Microsoft to Clean Up Code
the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.
More of the same lip service from our friends at Redmond. Is this the 3rd, or 4th 'security' initiative?
This "emphasis on security" crap is just a PR screen for TCPA^WPalladium^WNext Generation Secure Computing Base.
If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.
The OSS model of peer review on a large scale is the sole reason for such reliable security.
Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.
Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been non-existent for a half a decade by now.
- tristan
Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.
And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.
... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?
Oh well. As they said - it's a step in the right direction.
If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...
Pity.
Small potatoes make the steak look bigger.
I'm highly sceptical of this. In my experience, security and features are always on two opposite sides of the spectrum, and Microsoft is too much on the features and ease-of-use mindset to have something really significant coming from this effort.
Microsoft is going to hire testing programmers?
.. but only if they clean up the bugs, and not the patches.. (Hey? what's this if-clause doing here? There is no such thing as a negative packet size!)
"It's too bad that stupidity isn't painful." - Anton LaVey
They have. It's called J#. It's Microsoft's answer to a question nobody asked.
Seems like a "code cleaning group" would be the most poorly efficient way of accomplishing this.
Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!
Why hire somebody else to do _your_ job?
I've never programmed in a huge group before... so maybe I'm missing the experience to understand.
Davak
OpenBSD have done this. They set up a team of devs who went through the entire code fixing up buffer overflows/underflows, and all that jazz. I hope for the world's sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it won't make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.
Gnome wasn't built in a day.
# dd if=/dev/zero of=/dev/hda bs=512
Seriously, though, this is a good step for them, and I hope other software companies follow their good example.
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security conscious, rather than just take it for granted.
I would never want to take my security for granted, in any product. Not windows, not open source, not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.
Try (-1, Tinfoil).
Especially if the clean-up group are not working closely with the original developers.
Fix 1 security hole.
Introduce 100 bugs.
Hmmm.
The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.
Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.
The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.
SIG:Slashdot: indymedia for nerds.
What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.
The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.
I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.
You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.
"The new group is called Security Engineering Strategy"
A weak name, I suppose. Some suggestions:
1. Next Generation Secure Computing Strategy.
2. Social Engineering Strategy.
3. Brainwashing Services (BS, for short).
4. Severe Acute Repair Services Group (SARS group)
5. Purity Enhancing Networked Information Services. (figure it out)
If you keep throwing chairs, one day you'll break windows....
..you can only realize the truth, that the Windows code is the virus.
My ignorance is a perfect shield against your logic.
...is peer review by knowledgeable people within the security community. And how do they have peer review of their code?..... open the source, of course.
OK, I did not mean for that to rhyme, but you get my point. Microsoft is a big self-reliant entity that hires like-minded people. That's not who they need reviewing their code. They need objective 3rd parties with real world experience in security and systems. I'm not saying they need to put the code to WinNT on an FTP server for all to see, but loosening their grip a little.
Once MSFT realizes that they don't have to be nazi-esque with their firm grips around their code base, and they can succeed by opening up a little, they will do great things, imho. They haven't quite learned that yet..
I lost my concept of community when my community lost all concept of me.
First, this isn't a code cleaning initiative, as someone above noted -- the article says that the new group will "establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws." So it looks like their job is to just improve the programming methodology at our favorite software company. ;-)
Second, there are only ten people on this task force. Will they have enough time to fix the programming methodology for all Microsoft software? Somehow, I doubt it -- and it doesn't take much imagination to guess that the Mac products, for example, aren't likely to be the primary targets, as well as any spyware that Microsoft finds convenient (*cough*WMP*cough*).
So it's a step in the right direction but I think they need to use more manpower to solve this problem. God knows they have plenty of it. Until they do, across the board, I don't think many of us will ever trust Microsoft's security. (I'll leave the question of trusting Microsoft itself to another discussion.)
-- shayborg
'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...
The way I hear it, most people already take security for granted with MS products.
