Gates Says Windows Reliability Is Greater

mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."

Re:No?

[tomstdenis]

Why? His company released a patch to fix it a few months before the attack started.

Would Linus feel particularly hurt if a worm went around that attacked kernel v0.94 ???

Tom

Please.

[Fnkmaster]

They didn't even bother locking down any of these dangling ports until somebody exploited the fuck out of them. Now they are at least going to ship Windows with the Internet Connection Firewall enabled by default, which is a good thing. They are a reactive organization - it comes with the territory of having a dominant market position and being scared shitless of change, unless and until it forces itself on them, usually by inducing fear of losing the dominant market position.

Re:Just Great

[digitalunity]

Now that's just mean.

If by reliability, you mean it's ability to function in a proper way without self-destruction, I'd say he is succeeding. Windows XP is indeed better than the previous offerings. Once upon a time, you didn't even have to touch your computer and it would spontaneously have problems. It has gotten much better. Now, it's resilience against the evils of the internet...

That's another story. Indeed, Gates should institue a moratorium on new projects until the old ones can become stable enough to actually properly handle the internet.

Sobig.F is a good example of how fundamental the problems with Microsoft software is. The changes required to secure (pick one: Windows,IE,Outlook,Exchange,IIS) need to happen at the API layer. Unfortunately, this would take industry-wide support, something not even Microsoft can make happen overnight. It would seem with all the money companies already have invested, there is a lot of corporate inertia to overcome.

Re:No?

[militantbob]

Agreed. Microsoft took the appropriate actions. They recognized the problem, and released a fix far before any damage was done. They even made AutoUpdate enabled by default, to cover the rear ends of lazy/unknowing/careless users. I think Microsoft is making steps forward - small but important steps, such as ahead-of-time patches, offering a foundation for cooperation with 3rd party IM client producers, and admitting to and showing indications of intention of addressing security and stability problems.

Microsoft has a long way to go. There's no doubt about that. But *some* of the recent news concerning Microsoft has surprised and pleased me.

If users would leave AutoUpdate on, or take the time to check for patches once every week or two themselves.. and MS doesn't bloat 2004 and instead focuses on security/stability... I think things will be just fine.

Re:Get off the Bashing Kick

[vondo]

If you're worried about draconian EULAs, why would you be running Windows in the first place?

Gates and the Chewbaca defense

[UnknowingFool]

It's interesting how Gates tries to deflect the questions:

Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?

A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.

The interviewer asks how Blaster occurred despite Trustworthy Computing. Gates responds again and again that if everyone patched their systems, Blaster would not have been an issue. In essence, he is correct but he doesn't really answer the question. But this isn't a complete solution as not all users can automatically patch their systems.

Before everyone starts chiming in on how real system admins would have been prepared. Remember a few things:
1) After being burned by a few bad patches, some corporations now have a policy that specifically states that patches must be tested first. With the huge amount of patches that is released by MS, this is a full time job.
2) Remote users (laptop users, VPN users, etc.) are like sailors coming back from overseas. Who knows what they were exposed to and what viruses they have. This is outside the control of most admins.
3) Microsoft itself was not prepared for Slammer. SQL servers that were being used in a development environment (read outside of normal sys admin networks) were not patched. With large organizations, sometimes there are unknown, rogue installations.

Re:No?

[gl4ss]

actually linus might take it pretty personally if there was a hole found in linux that affects every linux kernel from 0.94 to 2.6test4.. even if he did then release a patch for it a bit later.

(as equivalent as the holes that have found to be in all nt based ms os's)

-

Re:No?

[militantbob]

Turning off AutoUpdate is a scary thing, in the case of the casual user. This is one area where I wish there was *more* harrassment and hassle required before disabling could be accomplished. A big bold warning box as soon as that checkbox is clicked, and another when the changes are saved. Many of my non-technical friends have heard about the 'insecurity' or 'privacy concerns' that are 'inherent' in auto-installs such as AutoUpdate and virus definition updates... and so they figure out how to turn it off, not knowing that THAT is the most dangerous thing they could do.

