -- they stopped and reviewed all the code (am I wrong? isn't that what they did?). MS can stuff themselves with this self-serving deception. My favorite is the line where they pretend that "easy to use means easy to hack". What a load! That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach. Ease of use and security are entirely orthogonal. Microsoft will say *anything* to get you to ignore problems they've helped create.
I do not have a signature
This Salon article asks if people would trust Microsoft enough to allow their programming to fly planes or spaceships. Of course, a plane running on windows 3.1 or win98 would be scary indeed... but even a bloated NT/XP or *nix installation would make anybody nervous.
... but what about a DOS box?
... what about a stripped down *nix box?
It seems to me (a windows user) that the power of the *nix systems is the ability to strip it down to the bare essentials... to remove variables that could cause problems. DOS also kinda had the feel to me.
I wonder if we all would trust microsoft stuff more if we as users could completely remove the nonessential parts... and slowly build as we needed. Everybody knows it's impossible to debug in multiple dimensions...
Until that time... nobody would fly in one of those planes... due to the constant worrying if the movie that they are watching will suddenly change into the "blue screen of death."
Anyway... be gentle... my karma is so fragile...
Davak
Of course, what the PR people say is rarely what's really happening, so I'll chalk it up to lamer marketing guy writing out of his butt.
Nobody notices that there are two ways to be ;)
"not as many"
Dadada dada
the Leader,leader, Leader.
I Love the leader.
The Kruger Dunning explains most posts on
Username: dotslash2002 Password: dotslash2002 (had to, no one posted on yet, had to go through the trouble of getting another account registered...)
First of all, history shows us that once MS sets a goal for itself, it WILL deliver (maybe not in the time frame they first promise, but close). The company learns from its mistakes and catches up with the rest of the world REAL fast. I can't believe that they have ignored security for so long, but maybe their ego just wouldn't accept the fact that their software was so bad with security.
While we have brainwashed ourselves into believing that the OSS movement is the best way to produce secure software, this isn't always the case. If you have a good software development and review process in place (and a large enough peer review group) a closed source shop can do a good job.
OSS's advantage is that once the software is out in the real world problems can be spotted and fixed quickly, IF there are enough interested programmer-users looking at the code. The problem is that all too many programmer-users are more interested in adding features than fixing security holes.
In Microsoft's case, once they release something and a problem surfaces, they have to find the fix themselves, test it, review it, and finally package it as a service pack some six months after the problem first surfaces. If they can streamline generating fixes for bad security leak problems in their products, maybe they will make some real believers in their intent. They better realize they WON'T get it right the first time and need to plan on getting patches out to the field FAST when a hole opens up. We'll see.........
Now the real question is whether the open-source community has in total done as many man-years of feature bloating as Microsoft has done since ... since ... since forever? :)
-- Kircle
I wish I had mod points. Up up up! The open source community is no better if no one actually does the reviews...
Thanks.
--RJ
Now for Microsoft: if they have spent two months, 40 hours/week, MS would need to have 2,946 employees working solely on this project.
note: the numbers here were drawn solely from my fevered mind (except for the 408 developers, a grep | wc in the CREDITS file did that).
REDMOND, Wash., April 4 - On this sprawling corporate campus that is the heartland of personal computing, 9,000 elite Microsoft employees have gone back to school.
Stung by a chorus of critics who said that its software code was increasingly buggy and vulnerable to attack, Microsoft began sending its programmers to a special course in writing secure software. And it ordered them to stop creating new programs until they had painstakingly re-examined the millions of lines of Windows operating system software for potential vulnerabilities.
Two months later, Microsoft is still re-examining its code and its attitudes toward software development.
The shift in focus began early in February, when the company held a dozen half-day training sessions for its programmers, about 1,000 at a time.
Members of the select group initially showed some resistance to the process, but in the end the experience of seeing offending snippets of code on a giant screen in a large auditorium proved humbling, said Michael Howard, the Microsoft security expert who prepared the training material for the company's security retraining and led the security classes.
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.
The enforced period of corporate self-reflection was initially supposed to last through February. But it has stretched through a second month and is only now nearing completion.
The company insists that its campaign to create a more trustworthy computing system will not really end but instead will continue as a deep shift in attitude that Microsoft hopes will permeate the work practices of its programming corps.
In a memo in January, Bill Gates, the chairman and co-founder, instructed Microsoft to shift its top priority from adding new features to ensuring that software is secure. Executives said that the memo was the most significant strategy paper from Mr. Gates since one in December 1995, "Internet Tidal Wave."
Some of Microsoft's rivals and some independent security experts have greeted the shift in strategy with skepticism.
"I think that the reason that people are upset with them is the perception that Microsoft will always choose the extra feature, begging the issue of whether that feature is actually of high value to the user and damning the security impact it might represent to all users," said Rebecca Bace, president of Infidel, a security consulting practice.
Microsoft insists that such thinking represented the old Microsoft. In interviews, several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player.
"Microsoft has always had a crisis-driven mentality," said Mr. Howard, the security expert. "You have my word: we will lead the industry in delivering secure software."
It will not be an easy challenge to meet, industry executives said. Microsoft has come to dominate the computer industry in part by rapidly adding a seemingly unending stream of new features to its products. To deliver on its intent, it will have to consider more carefully the trade-offs between new features and security.
Facing the security challenge also conflicts directly with the "easy to use" goals that have until now been the mantra of personal computer software designers. Easy to use frequently also means easy to hack, Microsoft's programmers acknowledged.
Moreover, in its effort to dominate the Internet of the future, Microsoft is about to propel itself into a fundamental new and more complex computing era, which it calls .Net. The new computing generation will be defined by the ability to build programs that span tens or even hundreds of computers linked together by the Internet. Such a distributed computing design will present complex new security challenges that have largely not been conquered by the computer security world.
It was the onset of the brave new world of distributed computing that drove Microsoft to the drastic measures it took in stopping the writing of new programs while it reviewed its existing software.
Its software security leaders, including Mr. Howard and Doug Bayer, the director of the Windows Security Group, say that Microsoft was forced to re-evaluate its security position in a fundamental way after its software was struck last year by two malicious computer worms, named Code Red and Nimda.
Corporate customers were furious, and Microsoft realized that it must act to avoid losing confidence and business.
Mr. Bayer, who was trained as a physicist and works in a cramped office with six computers and a small statue of the cartoon character Dilbert, said that Microsoft had already been finding its way toward improving its security when the worms hit last year.
"A significant number of our customers got hit," he said. Microsoft, in a post-mortem of the attacks, discovered that highly protected corporate data centers had generally not been infected. Many corporations, however, had added "rogue servers," machines that were informally installed by corporate departments. Inexperienced computer users frequently misconfigured those machines.
"The default had been to make it easy to use," he said. "Now we realize the right thing is to make it secure right out of the box."
At the end of last year, the company began to accelerate its security push while it delayed the introduction of an important new programming tool called Visual Studio .Net so it could review the code for security problems. Not only do small teams reread the original programmers' instructions looking for flaws, but a variety of automated programs also look for security flaws that might be missed by human eyes.
Whether thousands of Microsoft's eyeballs will make a difference is a question that is hotly debated in the computer industry. Advocates of open-source software, in which the original programmers' instructions are freely distributed, have long argued that Microsoft's proprietary software secrecy is the company's Achilles' heel.
The development process at Microsoft encourages individuals under deadline pressure to make large changes in products without adequate peer review, said Roy Fielding, chief scientist at Day Software and an open-source developer. Dr. Fielding said he worried that Microsoft was examining its Windows code in mass reviews in which the participants were likely to fall asleep after looking at the first hundred lines of code.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
In those two months, MicroSoft has probably fixed more security-compromising bugs than most open source projects (except for sendmail and BIND) will ever have. MicroSoft can put far more effort behind solving the problems that they have created for themselves than the open source community could ever hope to, both in terms of solving problems and in terms of creating them.
The open source community is always taking shortcuts by not making every possible mistake and then fixing it. Who cares about results? MicroSoft can do more work than anybody else, and that's all that matters.
The Salon article begins with, "Computers helped transport people to the moon and back.."
Correct me if I'm wrong, but I seem to recall that on the Apollo 11 mission, the LEM's landing computer failed just before touchdown, forcing Armstrong and Aldrin to switch to manual control.
In other Microsoft related news, the judge is quoted as saying "I will note that Microsoft sounds a little schizophrenic,"
after "Microsoft asked Kollar-Kotelly to throw out much of Schwartz's testimony"
Not all monopolies are abusive. I have no serious objection to Intel's or Cisco's market dominance, and IMHO SBC falls into the same category.
After they took over Ameritech's operations, service and especially support improved dramatically, at least for me. I'm happy to have them here -- the best telecom company I've ever dealt with (I've done business with Ameritech, PacBell, AT&T, MCI/Worldcom, Sprint, Verizon, and some others).
Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.
Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximized their revenue, and accelerates it.
Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
How much of that work actually made it out of OpenBSD?
I may be wrong on this, but I thought OpenBSD counts as Open Source, and they're certainly doing a security audit of the source code.
Face it, with a few exceptions, the Open Source community is focused on creating a product, not on creating a secure product.
You speak as if "the Open Source community" is a cohesive and organized group. They are not. This "open Source Community" that you speak of is awfully hard to define, consisting of many different people in different countries and speaking different languages with many different opinions and different ideologies. Have you read the debates between the BSD proponents and the GPL proponents? Given how different they are, would you still group the two in this so-called "Open Source community"? Do you not realize that many of the people you may be putting in that camp take issue with the very term "open source"?
And what product is "the Open Source community" focused on creating? Fact is, these people are creating multiple different products, ranging from small applications to programming languages to full-featured office suites to entire operating systems. Some of them are highly focused on being secure. Some are not. You seem to be grouping all of them under an "unsecure" umbrella, and this is not only inaccurate, but insulting to those who do focus on security.
Its not necessarily a bad thing, but the open source community, as a whole, doesnt do much in the way of code audits.
This is a fairly arrogant statement for you to make. How would you know, anyway?
I don't make the rules. I just make fun of them.
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
I love this quote; it's _so_ MS.
Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!
Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.
The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.
This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relative to the amount of "security twiddling".
While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddenly claim that they're "the securest of the secure" when they're just entering the field.
I'm surprised they'd admit that so openly. Maybe they're serious about this trust thing, after all.
... when Microsoft steered their ship to embrace, extend, and extinguish the Internet, it was a "point adjustment" compatible with their general direction and operating methods. Deciding to quit adding features and ensure security *IS* contrary to their general direction and operating methods. Microsoft has risen fast on gone far based on moving faster than their mistakes, on making quality job 1.1, on getting something out their for sale, and then selling the fixes to the bugs.
Getting the bugs out and making the software secure prior to first sale means that they can't run as fast, getting out ahead of competitors the way they used to. It also deprives them of the point-fix revenue stream.
Maybe now that they're a genuine, legal monopoly they can afford to change business models. That's part of the point of .net, after all. Most significant, it changes the ongoing revenue model from point-fix sales to simply ongoing revenue (presumably services).
This turn will simply be harder than the Internet course correction.
The living have better things to do than to continue hating the dead.
Derkec gushed:
True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."
No, False. You (and MicroSoft) are completely ignoring Open Source projects that only audit code... i.e. the Kernel Janitors:
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
total MS security man-years = ((9000 employees * (2 months * 120 work-hours/month)) - (9000 employees * 4 hours "security re-training")) / 1440 work-hours/year = 1475.
I'm wondering whether Microsoft is ideally placed to take advantage of this .... If Open Source software is intertwined with free transfer of intellectual property, then it seems like the media companies will almost be driven to Microsoft by default.
Is it any wonder that M$ Security sucks when the team consists of 7 people looking at a laptop pointing at it like idiots? (In reference to the picture supplied for the article).
Maybe someone should use that picture for a caption contest.
When is this story gonna end? I think most of us are sick and tired of these Microsoft stories, what kind of country lets this linger for so long, end it right now, split the company, make 'em pay a trillion bucks, make Windows public domain, prohibit IE...
The open-source community has not in total done as many man-years of computer security code reviews as Microsoft. The open-source community tends to consider these things before implementation, reducing the need to do a full-bore code review afterward.
Why? Because the designer added comments during writing that describes the "safety" state of everything. These types of comments make the code review process faster, because you know the assumptions of the code and can look for where those assumptions may be incorrect or incorrectly implemented.
So it's your choice: software that's been well-designed (or at least reasonably designed) from the beginning, or software that's been quickly scrubbed for errors that don't lend themselves to quick discovery.
(Although I personally believe that somewhere at Microsoft there are some people doing good up-front design work... way to go Solitaire team!)
I think their claim may be true in a literal sense, but I wonder how effective their reviewing has actually been so far? I mean in a literal sense, a man-year of work could be 700 people working until noon too, it doesn't mean they're really getting anything done. Still, I'm really glad they're making the effort.
"Prefiero morir de pie que vivir siempre arrodillado!"
Yo, Microsoft! I've been code reviewing the Linux kernel since 1994.
2 months. I'm not impressed.
-Spack
PS: For the doubters, Yggdrasil, green cover, God playing "pull my finger" with Adam on the cover.
OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)
FreeBSD has TrustedBSD which has similar aims, plus some code that would be really nice to have.
Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.
Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.
And finally, the typical way to get into open source is to start reading code, and then contribute when you can do something. One of the things you can do is find potential holes.
None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put more work into theirs, but I remember OpenBSD when it was just a better NetBSD, and not secure. By fixing problems they got secure. I've been a programmer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my experience is the first two months introduce more problems than they fix; it is only after fixing those new problems that you begin to make progress, and it takes months to get them all closed.
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he (Michael Howard) said.
Brainwashed? This coming from a Microsquash guy? I guess I'd be brainwashed too if I worked there....
EFGearman
Atomic batteries to power! Turbines to speed!
I can change I can change. I'll no longer be a sandy little butt hole. Sadam from Bigger Longer and Uncut
Sorry but it seems that MS still treats this as a PR problem....
Microsoft insists that such thinking represented the old Microsoft.
The proof's in the pudding... let's see how many more bugs come out.
Vote early. Vote often. Vote CowboyNeal.
There's still a lot more potential manpower in OSS. As has been proven in several big OSS projects, like Mozilla for one, just because there are tens of thousands of people who can work on a project, it doesn't mean there will be tens of thousands of people who do work on a project.
resignation and postmortem.
The truth is that, by virtue of the fact that the contributors to the Mozilla project included about a hundred full-time Netscape developers, and about thirty part-time outsiders, the project still belonged wholly to Netscape -- because only those who write the code truly control the project.
"A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community"
That would be true if they(OSS) treated security as an after thought...
Secure Microsoft code - great, why not?
Insecure Open Source code - sure, has happened and is bound to happen again.
But the point is: is the development cycle going to be in favour of all of us - or is it only in favor of the market position Microsoft is defending?
Trustworthiness is more than just secured code. Trust has to do with knowledge about the thing or person trusted in - it is a function of knowledge. And trust in a person or company is directly related to my vision about the intentions of that person/company.
Bill Gates has not changed, Microsoft is still wanting to dominate the world-market. Only this time with 'trustworthiness'. Hahaha Hohohoho!
I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.
I wonder what Theo has to say about that!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Microsoft most likely is doing code reviews OF FUTURE PRODUCTS, I.E. .NET, .NET Server, Windows XP, Office NGO, etc.
You want security? Fine, buy our subscription products.
InThane
From Salon: "Would you trust your life to Microsoft?"
I predict we're going to see a whole new category of Darwin awards.
Have you tried turning it off and on again?
How can MS boast that they have reviewed their entire code base in 2 months yet claim that releasing the Windows code for review would be futile because the code is just too complex to understand without years of study?
"As God is my witness, I thought turkeys could fly." A. Carlson
or implement these solutions ourselves and protect our liberties
For as long as it's legal to do so.
End of lesson. You may press the button.
Glad to see that Microsoft is finally trying to take some responsibility for their bugs. But if they've spent two months fixing bugs, why haven't we seen all these bugfixes getting released? I wonder what exactly they have spent all that time in those meetings doing?
"DENIAL"-How an optimist keeps from becoming a pessimist- \ \
Thanks for correcting me guys. This is why I like slashdot. I can contribute an idea and learn more about things because ppl shoot down my idea. Please mod some of the people correcting me up as informative.
"User convenience" vs security is a classic trade off in engineering and it has long been considered a classic trade off in programming. While "ease of use" and "user convenience" are not identical there is enough of "ease of use" in "user convenience" that I have to question one of the following:
your use of the word orthogonal especially as modified by entirely,
your knowledge of programming,
your knowledge of security
Just because you can't trust anything that Microsoft says, does not mean that _everything_ they say is false. They do attempt to contaminate their bulls**t with a few grains of truth.
Also, he is ignoring Open Source projects that start out to be secure code in the first place, i.e. qmail, djbdns... The thing about open source is we have a choice. More than likely Windows users don't.
Yeah, we all know how clean and nice the linux kernel is. Seriously, what the fuck kind of statement is "I have the sneaking suspicion that if I ever saw their code, I'd never again use a MS product."? What it ultimately comes down to is that fact that Microsoft's products do a lot more for me than any other company/movement, rendering whether the code is 'bad' or not irrelevant. What I use works fine, and that's what matters.
Also, judging from your statement, I doubt you'd know bad code anyway.
I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.
...are those who impress people by pretending that they're Linux gurus because they know a little perl and read a C book once. People who actually get things done are generally not people like this, but rather people like the software engineers at microsoft (who are, in all honesty, pretty much the best in the world).
Members of the select group initially showed some resistance to the process, but in the end the experience of seeing offending snippets of code on a giant screen in a large auditorium proved humbling,...
Anyone see a parallel to Clockwork Orange?
"It was penguin lust...at its worst." --someone
Think about what you said for a second...then realize that it makes no sense whatsoever. Thank you.
It seems they're out to generate more propaganda than anything else. And maybe it's working.
I mean Microsoft has a rather striking history of being in the absolute gutter as far as security goes. And then all the sudden they bring out this dog and pony show and you discard your lessons from the past and without any results or evidence in hand, you stand up and say "Microsoft has a legitimate code review process"
Your statements have no foundation in reality. None.
"There should be five giant strong architectures out there that can emulate each other," he says. "The classic way you do risk management is you limit the amount of damage one person can do because he can't cross boundaries."
Make it five times as likely that one-fifth of all computers will be compromised? I don't see the advantage.
The shareholder is always right.
Well, what else could he have meant?
More users will upgrade their OS and apps for the "Gee Whiz" features of the new release than for bug fixes. Only the nerds like us get excited about actual functional improvements.
Microsoft is in a doubly beneficial position with respect to the security initiative...
First, (as shown above) they can try to spin this whole thing into bonus marketing for current and future products.
Second, if they actually do make a dent in their codebase now by patching flaws and improving the design process, that can leave them in a better position to manage new products and ventures that are based on the same technology.
If they are able to play this off right, they can end up turning the cost and effort of vetting their code into instant advertising, and possibly end up with a better platform on which to throw in all the other bells and whistles that really make their products saleable to Joe Blow at CompsR_US.
C'mon. He's making a good point about geeks -- you can use their love of learning new stuff and putting it to use to change their collective direction quickly. It's a valid insight.
Microsoft has been able to exploit this better than any other large company. It's a matter of hiring the right people. They don't always get the right direction, but they can be moved rapidly when necessary. Remember Microsoft's total lack of preparation for the Internet a couple of years ago? Now we're worrying about the possibility they may coopt it.
I would view a similar microsoft shift towards more trustworthy software development practices as an unmitigated good. You can't dominate the field of "trustworthy" software. It's just about producing higher quality software, which benefits both their customers and even people who aren't their customers (how many non-windows sites suffered collateral damage to Code Red).
The problem is the inevitable PR baloney that goes with it. Perhaps Microsoft sincerely wants to produce more trustworthy software; this is good. However they want their customers to trust their products right now, so they're trying to make them think that most of the problems have been fixed by a gargantuan effort. This is bad. You can't fix years of shoddy work with a couple of months of auditing. Fixing security problems is, I don't know, but I'd guess at least ten times as hard as avoiding them in the first place.
A little humility would make people who know better feel a bit more comfortable that this is more than PR hype.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Apparently the new "Ministry of Trustworthy Computing" will be headquartered at 1 Microsoft Way, Redmond, WA.
in the immortal words of my father.
"show me the last solution and i'll show you the problem"
beware of a quick fix!
Has this been fixed yet? IE restoring the coyright notice?
"I'm not impatient. I just hate waiting." - My Dad
From the Salon monoculture article:
"Software engineers are not traditional engineers. They're rock stars," Copeland says, meaning they're less interested in meticulously removing all flaws from a design the way a skyscraper architect would feel compelled to do.
I take issue with this. What software engineer doesn't try to remove all the flaws from their code? All good engineers do this...heck I could almost be called obsessive-compulsive about making sure my code works correctly. Maybe there are a bunch of bad programmers out there who think they're rock stars. And if there are, I don't want them working for me. Ever.
They had a documentary on Linus two weeks ago.
Totally agreed. It's almost comical there's a discussion over two months of code review after 25 years of doing business the way they have.
"Hello, World", 17 errors, 31 warnings
Yes, I antitrust MS. Implicitly.
Sorry, I just had to say that :-) Mod me down, please.
I choose to remain celibate, like my father and his father before him.
This is a really awful way of doing it. In order to get a good implementation you need:
1) A solid design. That means no automatic execution of attachments.
2) Continuous review of the code. If the code sits for 3 years before it's reviewed, then you've exposed yourself to bugs in that time, and perhaps you've even accidentally built stuff which relies on that bug.
At least three of the patches recently have been "Security Rollup Patches." One for Win2K as an OS, one for IE, and one for COM+. (There may have been a few more...I'm just remembering these off the top of my head.)
Who knows how many fixes were included in those rollup patches. Probably more than you would think.
-Jayde
What's a sig?
"Michael Howard, the Microsoft security expert who prepared the training material for the company's security retraining and led the security classes."
This sentence got me. If this guy is on MS staff and MS security has been so bad, why is HE writing the training material and instructing the security classes? I would think that he would have been advising the MS programmers all along. Maybe he was looking over their shoulders and laughing.
I mean, how hard do you have to work to convince a developer not to use gets() to parse an .ini file?
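The gets() remark above, and the earlier point that comments recording a routine's safety assumptions make review faster, as an added example in C (not code from the page, from Microsoft, or from any poster). The .ini format, the line limit INI_MAX_LINE, the function names and the sample config are all assumptions made here for illustration; input is fed through a standard tmpfile() so it runs offline. The unbounded shape it replaces is shown in the header comment; the hardened reader rejects over-long lines instead of silently truncating them, and bounds the copy into the caller's buffer.

```c
/* Added example, not from the original page or from Microsoft's code.
 *
 * The pattern the comment above complains about looks like this:
 *
 *     char line[64];
 *     while (gets(line)) { parse(line); }   // no bound: an over-long line
 *                                           // in the .ini overruns line[]
 *
 * Below, fgets() bounds every read, lines that do not fit are reported as an
 * error (and their tail discarded so it is not parsed as a fresh key), and the
 * value copy into the caller's buffer is bounded and always NUL-terminated.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumption: deliberately small so the over-long-line case is easy to hit. */
#define INI_MAX_LINE 64

/* Read one line into buf (capacity n, n >= 2).
 * Returns 1 for a complete line, 0 at end of input, -1 if the line did not
 * fit; in that case the rest of the line is consumed so the next call starts
 * on a fresh line. */
static int ini_read_line(FILE *fp, char *buf, size_t n)
{
    if (fgets(buf, (int)n, fp) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline: either the final line lacks one, or the buffer filled up. */
    int c = fgetc(fp);
    if (c == EOF)
        return 1;
    while (c != EOF && c != '\n')
        c = fgetc(fp);
    return -1;
}

/* Strip leading/trailing whitespace in place; returns the trimmed start. */
static char *ini_trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Look up key in [section]. Returns 1 and copies the value into out (bounded
 * by outlen, always NUL-terminated); 0 if absent; -1 on an over-long line,
 * an unterminated [section header, or outlen == 0. Assumes ';' and '#' start
 * comment lines. */
int ini_lookup(FILE *fp, const char *section, const char *key,
               char *out, size_t outlen)
{
    char line[INI_MAX_LINE];
    int in_section = 0, rc;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while ((rc = ini_read_line(fp, line, sizeof line)) != 0) {
        if (rc < 0)
            return -1;                  /* line longer than the buffer */
        char *p = ini_trim(line);
        if (*p == '\0' || *p == ';' || *p == '#')
            continue;                   /* blank or comment */
        if (*p == '[') {
            char *close = strchr(p, ']');
            if (close == NULL)
                return -1;
            *close = '\0';
            in_section = strcmp(ini_trim(p + 1), section) == 0;
            continue;
        }
        if (!in_section)
            continue;
        char *eq = strchr(p, '=');
        if (eq == NULL)
            continue;                   /* not key=value; ignore */
        *eq = '\0';
        if (strcmp(ini_trim(p), key) != 0)
            continue;
        /* snprintf never writes past outlen and always terminates. */
        snprintf(out, outlen, "%s", ini_trim(eq + 1));
        return 1;
    }
    return 0;
}

/* Convenience wrapper over an in-memory string via a standard tmpfile(). */
int ini_lookup_str(const char *text, const char *section, const char *key,
                   char *out, size_t outlen)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    if (fputs(text, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    int rc = ini_lookup(fp, section, key, out, outlen);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* Constructed sample config, not taken from any real product. */
    const char *sample = "; constructed sample\n[net]\n port = 8080 \n";
    char val[16];
    if (ini_lookup_str(sample, "net", "port", val, sizeof val) == 1)
        printf("net.port = %s\n", val);
    return 0;
}
```

The -1 return on an over-long line is the part a reviewer should insist on: truncating with fgets() alone is memory-safe but leaves the rest of the line to be read as the next record, which is exactly the kind of assumption a comment like the one at the top of ini_read_line exists to make visible.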
I wouldn't call this brainwashing. I remember reading an article about Oracle that they put the top 10 insecure things that you can do in C on a worksheet and they have every package maintainer sign off that these techniques have not been used. These are only touchstones, though, and security problems could easily be introduced while still using valid code.
Think of it more as a "security epiphany" or "security enlightenment" - they were probably just presented with a minimal list of what not to do. Hard to disagree about such things.
"Microsoft insists that such thinking represented the old Microsoft. In interviews, several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player."
So, what Microsoft is saying is that because they can abuse the monopoly power of their OS to extend their presence into the Internet services sector, we should believe that they can secure their software??
The title of the article is: "Microsoft Programmers Focus on Secure Software." I can only wonder where they found some secure software on which to focus.
The race isn't always to the swift... but that's the way to bet!
When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.
When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.
When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.
When they have a stable, scalable 64-bit version of Windows, we might start worrying.
In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors products. I don't see that happening anytime soon.
After all, we gave them SMTP, and look what they did with that.
Your own source refutes your point. Maybe you missed the big header in red that gives instructions on interpreting the results! Maybe the disclaimer that these numbers mean nothing about the security vulnerabilities means nothing to you??? Maybe you just like the look of the numbers, even though it says right there that they prove NOTHING!!
It seems as if he wants to entrench in everyone's minds the idea that the current software "environment" - a static food chain with Microsoft as the perpetual gigantic super-predator at the top - is a healthy, naturally-occurring state of being.
pr0n - keeping monitor glass spotless since 1981.
1000+ people in a dozen half day seminars?? Are they nuts??
/. way of admitting that friendly fire isn't.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Well, here's some tips.
1) Code inspect in groups of 4-6
2) Don't have the author read the code.
3) Have clearly assigned Moderator, Reader and Inspector(s) roles. They can overlap, but remember 2)
4) Don't go for more than 2 hour sessions, twice a day.
5) Don't do more than 200 lines of code a session.
6) Prep on the code.
7) Follow up on minutes.
Most designers hate code inspections, in my experience (myself included), but they do serve a purpose, and aren't too painful when you follow these guidelines.
9000 people should have been able to inspect the entire Windows codebase in this space of time, if they've stopped or even slowed development.
Ideally, this is _part of the development process_. Or something similar, at least.
Members of the select group initially showed some resistance to the process, but in the end the experience of seeing offending snippets of code on a giant screen in a large auditorium proved humbling, said Michael Howard, the Microsoft security expert who prepared the training material for the company's security retraining and led the security classes
Yea, that's it. Humiliation really works in rooting out those bugs. How professional.
O ya. Laptop. Ergonomics. Smarten up! Geesh.
AC is the
"Trustworthy computing" - I doubt MS can do that.
How about "Antitrustworthy Computing?" Thats where they seem to excel.
Juln
There is natural monopoly, which is the existence of production where there is no alternative, a vacuum
or
Artificial monopoly, which exists by forcing competitors out of the market
I think for a long time Microsoft thought of itself as the former. There is slowly a change to the latter but I still think in some respects the former exists
That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach
This is not their fault. A large percentage of windows problems are caused by problems with the Registry (mostly invalid entries). There is NO WAY for the average Joe-schmo computer user to KNOW what has been altered in the registry in order to fix it. There is certainly no way for MS to know what has been changed and what the correct value should be. What is the solution? Re-install and start from scratch. Is this the best solution? Right now, yes. Would MS go back and alter the way the registry is implemented if they could? I would bet they would do a few things differently. But now that you've got several thousands of software applications that use the Registry as it currently exists, it's kind of hard to go back and make changes.
Of course they could change it, and require everyone to upgrade to a new version of Windows, and buy all new applications, but that wouldn't make the consumer very happy would it? Sounds like a Catch-22 to me. Sort of like having to still (even in XP) maintain backwards compatibility with Windows 3.1. It was released in 1993 for heaven's sakes!
Oh goody, a borgette.
> Thousands of people across various product teams have attended security lectures,
That means they will write more secure code why? In the past you have called the "many eyes make bugs shallow" idea a myth for pretty much the same reasons that "attending lectures on writing secure code" would make code more secure.
> new development has been stopped, old code and new code has been stringently reviewed,
1. For Joe User, the code reviews will mean exactly nil.
When exactly will users of Win 95,98,ME,NT 4.0 be seeing the fruits of those labors...simply put they won't. As always Microsoft is only focusing on the latest-greatest products they are shipping. Economically this makes sense, but how many thousands of NT 4.0 IIS 4.0 servers, SQL 7.0 servers and (soon to be obsoleted) Win2K Pro boxes will continue to hammer my clients firewalls because Microsoft refuses to maintain any sort of legacy product support?
2. No Proof of coding reviews.
What sort of reviews? In the past you have called for formal, codified coding review policies. I have yet to see Microsoft document how exactly they are reviewing their code. Simply sending developers to a lecture and making them re-read their code does not = more secure coding practices. How many patches has Microsoft released to fix bugs found in released products because of this review? Combing bugtraq I see none.
> Now on to counter the main claims of your post that releasing software with security issues is a good business [snipped for space]
3. Insecure software still makes sense for Microsoft.
It still unfortunately makes good business sense. Shall I send you the ads from Microsoft that litter my inbox, touting that WinXP is more secure than previous Microsoft OS's... Again, Microsoft is NOT releasing patches for past products where security flaws are found. The message has stayed the same. Want a "secure" OS/platform, then upgrade to our latest and greatest.
> [...] when in truth there is more to security than just applying a buzzword technology or software development style
4. Yup, re-read what you wrote again. Memos of "we must do better", 2 months of reviewing and sending developers to lectures on a topic they should ALREADY know do not change decades of practice, nor the underlying attitude of management. If you want to produce secure, reliable code it takes consistent attention to detail, an emphasis on quality and an understanding that code you write today may well be in use long after you've retired. It takes understanding of basic principles of software development; it takes understanding software development as an engineering practice, not as a semi-skilled trade.
What surprises me is that Microsoft (and much of the industry) acts like writing secure software is something new. Software security problems have been around since before telenet was patching holes left and right because of the quality of their login code. If you think Microsoft is bad about security, you should browse the quality of code that many in-house projects have, though.
I would add that if you really have a commitment to security, then you must be willing to understand that you can't call it secure and then shoot the messenger when he/she posts a vuln that says otherwise
Bugs Bunny was right.
It's annoying how "the ignorant" masses will take anything Microsoft says as fact.
You probaly should have mentioned OpenBSD as another example.
Security oriented code audits of every package, this has already been done.
It is exactly what MS said didn't exist.
Well I doubt that everyone will get together to work on this, but individual projects might.
Much better to research the problem on your own PC from the comfort of your office. Then check the server config files out of CVS, make changes, SSH into the box and perform your testing.
As for the Novell and Linux servers that "had problems", it doesn't surprise me as I doubt you have the proper experience to effectively administer either.
Kind Regards
"A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
Even if they were actually successful (not likely) in cleaning up the massive number of unintentional screw-ups in their code, the stuff they do intentionally is worse, including the Product Activation 'technology', their Secure Audio Path crapola (==selling their users' rights to the highest bidder), that abominable Plug'n'Play crap that just 'decides' to randomly re-configure your system hardware, and Anything.Net. Also, their gratuitous changes to file formats, communications protocols and APIs to enforce upgrades and preclude competition.
It's the stuff they do with full knowledge and intent that makes them un-trustworthy.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
when it takes more man hours to deploy them to large enterprises than to actually setup the enterprise?
A thread in microsoft's public newsgroup recently discusses methods of deployment. Oddly enough, the one post that contained a list of 3rd party programs and pricing structures is now gone, but the rest of the thread exists: applying updates
Here are the free utilities that MS provides:
hfnetchk
MBSA
Nice, though they still don't INSTALL THE UPDATES to any workstations. The 3rd party programs I mentioned cost thousands for licenses.
As our funds are VERY low for anything (I work for the State), we couldn't just spend thousands for 3rd party programs to apply bug fixes (or even hundreds for that matter). Instead, I wrote a batch script to silently apply critical updates to workstations to nearly a thousand users, with integrity checks and output logs (would work for any number of workstations).
Wow, what a concept, too bad for MS the "open-source community's man hours" paid off (apt-get, up2date) for *FREE* functionality to apply updates. MS can learn a thing or two, if they'd stop bashing the open-source network, and instead spend their "man hours" providing functional programs to the millions of customers they have forced their OS on.
Hrm, I know this has been beaten to death, but: Doesn't anyone see anything wrong with the fact that MS (aside from the evil OEM bullying) sells an OS that they have to release patches for weekly (including patches for patches), then provide no way to deploy these to large enterprises?
Can you imagine if Auto Manufacturers provided service like this? Let's say Ford would sell an Explorer that blew up if you filled the gas tank up too much (we'll call it a 'gas tank buffer overflow'), so they released a gas tank modification kit to fix it. Now, they will send you all the kits you need for your lot, but it's up to you to install them all. Furthermore, if they catch you selling Chevy's, they'll penalize you. And your license agreement says you HAVE to sell the new model when it comes out. *OR*, here's a list of 'partners' that will install them for you, at a pretty penny.
Vinny Valdez
p.s. if anyone would like a copy of the script, just email me.
"The more you suffer, the more it shows you really care, right?" -Offspring
Scripting for the scriptless with OWC in IE.
Reading local files with OWC in IE.
Controlling the clipboard with OWC in IE.
Multiple local files detection issues with OWC in IE.
-- Don't Tase me, bro!
And then all the sudden they bring out this dog and pony show and you discard your lessons from the past and without any results or evidence in hand
My computer has received 10+ security updates from MS since the beginning of February. Prior to that they came out few and far between (every few months). I would say that from an end-user's perspective, I can see a major difference. And I had noticed the increased updates without seeing any of their "Dog and Pony Show." It remains to be seen whether or not these updates prove useful, and also just how many more updates will come out (how many are needed?), but I can see that they're doing *SOMETHING*, which is more than I've seen in the past.
Outlook Express *still* ships with the preview pane turned on by default, and port 139 is still wide open by default too. These are the two biggest security flaws in Windows operating systems, allowing the spread of every virus in recent memory. Yet Microsoft has done nothing about this.
where is all this apologistic rubbish coming from with you guys? i guess one of the drones sends out an email saying "get on /. and support us" and you all run out there to make excuses for the drone master? get a life! i don't agree with /. constantly bashing microsoft for the sake of it, but reading you all just go on and on and on and on and on about how m$ is so great and how m$ are the best and how we all owe our lives to m$ is as boring as it is factually incorrect.
go away and play on zdnet.com or something.
Well, MS in the news again. The God and Devil Show has Bill Gates as their guest and they talk about his new operating system, Windows Eternity. Its a flash cartoon about 4-5 mins. Make sure to send Bill to either heaven or hell. (I suggest send him first to heaven and then to hell).
Some might find this offensive so please watch at your own discretion.
microsoft bad!
open source good!
perlgolf: the only place where shorter is better
favorite quote:
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said
I hope their brainwashing organizers don't use the same crack QA team their OS people do. I'd imagine I'd start unconsciously yelling things like:
"java bad!"
"IIS is god."
"oooh, cookies are good."
"comments? what are they?"
"bill gates is a sexy man."
Looking for Book Reviews? Check out Literary Escapism.
News:
St. Louis, MO, Nov 31, 2030: An American Airlines plane, piloted by Microsoft Pilot software, crashed 50 miles outside St. Louis. The flight recorder listed a general protection error as the cause of the crash. American Airlines apparently forgot to renew the software subscription...
I work at a software shop that developed an extensive amount of code compiling under Linux, Solaris, and Win2000. We constantly compile the same code under all three platforms and frequently have to deal with portability issues.
Today, my next-cubicle neighbor asked me why we keep the warning-level at 3 in the MSVC++ environment. Being primarily a Linux/Solaris guy, I said I had no idea why and suggested he raise the level to 4 (the maximum) and see what happens. Ten minutes later, he got his answer: the compiler issued 1000+ warnings, most of which came from the standard library header files! Talk about a need for code reviews...
But I guess I shouldn't worry, since Mr. Lipner will simply sic his Uruk-Hai legions on that code for a week, and they'll make it into a thing of such sparkling crystalline beauty that the gcc developers will weep with envy.
yppupdurc
--
"Some mornings, it's just not worth chewing through the leather straps."
I was wondering about the numbers myself.
Can I please subscribe to up to the minute /. updates on exactly what MS is doing, when, where, and with whom? If there is a mouse in a warehouse muttering "news" about MS I want to hear about it. Because I care.
During odd minor number releases you add features.
During even minor number releases you only fix bugs.
Not every OSS project uses this model but a huge number do.
That's what they get for trying to fly through the Gateway Arch.
I used to train 8 hour days, breaking for lunch, 5 days a week. Web design, some SQL, etc.
It was tiring, more so for me I think than the students, but they stayed awake when they were learning something new.
So it stands that security is a new topic to the Microsoft programmers!
I don't know if you intended to imply that doing the right thing with attachments was the only thing necessary for a secure setup, but take a look at Java Web Start as an example of how the platform itself can give assured security, regardless of the kind of code being run on it.
Students that are paying for their own education are holding down a job at the same time that they are going to classes. They do a much worse job of being awake. They do a much worse job of paying attention. They probably try harder, but how hard you try isn't everything.
I've been on both sides of that fence.
OTOH, being depressed is worse than either. And can be mixed with either.
I think we've pushed this "anyone can grow up to be president" thing too far.
From what I've seen, when the bottom line is threatened the top guys (who they are depends on the organization) focus on short term face-saving actions, as they prepare to jump ship. To say it in other words, they do things to make the short term picture look good with the hope that they can disguise the problems until they've landed another job. And to hell with the people who trusted them.
This seems to be a pretty general rule. I wouldn't say that it's always the way things work, but it sure is the way they frequently work. Look around at any company that's recently had a bunch of layoffs, and listen to the rhetoric. Or see top execs who've recently gotten a new job, and then look at the old company. It isn't always sinking. Not always. But that's the way to figure if you don't have good reason to believe otherwise.
I think we've pushed this "anyone can grow up to be president" thing too far.
I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?
My article does not compare Microsoft products and any Open Source technologies so I am confused as to where this rant stems from. I do remember linking to the Security Focus table as a way to point out that it is disputable to claim that Linux distros are more secure than Windows.
My actual article uses the Vulnerability Archive to compare UNIX flavors and Linux distributions to point out that the license the software is released under does not have as much of a bearing on whether the software is secure or not. So your rant (and +4 score) are rather unwarranted.
Yes, they probably will do some good. Yes, they will probably help a little with the perennial problems with Microsoft software: that it is dumped on the market with way too many bugs, that it is dumped on the market with way too many features, and that it is dumped on the market much earlier than the software from more conscientious competitors, driving them out of business.
But it doesn't address the fundamental problems. Microsoft software is still closed source and it is still written and controlled by a small number of programmers up in Redmond, programmers who often have no experience of anything beyond Microsoft. Even if Microsoft made all their software "shared source", the economic incentives would favor the crackers (other developers don't have much interest in contributing fixed to Microsoft that they just have to pay for again in the next release).
Most importantly, however, Microsoft's goal of total market domination is their own worst enemy: an OS that runs on 95% of the machines is intrinsically and unavoidably not secure. We need operating system diversity. If no single OS or server software runs on more than 5-10% of desktops and servers, then security problems are automatically self-limiting. And, as a bonus, the increased competition would give us better products and more innovation. (And, yes, these comments apply to Apache as well.)
but that doesn't count cause M$ likes the BSD license.
Jaysyn
There is a war going on for your mind.
You may be right. I'll never know. Because I will never agree to what I've seen of the recent MS licenses.
So I will continue to perceive MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".
More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.
Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, or even knowing of it (via "license specs are kept on a web page").
I don't see how things COULD be less secure, for the end user.
I think we've pushed this "anyone can grow up to be president" thing too far.
Dare I say what everyone who reads slashdot is thinking?
What glue have they been sniffing today?
Brielle
A little off topic, but it had to be said somewhere:
Netscape is a fucking useless piece of fucking shit and clients who standardize on it should be fucking dragged out into the street and beaten to fucking death!!!!!
(not an endorsement of Micro$oft)
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.
When was the last time that Linux had to do a total overhaul on security? Yet, paradoxically, Linux has continued to be more secure than Windows. And how long has m$ put off this important task? A good software developer should plan ahead. M$ is again turning their shortcomings around and accusing their competitors of said deficiency.
"MS: So bad we have to remake it. Again!"
"Before you feel all high and mighty I think I should point out that something likely 75% of all redhat boxes are rooted in the first 24 hours."
I have set up probably 6 redhat boxes, none of which have been rooted at all in their life cycles while I was running them, much less in the first 24 hours. Most of them have not had the basic security work done on them in that time period, so let's check statistics...
Assuming a binomial distribution n = 6 and p = .75, the odds of none of them having been rooted in the first 24 hours is 244.141*10^-6
I didn't realize I was that much of a statistical anomaly.
Integrate Keynote and LaTeX
Idiot karma whore.
Mmmm.. Donuts
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Of course, the MS guy counts security in man-years.
Frankly, I would expect that one hour of John Gilmore, Hugh Daniel, or ESR's time working on security issues is worth at least a man-year from the average MS coder.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Um, I completely disagree about the preview pane being a security flaw. If Outlook can be controlled completely by code within an email, it doesn't matter if it's previewed or not. If it's a halfway intelligent email worm, the subject will fool you. What would you do if you got an email from your mom, subject line "Hi"? Would you open it? Outlook has to be able to view email safely. The preview is not the problem.
There are no trails. There are no trees out here.
Fear - Be afraid, that OSS might not be very secure.
Uncertainty - Well, if it isn't secure you probably shouldn't deploy it, should you. Use commercial software (and keep my paycheck coming).
Doubt - Hmm, well, maybe we should stick with the tried and true, good ole MS. (or IBM if we want to go back in time.)
Interesting. I don't see anywhere in the article where I singled out Open Source software for being more insecure than proprietary software; in fact the vulnerability list I show ends up making Solaris (a proprietary product) out to be the worst of all. Secondly my article commends both Debian and OpenBSD, I'd be very amused to see you come up with some Microsoft related conspiracy theory about how Bill Gates and Steve Ballmer have decided
I'm all ears.
I'm a person who for years, has been able to grab updated packages within /hours/ of exploits being found. Over and over again, I think to myself, "Holy cow, these guys are on the ball!"
Exploits in the kernel are solved just about as fast. Linux and BSD folks have been very security conscious for years, have a huge base of security related documentation, software packages, developers, entire operating systems that have been audited line by line.
And then here comes Microsoft, after staging a series of presentations, declaring their dominance in the area of security. It's asinine, crazy talk. It's like reading a pamphlet on seal hunting, and then proclaiming you're better than an Eskimo.
Are you familiar with snort, or PAM? Holy cow, each of those packages alone, make anything Microsoft has to offer look like some sort of teething ring you'd give to a child. And there are thousands of packages like that available.
You just don't understand how far Microsoft is behind, perhaps the gap is so great that the mind recoils at comprehension of it.
...If you consider the fact the MS is shipping software that is ONLY NOW being reviewed for security....well that seems to qualify as a late project.
Perhaps these security issues at MS can be attributed to the failed strategy of attempting to develop networked (server) software with development techniques barely sufficient for stand-alone desktop PC apps. I recall a periodical produced by Yourdon called "The Guerrilla Programmer" where he studied software development techniques at MS. He suggested the term "good enough software" indicating that it was ok to ship software with bugs - especially if doing so got you to market ahead of your competition. That was back in the mid-90s...interesting that only now is MS catching on that multiuser networked applications are not just scaled-up versions of Notepad!
I want to be alone with the sandwich
One can bicker back and forth all day long about statistics on this system or that system, and how based on CURRENT trends, some such system is more safe than some other system.
None of this, however, is relevant to the basic principle that what I don't know about or don't have control over (e.g., access to code, purchasing choice) is inherently insecure to me. It's not known problems I'm worried about, it's possible FUTURE ones. You cannot feel secure without control, and MS is the last corporation to place control in the hands of anyone but itself.
The problem is that once we put all our eggs in MS's basket, they have control over what I can and can't buy, how I buy things, and what I use. And when MS has complete control, we lose the ability to determine what MIGHT have been had MS not had an illegal/unfair monopoly. MS also loses any practical incentive to give me the security I want (I would argue they already have).
I don't give a rat's ass how much MS might be improving its security, to tell you the truth. The problem is, once MS has complete control over a market, there is no way of knowing at a future point in time if something better might have been available had they not had a monopoly.
Comparing open source distributions to proprietary distributions IS flawed in this regard, because regardless of the libre nature of the software, I would argue most sociologists, etc. would argue that MS's current emphasis on security is the direct result of OPEN DISCUSSION of MS's flaws and the presence of ALTERNATIVES to compare it to.
Once we lose the ability to openly discuss software security and lose alternatives, we make our systems inherently less secure.
Is open source more secure? Maybe, maybe not. But what is more secure is an open MARKET, which we don't have without Linux and UNIX.
The kind of shift Microsoft is doing kind of reminds me of when the Japanese almost had a death grip on the car industry. Let's hope the same thing happens in this case and the corporation keeps its promises.
:)
This article also kinda reminds me of an enema... but that's just me.
From the NY Times article:
Fuck the open source developers for doing it right the first time. Let's take a quick opinion poll: Which is more time consuming, writing the code correctly the first time or going back through it looking for errors and REwriting it?
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
LOL. Well,
Chris
I'll begin with a sobering fact. I interviewed for a job with one of the larger computer security companies not too long ago. When I asked the clueful gentleman who interviewed me why they didn't use several Open Source security tools recognized as the clear best-of-breed in the security community, his answer was blunt: Accountants and clients don't understand the benefits of Open Source, even when they're hearing it from security professionals.
That said, those Open Source packages were auditing and intrusion detection tools, not operating systems. Tools, individual packages, have always been the strength of the Open community, born out of the legacy of "hacks" and elegant solutions. But putting all these tools together is a tough task, and harder still when every tool is a potential weak link. Open software suffers from the existing operating system model just as much as proprietary software, and the statistics on "holes per year," as with all petty statistical arguments, should be ignored.
As a constructive but near-sighted solution, code audits are at least a first stab at improved security. Measures like this, in tandem with ugly PR campaigns, are the constant fallback of the American corporate world; the end result is about looking good this fiscal quarter, positive press, and return for shareholders; long-term benefits to community and consumers be damned.
If Microsoft or the Open Source community was truly interested in security, the proposed solution and counter-arguments would not even consider today's operating systems. Anyone following security can see a trend in all sub-arenas (incidents, viruses, defense) towards virtualizing computing processes. The metaphors vary: sandboxes, virtual machines, analysis queues. But they all result in a way of operating a machine that's far removed from today's server OS world.
Indeed, "removal" would be the key concept. Removing processes from their environment and associated weaknesses; removing computations that violate trusted measures; removing the weaknesses that come with the bulk of a "modern" OS. Of course, many Open projects aim to re-work existing platforms to be "trusted." Nonetheless, it's clear that while server OSes are built on this legacy design, we're still going to be tallying up vulnerabilities. Whether the proprietary world that Microsoft embodies or the Open community will offer the solution first is unknown. If you see security as an altruistic endeavor, as I clearly do, then put your bets on Open folks to sit down and rethink the way this all works. If you don't see such massive changes in thinking happening without the money and industry connections of the Big Boys, then there you go.
But don't think that in a day when the boundaries between client machine and server machine, operating system and network, are dissolving (or at least being questioned) that this game is going to look the same for long.
You know, there hasn't been an OE preview pane bug discovered for like 2 years.
We seem to forget that not only do people not always work on weekends, but that they don't spend eight hours a day reviewing source code. I've just been on a Code Inspection course, so I know everything about this now. (Sort of.)
Firstly, code reviews often involve two to four people, and sometimes more, rather than just one. Secondly, the code inspection takes 30-50 minutes for a 200-line module or class. Thirdly, on the assumption that source code is neither easy nor enjoyable to read, you can't realistically expect to do more than about three or four of these a day without going utterly mad. Fourthly and finally, code reviews are performed to find errors in code, and somebody always has to go away and fix them, right?
(To correct, 8 weeks * 5 days/week * 2 hours/day * 3,000 teams of reviewers would be closer to 30 man-years - whatever that means.)
Even removing the questionable maths from the discussion, jdbo hits the nail square on the head:
The chief aim of performing code reviews is not to have to review code in the future. Consider also that security holes aren't the only problems with Microsoft's code - Windows XP, for all its uniformity, is still a buggy and disjointed mess.
Given that Microsoft bug reports are appearing in the media at about the same rate as always, and given that Microsoft's track record for writing stellar, secure, efficient and bug-free code is not a good one, it's difficult to see the point. I know they're on higher moral ground now, but none of it seems to be working any better. Two months was never going to be enough, but how much time have they got?
Attack its weak point for massive damage!
Whatever they are, we should focus on our own solutions and let them spend their time FUDding.
The best defense, is to flourish!
To hell with all the ones saying it cannot be done, we've been doing it and we are undoubtedly the fastest growing grassroots movement on the face of the earth.
Why, because of the joy to create solutions for others. The pride of seeing your solution working!
There is no way that M$ can keep up with free software. Even if their intent were not sullied by considerations like pushing adverts on their users and denying users the ability to copy files, Microsoft's honest efforts would be quickly overtaken. It shows in their 10 year old window manager that limits users to a single virtual screen and multitasks about as well as a calculator. But Microsoft is not honest, and they are wasting their resources on stupid things. The astonishing thing is that Lipner and friends can keep a straight face when they say things like this.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
In the past few months, Microsoft has done more *continuously focused on one project at one time with corporate backing* computer security code reviews than OSS has in ten years
A better way to say what they're saying is:
OSS didn't have as many bugs to start with--they really didn't need two months of intensive security review like we did, but hey.. Better late than never!
Who mediates your information?
What Microsoft meant to say was "two months of code reviews and half-day seminars [regarding security] surpasses everything ever done [before] by Microsoft".
-Paul Komarek
I was doing a reinstall of Win 98SE and putting all of my drivers on, getting a new update on my computer's video card.
Guess what? I was putting in my firewall when I noticed someone had already put in some damn
Doh!
So, is two hours a world record or what?
Needless to say, I had to reinstall the little demon OS, because you never know what you got. There was about 2 hours down the drain.
And yes, I know. I shouldn't be running wintendo. Forgive me, monsignor.
For what it's worth, the Soviets used a form of DOS to run their rockets. If a system is critical to operation, it will be made robust and physically isolated from the outside.
If remote control is also needed, then a second element will be created so that security does not interfere with the machine, or, like teller machines, some work will go into making them tamper-proof.
That OS/2 is often used for ATMs and other embedded systems, but has no native inbuilt security (this is an addon), suggests that robustness and security are different.
Much of what Microsoft has been doing is about "security", that is, stopping people using poorly written commingled code to do things to people's hard disks through net apps.
I would rather trust my life to a robust system than a secure one.
OS/2 - because choice is a terrible thing to waste.
Bill Gates made a typo in that e-mail. He meant "antitrust-worthy computing".
With the preview pane turned on, you can't even select the message for deletion without opening it.
Guess what? The upgrade treadmill, while it may be bad for consumers, is GOOD for American business, and good for /.ers' employment status on the whole, I would imagine.
Why? Because it drives hardware sales, and that's good. Now that PC and other IT hardware sales are slowing, we see how much it sucks for everyone when things aren't going well.
Point 2: at some point, arbitrage should develop and desktop users will be willing to buy a used machine running a free OS at a lower overall price than a Windows box. There should be a tipping point when the perceived advantages of Windows are outweighed by a price advantage. We aren't there yet.
-------- -praktike
I'm so sick of hearing about Microsoft. I wish they would just fall off the face of the earth and us open source people can move on with our lives. Ahhh.. what a nice thought...
That was a default server installation. At the time everyone admitted that the default server install was quite insecure. But it is hardly fair to call it a "typical installation". It was something that almost everyone knew was insecure, whether or not they knew what to do about it.
2) we were using 6.2, and it had, as many have noted bad holes in the inital install.
Unfortunately I wish this was true. A large part of my job involves building (or helping people build) Red Hat boxes as firewalls or samba servers. They can send their server to me, and I will setup their system in a secure and functional manner. Up until RH 7.2 came out (I will not use any RH distro until it ends in a
Most of these things could be fixed by bastille, but I personally prefer to do everything manually, so I know it gets done.
However, many of our customers, and a networking company that we are affiliated with often perform their own installs. These are installed often with 6.2 in a "default" install (because the people installing don't know what to adjust, despite the documentation we have provided for free..).
I won't comment on how many of these things have been owned. (True, I have seen NT servers get owned in the same environment/manner, but I work far more with Linux.)
I can remember one distinctly that I was taking a look at because it was operating improperly. It was only connected to the net for about 10 min so that a bunch of RPMs could be downloaded. In that time it got hit by a scanner and a script, and was owned. I first discovered it by accident, troubleshooting this server for the guy who set it up, and I noticed that "ls -alh" did not work properly. The "-h" flag was not functioning. I could not figure out why... Then I ran an MD5 sum on ls and found it did not match with known good binaries. Most of the binaries on that system were fsked with. We formatted, and I reinstalled and configured the system for him.
Of course, it has happened to me too, I have made some mistakes (and learned a great deal from them too...) You should check out (as another poster mentioned) the Honeynet project and try building your own honeypot and see how fast it gets owned. Of course, if you are monitoring your logs (logcheck!), or using tools such as portsentry you should see hits on a regular basis to your outside systems on your network. If you are *NOT* looking for these things, I pity you. Hell, I just went through a great deal of trouble with the latest SSH bug, not a fun time when you find the crc messages in your logs. (Sure, as an admin I could have fixed it faster, but I was on vacation, and I did not get the alert.)
So, unfortunately, I must disagree that the "default" installation (from what I have seen) is far far too often the typical installation. Heck, up until recently the "default" installation was used on a regular basis by most of the members of our LUG!
I wish this were not the case, I really do. It is not what I have witnessed however.
Try to hack my 31337 firewall!
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
There's no way the open-source community has done that little.
Oh I'm sure that Microsoft has reviewed their entire code base (about like I review /. every day). Knowing what to look for and what to do about it is an entirely different matter, and doesn't happen in anything resembling a big hurry.
I have done a security audit for a company that isn't Microsoft, but wants to be (don't ask, it's really sad). I'd like to say that I had help, but I didn't. Kids, don't try this kind of software project management at home.
The thing about commercial software development (open-source or otherwise) is that the population of developers is small, and their schedule does not allow them to develop their coding style very much. As a result, you can usually recognize who wrote which code after you've read enough of it, and once you can do that, you can predict the quality of their future code based on past code.
The thing about security bugs in code that has NEVER been audited before is that most of them (by number) are the same basic stupid mistakes repeated over and over again.
Exploiting this to its full potential, you can find security holes with 'find' and 'grep'. In my case, about 250 security holes per hour (20 seconds of computer time, 3580 seconds of looking at the code in question and eliminating cases where calling or enclosing code prevents exploitation of dangerous code) in 275 KSLOC during the first day of auditing. This rate drops off to about 120 "hits" per search with maybe a dozen false positives (interestingly enough the false-positive rate always hovered around 10%), for a total of just over 1000 security holes in a single week.
After I made that pass, where I might be finding and even fixing multiple vulnerabilities in a single *minute*, I then look at who wrote the code I am fixing, who mentored them, who they mentored, etc. Basically I construct a picture from the corporate organization, the revision history, and the code, to find out who the bad coders are--then I audit everything they ever touched. This finds bugs of all kinds, but not all of them are security-related. There are still dozens of security bugs found per day using this search strategy.
Another search tactic is to do global source code searches for the variable names in functions I am fixing, and for the syntactic structures (i.e. everything around the variable names). This finds an amazing amount of plagiarization, as well as code examples that might have originated from corporate training or "learn language_X in N days" books and which were cut + pasted without any further thought about issues like checking for error returns or invalid inputs.
Note that the vast majority of the bugs found were the Unix equivalent of taking a string from an untrusted entity, blindly sprintf'ing it into an automatic array variable, and feeding the result to system() -- three different security holes in as many lines of code. This is probably also true of Microsoft code--thousands upon thousands of instances of a handful of problems, over and over again.
Simple bugs require only a few seconds to fix, especially if you are looking at repeated errors made by the same coder, and you've already worked out a general solution. Other bugs require more time, but very few bugs require more than a few hours to fix--instances where a redesign is required are very rare, and often this kind of problem is discovered by other means (e.g. by looking specifically for network servers or programs that run setuid, instead of searching for dangerous code fragments). The average time required is MUCH less than 8 minutes per line of code--it's actually closer to 8 minutes per bug, and 4 bugs per KSLOC.
Assuming an average bug rate of one bug per 500 lines, and an average review rate of 8 minutes per line, I'd have 4000 minutes per bug for analysis and repair. That is plenty of time to get rid of 99% of the bugs--I spent less than 4000 minutes on my entire audit, and given 4000 minutes per bug I could learn a new programming language for each one!
This kind of audit certainly does not fix all problems--the security holes that were found after the release of the code I audited attest to that. Audits like this don't produce perfect results, only better ones--half a dozen exploitable vulnerabilities are much better than a thousand.
This is what we can expect from Microsoft: fewer stupid vulnerabilities in the short term, fewer bad design decisions in the long term, with no noticeable impact on the more sophisticated attacks in any amount of time.
Incidentally, I also did an audit of a Linux distribution using more or less the same technique. I found that about 90% of the programs in /usr/bin matched patterns that suggested vulnerability, but fewer than 10% of the programs actually had exploitable vulnerabilities upon closer inspection. Most of the vulnerabilities were /tmp file-creation/symlink attacks, and many of the holes required the attacker to have very much control over the victims' activities to exploit.
Some time after I did the Linux audit, Linux distribution vendors started taking security seriously. Now when I audit Linux programs I'm pleasantly surprised to discover that they are already hardened against /tmp-style exploits and buffer overruns, even when it is provably not necessary for security.
-- I avoid spam by accepting only OpenPGP encrypted or signed email at this address. Clear-signed, RFC2015, heck, even
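The "three holes in three lines" pattern the audit post describes (untrusted string, sprintf into an automatic array, system()) next to the form an auditor would rewrite it into. This is an added example, not code from the poster or from any audited product; the function names and the "mail -s report <user>" command are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_USER 32   /* assumed limit on a local user name */

/* VULNERABLE (the pattern the post describes); kept only as the "before".
 * 1. sprintf has no bounds: a long name overruns the stack array.
 * 2. system() hands the name to a shell, which interprets metacharacters.
 * 3. The shell's behaviour depends on the caller's environment (PATH etc.),
 *    which matters in setuid programs and network daemons. */
void mail_user_vulnerable(const char *untrusted)
{
    char cmd[64];
    sprintf(cmd, "mail -s report %s", untrusted);
    system(cmd);
}

/* Allowlist check: 1 if the name is a plausible user name, 0 otherwise.
 * Rejects a leading '-' so the name can never be parsed as an option. */
int valid_user_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_USER || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Builds argv for "mail -s report <user>" with no shell involved.
 * userbuf must have room for MAX_USER + 1 bytes. Returns 0 on success,
 * -1 if the name is rejected or would be truncated. */
int build_mail_argv(const char *untrusted, char *userbuf, size_t buflen,
                    const char *argv_out[5])
{
    if (!valid_user_name(untrusted))
        return -1;
    int w = snprintf(userbuf, buflen, "%s", untrusted);
    if (w < 0 || (size_t)w >= buflen)   /* truncation is an error, not silent */
        return -1;
    argv_out[0] = "mail";
    argv_out[1] = "-s";
    argv_out[2] = "report";
    argv_out[3] = userbuf;
    argv_out[4] = NULL;
    return 0;
}

/* Hardened replacement: validated argument, bounded copy, fork/execvp
 * instead of system(). Returns the child's exit status, or -1 on error. */
int mail_user_hardened(const char *untrusted)
{
    char user[MAX_USER + 1];
    const char *argv[5];
    if (build_mail_argv(untrusted, user, sizeof user, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed inputs: one benign name, one carrying a shell separator */
    const char *samples[] = { "alice", "alice;id", "-r", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %s\n", samples[i],
               valid_user_name(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The grep-style pass the post describes would flag the first function on the sprintf and system() calls alone; the second function is what removes all three findings without changing what the program does.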
"Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.""
Come on!! Maybe if they would take the time to check their code for problems as they are working on it, they wouldn't have this problem?? Besides, we don't have to spend man-years working on security problems.. Our programs don't have security problems!! Man.. This guy is some ignorant capitalist soab!
Live to be happy!! OR ELSE!!