Slashdot Mirror


Ballmer Touts Focus on Security

kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

42 of 322 comments

  1. we'll focus on security .. this time we mean it! by Anonymous Coward · · Score: 5, Insightful

    He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."

    Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen.

    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why? Because they know if legislation is passed, they will be able to afford it and nobody else will? Because they know they have such a huge lock-in, managers will grumble but renew licenses anyway? What's the deal MS?

    It bugs the hell out of me that they have the audacity to lock us into their products (which work okay most of the time, I'll give you that) yet can't give us the common courtesy to solve these problems. I really don't give a shit if Office 2003 is based on XML or EBCDIC, I just need the computer to be "Secretary-Proof" for at least a week or two after it's turned on. Monthly security updates? Good grief!! How about getting it right the first time!

    Microsoft needs to snap into action ASAP. They need to fix the bugs, do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care. They need to send out CD's to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program.

    Or.. or.. well, okay you got me. We can't afford to switch from Windows. But it seems we can't afford to stay with it either!

  2. 'I wish those people just would be quiet.' by AKAImBatman · · Score: 4, Funny

    And I would have gotten away with it too, if it weren't for you meddling kids!!!

    1. Re:'I wish those people just would be quiet.' by tlacicer · · Score: 2, Interesting

      What are the chances of Ballmer taking back his 'keep quiet' statement and instead saying 'I don't want to be the guy that creates any kind of chilling effect on research'?

      --
      "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
  3. It's not the computer researchers' fault by samsmithnz · · Score: 5, Insightful

    It's not the computer researchers who publish the flaws that are the problem, it's the fact that the only way they can get Microsoft's attention is to publish them!!! How many stories have we read about a 'researcher' finding an issue, and then spending 2 months trying to contact MS, before giving up and posting it in places like this!

  4. Re:I'm sure he does wish they would be quiet by capt.Hij · · Score: 3, Informative
    "I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

    They want to educate people but do not want the people who really know to talk about it? This seems a bit paternalistic even for Microsoft. They want to be the ones who work with people to make updates but do not want anybody else to have a voice.

    The semantics themselves are also a bit problematic. I'm assuming that he doesn't really want them to "shut up" but rather not talk to people outside of the Microsoft offices???

  5. Quiet eh.... by Grey+Fox+LSU · · Score: 2, Interesting

    You wish people would not point out your flaws. No one ever likes their flaws being exposed, but it's all a part of getting better. As a user, I want to know how insecure my important data is, and what I can do to fix it. MS and SunnComm both need a reality check. It goes something like this: If you fuck up and try to hide, when people notice, there will be hell to pay.

    Next you're going to say you don't want people pointing out your obvious personal flaws, just because it might hurt your feelings.

    I swear, industries nowadays are acting more and more like babies than professionals.

  6. Interesting Wording by 31415926535897 · · Score: 3, Insightful

    Notice Ballmer's statement, 'I wish those people just would be quiet.'

    He's not saying, "Please don't release the findings so that blackhats can't use the exploits."

    He's not even saying, "Please delay telling the public about your findings so that we have a chance to fix the flaws."

    He's saying, "I wish they would be quiet so that we don't have to spend the time/money/manpower to plug our holes. It's not our fault people are exploiting the holes, it's the people who release security reports."

    I know, you're saying that it's obvious a company would want to help its bottom line, but he didn't even have the decency to make his statement very cryptically.

  7. "I really wish they would just shut up." by Saint+Aardvark · · Score: 4, Insightful

    I wish they didn't have anything to talk about.

  8. Me Too... by Fapestniegd · · Score: 4, Funny

    'I wish those people just would be quiet.'

    I wish they would too. There is nothing worse than finding an exploit that gives me total access to any network I want, and then when some other chucklehead finds it, blabs all over the net, and then Network Administrators start locking down the ports I use to run willy-nilly through their network. I would have about another month to own their network before the patch comes out. But noooo, some jerkhead has to cut me off a month early. And I have to find an unknown exploit all over again.

    Maybe I should post anonymously, nah to hell with it.

  9. Renewal of another renewal? by 47Ronin · · Score: 2, Interesting

    Yes this is deja vu.. How many times does Microsoft have to announce that they're refocusing on security. Either they repeatedly forget that security is important (seemingly every other month) or this is a typical PR stunt to get critics off their back.