And are proven idiots.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
Yea, it really sucks that I can develop and test code on my Windows laptop and just copy the compiled files over to an AIX box, or Intel/Linux box, and everything works perfectly.
Methinks you're a disgruntled C programmer feeling the world's leaving you behind.
Get with it - there's tools for every job - pick the one that works best.
My original point was made in humor partly - but the main point was that normal security exploits attacking buffer overflows, for example, are a non-issue in my 'interpreted language'.
Nobody in their right mind is going to simply take it for granted that any given operating system is secure. Considering Microsoft's track record of programming, they are the last people anyone should blindly trust. The only way to deliver security on a project of this magnitude is to open the source to peer review.
And probably more new ones, too. Let's face it, something, somewhere, is going to be calling the code they're "cleaning" and if it doesn't work right, it's going to break shit. Bigtime.
It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.
Think about the success of OpenBSD. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).
Laughing at your competitors is a risky strategy.
If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens when Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.
I'm wrong and so are you.
I think you forgot to add this:
and everything works perfectly*.
*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"
Seriously though, every Java based piece of software we have looked at has been total crap. Many of them require a certain runtime, such as one web service from a major company we looked at, that only works with Apple's runtime. Others only work with MS Java runtimes. The list goes on.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
NEWSFLASH!: Microsoft invents quality control! Source code review measures, internal cooperation among units, standardized enterprise wide security measures! Patents soon to follow!
It certainly makes me wonder what the hell they've been doing all these years, besides making gigantic amounts of profit...
Oh... right, less money on development costs == more profits. Now I see why Steve Ballmer and Bill have been selling off so much stock.
A feeling of having made the same mistake before: Deja Foobar
What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.
Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.
He'll give you a seminar on code cleaning you'll never forget.
It's Christmas everyday with BitTorrent.
1) UNIX IP License.
:-D
2) Plan to clean up code.
All they have to do is start swapping files.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Fool me once, shame on you
Fool me twice, shame on me
Fool me over and over and I must be the IT selection manager/committee/group at a Fortune 500 firm.
Anyone remember Douglas Adams' concept of the SEP field generator? It generates a sense that something is Someone Else's Problem and people's natural predisposition to overlook it makes the something invisible. Makes me wonder if that's not built into the code somewhere...
A feeling of having made the same mistake before: Deja Foobar
MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yokels, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.
What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50,030
GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.
some of the largest software capitalists in the world believe in all the above technologies
Corporations believe in a lot of things, and miss a lot of other things in doing so.
In the early 90's, everyone expected Unix to collapse and NT to take over the server market. A decade later, Unix market share has grown via Linux and NT is in the minority on the web.
Microsoft believed in MSN and almost completely missed the Internet revolution.
Sun believed in NeWS and X stomped it into the ground.
Sun also believed in JINI. Remember that? I doubt you do.
Microsoft believed in Passport & Hailstorm, then scaled back their plans, then buried most of it.
Now Sun believed in Java and Microsoft believes in .NET. Big whoop. Call me back in three years and we'll see who believes what then.
By the way, do you remember what .NET was originally supposed to do? Microsoft took a very long time before even they could decide what .NET actually was. They managed to believe in something that didn't even exist..
Firstly, filter it if you don't like it.
Secondly, I believe it's very important to keep track of any and all movements of the biggest, richest, most powerful company in the world.
Of the company that controls 95% of the desktop market that Linux might, hopefully, break into.
If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.
A company with such terrible operating practices should be watched closer than any other company, and I'm all for it.
Despite your obvious trolling, I will agree that it might seem a bit much, but I'll tell you, I'm glad we're looking too hard, than not looking hard enough.
I wait for these same comments about the SCO case in a few days.
Obviously, MS bashing abounds, but I view this as a good thing.
Working in an environment that is purely MS based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - Just as the company I work for is not going to replace all its investment in MS tech overnight.
Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better than what presently happens at MS.
