Slashdot Mirror


Gates Says Windows Reliability Is Greater

mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."

33 of 568 comments

  1. Wow, it's really secure now! by Rosco P. Coltrane · · Score: 5, Funny
    Shit, it's so secure I need a password to read the article:

    Welcome to The New York Times on the Web!

    For full access to our site, please complete this simple registration form.
    As a member, you'll enjoy:

    In-depth coverage and analysis of news events from The New York Times FREE

    Up-to-the-minute breaking news and developing stories FREE

    Exclusive Web-only features, classifieds, tools, multimedia and much, much more FREE

    Please enter your Member ID:

    Please enter your password:

    Remember my Member ID and password on this computer.
    Forgot your password?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  2. No? by jabbadabbadoo · · Score: 5, Funny
    "Q. Blaster included a message attacking you. Do you take these things personally?

    A. No. "

    He should.

    1. Re:No? by tomstdenis · · Score: 5, Insightful

      Why? His company released a patch to fix it a few months before the attack started.

      Would Linus feel particularly hurt if a worm went around that attacked kernel v0.94 ???

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:No? by Dark Lord Seth · · Score: 5, Funny

      If he did, two minutes of reading slashdot would be enough to drive the guy to suicide.

    3. Re:No? by militantbob · · Score: 5, Insightful

      Agreed. Microsoft took the appropriate actions. They recognized the problem, and released a fix far before any damage was done. They even made AutoUpdate enabled by default, to cover the rear ends of lazy/unknowing/careless users. I think Microsoft is making steps forward - small but important steps, such as ahead-of-time patches, offering a foundation for cooperation with 3rd party IM client producers, and admitting to and showing indications of intention of addressing security and stability problems.

      Microsoft has a long way to go. There's no doubt about that. But *some* of the recent news concerning Microsoft has surprised and pleased me.

      If users would leave AutoUpdate on, or take the time to check for patches once every week or two themselves.. and MS doesn't bloat 2004 and instead focuses on security/stability... I think things will be just fine.

      --
      "The Tree of Liberty must be refreshed from time to time with the blood of Patriots and Tyrants." --Thomas Jefferson
    4. Re:No? by dipipanone · · Score: 4, Funny

      What makes you think that Bill does not read Slashdot?

      His money. If *you* had all those billions in the bank, would you be sitting here reading this drivel?

    5. Re:No? by Anonymous Coward · · Score: 5, Interesting

      I agree with you, but I was pleasantly surprised to find that a lot of users actually cancel Windows auto updates when they become available because they think they're viruses attacking their computer...

      Again, what is needed is more education of computer users in general - Windows Update really needs paper literature devoted to it in the box as it really is that important - from the perspective that the end results can affect others. It's the same issues with anti-virus software updates - a lot of people think installing from the box is all that's necessary.

      What amazes me is that some large companies have a 'no executables' download policy on their networks. This umbrella policy also stops Windows Update working correctly, leaving a lot of exposed machines. Microsoft has supplied a way for larger companies to have their own internal Windows Update server running that will get around this problem and allow updates, but in some cases, company policy seems to be more important than IT common sense.

      Patches are important, they're just as important as those product recalls for exploding monitors/laptops and monetarily can probably cause more damage if not applied.

    6. Re:No? by Gleng · · Score: 5, Funny

      Yes, but wearing a top hat and a monocle.

      --
      "Proudly Posting Without Reading The Article"
    7. Re:No? by gl4ss · · Score: 5, Insightful

      actually linus might take it pretty personally if there was a hole found in linux that affects every linux kernel from 0.94 to 2.6test4.. even if he did then release a patch for it a bit later.

      (as equivalent as the holes that have found to be in all nt based ms os's)

      -

      --
      world was created 5 seconds before this post as it is.
    8. Re:No? by militantbob · · Score: 5, Insightful

      Turning off AutoUpdate is a scary thing, in the case of the casual user. This is one area where I wish there was *more* harassment and hassle required before disabling could be accomplished. A big bold warning box as soon as that checkbox is clicked, and another when the changes are saved. Many of my non-technical friends have heard about the 'insecurity' or 'privacy concerns' that are 'inherent' in auto-installs such as AutoUpdate and virus definition updates... and so they figure out how to turn it off, not knowing that THAT is the most dangerous thing they could do.

      The harm caused by a worm to the user who disables AutoUpdate is his own responsibility. But the warnings should be more clear and in more places, when one considers what you pointed: that the user's choice may very well prove harmful to countless others. It is his machine, it is his choice. But he should be compelled by the software itself to make that choice in a more educated fashion.

      --
      "The Tree of Liberty must be refreshed from time to time with the blood of Patriots and Tyrants." --Thomas Jefferson
    9. Re:No? by rblancarte · · Score: 4, Interesting
      This is kind of the gist of the article. Gates talks about how people have to be accountable for their own machines. This is true. I mean, how many people out there run Linux servers unpatched allowing hackers to gain control of the machine and do far worse damage from it? Whose fault is that? Linus because the problems were there or the end user who didn't patch his system?

      However, this is where M$ has to step up. They have to realize as the biggest makers of software in the world, their software has to be MORE secure than everyone else's. They have to take bigger, more progressive steps to ensure security and reliability. I think the issue w/ AutoUpdate is a good one. However, what about other new features they have put into Windows? The built in messenger service that allows people to drop spam on your desktop? Universal Plug and Play? The security holes that allowed worms like Blaster etc to propagate? This is where M$ is striking out. These are pretty easy to see as problems or better yet, security issues. Why not leave THIS stuff disabled by default and then allow users to turn it on when they a)need it and b)know what the hell they are doing!

      That all being said, M$ is getting better, but they still have a ways to go. What I wish is that Bill Gates would step up and have accountability on these issues and more importantly give better answers. Sure these are ok answers that he gave, but they are really nothing more than company line. When asked:
      Q: You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?

      A. I'm not aware of any systematic attempt by any group.

      That isn't the answer I am looking for. I am looking for something more along the lines of: "We understand that as the largest maker of software we are going to be an obvious target for hackers. As such we have to do better in the future to secure our software from such breaches." True Gates did say some of this, but I think he is foolish to say that there is not an actual effort to undermine his company. Slashdot alone is full of people who don't use M$ products out of sheer disdain for Gates and the flaws of Windows etc.

      Still, as I said a few times already, M$ is getting better. But they still have a lot of work to do before the stigma of poor software writing is off them (his claim that "Microsoft's reputation for doing great software research is very strong" was extremely funny and again is that company line that I am not looking for).
      --
      It is human nature to take shortcuts in thinking.
  3. Obligatory quote from "The Rock" by arnie_apesacrappin · · Score: 5, Funny

    Losers always whine about their best. Winners go home and fuck the prom queen.

    --

    Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

  4. Fear of lawsuits? Bah! by denisdekat · · Score: 5, Funny

    I like the part about "are you afraid of product liability suits". He should have answered. "no, now that we understand how to buy politicians and use lobbyists, we no longer fear the law".

  5. Reg Free link by sheddd · · Score: 4, Informative

    for you lazy Geeks:

    Link

  6. Please. by Fnkmaster · · Score: 4, Insightful

    They didn't even bother locking down any of these dangling ports until somebody exploited the fuck out of them. Now they are at least going to ship Windows with the Internet Connection Firewall enabled by default, which is a good thing. They are a reactive organization - it comes with the territory of having a dominant market position and being scared shitless of change, unless and until it forces itself on them, usually by inducing fear of losing the dominant market position.

  7. Dear Bill ... by Ninja Programmer · · Score: 5, Interesting

    Dear Bill,

    Far and away your #1 bug is the infamous "buffer overrun" flaw. These usually mostly manifest themselves in string libraries. I know that you have at least 3 library solutions in-house (Safestr for C, CString in MFC, and basic_string in STL) but your developers don't use them otherwise these problems wouldn't happen.

    I'd like to point you out to another alternative:

    http://bstring.sf.net/

    Which your developers may prefer. But whatever you do, why don't you simply make it a requirement that <string.h> simply be outlawed (you could easily write a tool to enforce that couldn't you?), or take some other drastic action?

    Buffer overruns are certainly the most common kind of bug that isn't caught by QA (the right answer is not to try to train QA to find them -- they would require the skill of a hacker.) If you concentrate on this one bug alone, you will probably easily remove 80% of these attacks.
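The "tool to enforce that" the letter asks for is a small lint pass over the source tree. The following is an added example written for this page, not code from the post, from Microsoft, or from the bstring project: it scans C source text for calls to a constructed list of unbounded string functions (strcpy, strcat, sprintf, vsprintf, gets), skips comments and string literals so that a mere mention does not count, and returns the hit count so a build step can fail on it. SAMPLE_SRC is constructed input, and the banned list is an assumption to be adjusted to local policy.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unbounded string functions the tool refuses to accept in source files.
   Constructed list for this example; extend it to match local policy.
   (strlen/memcmp take explicit lengths and are deliberately not on it.) */
static const char *const BANNED[] = { "strcpy", "strcat", "sprintf", "vsprintf", "gets" };
#define NBANNED (sizeof BANNED / sizeof BANNED[0])

static int is_ident_char(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Scan C source text for calls to banned functions.
   Returns the number of hits; if `out` is non-NULL, prints one
   "line N: name" report per hit. Line comments, block comments and
   string literals are skipped. Character literals and macro expansion
   are not modelled, which is acceptable for a build-time gate. */
int scan_banned_calls(const char *src, FILE *out)
{
    int hits = 0, line = 1;
    const char *p = src;

    while (*p) {
        if (*p == '\n') { line++; p++; continue; }

        /* // comment: skip to end of line */
        if (p[0] == '/' && p[1] == '/') {
            while (*p && *p != '\n') p++;
            continue;
        }
        /* block comment: skip to the closing delimiter, counting lines */
        if (p[0] == '/' && p[1] == '*') {
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) { if (*p == '\n') line++; p++; }
            if (*p) p += 2;
            continue;
        }
        /* string literal: skip, honouring backslash escapes */
        if (*p == '"') {
            p++;
            while (*p && *p != '"') {
                if (*p == '\\' && p[1]) p++;
                if (*p == '\n') line++;
                p++;
            }
            if (*p) p++;
            continue;
        }
        /* identifier: compare the whole token, so strncpy is not strcpy */
        if (is_ident_char(*p)) {
            const char *start = p;
            while (is_ident_char(*p)) p++;
            size_t len = (size_t)(p - start);
            const char *q = p;
            while (*q == ' ' || *q == '\t') q++;
            if (*q != '(') continue;               /* not a call */
            for (size_t i = 0; i < NBANNED; i++) {
                if (strlen(BANNED[i]) == len && memcmp(BANNED[i], start, len) == 0) {
                    hits++;
                    if (out) fprintf(out, "line %d: %.*s\n", line, (int)len, start);
                    break;
                }
            }
            continue;
        }
        p++;
    }
    return hits;
}

/* Constructed sample input: two real offenders plus decoys that must not count. */
static const char SAMPLE_SRC[] =
    "#include <string.h>\n"
    "void greet(const char *name) {\n"
    "    char buf[16];\n"
    "    strcpy(buf, name);                 // line 4: unbounded copy, flagged\n"
    "    strcat (buf, \"!\");               // line 5: flagged despite the space\n"
    "    // strcpy(buf, name);              // line 6: in a comment, ignored\n"
    "    puts(\"strcpy(\");                 // line 7: in a string literal, ignored\n"
    "    my_strcpy(buf, name);              // line 8: different identifier, ignored\n"
    "    strncpy(buf, name, sizeof buf - 1);// line 9: bounded, not on the list\n"
    "}\n";

int main(void)
{
    int n = scan_banned_calls(SAMPLE_SRC, stdout);
    printf("%d banned call(s) found\n", n);
    return n > 0;   /* non-zero exit status lets a build fail on any hit */
}
```

Run it against a real tree by reading each file into a buffer and calling scan_banned_calls on it; a non-zero return from the gate is the "drastic action" the letter is after, enforced at build time rather than left to QA.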

  8. Works for me but I'm an expert user by j_dot_bomb · · Score: 5, Interesting

    I have never gotten a virus with xp. Never even had one come up in a virus scan. But, I do all the right things like use a firewall and autoupdate. I also do things no one else does like use IE security settings and turn -everything- (java, activex) for all but say 40 sites on the net. This last step is just far too much work even for expert users (esp with that stupid site may not display properly dialog for ActiveX). Further it is just beyond the typical home XP user.

  9. Oh just steal Linux already! by ellem · · Score: 4, Funny

    For Chris'sake BILL what the fuck is taking so Goddamn long.

    Steal the fucking Linux Kernel slap a Windows sticker on it sue the GPL out of business and give us One OS To Bind (not BIND) Them All already.

    You ripped everything else off, how about ripping off some fucking security?

    --
    This .sig is fake but accurate.
  10. Get off the Bashing Kick by monkeywork · · Score: 4, Informative

    I'm a big fan of linux, but I work in an environment where windows is locked in. Yea MS has some problems but so does everyone, what everyone needs to remember is that MICROSOFT RELEASED A FIX FOR BLASTER BEFORE THE BIG HIT CAME. The fact is the people who got hit by blaster didn't maintain their system, or weren't running firewalls. You wouldn't be on here growling about how debian sucked if a bunch of users didn't do apt-get update / upgrade would you? These guys have a huge market share, have a reasonably good product that most of the population is happy enough using. Many of us (myself included) like linux. Both have bugs, both get fixes... but the weakest link is if the admins / system owners update... in this case many didn't and it made MS look bad.

    --
    --------- If its possible it will happen, If its impossible it will just take longer
    1. Re:Get off the Bashing Kick by vondo · · Score: 4, Insightful

      If you're worried about draconian EULAs, why would you be running Windows in the first place?

  11. Re:Just Great by digitalunity · · Score: 5, Insightful

    Now that's just mean.

    If by reliability, you mean its ability to function in a proper way without self-destruction, I'd say he is succeeding. Windows XP is indeed better than the previous offerings. Once upon a time, you didn't even have to touch your computer and it would spontaneously have problems. It has gotten much better. Now, its resilience against the evils of the internet...

    That's another story. Indeed, Gates should institute a moratorium on new projects until the old ones can become stable enough to actually properly handle the internet.

    Sobig.F is a good example of how fundamental the problems with Microsoft software are. The changes required to secure (pick one: Windows, IE, Outlook, Exchange, IIS) need to happen at the API layer. Unfortunately, this would take industry-wide support, something not even Microsoft can make happen overnight. It would seem with all the money companies already have invested, there is a lot of corporate inertia to overcome.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
  12. Linux Consultant's Dream by bill_mcgonigle · · Score: 4, Interesting

    "We're doing our very best, and that's all we can do"

    Concerned about the impact of viruses like Blaster and SoBig on your business? Look, here's what Bill Gates has to say on the issue. Even he's saying it's not going to get any better, so you can expect these kinds of incidents to keep recurring.

    Now, let's talk about how to fix this...

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  13. Gates needs to read /. by GoofyBoy · · Score: 4, Funny

    Quote the article:

    "Q. You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?

    A. I'm not aware of any systematic attempt by any group. "

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  14. Re:A SoBig Achievement by xoboots · · Score: 4, Interesting

    > Bill's made it possible for any random high-school loser [reuters.com] to destroy $14 billion [net-security.org]

    Actually, they haven't found the creator of msblast yet--just some teenage copycat. In fact, that $14B is supposedly caused by SoBig, not msblast. And don't you love the figures that these organizations pull out of their ass, I mean, databases. Of course, it is a crying shame that microsoft is allowed to sell such unsafe software--but it took legislation to get seat belts into cars and even more legislation to get the great unwashed to wear them. My god, there was debate as to the need for drunk driving laws! To expect software providers to do the right thing is a bit of a folly, really.

  15. Double-speak blame shifting by digitect · · Score: 4, Interesting
    > The fact that these [SoBig.F] attacks are coming out and that people's software is not up to date in a way that fully prevents an attack on them is something we feel very bad about.

    This is double-speak. He is trying to imply that people's failure to auto-update is somehow related to Windows' risk of virus/worm attack. But they are in no way related.

    System architecture that fails to maintain security is a design flaw, not a maintenance problem. Gates and Microsoft are attempting to blame shift their responsibilities to their product's users. Pretty much anyone would recognize this in a tort law suit, although I expect very few to make this claim in court simply because of Microsoft's size and reputation.

    --
    There is no need to use a SlashDot sig for SEO...
  16. OpenBSD by rf0 · · Score: 4, Informative

    You are wrong about open ports. If you take OpenBSD, which is the most secure OS on the planet, it ships with SSH open by default. Now yes it's secure but it's still an open port.

    Rus

  17. Windows is more secure than Linux! by HanzoSan · · Score: 4, Funny



    Why should Microsoft fix anything? Window's is the most secure OS according to http://www.wininformant.com/Articles/Index.cfm?ArticleID=23958

    --
    If you use Linux, please help development of Autopac
  18. Re:A SoBig Achievement by GabrielStrange · · Score: 5, Interesting
    You know... If MS was really going out of their way to try to make systems running Windows be secure...

    They'd figure out some way to make it possible to run your Windows XP Pro system with a Limited (i.e. non-root) account without rendering it totally useless.

    The few programs I've actually managed to get running on a Limited account still don't seem to have the access they need to SAVE THEIR SETTINGS... So they need to be reconfigured every time they load up.

    And the only way I've figured out for dealing with that is to temporarily add the Limited Account to the administrators group, pull the network cable, log in with it like that, make the changes, log back out, remove it from the administrators group, reconnect network cable and run Ad-Aware and pray nothing went horribly wrong.

    Which is a bit of a hassle.

    --
    Please God, let me find my blue hat with the red trim. (Frances Farmer)
  19. Gates and the Chewbacca defense by UnknowingFool · · Score: 5, Insightful
    It's interesting how Gates tries to deflect the questions:

    Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?

    A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.

    The interviewer asks how Blaster occurred despite Trustworthy Computing. Gates responds again and again that if everyone patched their systems, Blaster would not have been an issue. In essence, he is correct but he doesn't really answer the question. But this isn't a complete solution as not all users can automatically patch their systems.

    Before everyone starts chiming in on how real system admins would have been prepared. Remember a few things:
    1) After being burned by a few bad patches, some corporations now have a policy that specifically states that patches must be tested first. With the huge amount of patches that are released by MS, this is a full time job.
    2) Remote users (laptop users, VPN users, etc.) are like sailors coming back from overseas. Who knows what they were exposed to and what viruses they have. This is outside the control of most admins.
    3) Microsoft itself was not prepared for Slammer. SQL servers that were being used in a development environment (read outside of normal sys admin networks) were not patched. With large organizations, sometimes there are unknown, rogue installations.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  20. Huge loss of money by SysKoll · · Score: 4, Insightful
    Every MS virus, worm, and what not does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.

    Like you, I find the $14B figure highly suspicious. However, I cannot help but notice how much things add up. My company's cost for the last few virus/worms is tens of millions in helpdesk time (all metered, hence easy to count), plus lost productivity. Take a high-level engineer whose lab time, including salary, equipment, real estate and benefits come to $250/hour. Have him spend the morning fiddling with his Windows machine that has to be brought up to the last service pack, then rebooted 3 times, then he has to download and install three patches from saturated servers... (even if the guy actually never caught a worm and wasn't dumb enough to open an attachment titled "Free XXX Pics!", Networking won't let him reconnect before he patches his machine). And even on machines that said engineer has carefully kept patched, Networking insists that he downloads and runs an update verification program that will certify this machine is indeed patched. Oh, and the verifier is a bit buggy so on some machines, you need to tweak it before it runs correctly.

    And soon your cost is a cool grand. Multiply by many, many instances all over the world for every outburst. It adds up quickly.

    Meanwhile, of course, the Linux machines in the lab are perfectly happy. It's just that the engineer needs Windows to access his email because of the boneheaded all-Windows desktop strategy that the higher-up morons barfed on unsuspecting cubicle dwellers. But that's a different problem.

    Don't tell me that these procedures are wasteful and inflexible. I know it. Unfortunately, that's still better than sending helpdesk technicians to each machine, which is even more costly.

    So the total figure can easily come to billions because of the huge mandatory waste of time to update and run the verification program on each machine.

    Right now, this weekend, in many colleges and universities, thousands of IT depts and student/faculty helpdesk techs are running around like crazy patching machines of students coming back to school. The cost for our local college alone (5000 students) is estimated at $15-30 per student. Do the math.

    Conclusion: The $14B might well be optimistic after all.

    -- SysKoll

    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  21. It's just like Mom and Dad by Trolling4Dollars · · Score: 4, Interesting

    I think the whole Linux vs. Microsoft thing where security and stability are concerned comes down to the dilemma of the "soft" parent vs. the "hard" parent. Microsoft is the "soft" parent and *NIX/Linux distros are the "hard" parent.

    Remember when you wanted to go out somewhere with some friends of yours and your folks didn't? They did that for your own security and wellbeing. In some cases, you probably had a parent that was easier on you. For example, my dad was the "soft" parent for me. If I asked him something, he'd cautiously say that I could do X as long as I was home before my mom found out. If I asked my Mom, the answer was most positively one of the following:

    1. No!
    2. Only if you've done everything else you need to do to get some free time.
    3. Why would you want to do that? Go do something useful.

    So you can guess which parent I asked more often. I asked the parent that gave me what I WANTED, not what I NEEDED.

    Microsoft is the "soft" parent. They give the average user what they want without thinking too much about what the implications are. Or they assume that the user will "do the right thing". *NIX/Linux distros are the "hard" parent since they don't (by default) allow the user to do anything they shouldn't be doing. It's a pain in the ass to have to switch over to "root" to take care of some administrative tasks in Linux. Newer distros make it a little easier, but they still throw up the password protection which would annoy an average Windows user to no end. Think of how many times a Windows user complains when they have to remember a password and they can't or they have to write it down somewhere. Windows doesn't do this kind of thing. Instead they thwart security by being the "nice guy" on the surface. I have plenty of friends who got pissed off having to deal with passwords on their boxes and logging out to become administrator. They eventually all asked me to reconfigure them so that they log in as admin by default automatically with no password. I told them what the implications were and they still wanted this. The real problem still comes down to lazy and uneducated users. The PC industry is giving them the keys to Ferraris and nukes even though they aren't qualified to handle them.

    I think that eventually it will become necessary to give people what they need with no respect given to what they want. However, it doesn't have to be impossible to deal with from the end user's perspective. I think RedHat's root dialog box when trying to run an administrative command from the GUI is a perfect example of how it can be made slightly easier, but still secure.

    Until the average user understands why they SHOULDN'T run as root or Administrator, we are giving them loaded weapons pointed at their heads without telling them how to use them.

  22. An issue of trust. by digital photo · · Score: 4, Insightful

    For those who are completely ignorant of computer security and never update their systems, they are akin to someone buying a power tool, not knowing how to use it, then trying to sue when they lop off a body part. You don't blame the manufacturer for those problems, you chalk it up to natural selection.

    For those who are a bit more knowledgeable, there is the issue of trust. After having used Microsoft's products for roughly 2 decades (since MS-DOS), I feel I can't trust them to do something right anymore.

    I know of people who got burned by the auto-update feature and their system was rendered unusable until they either restored or went into safemode to undo whatever "fix" was applied. Granted this is better than the "good old days" when a patch might require a clean re-install. Lots of good weekends gone to waste because of MS's "fixes".

    Just this past week, I installed an update and suddenly, I couldn't make backups of my system because Autoupdate dinked with the drive access dll's. Thankfully, this only required the re-installation of the backup software to restore the DLLs to a working condition, but at what cost to the other parts of the system?

    I have auto-update's download feature enabled, but I review the updates before installing them. I didn't get hit by the worm since I patched my system almost immediately after the fix came out.

    The problem can't be completely attributed to users or to the producer of the software. But when the design of the software is so buggy that after literally tens of thousands of fixes, it is still riddled with security holes, you have to wonder if they are truly serious about security and about delivering a quality product to the end-user or if they are trying to do just enough.

    It is understandable that MS is saying that they are doing the best that they can. That is all well and fine. But there is such a thing as their best not being good enough. Especially when there is so much slack to be made up for.

    There is also the issue that this "got to be secure" attitude is recent. If it hadn't been for Linux arising quickly in the server and business markets both domestically and globally and if it hadn't been for the recent DOD government contract renewal, do you think MS would be so hot to trot to respond to problems like this?

    Having watched and used MS's products for as long as I have, my personal opinion is that they've got a long way to go still and they aren't breaking even.

  23. Virus Cost Statistics, Microsoft's DOS Attack by Anonymous Coward · · Score: 5, Informative

    > Every MS virus, worm, and what not does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.

    So be surprised.

    Here are some virus costs from Wired:

    Nimda -- $635 million
    Code Red -- $2.62 billion
    SirCam -- $1.15 billion
    Love Bug -- $8.75 billion

    While we're looking at statistics, here's another...

    According to CERT, the number of reported security incidents grew, starting in 1988, until they hovered at just over two thousand incidents per year from 1994 to 1997.

    But then in 1998, the number of incidents started to explode:

    1998 -- 3,734
    1999 -- 9,859
    2000 -- 21,756
    2001 -- 52,658
    2002 -- 82,094
    2003 -- 76,404 (so far)

    So what happened in 1998?

    Microsoft introduced embedded e-mail scripting in Outlook Express!

    Even an idiot could have predicted the consequences.

    But why would Microsoft do something that was so clearly incompetent and irresponsible?

    The answer can be found in another event that occurred in 1998, namely, the leaked release of the Halloween document. That internal Microsoft document described a strategy for fighting Open Source, as follows:

    > OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.

    So there you have it. The embedded scripting in Outlook Express is just one part of a general Microsoft strategy to decommoditize (i.e. break) Internet protocols.

    In other words, these viruses and worms, which are costing us $billions, are just a side effect of MICROSOFT'S EXTENDED DENIAL OF SERVICE ATTACK ON OPEN SOURCE USERS.

    If Jeffrey Parson might be going to jail for his denial of service attack (modifying the DDOS Blaster worm), then why not the president of Microsoft?