    Sure they'll announce more security measures this month. The PHBs will get comfortable and clueless people will back off. Next month there will be another exploit (guaranteed). Businesses go down, networks get destroyed. PC-using schools are shut down, and Mac/Linux-using schools who aren't affected are ignored by the press. MS puts on the spin that hackers should be treated as terrorists. Clueless journalists blame it all on Windows popularity, rather than lack of a focus on security.

    Then MS announces once again a renewal on its focus on security.

    Rinse. Repeat.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
  10. In other news ... by Kombat · · Score: 5, Funny
    Inside sources at Microsoft have revealed that as part of their effort to focus more on security, the next release of Windows, "Longhorn," will feature a handy "My Viruses" folder, to accompany the popular and mature "My Documents," "My Pictures," and "My Music" folders. Also, the OfficeXP assistant, Clippy, has been enhanced. Users of the next-generation leading desktop OS can look forward to Clippy popping his helpful head up from the corner and exclaiming,

    "It looks like you're writing a virus. Would you like to:
    • Initiate a DDoS attack?
    • Publish a Trojan horse?
    • Install a backdoor?"
    --
    Like woodworking? Build your own picture frames.
  11. My number one question... by d3vpsaux · · Score: 2, Funny

    ..is, did Steve Ballmer jump around like a fricking idiot this time screaming "Developers, developers!" while announcing it?

    If not... I don't buy his sincerity...

  12. Re:I'm sure he does wish they would be quiet by midav · · Score: 3, Insightful

    I wish they would not have to talk that much

  13. Meanwhile... by An+Anonymous+Hero · · Score: 3, Informative

    Gartner echoes concerns on Microsoft reliance

    A copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity. The Gartner report is scheduled to be published Friday.

    (The point is not what they are saying, it's who's saying it.)

  14. They still don't get it by evenprime · · Score: 2, Informative

    Back in 2001, Microsoft's Steve Lipner said that code "Review is boring and time consuming, and it's hard." They don't seem to understand that many people get a lot of satisfaction in doing that. Many people look for things to post to bugtraq because doing so is *fun* for them.

    Steve Ballmer's recent statement about vulnerability researchers - 'I wish those people just would be quiet' - is downright silly. They are the biggest company on the block right now, and there's always going to be someone who wants to make the big corporation look silly. Microsoft needs to wake up to the fact that there will *always* be someone who is a) bored, and b) wants to make them look bad.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  15. 'I wish those people just would be quiet.' by GeneralEmergency · · Score: 2, Funny



    .

    .

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
  16. How about automatically removing foreign malware? by Bingo+Foo · · Score: 2, Informative
    I spent a good deal of time last weekend disinfecting my cousin's computer from all sorts of disgusting junk. Yes, I had to apply about fifteen "critical updates" but I also had to remove (or attempt to remove) about ten different apps that appear to have the sole purpose of hijacking the browser to go to dozens of popup havens. These programs:
    1. Often had official sounding names in the add/remove programs list like "MS Explorer update Q3395"
    2. Popped up five or six windows every time a link was clicked in IE, and inevitably one of the popups was for a service or program that claimed to "stop those annoying popups."
    For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.

    If they don't do this already, Microsoft should set up a room full of computers with people just dredging the sleazier parts of the web and installing whatever the latest malicious spawn of Bonzi Buddy and Gator, etc. happen to be. They would have to have non-MS IP numbers, because that would be too easy to check for in one's malware.

    Of course, I had a talk with my cousin about clicking "OK" to install every little thing that comes down the pipe, but it felt like trying to talk about genital warts or something.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  17. Patches by Via_Patrino · · Score: 4, Interesting
    recognizes the fatal user flaw of not applying patches


    I think the major problem is how patches are structured. I have no idea how many and which patches I need to install, because Microsoft's site is very confusing and there is always a new bug in the news.

    Another is the way Microsoft sells their OS: the version I bought in the store is the same as the one from a year ago. So just after install I need to download and install tons of patches, which is a problem when handling several machines (or several installs on the same one :). If I could download the latest version (with all patches included) and install it, it wouldn't be that much of a problem.

    And there is another one (I think that's the one I don't update :): A lot of security patches include a lot of unuseful (read: heavy) stuff. I just want a patch for my system; I don't want more animations or a lot of tools that I won't use and that will just bloat the code.

