Slashdot Mirror
Microsoft on Security: We'll Break Your Apps
jointm1k writes "Wired.com is running a story about how Microsoft is trying to act responsible and all by fixing (or trying to fix?) many (if not all) security holes in Windows. Not only new versions of Windows will be patched or improved, but as I understood they also plan to force security updates for older versions of Windows down peoples throats. Even if that means that some applications will mallfunction.
Nice to see Microsoft taking reponsibility for their mistakes, but they really should have done so when they designed Windows."
Brian-"There's just no pleasing some people"
Beggar-"That's what Jesus said, sir"
---"What did I say that sounded like 'Tell me about your day?'"---
Is that the new niche for software designed for teenage girls?
Assuming Microsoft does actually want to clean up their act, which I'm highly skeptical about, it seems that they'd be criticized for forcing updates just as much as they would for not trying to make adoption of the updates widespread.
Yeah, your right. Microsoft should have written every line perfectly like every line of code you ever have written.
I read the same story at The Register
/. attacking them
The editiorial is innacurate and opinionated.
They are actually giving up on trying to secure older products.
And they are stating that for new security fixes on current products they are now putting security as a higher priority than not breaking the apps.
So rather than provide the security turned off, in the hope that some MCSE will turn it one once the app has been patched, the security is on even if the app breaks.
Now, regardless of the anti M$ feelings, this has got to be a good approach.
Yes you can read it as "Hear comes DRM, suck it down" or you can read it as "Secure by default really does matter, becasue we know 95% of users never change from the default settings" - the latter approach is taken by Suse in 8.1 and I don't see
Trouble making decisions? Just flip for it.
but they really should have done so when they designed Windows
What os didn't need security fixes after it was released?
love is just extroverted narcissism
but they really should have done so when they designed Windows.
I think you have to remember that Microsoft used to put functionality before security. There is a tradeoff between functionality and security. For example, do you allow mailing functionality within the VBS language and the macro language? There is a reason why there are over 20 worms that can spread using MSN messenger, and none that can spread using Yahoo messenger.
However, times change, and people change. Now people put security before functionality. Microsoft is just going with the times...
I am so sick of this revisionist, 20/20 hindsight, why-isn't-microsoft-perfect bullshit! Do you know how many applications written by blithering idiots they've had to keep working? I've heard tons of horror stories directly from friends at MS about the hoops they go through to keep COMPETING SOFTWARE from breaking. Yes, MS employees really do sit around figuring out how to keep Wordperfect from crashing.
What did you eat today? http://www.atetoday.com/
My take on this "impractical". A new version of OS comes out in every couple of years, and in near future I can expect it to be every year. Now that means shelling out money on new, improved version of apps and systems. Let me tell you there are people still using win95 and very happy with it coz it still works. Tell them to upgrade every year and shell out $500 a year on system. They'll just smile at you and say -"boy are you out of your mind, no way"
Yes, and of course he is talking about free software. So if something breaks, just download the new version.
But if the apps are purchased, that is a bit much to swallow. Of course, if MS has service packs that fix the broken apps, then I guess it would not be so bad.
There is another side-effect: Just think of an update that does not only fix two recent security flaws, but also implements incompatible changes to the CIFS/SMB protocol. All users of MS Software are forced to upgrade, so there won't be any interoperability issues. But all those Samba File/Print/PDC installations across the world are suddenly broken.
And Samba is just a randomly picked example.
One of the main arguments buisnesses have been using against looking for Linux solutions is that legacy applications (of the windowsNT/95 variety) must be runnable. Now with Microsoft saying that they may not support all legacy code this is removing one of the last barriers stopping some companies from looking at Linux.
If a company is looking at redoing an application for the windows base it may just be easier for them to make it work with WINE than with the new windows code base.
I am sure Microsoft is aware of this. There must be some really big holes they are going to close with action or they would not consider dropping the support for legacy applications.
Microsoft is doing the right thing.
n dept." -- GIVE ME A BREAK. If that were the goal, Microsoft would quickly be driving itself out of business. "... but they really should have done so when they designed Windows" -- again, who are you trying to fool here?? The same argument could be said for every operating system in mass production use today.
Every vendor Microsoft, Apple, Sun, Red Hat, Debian can create an incident where a patch breaks a vendors application.
I've personally seen it happen with 4 out of the 5 vendors already. Deal with it. AFAIK there is still no forced patching. Your OS doesn't just up and DIE if you decide not to patch your OS because you are aware that patching will create problems for you.
