Slashdot Mirror
Gates Says Windows Reliability Is Greater
mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."
Dear Bill,
Far and away your #1 bug is the infamous "buffer overrun" flaw. These usually mostly manifest themselves in string libraries. I know that you have at least 3 library solutions in-house (Safestr for C, CString in MFC, and basic_string in STL) but your developers don't use them otherwise these problems wouldn't happen.
I'd like to point you out to another alternative:
http://bstring.sf.net/
Which your developers may prefer. But whatever you do, why don't you simply make it a requirement that <string.h> simply be outlawed (you could easily write a tool to enforce that couldn't you?), or take some other drastic action?
Buffer overruns are certainly the most common kind of bug that isn't caught by QA (the right answer is not to try to train QA to find them -- they would require the skill of a hacker.) If you concentrate on this one bug alone, you will probably easily remove 80% of these attacks.
I have never gotten a virus with xp. Never even even had one come up in a virus scan. But, I do all the right things like use a firewall and autoupdate. I also do things no one else does like use IE security settings and turn -everything- (java, activex) for all but say 40 sites on the net. This last step is just far too much work even for expert users (esp with that stupid site may not display properly dialog for ActiveX). Further it is just beyond the typical home XP user.
Linux and OS X ship with zero ports open. Windows XP and even Windows Server 2003 ship with 4 open ports. What does that mean? Four places that anyone can jack your system, and even if you have a firewall (a good one at that) programs that have managed to get onto your system whether through shadow installs (see Gator) or tricky web-pages that use java to make you download something and not tell you or even e-mail attachments-- all of those will be able to access the outside world and pull in information and throw it out there too without you ever knowing because those 4 ports are open.
Windows is not secure. Instead of fixing little problems like this that are incredibly simple, they decide to invest billions of dollars into programs like Palladium which will, among other less desirable things, make the platform "more secure" both from the outside world and from yourself. Figure your shit out Redmond, please (by Redmond I mean Microsoft, not Nintendo America).
The New Root Council, kickin' ass sinc
"We're doing our very best, and that's all we can do"
Concerned about the impact of viruses like Blaster and SoBig on your business? Look, here's what Bill Gates has to say on the issue. Even he's saying it's not going to get any better, so you can expect these kinds of incidents to keep recurring.
Now, let's talk about how to fix this...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Not only that, but in real terms, you have to go out of your way to not install the fix. Windows by default now downloads and asks you to install the patch. What more do you want? I mean, christ, let's get real. You have to try not to fix the problem.
> Bill's made it possible for any random high-school loser [reuters.com] to destroy $14 billion [net-security.org] Actually, they haven't found the creator of msblast yet--just some teenage copycat. In fact, that $14B is supposedly caused by SoBig, not msblast. And don't you love the figures that these organizations pull out of their ass, I mean, databases. Of course, it is a crying shame that microsoft is allowed to sell such unsafe software--but it took legislation to get seat belts into cars and even more legislation to get the great unwashed to wear them. My god, there was debate as to the need for drunk driving laws! To expect software providers to do the right thing is a bit of a folly, really.
This is double-speak. He is trying to imply that people's failure to auto-update is somehow related to Windows' risk of virus/worm attack. But they are in no way related.
System architecture that fails to maintain security is a design flaw, not a maintenance problem. Gates and Microsoft are attempting to blame shift their responsibilities to their product's users. Pretty much anyone would recognize this in a tort law suit, although I expect very few to make this claim in court simply because of Microsoft's size and reputation.
There is no need to use a SlashDot sig for SEO...
I agree with you, but I was pleasantly surprised to find that a lot of users actually cancel Windows auto updates when they become available because they think they're viruses attacking their computer...
Again, what is needed is more education of computer users in general - Windows Update really needs paper literature devoted to it in the box as it really is that important - from the perspective that the end results can affect others. It's the same issues with anti-virus software updates - a lot of people think installing from the box is all that's necessary.
What amazes me is that some large companies have a 'no executables' download policy on their networks. This umbrella policy also stops Windows Update working correctly, leaving a lot of exposed machines. Microsoft has supplied a way for larger companies to have their own internal Windows Update server running that will get around this problem and allow updates, but in some cases, company policy seems to be more important that IT common-sense.
Patches are important, they're just as important as those product recalls for exploding monitors/laptops and monetarily can probably cause more damaged if not applied.