    Examples are: MS WindowsMediaPlayer 6.x vs 7 and up, MSIexplorer 5.5 vs 6.x. I can't patch them; I need to install a new one (often the installing process says it's a patch but it is just an install of a newer version).

    1. Re:Patches by dirk · · Score: 2, Interesting
      I think the major problem is how patches are structured. I have no idea how many and which patches I need to install, because Microsoft's site is very confusing and there is always a new bug in the news.

      How is Windows Update hard to understand? It scans your computer for you and tells you which patches you need to install. Security patches are listed as critical, other patches are listed under the "Windows" heading, and drivers by themselves. I can't think of a way to make it easier without removing the user completely.

      Another is the way Microsoft sells their OS: the version I bought in the store is the same as the one from a year ago. So just after install I need to download and install tons of patches, which is a problem when handling several machines (or several installs on the same one :). If I could download the latest version (with all patches included) and install it, it wouldn't be that much of a problem.

      You don't want to update the OS when you install it, but you want to download the entire OS? I'm missing the sense in this. While it may be easier for you, it is not easier for the 99% of users who buy the product.

      And there is another one (I think that's the one I don't update :): A lot of security patches include a lot of unuseful (read: heavy) stuff. I just want a patch for my system; I don't want more animations or a lot of tools that I won't use and that will just bloat the code.

      Examples are: MS WindowsMediaPlayer 6.x vs 7 and up, MSIexplorer 5.5 vs 6.x. I can't patch them; I need to install a new one (often the installing process says it's a patch but it is just an install of a newer version).

      Yes, they do stop supporting versions after a point. No company continues to release patches to every version of software forever. Try getting patches for Red Hat 3.0, you can't do it. And when they have upgrades, they are clearly marked. I have never accidentally updated anything, as they are clearly marked as being the next version of the software.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  18. Monthly updates? Bah.... by Lord+Grey · · Score: 2, Interesting
    Ballmer ... said the Redmond, Wash., company will issue security updates on a monthly schedule, except in "emergency" situations, to make it easier for users to keep their personal computers up to date.
    What kind of security updates aren't emergency situations? This sounds like they'll be prioritizing these things -- in effect, determining on my behalf which security hole is more important.

    As Schneier said later in the article, "Announcements never secured anything." This particular announcement, however, seems to indicate that they'll be securing even less than that.

    --
    // Beyond Here Lie Dragons
  19. Steve Ballmer? by worm+eater · · Score: 2, Funny
    --
    Maybe partying will help...
  20. Re:we'll focus on security .. this time we mean it by 00420 · · Score: 5, Funny

    We can't afford to switch from Windows

    I know. If only Linux weren't so damn expensive.

  21. be vewy vewy quiet by sl0ppy · · Score: 2, Funny

    while microsoft focuses on security, they want all bug reports to silently go away.

    somehow, i see steve ballmer walking around like elmer fudd, saying "shhhhh, be vewy vewy quiet, we're hunting bugs" -- with as much success as elmer has.

    if they've been unable to find the bugs so far, and attempt to take the pressure off from those publicising the bugs, they run the risk of further, undetected, breakins. this is dangerous, and stupid.

    but what else would you expect from a cartoon company?

  22. Re:we'll focus on security .. this time we mean it by Kevinb · · Score: 3, Insightful
    I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    There's an analogy in the article which explains this perfectly: "Computer security is almost like car insurance. Nobody wants it until their car gets totaled." Very few of MS' customers were asking for security features until recently (within the past two years or so) -- so MS didn't deliver them. Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

  23. Re:It'd be a good idea for them to be quiet... by TamMan2000 · · Score: 2, Interesting

    Maybe they should just tell M$ about the security flaws

    That is exactly what most of them do, and they get ignored... After months of letting them know quietly, they realize the only way to get action is put MS under the gun (publish the fault). If MS fixed holes as they got reported to them rather than as they got reported to the public, Ballmer would have his wish...

    --
    "I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
  24. Re:we'll focus on security .. this time we mean it by letxa2000 · · Score: 2, Insightful
    Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?

    Probably about the same way you explain TCP/IP to the average home user who just wants to read e-mail and surf the web. You don't. That doesn't mean it can't be of use to the user even if he or she doesn't understand it--or probably even knows it exists.