On another note - Certainly Slashdot leans a little left politically and leans a lot toward "open solution" computing but everything about this story just reaks. "windows-ain't-done-while-competing-apps-still-ru
Give it a rest. Your just starting to look foolish now.
http://windows.scares.us
Hopefully we can look forward to more posts containing phrases like "I reckon" and "Y'all" to appear on Slashdot soon. Not to mention that there isn't even anything new in this post at all that has been discussed ad nauseum on Slashdot already.
First of all, one of the big selling points of Wintel is that you have a wide choice of software. In the future, however, Mundie says that you can expect your old apps to be broken.
"We have decided that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security. In the past, the biggest thing that happened to us was IT managers would come to the company and say, hey, all those new features, they're great, all that new security stuff, that's great, but whatever you do don't break my app. So just turn it all off and trust me, we'll fix the apps and then we'll turn it all on. And the reality is that never happened.
And so we're going to tell people that even if it means we're going to break some of your apps we're going to make these things more secure and you're just going to have to go back and pay the price."
Notice that they're breaking your old apps not so they can sell you new ones, but purely in the interest of your security, and furthermore it's your fault they have to do this.
The other point Mundie makes is that, even after they sell you the new OS and the new apps, any security needed will be your responsibility, at your expense.
"And the other thing is that the customers, whether they're individuals or corporations, are going to have to make a decision about when and how much they spend to get these machines to be more secure. And to some extent you can do it by insulating them, to some extent you can do it by putting things around them or in front of them that protect them, you know, firewalls in some sense. And then in some cases, you can just replace them when you get new machines or new software or both that have intrinsically better capabilities."
Thanks, Microsoft, I'm glad you're looking out for my interests.
Making trouble today for a better tomorrow...
"We didn't just fall off the turnip truck a year ago and realize we needed to do this, We started thinking about this three years ago."
Microsoft didn't start thinking about security until Windows 2000 was a release candidate?
Software Engineer: Uh, Craiggers... I just heard some disturbing news.
Craig Mundie: Don't bother me now, I almost beat Bill's fastest time on Minesweeper.
SE: Well, it's just that Joe apparently didn't design any security infrastructure into Windows.
CM: Security what?
SE: Well, remember when I was telling you about how "hackers" can very easily get information on your computer?
CM: What, like that Stellman fellow and his hippie freedom shit?
SE: Not really.
CM: Well, if you think it's important, I'll have Bill send a memo out about it.
"Trustworthy Computing, a sweeping overhaul of Microsoft's software, business models and programming practices, was publicized in January [of this year] by a company-wide memo from Microsoft chairman Bill Gates."
I hope everyone realizes that they're doing this for PR purposes. Right now there are lots of government that are trying to get away from MS products so that they don't put all their information in the hands of an American Company. Also, this is one of the main selling points of OSS vs. MS. As soon as they feel people aren't paying that much attention to security, they'll back away from "cumbersome nuances" like security
I'll buy it that they really care about this stuff when they start building software over previous security-related experience, and I'm not talking patches here, I'm talking OS re-writes based on what works and doesn't security wise.
There are two kinds of people in the world: Those with good memory.
>but they really should have done so when they designed Windows.
No they shouldn't have. Can you imagine the problems with Windows 95, if they would have put tight security on it.
Inexperienced computers users would have throw their hands up in frustration(why can't i install this program!, why won't the printer install! I forgot my password) why do i have to add a new user).
Most people just want to get e-mail, surf the web, run quicken. As users starting demanding more(functionality, security, stability) they will switch to a different OS, or MS will have to improve. Which it seems they are trying.
Windows has plenty of room for improvement, but statement seems a bit of a reach.
He *never* says "screw the userland apps". Modules yes.. system utils yes.. general apps NO.
In fact, you can still run your old a.out apps from 5 years ago provided you have the right libraries installed.
This is the same mentality where I work. We have users still using Lotus 2.4, WordPerfect 5.1, and other crazy applications because the IS people refuse to **MAKE** the users do their own work. The users want the IS departments to migrate and test all the spreadsheets and documents for them because we have Office '97 or Office 2000 installed on the machines. Now 10 years ago when Lotus 2.4 and WordPerfect were introduced we didn't go around making macros and cell calculations for them did we? But we try to introduce new products to keep up with the times and they act stupid on us and say we are killing business because we **WON'T** migrate their stupid macros.
