Slashdot Mirror


Ballmer Touts Focus on Security

kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

16 of 322 comments

  1. we'll focus on security .. this time we mean it! by Anonymous Coward · · Score: 5, Insightful

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

    Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen.

    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why? Because they know if legislation is passed, they will be able to afford it and nobody else will? Because they know they have such a huge lock-in, managers will grumble but renew licenses anyway? What's the deal MS?

    It bugs the hell out of me that they have the audacity to lock us into their products (which work okay most of the time, I'll give you that) yet can't give us the common courtesy to solve these problems. I really don't give a shit if Office 2003 is based on XML or EBCDIC, I just need the computer to be "Secretary-Proof" for at least a week or two after it's turned on. Monthly security updates? Good grief!! How about getting it right the first time!

    Microsoft needs to snap into action ASAP. They need to fix the bugs, do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care. They need to send out CDs to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program.

    Or.. or.. well, okay you got me. We can't afford to switch from Windows. But it seems we can't afford to stay with it either!

  2. It's not the computer researchers' fault by samsmithnz · · Score: 5, Insightful

    It's not that the computer researchers who publish the flaws are the problem, it's the fact that the only way they can get Microsoft's attention is to publish them!!! How many stories have we read about a 'researcher' finding an issue, and then spending 2 months trying to contact MS, before giving up and posting it in places like this!

  3. Interesting Wording by 31415926535897 · · Score: 3, Insightful

    Notice Ballmer's statement, 'I wish those people just would be quiet.'

    He's not saying, "Please don't release the findings so that blackhats can't use the exploits."

    He's not even saying, "Please delay telling the public about your findings so that we have a chance to fix the flaws."

    He's saying, "I wish they would be quiet so that we don't have to spend the time/money/manpower to plug our holes. It's not our fault people are exploiting the holes, it's the people who release security reports."

    I know, you're saying that it's obvious a company would want to help its bottom line, but he didn't even have the decency to make his statement very cryptically.

  4. outlaw guns and only outlaws will have guns... by Anonymous Coward · · Score: 1, Insightful

    Can Ballmer seriously want discussion of Windows security to end? If not for bugtraq (and such), the only folks who knew about holes would be those trying to exploit them!

    Do I really need to say this? Should someone mod Ballmer (or me even) -1 redundant?

  5. "I really wish they would just shut up." by Saint+Aardvark · · Score: 4, Insightful

    I wish they didn't have anything to talk about.

  6. Re:I'm sure he does wish they would be quiet by midav · · Score: 3, Insightful

    I wish they would not have to talk that much

  7. Re:Let's Compare by los+furtive · · Score: 1, Insightful

    No bug fixes? You ever heard of service packs?

    No new releases? What about Windows 2003?

    I'm not a big Microsoft fan (hell, as I write this reply I'm loading Mandrake 9.1 on my subnotebook), but your comment is patently false.

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

  8. Re:we'll focus on security .. this time we mean it by Kevinb · · Score: 3, Insightful

    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    There's an analogy in the article which explains this perfectly: "Computer security is almost like car insurance. Nobody wants it until their car gets totaled." Very few of MS' customers were asking for security features until recently (within the past two years or so) -- so MS didn't deliver them. Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

  9. Re:we'll focus on security .. this time we mean it by letxa2000 · · Score: 2, Insightful

    Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

    Probably about the same way you explain TCP/IP to the average home user who just wants to read e-mail and surf the web. You don't. That doesn't mean it can't be of use to the user even if he or she doesn't understand it--or probably even knows it exists.

  10. Re:we'll focus on security .. this time we mean it by Anonymous Coward · · Score: 1, Insightful

    Who gave that analogy? Computer security is like car security: wheels that don't fall off while driving, seatbelts that don't break and let you fly through the windshield when your car crashes, door locks that really work, doors that don't open while driving, et cetera. Maybe Microsoft's software "engineers" buy car insurance thinking that it magically makes their cars indestructible...

  11. Re:Microsoft's $40 billion cash on hand by GSloop · · Score: 2, Insightful

    Let's just do the math.

    Could we assume that the cost of really hardening Windows and the other core products should cost less than one billion dollars? (I'd certainly hope so.)

    So, for 1/40th of MS's cash, or way less than the cost from all the worm/virus outbreaks, we could fix Windows.

    Let's see. Programmers cost $100K a year. (They should be serious kick ass programmers.) Let's also assume 25% of all costs are overhead and non-salary costs.

    Thus, for $500,000,000 we should be able to hire 7500 programmers to fix the problem in 12 months.

    Given these facts, it's clear that fixing the problem is really quite trivial, provided there is some real desire to do so. The obvious conclusion I reach: there is no real desire to fix things.

