Slashdot Mirror


Ballmer Touts Focus on Security

kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."


  1. I'm sure he does wish they would be quiet by wolfgang_spangler · · Score: 1, Funny

    Then they wouldn't have to spend so much time fighting security holes!

    1. Re:I'm sure he does wish they would be quiet by capt.Hij · · Score: 3, Informative
      "I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

      They want to educate people but do not want the people who really know to talk about it? This seems a bit paternalistic even for microsoft. They want to be the ones who work with people to make updates but do not want anybody else to have a voice.

      The semantics themselves are also a bit problematic. I'm assuming that he doesn't really want them to "shut-up" but rather not talk to people outside of the microsoft offices???

    2. Re:I'm sure he does wish they would be quiet by midav · · Score: 3, Insightful

      I wish they would not have to talk that much

    3. Re:I'm sure he does wish they would be quiet by MadBiologist · · Score: 1
      It's interesting that we have companies suing (or at least posturing like they want to sue) -- SunComm, and then Microsoft's chief muckity-muck telling the world that security researchers are to blame for Windows holes...

      I have to believe that one or more of these companies are going to try to make it more illegal to attempt to do security research. Now imagine if that same attitude was used towards other scientific research...

      Kinda makes you glad for that Bill of Rights thing, don't it?

      --
      'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
    4. Re:I'm sure he does wish they would be quiet by Jeremiah+Cornelius · · Score: 1
      Like the NEW exploit for DCOM/RPC that is effective against ALL 32-Bit Windows variants, and renders vulnerable systems with best, current patch levels?

      Automated patching won't help, when your patches, including 03-039 are fabricated under the same losing circumstances as the fundamentally flawed OS platform.

      "Trust our crap patches! Brought to you by applying our time-proven methods!"

      Timeliness is not improved by better automation of the distribution and application. Witness:

      [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
      From: "Alex"
      To: , ,
      CC:

      Date: Today 11:08:53

      Exploit code can be found here: http://www.securitylab.ru/40754.html

      This code work with all security fixes. It's very dangerous.

      ----- Original Message -----

      From: "3APA3A" To: ; ; Cc: Sent: Friday, October 10, 2003 6:48 PM Subject: Bad news on RPC DCOM vulnerability

      Dear bugtraq@securityfocus.com,

      There is some bad news on the RPC DCOM vulnerability:

      1. A universal exploit for MS03-039 exists in the wild; PINK FLOYD is again actual.
      2. It was reported by the exploit author (and confirmed) that Windows XP SP1 with all security fixes installed is still vulnerable to a variant of the same bug.
      Windows 2000/2003 was not tested.
      For a while only a DoS exploit exists, but code execution is probably possible.
      Technical details are sent to Microsoft, waiting for confirmation.

      Dear ISPs. Please instruct your customers to use the personal firewall in Windows XP.

      -- http://www.security.nnov.ru

      You know my name - look up my number (The Beatles)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    5. Re:I'm sure he does wish they would be quiet by Nevo · · Score: 1

      Source code is where now? I checked that page and can't find the source code. Can you provide any corroborating evidence that this exploit actually exists? If you can't, this is just hearsay.

    6. Re:I'm sure he does wish they would be quiet by Jeremiah+Cornelius · · Score: 1

      ZARAZA is waiting for an ack from MS (or NAK timeout ;-) ).

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    7. Re:I'm sure he does wish they would be quiet by Jeremiah+Cornelius · · Score: 1

      Here it is: http://forum.securitylab.ru/forum_posts.asp?TID=5642&PN=0&TPN=3 I'd repost the 'sploit source, but /. gots "junk" filters that block shellcodes.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. Deja vu? by r_glen · · Score: 1, Interesting

    Microsoft's Steve Ballmer announced a renewed focus on security

    Didn't Bill Gates JUST do the same thing?

    1. Re:Deja vu? by SKPhoton · · Score: 1

      Yes, he said that Windows Server 2003 was the Most Secure Windows ever. Then blaster showed up. So much for that..

    2. Re:Deja vu? by Dukeofshadows · · Score: 1

      Maybe Ballamer and Gates meant to say that greater emphasis will be placed on the security of Microsoft's profit margins instead of the security of their software?

      --
      As long as there is a Second Amendment, there will always be a First Amendment.
    3. Re:Deja vu? by RevDobbs · · Score: 1

      Yeah, why isn't this in the "It's Funny. Laugh." category?

    4. Re:Deja vu? by Jondor · · Score: 1

      Probably because the joke is getting old. After all, that's what they say after EVERY release, subrelease, patch, when it's full moon (he, that's today..;-) and after offering a goat.

      The version just released is great, much better than the previous version (which in that case could have been better) but the NEXT version is going to solve all your problems, listens to your problems and buys you a beer too! yawn...

      --
      Nobody expects the Spanish Inquisition!
    5. Re:Deja vu? by jrockway · · Score: 1

      > As long as there's a second amendment, there will always be a first.

      By well-ordering, right :)

      --
      My other car is first.
  3. we'll focus on security .. this time we mean it! by Anonymous Coward · · Score: 5, Insightful

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

    Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen.

    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why? Because they know if legislation is passed, they will be able to afford it and nobody else will? Because they know they have such a huge lock-in, managers will grumble but renew licenses anyway? What's the deal MS?

    It bugs the hell out of me that they have the audacity to lock us into their products (which work okay most of the time, I'll give you that) yet can't give us the common courtesy to solve these problems. I really don't give a shit if Office 2003 is based on XML or EBCDIC, I just need the computer to be "Secretary-Proof" for at least a week or two after it's turned on. Monthly security updates? Good grief!! How about getting it right the first time!

    Microsoft needs to snap into action ASAP. They need to fix the bugs, do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care. They need to send out CD's to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program.

    Or.. or.. well, okay you got me. We can't afford to switch from Windows. But it seems we can't afford to stay with it either!

  4. 'I wish those people just would be quiet.' by AKAImBatman · · Score: 4, Funny

    And I would have gotten away with it too, if it weren't for you meddling kids!!!

    1. Re:'I wish those people just would be quiet.' by tlacicer · · Score: 2, Interesting

      What are the chances of Ballmer taking back his 'keep quiet' statement and instead saying 'I don't want to be the guy that creates any kind of chilling effect on research'?

      --
      "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
    2. Re:'I wish those people just would be quiet.' by reynolds_john · · Score: 1



      .

      .

  5. It'd be a good idea for them to be quiet... by wicka_wicka · · Score: 1

    Maybe they should just tell M$ about the security flaws? Otherwise people have a small time window to hack and stuff until M$ fixes the problem.

    --
    hi
    1. Re:It'd be a good idea for them to be quiet... by snafu918 · · Score: 1

      Actually, has M$ ever fixed a security flaw unless it was forced to?? The only way it seems possible to get them to fix their BETA software is to publicly hack it.

    2. Re:It'd be a good idea for them to be quiet... by TamMan2000 · · Score: 2, Interesting

      Maybe they should just tell M$ about the security flaws

      That is exactly what most of them do, and they get ignored... After months of letting them know quietly, they realize the only way to get action is put MS under the gun (publish the fault). If MS fixed holes as they got reported to them rather than as they got reported to the public, Ballmer would have his wish...

      --
      "I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
    3. Re:It'd be a good idea for them to be quiet... by homer_ca · · Score: 2, Informative

      They already do that. Just about every vulnerability report about Microsoft has followed so-called responsible disclosure guidelines. First, the discoverer contacts the vendor. Vendor acknowledges the bug and discoverer waits a reasonable time while vendor comes up with patch. When the patch is ready discoverer and vendor announce it the same day, and vendor thanks so and so in the security bulletin for finding the bug.

      There's still a time window to hack between the announcement of the bug and when most systems get patched. In the case of Blaster, the worm was released less than a month after the announcement.

      The real danger with keeping quiet is the so-called 0-day exploits. If less ethical security researchers find vulnerabilities and don't tell anybody, or if a vulnerability gets leaked before the official announcement, we're all worse off.

  6. As seen on MSNBC... by Anonymous Coward · · Score: 1, Funny

    *The Microsoft Sound* Patch it! (Since we can't code it right the first time...)

  7. "Securing the perimeter" is an excellent idea by ikewillis · · Score: 1

    Automatically updated distributed netfilter rules allows systems to automatically block exploitation attempts without requiring any user intervention or a reboot. While this is only a stopgap measure until patches can actually be applied, it virtually eliminates the exploitability of input validation vulnerabilities as soon as they are discovered. Hats off to Microsoft for being the first to truly promote this approach. Let's hope we see others like Sun step up and attempt to do the same.

    1. Re:"Securing the perimeter" is an excellent idea by the_2nd_coming · · Score: 1

      I'll wait and see how well this works before I claim Longhorn as a super secure NSA certified system.

      --
      I am the Alpha and the Omega-3
    2. Re:"Securing the perimeter" is an excellent idea by geoff+lane · · Score: 1

      Wonderful idea - until a filter rule that "accidentally" blocks all access to AOL is distributed.

      If you want to allow MS to take over the internet just let them give everybody a packet filter (as in XP) and then provide automated patches to be applied without user intervention. On that day MS controls access to the internet for 90% of PC users.

  8. Yeah, and the Nazi's wished... by TelevisioSledgicus · · Score: 1, Flamebait

    ...no one mentioned the concentration camps too. How is this any different?

    1. Re:Yeah, and the Nazi's wished... by adrianbaugh · · Score: 1

      ...no one mentioned the concentration camps too. How is this any different?

      Well, because as far as I know Microsoft haven't gassed several million people. A minor detail I know, but I feel it's an important one.

      --
      "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
      - JRR Tolkien.
    2. Re:Yeah, and the Nazi's wished... by justsomebody · · Score: 1

      How is this any different?

      Quite obvious, while Nazis were stopped long ago, M$ is still torturing the current population

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  9. It's not the computer researchers' fault by samsmithnz · · Score: 5, Insightful

    It's not the computer researchers who publish the flaws that are the problem, it's the fact that the only way they can get Microsoft's attention is to publish them!!! How many stories have we read about a 'researcher' finding an issue, and then spending 2 months trying to contact MS, before giving up and posting it in places like this!

  10. Quiet eh.... by Grey+Fox+LSU · · Score: 2, Interesting

    You wish people would not point out your flaws. No one ever likes their flaws being exposed, but it's all a part of getting better. As a user, I want to know how insecure my important data is, and what I can do to fix it. MS and SunnComm both need a reality check. It goes something like this: If you fuck up and try to hide, when people notice, there will be hell to pay.

    Next you're going to say you don't want people pointing out your obvious personal flaws, just because it might hurt your feelings.

    I swear, industries nowadays are acting more and more like babies than professionals.

  11. Seems like... by kevin_conaway · · Score: 1

    every few weeks one of the execs from Microsoft renews their focus on security...as if it should even expire? I don't feel like digging through old stories but there have been at least 3 in recent memory (
    actions speak louder than words.

  12. Interesting Wording by 31415926535897 · · Score: 3, Insightful

    Notice Ballmer's statement, 'I wish those people just would be quiet.'

    He's not saying, "Please don't release the findings so that blackhats can't use the exploits."

    He's not even saying, "Please delay telling the public about your findings so that we have a chance to fix the flaws."

    He's saying, "I wish they would be quiet so that we don't have to spend the time/money/manpower to plug our holes. It's not our fault people are exploiting the holes, it's the people who release security reports."

    I know, you're saying that it's obvious a company would want to help its bottom line, but he didn't even have the decency to make his statement very cryptically.

  13. outlaw guns and only outlaws will have guns... by Anonymous Coward · · Score: 1, Insightful

    Can Ballmer seriously want discussion of Windows security to end? If not for bugtraq (and such), the only folks who knew about holes would be those trying to exploit them!

    Do I really need to say this? Should someone mod Ballmer (or me even) -1 redundant?

  14. "I really wish they would just shut up." by Saint+Aardvark · · Score: 4, Insightful

    I wish they didn't have anything to talk about.

  15. Me Too... by Fapestniegd · · Score: 4, Funny

    'I wish those people just would be quiet.'

    I wish they would too. There is nothing worse than finding an exploit that gives me total access to any network I want, and then when some other chucklehead finds it, blabs all over the net, and then Network Administrators start locking down the ports I use to run willy-nilly through their network. I would have about another month to own their network before the patch comes out. But noooo, some jerkhead has to cut me off a month early. And I have to find an unknown exploit all over again.

    Maybe I should post anonymously, nah to hell with it.

    1. Re:Me Too... by Fapestniegd · · Score: 1

      I would always choose to protect those who choose to be informed than the willfully ignorant.

      Why should the people who take the time to keep informed be sacrificed to protect the people who have shown that they won't install a patch if it's been in the mainstream press for a month.

    2. Re:Me Too... by AnalogDiehard · · Score: 1
      'I wish those people just would be quiet.'

      This is coming from the same crack monkey that hollered DEVELOPERS! DEVELOPERS! DEVELOPERS! DEVELOPERS!...?

      --
      Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
  16. Renewal of another renewal? by 47Ronin · · Score: 2, Interesting

    Yes this is deja vu.. How many times does Microsoft have to announce that they're refocusing on security. Either they repeatedly forget that security is important (seemingly every other month) or this is a typical PR stunt to get critics off their back.

    Sure they'll announce more security measures this month. The PHBs will get comfortable and clueless people will back off. Next month there will be another exploit (guaranteed). Businesses go down, networks get destroyed. PC-using schools are shut down, and Mac/Linux-using schools who aren't affected are ignored by the press. MS puts on the spin that hackers should be treated as terrorists. Clueless journalists blame it all on Windows popularity, rather than lack of a focus on security.

    Then MS announces once again a renewal of its focus on security.

    Rinse. Repeat.

    --
    Those who laugh at you for having a Mac.. are the people who constantly call you to fix their PC.
  17. In other news ... by Kombat · · Score: 5, Funny
    Inside sources at Microsoft have revealed that as part of their effort to focus more on security, the next release of Windows, "Longhorn," will feature a handy "My Viruses" folder, to accompany the popular and mature "My Documents," "My Pictures," and "My Music" folders. Also, the OfficeXP assistant, Clippy, has been enhanced. Users of the next-generation leading desktop OS can look forward to Clippy popping his helpful head up from the corner and exclaiming,

    "It looks like you're writing a virus. Would you like to:
    • Initiate a DDoS attack?
    • Publish a Trojan horse?
    • Install a backdoor?"
    --
    Like woodworking? Build your own picture frames.
    1. Re:In other news ... by jd · · Score: 1
      Only two problems with this:
      • Everything would be detected as a virus. The FBI's "Green Lantern" project would thus collapse under the weight of Clippy Chatter.
      • Windows already has 65535 backdoors, and the backdoor insertion code is still 16-bit.
      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:In other news ... by Haeleth · · Score: 1

      > Clippy has been dead for almost 6 years...

      Tell me - did SCO get away with it? I'm sure their case must've come to trial long before you posted that message in 2007.

  18. Firewall program? by jvervloet · · Score: 1
    It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster.

    Hmmm... And which firewall program will this be? Will there be a choice, or are we heading to a similar situation as what happened to Internet Explorer on the browser front?

    1. Re:Firewall program? by questionlp · · Score: 2, Insightful

      Windows XP includes an "Internet Connection Firewall" that acts like a basic deny-all inbound firewall. It's probably not as customizable or tweakable as ipfw or pf.

  19. Please by LucidBeast · · Score: 1

    Don't leave ports open by default that aren't secure. Please don't have filesystem by default writeable and executable for everyone. Please don't execute code that hasn't been installed and reviewed by user.

    Lost too many hours removing junk lately.

    1. Re:Please by reboot246 · · Score: 1

      And please turn on "view file extensions" by default. A lot of clueless newbies can't tell a jpg from an executable. It only takes a few idiots double-clicking on what they think is a picture file to screw things up.
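As an added example (not code from the Slashdot thread or from Microsoft), the following PowerShell script audits the defaults asked for in this comment and in the Internet Connection Firewall discussion above: whether Explorer hides known file extensions, whether every Windows Firewall profile is enabled with a default-deny inbound action, and whether a folder holds "picture.jpg.exe"-style files whose real type is masked by the hidden extension. It assumes a current Windows 10/11 host with the built-in NetSecurity module (the XP-era ICF had no PowerShell cmdlets); the parameter names, the extension lists and the default scan folder are this example's own choices.

```powershell
# Added example, not code from the Slashdot thread or from Microsoft.
# Audits two "secure by default" settings the comments above ask for, on a
# modern Windows host (assumed: Windows 10/11 with the built-in NetSecurity
# module; Windows XP's ICF had no PowerShell cmdlets). Optionally fixes the
# Explorer setting and lists files whose real extension hides behind a
# document or picture extension. Parameter names are this example's own.
param(
    [switch]$Fix,                                     # apply the Explorer fix
    [string]$ScanPath = "$env:USERPROFILE\Downloads"  # where to look for disguised executables
)

function Test-ExtensionsVisible {
    # HideFileExt = 1 makes Explorer display "photo.jpg.exe" as "photo.jpg".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($v -ne 0) {
        Write-Warning 'Known file extensions are hidden in Explorer.'
        if ($Fix) {
            Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
            Write-Output 'HideFileExt set to 0; takes effect when Explorer restarts.'
        }
        return $false
    }
    return $true
}

function Test-InboundDenyAll {
    # Every profile (Domain, Private, Public) should be enabled with a
    # default inbound action of Block, i.e. a deny-all inbound firewall.
    $ok = $true
    foreach ($p in Get-NetFirewallProfile) {
        $enabled = "$($p.Enabled)" -eq 'True'
        $blocks  = "$($p.DefaultInboundAction)" -eq 'Block'
        if (-not ($enabled -and $blocks)) {
            Write-Warning ("Firewall profile {0}: Enabled={1}, DefaultInboundAction={2}" -f
                $p.Name, $p.Enabled, $p.DefaultInboundAction)
            $ok = $false
        }
    }
    return $ok
}

function Get-DisguisedExecutable {
    param([string]$Path)
    # Constructed lists: a document or picture extension immediately followed
    # by an executable extension is the classic "it looked like a picture" lure.
    $docExt  = 'jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt'
    $execExt = 'exe|scr|com|pif|bat|cmd|vbs|js|wsf|hta'
    $pattern = "\.($docExt)\.($execExt)$"
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                LooksLike  = ($_.Name -split '\.')[-2]        # the decoy extension
                ActuallyIs = $_.Extension.TrimStart('.')      # what Windows will run
            }
        }
}

$extOk = Test-ExtensionsVisible
$fwOk  = Test-InboundDenyAll
$found = @(Get-DisguisedExecutable -Path $ScanPath)
$found | Format-Table -AutoSize
"Extensions visible: $extOk; inbound deny-all: $fwOk; disguised executables under ${ScanPath}: $($found.Count)"
```

Run it as the interactive user (the Explorer setting lives under HKCU) with `-Fix` to turn extension display on, and point `-ScanPath` at whatever folder receives mail attachments and downloads; each reported file is one a user would otherwise see only as a picture or document.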

  20. We've heard this one before. by lysium · · Score: 1
    From the article: Mike Nash...added that employees from across the company had been pulled to work on security efforts. -snip-

    Now is this in addition to the employees pulled from across the company for last year's Secure Windows Initiative? Looks like that didn't work very well. I have equal expectations for this charade.


    --
    Together, we will drive the rats from the tundra.
  21. What you don't know can't hurt you! NOT by savaget · · Score: 1
    'I wish those people just would be quiet.'


    What you don't know can't hurt you! NOT

  22. Let's Compare by rudy_wayne · · Score: 1, Interesting

    Windows XP was released a little over 2 years ago.

    Since that time, browsers like Mozilla and Opera have put out many new releases of their programs, each one containing many bug fixes and new features.

    Microsoft has released no new versions of Internet Explorer. No new features. No bug fixes.

    The only "improvement" has been a haphazard series of patches, each one only released several months after somebody discovers a major security hole.

    I wish Steve Ballmer would just be quiet.

    1. Re:Let's Compare by los+furtive · · Score: 1, Insightful

      No bug fixes? You ever heard of service packs?

      No new releases? What about Windows 2003?

      I'm not a big Microsoft fan (hell as I write this reply I'm loading Mandrake 9.1 on my subnotebook), but your comment is patently false.

      --
      I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

    2. Re:Let's Compare by rudy_wayne · · Score: 1

      Windows 2003 is a server OS used by few people.

      What version of MSIE ships with Windows 2000 (I don't know). Is it MSIE 7.x or 6.x? Please list some of the new features that are found in the version of MSIE that ships with Windows 2003.

      Not counting patches to fix security holes, please list some of the new features that have been introduced in MSIE -- AFTER the initial release of Windows XP.

    3. Re:Let's Compare by Eggplant62 · · Score: 1
      No bug fixes? You ever heard of service packs?

      No new releases? What about Windows 2003?

      I'm not a big Microsoft fan (hell as I write this reply I'm loading Mandrake 9.1 on my subnotebook), but your comment is patently false.


      Patently false? Most folks, when keeping up a software product, do a rewrite every once in a while to incorporate those bugfixes and patches. The OP says that since IE has been released, it's gone from what, version 3.1 to 4.0 to 4.1 to 5.0 to 5.5 to 6.0 to 6.1 to 6.1+SP1 or whatever the fuck. Yes, he may be a bit off on the software patches but *since XP was released 2 years ago* what has come out new in IE? 2 years ago it was still version 6.0, or at least 5.5 going on 6.0. Whoop-de-doo.

      Windows 2003? We're talking IE here, the motherlode of vulnerability and unpatched ActiveX virus transmitting software, pretty much the main interface. It's still in W2k3. It's still version 6.1sp1. One wonders why they've not done a code rewrite in the last 2 years.
    4. Re:Let's Compare by questionlp · · Score: 1

      Windows 2000 came with IE 5.0 or IE 5.01. Windows XP includes IE 6.0 (with SP1 iirc).

      Windows 2003 includes 6.0 plus some patches and "Internet Explorer Enhanced Security Configuration" enabled by default. With it enabled, you are limited to browsing only to sites that you have explicitly added to the "Trusted Zone". If you go to a site or are veered to a site not listed in the "Trusted Zone", it will come up with a warning message and you have to explicitly add that site to the list.

    5. Re:Let's Compare by ColaMan · · Score: 1

      If you go to a site or are veered to a site not listed in the "Trusted Zone", it will come up with a warning message and you have to explicitly add that site to the list.

      I bet that lasts about 5 sites, before the user figures out how to turn it off.

      Perhaps if they just bit the bullet and built a browser that was a bit more hardened, things would work out better.

      --
      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  23. Wish they would keep quiet... by SnowWolf2003 · · Score: 1

    Because we all know how effective security through obscurity is. If noone publicises the problems, then they don't get fixed, but if one person has found the flaw, you can bet someone else has too, who doesn't have such good intentions.

    Oh, and is Slashdot getting /.ed or is Verisign showing them who's boss?

  24. I'm guessing... by inteller · · Score: 1

    ...that for those that are quiet and notify Microsoft first, they ARE rewarded...we just don't hear about it. Why else would Microsoft release patches for vulnerabilities we have never heard of until they are patched and sealed?
    SO I think Ballmer's "I wish they would be quiet" should be interpreted as "tell us first, patch it, and we pay you to KEEP QUIET"

  25. My number one question... by d3vpsaux · · Score: 2, Funny

    ..is, did Steve Ballmer jump around like a fricking idiot this time screaming "Developers, developers!" while announcing it?

    If not... I don't buy his sincerity...

    1. Re:My number one question... by sharkey · · Score: 1
      did Steve Ballmer jump around like a fricking idiot this time screaming "Developers, developers!"

      No, it was, "Shut Up!!! SHUT UP!!! SHUT UP!!!

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:My number one question... by Fryboy · · Score: 1

      "Later in the announcement, Mr. Ballmer calmly announced "WHOOOOOOOO WHOOOOOOOOOOOOO" with a further "YEAH!!" following closely afterwards".

  26. Renewed focus AGAIN? by ChuckleBug · · Score: 1

    How many times is MS going to announce a "new focus" on security, or something of the sort?

    This is news?

    1. Re:Renewed focus AGAIN? by fastdecade · · Score: 1

      How many times is MS going to announce a "new focus" on security, or something of the sort?

      Yes, this is a refreshing change from their trustworthy computing initiative of 2001 which sharply brought security into focus. MS is clearly tackling a new issue now that computers are trustworthy.

  27. Fatal User Flaw? by jetkust · · Score: 1

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this

    So you're saying you can DIE from this?

    1. Re:Fatal User Flaw? by milkman_matt · · Score: 1
      He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this

      So you're saying you can DIE from this?

      Wow, they really ARE cracking down huh? Maybe -that- will convince people to routinely patch their boxes!

      -matt

    2. Re:Fatal User Flaw? by whereiswaldo · · Score: 1
      He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this.

      I think Windows users already know what happens when they blindly install patches without proper testing. See here:

      Anyway, I got to wondering whether or not anyone at Microsoft or anywhere else actually knows how these patches work. Are these fixes just huge blocks of code that replace other huge blocks of code? Are they true patches or are they module replacements? The size tends to be formidable. I have to assume entire chunks of the OS are replaced with recompiled code giving us new anomalies each time. Why is this? The worst part about all this is that the new anomalies always seem to be a form of OS deterioration or XP decay--never improvement. You dread each patch. You never look forward to one. Bad things always happen.


      One problem with Microsoft's patches is that they are sometimes used to further their own agenda. Take NT 4 Service Pack 4. What's with the Active Desktop crap? Or Outlook updates? Stupid, just stupid. I shouldn't have to patch Outlook to secure my computer... but wait, it's part of the OS. Maybe that's the problem.
  28. Hurr... by rampant+mac · · Score: 1
    Wonder how the announcement went... ?

    SECURITY, SECURITY, SECURITY, SECURITY!

    I... Love... This... Company, YEAH!

    --
    I like big butts and I cannot lie.
  29. I can't believe this... by Infernon · · Score: 1

    After the 'I wish they would just be quiet' quote:

    "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

    You've got to be kidding me?!?! If it's this sort of attitude that is shared among everyone else from M$, it would probably be best for the world to be fearful. The fact that this isn't a very professional approach to the situation is the least of their problems.

  30. Whatever happened to by SnarfQuest · · Score: 1

    Whatever happened to MicroSoft shutting down all new development, and focusing entirely on security for a month? Didn't they get all the problems fixed them?

    Is this just MicroSoft part II: security refocused? Will the sequel be as good as the original?

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
    1. Re:Whatever happened to by vsprintf · · Score: 1

      Whatever happened to MicroSoft shutting down all new development, and focusing entirely on security for a month? Didn't they get all the problems fixed them?

      That was for all the existing code. It's 19 years until the next code review.

  31. Hype merchants.. by gilesjuk · · Score: 1

    Ballmer on the defensive as ever, more vaporware developments at Microsoft. If they're so serious about security they would secure existing products through service packs instead of adding these new features to forthcoming products.

  32. security and priorities by jdvernon1976 · · Score: 1

    First of all, I've seen (like many of you) the pretty pictures of Microsoft sales reps showing off the flashy new GUI features of Windows-to-be. Marvel at how they move like fall leaves, twisting and turning in the wind! If the OS is used for work, nobody's going to want to look at a spreadsheet that looks like a bedsheet on a clothesline in spring! All of the effort that went into creating a pretty (but useless) feature or two could've been spent securing the system. So what if they've got a whole division working on DRM - part of the reason why knowledgeable consumers don't trust Microsoft with their computers or data is simply because Microsoft hasn't proven to the consumers that they can keep it safe....civil rights 'n' whatever aside - I buy all my games....

    Second of all, Ballmer wishes that the researchers would be quiet - but at least he clarifies that he would like for them to keep quiet until a fix can be developed, tested, and released....but how is the public to know about the fix, or the reason for it, without the researchers telling us about it? Also, how often has Microsoft hoped something would just go away, if it were hushed up? If researchers aren't allowed to publish their findings, who's to say a given bug/virus/worm/malady will EVER be addressed?

  33. You gotta wonder.... by Lord_Dweomer · · Score: 1
    "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday."

    I always wonder when the higher-up corporate people say things like this.....are they really laughing inside? Or do they honestly BELIEVE it? I mean....god.....it just boggles the mind how he could keep a straight face while saying this.

    Brain.......heating......critical temperature...........WARNING WARNING WARNING......*BOOM*

    --
    Buy Steampunk Clothing Online!
  34. Meanwhile... by An+Anonymous+Hero · · Score: 3, Informative

    Gartner echoes concerns on Microsoft reliance

    A copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity. The Gartner report is scheduled to be published Friday.

    (The point is not what they are saying, it's who's saying it.)

  35. They still don't get it by evenprime · · Score: 2, Informative

    Back in 2001, Microsoft's Steve Lipner said that code "Review is boring and time consuming, and it's hard." They don't seem to understand that many people get a lot of satisfaction in doing that. Many people look for things to post to bugtraq because doing so is *fun* for them.

    Steve Ballmer's recent statement about vulnerability researchers - 'I wish those people just would be quiet' - is downright silly. They are the biggest company on the block right now, and there's always going to be someone who wants to make the big corporation look silly. Microsoft needs to wake up to the fact that there will *always* be someone who is a) bored, and b) wants to make them look bad.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  36. Microsoft's problem by southpolesammy · · Score: 1

    ...is that they produce code that is only just good enough to provide the desired capability, without any regard for security. That code then becomes v1.0, is rushed to market, and then the inevitable security and functionality bugs are found due to what seems to be a lack of QA, and they get beat up (rightfully so) by us techies for continuing to release binaries based on sloppy code.

    Of course, they could do one other thing which is to change coding practices so that code is built robustly and securely the first time, but anyway....

    --
    Rule #1 -- Politics always trumps technology.
  37. Microsoft "renewed" security program. by hackus · · Score: 1

    Should really be called....

    Yet Another Secure Security program

    Sort of like yacc. Anyone remember yacc? (Yet Another Compiler Compiler)

    Great for building compiler parsers, or any sort of parser, because you had to build them so often.

    Sort of like Microsoft, it has to build Yet Another Secure Security program.

    yass anyone?

    Maybe Microsoft should make something like yacc, that way it can turn out a new yass every year with minimal effort. :-)

    Damn. I would hate to see the state machine for that puppy.

    Although truly, implementing a state machine for a secure computing initiative is probably what they should do.

    God knows, Microsoft has so many PhDs there that I am sure this has come up.

    However, why Microsoft turns out the worst products, with so many "qualified" PhDs under employment is surely a mystery.

    Probably due to the fact I have never seen any evidence that links code quality to degree earned in the Information Technology field.

    The only qualified link I have yet seen that suggests code quality is how many accomplishments (hours experience) on a resume.

    Basically people I can call, references. If a person has a running track record, he is usually a good bet. Usually...because when you start combining groups of people to write code....it gets REALLY INTERESTING.

    All bets are off then. It's a crap shoot. :-)

    I think this is going to have a big impact on our field, though.

    Writing software is going to become a licensed trade after the first successful lawsuit against Microsoft.

    What I mean by that is it won't matter what sort of degree you have, you will not be able to write software unless you have a license, and have been sent through a proper journeyman training program.

    Sort of like carpenters and electricians. You work for about 2-4 years as a journeyman with people with many years of experience before you can write code for public consumption.

    The key here is that you learn in the public sector, under "Masters" people in the field 10 years or more, solving real world problems, with minimal class work.

    It is no wonder you can pull a guy out of a Tattoo parlor, employ him right next to the PhD you hired and he ends up out coding, out designing, and pissing off far fewer customers with his code, than the PhD guy. I mean everything too, theory and practice. Blew the PhD's pants off. ( I swear I've seen it happen, no lie. )

    Anyone think this prediction is going to come true with the pending lawsuit against Microsoft or am I making too many generalizations?

    -Hack

    --
    Got Geometrodynamics? Aw, too hard to figure out? Too bad.
  38. Isn't that sort of like... by El · · Score: 1

    ... the captain of the Titanic bragging about its unsinkability?

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  39. 'I wish those people just would be quiet.' by GeneralEmergency · · Score: 2, Funny



    .

    .

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
  40. I wish those people who publish M$ software... by jszep · · Score: 1

    would just be quiet.

  41. How about automatically removing foreign malware? by Bingo+Foo · · Score: 2, Informative
    I spent a good deal of time last weekend disinfecting my cousin's computer from all sorts of disgusting junk. Yes, I had to apply about fifteen "critical updates" but I also had to remove (or attempt to remove) about ten different apps that appear to have the sole purpose of hijacking the browser to go to dozens of popup havens. These programs:
    1. Often had official sounding names in the add/remove programs list like "MS Explorer update Q3395"
    2. Popped up five or six windows every time a link was clicked in IE, and inevitably one of the popups was for a service or program that claimed to "stop those annoying popups."
    For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.

    If they don't do this already, Microsoft should set up a room full of computers with people just dredging the sleazier parts of the web and installing whatever the latest malicious spawn of Bonzi Buddy and Gator, etc. happen to be. They would have to have non-MS IP numbers, because that would be too easy to check for in one's malware.

    Of course, I had a talk with my cousin about clicking "OK" to install every little thing that comes down the pipe, but it felt like trying to talk about genital warts or something.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  42. Patches by Via_Patrino · · Score: 4, Interesting
    recognizes the fatal user flaw of not applying patches


    I think the major problem is how patches are structured, I have no idea of how many and which patches I need to install because Microsoft's site is very confusing and there is always a new bug on the news


    Another is the way Microsoft sells their OS, the version I bought in the store is the same as one year ago. So just after install I need to download and install tons of patches, this is a problem while handling several machines (or several installs on the same one :). If I could download the latest version (with all patches included) and install it, it wouldn't be that much of a problem


    And there is another one ( I think that's the one I don't update :): A lot of security patches include a lot of useless (read: heavy) stuff. I just want a patch to my system, I don't want more animations or a lot of tools that I won't use and will just bloat the code.

    Examples are: MS WindowsMediaPlayer 6.x vs 7 and up, MSIexplorer 5.5 vs 6.x. I can't patch them, I need to install a new one (often the installing process says it's a patch but is just an install of a newer version).

    1. Re:Patches by dirk · · Score: 2, Interesting
      I think the major problem is how patches are structured, I have no idea of how many and which patches I need to install because Microsoft's site is very confusing and there is always a new bug on the news.


      How is Windows Update hard to understand? It scans your computer for you and tells you which patches you need to install. Security patches are listed as critical, other patches are listed under the "Windows" heading, and drivers by themselves. I can't think of a way to make it easier without removing the user completely.

      Another is the way Microsoft sells their OS, the version I bought in the store is the same as one year ago. So just after install I need to download and install tons of patches, this is a problem while handling several machines (or several installs on the same one :). If I could download the latest version (with all patches included) and install it, it wouldn't be that much of a problem


      You don't want to update the OS when you install it, but you want to download the entire OS? I'm missing the sense in this. While it may be easier for you, it is not easier for the 99% of users who buy the product.

      And there is another one ( I think that's the one I don't update :): A lot of security patches include a lot of useless (read: heavy) stuff. I just want a patch to my system, I don't want more animations or a lot of tools that I won't use and will just bloat the code.

      Examples are: MS WindowsMediaPlayer 6.x vs 7 and up, MSIexplorer 5.5 vs 6.x. I can't patch them, I need to install a new one (often the installing process says it's a patch but is just an install of a newer version).


      Yes, they do stop supporting versions after a point. No company continues to release patches to every version of software forever. Try getting patches for Red Hat 3.0, you can't do it. And when they have upgrades, they are clearly marked. I have never accidentally updated anything, as they are clearly marked as being the next version of the software.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    2. Re:Patches by shaitand · · Score: 1

      "How is Windows Update hard to understand? It scans your computer for you and tells you which patches you need to install. Security patches are listed as critical, other patches are listed under the "Windows" heading, and drivers by themselves. I can't think of a way to make it easier without removing the user completely."

      Excuse me, but how exactly are a new version of the web browser and DirectX 9 something which could possibly be called a "security update"? Critical updates means whatever Microsoft would like for you to install. Not security patches.

      "Yes, they do stop supporting versions after a point. No company continues to release patches to every version of software forever. Try getting patches for Red Hat 3.0, you can't do it. And when they have upgrades, they are clearly marked. I have never accidentally updated anything, as they are clearly marked as being the next version of the software."

      Odd, I can download patches for rh8 and EVERY application that came with it. I see here... but I can't download any new patches for IE5 or for WMP6, in fact I couldn't since the first day they released the new versions. New holes are only patched in the new version.

    3. Re:Patches by MattBurke · · Score: 1

      How is Windows Update hard to understand

      I am responsible for a number of win2000 boxes which, due to an unmovable security policy, service incoming HTTP requests but have no means of establishing external connections.

      Windows Update is extremely difficult to work with when you have no net access.

      Have you ever tried to update windows without using windows update? I've had several MS-qualified people say it's a case of guesswork and/or a LOT of time as to what patches to download, burn to CD, and install. And then there's no guarantee you've got them all.

      Just because you're irresponsible or arrogant enough to put a Windows-based box in a position where it can launch an attack on another network, doesn't mean everyone else is.

      You don't want to update the OS when you install it, but you want to download the entire OS? I'm missing the sense in this.

      Let's put it this way. You install Windows. You connect to the internet to update. You get infected by Blaster BEFORE you've had a chance to update. Great...

      Try getting patches for Red Hat 3.0, you can't do it.

      Correct. However that product became obsolete somewhere around 7 years ago. What excuse do MS have for XP? Hmm slow down my computer considerably by installing media player 9? I don't think so.

      The fact of the matter is MS seem to be doing everything they can to make the Internet a pain in the arse for everybody. Would there be so many worms floating around if they put some simple protection around the RPC ports? If they prevented Outlook (Express) from being able to execute code contained within a malicious email without user intervention?

      And why the hell are they making life next to impossible for modem users? My father connects via modem. Now he can't keep his machine secure-ish from magazine cover disks, he's refusing to connect to the internet - and rightly so. How long would it take him to download a service pack while his modem connection is being maxed out by the worm-du-jour?

    4. Re:Patches by dirk · · Score: 1

      Microsoft offers for free Software Update Server, which lets you run your own update server. Just because you aren't smart enough to use the tools that MS gives you doesn't mean everyone else isn't.

      IE 5 has been replaced twice now, once by 5.5 and then again by 6. They offered patches for quite a while after the new version was available. Same with Media Player. Why would they support something 3 versions old? No reasonable company does that.

      How exactly would your father get online with any other OS? Last time I downloaded RH updates, there were about 30 of them. There are a lot of updates no matter what OS you run, and they all have to be downloaded. Patches are not an MS only problem, no matter what /. tells you.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    5. Re:Patches by burns210 · · Score: 1

      But how about trying to get a patch for Linux 2.0 or 2.2? Yup, they are still maintained. And not supporting a product ONE version out of date?! I mean, IE4 can drop support, but Win98 ships with IE5, and that is still a HUGE install base.

      Also, if MS is on SP 2, they should have stores sell computers with XP without it on there (within reason). They should update the images of the installs given to OEMs to follow service packs, and particularly bad months of security patches. How hard is that?

    6. Re:Patches by MattBurke · · Score: 1

      Microsoft offers for free Software Update Server, which lets you run your own update server.

      Which requires connectivity to other boxes. Why do you think I'm burning CDs?

      There are a lot of updates no matter what OS you run, and they all have to be downloaded

      Funny that, because before I left work last night, I built a couple of FreeBSD 4.8 servers for testing over the weekend. They're bog standard installs with known vulnerabilities and they're completely unprotected on the internet. The only thing I've done is limit sshd to my home IP.

      Why haven't I patched them? Because I don't need to. If you have no listening services and you make no outbound connections with buggy software, you're fine.

      And on another note, the complete time to install was 10 minutes per box. There's a few of them, so I feel sorry for the guy who's got to slap win2000 on them next week. Last time I tried, it was a good few hours to get the os installed and patched, especially with all the faffing around with the floppy disks for the drive controllers...

      Oh, and "they all have to be downloaded" is complete FUD. If you don't use Konqueror for example, you don't need to patch it. If you are running a sensible server (bare-bones, no X, etc) 80% of those patches are irrelevant - although this isn't the case under Windows...

  43. Re:Why they should not keep quiet by Frobnicator · · Score: 1
    people should be allowed to stop using software that is known to contain security bugs.
    Then those same people should revert to paper and pencil.

    If a program is complex enough to act as an Internet server (file sharing, network printing, etc.) then it is going to have security bugs. No OS is immune. If an Internet client program has more than the most basic of features (like a text-based FTP) then it is going to have security bugs. Even text-based FTP programs have had some interesting bugs, like being able to download programs with a filename of a (windows) system device, causing windows to crash.

    People discovering security bugs should not keep quiet until a fix is released
    The security industry right now says you have an ethical duty to contact the company and work with them to get it fixed. If the company either refuses to fix it or delays fixing it, you have an ethical duty to other consumers to go public with the bug. The most important goal is to inform other users while minimizing chances of attack. If the supplier is willing to help, they should have the opportunity to do so.

    frob

    --
    //TODO: Think of witty sig statement
  44. Monthly updates? Bah.... by Lord+Grey · · Score: 2, Interesting
    Ballmer ... said the Redmond, Wash., company will issue security updates on a monthly schedule, except in "emergency" situations, to make it easier for users to keep their personal computers up to date.
    What kind of security updates aren't emergency situations? This sounds like they'll be prioritizing these things -- in effect, determining on my behalf which security hole is more important.

    As Schneier said later in the article, "Announcements never secured anything." This particular announcement, however, seems to indicate that they'll be securing even less than that.

    --
    // Beyond Here Lie Dragons
  45. Why patch again? by linkjunkie · · Score: 1

    Ironically, a 'security researcher' is reporting today through NTBugtraq that MS03-039 still leaves holes behind.

    MS03-039 refers to the RPC disaster that you lucky *NIX admins haven't had to deal with.

    On the bright side, broken patches...

    Crap, another late night coming up!


    No, really, I'll trust a Microsoft firewall ;-)

  46. Steve Ballmer? by worm+eater · · Score: 2, Funny
    --
    Maybe partying will help...
  47. LOL by The_Wizard_-P · · Score: 1

    I wish everyone would just stop complaining about all the holes in our products and pay us more money

  48. mental image.... by JeanBaptiste · · Score: 1

    "Ballmer Touts Focus on Security"

    pictures Ballmer's infamous monkey dance.... *security!* *security!* *security!*

  49. Re:we'll focus on security .. this time we mean it by 00420 · · Score: 5, Funny

    We can't afford to switch from Windows

    I know. If only Linux weren't so damn expensive.

  50. be vewy vewy quiet by sl0ppy · · Score: 2, Funny

    while microsoft focuses on security, they want all bug reports to silently go away.

    somehow, i see steve ballmer walking around like elmer fudd, saying "shhhhh, be vewy vewy quiet, we're hunting bugs" -- with as much success as elmer has.

    if they've been unable to find the bugs so far, and attempt to take the pressure off from those publicising the bugs, they run the risk of further, undetected, breakins. this is dangerous, and stupid.

    but what else would you expect from a cartoon company?

  51. New MS Virus by peterjhill2002 · · Score: 1

    It looks like Microsoft needs to go back and look at their code again. There is a new virus in the wild that is exploiting port 135. Security people have yet another reason to be upset at the Redmond giant.

    As seen on full disclosure:
    From: "3APA3A"
    Sent: Friday, October 10, 2003 6:48 PM
    Subject: Bad news on RPC DCOM vulnerability

    Dear bugtraq@securityfocus.com,

    There are few bad news on RPC DCOM vulnerability:

    1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
    again actual.
    2. It was reported by exploit author (and confirmed), Windows XP SP1
    with all security fixes installed still vulnerable to variant of the
    same bug. Windows 2000/2003 was not tested. For a while only DoS exploit
    exists, but code execution is probably possible. Technical details are
    sent to Microsoft, waiting for confirmation.

    Dear ISPs. Please instruct your customers to use personal fireWALL in
    Windows XP.

  52. Re:we'll focus on security .. this time we mean it by Kevinb · · Score: 3, Insightful
    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    There's an analogy in the article which explains this perfectly: "Computer security is almost like car insurance. Nobody wants it until their car gets totaled." Very few of MS' customers were asking for security features until recently (within the past two years or so) -- so MS didn't deliver them. Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

  53. Re:Why they should not keep quiet by EvanED · · Score: 1

    "Crackers might have discovered the same bug earlier, or at the same time."

    Better to take the chance that they don't know about a hole while it's being patched than announce the details of the exploit publicly and remove all doubt that they know...

    I am of the opinion that the proper course of action upon finding a security hole is to warn the company of the specifics, but otherwise keep it quiet for a reasonable amount of time. After a reasonable time has passed, or when they release a patch and a reasonable time for updating systems has passed, then release the exploit publicly. Releasing it before there has been a chance to patch *guarantees* that it can be exploited in the interim, and brings almost no benefit over the first strategy.

  54. Monkey boy is the last person to talk about quiet. by speedfreak_5 · · Score: 1

    I wish those people would just be quiet!!! YEAH!! WE'RE NUMBER ONE!! WE'RE NUMBER ONE!!

    (#1 in viruses)

    --
    Why yes I am paranoid! Thanks for asking!
  55. MS needs to hire people by happyfrogcow · · Score: 1

    They need to just spend about half their eleventy billiongazillion dollars on hiring all the out of work tech folks, spend some time and money on training, and start doing a line by line, module by module test and fix of all their damn software. kill 2 birds with one stone... low national employment and poor MS security.

    Christ, they would probably have to build 10 new offices. There you have more employment for construction. They aren't doing anything better with the money besides give some to a school here and there. And those donations are veiled in a conspiracy to suck the future workforce into Microsoft's product line.

  56. Just fix the software and mail out CDs by katorga · · Score: 1

    It's very simple. Most Windows users, close to 85%, have dialup internet access. These users are NOT going to download 100+MB of patches no matter how important. Most of these users never even moved to WinXP. The solution is to take every registered user (hey, a real use for product activation) and ship them regular update CDs. Of course that also implies that MS will actually FIX THEIR CODE. A big if.

  57. The reason why MS has mediocre security by Anonymous Coward · · Score: 1, Interesting

    The reason is simple. If you want to promote your sphere of dominance over other countries, of course you will pump out computer tools which you have the best backdoors to. Then you can read their secrets at will.

    Except this plan is backfiring. Whoever came up with it didn't take into account the ordinary hobbyists who can find the same holes and use them for something "evil".

    There are certain intelligence (as in CIA)-related benefits from having crappish security in certain places. You can just go in and take the stuff without troubling your field operatives to break into the place.

    There's another thing, too. A company is not a source of products to benefit mankind (I wish it were); selling something is just a tool to make profits for the owners of that company. So, as long as Microsoft can sell shit, and people will buy it, they will keep on doing it. Professional pride or quality won't make the upper management's nor the owners' profits any bigger, so there's no reason for Microsoft to bother with that.

  58. Ballmer quote . . . by harley_frog · · Score: 1
    "There is no silver bullet"

    Hmmm, let's see, the Apple eMac is white and kinda shaped like a bullet . . . Maybe he's referring to wolfsbane?

    --
    It's all fun and games until someone loses the key to the handcuffs.
  59. Re:we'll focus on security .. this time we mean it by letxa2000 · · Score: 2, Insightful
    Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

    Probably about the same way you explain TCP/IP to the average home user who just wants to read e-mail and surf the web. You don't. That doesn't mean it can't be of use to the user even if he or she doesn't understand it--or probably even knows it exists.

  60. Microsoft's New Security Initiative by ENOENT · · Score: 2, Funny

    Every time someone discovers a security hole, Steve Ballmer will be dispatched to bellow, "SECURITY, SECURITY, SECURITY!!!" and get drops of perspiration all over any reporters who show up to cover the story.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  61. Emperor with no clothes by BlackSabbath · · Score: 1

    Ballmer's "just be quiet" response seems to be on a par with what I see as a growing trend in this industry and others. Instead of dealing with issues, it is now fashionable to stick your head in the sand and then to threaten, litigate or legislate against anybody who tells you you've left your arse exposed.
    This is very disturbing. We are talking about the security of a significant part of our civil and military infrastructure.
    Imagine if someone pointed out a flaw in the Golden Gate bridge - jump up and down at the right frequency on a certain spot and it will collapse. I don't think we would want the response to be to tell this person to "shut up". We might just want to get the bridge fixed before it collapses and we fall into the bay.

    I don't know. I just find it unbelievable that people aren't screaming in the streets demanding that vendors fix their products.

    "You know Windows has flaws that could allow a hacker to take control of your PC"
    "Err, you don't say? umm..."
    "Yeah and they could steal your identity and do all sorts of nasty things in your name that you could be liable for"
    "Um, really, um that's very, um interesting..."
    "Yeah, and did you hear some guy found that the Golden Gate bridge is ready to collapse and they haven't done a thing about it".
    "WHAT! This is TERRIBLE! God-damned government! Something has got to be DONE!" etc etc

  62. I don't understaaaand by SatanicPuppy · · Score: 1

    "Microsoft sent me a patch in my email yesterday, and after I installed it it ate my antivirus and made my whole computer work bad."
    ---My mother-in-law, after meeting our friend Swen.

    Oh yeah, what a good idea. Let's get people used to clicking on things that say patch. How about just teaching them to be responsible users instead of feeding them this crap that if only they install all patches, everything will be fine.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:I don't understaaaand by Nevo · · Score: 1

      The fact of the matter is, that if users HAD installed all patches, they WOULD be fine. They wouldn't have been hit by ANY of the recent worms. And Microsoft isn't teaching people to click on things that say patch. As a matter of fact, emails from Microsoft and Microsoft's website continuously remind people that Microsoft never sends attachments.

    2. Re:I don't understaaaand by olderchurch · · Score: 1
      Yeah right, patching Microsoft Windows when the patches are released is a good thing (tm)???

      Having had first hand experience with a patch blocking internet access I have become a bit more careful these days. It took me the best part of a day to get the machine working again. You really get to appreciate internet connectivity when you lose it ;) But since it took me quite a while to get the machine working again (and I consider myself tech savvy), just imagine what it could have done for the masses. They would probably have thrown the PC out of the window.

      And no, you could not deinstall the patch.

      --
      Disclaimer: This opinion was created without the use of any facts
  63. Please, not again... by frozenray · · Score: 1

    Oh please, not Microsoft harping on the full disclosure topic again! This is getting really tiresome, but if you're interested in arguments for full disclosure, Bruce Schneier has a good writeup (from 2001...) here.

    The fundamental problem is that Microsoft's products were never designed with security in mind - it was features that counted. Taking care of this is probably going to involve rewriting every single application from scratch, possibly with different functionality (ActiveX/ActiveScripting as we know them today will have to go, that's for sure). To be fair, Microsoft is in it for the money - and I have no problem with that - and of course it's easier to sell new features than security against some vague threat (until today, that is...).

    Internet Explorer is an excellent example of Microsoft not getting this security thingy at all. ActiveX controls and scripts with access to the file system downloaded from the frigging Internet? This must be one of the dumbest design decisions I ever heard of. I just finished a 50-page paper on IE security for my company. My conclusion is that continuing to use it as the default browser is going to entail serious security risks for which there are no practical solutions. Unfortunately, we have no short-term alternative, but my recommendation is to move to a different browser platform in the next 2-3 years.

    To add insult to injury, Microsoft is moving IE into the OS service packs, which is a QA nightmare waiting to happen: install the service pack (for bug and security fixes) -> break a few dozen LOB intranet applications, don't install it -> have IT Production and Security breathing down your neck.

    Please, Mr. Ballmer, go back to monkey-dancing. You're better at being an entertainer than you're at being a manager and a visionary.

    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  64. Let the flogging start! by Martigan80 · · Score: 1

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this.

    This is also known as positive reinforcement by virtue of a bat. Come on, I can just see it now. "No click updating." "Don't worry about it, WE_WILL_take care of it for you, just accept this l-o-n-g EULA that you don't want to read and click accept."

    No thanx Bill, Ballmer, and the other dude at MS.

    --
    This SIG pulled due to lack of funding. (This damn war is costing too much!)
  65. BINGO! by gclef · · Score: 1

    Hey, Dave,
    I just won security buzzword Bingo with the parent post. You owe me $20.

  66. mostly true. then there's... by AlienBrain · · Score: 2, Informative

    I agree, things have to be published, unfortunately, for certain companies to get off their asses. Then there's microsoft, who whines and bitches about having to fix published flaws, yet at the same time manages to ignore others. Such as 31 in IE alone.

    J

    1. Re:mostly true. then there's... by manti*chora · · Score: 1
      It's not exactly fair play to refer to a google-cached, outdated web page, just because you don't like the current version saying:

      As you know Microsoft has just released a new patch MS03-040, which renders several IE vulns obsolete. We are presently testing the efficacy of the vulns reported to be fixed and we can report that MS03-040 is doing the job it was intended to. Let's just hope that users are diligent in applying the patch.
  67. Mod parent up! LOL by nietsch · · Score: 1

    nt

    --
    This space is intentionally staring blankly at you
  68. I know where the education should start by TheLevelHeadedOne · · Score: 1

    ...introduced an educational plan to help correct this...

    How about starting with their stupid programmers and the testers all the way up the line to a production release who test things to see if they work instead of testing them to see if they break.

    --

    Twin or more? ITA
    Apache/Spring/La
  69. National Security - How would you feel... by NCDave · · Score: 1

    ... if someone analyzed the security of the nation and then published a report citing specific weaknesses, stating that it would be easy to bomb location X or infiltrate power station Y? What if they provided specific instructions on just how to do it? Is that so different from someone exposing security holes in an operating system that many people use for storing personal and business information and mission-critical or medical applications? (my opinion) Critical security problems should be reported to Microsoft first, to allow them a chance to repair the issue, before it is released publicly. And this should not be a matter of law or policy - in either case of Microsoft or national security - just pure common sense. - NCDave

  70. "Unbiased coverage" by mackstann · · Score: 2, Interesting

    I guess the submitter's idea of "unbiased coverage" is "comments from people who have lots of reasons to dislike Microsoft."

    It's almost impossible to avoid bias in anything, but this one is plain as day!

    1. Re:"Unbiased coverage" by Keith+Russell · · Score: 1

      Microsoft makes the same empty promises, and the usual suspects respond with the same empty sound bites. 'Round and 'round the roundabout, and back where we began.

      But if the submitter hadn't made that "unbiased coverage" remark, it wouldn't be trollworthy enough for Mikey to accept it. Wouldn't want him to break the pattern by simply reporting, now, would we?

      --
      This sig intentionally left blank.
  71. How insightful... by fuqqer · · Score: 1

    Gee whiz Gomer, Barney from Microsoft says that it's the user's fault for not patching their systems. (Partially agree)

    Barney from MS says that security companies shouldn't tell anyone about MS software problems. (Disagree)

    Barney from MS says that they're really, really going to focus on security this time. (Vehemently Disbelieve)

    Head of MS security, Gomer, reiterates that security is number one at MS. (Denying urge to vomit)

    Smart people from around the world say "Bullshit, MS hasn't done shit, and are just giving users lipservice."(Pounding head into desk with agreement and frustration)

    Sigh, what's news in this article here?
    -justify my non-sig-

    1. Re:How insightful... by fishbowl · · Score: 1

      >Smart people from around the world

      Not smart enough to find themselves in a position to make strategic IT decisions, apparently.

      --
      -fb Everything not expressly forbidden is now mandatory.
  72. Windows Users Wake Up by meplaysocr · · Score: 1

    "class-action lawsuit filed in Los Angeles Superior Court last week that accuses the company of not doing enough to guard the personal information of Windows users." Okay, I understand Microsoft has a long way to go in making their products secure, but come on people, when are Windows users going to wake up and take some responsibility for their machines? I'm a user of Windows/Linux/Solaris and I have long since learned to live by the phrase "Patch Frequently and Patch Often." Maybe it is just something we *nix users have gotten used to, but it is something Windows users need to become more aware of, and quit blaming Microsoft for their inability to secure their own machines.

    --

    Sig? No thanks, I don't smoke.
    1. Re:Windows Users Wake Up by phillymjs · · Score: 1

      ...when are Windows users going to wake up and take some responsibility for their machines?

      Never. Windows is a high maintenance system, being sold to people who can't be bothered to learn how to set the clock on their VCR. They can barely use their PC for IM, e-mail and web browsing, so forget about them adequately maintaining it.

      Microsoft should take the blame for that, too. All their blow-sunshine-up-your-ass marketing makes Windows seem like your lovable electronic pal who opens up the internet to you. People don't learn the awful truth until they've given their money to Dell or Gateway, clicked on the wrong spam, and their machine has gotten owned by some script kiddie or spammer.

      ~Philly

  73. Microsoft's $40 billion cash on hand by chmilar · · Score: 1
    I keep hearing how M$ has $40 - 50 billion dollars on hand. Not to mention BG's billions!

    With this kind of cash, they could rent a building and staff it with hundreds of people whose sole purpose is to fix the security problems. After all, they have source code for the whole thing.

    One group could audit the code from all Windoze versions and fix all of the buffer overruns, and other basic coding errors.

    Other groups could address components of the system, examining the code and testing for various exploits. Their job is to find the holes before the crackers, and fix them.

    Who cares if they step on the toes of the OS developers? It will shame the OS developers into writing better code!

    Why M$ isn't doing this is beyond my imagination.

    --
    Reading Slashdot is ruining my spelling and grammar.
    1. Re:Microsoft's $40 billion cash on hand by Second+Vampyre · · Score: 1

      Your imagination is very limited. Otherwise you could come up with a more clever slur than M$. Try pottyface, or doodoo breath.

    2. Re:Microsoft's $40 billion cash on hand by GSloop · · Score: 2, Insightful

      Let's just do the math.

      Could we assume that the cost of really hardening Windows and the other core products should cost less than one billion dollars? (I'd certainly hope so.)

      So, for 1/40th of MS's cash, or way less than the cost from all the worm/virus outbreaks, we could fix windows.

      Let's see. Programmers cost $100K a year. (They should be serious kick ass programmers.) Let's also assume 25% of all costs are overhead and non-salary costs.

      Thus, for $500,000,000 we should be able to hire 7500 programmers to fix the problem in 12 months.

      Given these facts, it's clear that fixing the problem is really quite trivial, provided there is some real desire to do so. The obvious conclusion I reach is that there is no real desire to fix things.

      Thus, things will continue as they have. It's easier and cheaper to snow people with press-releases and speeches than actually doing anything.

      Isn't that the ultimate PHB approach?

      Cheers,
      Greg

    3. Re:Microsoft's $40 billion cash on hand by chmilar · · Score: 1
      $500 million is only 1% of Microsoft's $40 - 50 billion cash on hand!

      It is a trivial amount of cash for MS to spend! It hardly makes a dent in their resources.

      Depending on how this cash is invested, they could lose or gain more than $500 million due to a day's fluctuations in the stock market.

      There would be no stock market crash.

      --
      Reading Slashdot is ruining my spelling and grammar.
    4. Re:Microsoft's $40 billion cash on hand by soft_guy · · Score: 2, Insightful

      The reason Microsoft has $40 billion in cash on hand is because they keep it on hand instead of spending it on things like a building full of security experts constantly reviewing their code.

      They use 50% contractors so they can lay people off at the drop of a hat and never take a PR hit for layoffs. When I worked there, they laid off half of our QA people even though they were announcing record profits. Why did they lay them off? Cost cutting.

      They also don't pay their developers anywhere near what Apple pays. That's why their OS is still way behind MacOS X. It will continue to be behind Apple in terms of features, innovation, and quality as long as that is true. The people they recruit tend to be average developers. Most of the devs I've met from Apple tended to be really brilliant.

      And Microsoft doesn't care. They consider Apple to be no threat to them and to be sort of their "research arm". And that's likely to continue to be the case as long as Apple's at a strategic disadvantage - which they definitely are. As long as something doesn't cause the equilibrium to change, Apple can continue to have 3-5% marketshare and can continue to produce a higher quality, more expensive computer that will appeal to some folks.

      Microsoft is obviously much more worried about Linux. From a strategic point of view, Linux is a good OS, it runs on x86 hardware, and there's not much stopping PC manufacturers from pre-loading Linux instead of Windows. Right now, it's just customer expectation and ease of use. What I think they are afraid of is some leader emerging who will go through the time and effort of ironing out some of the usability problems that Linux has and using it as a club to beat Microsoft to death. Who could do that? Maybe IBM?

      Have the security problems cost them marketshare? Maybe some sales in servers went to Linux, so they're turning on the PR machine and they are doing things internally to address security. (I hear this from friends who still work there.) Meanwhile, Longhorn's new graphics engine gets features Apple put into Quartz 3 years ago.

      Average users just want to run Word and surf for pr0n and they can do that with Windows.

      For me, I'll stick with the Mac.

      --
      Avoid Missing Ball for High Score
    5. Re:Microsoft's $40 billion cash on hand by GSloop · · Score: 1

      Ok, troll.

      The "trivial" cost is comparing the cost to what insecure software (Windows in particular) is costing the world.

      10 billion over 5 years would be peanuts to what we've spent fixing it after the fact.

      Even if Windows' cost increased to $300 a pop, it would be cheap.

      Cheers,
      Greg

    6. Re:Microsoft's $40 billion cash on hand by arcamedez · · Score: 1

      While I'm not a Microsoft fan, I also realize that an OS is a very, very complicated system. I just don't believe that $40 billion is enough to make the system secure or stable. Also, just by multiplying the number of programmers does NOT increase their ability to solve such an immense problem faster. I believe this was the theme of the Mythical Man Month.

    7. Re:Microsoft's $40 billion cash on hand by nyseal · · Score: 1

      Please don't play the dollar game. I realize that MS has HORDES of money, but the way you explain it implies that if they just throw 500 million dollars at a project to 'fix' something it's that easy. Even a '1 million dollar company' is truly not a 1 million dollar company; hence downsizing and layoffs. I'd much rather be the manager of a $100,000.00 company making a profit than a $10,000,000,000.00 losing money....hell, look at Enron. Again, I'm not saying that MS does not have the resources or willingness to correct these issues, it's just not always that easy.

      --
      [SIG] Remember Mattel handheld games?
    8. Re:Microsoft's $40 billion cash on hand by nyseal · · Score: 1

      I STILL can't surf for porn on Windows anymore; Blaster killed my surf capabilities and the recent rash of volatile code on websites won't let me even VIEW certain websites without shutting down. Sheesh, what's the world coming to when you can't even view a b-rated porn site?

      --
      [SIG] Remember Mattel handheld games?
    9. Re:Microsoft's $40 billion cash on hand by ColaMan · · Score: 1

      You could always get your 7500 programmers to audit a windows module each for buffer overflows. That'd knock a few exploits on the head right there. Surely even with overheads, in parallel 7500 programmers could do that in a month.

      (No, I haven't read The Mythical Man-Month but I'm moderately aware of the principle)

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  74. Re:How about automatically removing foreign malwar by cdipierr · · Score: 2, Interesting

    Yeah, you're right...in fact, if the app isn't signed by MS, then they should remove it, because you never know, it might be doing something "bad".

    Problem is, you'd be screaming just as much about this "solution" as you are right now about the popups, etc. And you'd be perfectly justified in doing so.

    If a MS OS is going to have the ability to run arbitrary executables (arguably the OS's most important job), then it can't be responsible for what those apps do.

    I'm not sure what the solution is, but one possibility might be to create two (or more) different versions of Windows. There could be:

    WinXP for Business
    - Only runs MS signed apps...anything else will refuse to install (maybe overridable by someone with administration ability?).
    - Will actively search for "bad" apps like you described and remove them if they get installed somehow.

    WinXP for Home
    - Will run whatever you damn well choose, but it's your own fault when something goes wrong.

    Actually maybe these are the same OS, just with different settings. Perhaps MS could make different default install configs depending on your setup.

  75. Hrm... by MuperSario · · Score: 1

    I wonder if Ballmer was bouncing around the conference all out of breath and sweaty yelling "SECURITY SECURITY SECURITY SECURITY SECURITY SECURITY".

  76. Slashdot topics for MS security? by Blondie-Wan · · Score: 1

    Let's see... the story has the M$ BillBorg, the Tech/IT mobo, security, and business icons - but where's the Python foot for humor??

  77. Re:"Securing the perimeter" is Flawed by Master+Bait · · Score: 1
    Automatically updated...

    'Automatically updated' is a fundamentally flawed security hole in itself. What is also flawed is how the MS operating system will execute any file if the name ends with .exe, .bat, or .com.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  78. IE? by digidave · · Score: 1

    Is he touting the 31 unfixed security holes in IE?

    --
    The global economy is a great thing until you feel it locally.
  79. good! by austad · · Score: 1

    Wow, this is great. Look how much they accomplished last time!

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  80. Same song, different year by GSloop · · Score: 2, Funny

    MS did this last year.

    Was there a dramatic decline in Remote root exploits? Sure didn't look like it to me.

    Explain to me again, why we should believe in it this time?

    MS is a day late and a dollar short. Security hasn't been a marketable feature, according to MS. Thus, they haven't done much with it.

    Now it's too late. MS is known as a broken dick dog on security. They are not going to lose that reputation for years.

    Good luck Steve. Your company sucks.

    Cheers,
    Greg

  81. Re:we'll focus on security .. this time we mean it by Anonymous Coward · · Score: 1, Insightful

    Who gave that analogy? Computer security is like car security: wheels that don't fall off while driving, seatbelts that don't break and let you fly through the windshield when your car crashes, door locks that really work, doors that don't open while driving, et cetera. Maybe Microsoft's software "engineers" buy car insurance thinking that it magically makes their cars indestructible...

  82. I can just imagine the video clip... by onallama · · Score: 1
    "Security, security, seCURity, seCURITY, SECURITY, SECURITY, SECURITY!!!"

    And ironically:

    "Lameness filter encountered. Post aborted!
    Reason: Don't use so many caps. It's like YELLING."

    Yeah, that was kind of the point.
  83. Re:How about automatically removing foreign malwar by Bingo+Foo · · Score: 1

    I didn't say that MS should be able to uninstall anything just because they feel like it, I specifically said because of the trademark infringement and attempted extortion that these programs are designed for, they are just as legitimate a target for removal as "viruses" are.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  84. Re:"Securing the perimeter" is Flawed by ikewillis · · Score: 1
    'Automatically updated' is a fundamentally flawed security hole in itself.

    Obviously the filter rules would be cryptographically signed, so crafting malicious ones would require that you compromise Microsoft's physical security and obtain their private DSA key, or that you compromise the DSA itself. Neither of these are particularly realistic possibilities...

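    The point above is that an auto-update channel is not a hole in itself if the client only installs payloads that verify against a public key it already holds. As an added example (not code from the original thread or from any Microsoft product), the hypothetical `FilterRules` payload below is signed by the publisher and checked by the client; Ed25519 from Go's standard library stands in for the DSA mentioned in the post, and a version counter is added so a replayed older payload is refused as well as a tampered one:

    ```go
    package main

    import (
    	"crypto/ed25519"
    	"crypto/rand"
    	"encoding/binary"
    	"errors"
    	"fmt"
    )

    // FilterRules is the hypothetical auto-updated payload: a monotonically
    // increasing version plus the rule text. Names are assumptions for this example.
    type FilterRules struct {
    	Version uint64
    	Rules   string
    }

    // encode builds the exact bytes that get signed: the version in a fixed
    // 8-byte big-endian prefix so the version and the rule text cannot be confused.
    func encode(r FilterRules) []byte {
    	buf := make([]byte, 8, 8+len(r.Rules))
    	binary.BigEndian.PutUint64(buf, r.Version)
    	return append(buf, r.Rules...)
    }

    // Sign is the publisher side; the private key never leaves the publisher.
    func Sign(priv ed25519.PrivateKey, r FilterRules) []byte {
    	return ed25519.Sign(priv, encode(r))
    }

    var (
    	ErrBadSignature = errors.New("update rejected: signature does not verify")
    	ErrRollback     = errors.New("update rejected: version not newer than installed")
    )

    // Accept is the client side: it holds only the public key and the version of
    // the rules already installed. A forged or altered payload fails the signature
    // check; a replayed payload (older or equal version) fails the rollback check.
    func Accept(pub ed25519.PublicKey, installed uint64, r FilterRules, sig []byte) error {
    	if !ed25519.Verify(pub, encode(r), sig) {
    		return ErrBadSignature
    	}
    	if r.Version <= installed {
    		return ErrRollback
    	}
    	return nil
    }

    func main() {
    	pub, priv, err := ed25519.GenerateKey(rand.Reader)
    	if err != nil {
    		panic(err)
    	}
    	// Constructed sample update; the client currently has version 1 installed.
    	update := FilterRules{Version: 2, Rules: "block *.example.invalid"}
    	sig := Sign(priv, update)
    	fmt.Println("genuine:", Accept(pub, 1, update, sig))

    	tampered := update
    	tampered.Rules = "allow *" // altered in transit; signature no longer matches
    	fmt.Println("tampered:", Accept(pub, 1, tampered, sig))

    	fmt.Println("replayed:", Accept(pub, 2, update, sig)) // same version already installed
    }
    ```
    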
  85. All of a sudden the light bulb went off by A_Non_Moose · · Score: 1

    What bothered me about Ballmer:

    Steve is Uncle Fester

    Dun-nuh-nuh-nuh
    Snap, snap

    Dun-nuh-nuh-nuh
    Snap, snap

    Dun-nuh-nuh-nuh
    Dun-nuh-nuh-nuh
    Dun-nuh-nuh-nuh
    Snap, snap

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  86. It's the design, not the code by DrSkwid · · Score: 1

    Windows, like Unix, is insecure *by design*.

    You can't fix that with a bunch of smart people looking for buffer overruns.

    --
    There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
  87. write secure software? by geoff+lane · · Score: 1
    Write secure software? Where's the profit in that? If the software is secure nobody will pay for upgrades.

    It's worrying to note that the book Writing Secure Code published by Microsoft Press is out of print.

  88. Re:"Securing the perimeter" is Flawed by Haeleth · · Score: 1

    > What is also flawed is how the MS operating system will execute any file if the name ends with .exe, .bat, or .com.

    What, like the way Unix-like operating systems will execute any file if it has the executable bit set?

  89. Security? by dbfruth · · Score: 1
    Computer security "is without question the number one priority for the company," Mike Nash, vice president of Microsoft's security business unit, said in a phone interview after Ballmer's speech...

    That's refreshing, I thought that the top priority was crushing the competition.
  90. Re:How about automatically removing foreign malwar by cdipierr · · Score: 1

    Ah, didn't realize you were keying on a trademark issue. I understand that sentiment, but then the "bad guys" would just change the installed names of their apps to things like "Internet Connector" or "Web Site Accelerator" or whatever. That'd get them around MS and they'd sound just as important to the average user.

  91. Re:How about automatically removing foreign malwar by toasted_calamari · · Score: 1

    As much as this would make things easier, think about the negative aspects. Software is never perfect, and it would be far too easy for such an "auto delete" program to damage crucial files. A far better solution would be to integrate/bundle a spyware scanner that the user could run at their leisure.

    I would not want ANY company (microsoft, apple, sun, redhat, etc.) deleting software during an update. A box saying Windows Blah has detected x, y, z malware on your computer, is it ok to clean these files? is fine, but a non interactive auto delete would be a Bad Thing.

  92. Fatal "user" flaw? by Graymalkin · · Score: 4, Interesting

    Having just helped someone put WindowsXP on a laptop last night, I can easily say the flaw is not on the user end. There's a hojillion security vulnerabilities in WindowsXP. Most people do not have broadband. Lacking broadband makes it really damn difficult to keep up with patches. The fresh WindowsXP install that went on the laptop couldn't even connect to the internet for five minutes without being hit by MSBlaster. Five minutes. That's ridiculous. The user is not at fault in a situation like that, Microsoft is.

    Ballmer can blame users all he wants. It comes down to Microsoft having a crappy security model and poor development practices. Having a bunch of temporary employees programming black boxes gets them into a lot of trouble. So does having DCOM services a majority of users will never need or use enabled by default. A WindowsXP Pro system shouldn't be listening to RPCs from the internet.

    Ballmer needs to have his developers look more closely at how they are designing their systems. Windows shouldn't have a broadband connection as part of the damn system requirements. Even with an automagic updater, people without fast persistent connections will still run around without the proper patches. Maybe Microsoft needs an ounce of prevention to release more secure and robust systems in the future.

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Fatal "user" flaw? by shaitand · · Score: 1

      Actually the RPC bug that Blaster uses affects the communication hooks the firewall in XP uses, as a result it generally won't prevent infection at all. It is able to stop attacks with the latest of the RPC DCOM vulnerabilities (#3 in the past month I believe) which affects all 32bit versions of Windows. Perhaps we should tell Win98 users to enable the personal firewall that Microsoft included in the patch for the.... oops wait, Microsoft didn't give this SUPPORTED OS a patch for the firewall.

    2. Re:Fatal "user" flaw? by Graymalkin · · Score: 1

      Bzzt. The ICF was enabled. It did nothing to stop the Blaster infection.

      "My eyes! The goggles do nutheeng!"

      --
      I'm a loner Dottie, a Rebel.
    3. Re:Fatal "user" flaw? by radsoft · · Score: 1

      Ballmer can blame users all he wants. It comes down to Microsoft having a crappy security model and poor development practices.

      Yes. But the blame does not belong farther down the organisation - the blame belongs at the top, with Ballmer and Gates, who have deliberately cultivated the corporate atmosphere that is causing all these problems today.

      If they wanted excellence, they could have blown everyone out of the water. They have enough money. They simply do not want it. Period.

      So stop hoping they'll improve, or hoping the Internet will be less hectic while they're still a major player. For it's not going to happen.

      --
      radsoft.net
  93. So Office 2000 was released in 1997? by DrSkwid · · Score: 1

    I think not

    --
    There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
  94. Design? by Grendel+Drago · · Score: 1

    Really? OpenBSD is insecure by design? Remind me the last time they had a remote root exploit in their default install?

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
    1. Re:Design? by nosferatu-man · · Score: 1

      They still have a root user, don't they? No ACLs on anything but files? No provision for sandboxing executables? &c., &c., &c.

      'jfb

      --
      To spur "enterprise Linux," Big Bang, the distributed two-phase commit.
    2. Re:Design? by DA-MAN · · Score: 2, Informative

      According to this, it was September 16, 2003.

      http://www.securityfocus.com/archive/1/337662/2003-09-13/2003-09-19/0

      Any other questions?

      --
      Can I get an eye poke?
      Dog House Forum
    3. Re:Design? by SuperFlaco · · Score: 1

      OpenBSD != OpenSSH

    4. Re:Design? by DA-MAN · · Score: 1

      My response was to this!

      > Really? OpenBSD is insecure by design? Remind me the last time they had a remote root exploit in their default install?

      Last time I installed OpenBSD, maybe three weeks ago, OpenSSH was part of their default install. I realize that OpenBSD != OpenSSH, however OpenSSH is part of their default install, so my link to a security site regarding OpenSSH being vulnerable still stands.

      --
      Can I get an eye poke?
      Dog House Forum
  95. Sounds like.. by msimm · · Score: 1

    Your cousin is visiting adult sites. Check for hairy palms.

    --
    Quack, quack.
  96. With great power comes great responsibility by raw-sewage · · Score: 1
    Based on personal observation, it appears that the average MS Windows user has low expectations. What a great situation for Microsoft: a monopoly and apathetic customers. (Unfortunately, I think this characterizes the non-tech savvy majority: uninformed and/or uncaring.)

    I'm surprised there aren't more class action lawsuits against Microsoft for their woefully insecure products. Whether or not the alternatives are more secure is not the issue! The courts have ruled that Microsoft has a monopoly. Because of this, I think they should be held to a higher standard, be that much more accountable for their actions, and have a greater obligation to customer/consumer needs.

    Microsoft has no shortage of money; they probably employ the majority of the better software developers. And yet they continue to get away with paying little more than lip service to security issues. True, many of Microsoft's security problems are related to user error, but it's the principle of the matter: I see no reason why they can't do better. It's only self-interest that keeps Microsoft from being more proactive about security and customer education.

    Like it or not, Microsoft is the dominant software provider---the monopoly software provider. They should be held to higher expectations and have greater responsibility.

  97. Renewed? by sirgoran · · Score: 1

    You mean they had one to begin with?!!!

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this.

    Well, that should fix THEIR own boxes. But what about the rest of us?

    ...a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.'

    Oh I get it! You'll fix your boxes and the hell with the rest of us!

    Jeese! You just gotta love that kind of business plan! Well heck! Crap to you too!

    -Goran

    --
    Carpe Scrotum - The only way to deal with your competition.
  98. Re:we'll focus on security .. this time we mean it by vsprintf · · Score: 1

    Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

    Dunno. How did they explain to all their users that they had to have anti-virus software running at all times without explaining why? Considering the way people pay for BestBuy extended warranties, Microsoft should have no problem selling security. Hey, they could even charge more for the XP-Secure version.

  99. Re:we'll focus on security .. this time we mean it by Anonymous Coward · · Score: 1, Insightful
    • They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium.
    I think you've put your finger on it right there. After year after year of the dominant desktop being a security nightmare, Palladium, which will promise absolute security, will be an easy sell to an exploit-weary community.
  100. OK, THIS time we're REALLY serious! by switcha · · Score: 2, Funny

    Rinse. Blather. Repeat.

    --
    You know what? ... A little club soda *did* get that out!
    1. Re:OK, THIS time we're REALLY serious! by reynolds_john · · Score: 1

      No no no no!

      It's blather, rinse, repeat.

      The last thing you want is blather left in your hair too long.

  101. Summary by jd · · Score: 1
    "We'll focus on security... ...provided you don't look closely, or tell anyone what you see."


    Microsoft's attitude towards security merits either a feature on the comedy channel, or a visit from Homeland Security. Exposing 99.8% of the desktops in the world to malicious data thieves must surely be a violation of the Patriot Act. (Everything else is!)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  102. Re:we'll focus on security .. this time we mean it by kfg · · Score: 2, Insightful

    The reason is simple really. Microsoft is a consumer grade software company (trying to outgrow that, with rather iffy results so far) and is thus naturally market driven; and market driving.

    "Consumer demand" (or what they can force the consumer into "demanding") is king. They aren't a technology company at all and claims they make of such are simply part of the marketing.

    Security has no meaning to them other than as an advertisable "feature."

    As such they have made certain decisions regarding the architecture of their operating systems that make no sense from a technological point of view.

    Please note that even Ballmer's current vomiting up of "initiatives" is pure market speak and doesn't actually mean anything with regards to their software.

    Fixing the situation isn't merely a matter of plugging the holes. It would take a true change of philosophy company wide, a complete restructuring of the OS and, most problematic of all, removing certain things that customers have come to expect as standard features and will bitch over losing.

    "Hey, where did the autorun of executables from email go!?"

    Go figure.

    People want security, but not at the price of being secure. How many home users keep a box with sensitive data isolated from the net? That would require some disk swapping now and again. How inconvenient.

    Let us not grow over snide in our disdain, however, and always keep as an object lesson in our minds that it was a ludicrous design decision in Gnu emacs that allowed the Lawrence Berkeley Labs network to be rooted.

    We can all make mistakes.

    Fortunately the Lawrence Livermore Labs ( where they keep all the "Nuclear Wessels") was isolated from the web and thus unaffected by the intrusion.

    It's not a bad idea to take that as an object lesson as well.

    KFG

  103. Have you had 'the talk'? by benjamindees · · Score: 1

    it felt like trying to talk about genital warts or something.

    That's what we need. Education. Public service ads that ask kids "Have you talked to your parents about viruses? Don't you think you should?" and say things like "Adults *want* internet boundaries. Be a responsible teenager and punish them when they install malware."

    --
    "I assumed blithely that there were no elves out there in the darkness"
  104. Monkeyboy by stud9920 · · Score: 1

    Next motivational internal show

    <sweaty-armpits>
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    Security !
    </sweaty-armpits>

  105. Re:we'll focus on security .. this time we mean it by t0ny · · Score: 1, Troll
    Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen. Seems to me that their marketshare shows most people find their software acceptable. Not only that, but speaking as a professional expert on MS products, I don't see anything "broke" with it. Is it perfectly secure? No. Is anything? No.

    Maybe before you start running your habitually complaining, slashdot party line spewing mouth, you should get your REAL facts straight.

    In fact, yesterday there was an article RIGHT HERE featuring SANS' top ten security concerns on both Windows and Unix. And strangely enough, it was hard to tell which was 'worse', since both had flaws which, while patching would fix it, required the end user to actually DO it. So the real problem isn't in the OS, it lies between the chair and the keyboard.

    Wake up to the truth- it's out there. You need to take your "I hate M$" hat off, it's cutting off the bloodflow to your brain.

    What's the deal MS?

    The deal is Windows Server 2003. The deal is also Software Update Services. The deal is also the tons of security bulletins, software patches, and technical resources *constantly* put out by MS. Anyone who knows the real deal certainly can't say MS isn't being diligent about security or stability.

    How about getting it right the first time!

    Like who? Word Perfect? Puh-lease! Star Office? Don't make me laugh!

    You guys need to wake up to the fact that EVERYTHING in the world is a work in progress. If you can show me one piece of software that is flawless right out of the gate, I'll eat my hat. BSD, Linux, Unix, etc, they ALL need to be patched. Nothing is perfect. NOTHING.

    Microsoft needs to snap into action ASAP.

    Stop being a shrill, whiny bitch and go look at Technet. It's obvious you can connect to the internet, so quit being so lazy. If you support the stuff, at least you can put an effort into figuring out how to do so effectively. Or would you rather just make baseless complaints in the comfort of Slashdot, the home of baseless MS criticism?

    They need to send out CD's to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program

    First, get off your lazy ass and get the patches from www.microsoft.com. Second, name the 'product' you are having so much trouble with. In my experience, especially regarding Microsoft, it's a poor craftsman who blames his tools. I don't work with ANYTHING they currently make which performs like 'beta software'. Even their beta software performs better than that of most of their competitors. Do I love every design choice they made? Hell no! But those I don't like I just learn how to work around. And it's entirely possible, given how they design their products.

    MS designs FOR their customers. And that's a fact.

    I will now be modded down to hell, since I have slaughtered every Slashdot sacred cow, but the real truth hurts.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  106. Put your patches where your puss is... by TheSHAD0W · · Score: 1

    Edit XPSP1 so it doesn't require a valid (or hacked) registration code. You may not care about machines running pirated copies of Windows, but your customers care about the viruses and spam they shed once they've been taken over.

  107. MS Security Rep. Talk by carpe_noctem · · Score: 1

    I posted this on another web forum, but I figured I'd re-post it here, too. I admit that I wasn't 100% open minded to this presentation, but I was willing to give the MS guy a break. However, I walked away from this presentation being very disenchanted, and I feel very uneasy about the whole MS-Security-Drumbeating festival that is going on these days.

    Anyways, enjoy:

    Thought I would pass on this story, as I found it a bit amusing. Today I went to a presentation at my school called "Security: Just Plain Good For You", sponsored by none other than Microsoft. The guy that was presenting it was a "Microsoft Product Evangelist" (yes, that was his actual job title), meaning that he was not paid to do any actual software development; his job was to give powerpoint presentations around the country. To be fair, this guy said he did have 14 years of background experience as an applications software developer.
    At any rate, the presentation opened by the speaker admitting it had been a "rough month" for Microsoft. He acknowledged that MS security had been a bit lacking, but excused this by saying that even though Microsoft was spending more time and money on security, they were unable to keep up with the volume of attacks against MS boxes.
    Then, he presented 2 types of "major" security vulnerabilities, and gave working examples of each. Although he -mentioned- buffer overflows in the beginning of his presentation, he chose instead to focus on the areas of SQL injection and cross-site scripting (XSS). So, we sat there for about 30 minutes while he demonstrated how you could make a web-based form display a java popup window and other such things.
    When his presentation ended, he welcomed questions from the audience. I asked him that if MS touted the use of firewalls to protect a machine (a point he made several times in the presentation), then why wasn't XP's firewall enabled by default? He basically told me in so many words that XP's firewall is connection based, and isn't adequate for this task.
    I also asked him if most of the MS security research centered around XSS and SQL injection exploitations, rather than core application or OS security. He said that security vulnerabilities like those he had discussed accounted for a good portion of research, but they were "also concentrating on OS security".
    Additionally, we asked him why IIS runs in kernel space in Win2003 server, given that he not only bragged about 2003's security, but also noted that Microsoft's new security paradigm is to "put security before features". He acknowledged that having IIS running in kernel space was somewhat risky, but he assured us that "it was done very securely".

    I have to admit that I went into this lecture a bit biased, but I came out of it far more fearful about Microsoft's approach to security. The MS rep seemed to justify Microsoft's lack of security by stating that "there are more Microsoft-installed computers on the internet than any other OS" (fair point), and that "put any other default install of an OS on the internet, and it'll be compromised in 30 minutes or less." (In case you were wondering, he specifically referred to only linux and freebsd here. No mention of Plan9 or OpenBSD or any others, and nobody brought it up in the Q&A session, either). Regardless of Microsoft's past track record, I have to say that this lecture made me slightly uneasy about MS's approach to secure software development. It seemed to me that more than anything else, they seem to be repeating the mantra "if we tell people it's secure, then it will be secure".

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  108. Re:we'll focus on security .. this time we mean it by Archfeld · · Score: 2, Informative

    The new Windows is not any better, and has MSIE 6 on it with the SAME holes as everyone else. Just finished installing the MOST recent Developer release of 2K3, don't hold your breath for this release to be ANY better than the previous one regarding security. In fact if the integration continues expect all the "BROWSER" based exploits to be migrated right into the local system without even a look backwards. So far beyond extended memory/proc support I fail to see any REAL improvements in 2K3, much GUI'fied updates, some useless moving and renaming of function from one place to another, and some really lame shutdown documentation requirements. M$ just really doesn't understand what people want, or even how to find out what their customers really see as the #1 priorities....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  109. Re:we'll focus on security .. this time we mean it by caluml · · Score: 1
    it takes me half a day to move my files and settings from *one Linux machine to another*!

    tar cvf /tmp/foo.tar -C /home "$USER"    # archive ~ with paths relative to /home, so it unpacks to /home/$USER (not /home/home/$USER)
    scp /tmp/foo.tar newmachine:/tmp/
    ssh newmachine
    cd /home && tar xvf /tmp/foo.tar

  110. Re:How about automatically removing foreign malwar by nmos · · Score: 2, Interesting

    For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.

    Please no! I already run into plenty of situations where updates cause problems of their own so the last thing I want is for MS to start making their updates more complex.

  111. Re:"Securing the perimeter" is Flawed by caluml · · Score: 1

    Three things Gentoo needs IMHO.
    1. "cryptographically signed" updates, not simple MD5s.
    2. A better way than their silly etc-update script for updating files
    3. A "default", a "security", and a "bugfix" update tag, so I could choose to only have to update ebuilds on my machine when there was a security or bugfix related issue. I mean, if App v2 has a problem until 2.22.53, then I need to update it if I am running anything less, right? If it's just a newer version, I don't want to know about it.
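
As an added example (not caluml's code and not anything from Gentoo), the following shows the gap between point 1's "simple MD5s" and a cryptographically signed manifest. It deliberately uses SHA-256 rather than MD5, because the hash algorithm is not the issue: a checksum served by the same mirror that serves the package authenticates nothing, since whoever can swap the package can rewrite the checksum beside it. A signature over the manifest, checked against a key pinned on the client, cannot be regenerated by the mirror. The manifest format, the key handling and the package bytes below are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is the (constructed) metadata a mirror serves next to a package:
// the file name and the hex digest the client is expected to check.
type Manifest struct {
	Name   string
	Digest string // hex SHA-256 of the package bytes
}

func digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// manifestBytes is the canonical encoding that gets signed and verified.
func manifestBytes(m Manifest) []byte {
	return []byte(m.Name + "\n" + m.Digest + "\n")
}

// VerifyChecksumOnly mimics a client that trusts whatever manifest the mirror
// hands it: the only check is that the package matches the listed digest.
func VerifyChecksumOnly(m Manifest, pkg []byte) bool {
	return m.Digest == digest(pkg)
}

// VerifySigned first checks the manifest's signature against a key pinned on
// the client, and only then checks the package against the manifest.
func VerifySigned(pub ed25519.PublicKey, m Manifest, sig []byte, pkg []byte) bool {
	if !ed25519.Verify(pub, manifestBytes(m), sig) {
		return false
	}
	return m.Digest == digest(pkg)
}

// Sign is the release-side step: the distribution signs the manifest with a
// private key that never touches the mirror.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, manifestBytes(m))
}

// Scenario runs a clean download and a mirror-tampered download through both
// verifiers. It returns whether the clean download verifies, whether the
// checksum-only client accepts the tampered mirror, and whether the
// signature-checking client accepts it.
func Scenario() (cleanOK, checksumOnlyTampered, signedTampered bool) {
	// Constructed sample data: a release key pair and a "package".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("app-2.22.53: genuine package contents")
	m := Manifest{Name: "app-2.22.53.tar.gz", Digest: digest(pkg)}
	sig := Sign(priv, m)
	cleanOK = VerifyChecksumOnly(m, pkg) && VerifySigned(pub, m, sig, pkg)

	// A compromised mirror replaces the package AND rewrites the manifest so
	// the digest matches the trojaned bytes. It cannot mint a new signature,
	// so it re-serves the old one.
	evil := []byte("app-2.22.53: trojaned package contents")
	evilM := Manifest{Name: m.Name, Digest: digest(evil)}
	checksumOnlyTampered = VerifyChecksumOnly(evilM, evil)
	signedTampered = VerifySigned(pub, evilM, sig, evil)
	return
}

func main() {
	clean, cs, sg := Scenario()
	fmt.Printf("clean download verifies: %v\n", clean)
	fmt.Printf("tampered mirror, checksum-only client accepts: %v\n", cs)
	fmt.Printf("tampered mirror, signature-checking client accepts: %v\n", sg)
}
```

The signature covers the manifest rather than every package so the expensive check is done once per manifest; the per-package hash then binds each file to the signed manifest. Key distribution is the part this snippet hand-waves (the public key is generated in-process), and in a real system the pinned key, not the mirror, is the root of trust.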

  112. Re:we'll focus on security .. this time we mean it by poot_rootbeer · · Score: 3, Insightful

    [...] tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    Would implementing any of those things make Microsoft more money than not implementing them? It's all about profit margins. Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.

    do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care.

    You may not, but all the rest of Microsoft's customers do. "Fast but wonky" is all too often perceived as preferable to "slow but bulletproof."

    How about getting it right the first time!
    Microsoft needs to snap into action ASAP.


    You just have all the answers, don't you? Maybe Microsoft should hire a fresh new voice like you to oversee their development efforts.

    Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?

  113. Re:we'll focus on security .. this time we mean it by poot_rootbeer · · Score: 1

    COMMENT: We can't afford to switch from Windows
    RESPONSE: I know. If only Linux weren't so damn expensive.


    But he mentioned the cost of switching from Windows. Switching to Linux CAN be pretty damn expensive, even if the cost of the OS itself is free.

    'Switching to Linux' is a project, not a product.

  114. Re:we'll focus on security .. this time we mean it by sjames · · Score: 1

    After all, it's Sooooo much more difficult to click on a menu item under X than it is under Windows. And when they insert a CDROM, how will we ever train them that the window that pops open just like in windows works just like the one in windows?

    In other words, there are a few differences here and there for the user, but nothing a chimp couldn't work out in a day or so. Admin and support is different (easier actually), but that's a small cost to retrain and will be made up for with their added productivity.

  115. Favorite quote by TheLastUser · · Score: 1

    "One is frightened of what's around the next corner with Microsoft," he said. "You wake up the next day and suddenly something isn't working."

    Hahahaha!

  116. And they listened to the boy who cried wolf, too, by BattyMan · · Score: 1

    at least the first time. The second time, the villagers were a little more skeptical, and I'd bet fewer turned out. The third time, the kid was in deep doo-doo. The fourth time.... Wait, the fourth time was when the wolf actually showed up, wasn't it? That did not go well... for the boy.

    So I figure we'll hear this same speech again next year, met with even deeper cynicism and skepticism. In 2005 we'll hear it _again_, but by then its credibility will be zero.

    And the wolf showing up the fourth time was random chance. There won't actually be any more truth to the Imperial "security" PR the fourth time around.

    --
    Exceeding the recommended torque is not recommended.
  117. Re:we'll focus on security .. this time we mean it by 00420 · · Score: 1

    'Switching to Linux' is a project, not a product

    I know. I was making a joke, not trying to be +3 Informative.

    On a serious note though, doesn't it take time and effort to upgrade to a newer version of Windows? (I am no admin so please correct me if I'm wrong).

  118. Re:we'll focus on security .. this time we mean it by neuro.slug · · Score: 1

    $699 is pretty steep, yeah.

    -- n

  119. I wish ... by e_AltF4 · · Score: 1

    'I wish those people just would be quiet.'

    I wish Steve "Developers" Ballmer just would be quiet.

  120. Re:we'll focus on security .. this time we mean it by kfg · · Score: 1

    I think if microsoft made it so all data from the outside was tainted and wouldn't run, few would complain, if it's a choice between that and self-propagating email worms.

    That's called, "Pulling out the ethernet cable."

    I think we can be a bit less extreme than that on the boxen we wish to have connected and I'd hazard a guess that millions would complain if all data from outside was suddenly tainted and wouldn't run.

    Email text itself is data from the outside.

    Perhaps you meant something else?

    That said I can't think of anyone I know who would honestly miss the autorun feature, marketers were the primary customer for that, but any number who would complain if they couldn't even click on things to run them from email.

    It's "convenient".

    And there's no real cure for social engineering. Kevin Mitnick proved that even IT professionals are highly susceptible to that.

    KFG

  121. Re:not one exploit in Mac OS 9.2.2 or earlier EVER by chmilar · · Score: 1

    This is why I run IPNetRouter on 9.2.2 as my Firewall/NAT!

    --
    Reading Slashdot is ruining my spelling and grammar.
  122. Security via Press Release by doodleboy · · Score: 1

    Microsoft software has never been designed with network security in mind. Usually the main focus was breaking interoperability with competing software, or adding features, or "ease of use," whatever that means.

    So their code is a horrible, unfixable mess. I don't believe it's possible to add decent security without causing huge breakage to the many different versions of Windows and Office that are still supported and in wide use. Microsoft knows this, so it does what it thinks is the next best thing - trot out the VPs and CEOs and all the partners and they all join hands and say how happy they all are with all the great improvements, with all the (wait for it...) innovations that are just around the corner. Happy happy, joy joy.

    Bleh.

  123. Re:we'll focus on security .. this time we mean it by Daniel+Phillips · · Score: 1

    it's a poor craftsman who blames his tools

    The poor craftsman always blames his tools.
    The master craftsman blames his tools only when he is right.

    --
    Have you got your LWN subscription yet?
  124. heh... by OrthodonticJake · · Score: 1

    Oh, that's rich. But seriously, Mr. Balmer, I think I have something in my eye... ;o

    --
    I regularly report MSN spam to the Hotmail admins.
  125. it's our responsibility to reveal bugs by Negativeions101 · · Score: 1

    As computer security experts, hackers, whatever, I believe it's our responsibility to reveal the flaws of Windows products; otherwise nothing would be done about it. The only reason many patches even exist in the first place is because exploits have been publicly known. And it takes MS forever to release a fix for any problem, but if nothing was said then they would not do anything about it! But bugs not being publicly known doesn't mean there are people out there who wouldn't know about them. Let's say no bugs were ever publicly revealed, therefore MS never patches them. Total chaos.

    --

    I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
  126. Quote by heli0 · · Score: 1

    Ballmer: "we are 100% focused on building products and technologies that are safe and secure"
    -- January 2002

    Ballmer: "security is tattooed on our brains"
    -- April 2003

    Nash: "Computer security is without question the number one priority for the company"
    -- October 2003

    "If Ballmer told me that my pants were on fire AND I smelled smoke AND I felt my ass getting warm I still would not believe him. "
    -- Unknown

    With all of this attention to security can someone explain why there are still over 30 vulnerabilities in IE6, a piece of software that was released over two years ago?

    --
    Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
  127. Re:we'll focus on security .. this time we mean it by Karadryel · · Score: 1
    usually you don't fully understand the problem.

    Monthly security updates? Good grief!! How about getting it right the first time!
    "Getting it right the first time" is extraordinarily difficult ... I'd say conservatively that the difficulty varies with the square of the size of the product. WinXP was 50 million lines. You simply cannot build something that large, with no bugs in it, within the lifetime of any single programmer.

    Security is a feature, not something built-in that you can assume will be there. The auto industry's done a good job of educating users in this regard with the issue of reliability. Users appreciate that some cars are safer/more reliable than others, that there's a trade-off involved, and value the vehicle appropriately. Compare a Volvo coupe and a Ford mustang to understand what I mean - the Ford is sexier, faster, cheaper, less reliable, and less safe (even without Firestone tires). But _more drivers buy the Mustang than the C70_ (or whatever).

    Somebody's undoubtedly going to respond "well, linux can." Bullshit. As Ballmer pointed out, Red Hat 9 had 43 security vulnerabilities in the first 150 days after release - Win Server 2k3 had 4. Yes, they're less serious, etc ... my point is that you can't "just fix all the bugs."

    Now what if we point to OpenBSD? Even assuming that there aren't any bugs (and there have been, albeit not remote roots), that's a different sort of product, one with a much longer incubation time and less "new stuff" in each release. You can argue that Windows should do that, pare down the amount of "new stuff" (avoiding the term "innovation") to where it can be fixed ... but the reality is that that's not what customers pay for.

    Sadly, that's what it ultimately comes back to - this is a system designed for customers, based on what customers want. Red Hat is a useful comparison in that regard because it's aimed at something closer to the "normal" (in the statistical sense) user.

    Something interesting to think about that comes out of this whole issue is that, to some extent, we're hitting a turning point in computing. Users (the "normal" kind) are finally recognizing that they want security. They're pissed, because they hadn't realized that for all these years they've been trading security for features, but nonetheless *that's what the market has supported*.

    We're hitting this very interesting inflection point where users are demanding security (and privacy, which is an interesting related point), but it's unclear the extent to which the market will pay for that security. The simplistic counter-argument would suggest that because of the outcry, customers are willing to pay for it ... but that's not really true if you drill down. OpenBSD, as we've discussed, is an option: if customers placed a sufficiently high value on security, they could migrate to OpenBSD. It would be extremely expensive, in hardware and software and (especially) retraining, but it could be done - and it isn't.

    It's akin to privacy, where users say they want it, but if you offer them $0.15 back on a gallon of milk they'll gladly sell you that very data. Users say that it's important, but they're not necessarily willing to pay for either privacy or security - they want them both, free, now, without giving up anything. (Yeah, they're "entitled" to them, but you can't retrain your IT staff with entitlements).

    Anyway, the point is just that the issue is an order of magnitude more complicated than "just get it right the first time." The sentiment is correct, but the issue itself is too complex for that kind of thinking. I don't mean to give MS a free pass or anything of the kind - the point is to elevate our thinking about the issue, not just fire off our sentiments.

  128. Re:"Securing the perimeter" is Flawed by Master+Bait · · Score: 1
    What, like the way Unix-like operating systems will execute any file if it has the executable bit set?

    Is that how worms are spread in the MS Windows world? By getting the user to manually chmod +x MyWorm?

    Naming a file worm.sh does not make it executable. Doesn't naming any file ???.bat make it executable?

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  129. Security? Ha! by satyap · · Score: 1

    Security?? My employer has lost a lot of productivity and time chasing after the various worms. I can't say more.

  130. Re:we'll focus on security .. this time we mean it by sharkey · · Score: 1
    If only Linux weren't so damn expensive.

    It can be.

    Boss: I have to LEARN!?!? You're fired!

    --

    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  131. Re:we'll focus on security .. this time we mean it by mangu · · Score: 1
    gotta sync up the APPS too


    apt-get update

    apt-get dist-upgrade

  132. Re:not one exploit in Mac OS 9.2.2 or earlier EVER by jjhlk · · Score: 1

    I think the linux community likes linux because it's free and open source. Hence, nobody cares about an old operating system (that probably runs on strange hardware).

  133. Four words by ScrewMaster · · Score: 1

    DEVELOPERS, developers, Developers, developers!

    Maybe Microsoft needs an ounce of prevention to release more secure and robust systems in the future.

    Not only that. What Microsoft needs is an ounce of competition. Every time they've had someone compete with them (take Netscape, for example), their own products did get better right up 'til the time when Microsoft was able to buy, steal, squelch or otherwise eliminate said competitor. It's a pattern. So, what Microsoft really needs is consistent competition in the desktop operating system and applications arena. Until that happens for real, Microsoft will continue to ship second-rate products with third-rate security.

    For all Microsoft's wealth and power it is really a cut-rate software development house. Look at the number of technologically-superior operating systems that have come along and been marginalized or destroyed thanks to Microsoft. Microsoft is not a developer of innovative products, it is a den of thieves. It is not some national asset: it is a liability and every dime spent to support that company counts as overhead. Welfare, in a way, since they don't create any wealth for society and cost a lot of money to maintain.

    Now, what is innovation? Microsoft likes to make a big deal over the value of its "innovations", and how it should be protected from competition so that it may continue to "innovate". It apparently likes to think of itself as a company that brings good things to life (sorry G.E.) In any event, here's how Webster's defines "innovator":

    innovator n : someone who helps to open up a new line of research or technology or art [syn: pioneer]

    Ballmer apparently doesn't understand the meaning of the word, unless he's applying it to monopoly-building techniques.

    Every new feature or capability added to successive generations of Windows was done by someone else, probably years before, and done better. Most of us dislike co-workers that do the absolute minimum amount of work just to avoid getting fired. Compared to many of those companies that would like to earn some of Microsoft's market share, Microsoft is that employee. Hell, if it weren't for Linux on the server, Microsoft would still be shipping NT4 SP1 and telling everyone how it's better than Unix. Microsoft needs competition to keep it on its toes, but its leaders simply will not admit that.

    Competition is the wellspring of innovation, my friends. Microsoft understands this all too clearly, and because they truly have no desire to innovate, they seek to suppress all possible contenders. The cost to society as a whole these past twenty-odd years has been incalculable. Bill Gates once said (during the antitrust trial) that he had several technological miracles cross his desk every week. Well ... where are they? We'll never know how much totally cool, incredibly useful technology was left stillborn because of Microsoft. I suspect that it's a lot.

    --
    The higher the technology, the sharper that two-edged sword.
  134. Unbiased, the fox news method by IthnkImParanoid · · Score: 1

    The typical way to provide "unbiased" coverage in mainstream media today is not to report objectively, but rather to get subjective reports from two extreme positions. As examples, watch pretty much any cable news show, or Hannity and Colmes in particular. The problem is, while it may be far more entertaining in a Jerry Springer 'oh-no-he-didn't!1!!' way to watch "spokespeople" (tools) from two sides flame and troll each other, the tools are pretty much never right and never admit to the slightest flaw in their reasoning. This sort of black-and-white fight, and the winner is right* approach to achieving objectivity is killing rational discourse in our society. If it ever existed.

    *No, I am not Jesse Jackson.

    --
    It's nothing but crumpled porno and Ayn Rand.
  135. Remote roots aren't everything by DrSkwid · · Score: 1

    It's your users you should be worrying about, not the outside world.

    Remote roots are the least of your headaches. Escalating privileges of logged in users is a very real threat. When OpenBSD talks of "no remote exploits" you have to remember to add the caveat "in the default install" which paints a different picture.

    Root considered harmful is more than a cute saying.

    Root is a design choice and it is an achilles heel of the Unix family.

    Likewise administrator, though Windows has a fair few more bad design choices from a security perspective.

    And guess what? When the creators of Unix decided to take what they had learned and start again root was one of the first things to hit the bit bucket.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  136. New 64-bit OS may help companies switch platforms by Yes+BlueBerries · · Score: 1

    If there are killer desktop apps that only run on a true 64-bit operating system, then many places will be replacing computers anyways and switching to a new totally different OS won't seem so bad.

    If a competitor of MS wants to fight MS dominance, they should try to make great tools for making software for their emerging 64-bit OS (ideally cheap or free software tools) and offer a contest for new best of software in areas they are not dominant in. Contest could award the top 20 eligible applications at the end of OS's 1 year anniversary and another reward for the top ten sold on the initial release date (this group is also in running for the other awards, to promote early releases). Additionally, if a company has a dominant lead in an area or idea that the company really wants, the company could offer free computers to do the development work for their OS (discretion left to company on awards) and possibly have time limits on progress stages of the software.

  137. Let em focus by Ricin · · Score: 1

    Too many individuals by now know how broken it is. It's not going away, as a matter of fact it's going to be stronger for at least two years coming. And yes, users will blame everything on MS whether justified or not so don't start your feeble contra arguments. They're not interesting.

    If you were ever wondering how is Windows ever going to leave the main stage, well it's because of their security track. People think differently about that compared to how they think about features (they forget those tomorrow but not the security bug which caused them overtime). This is not going to evaporate no matter how hard they (MS) hope it will. It'll stick into people's minds and trickle down for many years to come.

    Most people *know* they're dependent on MS. If people know, would you really think companies don't. This causes a lot of bad PR latency and MS knows just that and they fear it (together with the TCO story).

    Regards from /me (BTW I like BSD more than GPL but I do see its merits and failures where they occur ;-)

  138. Re:we'll focus on security .. this time we mean it by zoloto · · Score: 1

    Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?


    yes

  139. Re:we'll focus on security .. this time we mean it by caluml · · Score: 1

    You didn't say mirror the entire machine. You said move my files and settings.
    If you want to make machine b work exactly like machine a, one wonders what the point of it is? But if you really need to, backup, and restore on the new machine. Or put both hard drives in one machine, and dd if=/dev/hda of=/dev/hdb. Or rsync -va / root@newmachine:/ or one of lots of solutions.
    And your tar cf - ~ | ssh newmachine "cd /home && tar xfv -" shows that you have plenty enough skills to work all this out for yourself :)

  140. The user doesn't know to do this. by Futurepower(R) · · Score: 1

    The user doesn't know to do this. There is no package insert that educates him or her. A penny's worth of printed paper could do a lot to solve the problem.

  141. Re:we'll focus on security .. this time we mean it by cyberformer · · Score: 1

    The big problem for Linux on the desktop isn't usability. It's the lack of an application that can read and write every arcane and undocumented feature of .doc, .xls and .ppt files.

    We all know that MS proprietary file formats are mostly a waste of bandwidth and/or disk space, and that they're the main transmission vector for viruses. But many people don't, and sometimes we still need to accept files from them. OpenOffice does a good job, but it isn't perfect, and MS keeps moving the goalposts.

  142. Re:we'll focus on security .. this time we mean it by t0ny · · Score: 1
    More like, most people found it pre-installed on their computer.

    If most people didn't want it, it wouldn't be there. I think if every Dell customer were shipped a computer pre-installed with Linux, they would both have a record number of complaints, and would also go out of business for not giving their customers what they wanted.

    I hate to break it to you, but the majority of people don't WANT linux. They want Windows, because they know how to use it. You can twist that around any way you want, but 99% of the world doesn't want to have to relearn an OS (hell, 99% of the world doesn't even want to learn one OS).

    Man, you are SO missing the point it's not even funny.

    If your point is that a company shouldn't put out patches or security bulletins, then yes, I am missing your point. Especially considering Linux needs the exact same things (patches, security updates, etc). Personally, I like being able to go to Technet for all my answers rather than having to troll around newsgroups or waiting for somebody to post an answer to my problem.

    If you don't want to keep up with your technology, you are probably in the wrong profession. Maybe you would be happier being a hair-dresser or a fashion designer. You may be happier bussing tables, or selling shoes. Those things don't really change so much, and don't require as much work to keep up to date. I keep saying that most of the people working in IT don't have the correct mindset for the profession. Get out of the field and make way for the people who do!

    No, but I can show you one company that is capable of having a lot fewer bugs and design mistakes in their software. Don't you think it's a little weird that you can put MS and Linux on the same level, when MS is written by a huge company full of PhD's and cash, and Linux is written by VOLUNTEERS with no QA department?

    Um, you are the one putting the two on the same level, not me. Linux is nowhere NEAR the level of Windows. First, MS has WAY better professional resources than linux. I can go to Technet with ANY problem I encounter, and get an answer. I may have to search, but it's there (they DO need to improve their search ability). Also, you act like uneducated dolts are writing Linux, and that they don't have a beta period. Finally, you are acting like Linux even approaches the flexibility of the Windows platform. You are wrong on all counts.

    Every time there is a Security patch, I get an email. I can then evaluate it for how dangerous it is in my circumstance (which it generally isn't. Most patches concern IE, which isn't a big concern on a server which shouldn't be logged in anyway). Next, I just download the patch and test it. Once it checks out (which I have personally never had a patch mess up on me, probably because I don't have to update the second it comes out), I download it and put it on my network's server running the free Software Update Service, which then lets all the 2000/XP computers on my network pull it down and install it (without ANY user interaction). THIS is how a corporate network is run; that you don't know this is telling about your level of expertise (or lack thereof).

    Yeah, silly me, trying to solve my customer's business problems instead of running around patching Windows a couple times a week and explaining "what went wrong this time". Maybe 10 hours a day isn't enough, I need to schedule more quality Microsoft time ... ha! I don't have to patch several times a week. First, there aren't patches coming out several times a week, and second, there are tools that do the patching for me. The network does the work for me, not the other way around.

    Next, I am solving problems myself, because I design the network well. If you can't, then you just don't have the crazy mad skills that I must possess. Sucks to be you.

    Finally, my network never goes down, so I don't know where you get this "what went wrong this time" stuff. Must be a misconception of so

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  143. Re:we'll focus on security .. this time we mean it by /dev/trash · · Score: 1
    Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?

    Throw in some pretzels and it's a deal.

  144. Re:MMM by shaitand · · Score: 1

    true, that is why open source is so effective ;)

  145. Re:we'll focus on security .. this time we mean it by shaitand · · Score: 1

    You spoiled little brat. More than 70% of US citizens (who are paid drastically more than those in pretty much all other nations) make less than $55k/year! Of the 30% who make that much or more I'd be willing to wager at least 25% of them have to work 60+hr weeks.

    The other 5% make more money altogether than the bottom 60% of the entire US population!!! These numbers according to the IRS. Look it up yourself.

    If you find 50k+ a yr to be chump change perhaps you should drop your own salary a bit to make way for the experienced and unemployed masses out there who would be happy to have it. Of course some of those masses are people like you, who are unemployed because they felt faint at the prospect of *gasp* having to feed their wife and dog on a mere 55k/yr!

  146. Or at least "Give it Up" by CrazyJim0 · · Score: 1

    Which came first DDR or Balmer?

  147. Apply Patches? by BCW2 · · Score: 1

    When they fix one problem and create three more, it's not worth it for most people to mess with it. The average user can't keep up with the endless stream.

    don't knock MS, who else gets people to pay them to be beta testers?

    --
    Professional Politicians are not the solution, they ARE the problem.
  148. Re:we'll focus on security .. this time we mean it by NanoGator · · Score: 1

    "I know. If only Linux weren't so damn expensive."

    It cost us roughly $60,000 a year. Once we switched to Linux, we needed a system administrator.

    --
    "Derp de derp."
  149. Re:we'll focus on security .. this time we mean it by Anonvmous+Coward · · Score: 1

    "It cost us roughly $60,000 a year. Once we switched to Linux, we needed a system administrator."

    I work with NG, and I'd like to clarify what he said here. We work at a small company of about 20 people. We used to be primarily a Windows 2000 shop. NG used to be the acting sysadmin here, then I took over. He's an artist, but a portion of his day was dedicated to maintaining the network, the servers, and the workstations. In the Windows days, we didn't need a full time guy doing the administration stuff. We weren't having constant meltdowns or viruses or any of the stuff a lot of you associate with being a Windows shop.

    What happened was we were contracted to make a product based on Linux. (Good choice btw, Windows could not have done what we're doing with Linux.) So engineering migrated over to Linux. The transition was painful so we had to hire a talented Admin who's good with Linux. We still need him, as things break, yadda yadda yadda.

    There is some truth to the claims that Linux has hidden costs, though I think NG's being a little bit of a troll with his comment. I can't say I blame him. Both he and I have taken flak for not hating Windows. Every day we're told that Linux'd be a better solution for us. We both have our reasons why we don't want to switch. (though mine are melting away fast, his are still very strong.) Nobody seems to care that we made intelligent decisions about what platform we're on, so I imagine he's a little on the disgruntled side here. I know I'm not looking forward to being told I'm wrong after I post this.

  150. Re:we'll focus on security .. this time we mean it by Tony-A · · Score: 1

    "Getting it right the first time" is extraordinarily difficult ... I'd say conservatively that the difficulty varies with the square of the size of the product. WinXP was 50 million lines. You simply cannot build something that large, with no bugs in it, within the lifetime of any single programmer.

    Yes, there will be bugs. But this should be taken into account in the system design, not used as an excuse after the fact. Bugs are not created equal and their consequences vary enormously. Designing software that assumes everything else is perfect seems somehow suicidal.

    Red Hat 9 had 43 security vulnerabilities in the first 150 days after release - Win Server 2k3 had 4.
    Hmmmm, Microsoft has a security problem. Red Hat does not. Somebody's looking in the wrong place.

  151. Focus? by Izago909 · · Score: 1

    I find it amazing that with such focus and emphasis on security by Microsoft that its products are still as insecure and vulnerable as ever. Maybe people accept talk of action and press releases as actual movement in that direction. As far as I'm concerned talk is just talk. Maybe they can earn my respect when they actually DO something instead of drafting press releases or issuing last minute 'duct tape' fixes.

  152. Re:"Securing the perimeter" is Flawed by Tony-A · · Score: 1

    Securing the perimeter is not just guarding the gates. Any crack anywhere will do.

  153. Re:we'll focus on security .. this time we mean it by Prien715 · · Score: 1

    Sure. I recently graduated and can't find a job. Where do I sign up?

    --
    -- Political fascism requires a Fuhrer.
  154. Microsoft by acidrain69 · · Score: 1

    "Theory is when everything is known and nothing works. Practice is when everything works and nobody knows why. At Microsoft, theory and practice are united: nothing works and nobody knows why"

    from an instant message quote from my supervisors at work, who got it from somewhere else.

    --
    -- Having a Creationist Museum is like having an Atheist place of worship
  155. Re:we'll focus on security .. this time we mean it by Bander · · Score: 1

    Funny, I have a laundry list of software I have to install on a WinXP box before it's usable for me. (Firebird, PuTTY, XEmacs, Cygwin, TweakUI, Python, etc) The default Windows environment is hardly usable out of the box, at least for me.

    I think the whole "sync up files and apps" is a wash. It's work you have to do on either system when you move to a different computer.

    --Bander

  156. RE: [Full-Disclosure] Re: Bad news on RPC DCOM vul by Jeremiah+Cornelius · · Score: 1
    From: "Dimitri Limanovski"
    To: "Brown, Bobby (US - Hermitage)"
    CC: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, full-disclosure-admin@lists.netsys.com, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, Secure@microsoft.com
    Date: Today 14:37:47

    Not much info on the page but here goes the juicy part.

    Exploit: http://www.securitylab.ru/_exploits/rpc2.c.txt
    Shellcode: http://www.securitylab.ru/_exploits/shell.asm.txt

    Based on user responses, this is, in fact, working exploit that will work on already patched systems. It's only a matter of time for compiled binary to surface.

    Dimitri

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  157. Re:we'll focus on security .. this time we mean it by spectecjr · · Score: 1

    You spoiled little brat. More than 70% of US citizens (who are paid drastically more than those in pretty much all other nations) make less than $55k/year!

    And more than 70% of US citizens don't live in the rather damn expensive Seattle Metropolitan Area.

    Look, if you were paid $55k/yr in Southern California, you'd be commuting for 3 hours a day to work. It's all relative. $55k is about the lowest you want to go in the Seattle area and have any kind of independence. Lower than that, and you're talking roommates.

    --
    Coming soon - pyrogyra
  158. Hmmm... by Solokron · · Score: 1

    Is it me or does Microsoft state this every year?

    --
    30% off web hosting. Coupon code "SLASHDOT".
  159. Re:we'll focus on security .. this time we mean it by radsoft · · Score: 1

    Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.

    Hear hear. And it might be added that the security experts are not the problem, as Thade has implied. Microsoft is the problem. No one wanted their Blaster patch because they'd crashed 600,000 two months earlier.

    And why? The above quote tells all. Microsoft do not have a cult of excellence.

    --
    radsoft.net
  160. Re:we'll focus on security .. this time we mean it by torpor · · Score: 1

    You just have to face the fact, which is that the only solution to Microsofts' security problems in Windows is:

    A COMPLETE RE-WRITE.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  161. Monkey see monkey do ! by openmtl · · Score: 1

    I'm guessing Bummer has drones to do updates on his PC before he gets in to work. Or maybe he just uses paper and crayons. Because if he used XP, which continuously prompts to update the latest patch, then he would have realised a year ago that the Grand Security Edict hadn't really got to the troops. Maybe there is an internal version of XP that always silently updated the PC anyway.

    --

  162. Speech writer by cfuse · · Score: 1
    ... He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.'

    Who's Ballmer's public speaking coach? Hats off to them anyway, I don't think I've heard something that manages to be simultaneously so wrong and inflammatory at the same time.

    The end of the article gives unbiased coverage of some people's opinions about the latest announcement.

    Here's my biased opinion, based on the fact that I have wasted countless hours cleaning up after outlook viruses at work - Steve, it's time that your organisation started to take some responsibility for its lousy product.

    1. Re:Speech writer by Little+Brother · · Score: 1
      Um, users of any OS SHOULD apply patches. This is a good thing. If MS is serious about the public awareness campaign they will be doing the world a favor, as many patches, if promptly installed, would have lessened the extent to which some of the recent worms/viri gobbled up bandwidth. I have heard security directors saying this even before MS windows came out, and it is just as true today.

      As far as publishing flaws, I'm not completely sure if he means he doesn't want flaws published at all. (Probably, but who can blame him with how many flaws his OS has?) If, however, he is MOSTLY targeting those people who irresponsibly publish the flaws, and there are many of them, he is making a good and valid point. It is extremely bad form to publish a flaw prior to notifying the company/maintainer of the flaw and allowing them to fix it or create a patch. Only after they have had time is it appropriate to publish the patch. Many black-hat-crackers publish their exploits under the guise of responsible research; that is bullshit.

      As far as your final point, Steve, it's time that your organisation started to take some responsibility for its lousy product. I agree wholeheartedly, but the points you're making here show a lack of understanding of the broader security picture.

      --

      Little Brother, watching the watchers

    2. Re:Speech writer by cfuse · · Score: 1
      I agree wholeheartedly, but the points you're making here show a lack of understanding of the broader security picture.

      My point is: Microsoft cannot completely dump the responsibility for its software flaws at the feet of users.

      Whilst user education is never unwelcome in my book, the fact of the matter is that it will be wasted on most users. SMEs frequently have no in-house IT - they are focussed on business problems, not IT maintenance issues. And I don't think that there is much point bringing up end users (the ones that Compaq included the 'any key' FAQ entry for).

      Poor coding by Microsoft is the root problem, but saying "the users need to be educated" and "quiet please, security professionals" is not my idea of a fix.

      Microsoft costs us real money - in my organisation our B2B system accounts for 90-95% of our turnover. We have a firewall, antivirus software on everything, our systems are patched as soon as humanly possible, and we take great pains to ensure that the system is as secure as possible. But we still got hammered by all the worms and viruses - either externally via increased traffic or (on one occasion) inside the organisation. It is the underlying infrastructure that is at fault - the foundations are rotting.

      We aren't uneducated, we're doing everything by the book - and still we're having problems. Don't tell me we should be doing more - Microsoft should be doing more. They have *multi-billion* dollar turnover, don't you think that some of that money could be devoted to QA on their own products?

  163. Re:we'll focus on security .. this time we mean it by sjames · · Score: 1

    But many people don't, and sometimes we still need to accept files from them.

    We use OpenOffice exclusively at work and in 2 years, only one single document came in that it couldn't open. We asked the sender to save it in an older format and the problem went away.

    That seems like an acceptable level of inconvenience for saving thousands of dollars in licencing and many more thousands in virus cleanup that hasn't had to happen.

    For larger companies, a single box running windows (or a designated Linux box running vmware) could be used for doing that sort of conversion when required. Just one would be enough for a large office. Meanwhile, save tens of thousands of dollars on 100 seats of Linux with OpenOffice for everyone else.

  164. Re:we'll focus on security .. this time we mean it by NanoGator · · Score: 1

    "You need someone to monitor Windows machines and make sure they stay up. "

    Not for the servers, no.

    "You need to reformat every 6-12 months. "

    Not for the servers, no.

    "You need to constantly defrag the hard disk."

    Not for the servers, no.

    Can't really say I had to worry about any of those on the workstations either.

    --
    "Derp de derp."
  165. Re:we'll focus on security .. this time we mean it by gfim · · Score: 1

    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with...

    But they don't want to fix these problems in the current incarnations of their operating systems. Because then they wouldn't be able to sell as many of the next version with DRM, TCPA compliance, etc.

    Graham

    --
    Graham