Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft: Trust and Antitrust

Posted by ryuzaki0 on from the ironic-t-shirt-slogan dept.

Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.

17 of 518 comments (clear)

  1. Key to user security... by nakhla · · Score: 5, Insightful

    The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services are necessary to secure a Windows box, and to reducing the bad PR that Microsoft receives every time a new vulnerability is discovered.

    1. Re:Key to user security... by rabtech · · Score: 5, Informative

      Microsoft has gotten the message. If you were on the Windows.NET server beta, you'd have gotten the memo ;)

      Essentially, Windows.NET server ships with absolutely NOTHING enabled by default. This does present a problem to the typical Microsoft "its so easy just plug it in" sort of thing, but that is solved by an improved "configure your server wizard". The first time the server boots up, the user can explicity select what to install and/or turn on, and ONLY what they select gets installed/turned on.

      The individual components themselves have improved as well. IIS 6 by default will serve only static HTML files, and installs no sample files or other stuff. You have to manually run the IIS security wizard to turn on things like ASP, CGI, etc. If you install a new ISAPI filter or something of the like, you have to manually enable it. Nothing gets turned on unless YOU the admin turns it on.

      The other thing is that IIS 6 is a complete ground-up rewrite; no code from IIS 5 was used in its creation. Its gone through a complete code review to (hopefully) eliminate any buffer overflows or other bugs. There are other improvements as well... for example, the easy ability to run each website being hosted under a separate security account, typically with minimal access to anything.

      Microsoft isn't stupid; they see that their biggest PR problem right now is security and they are doing something about it. True, they should have jumped on this a long time ago, but late is better than never.

      --
      Natural != (nontoxic || beneficial)
  2. Microsoft... by PhotoGuy · · Score: 5, Funny
    Man, does this quote send shivers down anyone else's spine???:

    "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.
    If my employer ever publicly said anything like that, I'd run for the exits.

    Wonder if the chants are part of the brainwashing process.

    Developers, developers, developers, developers.
    Developers, developers, developers, developers.
    Developers, developers, developers, developers.
    --
    Love many, trust a few, do harm to none.
  3. Re:Quote from the article: by nakhla · · Score: 5, Insightful

    Not necessarily. Many times in the OS community, new code is added to a project. How often does the ENTIRETY of the code get reviewed? Yes, I believe that open source software does seem to result in fewer vulnerabilities. But it doesn't mean that there are NO vulnerabilities in open source software. Windows 2000 has approximately 50 million lines of code. If they've even gone through 1/4 of that it's astonishing. When was the last time someone actively poured through every line of the Linux kernel looking for possible bugs? Very often, code is reviewed in small chunks rather than from start to finish. This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code. That's probably what Mr. Lipner is talking about.

  4. Re:Brainwashed geeks? by MinusOne · · Score: 5, Insightful

    > "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

    I was surprised by this quote too. The implication that developers at MS are some sort of automatons taht are easily brainwashed is amazing. I'm no fan of MS, its products or its tactics but the developers who work there are robots. I have found the MS people I have met to be pretty party-line company guys but they did have brains and were capable of independent thought.
    The other problem with training like this is that without reinforcement from management it is not terrible useful. Sure some of the developers will "get religion" and will be absolutely scrupulous about writing secure code, but others will get lazy, forget the training or go back to old bad habits. Without code review and standards enforced by management in some way training is ineffective.

  5. Lipner is astonished! by Dharzhak · · Score: 5, Funny

    Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.

    Lipner also reacted with astonishment when he was told that professional wrestling matches are fixed.

  6. Mythical Man Month by Alien54 · · Score: 5, Insightful
    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months'

    I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.

    In fact, if I recall right, the sauthor of the book "the Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.

    So the question is how of the work at MS falls into that category

    --
    "It is a greater offense to steal men's labor, than their clothes"
  7. students view by bpb213 · · Score: 5, Insightful

    Ok, im a student at a good university.

    looking at this -
    dozen half-day training sessions for its programmers, about 1,000 at a time.

    And i fail to see how you can teach. Its hard as hell to learn in a lecture hall of 300, but 1000? thats insane.