As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?
Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.
*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"
Nope, don't think so... I develop on 1.4.1, and my stuff runs fine on 1.2.2 and up.
This isn't any ordinary darkness. It's advanced darkness.
So what if this amounts to Microsoft saying there are problems with their code. Everyone knows there are problems, so admitting it doesn't hurt them.
Now they are telling the world they want to clean it up. They have a team on it.
Corporate buyers want to hear this. They like to know that the dollars they are spending are going into making the product better. Knowing that the software will be better/more secure in the next revision keeps them from making the choice to move to a different platform.
In business, money talks. They understand the concept that Microsoft NEEDS to do this, to keep making money. It's hard to understand the driving factor that causes people to spend time improving Linux- in general it isn't dollars.
That's the marketing portion, and it really does make sense.
Of course, they will need to deliver the goods too- and Windows users will benefit from that.
So by announcing to the world that they are working on it- they get a big marketing push. By actually doing the job, their products will get more and more secure. It may take a while, but as long as they are working on it, people will continue to buy.
Most of the anecdotes on Slashdot have to do with Windows 95, 98 (ME!) and NT. 2000 and XP are not perfect, or even wonderful, but the amount of improvement in stability is amazing. If this trend continues, their efforts will have paid off- and there will be a lot less reason to switch over to a different operating system.
No reason to lie.
Saying they are going to do it and pulling it off are two completely different undertakings. Even throwing x-amount warm bodies and money at it is still quite the iffy proposition. If it was really that simple, they could pull a truckload of cash out of the bank and sprinkle it all over redmond from aeroplanes.
It's gotten so bad with Microsoft and "normal" joe users I have started to refuse all Microsoft tech related "help me please" requests from people I know. One, is most of the time I really can't help them, fixes and problems are way beyond my interest or expertise any more, I just plain stopped even trying to use it. The second is--what's the point? Really, what's the point? Even if it was completely 100% "fixed" (I doubt at this time they can do it really) it would still be...just plain wrong, from my viewpoint on what software should be now and what it is for and what is the best for people and what legitimate business should be. I do not separate money from ethics in my life. Note, that is merely my personal opinion on it, anyone on the planet can choose to still use and "support" them, I just choose not to, similar to a few other large corporations that I consider to have "crossed the line" into sophisticated international thuggery and criminality. I REALLY DO consider them to be an unethical and immoral company, and their products reflect that, again, IMO. I am sorry for the people who work there and aren't crooks or bad people, I am sure most of them are just fine regular old folks just trying to make a buck, and I am not trying to put them down or anything, but at this time that company and managerial and directorial mindset needs to be scattered to the winds of business history. At one time, and for many years, they were more or less fine, I didn't consider them the way I do now, but what has been revealed with them, and watching the evolution of their products and influence on all of our technological society has changed my opinion of them, and shows me it's just a big bully criminal gang now who happen to be in the software business.
Same as any other gang out there, I am not concerned with "reforming or fixing" the mafia or its "products" for example, even if a large part of the mafia now has morphed and is considered "legitimate business", they got there in the first place by being crooks and thugs whenever they could get away with it.
It's sort of sad in a way, too, there is no joy or gloating over it from my viewpoint, it just is reality.
We've heard this before. Didn't they take a year and clean up all of their code before? Are they going to take another year and do it again? How many years will this take any ways?
In all reality, if they want to fix their security, they need to fix the way they view data and process. They blur the lines between the two way too much. They also encourage the users to blur the line between the two as well.
If they truly want to make a more secure OS, they need to remove the ability to run code from every form of document you can make with their code. Macros are nice but when they let you have full access to the system and its resources they are deadly and the biggest security hole you can ask for!
I should not be able to run full blown basic apps just by opening a word doc, email, spread sheet or whatever.
