MS Exec: 'Our products just aren't engineered for security'
Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
Another excuse to let people believe that palladium is needed :/
This might be a stupid point, but of course microsoft products aren't engineered for security. The common man doesn't buy products for security, and even now the common man largely does not understand that they could even have their functionality in a secure environment (though arguably most salesguys cannot have the functionality they demand in a secure environment, but that's another debate.)
So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.
This event is significant, because from the mouth of someone significantly important in MSFTs power structure, there is an admission of failing.
Maybe the exec just wanted to confess his (their) sins?
Is whether this will make the national news. Trust me, if CNN and MS/NBC and all the rest choose not to cover this, the general public won't know, and won't really make a decision based on this information.
Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)
It seems he tries to say that it is impossible to make it 100% secure, because hackers are becoming more sophisticated in their attacks.
Sure, you can't make anything 100% secure (short of keeping it turned off), but there is a difference between something that has a few exploitable holes and something that resembles a sieve.
If you can't beat them, embrace and extend them.
Arthur Andersen Heads: We Ignored/Covered Up Every Accounting Fraud That Ever Came Our Way.
Because a lot of their code can have buffer overruns due to the lack (or perceived lack) of this function by their own programmers. Makes it easy to create insecure programs and harder to create secure ones.
Lenny Primak PP-ASEL-IA,Heli
Actually, from what I gather MS's R&D engineers are some of the best engineers around. The actual production engineers are good as well, but nowhere near their R&D counterparts.
Neither was UNIX. UNIX is best in trusted, academic settings where it grew up. But, after some big problems with too much trust, people figured out how to make it at least "secure enough."
MS needs to stop complaining and fix their buffer overflows.
And in classic Microsoft style the security bulletin notes that patches are available ONLY for Windows XP and NT
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
With the recent change in Licensing terms and the inability to support products they've made within the past 2 years they have the gall to say that using anything else is insecure on the part of the government?
Microsoft products are not engineered period.
Saying they are "not engineered" is a statement of your naivety. Imagine designing and coding a huge prog. such as Windows or MS Office... Do you think they sit in a big room and just piece code together like a puzzle? Please don't say that they are not engineered...
They're thrown together, spend half their time making it look pretty
Making it look pretty is half the battle, hence half the battle is won. The average MS consumer (the majority of the computer users) doesn't care what the nitty-gritty underlying code is.. they care about ease of use and a comfortable, easily usable system. You can't tell me that there is any Linux distro that can match Windows ease of use. If there is, why aren't the masses jumping on that bandwagon???
100% Insightful
I thought it was Microsoft's policy to keep their mouth shut when it comes to lack of security in their OS. It just seems that after spending all sorts of money into advertising and marketing Win2k/XP as very secure platforms, M$ would rather not have a SVP in development blow it all away. I wonder how long he will last talking openly about these problems.
"I bet I'll get blamed for this." --Mayor Quimby
I agree. I mean listen to what the man said for God's sake:
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
Come on. This sounds a whole lot like a guy who was given an albatross (DOS) and was told to build an eagle (something remotely secure) from it. He just hasn't been able to do all the things that would need to be done, because there's too much to do, and they're saddled with the fact that they didn't realize when they started how important it would be.
Jeez. I know this is Slashdot, but give the guy a break!
Ben
Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.
A huge part of the problem comes from never deprecating APIs. It is one thing to tell someone to design and build something new - much harder to extend something that was not even close to what it was designed for (and did not have time to abstract things out).
To this day, I am amazed the windows kernel even compiles, much less runs...
+++ UGUCAUCGUAUUUCU
Most of MS's customers don't know UNIX.... Most of MS's users are not computer scientists.. they are average people...
Think outside your techie box....
100% Insightful
You can't tell me that there is any Linux distro that can match Windows ease of use. If there is, why aren't the masses jumping on that bandwagon???
NOW who is being naive?
Have you not read the stories about M$'s stranglehold (or maybe a good Ric Flair style Figure-4?) on the OEM companies? Are you not aware that companies can not install ANY other OS in tandem with Win* on their machines? Remember the story about Dell putting FreeDOS on their machines just so they could beat the M$ policy?
