Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Exec: 'Our products just aren't engineered for security'

Posted by ryuzaki0 on from the see-no-evil dept.

Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.

4 of 687 comments (clear)

  1. Stop picking on the engineers by anthonyclark · · Score: 5, Interesting



    While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were the some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.


    Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.

    --
    ----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
  2. How marketers ruin code by yerricde · · Score: 5, Interesting

    I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.

    They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.

    --
    Will I retire or break 10K?
  3. MS products actually designed for insecurity? by geoswan · · Score: 5, Interesting
    I believe that MS took a leaf from the playbook of the Tobacco industry

    There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.

    Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.

    His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.

    "But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."

    Are Microsoft executives any more ethical than Tobacco executives?

    Nah.

    I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.

    Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.

    This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.

    I believed that they looked ahead, and planned to distribute insecure products, so that the could harness the publics anger at vandals, interlopers and spam artists to justify draconian security measures that we never wuold have agreed to otherwise.

    I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.

  4. Re:Tries to shift blame by PythonOrRuby · · Score: 5, Interesting

    Microsoft's approach to operating systems and security has created an arms race between them and hackers(both malicious, and those legitimately testing the software).

    The answer is not to make the OS more complex and create more special cases, but to streamline it, and offer a more consistent model for applications and users to interact with the operating system.

    This is why pretty much everyone else these days uses some variant on Unix. More than anything else, the appeal of Unix is simplicity at a basic level.

    Now, Microsoft doesn't have to ship a Unix-based or compatible OS by any means, but if they want to take security seriously, they need to take what they have now, and what they are planning on for five or ten years down the road, reduce it down to the most basic components that can still address all of those problems, and rethink how Windows is put together.

    Also important is to get over their antipathy towards the open source "movement", and realize that it can be a tool. If they released a simplified, streamlined Windows kernel, they could let the world hack away at it, finding flaws, then take that work and put the components on top of it that would make it Windows. They've "borrowed" ideas from Apple and NeXT in the past, why not look at what OpenStep was, and what Darwin and Mac OS X have become and borrow that idea too?

    In short, it takes more than saying to your developers, "ship bug fixes in a week rather than a month." They'll hae to really examine Windows, and where the flaws come in, and if there's some other way(and there always is) that those things could be done, then the old way has to go.