Can You Trust Microsoft On Security?

simetra writes "Here's a shocker... This story on Yahoo! is pointing out the obvious. How many of these until the suits start believing us?" Maybe the article is just trying to stir up trouble, though: ladislavb points out that Windows XP is an Operating System you can trust. (The review is also available on mirror1, mirror2, mirror3, mirror4.)

Apr, 1st

[ceeam]

I liked the "whitespace" joke better.

Umm...

[evil_one]

I don't think that the Yahoo! story is a Joke... it was posted 03/31 not 04/01... If it is, please correct me. I'd like to be wrong here.

Re:Umm...

[Pharmboy]

I don't think that the Yahoo! story is a Joke... it was posted 03/31 not 04/01... If it is, please correct me. I'd like to be wrong here.

Hey, april fools or not, trusting Microsoft with your security IS A JOKE ;-)

(and no, for once, I didn't bother reading the article. whats the use of having excellent Karma if you can't burn some every now and then?)

Are we surprised?

[rf0]

With the recent spate of MS problem such as the slammer worm, IIS vunrabilities etc their public image is tarnished at best. However I think what people realise is that most programs have potential security holes. What people want is a quick response to the problem.

Take the two recent sendmail issues. Two big holes were found but fixes were available straight away. What about MS? Well I believe the record is 6 months after an exploit is in the public domain. Now thats why I have trouble trusting MS

Rus

Re:Are we surprised?

What people want is a quick response to the problem.

As MS are always saying - and the article admits it's true - they are actually pretty good at releasing patches for most (not all) vulnerabilities quickly.

The security problem is that admins don't apply these patches, because they too often break something that was working before. This is a result of either shoddy testing on MS's part, or unclear specifications and documentation encouraging third-party programmers to make use of facilities they're not supposed to know about.

Microsoft is suffering raging split personality. Part of it wants programmers to use every last nook and hook of the code to squeeze the best possible performance out of it; another part of it wants to control (limit) the features available to third-party programmers, so that it retains the freedom to change inner workings without breaking their code.

This is a major QA problem for MS, and I think - from the tone of their talk on "Trustworthy" computing - that at least some of them are aware of it.

Trust... security??

[fruey]

You cannot trust anyone on security

Beware of the man behind the curtain

However, even the non paranoid don't trust Microsoft. The problem is evidently that the suits are going for Microsoft while the techies (the real ones, who didn't get the job by the list of MCSEs in their CVs) just get beaten into submission.

Can You Trust Microsoft On Security?

[GMontag]

Is this rhetorical?

Use NSA Security Enhanced Linux

Because if you can't trust the NSA, who can you trust?

New feature!

[Pilferer]

The review is also available on mirror1, mirror2, mirror3, mirror4

Yay! Slashdot is finally going to mirror content!

Oh wait, what day is it?

obvoiusly not.

[ethelred]

Trust is earned. You don't becone trustworthy, just by marketing. Ask yourself "Has Microsoft earned my trust?"

Re:Well slashdotters.....

[JaredOfEuropa]

O..o..outside?! You mean where the pizza guy comes from?

No worries. The next upgrade will fix it.

[SgtChaireBourne]

No worries. The next upgrade will fix it.

Microsoft Corp. has announced that later this month Bill Gates will give a world-wide video conference to finally explain dot-Net. "It's time to ascend to the next level", Gates said, "we've cut elsewhere drastically in order to augment our sales staff in time for the event". Business leaders should expect calls, visits, and treats during the next month from Microsoft sales staff to ensure that all end users have installed the license for the current Windows Media Player and the licenses for the latest service packs. Calls will be followed by onsite visits. Microsoft sales staff, all licensed notary publics, and Business Software Alliance inspection teams to ensure that each and every the click-through agreement is followed up with a notarized contract.

As part of the treat, each site will receive packets of flavored drink mix for a special toast at the end of the teleconference. MSCEs will give instructions on the preparation of the mix and will assist the sales staff in dispensing to executive staff.

Poor Patches Screwing User Confidence?