So why aren't the masses jumping on it (Linux)? Because they are (almost) not allowed to buy a machine that doesn't run Win*.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
.....Maybe then it can actually make a difference.
I hate the fact that whenever a new MS computer virus hits, news reports always neglect to mention "This virus only infects computers running Microsoft operating systems". That would go a long way to convince people to look elsewhere.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
Bingo. As Nathan Myhrvold once said, Microsoft wants to get a vig on every transaction going over the net. TCP/IP doesn't have a built-in billing model, so they're trying to shoehorn one on top of it. Even though it will be a bloated, insecure mess, the government and the entertainment industry are and will remain enthusiastic supporters of Palladium. All that data is an irresistible temptation: so much money to be made, so much monitoring to be done.
The real war will be between this plutocratic regime and the free software movement. The general public doesn't know it yet, but linux is very close to there on the desktop. This represents a serious threat to the universality of palladium, so Microsoft and its allies will try to have laws passed that criminalize free software use, and/or the use of general purpose (i.e. non-palladium equipped) computers.
Sound crazy? It's not. And the issue of freedom & privacy vs. big business & government is going to be huge, front page news as it gets closer and the general public gets a whiff of it. But Disney owns the news, so expect it to be more of a grassroots groundswell-type thing.
Who will win? I don't know. But I see a future that scares the hell out of me, and I really hope we're not too lazy to do something about it.
I believe by the next Windows distro, we'll have security that will stand for something.
Except that you miss exactly what Valentine means:
Windows cannot be secure - MS has finally realized (and admitted) this.
Security is something that must be designed in from the beginning - it's not something that can be 'bolted on' after the product is finished, any more than you can make pudding, and decide you want it to be a house instead - you can't make a house out of pudding.
I think we can all agree that MSFT has succeeded in creating simple, easy-to-use products
You think wrong. I certainly wouldn't characterize MS products as easy-to-use. Easier than some other products, in some situations, perhaps.. but not easy.
As for simple? Have you seen MS Word lately? Bloated with dozens upon dozens of features that nobody uses - you categorize that as simple?
whether you like it or not, there is no easier OS
Spoken like someone who's never tried any other OS.
Ever try MacOS?
How about Amiga?
VMS? Anything besides Linux and Windows?
As an advanced user, I find Linux MUCH easier to use than Windows, because everything is laid out as I expect. I used Windows before I used Linux, and most of the learning curve I experienced came from attempting to do things the Windows way - but after one or two times, I realized that the best way to learn a task was to ask myself "if I had designed this system, how would I implement it?" - and all of a sudden, everything became easy.
If you've been compromised even once, you frankly don't know what you're doing.
I work NOC in a mostly Windows shop. We have several hundred NT and 2K boxes, and have never been compromised. The only machines that got hacked *ever* were customer owned boxes that the customer failed to patch against CodeRed.
If you patch the box properly, firewall it properly, turn off unnecessary applications and services, and run a correctly configured IDS, then a windows box can be just as secure as any other OS.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Read "ShowStopper!" and then say this again. It's quite a bit more likely that the endless problems with Outlook Express were NOT deliberate. The developers just wanted to add some neat features, and made the scripting language as broad and full featured as possible. In THEORY, if the virtual machine that runs the scripts didn't have big holes in it, this would be a perfectly reasonable and secure thing to do.
Of course, the real problem with these kinds of scripts is not viruses...it's behavior the user doesn't want. Popup ads are a perfect example of that: giving a web page control of your browser merely because you visited the site was NOT a good design decision.
Exactly; any executive at microsoft knows that selling more features is much easier than selling less bugs.
Make no mistake, this phony confession is nothing but a strategic move to begin grooming the world to the idea that Palladium is the only hope for "Trustworthy Computing".
It's groundwork for a bald-faced pack of lies, Micro$oft FUD in its purest form.
It's also further proof that Micro$oft's upper level minions are utterly without any moral compunctions whatsoever, always willing to pimp themselves again and again for the good of the Motherland.
Micro$oft uber Alles!
Sieg heil!
t_t_b
I'm on PJ's "enemies" list! Are you?
How many remote exploits have there been in Apache over the past 3 years? Now how many in IIS?
Now how many remote exploits have there been in OpenBSD? How many in Windows 2000 Server?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.