Slashdot Mirror
Microsoft: Trust and Antitrust
Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.
The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services are necessary to secure a Windows box, and to reducing the bad PR that Microsoft receives every time a new vulnerability is discovered.
Not necessarily. Many times in the OS community, new code is added to a project. How often does the ENTIRETY of the code get reviewed? Yes, I believe that open source software does seem to result in fewer vulnerabilities. But it doesn't mean that there are NO vulnerabilities in open source software. Windows 2000 has approximately 50 million lines of code. If they've even gone through 1/4 of that it's astonishing. When was the last time someone actively poured through every line of the Linux kernel looking for possible bugs? Very often, code is reviewed in small chunks rather than from start to finish. This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code. That's probably what Mr. Lipner is talking about.
> "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.
I was surprised by this quote too. The implication that developers at MS are some sort of automatons taht are easily brainwashed is amazing. I'm no fan of MS, its products or its tactics but the developers who work there are robots. I have found the MS people I have met to be pretty party-line company guys but they did have brains and were capable of independent thought.
The other problem with training like this is that without reinforcement from management it is not terrible useful. Sure some of the developers will "get religion" and will be absolutely scrupulous about writing secure code, but others will get lazy, forget the training or go back to old bad habits. Without code review and standards enforced by management in some way training is ineffective.
I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.
In fact, if I recall right, the sauthor of the book "the Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.
So the question is how of the work at MS falls into that category
"It is a greater offense to steal men's labor, than their clothes"
Ok, im a student at a good university.
looking at this -
dozen half-day training sessions for its programmers, about 1,000 at a time.
And i fail to see how you can teach. Its hard as hell to learn in a lecture hall of 300, but 1000? thats insane.
Not only that, but for a half day? Cmon, americans have an attention span of what? 15 sec? if that? (dont anyone take insult...:))
How do they expect coders to pay attention to a small figure in front for a full 6 hours....1.5 hours is hard as it is for a normal college lecture.
This
Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???
It's a complete waste of time listening to these liars. That is all they are. Liars, deceivers, and power-hungry control freaks that wish to see any sense of community destroyed in order to protect their monopoly and cash flow.
It would be a much wiser thing for us to do instead to focus on implementing our own open, Free, and standardized technologies that present solutions in the best interest of the community. This is the issue, and, whether we realize it or not, this is the war. We either leave these things to them and be controlled by them, or implement these solutions ourselves and protect our liberties.
Simple as that.
It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.
They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.
Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.
Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?
Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.
Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximized their revenue, and accelerates it.
Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
I love this quote; it's _so_ MS.
Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!
Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.
The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.
This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relatyive to the amount of "security twiddling".
While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddeny claim that they're "the securest of the secure" when they're just entering the field.
Big difference between adding an IP stack and a browser component and debugging/stabilizing/refactoring/etc your entire product line.
.NET initiative? If (and its still an "if") they follow through on that vision they will have completely changed their software architecture to a completely Internet-centric model.
Well if you think that's all Microsoft have done to become Internet-centric then you are vastly missing the point. Have you looked at their
Sailing over the event horizon
OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)
FreeBSD has trusted BSD which has similear aims, plus some code that would be really nice to have.
Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.
Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.
And finially, the typical way to get into open source is to do start reading code, and then contribute when you can do something. One of the things you can do is find potential holes
None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember openBSD which was just a better netBSD, and not secure. By fixing problems they got secrure. I've been a programer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my expirence is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begine to make progress, and it takes months to get them all closed.
I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.
This may sound like a troll, but it's honestly my own perception: Microsoft operates on a cult-like corporate culture. It was especially evident during the antitrust trial; the behavior of the lawyers and execs and their obvious inability to concede, even to themselves, that they just might not be arguing from a rock solid position. It really did remind me of Scientology.
And I'm offended that Mr. Howard thinks of us "geeks" as such simple, predictable, uniformly malleable children. Methinks he's been working in a cult organization too long.
I can see the fnords!
In response to you and cscx (below)...
crudeboy writes: (in regards to IE and Media Player) but... a more correct question might be: Why bother to remove it?
End user applications have no business existing on a dedicated server machine. As for why, see below:
cscx writes: Second of all, you don't install all the goodies in Windows 2000 server/advanced server. Why do you need IE? Well, it's handy as hell. You can locally install updates while at the box in the server room, run windows update, download hotfixes, etc. Plus, it's also useful for visiting tech documents / howtos to diagnose problems that the Novell and Linux servers in the same server room are having (yes, this has happened to me before ;P)
So you're going to be surfing random sites on a critical server machine... while logged in as Administrator?????
I'm glad you don't work for me. That would be grounds for a reprimand, at the very least.
Back in the old days, surfing the web ran no risk to the client machine. Nowdays there are all kinds of risks because of mobile code (ActiveX, Javascript, etc.) and exploitable client programs (increasingly complex web browsers). Do either of you guys remember how those worms were spreading last year? Sooner or later, someone's going to figure out yet another exploit for IE.
Yes, yes, you can limit the risks with security settings, but that is no longer proof against attacks.
crudeboy writes: If you really think that you probably shouldn't work with security at all... To say that things you do when implementing a software solution should be carried out first is just plain nonsense...
Well, if "limit your exposure" isn't supposed to be #1 on a security checklist, then it is #2 or #3.
Since you don't seem to understand the basics, then I suggest you read up on the subject before you start calling things "nonsense".
When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.
When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.
When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.
When they have a stable, scalable 64-bit version of Windows, we might start worrying.
In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors products. I don't see that happening anytime soon.
After all, we gave them SMTP, and look what they did with that.
You may be right. I'll never know. Because I will never agree to what I've seen of the recen MS licenses.
So I will continue to percieve MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".
More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.
Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, of even knowing of it (via "license specs are kept on a web page").
I don't see how things COULD be less secure, for the end user.
I think we've pushed this "anyone can grow up to be president" thing too far.
I was trying to avoid direct criticism here, but since you started...I understand what disputable means, thank you. Unfortunately I think you need to look into what the scientific method is before writing an article like you did. You reference articles with misleading statistics, your logic has gaping holes in it, and your conclusions are invalid. All other things being EQUAL (developed by the same people, with the same tools, at the same time in computing history, written in the same language, going through the same review process, etc.) open source software would be more secure as *additional people* would be able to audit the code. Comparing AIX or HP-UX to a Linux distro has *no statistical relevance* because there are DOZENS of other factors that *skew* the results. You even say so in your claim that we shouldn't compare Windows to Linux/OSS because they are so different, then go onto to do the same flawed comparison with commercial Unices vs. Linux.
In conclusion, I find your article nothing more than semi-sophisticated FUD.
Fear - Be afraid, that OSS might not be very secure.
Uncertainty - Well, if it isn't secure you probably shouldn't deploy it, should you. Use commerical software (and keep my paycheck coming).
Doubt - Hmm, well, maybe we should stick with the tried and true, good ole MS. (or IBM if we want to go back in time.)