Ballmer Touts Focus on Security

kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

we'll focus on security .. this time we mean it!

He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen.

I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why? Because they know if legislation is passed, they will be able to afford it and nobody else will? Because they know they have such a huge lock-in, managers will grumble but renew licenses anyway? What's the deal MS?

It bugs the hell out of me that they have the audacity to lock us into their products (which work okay most of the time, I'll give you that) yet can't give us the common courtesy to solve these problems. I really don't give a shit if Office 2003 is based on XML or EBCDIC, I just need the computer to be "Secretary-Proof" for at least a week or two after it's turned on. Monthly security updates? Good grief!! How about getting it right the first time!

Microsoft needs to snap into action ASAP. They need to fix the bugs, do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care. They need to send out CD's to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program.

Or.. or.. well, okay you got me. We can't afford to switch from Windows. But it seems we can't afford to stay with it either!

Its not the computer researchers fault

[samsmithnz]

Its not that the computer researchers who publish the flaws thats a problem, its the fact that the only way they can get Microsofts attention is to publish them!!! How many stories have we read about a 'researcher' finding an issue, and then spending 2 months trying to contact MS, before giving up and posting it in places like this!

Interesting Wording

[31415926535897]

Notice Balmer's statement, 'I wish those people just would be quiet.'

He's not saying, "Please don't release the findings so that blackhats can't use the exploits."

He's not even saying, "Please delay telling the public about your findings so that we have a chance to fix the flaws."

He's saying, "I wish they would be quiet so that we don't have to spend the time/money/manpower to plug our holes. It's not our fault people are exploiting the holes, it's the people who release security reports."

I know, you're saying that it's obvious a company would want to help it's bottom line, but he didn't even have the decency to make his statement very cryptically.

"I really wish they would just shut up."

[Saint+Aardvark]

I wish they didn't have anything to talk about.

Re:I'm sure he does wish they would be quiet

[midav]

I wish they would not have to talk that much

Re:we'll focus on security .. this time we mean it

[Kevinb]

I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

There's an analogy in the article which explains this perfectly: "Computer security is almost like car insurance. Nobody wants it until their car gets totaled." Very few of MS' customers were asking for security features until recently (within the past two years or so) -- so MS didn't deliver them. Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

Re:we'll focus on security .. this time we mean it

[poot_rootbeer]

[...] tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

Would implementing any of those things make Microsoft more money than not implementing them? It's all about profit margins. Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.

do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care.

You may not, but all the rest of Microsoft's customers do. "Fast but wonky" is all too often perceived as preferable to "slow but bulletproof."

How about getting it right the first time!
Microsoft needs to snap into action ASAP.

You just have all the answers, don't you? Maybe Microsoft should hire a fresh new voice like you to oversee their development efforts.

Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?