We can't even get the users to try and open the spreadsheets in Excel or Word. They just refuse to do it. My recommendation in the last meeting was to just turn off Lotus 2.4 and WordPerfect (apps run on server) and tell the user either to use Microsoft Excel and Word or find a new job.
My point being, Microsoft is doing exactly what should be done. You want everything to be stable and secure, well you better be ready to upgrade or patch whatever doesn't work after we do our fixes.
"Some mornings, it's just not worth chewing through the leather straps." ~ Emo Phillips
Actually I HAVE read Linus's post on LKML and that is far from true. In most cases he is willing to break the internals of the kernel but he loaths to break something in userland (but will do it if there is a really really good reason). That is why most programs written for 2.0 still work for 2.4.
I miss the Karma Whores.
Actually MS just dumped the next server version after .NET, so it looks like they are headed towards longer release cycles. Since Liscense 6 gives you support for the last 5 years of os's it would not behoov MS to come out with a new OS every year, that would mean supporting 5 OS's for corp customers and testing all their apps against 5 OS's, not cheap. Instead it looks like MS is going the opposite way, look at the next version of Office, it won't run on any OS's other than win2k with SP3+, or winXP. MS is trying to dump the old kruft to reduce problems and hence support costs both external and internal.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
"I might be threatening to write code."
I think I'll stop here.
The story never mentions *how* they plan to force users of older systems to patch and upgrade their security. As has been the topic of many a comment, the biggest problem in security is an admin/user who doesn't patch. If they haven't been able to get people to patch in the past, how do they think they can force a win95 user to patch their box now?
The best they can hope to do as far as *forcing* upgrades is making the automatic "microsoft update" manditory and non-removable. Imagine the uproar...
Second, a reality check...you will never squash all bugs. Software is a dynamic beast, especially when it comes to operating environments. As the systems grow and functionality increases, so do the chances for bugs. It's a simple fact that the more lines of code you have, the more bugs you have. Microsoft is as able to squash all bugs in all their software as any *nix system is to fix every single bug in theirs. It just isn't going to happen...no system is perfect.
"Nice to see Microsoft taking reponsibility for their mistakes, but they really should have done so when they designed Windows"
I particularly liked that part...as the current incarnation of the internet did NOT exist when the first versions of DOS came out. Heck, most people didn't know what a dialup was when 3.1 came out. Early MS systems were never designed to be multi-tasking, let alone multi user, and therefore never needed security...it simply wasn't thought necisary. If the computer is going to be used by one person and not connected to the net (such was the case in the early 80's), then why include extra usless security code? The same design base was used and simply extended to maintain backward compatability as time progressed. Thus MS saying that their design is fundamentaly insecure...because it didn't HAVE to be secure in the early days. After all, it's easier to expand than re-write...especially if you do want to backward compatability.
As I see it, the sins of the past are more about business practice (which is abhorent), than it is about software design. After all, they have migrated their new OS's to a fundamentaly NT based system, and have increased security and stability in the process. I'm not saying they don't have a ways to go, I'm just saying that it is better than it was.
In anycase...I'm happy with debian, so I don't care what they do for my sake. I hope that something good comes of this so that my parents can get a more stable and more secure OS...
-Frozen
I'm not always the brightest pixel in the stream
And he's right, the only way to avoid massive layers of backwards-compatible cruft is to just slough off the existing infrastructure and create the OS anew for every release.
True. However, if the userland apps are written properly using a sufficiently high-level language, even C, and using standards-based and/or portable APIs, then kernel changes should break only the invervening abstraction layers. Download the updated API or whatever (not much effort), and the huge amount of effort that went in to the userland app is preserved.
This is why I feel so sorry for people who write applications using Windows-only or UNIX-only or whatever-only APIs, when there are portable ways of doing things. Taking standards documents and black-lining the parts that aren't implemented on all the target platforms (thus achieving the lowest-common-denominator) goes a long way towards producing an application that will tolerate volatility at the operating system level. And, really, it isn't much effort for an important piece of software (and a week or two sifting through documentation will only improve the end product, trust me).
And guess what: even the lowest-common-denominator is usually very useful and sufficient to meet the requirements for the software. People who whine otherwise are usually the eye-candy babies who demand using all the nifty Internet Explorer extensions to make dancing mouse trailers and other garbage (for example).
The only excusable applications are those written before truly portable APIs came around. For example, old UNIX apps written with Motif should be forgiven, because Qt, Java Swing, and other fairly recent APIs weren't available. But new applications? No excuse at all.