[peterdaly]

Koetzle noted that while Microsoft's patches for the last nine high-profile Windows security holes predated such attacks by an average of 305 days, too few customers applied the fixes because "administrators lacked both the confidence that a patch won't bring down a production system and the tools and time to validate Microsoft's avalanche of patches."

I know I have totally screwed at least one "critical" production server by installing a service pack. Granted, that was NT4, which on the whole is just an impossible architecture to patch...or so they say.

Lack of security from the ground up in their design is what I believe the problem really is. The lack of a simple "bring this server up to date" scheduler doesn't help either. Even if they had that, people wouldn't use it due to patches toasting systems in the past.

-Pete

Definitions of "trust"

[abulafia]

From the article:
While 77 percent of respondents in the information technology (IT) field said security was a top concern when using Windows, 89 percent still use the software for sensitive applications[...]

So, clearly people *do* trust Windows, in that they are using the software for "sensitive applications". Of course, they probably have very little choice in the matter, and hopefully they take my tack of firewalling it off from everything when forced to use it.

I was just getting at the obvious false statement in the teaser - the respondents *are* trusting Win, they just aren't *happy* about having to.

Re:Definitions of "trust"

[Pharmboy]

So, clearly people *do* trust Windows, in that they are using the software for "sensitive applications".

Actually, its doesn't prove that at all. Its partially a matter of who makes the decisions about applications (often clueless managers) and some may only run on windows. The other part is left over infrastructure from years past, like our office, where we still have programs we use left over from windows 3.0 days. yea, i know...

Trusting OS's

[secondsun]

I only trust an operating system as far as I can throw it. After comprehensive tests windows XP CD's fly 300 feet when launched from my skeet shooter and are still bootable. But most of my Linux CD's never survive the launch process so I there fore I can not trust Linux since I can't throw it.

.NET a way out for MS?

[DrTentacle]

Given that the Windows codebase has evolved over so many versions, it's hardly surprising that there are plenty of security holes. If the foundation is shakey, don't expect the building to stay up. Especially in a closed-source environment where the number of people scrutinising the code is minimal.

It seems to me that one potential benefit for MS from it's .Net products is the opportunity for them to start over with their security. The models in place for .Net apps are superior to what was previously on offer for Windows development. They even throw in stuff like run-time buffer overflow detection...if you turn it on.

Given that the number of .Net security problems so far appears to be minimal, MS could improve their image as being poor in security, provided they get sufficient take up...and don't screw it up this time around...

ASCII magic

[Compact+Dick]

The "translation" is done using the ASCII charset which is used as a standard in computers, and the corresponding numbers are in hexadecimal form.

The whole message is F0AD:42494C4C. From this, we get "Fuck Off And Die: Bill". How, you ask?

F0AD == Fuck Off And Die [hacker slang]

42494C4C: break them into pairs, as we do with hex numbers. We get 42 49 4C 4C.

Now match the hex numbers with their corresponding values from the ASCII Table.

42 == B
49 == I
4C == L
4C == L

Slammer

[SgtChaireBourne]

Security is the last nail in the coffin.

People aren't applying the patches in spite of clear warnings.

Even Microsoft's own servers got hit by Slammer. It has been quit common for Microsoft's security upgrades to break something else, fail to fix what they claim to fix, and/or introduce additional holes. The Slammer worm showed that even Microsoft knows that it's patches can be unhealthy for production systems. Other companies and software projects just don't have this kind of quality problem.

Even if the patches worked, and even if it had been an old-style, slow worm, you can't patch fast enough. But it wasn't. Slammer reached saturation in 8.5 minutes. Most likely this story was a tidbit to draw fire away from the quarterly financial statement or from the DRM/Palladium stealth payload in Windows Server 2003 + Office 2003.

Sure folks may wish to run Microsoft products for ideological reasons, but there aren't any technical ones and now the market is changing. C*Os have figured out the OS X, RedHat, Mandrake, Debian, OpenBSD, etc. are much easier install and maintain than Windows Xp and far more flexible and secure -- both on the workstation and the server. Novell Netware should also be mentioned as excellent. C'mon when was the last time you heard of MS machine reaching an uptime of more than 200 days? That would be embarassingly short for QNX and Novell.

Microsoft has been to computing what Big Tobacco was to sports.