Slashdot Mirror


Microsoft to Clean Up Code

the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.

14 of 466 comments

  1. Fat Chance by OmniVector · · Score: 5, Interesting

    If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.

    The OSS model of peer review on a large scale is the sole reason for such reliable security.

    Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.

    Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been nonexistent for half a decade by now.

    --
    - tristan
    1. Re:Fat Chance by jkrise · · Score: 4, Interesting

      "it's not important that Microsoft fix the majority of their security flaws, but that they imply they will."

      Let's have a debate at Ask Slashdot. Is it EVER possible to make Windows secure? Not maybe in the same league as Linux or Unix, but even marginally better than what entails now?

      The challenges:
      1. An integrated all-in-one tightly coupled design - anything breaks, everything compromised.
      2. Proprietary standards (if that isn't an oxymoron)
      3. Newer OS releases at least once a year, to break competing code.
      4. Newer releases to support existing apps (3 and 4 directly contradict)
      5. Code size and complexity - I doubt anyone, even at MS, has access, let alone modification rights, to the various code bases.

      Put simply, Mission Impossible.

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Fat Chance by Daniel Phillips · · Score: 4, Interesting

      ...that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch.

      They already tried that, it's called "NT". Things got better for a while, then the application mafia got their fingers in and it degenerated back to the current mess.

      So they could start that process over again, and be finished in 5 years, just in time to see their stock make the final dive into the subbasements. Or they could learn from Apple once again, and switch to BSD, it's free :-)

      --
      Have you got your LWN subscription yet?
    3. Re:Fat Chance by walt-sjc · · Score: 4, Interesting

      Just read that drivel, and there ARE some valid points, but it is NOT universally true.

      Case in point, I was on a team that redesigned an entire large-scale system from scratch. The old system was built in lots of little parts using various languages (shell, perl, java, c++, c, python, lisp), multiple databases from various vendors, had virtually no internal documentation on how anything worked, etc. The system was quite unstable, crashing multiple times a day, and very difficult to enhance without breaking shit. Kinda like Windows...

      We re-built the entire system in about a year (about 750K lines of code, which was about half the size of the original code). The result was amazing. After the initial deployment period where the bugs were worked out, the system was rock solid, being able to stay up for months at a time, was very easy to enhance, had tons more features and flexibility. We had a great team, and a solid commitment from senior management providing the needed resources.

      Netscape's biggest problem was not starting over from scratch, but poor project management (not keeping people within original design constraints) and a lack of serious commitment from senior management. Rather than having a very tight set of requirements and design goals, things were very nebulous and got out of control very quickly. No longer were they building a new browser, but a cross-platform framework for any kind of application they could think of. When you look at projects such as Galeon, most of that bloat is ripped out.

      Rather than following a bad example of how to run a re-design project (mozilla), MS could EASILY afford a new team to start Windows from scratch, leaving the existing team in place to continue to enhance / maintain the existing code base. This is the step that Netscape missed. They only used a small fraction of their people to maintain (and NOT enhance) the old code.

      Joel is making his claim by using the worst case example. Kinda like if I claimed that you should never put the gas tank in the back of a car pointing to the Pinto as my evidence, ignoring the thousands of other car designs that worked.

  2. I'm surprised... by DJPenguin · · Score: 4, Interesting

    ... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?

    Oh well, as they said - it's a step in the right direction.

  3. Where have I seen this before... by geesus · · Score: 5, Interesting

    OpenBSD have done this. They set up a team of devs who went through the entire code fixing up buffer overflows\underflows, and all that jazz. I hope for the world's sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it won't make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.

    --
    Gnome wasn't built in a day.
  4. Slashdot's Microsoft Obsession by Pave Low · · Score: 3, Interesting

    Recently it seems not a day goes by on slashdot without a few Microsoft stories. This supposedly linux, open-source focused site seems awfully preoccupied with Microsoft for some reason, and it's not good.

    The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.

    Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

    The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.

    --
    SIG:Slashdot: indymedia for nerds.
  5. Credit Where Due by k0de · · Score: 5, Interesting

    If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens when Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.

    --
    I'm wrong and so are you.
    1. Re:Credit Where Due by deranged unix nut · · Score: 4, Interesting

      Check out Windows Server 2003 - Microsoft was really trying to focus on security, and even got bashed by customers because they made it so secure that some of the applications wouldn't work anymore.

      You don't "fix" 50 million lines of code overnight, especially not when it has taken 10 years (or more) to write. However, all of the developers really did take a few days to go through a set of classes on how to write secure code, and then spent the next month reviewing their code for security problems. All of the program managers really did go to classes to learn about security vulnerabilities and how to find security weaknesses in their designs, and then went back and updated designs where needed. All of the testers really did go to classes to learn how to find security bugs and then created security test plans and spent a month doing nothing but looking for security bugs.

      It probably isn't perfect, if Microsoft went for perfect you would be paying ten to twenty times more for the software, but for the first stab at really fixing the server operating system so that it is secure out of the box, I would say that 6 months of effort went into making Windows Server 2003 secure that wasn't in the plan prior to the trustworthy computing initiative.

  6. I'm telling you again - Hire Theo. by TerryAtWork · · Score: 5, Interesting

    What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.

    Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.

    He'll give you a seminar on code cleaning you'll never forget.

    --
    It's Christmas everyday with BitTorrent.
  7. Manpower? More MS myth tossing by djupedal · · Score: 3, Interesting

    MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yokels, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.

    What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50,030

    GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.

  8. Re:A good thing by dthable · · Score: 3, Interesting

    The concept pre-dates open source development. They did have peer reviews in the days of the mainframe.

  9. Re:more of the same by tomhudson · · Score: 3, Interesting

    and putting it in the hands of a review group, rather than educating their coders (who are, after all, the ones who wrote the bugs in the first place) on how not to write buffer overflows, etc, is the WORST way to go about it.

    So, here's a rather obvious 1-2-3-profit list

    1. patent the buffer overrun
    2. sue microsoft for every infringement
    3. profit!
  10. Re:sceptic by Shalda · · Score: 4, Interesting

    Perhaps you haven't looked too closely at Windows Server 2003. I've been kicking it around for about 2 weeks now and let me give you some highlights.

    1. Stuff works. It's the easiest time I've ever had configuring a server. It's like flipping a switch.
    2. Stuff is locked down. Everything out of the box is turned off. When you do turn it on, it's locked down by default. Everything runs with the lowest privilege possible to get the job done.
    3. Reliable. Nearly anything can be done without restarting the machine. The only exception I've had so far is making it a domain controller.

    Frankly, I'm looking forward to working with it in a production environment.