Microsoft: Trust and Antitrust
Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.
For those Francophones / Germanophones amongst us, tonight ARTE (TV channel available on terrestrial and digital satellite) has a programme "Life after Microsoft" which should make interesting viewing. Around 20:45 CET I believe.
Conversion Rate Optimisation French / English consultant
Maybe they've seen all the security flaws and bugfixes required, but I hardly think even with all of Microsoft's power, they could not outstrip the entire OSS community in just two months.
There's still a lot more manpower in OSS. It's just more fractious.
If I weren't nailed to the penis, I'd be pushing up the daisies!
No comment needed.
Windows XP SP1 will include some changes that will allow component removal for things such as Windows Messenger, IE, and Windows Media Player. Now, why someone would want to remove IE and Windows Media Player is beyond me. Also, don't forget all those programs that rely on the Web control and need IE to function.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Hah hah hah!! What an idiot.
Mr. Spey
Cover your butt. Bernard is watching.
The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services is necessary to secure a Windows box, and to reduce the bad PR that Microsoft receives every time a new vulnerability is discovered.
If my employer ever publicly said anything like that, I'd run for the exits.
Wonder if the chants are part of the brainwashing process.
Developers, developers, developers, developers.
Developers, developers, developers, developers.
Developers, developers, developers, developers.
Love many, trust a few, do harm to none.
Apparently you are wrong, Steve wouldn't lie.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
SBC has a monopoly in the telcom world?
But that can't be. When we deregulated them, they promised to play nice.
two months of code reviews and half-day seminars surpasses everything ever done by the open source community
Yeah, and what was the final bill? Imagine how much work the OSS community might have gotten done for that price.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
So what if they're being self-serving? If everyone is being self-serving by dissing microsoft, it's obvious that microsoft is not adequately serving anyone.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How often has the community found it necessary to do a complete security review of any package, years after the fact?
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Quoting Michael Howard, the security expert who designed the course for Microsoft:
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed."
I was astonished that he can make such bold claims. I have always thought that geeks have a mindset all of our own, and not one to be brainwashed easily. But then I found this quote:
"Microsoft has always had a crisis-driven mentality," said Mr. Howard, the security expert. "You have my word: we will lead the industry in delivering secure software."
And I couldn't help but laugh my ass off.....
Blah Blah Blah.
Vintage computer games and RPG books available. Email me if you're interested.
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.
Lipner also reacted with astonishment when he was told that professional wrestling matches are fixed.
several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player.
I thought they were the default security player. Don't the vast majority of hackers break into MS boxes already?
I stole this Sig
Oh, yes, SBC has a lot of competition in INDY. Too bad SBC owns all the copper, fibre, conduit, etc., or enough of it to make no difference.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.
In fact, if I recall right, the author of the book "The Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.
So the question is how much of the work at MS falls into that category.
"It is a greater offense to steal men's labor, than their clothes"
KingPrad
Stop the Slashdot Effect! Don't read the articles!
Ok, I'm a student at a good university.
Looking at this -
dozen half-day training sessions for its programmers, about 1,000 at a time.
And I fail to see how you can teach. It's hard as hell to learn in a lecture hall of 300, but 1000? That's insane.
Not only that, but for a half day? C'mon, Americans have an attention span of what? 15 sec? If that? (Don't anyone take insult... :))
How do they expect coders to pay attention to a small figure in front for a full 6 hours.... 1.5 hours is hard as it is for a normal college lecture.
This
Microsoft.com Running on Linux
Wired News reported today that Microsoft has outsourced their DNS to Akamai, and microsoft.com is now being served by name servers with a "networking implementation very similar to that of Linux". Akamai Technologies is a well-known Linux shop, but let's see.
Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???
Keep in mind that Red Hat Linux has released several versions where the default installation settings had practically everything turned on. This is not a windows-only problem.
Personally, I think both sides have code review procedures which are legitimate. MS is bragging because the open source community can't match what it did within its own procedure. It would be like waterfall method people bragging that they got a product out the door in fewer milestones than an extreme team did. An answer to this is, "Ok, good for you, but saying you are better than me is a non sequitur."
It's a complete waste of time listening to these liars. That is all they are. Liars, deceivers, and power-hungry control freaks that wish to see any sense of community destroyed in order to protect their monopoly and cash flow.
It would be a much wiser thing for us to do instead to focus on implementing our own open, Free, and standardized technologies that present solutions in the best interest of the community. This is the issue, and, whether we realize it or not, this is the war. We either leave these things to them and be controlled by them, or implement these solutions ourselves and protect our liberties.
Simple as that.
It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.
They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.
Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.
Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?
Stick the guy who was quoted in the article in a room with Theo De Raadt(sp?? sorry Theo) of OpenBSD fame.
:D
Then tape the hilarity that ensues, we could have a new weakest link on our hands.
I know I'll get modded down for this, but you only live once.
Huh. That's exactly what they did at OpenBSD-- they stopped and reviewed all the code (am I wrong? isn't that what they did?). MS can stuff themselves with this self-serving deception. My favorite is the line where they pretend that "easy to use means easy to hack". What a load! That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach. Ease of use and security are entirely orthogonal. Microsoft will say *anything* to get you to ignore problems they've helped create.
I do not have a signature
This Salon article asks if people would trust Microsoft enough to allow their programming to fly planes or spaceships. Of course, a plane running on windows 3.1 or win98 would be scary indeed... but even a bloated NT/XP or *nix installation would make anybody nervous.
... but what about a DOS box?
... what about a stripped down *nix box?
It seems to me (a windows user) that the power of the *nix systems is the ability to strip it down to the bare essentials... to remove variables that could cause problems. DOS also kinda had the feel to me.
I wonder if we all would trust microsoft stuff more if we as users could completely remove the nonessential parts... and slowly build as we needed. Everybody knows it's impossible to debug in multiple dimensions...
Until that time... nobody would fly in one of those planes... due to the constant worrying if the movie that they are watching will suddenly change into the "blue screen of death."
Anyway... be gentle... my karma is so fragile...
Davak
Dadada dada
the Leader,leader, Leader.
I Love the leader.
The Kruger Dunning explains most post on
Username: dotslash2002 Password: dotslash2002 (had to, no one posted on yet, had to go through the trouble of getting another account registered...)
In those two months, MicroSoft has probably fixed more security-compromising bugs than most open source projects (except for sendmail and BIND) will ever have. MicroSoft can put far more effort behind solving the problems that they have created for themselves than the open source community could ever hope to, both in terms of solving problems and in terms of creating them.
The open source community is always taking shortcuts by not making every possible mistake and then fixing it. Who cares about results? MicroSoft can do more work than anybody else, and that's all that matters.
In other Microsoft related news, the judge is quoted as saying "I will note that Microsoft sounds a little schizophrenic,"
after "Microsoft asked Kollar-Kotelly to throw out much of Schwartz's testimony"
Not all monopolies are abusive. I have no serious objection to Intel's or Cisco's market dominance, and IMHO SBC falls into the same category.
After they took over Ameritech's operations, service and especially support improved dramatically, at least for me. I'm happy to have them here -- the best telecom company I've ever dealt with (I've done business with Ameritech, PacBell, AT&T, MCI/Worldcom, Sprint, Verizon, and some others).
Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.
Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximizes their revenue, and accelerates it.
Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
I may be wrong on this, but I thought OpenBSD counts as Open Source, and they're certainly doing a security audit of the source code.
Face it, with a few exceptions, the Open Source community is focused on creating a product, not on creating a secure product.
You speak as if "the Open Source community" is a cohesive and organized group. They are not. This "open Source Community" that you speak of is awfully hard to define, consisting of many different people in different countries and speaking different languages with many different opinions and different ideologies. Have you read the debates between the BSD proponents and the GPL proponents? Given how different they are, would you still group the two in this so-called "Open Source community"? Do you not realize that many of the people you may be putting in that camp take issue with the very term "open source"?
And what product is "the Open Source community" focused on creating? Fact is, these people are creating multiple different products, ranging from small applications to programming languages to full-featured office suites to entire operating systems. Some of them are highly focused on being secure. Some are not. You seem to be grouping all of them under an "insecure" umbrella, and this is not only inaccurate, but insulting to those who do focus on security.
It's not necessarily a bad thing, but the open source community, as a whole, doesn't do much in the way of code audits.
This is a fairly arrogant statement for you to make. How would you know, anyway?
I don't make the rules. I just make fun of them.
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
I love this quote; it's _so_ MS.
Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!
Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.
The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.
This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relative to the amount of "security twiddling".
While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddenly claim that they're "the securest of the secure" when they're just entering the field.
I'm surprised they'd admit that so openly. Maybe they're serious about this trust thing, after all.
... when Microsoft steered their ship to embrace, extend, and extinguish the Internet, it was a "point adjustment" compatible with their general direction and operating methods. Deciding to quit adding features and ensure security *IS* contrary to their general direction and operating methods. Microsoft has risen fast and gone far based on moving faster than their mistakes, on making quality job 1.1, on getting something out there for sale, and then selling the fixes to the bugs.
Getting the bugs out and making the software secure prior to first sale means that they can't run as fast, getting out ahead of competitors the way they used to. It also deprives them of the point-fix revenue stream.
Maybe now that they're a genuine, legal monopoly they can afford to change business models. That's part of the point of .net, after all. Most significant, it changes the ongoing revenue model from point-fix sales to simply ongoing revenue. (presumably services)
This turn will simply be harder than the Internet course correction.
The living have better things to do than to continue hating the dead.
Derkec gushed:
True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."
No, False. You (and MicroSoft) are completely ignoring Open Source projects that only audit code... i.e. the Kernel Janitors:
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
total MS security man-years = ((9000 employees * (2 months * 120 work-hours/month)) - (9000 employees * 4 hours "security re-training")) / 1440 work-hours/year = 1475.
I'm wondering whether Microsoft is ideally placed to take advantage of this .... If Open Source software is intertwined with free transfer of intellectual property, then it seems like the media companies will almost be driven to Microsoft by default.
I think their claim may be true in a literal sense, but I wonder how effective their reviewing has actually been so far? I mean in a literal sense, a man-year of work could be 700 people working until noon too, it doesn't mean they're really getting anything done. Still, I'm really glad they're making the effort.
"Prefiero morir de pie que vivir siempre arrodillado!"
Yo, Microsoft! I've been code reviewing the Linux kernel since 1994.
2 months. I'm not impressed.
-Spack
PS: For the doubters, Yggdrasil, green cover, God playing "pull my finger" with Adam on the cover.
OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)
FreeBSD has TrustedBSD which has similar aims, plus some code that would be really nice to have.
Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.
Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.
And finally, the typical way to get into open source is to start reading code, and then contribute when you can do something. One of the things you can do is find potential holes.
None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember OpenBSD which was just a better NetBSD, and not secure. By fixing problems they got secure. I've been a programmer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my experience is the first two months introduce more problems than they fix; it is only after fixing those new problems that you begin to make progress, and it takes months to get them all closed.
"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he (Michael Howard) said.
Brainwashed? This coming from a Microsquash guy? I guess I'd be brainwashed too if I worked there....
EFGearman
Atomic batteries to power! Turbines to speed!
There's still a lot more potential manpower in OSS. As has been proven in several big OSS projects, like Mozilla for one, just because there are tens of thousands of people who can work on a project, it doesn't mean there will be tens of thousands of people who do work on a project.
resignation and postmortem.
The truth is that, by virtue of the fact that the contributors to the Mozilla project included about a hundred full-time Netscape developers, and about thirty part-time outsiders, the project still belonged wholly to Netscape -- because only those who write the code truly control the project.
"Maybe someone should use that picture for a caption contest."
No, no, no. The red nine on the black ten.
EFGearman
Atomic batteries to power! Turbines to speed!
Vintage computer games and RPG books available. Email me if you're interested.
I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.
I wonder what Theo has to say about that!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Microsoft most likely is doing code reviews OF FUTURE PRODUCTS, I.E. .NET, .NET Server, Windows XP, Office NGO, etc.
You want security? Fine, buy our subscription products.
InThane
Um, yah! Like I want people working with and for me that can be brainwashed in a half a day.
IMHO, if this clown thinks that ``geeks'' can be brainwashed in that short of a time, he doesn't understand ``geeks''. (My experience is that most technical employees, upon hearing of an edict like this coming down from upon high, will question the entire process. Especially if they're not included in the process at all which is what it sounds like happened at Microsoft. They're about as likely to jump in and accept this process about as much as Microsoft's upper management is likely to admit that they did anything wrong leading up to the anti-trust conviction.)
And if this code review was so damned effective that it put the OSS movement to shame why have there been recently discovered bugs made public by people outside Microsoft? And made public by people who first brought them to Microsoft's attention and were ignored?
CUR ALLOC 20195.....5804M
I just moved to a small town outside of Madison, WI. called Cottage Grove. We have Verizon as the primary ILEC. It feels like jumping out of the pot into the fire. Moving out of an SBC (Amerithell^h^h^h^htech) territory and into Verizon's has done zip to improve customer service. We finally decided to simply each have a cell phone and not even bother to get a land line for the house. Anyways, I can verify that SBC is a _very_ abusive monopoly, at least within its territory. I have friends that are SBC techs and they tell me stories about how they have "accidentally" disconnected other telcos' equipment, or how they would lose work orders for other telcos' DSL DSLAM installs. It really burns my ass hearing that kinda shit. On the other hand, Micro$hit is probably the worst monopolistic company in history. Thank god for alternatives.
--- Think of it as evolution in action ---
Definition of a man-year: 730 people working feverishly until noon.
Somehow, I think this may be similar.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
And if the article's correct, it just reinforces my belief that working for Microsoft is sort of like being in a cult.
CUR ALLOC 20195.....5804M
Thanks for correcting me guys. This is why I like slashdot. I can contribute an idea and learn more about things because ppl shoot down my idea. Please mod some of the people correcting me up as informative.
Also, he is ignoring Open Source projects that start out to be secure code in the first place, i.e. qmail, djbdns... The thing about open source is we have a choice. More than likely Windows users don't.
Hello? There have been new "Critical Updates" on Windows Update every couple days for the last few weeks.
I agree that Microsoft's entire architecture is fundamentally flawed WRT security, but at least they're willing to admit they've screwed up.
You are in a maze of twisty little passages, all alike.
Correct. That's what the beeping is on the recordings of the last moments before "the Eagle landed".
One of those great bits of trivia that isn't well known enough.
KMSMA (WWBD?)
I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.
"There should be five giant strong architectures out there that can emulate each other," he says. "The classic way you do risk management is you limit the amount of damage one person can do because he can't cross boundaries."
Make it five times as likely that one-fifth of all computers will be compromised? I don't see the advantage.
The shareholder is always right.
More users will upgrade their OS and apps for the "Gee Whiz" features of the new release than for bug fixes. Only the nerds like us get excited about actual functional improvements.
Microsoft is in a doubly beneficial position with respect to the security initiative...
First, (as shown above) they can try to spin this whole thing into bonus marketing for current and future products.
Second, if they actually do make a dent in their codebase now by patching flaws and improving the design process, that can leave them in a better position to manage new products and ventures that are based on the same technology.
If they are able to play this off right, they can end up turning the cost and effort of vetting their code into instant advertising, and possibly end up with a better platform on which to throw in all the other bells and whistles that really make their products saleable to Joe Blow at CompsR_US.
C'mon. He's making a good point about geeks -- their love of learning new stuff and putting it to use makes it possible to change their collective direction quickly. It's a valid insight.
Microsoft has been able to exploit this better than any other large company. It's a matter of hiring the right people. They don't always get the right direction, but they can be moved rapidly when necessary. Remember Microsoft's total lack of preparation for the Internet a couple of years ago? Now we're worrying about the possibility they may co-opt it.
I would view a similar microsoft shift towards more trustworthy software development practices as an unmitigated good. You can't dominate the field of "trustworthy" software. It's just about producing higher quality software, which benefits both their customers and even people who aren't their customers (how many non-windows sites suffered collateral damage to Code Red).
The problem is the inevitable PR baloney that goes with it. Perhaps Microsoft sincerely wants to produce more trustworthy software; this is good. However they want their customers to trust their products right now, so they're trying to make them think that most of the problems have been fixed by a gargantuan effort. This is bad. You can't fix years of shoddy work with a couple of months of auditing. Fixing security problems is, I don't know, but I'd guess at least a ten times as hard as avoiding them in the first place.
A little humility would make people who know better feel a bit more comfortable that this is more than PR hype.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
From the Salon monoculture article:
"Software engineers are not traditional engineers. They're rock stars," Copeland says, meaning they're less interested in meticulously removing all flaws from a design the way a skyscraper architect would feel compelled to do.
I take issue with this. What software engineer doesn't try to remove all the flaws from their code? All good engineers do this...heck I could almost be called obsessive-compulsive about making sure my code works correctly. Maybe there are a bunch of bad programmers out there who think they're rock stars. And if there are, I don't want them working for me. Ever.
This is a really awful way of doing it. In order to get a good implementation you need:
1) A solid design. That means no automatic execution of attachments.
2) Continuous review of the code. If the code sits for 3 years before it's reviewed, then you've exposed yourself to bugs in that time, and perhaps you've even accidentally built stuff which relies on that bug.
Oh, man! They didn't [cringe] use those clips to prevent their eyelids from closing, did they?
CUR ALLOC 20195.....5804M
At least three of the patches recently have been "Security Rollup Patches." One for Win2K as an OS, one for IE, and one for COM+. (There may have been a few more...I'm just remembering these off the top of my head.)
Who knows how many fixes were included in those rollup patches. Probably more than you would think.
-Jayde
What's a sig?
I mean, how hard do you have to work to convince a developer not to use gets() to parse an .ini file?
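The gets() remark above is the textbook case: gets() takes no length, so any line longer than the destination buffer overruns it. As an added example (not code from the thread or from any product it discusses), here is a small .ini-style reader in C that uses fgets() with a fixed bound, rejects lines that do not fit instead of truncating them silently, and bounds the key and value copies as well. The file format, buffer sizes, SAMPLE_INI contents and the function names are all assumptions made for the illustration.

```c
/* Added example, not from the discussion: reading "key = value" lines from
 * an .ini-style file with bounded input instead of gets().
 *
 * The pattern the comment warns about (deliberately not compiled here):
 *     char line[64];
 *     gets(line);            // a 65-byte input writes past the end of line[]
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LINE_MAX_LEN 64   /* buffer size: lines of 63+ chars are rejected */
#define KEY_MAX 16        /* assumed limits for the illustration */
#define VAL_MAX 32

struct ini_entry {
    char key[KEY_MAX];
    char value[VAL_MAX];
};

/* Copy [s, e) into dst (capacity n) with a terminator.
 * Returns 0 when the token would not fit, so the caller rejects it rather
 * than silently truncating, which could change the meaning of a setting. */
static int copy_bounded(char *dst, size_t n, const char *s, const char *e)
{
    size_t len = (size_t)(e - s);
    if (len + 1 > n)
        return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 1;
}

/* Parse one NUL-terminated line. Whitespace around key and value is trimmed.
 * Returns 1 on success, 0 for blank/comment lines, -1 if malformed or if a
 * token exceeds its buffer. */
int ini_parse_line(const char *line, struct ini_entry *out)
{
    const char *s = line, *eq, *ke, *vs, *ve;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '\0' || *s == ';' || *s == '#')
        return 0;
    eq = strchr(s, '=');
    if (eq == NULL || eq == s)
        return -1;
    ke = eq;
    while (ke > s && isspace((unsigned char)ke[-1])) ke--;   /* trim key */
    vs = eq + 1;
    while (isspace((unsigned char)*vs)) vs++;                 /* trim value */
    ve = vs + strlen(vs);
    while (ve > vs && isspace((unsigned char)ve[-1])) ve--;
    if (!copy_bounded(out->key, KEY_MAX, s, ke) ||
        !copy_bounded(out->value, VAL_MAX, vs, ve))
        return -1;
    return 1;
}

/* Read fp line by line with fgets(). A line that does not fit in buf is
 * counted in *bad and the remainder of it is drained, so the overflow that
 * gets() would cause becomes an ordinary parse error. Returns the number of
 * entries stored (at most max_entries). */
int ini_read(FILE *fp, struct ini_entry *entries, int max_entries, int *bad)
{
    char buf[LINE_MAX_LEN];
    int n = 0;
    *bad = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t len = strlen(buf);
        if (len > 0 && buf[len - 1] == '\n') {
            buf[len - 1] = '\0';
        } else if (!feof(fp)) {
            int c;   /* over-long line: discard up to the newline */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            (*bad)++;
            continue;
        }
        if (n >= max_entries)
            break;
        int r = ini_parse_line(buf, &entries[n]);
        if (r == 1)
            n++;
        else if (r < 0)
            (*bad)++;
    }
    return n;
}

/* Constructed sample input: a comment, three valid lines and one line far
 * longer than LINE_MAX_LEN. */
static const char SAMPLE_INI[] =
    "; constructed sample\n"
    "user = alice\n"
    "path=/tmp/demo\n"
    "junk = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "port = 8080\n";

/* Runs the reader over SAMPLE_INI via a temporary file (plain ISO C).
 * Returns the stored entry count and sets *bad; -1 if no temp file. */
int demo_read_sample(struct ini_entry *entries, int max_entries, int *bad)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(SAMPLE_INI, fp);
    rewind(fp);
    int n = ini_read(fp, entries, max_entries, bad);
    fclose(fp);
    return n;
}

int main(void)
{
    struct ini_entry e[8];
    int bad;
    int n = demo_read_sample(e, 8, &bad);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", e[i].key, e[i].value);
    printf("%d entries, %d rejected lines\n", n, bad);
    return 0;
}
```

The design choice worth noting is that an over-long line is rejected as a whole rather than read in two pieces: fgets() alone would hand back the first 63 bytes as one "line" and the tail as another, and the tail could then parse as a spurious setting.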
I wouldn't call this brainwashing. I remember reading an article about Oracle that they put the top 10 insecure things that you can do in C on a worksheet and they have every package maintainer sign off that these techniques have not been used. These are only touchstones, though, and security problems could easily be introduced while still using valid code.
Think of it more as a "security epiphany" or "security enlightenment" - they were probably just presented with a minimal list of what not to do. Hard to disagree about such things.
When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.
When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.
When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.
When they have a stable, scalable 64-bit version of Windows, we might start worrying.
In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors' products. I don't see that happening anytime soon.
After all, we gave them SMTP, and look what they did with that.
It seems as if he wants to entrench in everyone's minds the idea that the current software "environment" - a static food chain with Microsoft as the perpetual gigantic super-predator at the top - is a healthy, naturally-occurring state of being.
pr0n - keeping monitor glass spotless since 1981.
Oh goody, a borgette.
> Thousands of people across various product teams have attended security lectures,
That means they will write more secure code why? In the past you have called the "many eyes make bugs shallow" idea a myth for pretty much the same reasons that "attending lectures on writing secure code" would make code more secure.
> new development has been stopped, old code and new code has been stringently reviewed,
1. For Joe User, the code reviews will mean exactly nil.
When exactly will users of Win 95, 98, ME, NT 4.0 be seeing the fruits of those labors...simply put, they won't. As always Microsoft is only focusing on the latest-greatest products they are shipping. Economically this makes sense, but how many thousands of NT 4.0 IIS 4.0 servers, SQL 7.0 servers and (soon to be obsoleted) Win2K Pro boxes will continue to hammer my clients' firewalls because Microsoft refuses to maintain any sort of legacy product support?
2. No Proof of coding reviews.
What sort of reviews? In the past you have called for formal, codified coding review policies. I have yet to see Microsoft document how exactly they are reviewing their code. Simply sending developers to a lecture and making them re-read their code does not = more secure coding practices. How many patches has Microsoft released to fix bugs found in released products because of this review? Combing bugtraq I see none.
> Now on to counter the main claims of your post that releasing software with security issues is a good business [snipped for space]
3. Insecure software still makes sense for Microsoft.
It still unfortunately makes good business sense. Shall I send you the ads from Microsoft that litter my inbox, touting that WinXP is more secure than previous Microsoft OS's...Again, Microsoft is NOT releasing patches for past products where security flaws are found. The message has stayed the same: want a "secure" OS/platform, then upgrade to our latest and greatest.
> [...]when in truth there is more to security than just applying a buzzword technology or software development style
4. Yup, re-read what you wrote again. Memos of "we must do better", 2 months of reviewing and sending developers to lectures on a topic they should ALREADY know do not change decades of practice, nor the underlying attitude of management. If you want to produce secure, reliable code it takes a consistent attention to detail, an emphasis on quality and an understanding that code you write today may well be in use long after you've retired. It takes understanding of basic principles of software development; it takes understanding software development as an engineering practice, not as a semi-skilled trade.
What surprises me is that Microsoft (and much of the industry) acts like writing secure software is something new. Software security problems have been around since before telenet was patching holes left and right because of the quality of their login code. If you think Microsoft is bad about security, you should browse the quality of code that many in-house projects have though.
I would add that if you really have a commitment to security, then you must be willing to understand that you can't call it secure and then shoot the messenger when he/she posts a vuln that says otherwise.
Bugs Bunny was right.
You probably should have mentioned OpenBSD as another example.
Security oriented code audits of every package, this has already been done.
It is exactly what MS said didn't exist.
Well I doubt that everyone will get together to work on this, but individual projects might.
Even if they were actually successful (not likely) in cleaning up the massive number of unintentional screw-ups in their code, the stuff they do intentionally is worse, including the Product Activation 'technology', their Secure Audio Path crapola (==selling their users' rights to the highest bidder), that abominable Plug'n'Play crap that just 'decides' to randomly re-configure your system hardware, and Anything.Net. Also, their gratuitous changes to file formats, communications protocols and APIs to enforce upgrades and preclude competition.
It's the stuff they do with full knowledge and intent that makes them un-trustworthy.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Scripting for the scriptless with OWC in IE.
Reading local files with OWC in IE.
Controlling the clipboard with OWC in IE.
Multiple local files detection issues with OWC in IE.
-- Don't Tase me, bro!
And then all the sudden they bring out this dog and pony show and you discard your lessons from the past and without any results or evidence in hand
My computer has received 10+ security updates from MS since the beginning of February. Prior to that they came out few and far between (every few months). I would say that from an end-user's perspective, I can see a major difference. And I had noticed the increased updates without seeing any of their "Dog and Pony Show." It remains to be seen whether or not these updates prove useful, and also just how many more updates will come out (how many are needed?), but I can see that they're doing *SOMETHING*, which is more than I've seen in the past.
Outlook Express *still* ships with the preview pane turned on by default, and port 139 is still wide open by default too. These are the two biggest security flaws in Windows operating systems, allowing the spread of every virus in recent memory. Yet Microsoft has done nothing about this.
I work at a software shop that developed an extensive amount of code compiling under Linux, Solaris, and Win2000. We constantly compile the same code under all three platforms and frequently have to deal with portability issues.
Today, my next-cubicle neighbor asked me why we keep the warning-level at 3 in the MSVC++ environment. Being primarily a Linux/Solaris guy, I said I had no idea why and suggested he raise the level to 4 (the maximum) and see what happens. Ten minutes later, he got his answer: the compiler issued 1000+ warnings, most of which came from the standard library header files! Talk about a need for code reviews...
But I guess I shouldn't worry, since Mr. Lipner will simply sic his Uruk-Hai legions on that code for a week, and they'll make it into a thing of such sparkling crystalline beauty that the gcc developers will weep with envy.
yppupdurc
--
"Some mornings, it's just not worth chewing through the leather straps."
I was wondering about the numbers myself.
During odd minor number releases you add features.
During even minor number releases you only fix bugs.
Not every OSS project uses this model but a huge number do.
I don't know if you intended to imply that doing the right thing with attachments was the only thing necessary for a secure setup, but take a look at Java Web Start as an example of how the platform itself can give assured security, regardless of the kind of code being run on it.
Students that are paying for their own education are holding down a job at the same time that they are going to classes. They do a much worse job of being awake. They do a much worse job of paying attention. They probably try harder, but how hard you try isn't everything.
I've been on both sides of that fence.
OTOH, being depressed is worse than either. And can be mixed with either.
I think we've pushed this "anyone can grow up to be president" thing too far.
From what I've seen, when the bottom line is threatened the top guys (who they are depends on the organization) focus on short term face-saving actions, as they prepare to jump ship. To say it in other words, they do things to make the short term picture look good with the hope that they can disguise the problems until they've landed another job. And to hell with the people who trusted them.
This seems to be a pretty general rule. I wouldn't say that it's always the way things work, but it sure is the way they frequently work. Look around at any company that's recently had a bunch of layoffs, and listen to the rhetoric. Or see top execs who've recently gotten a new job, and then look at the old company. It isn't always sinking. Not always. But that's the way to figure if you don't have good reason to believe otherwise.
I think we've pushed this "anyone can grow up to be president" thing too far.
I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?
My article does not compare Microsoft products and any Open Source technologies so I am confused as to where this rant stems from. I do remember linking to the Security Focus table as a way to point out that it is disputable to claim that Linux distros are more secure than Windows.
My actual article uses the Vulnerability Archive to compare UNIX flavors and Linux distributions to point out that the license the software is released under does not have as much of a bearing on whether the software is secure or not. So your rant (and +4 score) are rather unwarranted.
The trainers always claim that. To an extent, they're correct. More so if most of what they are saying is things that are "pretty much known, but not thought about recently".
OTOH, experiments have tended to show that the total amount of genuinely new material that can be learned in a particular area (i.e., organized around and extending from some particular area) is a bit limited as a function of time. Sorry I can't remember a particular reference, but that is the gist of it.
After learning new stuff in some area, a break with dreaming sleep is needed to consolidate the information before any more material can be learned that is directly connected to that area. Otherwise you get the "cramming" effect, where things are learned and remembered only for a short period of time, but if you check back a week or so later, most of the new information has been forgotten.
I think that I read the synopsis of the research in Science News, but I couldn't tell you even which year to search. (And I suppose that it might have been Scientific American or somewhere else.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Yes, they probably will do some good. Yes, they will probably help a little with the perennial problems with Microsoft software: that it is dumped on the market with way too many bugs, that it is dumped on the market with way too many features, and that it is dumped on the market much earlier than the software from more conscientious competitors, driving them out of business.
But it doesn't address the fundamental problems. Microsoft software is still closed source and it is still written and controlled by a small number of programmers up in Redmond, programmers who often have no experience of anything beyond Microsoft. Even if Microsoft made all their software "shared source", the economic incentives would favor the crackers (other developers don't have much interest in contributing fixed to Microsoft that they just have to pay for again in the next release).
Most importantly, however, Microsoft's goal of total market domination is their own worst enemy: an OS that runs on 95% of the machines is intrinsically and unavoidably not secure. We need operating system diversity. If no single OS or server software runs on more than 5-10% of desktops and servers, then security problems are automatically self-limiting. And, as a bonus, the increased competition would give us better products and more innovation. (And, yes, these comments apply to Apache as well.)
You may be right. I'll never know. Because I will never agree to what I've seen of the recent MS licenses.
So I will continue to perceive MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".
More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.
Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, or even knowing of it (via "license specs are kept on a web page").
I don't see how things COULD be less secure, for the end user.
I think we've pushed this "anyone can grow up to be president" thing too far.
Idiot karma whore.
Mmmm.. Donuts
Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
Of course, the MS guy counts security in man-years.
Frankly, I would expect that one hour of John Gilmore, Hugh Daniel, or ESR's time working on security issues is worth at least a man-year from the average MS coder.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Um, I completely disagree about the preview pane being a security flaw. If Outlook can be controlled completely by code within an email, it doesn't matter if it's previewed or not. If it's a halfway intelligent email worm, the subject will fool you. What would you do if you got an email from your mom, subject line "Hi"? Would you open it? Outlook has to be able to view email safely. The preview is not the problem.
There are no trails. There are no trees out here.
Fear - Be afraid, that OSS might not be very secure.
Uncertainty - Well, if it isn't secure you probably shouldn't deploy it, should you. Use commercial software (and keep my paycheck coming).
Doubt - Hmm, well, maybe we should stick with the tried and true, good ole MS. (or IBM if we want to go back in time.)
Interesting. I don't see anywhere in the article where I singled out Open Source software for being more insecure than proprietary software in fact the vulnerability list I show ends up making Solaris (a proprietary product) out to be the worst of all. Secondly my article commends both Debian and OpenBSD, I'd be very amused to see you come up with some Microsoft related conspiracy theory about how Bill Gates and Steve Balmer have decided
I'm all ears.
There is no way that M$ can keep up with free software. Even if their intent were not sullied by considerations like pushing adverts on their users and denying users the ability to copy files, Microsoft's honest efforts would be quickly overtaken. It shows in their 10 year old window manager that limits users to a single virtual screen and multitasks about as well as a calculator. But Microsoft is not honest, and they are wasting their resources on stupid things. The astonishing thing is that Lipner and friends can keep a straight face when they say things like this.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
What Microsoft meant to say was "two months of code reviews and half-day seminars [regarding security] surpasses everything ever done [before] by Microsoft".
-Paul Komarek
I was doing a reinstall of Win 98SE and putting all of my drivers on, getting a new update on my computer's video card.
Guess what? I was putting in my firewall when I noticed someone had already put in some damn
Doh!
So, is two hours a world record or what?
Needless to say, I had to reinstall the little demon OS, because you never know what you got. There was about 2 hours down the drain.
And yes, I know. I shouldn't be running wintendo. Forgive me, monsignor.
Uhm. Competition is about battling for the same resource. It isn't about playing nice. I don't know where you get these absurd ideas about capitalism. The self-correcting part is there, but it is a result of competition (battles). Ultimately, consumers do get better deals in the end. This is the result of every battle. More battles = good for consumer.
The government's job is not to make business play nice. Business IS war. To think otherwise is to not know the true nature of business. Keep purchasing what you want (voting with your dollars) and the market DOES correct itself.
Dijkstra Considered Dead
For what it's worth, the Soviets used a form of DOS to run their rockets. If a system is critical to operation, it will be made robust and physically isolated from the outside.
If remote control is also needed, then a second element will be created so that security does not interfere with the machine, or, like teller machines, some work will go into making them tamper-proof.
That OS/2 is often used for ATMs and other embedded systems, but has no native inbuilt security (this is an addon), suggests that robustness and security are different.
Much of what Microsoft has been doing is about "security", that is, stopping people using poorly written commingled code to do things to people's hard disks through net apps.
I would rather trust my life to a robust system than a secure one.
OS/2 - because choice is a terrible thing to waste.
Right, and if the author has a brain, you can't know it's a virus WITHOUT OPENING IT.
There are no trails. There are no trees out here.
That was a default server installation. At the time everyone admitted that the default server install was quite insecure. But it is hardly fair to call it a "typical installation". It was something that almost everyone knew was insecure, whether or not they knew what to do about it.
2) we were using 6.2, and it had, as many have noted, bad holes in the initial install.
Unfortunately I wish this was true. A large part of my job involves building (or helping people build) Red Hat boxes as firewalls or samba servers. They can send their server to me, and I will setup their system in a secure and functional manner. Up until RH 7.2 came out (I will not use any RH distro until it ends in a
Most of these things could be fixed by bastille, but I personally prefer to do everything manually, so I know it gets done.
However, many of our customers, and a networking company that we are affiliated with often perform their own installs. These are installed often with 6.2 in a "default" install (because the people installing don't know what to adjust, despite the documentation we have provided for free..).
I won't comment on how many of these things have been owned. (True, I have seen NT servers get owned in the same environment/manner, but I work far more with Linux.)
I can remember one distinctly that I was taking a look at because it was operating improperly. It was only connected to the net for about 10 min so that a bunch of RPM's could be downloaded. In that time it got hit by a scanner and a script, and was owned. I first discovered it by accident, troubleshooting this server for the guy who set it up, and I noticed that "ls -alh" did not work properly. The "-h" flag was not functioning. I could not figure out why... Then I ran an MD5 sum on ls and found it did not match with known good binaries. Most of the binaries on that system were fsked with. We formatted, and I reinstalled and configured the system for him.
Of course, it has happened to me too, I have made some mistakes (and learned a great deal from them too...) You should check out (as another poster mentioned) the honeynet project and try building your own honeypot and see how fast it gets owned. Of course, if you are monitoring your logs (logcheck!), or using tools such as portsentry you should see hits on a regular basis to your outside systems on your network. If you are *NOT* looking for these things, I pity you. Hell, I just went through a great deal of trouble with the latest SSH bug, not a fun time when you find the crc messages in your logs. (Sure, as an admin I could have fixed it faster, but I was on vacation, and I did not get the alert.)
So, unfortunately, I must disagree that the "default" installation (from what I have seen) is far far too often the typical installation. Heck, up until recently the "default" installation was used on a regular basis by most of the members of our LUG!
I wish this were not the case, I really do. It is not what I have witnessed however.
Try to hack my 31337 firewall!
Right, and if the author has a brain, you can't know it's a virus WITHOUT OPENING IT.
Unless you live outside the English-speaking world where you can spot those easily.
"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
There's no way the open-source community has done that little.
Oh I'm sure that Microsoft has reviewed their entire code base (about like I review /. every day). Knowing what to look for and what to do about it is an entirely different matter, and doesn't happen in anything resembling a big hurry.
And if the article's correct, it just reinforces my belief that working for Microsoft is sort of like being in a cult
And after talking to some MS 'programmers' - or god forbid, some of MS middle management - that suspicion will only be thoroughly confirmed.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?