    Not only that, but for a half day? Cmon, americans have an attention span of what? 15 sec? if that? (dont anyone take insult...:))

    How do they expect coders to pay attention to a small figure in front for a full 6 hours....1.5 hours is hard as it is for a normal college lecture.

    --

    This .sig looking for creative and witty saying.
  8. Bad Idea for Microsoft by jacobb · · Score: 5, Insightful
    Microsoft is rich because people upgrade if not every year, then every other year.
    It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.

    They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.

    Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
    Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

    Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?

    1. Re:Bad Idea for Microsoft by Carnage4Life · · Score: 5, Insightful

      Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

      As someone who's actually inside the Borg cube I can tell you that security is currently our highest priority. Thousands of people across various product teams have attended security lectures, new development has been stopped, old code and new code has been stringently reviewed, an emphasis on secure defaults is beginning to occur, and new functionality is designed with security in mind before all else.

      Of course some people will complain about why this has taken so long while others will probably say "better late than never" but either way it should be noted that a code review/security audit on this scale is probably unprecedented in software development history. Some may chime in about how Open Source is supposedly a constant large scale code review but I've previously written on the fallacy of this kind of thinking.

      Now on to counter the main claims of your post that releasing software with security issues is a good business model. This may have been true in an un-networked world where the most a compromise could do was allow another user on your system perform some mischief but in a world where some kid in Asia can tie up mail servers on most of the planet by using a GUI virus toolkit, security becomes very important. Unfortunately across the entire software development spectrum from *NIX to Windows, from Open Source to proprietary we as developers are failing and clinging to panaceas and silver bullets (Open Source - the with many all bugs are shallow myth, safe programming languages, just use crypto, etc) when in truth there is more to security than just applying a buzzword technology or software development style. I outlined some of the practices and techniques that lead to more secure software in my The Myth of Open Source Security Revisited v2.0 article. Having done some more research into security issues I should probably do a followup article and focus on other fallacies and problems which lead to complacency in software development and from there insecure software.

      Disclaimer: This post is my opinion and does not reflect the opinions, intentions, strategies or plans of my employer.

    2. Re:Bad Idea for Microsoft by BurritoWarrior · · Score: 5, Interesting

      Microsoft really does brainwash their employees. I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?

      And even with those misleading statistics, the only distro above NT/2000 (42) is Red Hat (54).

      Your lack of objectivity renders your entire article irrelevant.

  9. NY Times username/password by AmigaAvenger · · Score: 5, Informative

    Username: dotslash2002 Password: dotslash2002 (had to, no one posted on yet, had to go through the trouble of getting another account registered...)

  10. impressive chutzpah or bad math? by jdbo · · Score: 5, Insightful

    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    I love this quote; it's _so_ MS.

    Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!

    Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.

    The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.

    This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relatyive to the amount of "security twiddling".

    While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddeny claim that they're "the securest of the secure" when they're just entering the field.

  11. Re:Two months? Get real. by ILikeRed · · Score: 5, Informative

    Derkec gushed:
    True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."

    No, False. You (and MicroSoft) are completly ignoring Open Source projects that only audit code... i.e. the Kernel Janitors:

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
  12. Re:Two months? Get real. by bluGill · · Score: 5, Insightful

    OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)

    FreeBSD has trusted BSD which has similear aims, plus some code that would be really nice to have.

    Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.

    Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.

    And finially, the typical way to get into open source is to do start reading code, and then contribute when you can do something. One of the things you can do is find potential holes

    None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember openBSD which was just a better netBSD, and not secure. By fixing problems they got secrure. I've been a programer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my expirence is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begine to make progress, and it takes months to get them all closed.

  13. you've been in school too long then by wadetemp · · Score: 5, Insightful

    I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.

  14. Possibly correct by HiThere · · Score: 5, Insightful

    You may be right. I'll never know. Because I will never agree to what I've seen of the recen MS licenses.

    So I will continue to percieve MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".

    More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.

    Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, of even knowing of it (via "license specs are kept on a web page").

    I don't see how things COULD be less secure, for the end user.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.