They'd figure out some way to make it possible to run your Windows XP Pro system with a Limited (i.e. non-root) account without rendering it totally useless.
The few programs I've actually managed to get running on a Limited account still don't seem to have the access they need to SAVE THEIR SETTINGS... So they need to be reconfigured every time they load up.
And the only way I've figured out for dealing with that is to temporarily add the Limited Account to the administrators group, pull the network cable, log in with it like that, make the changes, log back out, remove it from the administrators group, reconnect network cable and run Ad-Aware and pray nothing went horribly wrong.
Which is a bit of a hassle.
Please God, let me find my blue hat with the red trim. (Frances Farmer)
However, this is where M$ has to step up. They have to realize as the biggest makers of software in the world, their software has to be MORE secure than everyone else's. They have to take bigger, more progressive steps to ensure security and reliability. I think the issue w/ AutoUpdate is a good one. However, what about other new features they have put into Windows? The built in messenger service that allows people top drop spam on your desktop? Universal Plug and Play? The security holes that allowed worms like Blaster etc to propogate? This is where M$ is striking out. These are pretty easy to see as problems or better yet, security issues. Why not leave THIS stuff disabled by default and then allow users to turn it on when they a)need it and b)know what the hell they are doing!
That all being said, M$ is getting better, but they still have a ways to go. What I wish is that Bill Gates would step up and have accountability on these issues and more importantly give better answers. Sure these are ok answers that he gave, but they are really nothing more than company line. When asked:
That isn't the answer I am looking for. I am looking for something more along the lines of: "We understand that as the largest maker of software we are going to be an obvious target for hackers. As such we have to do better in the future to secure our software from such breaches." True Gates did say some of this, but I think he is foolish to say that there is not an actual effort to undermind his company. Slashdot alone is full of people who don't use M$ products out of shear distain for Gates and the flaws of Windows etc.
Still, as I said a few times already, M$ is getting better. But they still have a lot of work to do before the stigma of poor software writing is off them (his claim that "Microsoft's reputation for doing great software research is very strong" was extremely funny and again is that company line that I am not looking for).
It is human nature to take shortcuts in thinking.
I think the whole Linux vs. Microsoft thing where security and stability are concerned comes down to the dilemma of the "soft" parent vs. the "hard" parent. Microsoft is the "soft" parent and *NIX/Linux distros are the "hard" parent.
Remember when you wanted to go out somewhere with some friends of yours and your folks didn't? They did that for your own security and wellbeing. In some cases, you probably had a parent that was easier on you. For example, my dad was the "soft" parent for me. If I asked him something, he'd cautiously say that I could do X as long as I was home beore my mom found out. If I asked my Mom, the answer was most positively one of the following:
1. No!
2. Only if you've done everything else you need to do to get some free time.
3. Why would you want to do that? Go do something useful.
So you can guess which parent I asked more often. I asked the parent that gave me what I WANTED, not what I NEEDED.
Microsoft is the "soft" parent. They give the average user what they want without thinking too much about what the implications are. Or they assume that the user will "do the right thing". *NIX/Linux distros are the "hard" parent since they don't (by default) allow the user to do anything they shouldn't be doing. It's a pain in the ass to have to switch over to "root" to take care of some administrative tasks in Linux. Newer distros make it a little easier, but they still throw up the password protection which would annoy an average Windows user to no end. Think of how many times a Windows user complains when they have to remember a password and they can't or they have to write it down somewhere. Windows doesn't do this kind of thing. Instead they thwart security by being the "nice guy" on the surface. I have plenty of friends who got pissed off having to deal with passwords on their boxes and logging out to become administrator. They eventually all asked me to reconfigure them so that they log in as admin by default automatically with no password. I told them what the implications were and they still wanted this. The real problem still comes down to lazy and uneducated users. The PC industry is giving them the keys to Ferarris and nukes even though they aren't qualified to handle them.
I think that eventually it will become necessary to give people what they need with no respect given to what they want. However, it doesn't have to be impossible to deal with from the end user's perspective. I think RedHat's root dialog box when trying to run an administrative command from the GUI is a perect example of how it can be made slightly easier, but still secure.
Until the average user understands why they SHOULDN'T run as root or Administrator, we are giving them loaded weapons pointed at their heads without telling them how to use them.
Un-news