Healthcare article at Kuro5hin
But this story reminds me of that great Chris Rock routine. (paraphrasing, and substituting the N word)
People always want credit for something they're supposed to do.
I ain't never been to jail. What do you want, a cookie?!
I take care of my kids. You're supposed to you dumb motherfucker!
So yes, while it is good that MS is doing this, I think that it is no big deal - they should do it. I am not going to praise them for it, this is what they should have done long before now. I am not going to rail on them either, because they are making some kind of effort. Assuming that they actually do what they say they are going to do. Sorry, but they have a bad track record, I am not going to believe it until I see it. Why am I skeptical? Among other things, I have seen the Win2kSP2 EULA. I wonder what the EULA on these new security patches will look like...
My beliefs do not require that you agree with them.
Microsoft lives on the income from OS/Office upgrades at least as much as from new installs.
One line blog. I hear that they're called Twitters now.
There is a difference between writing a security patch that happens to break an application, and a security patch that is designed to break an application.
A security patch on any OS could potentially cause problems with software that runs on it. However, it wouldn't put it past me for Microsoft to purposefully make sure that competing products are broken.
At best case, MS isn't going to purposefully break anything. This is a legitimate attempt to fix security.
At worst case, this might Microsoft's first step in "testing" the strength of the court to see if they'll notice/tolerate them purposefully breaking applications and then claiming they can't release the fixes to the application maker because it is part of Windows "security."
"You spoony bard!" -Tellah
I'm all for security updates as long as they don't force Digital Restrictions Management or their usual abusive EULAs upon those who install the updates. I want my windows box to be secure, but not at the cost of limiting what I can use it for and what control M$ would gain over my system.
Microsoft may prohibit self-modifying code and code on the stack. You don't get any performance gain with either technique any more, since processors went superscalar.
And maybe Microsoft will delete the 16-bit compatibilty engine. It's time. In NT 3.5x, the 16-bit engine was optional, the system ran fine without it, and it should have stayed that way.
Microsoft will probably do something to break Word 97, and blame it on "security". They need the revenue. But there's a problem:
Plugging those holes, he said, would require not just rolling out new versions of Windows, but forcing security fixes onto users of older Windows versions, which he claimed was 30 to 40 times larger than the installed base of current versions.
XP sales must be lower than Microsoft admits. Microsoft has to make sure that their pressure forces people to upgrade to XP, rather than locking people into the legacy OS. Expect something on the server side that makes Internet usage difficult for legacy users.
The trade rags may be sycophantic pole-smokers, but I'd like to think the Slashdot population is more fair than that. We have been kicking Microsoft square in the nuts about their lack of security for years now, so does it make sense to flipflop and start kicking them for taking security seriously?
Now if the article was more like "Microsoft breaks apps to implement security, offers expensive upgrades" then we could continue kicking M$'s family jewels guilt-free.
When I first started visiting Slashdot, the articles were much more geek-friendly and much less anti-Microsoft. In the 3-4ish years I've been reading Slashdot, it's definitely seemed that it's devolved into a MS bashing forum.
One or two Microsoft stories are published everyday, no matter how insignificant the news is. Even if the news is a good thing, typically the submitter of the story puts a negative spin on it (like today's submission). Of course everyone jumps in and bashes away, not only at Microsoft, but at anyone who tries to speak positively about Microsoft. It doesn't do well to encourage intelligent discussion--anyone who is happy using Microsoft products and speaks up about it around here quickly becomes bitter and defensive. Or they leave.
Slashdot nowadays is quite similar to the media in the middle east. My grandfather lived in Dubai for 8 or 9 years, and he was amazed that the newspapers had an article about "The Jews" on the front page, every day. The Dubai media never referred to Israel. "The Jews" were always killing Muslim children, subverting the government, doing-random-very-crappy-thing, etc. The media was breeding hate among the people.
The big difference between Slashdot and Dubai is that the Dubai government was intentionally making people hate to distract them from shady things it was doing, and Slashdot's de-evolution is (probably) not intended. It definitely seems that the editors have got some bug up their ass about Microsoft, but I think they're just publishing what kicks up the most response rather than trying to fan the flames.
I think it's because Slashdot has become the epicenter of a pro-linux geek subculture. In this subculture, it's cool to hate Microsoft. Folks want to fit in somewhere, so they come to Slashdot and bash Microsoft.
Linus said in this interview:
"I've tried to stay out of the Microsoft debate. If you start doing things because you hate others and want to screw them over the end result is bad."
I don't think he hates Microsoft. He likes Linux.