    Thus, things will continue as they have. It's easier and cheaper to snow people with press-releases and speeches than actually doing anything.

    Isn't that the ultimate PHB approach?

    Cheers,
    Greg

  12. Re:we'll focus on security .. this time we mean it by Anonymous Coward · · Score: 1, Insightful

    • They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium.

    I think you've put your finger on it right there. After year after year of the dominant desktop being a security nightmare, Palladium, which will promise absolute security, will be an easy sell to an exploit-weary community.

  13. Re:we'll focus on security .. this time we mean it by kfg · · Score: 2, Insightful

    The reason is simple really. Microsoft is a consumer grade software company (trying to outgrow that, with rather iffy results so far) and is thus naturally market driven; and market driving.

    "Consumer demand" (or what they can force the consumer into "demanding") is king. They aren't a technology company at all and claims they make of such are simply part of the marketing.

    Security has no meaning to them other than as an advertisable "feature."

    As such they have made certain decisions regarding the architecture of their operating systems that make no sense from a technological point of view.

    Please note that even Ballmer's current vomiting up of "initiatives" is pure market speak and doesn't actually mean anything with regards to their software.

    Fixing the situation isn't merely a matter of plugging the holes. It would take a true change of philosophy company wide, a complete restructuring of the OS and, most problematic of all, removing certain things that customers have come to expect as standard features and will bitch over losing.

    "Hey, where did the autorun of executables from email go!?"

    Go figure.

    People want security, but not at the price of being secure. How many home users keep a box with sensitive data isolated from the net? That would require some disk swapping now and again. How inconvenient.

    Let us not grow over snide in our disdain, however, and always keep as an object lesson in our minds that it was a ludicrous design decision in Gnu emacs that allowed the Lawrence Berkeley Labs network to be rooted.

    We can all make mistakes.

    Fortunately the Lawrence Livermore Labs (where they keep all the "Nuclear Wessels") was isolated from the web and thus unaffected by the intrusion.

    It's not a bad idea to take that as an object lesson as well.

    KFG

  14. Re:Firewall program? by questionlp · · Score: 2, Insightful

    Windows XP includes an "Internet Connection Firewall" that acts like a basic deny-all inbound firewall. It's probably not as customizable or tweakable as ipfw or pf.

  15. Re:we'll focus on security .. this time we mean it by poot_rootbeer · · Score: 3, Insightful

    [...] tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    Would implementing any of those things make Microsoft more money than not implementing them? It's all about profit margins. Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.

    do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care.

    You may not, but all the rest of Microsoft's customers do. "Fast but wonky" is all too often perceived as preferable to "slow but bulletproof."

    How about getting it right the first time!
    Microsoft needs to snap into action ASAP.

    You just have all the answers, don't you? Maybe Microsoft should hire a fresh new voice like you to oversee their development efforts.

    Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?

  16. Re:Microsoft's $40 billion cash on hand by soft_guy · · Score: 2, Insightful

    The reason Microsoft has $40 billion in cash on hand is because they keep it on hand instead of spending it on things like a building full of security experts constantly reviewing their code.

    They use 50% contractors so they can lay people off at the drop of a hat and never take a PR hit for layoffs. When I worked there, they laid off half of our QA people even though they were announcing record profits. Why did they lay them off? Cost cutting.

    They also don't pay their developers anywhere near what Apple pays. That's why their OS is still way behind MacOS X. It will continue to be behind Apple in terms of features, innovation, and quality as long as that is true. The people they recruit tend to be average developers. Most of the devs I've met from Apple tended to be really brilliant.

    And Microsoft doesn't care. They consider Apple to be no threat to them and to be sort of their "research arm". And that's likely to continue to be the case as long as Apple's at a strategic disadvantage - which they definitely are in. As long as something doesn't cause the equilibrium to change, Apple can continue to have 3-5% marketshare and can continue to produce a higher quality, more expensive computer that will appeal to some folks.

    Microsoft is obviously much more worried about Linux. From a strategic point of view, Linux is a good OS, it runs on x86 hardware, and there's not much stopping PC manufacturers from pre-loading Linux instead of Windows. Right now, it's just customer expectation and ease of use. What I think they are afraid of is some leader emerging who will go through the time and effort of ironing out some of the usability problems that Linux has and using it as a club to beat Microsoft to death. Who could do that? Maybe IBM?

    Have the security problems cost them marketshare? Maybe some sales in servers went to Linux, so they're turning on the PR machine and they are doing things internally to address security. (I hear this from friends who still work there.) Meanwhile, Longhorn's new graphics engine gets features Apple put into Quartz 3 years ago.

    Average users just want to run Word and surf for pr0n and they can do that with Windows.

    For me, I'll stick with the Mac.

    --
    Avoid Missing Ball for High Score