Slashdot Mirror


MS Exec: 'Our products just aren't engineered for security'

Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.

8 of 687 comments

  1. faster link by Anonymous Coward · · Score: 4, Informative
  2. Full Text by cloudscout · · Score: 4, Informative

    Microsoft: "Our products aren't engineered for security"

    Friday 6 September 2002
    Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.

    "I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.

    In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.

    Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.

    The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.

    "We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.

    But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.

    "It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."

    Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.

    According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.

  3. bullshit by tswinzig · · Score: 4, Informative
    And in classic Microsoft style the security bulletin notes that patches are available ONLY for Windows XP and NT.

    95 isn't supported ( ok, I can understand that )
    98 isn't supported ( getting a little too close for my comfort )
    ME isn't supported ( didn't that just come out 2 years ago? )
    2K isn't supported ( What about people running servers? )

    Just another tactic to force people to upgrade

    As someone who is actually subscribed to receive these bulletins from MSFT, I note that they sent a second revision out today. I quote:

    Reason for Revision:
    ====================
    Normally, Microsoft releases the patches for all affected products
    simultaneously, in order to provide a complete solution. However,
    exploit code for this issue has already been posted, and we are
    therefore releasing the patches as they become available, in order
    to allow customers to begin protecting their systems as quickly as
    possible.

    The bulletin has been updated to include patch availability for
    Windows 98, Windows 98 Second Edition, and Windows Me.

    Patches are now available for:
    - Windows 98
    - Windows 98 Second Edition
    - Windows Me
    - Windows NT 4.0
    - Windows NT 4.0, Terminal Server Edition
    - Windows XP
    - Windows XP 64 bit Edition

    Patches will be available shortly for:
    - Windows 2000
    - Microsoft Office v.X for Mac
    - Microsoft Office 2001 for Mac
    - Microsoft Office 98 for the Macintosh
    - Microsoft Internet Explorer for Mac (for OS 8.1 to 9.x)
    - Microsoft Internet Explorer for Mac (for OS X)
    - Microsoft Outlook Express 5.0.5 for Mac
    --

    "And like that ... he's gone."
  4. Re:Experience? by sphealey · · Score: 5, Informative
    Microsoft products are just as well architected as any other product on the market - but for goodness sakes they are bigger than most applications on the market.
    I think part of the problem with Microsoft is that the people who work there have never actually used competing products in the real world (which would be consistent with Bill Gates' statement in 1998 or thereabouts that he only hires people younger than 25).

    Consider the above statement. Then go back to 1994 and set up three corporate LANs: one with Microsoft Lan Manager 2.x, one with Novell 3.11, and one with Vines. Use them intensively in a large, multi-site corporate environment for 6 months. Then tell me again that Microsoft's products are "just as well architected" as others on the market???

    The point being that the LAN problem (to take one example) had already been solved by 199x. Microsoft ignored everything that had already been done and created its own "standard", which was decidedly inferior to the competition.

    sPh

  5. Re:Michael Is A FUD-Packer by homer_ca · · Score: 4, Informative

    You mean fixed the same day it was announced by Microsoft. This bug has been discussed on Bugtraq for a month now.

  6. Re:Our server has been compromised 8 times in a we by Malc · · Score: 4, Informative

    You have drives that contain \Winnt? That's a problem too: install to a different directory.

    How many people create a restricted user for IIS, rather than running it as LocalService?

    I suspect the problem lies more with the components installed on the system than with Windows & IIS themselves. For example, our Linux server was being exploited for spam recently. They shut down sendmail as a daemon, but the spam still flowed. It turns out that somebody had installed an old and buggy version of Formmail. Grrr.

  7. Re:I hate to say it but... by HiThere · · Score: 5, Informative

    Isn't that the point, though? Unix learned that it needed to be secure. And it changed and adapted to suit itself to the multi-user environment (where a lot of the users were college kids, just exploring what they could do with a computer).

    Linux came along after Unix had learned to be secure, and was designed from the ground up with that model in mind.

    OTOH, DOS was a single user operating system, and didn't need to be secure. When viruses started showing up, they were fixed in DOS not by improving intrinsic security, but by adding on a virus-proofing package. Windows descended from that. (And there doesn't seem to have been a fresh rewrite at any point, MS PR to the contrary.)

    So Linux was designed from the start with security as a consideration. Not always a major consideration, but at least a present one. It's been through many cycles of change and improvement, and at each step along the way, security has been considered.

    Windows, OTOH, has always addressed security via add-on programs. (Well, NT made some attempt at security, e.g., it created users that it could be difficult to get into. And admin privileges. I admit I don't know what they were...)

    Still, in Linux security was built in from the beginning, and user interfaces were an add-on. In Windows, user interfaces were built in from the beginning, and security was an add-on. In both cases the add-ons have gotten a lot better than they were.

    I feel that the Linux windowing environment is now on a par with Windows, or perhaps better, but that it still falls short of the Mac. I feel, based solely on news reports, that the Windows security, while improved, is still lacking.

    And to me, this is largely irrelevant. The MS licenses are so bad, that I wouldn't recommend them even if I thought that they were the best contender in all other aspects. I intend to file for retirement the day my company installs a system with Windows XP, as I don't want to be associated with any company that is either that suicidal or that unethical. (They've got to be either one or the other. Agreeing to a contract without understanding it is suicidal. Agreeing to that contract [I've only seen pieces, but that's enough] is suicidal even if you *do* understand it. The alternative is that they understand it, and intend to ignore it. [I'm not sure this is possible, but they might think that it is.] And that's too unethical for me.)

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  8. Re:Billy Boy and Tux by michael_cain · · Score: 4, Informative

    Unfortunately, don't neglect the fact that just up the street are dozens of vendors selling other attractive goodies (let's call them cookies and cake, I guess) that many people depend on, but that don't work unless you have a glass of Bill's lemonade in hand.

    In the antitrust case, this was called the "application barrier to entry" and was one of the main reasons that MS was declared a monopolist.