Slashdot Mirror


MS Exec: 'Our products just aren't engineered for security'

Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.

14 of 687 comments

  1. excuse by xirus · · Score: 5, Insightful

    Another excuse to let people believe that Palladium is needed :/

  2. duh. by Telastyn · · Score: 5, Insightful

    This might be a stupid point, but of course Microsoft products aren't engineered for security. The common man doesn't buy products for security, and even now the common man largely does not understand that they could even have their functionality in a secure environment (though arguably most salesguys cannot have the functionality they demand in a secure environment, but that's another debate.)

  3. Idiotic replies by synx · · Score: 3, Insightful

    So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.

    This event is significant, because from the mouth of someone significantly important in MSFT's power structure, there is an admission of failing.

    Maybe the exec just wanted to confess his (their) sins?

    1. Re:Idiotic replies by Soko · · Score: 3, Insightful

      So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.

      Agreed. Read on, though, Macduff..

      This event is significant, because from the mouth of someone significantly important in MSFT's power structure, there is an admission of failing.


      Hunh?

      Where is the Utopia you live in, bud? I'd like to move there.

      It would be nice to just take Mr. Valentine's statement at face value, applaud them for being honest and move on, but this is Microsoft we're talking about. These are smart, ruthless, paranoid people who never do anything without a reason, that reason normally being protecting or extending their dominance over a market. In that regard, I'll say "Thanks, Brian. First, if you need some help, I'll do what I can. Second - what are you guys really up to here?"

      Maybe the exec just wanted to confess his (their) sins?

      Yeah, to St. IGNUcius hisself. Right.

      You know, I'd love to hear something like this from Microsoft and not think "There's an ulterior motive here...", but I can't help it - they're too smart and too powerful to NOT be very careful around them. Until there's demonstrative proof that Microsoft wants to just make cool tech and not own or control it all, I'll continue to cast a very cautious, critical eye in their direction.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
  4. The big Question.. by gerf · · Score: 5, Insightful

    Is whether this will make the national news. Trust me, if CNN and MS/NBC and all the rest choose not to cover this, the general public won't know, and won't really make a decision based on this information.

    Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)

    1. Re:The big Question.. by GoofyBoy · · Score: 3, Insightful


      The question is will people actually care, even if they did know about it?

      There are a huge amount of more important things that CNN/ABC/CBS/NBC do report on which the vast majority of people don't do anything about.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  5. Tries to shift blame by sacremon · · Score: 3, Insightful

    It seems he tries to say that it is impossible to make it 100% secure, because hackers are becoming more sophisticated in their attacks.

    Sure, you can't make anything 100% secure (short of keeping it turned off), but there is a difference between something that has a few exploitable holes and something that resembles a sieve.

    --
    If you can't beat them, embrace and extend them.
  6. Re:Stop picking on the engineers by Telastyn · · Score: 5, Insightful

    Actually, from what I gather MS's R&D engineers are some of the best engineers around. The actual production engineers are good as well, but nowhere near their R&D counterparts.

  7. I hate to say it but... by JoshuaDFranklin · · Score: 3, Insightful

    neither was UNIX. UNIX is best in trusted, academic settings where it grew up. But, after some big problems with too much trust people figured out how to make it at least "secure enough."

    MS needs to stop complaining and fix their buffer overflows.

  8. Re:Stop picking on the engineers by (H)elix1 · · Score: 5, Insightful

    Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.

    A huge part of the problem comes from never deprecating APIs. It is one thing to tell someone to design and build something new - much harder to extend something that was not even close to what it was designed for (and did not have time to abstract things out).

    To this day, I am amazed the windows kernel even compiles, much less runs...

  9. Re:they are putting a spin on it.. by xanadu-xtroot.com · · Score: 4, Insightful

    You can't tell me that there is any Linux distro that can match Windows' ease of use. If there is, why aren't the masses jumping on that bandwagon???

    NOW who is being naive?

    Have you not read the stories about M$'s stranglehold (or maybe a good Ric Flair style Figure-4?) on the OEM companies? Are you not aware that companies can not install ANY other OS in tandem with Win* on their machines? Remember the story about Dell putting FreeDOS on their machines just so they could beat the M$ policy?

    So why aren't the masses jumping on it (Linux)? Because they are (almost) not allowed to buy a machine that doesn't run Win*.

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  10. Re:Palladium, of course by doodleboy · · Score: 5, Insightful

    Bingo. As Nathan Myhrvold once said, Microsoft wants to get a vig on every transaction going over the net. TCP/IP doesn't have a built-in billing model, so they're trying to shoehorn one on top of it. Even though it will be a bloated, insecure mess, the government and the entertainment industry are and will remain enthusiastic supporters of Palladium. All that data is an irresistible temptation: so much money to be made, so much monitoring to be done.

    The real war will be between this plutocratic regime and the free software movement. The general public doesn't know it yet, but Linux is very close to there on the desktop. This represents a serious threat to the universality of Palladium, so Microsoft and its allies will try to have laws passed that criminalize free software use, and/or the use of general purpose (i.e. non-Palladium equipped) computers.

    Sound crazy? It's not. And the issue of freedom & privacy vs. big business & government is going to be huge, front page news as it gets closer and the general public gets a whiff of it. But Disney owns the news, so expect it to be more of a grassroots groundswell-type thing.

    Who will win? I don't know. But I see a future that scares the hell out of me, and I really hope we're not too lazy to do something about it.

  11. Re:Look at the market... by schon · · Score: 3, Insightful

    I believe by the next Windows distro, we'll have security that will stand for something.

    Except that you miss exactly what Valentine means:

    Windows cannot be secure - MS has finally realized (and admitted) this.

    Security is something that must be designed in from the beginning - it's not something that can be 'bolted on' after the product is finished, any more than you can make pudding, and decide you want it to be a house instead - you can't make a house out of pudding.

    I think we can all agree that MSFT has succeeded in creating simple, easy-to-use products

    You think wrong. I certainly wouldn't characterize MS products as easy-to-use. Easier than some other products, in some situations, perhaps.. but not easy.

    As for simple? Have you seen MS Word lately? Bloated with dozens upon dozens of features that nobody uses - you categorize that as simple?

    whether you like it or not, there is no easier OS

    Spoken like someone who's never tried any other OS.

    Ever try MacOS?

    How about Amiga?

    VMS? Anything besides Linux and Windows?

    As an advanced user, I find Linux MUCH easier to use than Windows, because everything is laid out as I expect. I used Windows before I used Linux, and most of the learning curve I experienced came from attempting to do things the Windows way - but after one or two times, I realized that the best way to learn a task was to ask myself "if I had designed this system, how would I implement it?" - and all of a sudden, everything became easy.

  12. Re:MS products actually designed for insecurity? by ShooterNeo · · Score: 3, Insightful

    Read "ShowStopper!" and then say this again. It's quite a bit more likely that the endless problems with Outlook Express were NOT deliberate. The developers just wanted to add some neat features, and made the scripting language as broad and full featured as possible. In THEORY, if the virtual machine that runs the scripts didn't have big holes in it, this would be a perfectly reasonable and secure thing to do.

    Of course, the real problem with these kinds of scripts is not viruses... it's behavior the user doesn't want. Popup ads are a perfect example of that: giving a web page control of your browser merely because you visited the site was NOT a good design decision.