Slashdot Mirror


Ballmer Touts Focus on Security

kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

8 of 322 comments

  1. Re:I'm sure he does wish they would be quiet by capt.Hij · · Score: 3, Informative
    "I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

    They want to educate people but do not want the people who really know to talk about it? This seems a bit paternalistic even for Microsoft. They want to be the ones who work with people to make updates but do not want anybody else to have a voice.

    The semantics themselves are also a bit problematic. I'm assuming that he doesn't really want them to "shut-up" but rather not talk to people outside of the Microsoft offices???

  2. Meanwhile... by An+Anonymous+Hero · · Score: 3, Informative

    Gartner echoes concerns on Microsoft reliance

    A copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity. The Gartner report is scheduled to be published Friday.

    (The point is not what they are saying, it's who's saying it.)

  3. They still don't get it by evenprime · · Score: 2, Informative

    Back in 2001, Microsoft's Steve Lipner said that code "Review is boring and time consuming, and it's hard,". They don't seem to understand that many people get a lot of satisfaction in doing that. Many people look for things to post to bugtraq because doing so is *fun* for them.

    Steve Ballmer's recent statement about vulnerability researchers - 'I wish those people just would be quiet' - is downright silly. They are the biggest company on the block right now, and there's always going to be someone who wants to make the big corporation look silly. Microsoft needs to wake up to the fact that there will *always* be someone who is a) bored, and b) wants to make them look bad.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  4. How about automatically removing foreign malware? by Bingo+Foo · · Score: 2, Informative
    I spent a good deal of time last weekend disinfecting my cousin's computer from all sorts of disgusting junk. Yes, I had to apply about fifteen "critical updates" but I also had to remove (or attempt to remove) about ten different apps that appear to have the sole purpose of hijacking the browser to go to dozens of popup havens. These programs:
    1. Often had official sounding names in the add/remove programs list like "MS Explorer update Q3395"
    2. Popped up five or six windows every time a link was clicked in IE, and inevitably one of the popups was for a service or program that claimed to "stop those annoying popups."
    For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.

    If they don't do this already, Microsoft should set up a room full of computers with people just dredging the sleazier parts of the web and installing whatever the latest malicious spawn of Bonzi Buddy and Gator, etc. happen to be. They would have to have non-MS IP numbers, because that would be too easy to check for in one's malware.

    Of course, I had a talk with my cousin about clicking "OK" to install every little thing that comes down the pipe, but it felt like trying to talk about genital warts or something.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  5. mostly true. then there's... by AlienBrain · · Score: 2, Informative

    I agree, things have to be published, unfortunately, for certain companies to get off their asses. Then there's Microsoft, who whines and bitches about having to fix published flaws, yet at the same time manages to ignore others. Such as 31 in IE alone.

    J

  6. Re:It'd be a good idea for them to be quiet... by homer_ca · · Score: 2, Informative

    They already do that. Just about every vulnerability report about Microsoft has followed so-called responsible disclosure guidelines. First, the discoverer contacts the vendor. Vendor acknowledges the bug and discoverer waits a reasonable time while vendor comes up with patch. When the patch is ready discoverer and vendor announce it the same day, and vendor thanks so and so in the security bulletin for finding the bug.

    There's still a time window to hack between the announcement of the bug and when most systems get patched. In the case of Blaster, the worm was released less than a month after the announcement.

    The real danger with keeping quiet is the so-called 0-day exploits. If less ethical security researchers find vulnerabilities and do not tell anybody, or if a vulnerability gets leaked before the official announcement, we're all worse off.

  7. Re:we'll focus on security .. this time we mean it by Archfeld · · Score: 2, Informative

    The new Windows is not any better, and has MSIE 6 on it with the SAME holes as everyone else. Just finished installing the MOST recent Developer release of 2K3, don't hold your breath for this release to be ANY better than the previous one regarding security. In fact if the integration continues expect all the "BROWSER" based exploits to be migrated right into the local system without even a look backwards. So far beyond extended memory/proc support I fail to see any REAL improvements in 2K3, much GUI'fied updates, some useless moving and renaming of function from one place to another, and some really lame shutdown documentation requirements. M$ just really doesn't understand what people want, or even how to find out what their customers really see as the #1 priorities....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  8. Re:Design? by DA-MAN · · Score: 2, Informative

    According to this, it was September 16, 2003.

    http://www.securityfocus.com/archive/1/337662/2003-09-13/2003-09-19/0

    Any other questions?

    --
    Can I get an eye poke?
    Dog House Forum