Microsoft to Clean Up Code
the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.
more of the same lip service from our friends at Redmond. is this the 3rd, or 4th 'security' initiative?
This "emphasis on security" crap is just a PR screen for TCPA^WPalladium^WNext Generation Secure Computing Base.
Bleh you know that their 'clean' code will have just as many problems ;)
"Microsoft has decided to _beef_ up their security group by adding a code cleaning group "
As close to their admitting the code is full of bullshit!
Warning: Slashdot is dissing Microsft. Watch out for monkeys and Gorillas.
If you keep throwing chairs, one day you'll break windows....
If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.
The OSS model of peer review on a large scale is the sole reason for such reliable security.
Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.
Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been non-existent for half a decade by now.
- tristan
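As an added illustration of the "pre/post conditions plus bounds check everything" point in the post above (example code written for this page, not from the thread, Microsoft or OpenBSD), here is a small reader for a constructed length-prefixed record format. Every copy is guarded by an explicit check against both the remaining input and the destination size, the contracts are written out as comments, and the sample input, the record layout and all function names are assumptions of this example.

```c
/* Added example: a length-prefixed record reader with explicit
 * pre/post conditions and bounds checks. Record layout (constructed
 * for this example): one length byte followed by that many payload bytes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16

/* Precondition: dst points to dst_size bytes, dst_size >= 1.
 * Postcondition: on success dst holds a NUL-terminated copy of src[0..src_len);
 * on failure dst is the empty string and nothing beyond dst[dst_size-1] is written.
 * Returns 0 on success, -1 when src_len does not fit (this is the bounds check). */
int copy_bounded(char *dst, size_t dst_size, const unsigned char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0) return -1;
    if (src_len >= dst_size) {      /* leave one byte for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parse one [len][payload] record starting at buf[*pos].
 * The declared length is checked against BOTH the bytes actually remaining
 * in the input and the destination size before anything is copied, so a
 * length field that lies is rejected instead of trusted.
 * Returns 0 and advances *pos on success; returns -1 and leaves *pos alone otherwise. */
int read_record(const unsigned char *buf, size_t buf_len, size_t *pos,
                char *name, size_t name_size)
{
    if (*pos >= buf_len) return -1;             /* no length byte left to read */
    size_t len = buf[*pos];
    size_t remaining = buf_len - *pos - 1;
    if (len > remaining) return -1;             /* length claims more than exists */
    if (copy_bounded(name, name_size, buf + *pos + 1, len) != 0) return -1;
    *pos += 1 + len;
    return 0;
}

/* Constructed sample input: two well-formed records, then one whose
 * length byte (0xFF) overstates the two payload bytes that follow. */
static const unsigned char sample[] = {
    5, 'a', 'l', 'i', 'c', 'e',
    3, 'b', 'o', 'b',
    0xFF, 'x', 'y'
};

/* Counts the well-formed records in sample[]; the truncated third one is rejected. */
int count_records(void)
{
    char name[MAX_NAME];
    size_t pos = 0;
    int n = 0;
    while (read_record(sample, sizeof sample, &pos, name, sizeof name) == 0) n++;
    return n;
}

/* Feeds a record whose 20-byte payload exists in the input but exceeds MAX_NAME;
 * returns 1 if it is rejected with the position untouched and name emptied. */
int oversize_rejected(void)
{
    unsigned char big[21];
    big[0] = 20;
    memset(big + 1, 'z', 20);
    char name[MAX_NAME];
    size_t pos = 0;
    int rc = read_record(big, sizeof big, &pos, name, sizeof name);
    return rc == -1 && pos == 0 && name[0] == '\0';
}

int main(void)
{
    char name[MAX_NAME];
    size_t pos = 0;
    while (read_record(sample, sizeof sample, &pos, name, sizeof name) == 0)
        printf("record: %s\n", name);
    printf("stopped at offset %zu of %zu\n", pos, sizeof sample);
    return 0;
}
```

The two failure cases are the ones that matter in practice: a length field larger than the input that remains (a truncated or forged packet) and a payload that is present but larger than the destination; both are refused before any byte is written past a buffer.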
Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.
And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.
... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?
Oh well. as they said - it's a step in the right direction.
If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...
Pity.
Small potatoes make the steak look bigger.
I'm highly sceptical of this. In my experience, security and features are always on two opposite sides of the spectrum, and Microsoft is too much on the features and ease-of-use mindset to have something really significant coming from this effort.
Microsoft is going to hire testing programmers?
.. but only if they clean up the bugs, and not the patches.. (Hey? what's this if-clause doing here? There is no such thing as a negative packet size!)
"It's too bad that stupidity isn't painful." - Anton LaVey
that's a job that will never go away
They have. It's called J#. It's Microsoft's answer to a question nobody asked.
Oh yeah! Brilliant idea!
Seems like that a "code cleaning group" would be the most poorly efficient way of accomplishing this.
Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!
Why hire somebody else to do _your_ job?
I've never programmed in a huge group before... so maybe I'm missing the experience to understand.
Davak
OpenBSD have done this. They set up a team of devs who went through the entire code fixing up buffer overflows/underflows, and all that jazz. I hope for the world's sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it won't make me feel like Windows or IIS or any other networkable piece of Microsoft-written software is secure.
Gnome wasn't built in a day.
In its newest patented process, MS has just invented PeerReview.Net++.
"Microsoft is a long way from its ultimate goal where users can take security for granted in its products"
Strong security policies cannot be enforced when the end user takes security measures for granted. This is a PR campaign.
# dd if=/dev/zero of=/dev/hda bs=512
Seriously, though, this is a good step for them, and I hope other software companies follow their good example.
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security conscious, rather than just take it for granted.
And I can't imagine their top coders rushing to join this team.
Still, it could work...
Paul "Say no to feeping creaturism"
the code fix YOU!
I would never want to take my security for granted, in any product. Not windows, not open source, not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.
you say it's not interpreted? you're wrong and full of Sun(tm) propaganda.
Try (-1, Tinfoil).
Especially if the clean-up group are not working closely with the original developers.
Fix 1 security hole.
Introduce 100 bugs.
Hmmm.
The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.
Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.
The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.
SIG:Slashdot: indymedia for nerds.
What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.
The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.
I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.
You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.
"The new group is called Security Engineering Strategy"
A weak name, I suppose. Some suggestions:
1. Next Generation Secure Computing Strategy.
2. Social Engineering Strategy.
3. Brainwashing Services (BS, for short).
4. Severe Acute Repair Services Group (SARS group)
5. Purity Enhancing Networked Information Services. (figure it out)
If you keep throwing chairs, one day you'll break windows....
..you can only realize the truth, that the Windows code is the virus.
My ignorance is a perfect shield against your logic.
So does that mean I won't have to use 128MB of RAM just for Windows?
-illumina+us "I put on my robe and wizard hat..."
...is peer review by knowledgeable people within the security community. And how do they have peer review of their code?..... open the source, of course.
ok, i did not mean for that to rhyme, but you get my point. Microsoft is a big self-reliant entity that hires like-minded people. That's not who they need reviewing their code. They need objective 3rd parties with real-world experience in security and systems. I'm not saying they need to put the code to WinNT on an FTP server for all to see, but loosening their grip a little.
Once MSFT realizes that they don't have to be nazi-esque with their firm grips around their code base, and they can succeed by opening up a little, they will do great things, imho. They haven't quite learned that yet..
I lost my concept of community when my community lost all concept of me.
First, this isn't a code cleaning initiative, as someone above noted -- the article says that the new group will "establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws." So it looks like their job is to just improve the programming methodology at our favorite software company.
Second, there are only ten people on this task force. Will they have enough time to fix the programming methodology for all Microsoft software? Somehow, I doubt it -- and it doesn't take much imagination to guess that the Mac products, for example, aren't likely to be the primary targets, as well as any spyware that Microsoft finds convenient (*cough*WMP*cough*). ;-)
So it's a step in the right direction but I think they need to use more manpower to solve this problem. God knows they have plenty of it. Until they do, across the board, I don't think many of us will ever trust Microsoft's security. (I'll leave the question of trusting Microsoft itself to another discussion.)
-- shayborg
'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...
The way I hear it, most people already take security for granted with MS products.
And are proven idiots.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
what a company!
Yea, it really sucks that I can develop and test code on my Windows laptop and just copy the compiled files over to an AIX box, or Intel/Linux box, and everything works perfectly.
Methinks you're a disgruntled C programmer feeling the world's leaving you behind.
Get with it - there's tools for every job - pick the one that works best.
My original point was made in humor partly - but the main point was that normal security exploits attacking buffer overflows, for example, are a non-issue in my 'interpreted language'.
Nobody in their right mind is going to simply take it for granted that any given operating system is secure. Considering Microsoft's track record of programming, they are the last people anyone should blindly trust. The only way to deliver security on a project of this magnitude is to open the source to peer review.
The majority of software viruses are written for Microsoft products...this probably has something to do with the fact that they're on the majority of computers world wide.
Please, like OSS software is so clean and bug free. At least with MS software, I know there's a division of people working on producing software fixes. With OSS software you get the fix whenever the person feels like it...I welcome the fact that they are admitting their code is buggy and are trying to fix it. When's the last time you heard OSS people say their code is buggy, because honestly they both are.
Are they saying that they will start doing the code review from now on? Does it mean that they were not doing it before and not following the procedure that is standard in most of the software development firms?
- Jalil Vaidya
I have still refused all projects that call for Java programming.
.. Or, hmm, maybe you're a school-boy.
Did you stomp your feet when doing so?
If it cannot be programmed with a real language, I don't wanna do it.
Oh, that's brilliant. Do you tell your management that?
The article failed to mention the individual who will be heading the group. I wish Mr. Pen and the rest of his team the best of luck for this endeavor. They'll need it.
daed si luap
Farmer John has decided to close the gate after all
the horses have run away.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
its ultimate goal where users can take security
And here I always thought Microsoft's "ultimate" goal was world domination...
I mean, that's what I've read here on slashdot...
(cognitive dissonance takes over...)
They must have gotten that statement screwed up...
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.
Think about the success of OpenBSD. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).
Laughing at your competitors is a risky strategy.
If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens when Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.
I'm wrong and so are you.
Java came out of its shell a few years back and decided it wanted to be an enterprise platform. J2EE has the enviable position of being a cohesive framework that is highly portable and covers large swaths of business computing. This is a Good Thing.
Microsoft liked this idea and saw the benefits of an abstracted enterprise VM and came out with .NET. To compete with Java, they released the specifications for the VM and additionally a C++/Java hybrid called C#.
Now, I don't know everything about your programming situation, but I can tell you that regardless of what you think, some of the largest software capitalists in the world believe in all the above technologies. They all plan on making large dollars off it. Perl cannot do this. PHP can't do this. C can't do this. (actually all of them could but they won't)
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
For that matter, Linux is far away from this goal as well. It just doesn't give people as much chauvinistic pleasure to trumpet it. From the glee and sarcasm in the early replies, you'd think Linux is unexploitable.
And many people have pointed out that while the majority of exploits have been directed at Windows machines, there are a lot more Windows users than anything else.
because it's the fox guarding the hen house. When I use Microsoft Software, the group that I most need security protection against is Microsoft Software!
Until Microsoft establishes a fiduciary relationship with the user instead of corporate america, nothing will change.
It's Microsoft that is recording what videos I watch, embedding undisclosed personal information in my Word documents and allowing anyone and everyone to track me through their media player, etc. It's a full-time career just trying to protect oneself from these intrusions.
backdoor installation and upgrading team.
Great! There was a real mess with all the backdoors introduced with every new Windows Update, and the exploiters would spend an awful amount of time and money each time to log in and at the same time use the most user-friendly backdoor.
Great work. Thanks.
I think you forgot to add this:
and everything works perfectly*.
*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"
Seriously though, every Java-based piece of software we have looked at has been total crap. Many of them require a certain runtime, such as one web service from a major company we looked at, that only works with Apple's runtime. Others only work with MS Java runtimes. The list goes on.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Ya wanna raise?
:)
Most likely they are renaming another group, or creating a new "Standard" on their own, by making, oh, let's say the Janitorial department the new "Code Cleaning" group.
I feel PsyCops scanning my mind.
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
But my Project Manager wasn't amused when I sent him empty source files after cleaning up!
Rapid Nirvana
*sees pigs flying*
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
Oh, yeah - that dude is so fired. This is sort of like that moment during the 98 demo that the scanner blue screened the computer while Bill Gates himself was doing a presentation. He had the gall to say "I guess that's why it hasn't been released yet."
I couldn't get over the feeling of how surreal it was to imagine Bill Gates having a single thought about product quality, much less expressing that thought in words.
NEWSFLASH!: Microsoft invents quality control! Source code review measures, internal cooperation among units, standardized enterprise-wide security measures! Patents soon to follow!
It certainly makes me wonder what the hell they've been doing all these years, besides making gigantic amounts of profit...
Oh... right, less money on development costs == more profits. Now I see why Steve Ballmer and Bill have been selling off so much stock.
A feeling of having made the same mistake before: Deja Foobar
Security can't be just added like that to a product. Security is not a state, it's a process, and has to be had in mind right from the beginning. Closing a few buffer overruns won't magically make Windows safe. There are other kinds of security problems, and I'm pretty sure there's a good number of them that exist due to the design of the API itself.
What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.
Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.
He'll give you a seminar on code cleaning you'll never forget.
It's Christmas everyday with BitTorrent.
1) UNIX IP License.
:-D
2) Plan to clean up code.
All they have to do is start swapping files.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Shouldn't the most extensive security possible come as standard?
Instead, we rarely see anything but attacks on the competition, and hypocritical attacks at that. Microsoft and Intel are bad, but Apple and AMD are good.
Seldom have I read anything here that suggests why I should consider using open source software. All I hear is why select blacklisted companies are bad. I am dubious of anyone who favors relentless attacks on the competition over honest self-promotion.
"Ask not what your country can do for you." --John F. Kennedy
...that you use an open-source alternative, and not have to take "security for granted"!!
... at the same time they make their products more "secure"? Well, I guess the 2nd part of my question answered the first -- ain't neither one gonna happen...
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yokels, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.
What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50,030
GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.
This is a delayed April Fools joke, right? Someone forgot to check a date on a submission or something? When would the director of MS security actually admit something like "Microsoft has bunches of bugs"?
Denver Isuzu Suzuki
The Code Cleaning group has come up with a brilliant idea! Instead of releasing buggy code and fixing it with Service Packs later, the new technique is to release Service Packs first... typically in the form of leaks. Once this is done, then the 'previous' versions are leaked. After a while, the code reaches the users.
This way, users are sure to get fully patched OSes from day one. Similar strategies are being adopted by anti-virus s/w writers as well.
If you keep throwing chairs, one day you'll break windows....
Sisyphus to push rock up Hill.
"Job needs to be done, and I project an early strong effort should complete this onerous but necessary task" states Sisyphus.
G.
OH I feel for the progress report writer for that group...
...when it gets down to fundamentals, do what you have to do and shed no tears. Dr. Matson in Tunnel in the Sky
Forever is the release date.
;-)
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
some of the largest software capitalists in the world believe in all the above technologies
Corporations believe in a lot of things, and miss a lot of other things in doing so.
In the early 90's, everyone expected Unix to collapse and NT to take over the server market. A decade later, Unix market share has grown via Linux and NT is in the minority on the web.
Microsoft believed in MSN and almost completely missed the Internet revolution.
Sun believed in NeWS and X stomped it into the ground.
Sun also believed in JINI. Remember that? I doubt you do.
Microsoft believed in Passport & Hailstorm, then scaled back their plans, then buried most of it.
Now Sun believed in Java and Microsoft believes in .NET. Big whoop. Call me back in three years and we'll see who believes what then.
By the way, do you remember what .NET was originally supposed to do? Microsoft took a very long time before even they could decide what .NET actually was. They managed to believe in something that didn't even exist..
Firstly, filter it if you don't like it.
Secondly, I believe it's very important to keep track of any and all movements of the biggest, richest, most powerful company in the world.
Of the company that controls 95% of the desktop market that Linux might, hopefully, break into.
If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.
A company with such terrible operating practices should be watched closer than any other company, and I'm all for it.
Despite your obvious trolling, I will agree that it might seem a bit much, but I'll tell you, I'm glad we're looking too hard, than not looking hard enough.
I wait for these same comments about the SCO case in a few days.
Let's see - You're a code reviewer for the M$ Code Cleanup crew. Windows 2005 is rolling through development and you find a security issue that'll add a man-month to the project. What kind of pressure will you encounter from Microsoft's marketing department?
Don't forget, when MS speaks of security, they often mean their own security. For example, users not being able to transfer the OS from one PC to another.
Instead, OSS developers do what they like and don't cooperate. I can't blame them for this, I'm very grateful for the libre software they write for free, but without cooperation MS will win.
See the Too Much Free Software article (and its comments). There are a lot of examples of programming hours which could be better used (latest one: Epiphany vs. Galeon).
I hate M$ as much as the next guy but being the biggest software company and a monopoly makes you a juicy target for hackers. Yes, they have security problems, but also remember, they are under assault constantly from wannabes and script kiddies.
CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
They're a company with probably the most products and services in the world that also integrate with each other and other products more than any other, and are far more extensible! So, whoopty-f'in-do to your little 1000-line, "bug-free" linux script that does something that 100 scripts already do and doesn't integrate with anything!
Yup, and what about these here!
the majority of viruses written attack Microsoft products.
That is because it is the predominant format; there would be a lot more viruses for Unix if it was adopted more. You can write a virus for any OS. Personally, if I was going to write a virus, wouldn't I want to distribute it to the masses? You won't find me doing that with BeOS, for instance; relatively few people use it in the grand scheme of things.
"Microsoft code... so fresh and so clean!"
This just in... Microsoft is attempting to catch up to the rest of the world. Full story at 11.
We are blind to the Worlds within us
waiting to be born...
Obviously, MS bashing abounds, but I view this as a good thing.
Working in an environment that is purely MS-based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - just as the company I work for is not going to replace all its investment in MS tech overnight.
Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better than what presently happens at MS.
As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?
Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.
*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"
Nope, don't think so... I develop on 1.4.1, and my stuff runs fine on 1.2.2 and up.
This isn't any ordinary darkness. It's advanced darkness.
If you really want to make your code secure, you have to do it before the genie is out of the bottle. This means longer coding cycles, development times and QA processes. How many of us have written some code that worked, thought about it overnight and decided that we would like to refactor it but just didn't have the time due to development cycles?
Clean-up is a real tricky thing. The main problem is that every time you 'clean-up' a line of code, you are potentially throwing out a bug fix. Clean up too much code (throw out a single bug fix) and you open yourself up to more security problems (majority of all 'attacks' result from buffer over/under-runs)
All your base are belong to us!
"SCO: The hour is later than you think - Microsoft's forces are already moving. The nine have left Redmond.
OSS: The Nine?
SCO: They crossed the River Columbia on Midsummer's Eve, disguised as Riders in Black.
OSS: They've reached the Shire!
SCO: They will find the source code, and KILL the one who carries it!
OSS: Linux!
SCO: You did not seriously think that free software could contend with the will of Microsoft. There are none who can. Against the power of Redmond, there can be no victory.
We must join with him, OSS. We must join with Microsoft. It would be wise, my friend...
OSS: Tell me, 'friend', when did SCO the Wise abandon reason for MADNESS!"
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Like it or not, Windows is improving all the time, just look at the leap in quality between Windows 98 and 2000 alone. This is a company that is doing some good stuff and getting their act together.
I still use Linux for development, because it's a better platform for what I need to do. But I think it's a good thing that there may be difficult decisions in the future about what platform to use. If there is only one hands-down winner, then who's driving the innovation? OSX, Linux, MS. All these have become very viable platforms and users of each one are benefiting from the competition.
Now if we could just get MS to compete on software quality and features alone instead of legal wrangling to rid itself of its competitors. That whole SCO thing scares me a bit.
Troy
When push comes to shove, Microsoft always chooses new features (interoperability) over security.
This new group is just for propaganda, to make it seem like they are working on the problem.
IF you tell a lie enough it becomes truth.
Windows need cleaning.
Last time I checked, they went boasting on the millions of lines of code that the OS and related products comprise. Code cleaning means spotting POSSIBLE semantic errors, refactoring classes, refactoring organisation, and quite possibly totally rewriting whole parts just because it was all wrong from the start. That's gonna be some long hours for a handful of programmers if they have to do everything again, with the added danger of introducing new bugs or alternative behavior. Unless they have the behavior of every little teensy bit of code clearly documented, with exceptions, timing issues, every damn possible pre and post condition, this is barely something you can oversee (and even if you had that kind of information you'd probably drown in it).
Most of all, additional security means additional cycles souped up. And introducing alternative code paths can potentially break an API.
The fact that they even try this approach means that their top execs have no understanding of what it is to write software. It is often times better to throw everything away (well, at close hand range anyway) and restart from scratch with all the new ideas and designs. But I guess good old 'backwards compatibility' has always been the haunting ghost in SF-bay & Redmond.
Cheers & eurocents,
With great power comes great electricity bills.
Code clean-up is always a great idea, just like programming with security in mind, programming with memory and CPU efficiency, with simplicity, etc.
What I wonder is what will happen practically.
Crufty code crawls in and out of so many wormholes that major clean-up is likely to result in big changes in functionality. I'd expect backward compatibility is likely to suffer.
"Provided by the management for your protection."
Here in Oz the S.E.S. is the State Emergency Service - the people who tidy up the mess and damage after disasters occur.
Hmm... sounds like they have similar agendas, except that ours tackle natural disasters which were not our own fault!
Go permanent? In your dreams and my worst nightmares.
I'll put up with their stupid PR stunts. Until then, I'm not holding my breath.
as I look outside my window this morning, I see something in the sky. Is it a bird? A plane?
oh wait..
it's a flying pig.
The security record of most operating systems is pathetic, including both the commercial and open source categories. Even OpenBSD relies on auditing after the fact, not on designing with security in mind at the beginning. Have we learned nothing since the introduction of Multics in 1965? Multics had a higher security evaluation than whatever POS is currently running on your desktop.
Mea navis aericumbens anguillis abundat
Wasn't taking security for granted the problem in the first place? We see where that got Microsoft...
I'd also like to point out (love 'em or hate 'em) what Bob X said about cleaning up code...
M$oft has announced plans to push Longhorn back to 2006. The company has decided to start from scratch and their latest OS will be based on the Linux kernel...
How on earth is this a troll?
The poster asked for debate - I responded with a point by point response to his post.
And I get labelled a troll for not being anti-MS!
My Journal
Microsoft has code cleaners mucking about with great regularity for some time now. Every MS security update introduces a slew of em...
From excellent karma to terrible karma with a single +5 funny post...
how do you clean up a pile of shit, without first dirty-ing your hands?
Microsoft does no good by doing right, they don't do anything right, they are shit and evil.
More later on Linux Daily.
Saying they are going to do it and pulling it off are two completely different undertakings. Even throwing x amount of warm bodies and money at it is still quite the iffy proposition. If it was really that simple, they could pull a truckload of cash out of the bank and sprinkle it all over Redmond from aeroplanes.
It's gotten so bad with Microsoft and "normal" Joe users I have started to refuse all Microsoft tech related "help me please" requests from people I know. One, is most of the time I really can't help them, fixes and problems are way beyond my interest or expertise any more, I just plain stopped even trying to use it. The second is--what's the point? Really, what's the point? Even if it was completely 100% "fixed" (I doubt at this time they can do it really) it would still be...just plain wrong, from my viewpoint on what software should be now and what it is for and what is the best for people and what legitimate business should be. I do not separate money from ethics in my life. Note, that is merely my personal opinion on it, anyone on the planet can choose to still use and "support" them, I just choose not to, similar to a few other large corporations that I consider to have "crossed the line" into sophisticated international thuggery and criminality. I REALLY DO consider them to be an unethical and immoral company, and their products reflect that, again, IMO. I am sorry for the people who work there and aren't crooks or bad people, I am sure most of them are just fine regular old folks just trying to make a buck, and I am not trying to put them down or anything, but at this time that company and managerial and directorial mindset needs to be scattered to the winds of business history. At one time, and for many years, they were more or less fine, I didn't consider them the way I do now, but what has been revealed with them, and watching the evolution of their products and influence on all of our technological society has changed my opinion of them, and shows me it's just a big bully criminal gang now who happen to be in the software business.
Same as any other gang out there, I am not concerned with "reforming or fixing" the mafia or its "products" for example, even if a large part of the mafia now has morphed and is considered "legitimate business", they got there in the first place by being crooks and thugs whenever they could get away with it.
It's sort of sad in a way, too, there is no joy or gloating over it from my viewpoint, it just is reality.
We've heard this before. Didn't they take a year and clean up all of their code before? Are they going to take another year and do it again? How many years will this take anyway?
In all reality, if they want to fix their security, they need to fix the way they view data and process. They blur the lines between the two way too much. They also encourage the users to blur the line between the two as well.
If they truly want to make a more secure OS, they need to remove the ability to run code from every form of document you can make with their code. Macros are nice but when they let you have full access to the system and its resources they are deadly and the biggest security hole you can ask for!
I should not be able to run full blown BASIC apps just by opening a Word doc, email, spreadsheet or whatever.
-- Many men would appreciate a woman's mind more if they could fondle it
As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'
Personally, I do not think that security should ever be taken for granted. I think it has been proven that this lax security awareness leads to problems independent of the software (e.g. stolen credit card numbers and identity theft from insecure websites and, to a lesser extent, the proliferation of spam). Most people do not take the locks on their front door for granted, so why should the computer be any different? Especially now that many individuals use the computer as the primary portal to the outside world.
However, the lower limit of this service pack/previous version approach will be Windows95.
Ballmer says that the regression will stop short of reverting to 16 bit code, or his name is Adam Osborne.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
LOL! :'D
I had no idea that Microsoft was prepared to completely rewrite their entire operating system from scratch. But since it says that they have instituted a group to clean up their code, that must be the case.
then ship the JRE with the app. geez, the JRE is redistributable. i might be wrong, but it is my understanding that a majority of java apps are written for internal consumption.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Move along.
According to the article, the new group will be called outa'sync (um, no, wrong article. Hang on. Ok). The new group will be called the (drum roll, please):
Any group that has the word "strategy" in it will spend their time writing memos about how this piece of already written code could be better.
These memos will then be ignored by everybody so they can meet their deadlines.
Karma: Food Fight (Mostly affected by Date Plate).
...being shot out of an air cannon straight towards your face.
Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here, seem odd to anyone else?
This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "Look at us, we're doing something(tm) about security!"
Makes me wonder if this is Microsoft's way of making sure it has a chance to influence what the gov. considers secure.
This comment is fully compliant with RFC 527.
Lip service or not, these developers have in their job description to be scapegoats. That is not an enviable position.
Absolutely, as everybody with even the slightest sense of how software security works knows, you can't just *add* security afterwards as Microsoft seems to be proposing with this "code review".
It just doesn't work that way!
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Slashdot's product placement and trolling stepped up while European legislators were discussing software patents. Picayune articles, many of which consisted of rehashed softer versions of old FUD and misinformation, covered topics which have already been dealt with, again and again.
Since most novices do not understand the scope and severity of MS's problems and since any critique of MS, no matter the merit, gets written off as "MS-Bashing", it would be best to focus on the more successful areas of the IT sector. Here are a few examples:
Check the forums for tools that work - *BSD, Linux, QNX, Netware, eDirectory, LDAP, Kerberos, KDE, Gnome, Apache, MySQL, Postgresql, and so on ...
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Do you suppose you could secure windows by putting it inside a windows emulator?
For example: is a Mac running OSX and windows emulator (eg virtual PC) more secure than windows by itself
or how about linux running win for lin ?
Can you really stuff things up by running a mac X emulator or unix emulator on windows?
-- it must be true, it's on the internet.
It's still an after-the-fact cleanup, patching in security after the code is written is not very reassuring.
If Microsoft was serious about computer security, they would bundle antivirus with Windows for free, like they did with IE, and we wouldn't need third party antivirus programs.
... bad news for Linux etc. when it does.
...95 was a big improvement.
...Windows 2000 was a huge improvement.
...The 2003 servers ARE a big step in the right direction.
Windows 3 was crap.
Windows 95 is unstable.
Windows 2000 Server is insecure.
If they progress as far in the next decade as in the past decade, they will be delivering stable, reliable and secure servers. If that happens I don't see Linux based systems able to offer too much competition.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
Not "to sell secure software" you'll notice, but to make customers "take security for granted".
So presumably if the security stinks but everyone assumes the system is secure, they will be satisfied.
Everything I dislike about the company in a nutshell
Don't let THEM immanentize the Eschaton!
Step 1: CD C:\data\sources\
/* Microsoft codebase V2.0...
Step 2: erase *.c
Step 3: erase *.h
Step 4: notepad.exe newrelease.txt
Step 5: Start typing...
[]'s Carlos Cardoso - Becoming a brazilian ProBlogger, typo by typo
Have a team of debuggers on staff.
When something breaks stick an open debugger on the task.
I knew a professional debugger when I was a kid.
He called my computer a toy... I didn't appreciate that.
I don't actually exist.
so windows will crash without any blue screen - that cleans the code by some fifty lines ...
Pardon, I think you mean PeerReview.Net#
By reading this comment, you immediately waive any and all rights regarding it.
actually, it is Emacs/readline.
Security holes at MS come from one of two sources:
There was one case where I had gone through a fairly lengthy piece of code (ok, maybe not *that* large, but it was a good 25 pages of print-out). The next day I received a new print-out of the code with nearly each line annotated with a comment like "This should be like this" etc...
I do have to say that they were very thorough in their review, but that once the review was done nobody went back through the code to make sure that I had actually made the changes.
I think it was Butler Lampson who said "all problems in Computer Science can be solved by another level of indirection."
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I hope for the world's sake they do a terrible job and most people realize it. If their software remains marginally good enough in most people's minds, as it is now, it'll continue to be used. They're walking a thin line right now. If their software is seen as more expensive, buggier, or more insecure than it is now, even by just a little, they'll hurt. Anything that keeps them above that line keeps them in business. I'd much rather see them fail so there's a much quicker transition to FOSS.
Developers: We can use your help.
Nice way to hide in a constructive way the 750M fine to AOL; that team will probably cost around 750M overall so the earnings per share will not suffer much :P
No matter what they do, they'll spin it like the other deficiencies in the past as if stability and security were features and innovation as opposed to standards every other OS has had for years. I don't think that they will ever become as stable and secure as Linux and Unix, but they'll get most people to believe that they are.
Well, there's spam egg sausage and spam, that's not got much spam in it.
...is not the same as building without holes. This is a waste of resources if you ask me, it won't improve the situation at all. I pity the members of this team.
TallGreen CMS hosting
You mean you actually take them at their word????? This is nothing more than marketingspeak, insincere, good-time rock-n-roll garbage spewing forth from Redmond. I have not seen any of their previous efforts resulting in a relatively error-free environment for me.
You're right in that it's not going to happen overnight. But then again, it's not happened in the past several years (since they launched the whole "trustworthy computing" thing - however long that's been) or even the past decade. I still have computer crashes triggered by cutting and pasting plain text between applications. Now it's not happening daily anymore, but once or twice a week now...then again, this is still completely unacceptable to me.
I'm sorry to rant, but they've had their chances to unf*ck their software, and they've consistently blown it, and they've been rewarded for it. I see no real incentive for them to change. I DO see an incentive for them to make noise about how they're changing, but all the window dressing in the world won't make my MS Windows workstation any more stable. They have a long history as a pack of unrepentant, unpunished liars, and I just don't believe them.
Besides, their paperclip mascot is nowhere near as cool as our penguin.
What, AGAIN!?!?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
I personally think that MS should start all over again from the ground up. The problem is that fixing up bad code is annoying and you ultimately get something that's mangled.
The best thing to do would be to start over but make things appear the same at the upper layers so some existing apps work. However I do understand that this would leave a bunch of non-working apps, but I think it might give M$ new life.
They could even rip off linux and call it their own. But don't get me wrong, I hate M$.
cat bad_code.c |grep -v getchar > good_code.c
Just go right on believing. The cool-aid makes it all real.....
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
How come Microsoft gets to take security for granted in its products, but the users don't?!
If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.
I had no idea this was a competition.
--- I do not moderate.
Why is it that when I read this, my first thought is "oh, so now Microsoft is going to be writing lots of viruses for other platforms...how nice"? There's more than one way to skin cats, and Microsoft always seems to pick the way that does harm to its competition. Benefits to its own customers are seldom a serious consideration.
Maybe I'm just overly cynical this morning...but tell me you didn't think the same thing...
Maybe there's already groups doing this - but it would be interesting to set up a group of OSS people who are willing to be pulled into to perform security reviews of open source software. It would basically be a service to OSS projects.
Will this group have the authority to hold up a release if there are security holes? If not, they are just window dressing.
Is this group REALLY going to be able to get Microsoft to create secure code, or just avoid goofs so large they provoke those embarrassing industry articles about lack of security?
Microsoft would be much more successful if they actually read the bug reports sent by people, not just deleted them.
Cheers,
RoadkillBunny
Sorry Bill, I have to call bullshit on this one.
Astute /.'ers will recall His Billness having to withdraw an ad that claims his wares "makes hackers obsolete". Even more astute /.'ers will remember the day when Microsoft's own code was compromised. They can't even protect their own IP with their own products! If M$ can't keep its own IP secure with Windows, who can?
Is it just me, or does it seem that the main reason most virii are written for MS products is because MS products are installed on 90+% of PCs? It would be rather silly to write a virus for BeOS or other similarly underappreciated OSes. If Linux was installed on 90+% of PCs I'm sure we'd see fewer MS virii and more Linux virii. Doesn't take a mathematician to figure that out.
-Jagged
The only Microsoft OS I've seen that is secure is Win 3.1, despite its lack of functioning. Remember, 3.1 didn't need a serial, good times... I mean, how many operating systems do you have to put out to get it right? I think if they make the end-all do-all OS they would all be out of a job.
So you want to have one of those arguments? Check the news about all of the countries whose governments are switching desktops to Linux. Take a look at the largest country in the world having their government promote their own flavor of desktop Linux. And how about yesterday's news of a country with more people than the US having a president recommending Linux. Let's not forget IBM with over 250,000 employees switching. And then there's Merrill Lynch and Morgan Stanley. How about 640,000 TiVo users? See my list for a few more.
Microsoft is a federal criminal that wasn't punished.
They have no motive to do anything in honesty. It is more likely that updates and patches only provide MS with more hooks into your system.
The only way to verify in the public's eyes what MS is doing is to open their source up.
And we all know that is not going to happen.
Who wants to bet that if there is SCO code in Linux it was either SCO or MS that put it there?
This Monday, FCC Chair Michael Powell will hold his vote on media consolidation. There's nothing special about that date -- it's totally arbitrary. The vote will conclude a process which has shown deliberate disregard for the views and opinions of the American people. Powell has refused to even release the actual language of the rule change -- it won't be known until after the vote. And he's only held a single meeting to hear the views of the public. Even when a bipartisan group of Senators requested that he give Congress some time to discuss the impact of this change, Powell brushed them off.
Chairman Powell still has the power to delay the rule change and allow time to have a democratic debate about its consequences. Please call him today and ask him to allow a real public debate on an issue of such massive importance.
You can reach Powell's office at:
(202) 418-1000
Once you've made your call, please let us know at:
http://moveon.org/fcccall.html
"Moving through the masses like a fish through water." syrup
Don't forget this most important issue...many people *started* using M$ products, but now, like a bad crack habit, they can't stop - the cost is just too great. I'd argue that they might like to look at alternatives, but M$' proprietary document formats, ever-changing APIs, etc, is making it next to impossible to implement a compatible alternative.
Hear, hear! What you have said perfectly illustrates how it is that "middle-men" infect every sector of human society. These middle men have nothing to offer of any real worth. They simply repackage (i.e. dress up the image of) other people's work and claim to have something new, different or good for you. Some examples:
The "Knowledge Manager" - This curious occupation *DID* at one point have validity. These were people who were charged with the task of taking the vast amounts of information that our digital culture has created and organizing that data. They SHOULD be a perfect blend between librarian and DB admin. In reality, most knowledge managers know nothing about technology, but argue vehemently that they should control the direction of its use in a company. Most of the KM trade journals I've looked at usually put the knowledge manager in the position of "knowing" more than the programmer or engineer about technology. Many illustrations in the articles show you a stylish "professional" who is "leading" the lowly tech/admin/coder to building the next "great thing". Most of the KM journals themselves are extremely light on any discussion of technology and put more emphasis on management. The mistaken assumption when it comes to KM today is that the "M" means managing people. It does not mean that at all... it means managing information. The middle men have worked their way into yet another promising field and "ponzied" it.
The "Employment Agency" - Today, employment agencies are one of the biggest businesses in the United States (and possibly the rest of the capitalist world). They purport to connect a promising employee with an employer for a temporary period of time. This service takes money from both the employer and the employee. When the employment agency is actually competent with IT candidates, this can be somewhat beneficial. But look at the big picture. Take a ten mile step back and look at what's happening. These companies are making incredible amounts of money by connecting people with jobs. Most of the jobs are temporary and both parties pay for the service. What's wrong with this picture? In reality, these companies aren't doing anything really productive and are getting a disproportionately large amount of money for it. Again... the middle men make a grab for it.
When it comes to REAL IT folks, it's all about what you know in relation to technology and getting your hands dirty. Even if you are management.
Un-news
you have to admit, they have more people freely helping them research security than anyone else.
For many years, the NSA used a Multics system, dockmaster, for Internet email and networked forums.
Doesn't sound too secure...
philcrissman.com.
More seriously, did anybody here ever have the occasion to take a look at bits of Windows code? What did it look like?
Actually, it's because every program that runs on Windows can do (almost) whatever it wants. I'd bet you'd see a lot more Linux viruses if we all ran as root.
Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld.
Maybe they can slip some "SCO code" in there while they're at it.
All the Windows source files will now be properly formatted and indented!
Make that "Visual PeerReview.Net#"
Thing is, they have no business reason to do so. The only reason they'd do this would be if security and quality issues lowered their market share and/or their stock price. And I haven't heard that it has. Well, perhaps announcing this will raise both?
I've proposed cleaning up code before in previous lives (um, not with Microsoft), but my project manager / CTO would look at me and say, "Does it make business sense to do this? Will we see tangible savings by cleaning up the code? Can you prove that by spending X hours refactoring or redesigning our foundation that we can recover X+ hours of productivity?" Of course I couldn't, or at least I didn't want to spend the time doing the analysis while getting further behind in the project. Yeah, you can say that this is dangerous thinking, but this guy had to cover his ass, and if his boss found out that we were making the code "prettier", he'd get his butt chewed.
In this regard, there not being a business reason for Microsoft to clean up their code, my preference would be that Microsoft would just keep quiet, sit back, and let the bucks roll in as usual. Money's not a totally bad thing, you know. Especially when you own the world.
DT
Is this thing on? Hello?
There is no way on earth Windows is going to get any more secure. In fact, it will only get LESS secure as time goes on.
Why is that you say?
Simple. Windows is a monolithic piece of software.
You say so what and what does that have to do with it?
Plenty.
For starters, anyone who knows anything about Software Engineering, and what came out of the DARPA and TRW research agencies in the 80's/90's, building some of the largest edifices of software ever conceived, is: Less software makes more secure software.
That is, you don't make a software system more secure by adding more secure software to it.
Software by its definition is not a discrete mathematical concept, it is quite open ended. Therefore you can never compute, predict, or make software, by definition, secure on a Von Neumann computing device.
It is a pipe dream.
(That is why I don't subscribe to the idea that software is patentable, as some say, because it is like a physical system, a machine. It isn't. Software is a method for producing abstract mathematics. It has no bounds, and all thinking methods in the known universe are employed to make it work. By its definition it is PUBLIC DOMAIN.)
Furthermore, agencies working in secret, building black projects with the tax base of the entire US trillion dollar economic base at their disposal, have studied these issues with far more resources than any commercial venture can muster, certainly more than Microsoft has.
I find it ironic that even the most declassified basic research that comes out of the published reports on the DARPA software engineering/development organization goes unheeded by so called "Microsoft Press" book publishing "experts".
The only way to make Windows more secure is to start copying the way Unix was conceived of and built, and take a lesson from history.
That is, Linux/BSD/Unix allows you to CUT OUT large sections of software that need not be loaded or used on a machine for a particular purpose by the kernel or OS.
If you could, for example, cut out the GUI on Windows, all of the COM/DCOM and .Net services, and leave just an IP Stack and a Pop Mail service on the machine, you go much further in protecting the security of the machine.
But you can't do that. Microsoft is trying to make machines so easy to use that a monkey could operate them.
That is fine, but the world is composed of bigger problems than the monkey and the machine combined.
This in itself is not bad, software should be easy to use, but software must solve a problem, and I am afraid business/scientific problems cannot ALL be classified in the same genre as Miss Tilken's and her Mail Merge problem that can be solved with a Dialog Box and OK/CANCEL options in a Wizard.
But this is how Microsoft continues to proceed, building ever more enormous Operating System Software and applications, taking this philosophy and putting it into their OS base where it doesn't belong.
The Monkey Philosophy belongs on the application level, along with Miss Tilken's. Not at the OS level.
Effectively, Microsoft is attempting to encode every possible "Enterprise" scenario in its products "Wizards", so that the software makes most of the decisions, and the User just pushes buttons.
Worse, those scenarios not covered in this contrived decision tree are deemed "enemies of the state" (i.e. products, such as third party tools you load on your XP machine, can be viewed by Microsoft as 'something we don't support', call back after you remove the offending software... thank you for your $300 dollars, have a nice day).
Then many people on slashdot, and Microsoft, I have seen have said "Well, our products save you a ton of time and make things very easy..."
I am sorry, but software and computers, and particularly the problems they attempt to solve...ALL CAN'T BE EASY. Undoubtedly SOME can, but not ALL. For things like Word Processing and SpreadSheet work,
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Is that OEM, upgrade, developer, enterprise, testing, professional or home edition?
I don't know about anyone else, but being assigned to clean Microsoft's code sounds like one of the worst jobs imaginable. Not just from the sheer size, but attempting to find all of those little loopholes amid a mish-mash of cross integration without sacrificing functionality and speed? I hope they're well paid.
Kalen D'arrie
I can do it in one line:
C:> deltree D:\source_code\windows
...all that remains is:
int main(int argc, char** argv)
{
return -1;
}
"the majority of viruses written attack Microsoft products."
Well if that's the problem, the solution is simple.
1) Tell the new team to write viruses to attack non-Microsoft products.
2) Advertise that 90% of viruses attack non-Microsoft products.
3) Profit!
Note, that order might be slightly mixed up.
Seeing as how they're paying Indians $1.25 an hour to do the code, I'm not surprised they're finally doing this. All the code maintenance jobs are moving overseas. Only the high end stuff is being kept. I've got friends losing tech support jobs to India, so I'm kinda bitter. A good friend of mine just went from $9.25/hr with AOL to $6/hr at Jack in the Box. Sucks.
I like how Microsoft attacks Linux for not providing America jobs and taxes, then moves the jobs overseas and uses loopholes to avoid taxes.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
...indicates their security code will open up security holes. Their credit is so bad, people won't take their cash.
"What luck for the rulers that men do not think." Adolf Hitler
Win 2k+3 costs thousands of USD/processor... Linux - still free.
Still think Linux can't compete?
Sean
All M$ does is form more security groups to try and convince the world that it is working on securing its products, and that is why they added IIS to the kernel in Windows 2003 so that when a cracker exploits it he has more control than ever. So much for making the software more secure.
how long is it gonna take 'em to implement it? (So that the general public notices, that is...)
The GEEK shall inherit the earth...
Obviously, GNU bashing abounds, but only in the world of end-users. I view this as a good thing.
Working in an environment that is purely Red Hat-based on the desktop, with significant Red Hat server infrastructure, I can only applaud any efforts Open Source guys are making to clear up the mess that is obviously present. No, it's not going to happen overnight - just as the company I work for is not going to replace all its investment in tech support talent overnight.
Unfortunately, being a GNU developer does not make you a usability expert. As usual, XFree (and anything using it) will continue to allow simple flaws, such as buffer overruns, into their code, allowing root access to idiots - but that's the least of users' worries on an OS as close to UNIX as humanly possible, without infringing on any of SCO's dubious rights. Having a group of people who focus on Open Source usability would be, without a doubt, a VERY good thing. While this may not be the potentially rigorous design/interface review that proprietary software gets, since people *do* pay for proprietary, after all, it's better than what presently happens - i.e., absolutely ZERO intelligent design or consistency in user interface elements. Why don't Open Source zealots just clone OSX? Save some time on the design, and make things nicer for everybody.
As for the issue of scapegoats...from an external point of view, getting Linux people to admit to Xfree's abysmal GUI latency, AND do anything to fix it, can be a difficult job at the best of times. Internally, if a group of interface "experts" fail to recognise flaws in a piece of code...then surely they are failing at their job? Strangely enough, BeOS had this issue nailed down *years* ago, but still OSS lags behind 1996 technology.
Finally, there's been a lot of flaming about the fact that there's another window manager coming out daily from the Free Software crowd. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy GNU or other free software, the happier I will be.
just like the humble blood clot... turboporsche@telus.net
So I found it interesting that there is a "Windows Services for UNIX 3.0" CD included with the June issue of Sys Admin (the journal for UNIX systems administrators.)
"Those who trade freedom for security will lose both, and deserve neither" -- Ben Franklin
So what happened in Feb 2002?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Oh, that's brilliant. Do you tell your management that? .. Or, hmm, maybe you're a school-boy.
Yes, I tell my management that. I just turned down a Java component that was supposed to be one of my responsibilities.
The manager was very cool with that and we just shuffled components with another guy.
No.. I'm not a school boy. I also know how to program with this piece of crap. I just feel it is not of any use.
You, on the other hand, probably haven't had a touch of real life. That, or you have got some silly Java project after high school so you don't have to fry hamburgers.
Oh yeah, almost forgot: My dad can beat up your dad and you must be an immature child because you might have a strong opinion about something.
OK, I might hate Java because nowadays I have to deal with so many simpletons who don't understand how the computers they are supposed to "program" work.
Bot Assisted Blogging
I do hate being a pedantic asshole . . .
;)
Yeah, I'm sure it keeps you up at night
I'd suggest you don't use Slashdot as your only news source, or you will suffer permanent brain damage.
Sugar coated shit is still shit. MM
Is it just me, or has Microsoft seriously upped their initiatives now that the SCO vs IBM suit is in the media? Coincidence?
The Soviets tried it, and it didn't work. Why should it be any different for Microsoft?
Word needs skins.
It's been said before... it's all lip service. How many times is Microsoft going to promise to get its act together before the whole world realizes they're just blowing smoke.
That VP said it right, security is an afterthought at MS. A company that can't even go a week without discovering a security hole "that allows attackers to completely take over a machine" has no business doing anything but apologizing profusely.
After all, most of these bugs seem to be from buffer overruns... which is Computer 101 stuff. When you can't get stuff right that they were doing in the 1950's how can we expect software for the 2000's?
I'm happy to blow a couple karma points to get this off my chest.
You are in a maze of twisty little passages, all alike.
Most viruses come in the form of .exe and .bat attachments in your Outlook mail. As long as Microsoft OS keeps the link between clicking your attachment and executing a program, viruses are going to hang around MS OS's. Unlike MS... Linux or other flavours of Unix, by default, do not grant any file the execute bit permission... just based on its extension. This points to an inherently weak architecture design in MS OS's. Fortunately evil Microsoft finds it hard to change this architecture as doing so would evidently mean giving up some of the "user-friendly" features like clicking executables from attachments.
Hell To Freeze Over
Flying Pigs Spotted Over Boston
Bush Adopts Islam
section of slashdot?
He pointed out that if Microsoft wants to add a feature, they have control of the whole code from kernel to Excel, and can make all the changes needed for that new feature directly, and quickly, where with open source (or suppliers who don't have a complete software solution), you need to get different project groups/companies together to agree on whether they want this feature, how to implement it, how the components should interact, and so on.
This, he says, is why Microsoft can "innovate" (add features, whether they're actually innovative or not) more quickly than open source software.
This is also the weakness, because when a bug appears, there is no easy way to tell where in the entire massive Microsoft code base the problem lies. The entire structure is so interrelated that, while you can add things easily, removing even a small thing may break things massively - so they don't, leading to bloat - and tracing things is like a needle in a haystack, and getting worse.
You can see the Microsoft way in the .NET vs. Java EE "pet shop" demonstration application. The Java version, created by Sun, was intended to be a "best practices" demonstration of modular, easily modifiable design, and wasn't intended to perform well. Microsoft's .NET version has often been called a living "anti-pattern" - an example of how not to create an enterprise application, although it's faster.
By comparison, open source (and most smaller proprietary software systems) are small modules which interface to each other with simple, well-defined interfaces - largely because defining interfaces is so much trouble that nobody likes to do it, so they're only added with careful forethought and design to make them as general as reasonable, so you don't have to change it later or add another.
This means that generally, when there's a bug, it's well defined, easily traceable, and more importantly, its damage is limited. It is inherently more secure than an integrated, unstructured approach. It is also much slower to advance.
One of the reasons that customers in the software industry accept such hideous software as is available now is simply that it's a new industry - computers are still finding new uses, and at this point it's more important to get computers to do these new things at all, than to get them to do them well. Microsoft's success has been partly because its development model is based on getting computers to do new things first, thus defining the market.
There is a limit to the new things that can be done with computers. Or at least, certain fields which have become well defined as far as what features are needed and useful. Office applications are an example - Microsoft has not been able to introduce a single genuinely useful feature to Word, Excel, or most of its other desktop software in a long time.
This will affect the entire computer industry. My guess is that we've figured out about a third of all the things computers are useful for. When that upper limit is finally approached, then competing software will all be able to catch up feature-wise, and all do basically the same thing. At that point, software quality will be the main way of differentiating products, and any company that's not able to switch development models away from feature-expansion to quality improvement will be in big trouble.
My guess is that will start to happen in about 40 years, but I may be wrong. There are some signs of it happening in some areas already (servers, for example).
Probably very well.
Here's an example of the kind of thinking that went into Multics - stacks went up from 0, not down from the high end of memory. That was so that the return address and important stack information was stored below any local buffers. If some poorly written application overwrote a local buffer, the excess data would flow harmlessly upward into unallocated memory land. It might screw up local variables, but it would not, ever, allow the return address to be overwritten, and could not, ever, be used to execute arbitrary code.
Solaris and other secure operating systems do things like non-executable stacks, which patch the problem, but don't solve it completely. I don't think Linux does even that.
There was a lot of OS know-how of the past that seems to have been lost like the mythical Atlantis.
I suggest Harvey Keitel, not Jean Reno.
you simply can't make honey(linux) out of dog shit(windows).
ILoo + SCO + Code Cleaning....
Am I alone here or does this give a whole new meaning to "core-dump"?
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
I don't think so. You can trust your own code (as long as it has not been hacked/tampered with) for not overstepping a buffer.
Where you have to bounds check are inputs: incoming network packets, CLI input, file input, web input, etc.
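The point above, that the bounds check belongs at the trust boundary where external data enters, as an added example that is not from this thread or any poster: a parser for a constructed length-prefixed "name" field in an untrusted packet. The layout (one length byte followed by that many bytes) and the names `parse_name`, `demo_cases` and `NAME_MAX` are assumptions made up for the demo; the packet bytes are constructed here, not captured.

```c
/* Added example, not from the thread: bounds-checking a length-prefixed field
 * read from an untrusted network packet before it is copied into a fixed
 * buffer. Field layout, names and packet bytes are all assumed/constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the destination buffer, including the NUL */

/* Parses "[len][len bytes]" at the start of pkt into out as a C string.
 * Every value that came from the wire (pkt_len, the length byte) is checked
 * against what we actually hold before any copy happens.
 * Returns 1 on success, 0 if the packet is malformed or the field would not fit. */
int parse_name(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || out_len == 0)
        return 0;
    if (pkt_len < 1)                /* not even a length byte present */
        return 0;

    size_t n = pkt[0];              /* attacker-controlled claimed length */
    if (n > pkt_len - 1)            /* claims more bytes than the packet carries */
        return 0;
    if (n >= out_len)               /* would overrun out, or leave no room for NUL */
        return 0;

    memcpy(out, pkt + 1, n);        /* safe: n bounded by both source and dest */
    out[n] = '\0';
    return 1;
}

/* Runs four constructed cases and returns how many behaved as intended (4):
 * a well-formed packet, a truncated packet whose length byte lies, an
 * oversize but well-formed field, and an empty packet. */
int demo_cases(void)
{
    char out[NAME_MAX];
    int ok = 0;
    const uint8_t good[]  = { 5, 'h', 'e', 'l', 'l', 'o' };   /* constructed, well-formed */
    const uint8_t lying[] = { 40, 'a', 'b' };                  /* constructed, length > payload */
    uint8_t big[1 + 32];                                       /* constructed, field > NAME_MAX */

    big[0] = 32;
    memset(big + 1, 'x', 32);

    ok += parse_name(good, sizeof good, out, sizeof out) == 1 && strcmp(out, "hello") == 0;
    ok += parse_name(lying, sizeof lying, out, sizeof out) == 0;
    ok += parse_name(big, sizeof big, out, sizeof out) == 0;
    ok += parse_name(good, 0, out, sizeof out) == 0;
    return ok;
}

int main(void)
{
    printf("%d of 4 cases handled as intended\n", demo_cases());
    return 0;
}
```

The two checks on `n` are the whole point: the length byte is compared both against the bytes actually received (`pkt_len - 1`) and against the destination size (`out_len`), so neither a truncated packet nor an honest-but-large field can make `memcpy` read or write past a buffer.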
...I tend to think, "Sadly, it was cancelled because it was up and down like a yoyo for about two weeks and that looked bad."
OTOH, the Free Software community responded by putting up a PPC Linux box that the cracker got to keep (major incentive, contrast this with the tight-assed billionaire company not awarding the cracker anything) and it took something like six months for a cracker to get that - and even then he didn't get root despite the root password being published, just rewrote the web-page.
So: +5 Informative, but very bad news for Microsoft.
My take on this latest flag day is: much too little, much too late, but it will be good if their security does improve - I'll get less constant knocking on my servers' doors from broken Borg boxen. I am still getting CodeRed and Nimda hits!
Got time? Spend some of it coding or testing
First post? (-:
The original version of NT was spelling-error-compatible with MICA, a VMS 5 variant. Microsoft did that by buying the programmers instead of buying DEC. They paid heavily for that in court later. DEC even back-ported NT drivers into VMS for a number of years. Then the usual Microsoft thing happened and they fucked it up completely. VMS could be secured to fairly deep military levels by setting a single system variable, contrast this with any released version of Windows. Microsoft even fucked up OS/2 somewhat by forcing IBM to use a "single message queue" design in it for Windows (at the time) compatibility. There is apparently no end to the reach of Microsoft's "passion fingers".
It's also noteworthy that Unix (in the form of Xenix) and OS/2 each had their turn in the limelight as the next Great White Hope for Microsoft. That's an implicit admission that what they had at the time sucked. They never seem to learn that it sucked because Microsoft wrote it. They copied as much as they could (too much, it turned out) of the Mac GUI into Windows because Bill knew that the Windows UI sucked and Mac OS <=9 didn't (in relative terms). No innovation, just degradation. Every single worthwhile piece of software ever released by Microsoft was stolen or bought from or with another company.
Perhaps we should call this buy-the-tech process "exnovation"?
And the process of internally degrading software should be one or more of "infessation" (as in making weary or exhausted), "invetulation" (as in making elderly) or "insenelation" (as in making senile)?
For example they could hunt down all uninitialized variables, resource leaks, possible buffer overflows, etc.
I've been on the receiving end of security fixes for an Open Source tool. One day, I woke up to find a patch in the SourceForge tracker that touched roughly half the files. The majority of "fixes" addressed the use of things like strcpy in cases where actually looking at the code showed the usage was safe. What's worse, some complex encoding routines were fixed in a way that is entirely unobvious, with wrapper routines that were not documented to boot.
And needless to say, the fixes broke the code.
Now, if these guys had used the developer mailing list, we could have dealt with the security issues in a more constructive fashion.
It is my observation that lack of communication more than anything is the cause of perpetuating sloppy coding.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
I like Pick-style multivalue databases because I find them more intuitive and direct.
I dislike SQL normalised-type "relational" databases where many-to-many relationships are resolved with annoying link tables removing you ever further from the data you actually want.
Indirection, is that what we have with MS systems? iforget->DOS->Win3.11->Win95->Win98->XP. I don't include Win2K because that's more of an NT hybrid which is another variety of misdirection altogether - don't let the similar names fool you.
Now I have to go look up Butler Lampson cos I never heard of him. I like Dorothy Parker quotes...I don't care what they say about me so long as it isn't true.
-- it must be true, it's on the internet.
it's closer to 6,000. Another interesting statistic is that 80 percent of those "coders" are openly gay. I'm not even kidding. I guess some of that has made it into their operating systems.