The harm caused by a worm to the user who disables AutoUpdate is his own responsibility. But the warnings should be more clear and in more places, when one considers what you pointed: that the user's choice may very well prove harmful to countless others. It is his machine, it is his choice. But he should be compelled by the software itself to make that choice in a more educated fashion.

Huge loss of money

[SysKoll]

Every MS virus, worm, and what not does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.

Like you, I find the $14B figure highly suspicious. However, I cannot help but notice how much things add up. My company's cost for the last few virus/worms is tens of millions in helpdesk time (all metered, hence easy to count), plus lost productivity. Take a high-level engineer whose lab time, including salary, equipment, real estate and benefits come to $250/hour. Have him spent the morning fiddle with his Windows machine that has to be brought up to the last service pack, then rebooted 3 times, then he has to download and install three patches from saturated servers... (even if the guy actually never caught a worm and wasn't dumb enough to open an attachment titled "Free XXX Pics!", Networking won't let him reconnect before he patches his machine). And even on machines that said engineer has carefully kept patched, Networking insist that he downloads and runs an update verification program that will certify this machine is indeed patched. Oh, and the verifier is a bit buggy so on some machines, you need to tweak it before it runs correctly.

And soon your cost is a cool grand. Multiply by many, many instances all over the world for every outburst. It adds up quickly.

Meanwhile, of course, the Linux machines in the lab are perfectly happy. It's just that the engineer needs Windows to access his email because of the boneheaded all-Windows desktop strategy that the higher-up morons barfed on unsuspecting cubicle dwellers. But that's a different problem.

Don't tell me that these procedure are wasteful and inflexible. I know it. Unfortunately, that's still better than sending helpdesk technicians to each machine, which is even more costly.

So the total figure can easily come to billions because of the huge mandatory waste of time to update and run the verification program on each machine.

Right now, this weekend, in many colleges and universities, thousands of IT depts and student/faculty helpdesk techs are running around like crazy patching machines of students coming back to school. The cost for our local college alone (5000 students) is estimated at $15-30 per student. Do the math.

Conclusion: The $14B might well be optimistic after all.

-- SysKoll

An issue of trust.

[digital+photo]

For those who are completely ignorant of computer security and never update their systems, they are akin to someone buying a power tool, not knowing how to use it, then trying to sue when they lop off a body part. You don't blame the manufacturer for those problems, you chalk it up to natural selection.

For those who are a bit more knowledgable, there is the issue of trust. After having used Microsoft's products for roughly 2 decades(since msdos), I feel I can't trust them to do something right anymore.

I know of people who got burned by the auto-update feature and their system was rendered unusable until they either restored or went into safemode to undo whatever "fix" was applied. Granted this is better than the "good old days" when a patch might require a clean re-install. Lots of good weekends gone to waste because of MS's "fixes".

Just this past week, I installed a update and suddenly, I couldn't make backups of my system because Autoupdate dinked with the drive access dll's. Thankfully, this only required the re-installation of the backup software to restore the DLLs to a working condition, but at what cost to the other parts of the system?

I have auto-update's download feature enabled, but I review the updates before installing them. I didn't get hit by the worm since I patched my system almost immediately after the fix came out.

The problem can't be completely attributed to users or to the producer of the software. But when the design of the software is so buggy that after literally tens of thousands of fixes, it is still riddled with security holes, you have to wonder if they are truly serious about security and about delivering a quality product to the end-user or if they are trying to do just enough.

It is understandable that MS is saying that they are doing the best that they can. That is all well and fine. But there is such a thing as their best not being good enough. Especially when there is so much slack to be made up for.

There is also the issue of this "got to be secure" attitude is recent. If it hadn't been for Linux arising quickly in the server and business markets both domestically and globally and if it hadn't been for the recent DOD government contract renewal, do you think MS would be so hot to trot to respond to problems like this?

Having watched and used MS's products for as long as I have, my personal opinion is that they've got a long way to go still and they aren't breaking even.