Slashdot Mirror


MS Exec: 'Our products just aren't engineered for security'

Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.

7 of 687 comments

  1. Stop picking on the engineers by anthonyclark · · Score: 5, Interesting



    While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.


    Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.

    --
    ----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
  2. Palladium, of course by PMuse · · Score: 4, Interesting

    Step 1: Admit that current MS OS is insecure.

    Step 2: Allege that problem is fundamental due to the nature of the hardware platform. Fear. Uncertainty. Doubt.

    Step 3: But wait! MS has the solution that will solve this crisis -- Palladium.

    --
    "We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
  3. How marketers ruin code by yerricde · · Score: 5, Interesting

    I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.

    They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.

    --
    Will I retire or break 10K?
  4. MS products actually designed for insecurity? by geoswan · · Score: 5, Interesting
    I believe that MS took a leaf from the playbook of the Tobacco industry

    There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.

    Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.

    His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.

    "But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."

    Are Microsoft executives any more ethical than Tobacco executives?

    Nah.

    I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.

    Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.

    This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.

    I believed that they looked ahead, and planned to distribute insecure products, so that they could harness the public's anger at vandals, interlopers and spam artists to justify draconian security measures that we never would have agreed to otherwise.

    I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.

  5. Re:Tries to shift blame by PythonOrRuby · · Score: 5, Interesting

    Microsoft's approach to operating systems and security has created an arms race between them and hackers (both malicious, and those legitimately testing the software).

    The answer is not to make the OS more complex and create more special cases, but to streamline it, and offer a more consistent model for applications and users to interact with the operating system.

    This is why pretty much everyone else these days uses some variant on Unix. More than anything else, the appeal of Unix is simplicity at a basic level.

    Now, Microsoft doesn't have to ship a Unix-based or compatible OS by any means, but if they want to take security seriously, they need to take what they have now, and what they are planning on for five or ten years down the road, reduce it down to the most basic components that can still address all of those problems, and rethink how Windows is put together.

    Also important is to get over their antipathy towards the open source "movement", and realize that it can be a tool. If they released a simplified, streamlined Windows kernel, they could let the world hack away at it, finding flaws, then take that work and put the components on top of it that would make it Windows. They've "borrowed" ideas from Apple and NeXT in the past, why not look at what OpenStep was, and what Darwin and Mac OS X have become and borrow that idea too?

    In short, it takes more than saying to your developers, "ship bug fixes in a week rather than a month." They'll have to really examine Windows, and where the flaws come in, and if there's some other way (and there always is) that those things could be done, then the old way has to go.

  6. Re:Experience? by MoneyT · · Score: 4, Interesting

    Simple, brand name. Try to explain to a non-tech-savvy person (yes they still exist, and in millions at a time) that they should buy a product that isn't Microsoft. They've probably never heard of the other company, and if it isn't Microsoft, "It won't work right with my computer because my computer had Microsoft on it already". Believe me I've heard that hundreds of times. Now imagine that same attitude on a corporate scale, and you've got one hell of a successful business no matter what crap you feed these people.

    --
    T Money
    World Domination with a plastic spoon since 1984
  7. Re:Experience? by Qrlx · · Score: 4, Interesting

    Simple, brand name

    This is correct. Microsoft's genius lies in the marketing. Not that their products are all terrible, and thrive ONLY because of marketing, but marketing got them and keeps them where they are today.

    Microsoft's corporate sales pitch deliberately glosses over the technical side of things. The corporate execs aren't technical people anyway, so why try to explain the benefits of a product in technical terms that only a select few understand? No, Microsoft invented the term "TCO" (Total Cost of Ownership) and sold the concept that Microsoft was the less costly way to go. Execs understand the concept of money very well. Everyone responds to emotional sales pitches (unless they are Noam Chomsky or something). Through a combination of $$$ claims about lower TCO and carefully placed FUD, they have established a dominant position on the LANs they were merely clients on ten years ago.

    Another thing Microsoft realized is that computers would be everywhere, and they wouldn't always be under the control of UNIX admins with pocket protectors and advanced CS degrees. There just aren't enough uber-geeks to go around for all the offices in the world. Brilliant foresight. It might be the CFO who suddenly finds the company has grown and now they need to bring the network back under control. Microsoft has hands down the slickest sales materials I've seen in the computer field.

    Microsoft sells a culture, a lifestyle, in which you don't have to worry about computer problems because there are teeming millions of MCSEs and phone support and etc. to hold your hand through whatever problems may arise. And in fact this is true. Microsoft will smile and nod and politely empty your wallet.

    A few months ago, there was a story on Slashdot about MS sending the BSA after school districts in the Northwest. After the admins got into a tizzy and threatened to install Linux everywhere, Microsoft had the Come to Jesus meeting. "The themes for today are friendly and flexible," the sales lady said. It's the classic good cop/bad cop routine, a pure psychology play, and Microsoft knows their shit in this regard. Geeks, being socially stunted and sexually frustrated, are putty in Microsoft's hands, especially when the nice woman in the business suit shows up to put down the rebellion.

    That is how Microsoft has achieved their monopoly. Unlike the other computer companies, they don't try to sell the technology itself. Instead they sell the REWARDS of implementing a Microsoft solution, they sell a warm fuzzy bundle of love, a pre-made community of smiling, personable non-geeks who are there to ease your assimilation into the Collective.

    Microsoft was the first to bring big-time Madison Avenue marketing psychology to an exponentially growing computer market, that's why they're on top now.

    This T-shirt I saw said it best:

    Political <---------- You are here
    Presentation
    Session
    Application
    Transport
    Network
    Data link
    Physical