-- Many men would appreciate a woman's mind more if they could fondle it
Multics didn't operate in today's environment, however. How would it have done if it was attached to the Internet? This isn't to knock Multics, about which I know precisely nothing. But a large part of the security landscape these days is the fact that J Random Hacker has the means to access your computer from a remote location all the time. Of course universities and the military were on the forerunner of the Internet in those days, but the number of people with access to a connection was minuscule compared to today.
Reality is defined by the maddest person in the room
As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'"
Personally, I do not think that security should ever be taken for granted. I think it has been proven that this lax security awareness leads to problems independent of the software (e.g. stolen credit card numbers and identity theft from insecure websites and to a lesser extent the proliferation of spam). Most people do not take the locks on their front door for granted, why should the computer be any different? Especially now that many individuals use the computer as the primary portal to the outside world.
According to the article, the new group will be called outa'sync (um, no, wrong article. Hang on. Ok). The new group will be called the (drum roll, please):
Any group that has the word "strategy" in it will spend their time writing memos about how this piece of already written code could be better.
These memos will then be ignored by everybody so they can meet their deadlines.
Karma: Food Fight (Mostly affected by Date Plate).
Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here, seem odd to anyone else?
This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "Look at us, we're doing something(tm) about security!"
Makes me wonder if this is Microsoft's way of making sure it has a chance to influence what the gov. considers secure.
This comment is fully compliant with RFC 527.
... bad news for Linux etc. when it does.
...95 was a big improvement.
...Windows 2000 was a huge improvement.
...The 2003 servers ARE a big step in the right direction.
Windows 3 was crap.
Windows 95 is unstable.
Windows 2000 Server is insecure.
If they progress as far in the next decade as in the past decade, they will be delivering stable, reliable and secure servers. If that happens I don't see Linux based systems able to offer too much competition.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
Not "to sell secure software" you'll notice, but to make customers "take security for granted".
So presumably if the security stinks but everyone assumes the system is secure, they will be satisfied.
Everything I dislike about the company in a nutshell
Don't let THEM immanentize the Eschaton!
I hope for the world's sake they do a terrible job and most people realize it. If their software remains marginally good enough in most people's minds, as it is now, it'll continue to be used. They're walking a thin line right now. If their software is seen as more expensive, buggier, or more insecure than it is now, even by just a little, they'll hurt. Anything that keeps them above that line keeps them in business. I'd much rather see them fail so there's a much quicker transition to FOSS.
Developers: We can use your help.
I personally think that MS should start all over again from the ground up. The problem is that fixing up bad code is annoying and you ultimately get something that's mangled.
The best thing to do would be to start over but make things appear the same at the upper layers so some existing apps work. However I do understand that this would leave a bunch of non working apps, but I think it might give M$ new life.
They could even rip off linux and call it their own. But don't get me wrong, I hate M$.
cat bad_code.c |grep -v getchar > good_code.c
Will this group have the authority to hold up a release if there are security holes? If not, they are just window dressing.
Is this group REALLY going to be able to get Microsoft to create secure code, or just avoid goofs so large they provoke those embarrassing industry articles about lack of security?
Security is one of the main areas that MS gets blasted for. While the security in their server products has some merits, it's undermined by the bugs that continuously appear and the total lack of lockdown in out-of-the-box config. Their push on security would have to address all these issues - Removing issues from the code prior to shipping, improving their response to the bugs that still appear, locking down products and educating users to unlock them as appropriate, and most importantly of all, concentrating on designing their systems to incorporate security from the start, rather than trying to tack it on later. There's been some movement in some of these areas...but nowhere near enough yet.
So will they do it? You're right in that there is little evidence so far. Given the constant slating they receive in this area, there is certainly a motive to improve it. But given the apparent lifetime of legacy code in Windows, it's not going to show significant results any time soon in that arena. I would suspect it would be more evident in "new" products such as
Trustworthy computing was launched in Jan 2002, there's some info on what they claim to have achieved on their site.
I do agree with you about Clippy tho
Doesn't sound too secure...
philcrissman.com.