Microsoft to Clean Up Code
the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.
More of the same lip service from our friends at Redmond. Is this the 3rd, or 4th 'security' initiative?
If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.
The OSS model of peer review on a large scale is the sole reason for such reliable security.
Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.
Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been nonexistent for half a decade by now.
- tristan
Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.
And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.
... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?
Oh well. As they said - it's a step in the right direction.
If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...
Pity.
Small potatoes make the steak look bigger.
I'm highly sceptical of this. In my experience, security and features are always on two opposite sides of the spectrum, and Microsoft is too much on the features and ease-of-use mindset to have something really significant coming from this effort.
Microsoft is going to hire testing programmers?
They have. It's called J#. It's Microsoft's answer to a question nobody asked.
Seems like a "code cleaning group" would be the most poorly efficient way of accomplishing this.
Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!
Why hire somebody else to do _your_ job?
I've never programmed in a huge group before... so maybe I'm missing the experience to understand.
Davak
OpenBSD have done this. They set up a team of devs who went through the entire code fixing up buffer overflows/underflows, and all that jazz. I hope for the world's sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it won't make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.
Gnome wasn't built in a day.
# dd if=/dev/zero of=/dev/hda bs=512
Seriously, though, this is a good step for them, and I hope other software companies follow their good example.
Microsoft is a long way from its ultimate goal where users can take security for granted in its products
This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security conscious, rather than just take it for granted.
I would never want to take my security for granted, in any product. Not windows, not open source, not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.
Especially if the clean-up group are not working closely with the original developers.
Fix 1 security hole.
Introduce 100 bugs.
Hmmm.
The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.
Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.
The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.
SIG:Slashdot: indymedia for nerds.
What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.
The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.
I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.
You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.
"The new group is called Security Engineering Strategy"
A weak name, I suppose. Some suggestions:
1. Next Generation Secure Computing Strategy.
2. Social Engineering Strategy.
3. Brainwashing Services (BS, for short).
4. Severe Acute Repair Services Group (SARS group)
5. Purity Enhancing Networked Information Services. (figure it out)
If you keep throwing chairs, one day you'll break windows....
TCPA^WPalladium^WNext Generation Secure Computing Base.
vi commands are not known by your browser. Please use backspace.
..you can only realize the truth, that the Windows code is the virus.
My ignorance is a perfect shield against your logic.
...is peer review by knowledgeable people within the security community. And how do they have peer review of their code?..... open the source, of course.
OK, I did not mean for that to rhyme, but you get my point. Microsoft is a big self-reliant entity that hires like-minded people. That's not who they need reviewing their code. They need objective 3rd parties with real world experience in security and systems. I'm not saying they need to put the code to WinNT on an FTP server for all to see, but loosening their grip a little.
Once MSFT realizes that they don't have to be nazi-esque with their firm grips around their code base, and they can succeed by opening up a little, they will do great things, imho. They haven't quite learned that yet..
I lost my concept of community when my community lost all concept of me.
First, this isn't a code cleaning initiative, as someone above noted -- the article says that the new group will "establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws." So it looks like their job is to just improve the programming methodology at our favorite software company. ;-)
Second, there are only ten people on this task force. Will they have enough time to fix the programming methodology for all Microsoft software? Somehow, I doubt it -- and it doesn't take much imagination to guess that the Mac products, for example, aren't likely to be the primary targets, as well as any spyware that Microsoft finds convenient (*cough*WMP*cough*).
So it's a step in the right direction but I think they need to use more manpower to solve this problem. God knows they have plenty of it. Until they do, across the board, I don't think many of us will ever trust Microsoft's security. (I'll leave the question of trusting Microsoft itself to another discussion.)
-- shayborg
'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...
The way I hear it, most people already take security for granted with MS products.
And are proven idiots.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.
Think about the success of OpenBSD. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).
Laughing at your competitors is a risky strategy.
If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens when Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.
I'm wrong and so are you.
NEWSFLASH!: Microsoft invents quality control! Source code review measures, internal cooperation among units, standardized enterprise wide security measures! Patents soon to follow!
It certainly makes me wonder what the hell they've been doing all these years, besides making gigantic amounts of profit...
Oh... right, less money on development costs == more profits. Now I see why Steve Ballmer and Bill have been selling off so much stock.
A feeling of having made the same mistake before: Deja Foobar
What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.
Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.
He'll give you a seminar on code cleaning you'll never forget.
It's Christmas everyday with BitTorrent.
MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yokels, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.
What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50,030
GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.
Firstly, filter it if you don't like it.
Secondly, I believe it's very important to keep track of any and all movements of the biggest, richest, most powerful company in the world.
Of the company that controls 95% of the desktop market that Linux might, hopefully, break into.
If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.
A company with such terrible operating practices should be watched closer than any other company, and I'm all for it.
Despite your obvious trolling, I will agree that it might seem a bit much, but I'll tell you, I'm glad we're looking too hard, rather than not looking hard enough.
I wait for these same comments about the SCO case in a few days.
Obviously, MS bashing abounds, but I view this as a good thing.
Working in an environment that is purely MS based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - Just as the company I work for is not going to replace all its investment in MS tech overnight.
Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better than what presently happens at MS.
As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?
Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.
*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"
Nope, don't think so... I develop on 1.4.1, and my stuff runs fine on 1.2.2 and up.
This isn't any ordinary darkness. It's advanced darkness.
As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'"
Personally, I do not think that security should ever be taken for granted. I think it has been proven that this lax security awareness leads to problems independent of the software (e.g. stolen credit card numbers and identity theft from insecure websites and to a lesser extent the proliferation of spam). Most people do not take the locks on their front door for granted, why should the computer be any different? Especially now that many individuals use the computer as the primary portal to the outside world.
Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here, seem odd to anyone else?
This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "Look at us, we're doing something(tm) about security!"
Makes me wonder if this is Microsoft's way of making sure it has a chance to influence what the gov. considers secure.
This comment is fully compliant with RFC 527.
... bad news for Linux etc. when it does.
...95 was a big improvement.
...Windows 2000 was a huge improvement.
...The 2003 servers ARE a big step in the right direction.
Windows 3 was crap.
Windows 95 is unstable.
Windows 2000 Server is insecure.
If they progress as far in the next decade as in the past decade, they will be delivering stable, reliable and secure servers. If that happens I don't see Linux based systems able to offer too much competition.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
cat bad_code.c |grep -v getchar > good_code.c
Security is one of the main areas that MS gets blasted for. While the security in their server products has some merits, it's undermined by the bugs that continuously appear and the total lack of lockdown in out-of-the-box config. Their push on security would have to address all these issues - Removing issues from the code prior to shipping, improving their response to the bugs that still appear, locking down products and educating users to unlock them as appropriate, and most importantly of all, concentrating on designing their systems to incorporate security from the start, rather than trying to tack it on later. There's been some movement in some of these areas...but nowhere near enough yet.
So will they do it? You're right in that there is little evidence so far. Given the constant slating they receive in this area, there is certainly a motive to improve it. But given the apparent lifetime of legacy code in Windows, it's not going to show significant results any time soon in that arena. I would suspect it would be more evident in "new" products such as
Trustworthy computing was launched in Jan 2002, there's some info on what they claim to have achieved on their site.
I do agree with you about Clippy tho