Gates Says Windows Reliability Is Greater
mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."
for you lazy Geeks:
Link
here is a copy of the article, for the lazy bastards that don't want to register ;)
August 31, 2003
Virus Aside, Gates Says Reliability Is Greater
By JOHN MARKOFF
MICROSOFT, the world's biggest software maker, is the biggest target for computer viruses like the SoBig.F worm that wreaked havoc two weeks ago. Bill Gates, Microsoft's chairman and chief software architect, talked last week about what it is doing to keep hackers at bay. Following are excerpts from the conversation.
Q. You wrote a memo last year calling on Microsoft to focus on reliable software. Now we've had this series of computer-security-related events that make it appear to outsiders that you aren't making progress. Have you in fact made progress?
A. Well, we've certainly made a lot of progress in terms of creating more reliable software, building tools so that people can stay up to date so that they don't run into these problems, creating the procedures that make sure that the recovery actions get widely communicated. We'd be the first to say that we're doing more and more on this. It was very important that we got the company focused on it, made it part of the reviews of all the different employees.
The fact that these attacks are coming out and that people's software is not up to date in a way that fully prevents an attack on them is something we feel very bad about. We want the update process to work so automatically that in the future these problems won't happen. The hackers are attacking not only our systems but other systems, and with the right kind of infrastructure and the right kind of work we can make sure they don't disrupt things.
Q. Have these events created a serious public perception problem about Microsoft on the issue of security?
A. Microsoft's reputation for doing great software research is very strong, and people are looking to us now and saying, "no other software company has solved this; you, Microsoft, need to solve it." We're rising to that challenge. The expectation they have of us is very high.
Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?
A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.
Q. You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?
A. I'm not aware of any systematic attempt by any group. There have been a few of these things that have come along. We have to make our systems invulnerable to these things. It's within our ability to make the systems invulnerable because the speed of update is as great or greater than the speed that somebody comes up with an exploit.
Q. Blaster included a message attacking you. Do you take these things personally?
A. No.
Q. Have you considered enabling the Windows XP Firewall by default?
A. The fact is there has been a firewall inside of Windows that would have blocked MSblast [the worm]. We're doing a better job of getting information out to people of how to turn that on and when they should turn that on. The idea that it would be on by default is something that we have to push the technology to make that work for people. It looks like we've got a solution to do that.
Q. Some people are concerned about the automatic distribution of patches because of the possibility of doing widespread damage.
A. These patches will be signed by us, and things that are put into the critical security path that we have to pass through we have to be very careful that there is no regression in those things. It's a channel that has to be used not for features, but just for very critical things. We have some other ideas such as something called behavior blocking that will obviate the need in
Why, because you're not trolling or flamebaiting?
I have three Debian stable installs here, all using ext3, yes, ext3 filesystems. How did I do it?
Well, I could boast about my l33tness, but I just selected the 2.4 kernel install option from the menu, and then when it asked me to choose a filesystem, I had reiserFS and ext3. W00t!
So, it's not really that hard now, is it?
David
I'm a big fan of linux, but I work in an environment where windows is locked in. Yeah, MS has some problems, but so does everyone; what everyone needs to remember is that MICROSOFT RELEASED A FIX FOR BLASTER BEFORE THE BIG HIT CAME. The fact is the people who got hit by blaster didn't maintain their system, or weren't running firewalls. You wouldn't be on here growling about how debian sucked if a bunch of users didn't do apt-get update / upgrade, would you? These guys have a huge market share, have a reasonably good product that most of the population is happy enough using. Many of us (myself included) like linux. Both have bugs, both get fixes... but the weakest link is if the admins / system owners update... in this case many didn't and it made MS look bad.
--------- If its possible it will happen, If its impossible it will just take longer
Hey, I am willing to beat up on Microsoft as much as the next citizen of slashdot city, but let's be fair here. A lot of the problems that are hitting people are due to people not applying the patches that are available.
I use both Mac OS X and Windows XP. On both systems, I use the software update mechanisms and religiously apply the patches that are made available. On Windows I also have a virus protection utility in place. I have never once been caught with my pants down by a worm, virus, trojan horse, etc. And to answer the question of those out there that are already preparing to ask it, I have also never had my system "broken" by a patch.
So my response is that people should "Just Apply The Damn Patches".
Jordan Dea-Mattson
Posting from China, where I am to adopt my daughter! Back to the US in a week!
Linux and OS X ship with zero ports open.
Rubbish. Mandrake, at least, runs a number of daemons by default if you install them (such as sshd), and warns you about this fact at install time. Depending on the exact choices you make while installing it, it's entirely possible to have half a dozen or more ports open.
It's official. Most of you are morons.
You are wrong about open ports. If you take OpenBSD, which is the most secure OS on the planet, it ships with SSH open by default. Now yes, it's secure, but it's still an open port.
Rus
The truth is, every other mainstream OS has solved the security problem better than Microsoft. Most other OSes, especially *nix ones, have a philosophy of least privilege.
Actually, security was added to Unix as an afterthought. You talk about least privilege, but most Unix systems have exactly two privilege levels: user and superuser. And no ACLs on the filesystem either. At least with Windows, there really is separation of privilege; someone can be a printer administrator without the privilege to set the system clock, for example. It only needs a competent admin to set it up.
As an example of Unix security philosophy, consider the idea that only root-owned processes could bind to ports below 1024. Exactly what does that accomplish? Nothing useful, and it's directly responsible for all the sendmail and BIND exploits there have been over the years. So much for the "Unix way".
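The standard defence against the root-only low-port rule the comment above complains about is to bind the port while still root and then drop to an unprivileged account before touching any network input. The block below is an added example, not code from the thread or from any of the daemons named; it assumes a service account called `nobody` exists when started as root, and when started unprivileged it uses the caller's own uid/gid so the verification path can still be exercised.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if the process now runs as uid/gid AND cannot get root back. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (uid == 0) return 0;                       /* still root: nothing was dropped */
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* The saved set-user-ID must be gone too: regaining root has to fail. */
    if (setuid(0) == 0) return 0;
    return errno == EPERM;
}

/* Drop from root to an unprivileged identity. Order matters: supplementary
 * groups and the gid can only be changed while still root, so they go first,
 * and the uid goes last. Returns 0 on a verified drop, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;  /* clear extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

int main(void) {
    /* Assumed layout of the full daemon: socket(); bind() to a port below 1024
     * while still root; then drop_privileges(); only then accept() and serve.
     * When not started as root, the caller's own identity stands in. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {                               /* started as root: pick the service account */
        struct passwd *pw = getpwnam("nobody");   /* assumed account name */
        if (!pw) { fputs("no 'nobody' user\n", stderr); return 1; }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("running as uid %u, root not recoverable\n", (unsigned)uid);
    return 0;
}
```

The verification step is the part that catches the classic mistake of calling setuid() without setgid() first, or of leaving the saved uid at 0 so the process can quietly become root again.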
There's an old saying about people who live in glass houses.
Most stack buffer overrun problems (Blaster bug, etc.) are possible because the stack is executable. Other systems, such as VMS on Alpha, don't have executable stacks, making this kind of exploit very difficult to do.
At least, the problem seems to have been fixed in the x86-64 hardware, but the operating systems need to take advantage of it. See here.
So when will we see M$ take advantage of good simple security features in the hardware instead of trying to invent new fantastic schemes (Palladium)? Why weren't buffer overflow attacks fixed 5-10 years ago? I'm not sure if earlier x86 chips allowed non-executable stacks, but if M$ were serious about security, they could certainly have requested that feature from Intel. It's not rocket science.
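Hardware support for a non-executable stack only helps if the operating system honours it and the binary does not opt out. On Linux that opt-out is recorded in the ELF program headers as a PT_GNU_STACK entry; the checker below, an added example rather than anything from the thread, reads that entry from an ELF64 image and also builds a constructed fixture so it can be exercised without a real binary.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1: the image asks the loader for an executable stack; 0: non-executable;
 * -1: malformed, not ELF64, or no PT_GNU_STACK at all (itself a warning sign:
 * without that header the loader historically fell back to an executable stack). */
int stack_is_executable(const unsigned char *buf, size_t len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + i * sizeof ph;
        if (off < eh.e_phoff || off + sizeof ph > len) return -1;  /* truncated image */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed fixture: a bare ELF64 header plus one PT_GNU_STACK entry carrying
 * the given flags, enough to drive the check above. */
int check_fixture(Elf64_Word stack_flags) {
    unsigned char img[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    Elf64_Ehdr eh; Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = stack_flags;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, &ph, sizeof ph);
    return stack_is_executable(img, sizeof img);
}

int main(int argc, char **argv) {
    static unsigned char buf[1 << 20];   /* program headers sit at the front; 1 MiB is plenty */
    if (argc != 2) { fprintf(stderr, "usage: %s <elf64-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = stack_is_executable(buf, n);
    printf("%s: stack %s\n", argv[1], r == 1 ? "EXECUTABLE" : r == 0 ? "non-executable" : "unknown");
    return r == 0 ? 0 : 1;
}
```

A binary that reports EXECUTABLE gets no benefit from the NX bit regardless of what the CPU supports, so this is the check to run over a build before trusting the hardware feature.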
John Markoff is the reporter that has essentially harassed Kevin Mitnick via articles. Mitnick essentially says that Markoff bent the truth (or even outright lied) about Mitnick in order to sell more articles, etc. Having watched Operation Takedown, I'm fairly certain Mitnick is right.
I'm giving up the possibility of modding in this topic in order to respond. Hehe, I'm an example for future generations!
-- It is no measure of health to be well adjusted to a profoundly sick society.
Did your high level engineer not use the network scanning tool that Microsoft provided to identify unpatched computers, and then just fix those?
> Every MS virus, worm, and what not does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.
So be surprised.
Here are some virus costs from Wired:
Nimda -- $635 million
Code Red -- $2.62 billion
SirCam -- $1.15 billion
Love Bug -- $8.75 billion
While we're looking at statistics, here's another...
According to CERT, the number of reported security incidents grew, starting in 1988, until they hovered at just over two thousand incidents per year from 1994 to 1997.
But then in 1998, the number of incidents started to explode:
1998 -- 3,734
1999 -- 9,859
2000 -- 21,756
2001 -- 52,658
2002 -- 82,094
2003 -- 76,404 (so far)
So what happened in 1998?
Microsoft introduced embedded e-mail scripting in Outlook Express!
Even an idiot could have predicted the consequences.
But why would Microsoft do something that was so clearly incompetent and irresponsible?
The answer can be found in another event that occurred in 1998, namely, the leaked release of the Halloween document. That internal Microsoft document described a strategy for fighting Open Source, as follows:
> OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.
So there you have it. The embedded scripting in Outlook Express is just one part of a general Microsoft strategy to decommoditize (i.e. break) Internet protocols.
In other words, these viruses and worms, which are costing us $billions, are just a side effect of MICROSOFT'S EXTENDED DENIAL OF SERVICE ATTACK ON OPEN SOURCE USERS.
If Jeffrey Parson might be going to jail for his denial of service attack (modifying the DDOS Blaster worm), then why not the president of Microsoft?
Please send this to mswish [at] microsoft [dot] com. I know for a fact that they do get and route this information to the right people. Many features and tweaks have been implemented in this fashion.
-Shippy
Linus doesn't ship an operating system - he provides a kernel.
A kernel, by itself, doesn't open any ports on the outside world.
Of course Microsoft is to blame for this. They know
a) users rarely change default settings
b) rpc ports are open by default
If Microsoft took the very tiny but reasonable step of making the RPC port closed until sharing is enabled, then Blaster wouldn't have done much.
Likewise, Microsoft knows that users are horrible at patching systems, and should have a better system in place for autoupdating the system. It should, in a sense, appear as a higher priority to the user. Instead, Microsoft enables the MS Messenger by default, so the user thinks every message is spam.
At Microsoft, a lot of the defects in security are defective by basic design, and the fact that an exploitable bug appeared was inevitable.
And you know what - there are still millions of machines with the RPC exploit that are on the net. Blaster only took down about 150,000. The other 20 million are still exploitable.
It is gonna get worse.