  25. Microsoft's New Security Initiative by ENOENT · · Score: 2, Funny

    Every time someone discovers a security hole, Steve Ballmer will be dispatched to bellow, "SECURITY, SECURITY, SECURITY!!!" and get drops of perspiration all over any reporters who show up to cover the story.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  26. mostly true. then there's... by AlienBrain · · Score: 2, Informative

    I agree, things have to be published, unfortunately, for certain companies to get off their asses. Then there's Microsoft, who whines and bitches about having to fix published flaws, yet at the same time manages to ignore others. Such as 31 in IE alone.

    J

  27. "Unbiased coverage" by mackstann · · Score: 2, Interesting

    I guess the submitter's idea of "unbiased coverage" is "comments from people who have lots of reasons to dislike Microsoft."

    It's almost impossible to avoid bias in anything, but this one is plain as day!

  28. Re:It'd be a good idea for them to be quiet... by homer_ca · · Score: 2, Informative

    They already do that. Just about every vulnerability report about Microsoft has followed so-called responsible disclosure guidelines. First, the discoverer contacts the vendor. Vendor acknowledges the bug and discoverer waits a reasonable time while vendor comes up with patch. When the patch is ready discoverer and vendor announce it the same day, and vendor thanks so and so in the security bulletin for finding the bug.

    There's still a time window to hack between the announcement of the bug and when most systems get patched. In the case of Blaster, the worm was released less than a month after the announcement.

    The real danger with keeping quiet is the so-called 0-day exploits. If less ethical security researchers find vulnerabilities and do not tell anybody, or if a vulnerability gets leaked before the official announcement, we're all worse off.

  29. Re:How about automatically removing foreign malwar by cdipierr · · Score: 2, Interesting

    Yeah, you're right...in fact, if the app isn't signed by MS, then they should remove it, because you never know, it might be doing something "bad".

    Problem is, you'd be screaming just as much about this "solution" as you are right now about the popups, etc. And you'd be perfectly justified in doing so.

    If a MS OS is going to have the ability to run arbitrary executables (arguably the OS's most important job), then it can't be responsible for what those apps do.

    I'm not sure what the solution is, but one possibility might be to create two (or more) different versions of Windows. There could be:

    WinXP for Business
    - Only runs MS signed apps...anything else will refuse to install (maybe overridable by someone with administration ability?).
    - Will actively search for "bad" apps like you described and remove them if they get installed somehow.

    WinXP for Home
    - Will run whatever you damn well choose, but it's your own fault when something goes wrong.

    Actually maybe these are the same OS, just with different settings. Perhaps MS could make different default install configs depending on your setup.

  30. Same song, different year by GSloop · · Score: 2, Funny

    MS did this last year.

    Was there a dramatic decline in Remote root exploits? Sure didn't look like it to me.

    Explain to me again, why we should believe in it this time?

    MS is a day late and a dollar short. Security hasn't been a marketable feature, according to MS. Thus, they haven't done much with it.

    Now it's too late. MS is known as a broken dick dog on security. They are not going to lose that reputation for years.

    Good luck Steve. Your company sucks.

    Cheers,
    Greg

  31. Re:Microsoft's $40 billion cash on hand by GSloop · · Score: 2, Insightful

    Let's just do the math.

    Could we assume that the cost of really hardening Windows and the other core products should cost less than one billion dollars? (I'd certainly hope so.)

    So, for 1/40th of MS's cash, or way less than the cost from all the worm/virus outbreaks, we could fix Windows.

    Let's see. Programmers cost $100K a year. (They should be serious kick ass programmers.) Let's also assume 25% of all costs are overhead and non-salary costs.

    Thus, for $500,000,000 we should be able to hire 7500 programmers to fix the problem in 12 months.

    Given these facts, it's clear that fixing the problem is really quite trivial, provided there is some real desire to do so. The obvious conclusion I reach, there is no real desire to fix things.

    Thus, things will continue as they have. It's easier and cheaper to snow people with press-releases and speeches than actually doing anything.

    Isn't that the ultimate PHB approach?

    Cheers,
    Greg

  32. Fatal "user" flaw? by Graymalkin · · Score: 4, Interesting

    Having just helped someone put WindowsXP on a laptop last night I can easily say the flaw is not on the user end. There's a hojillion security vulnerabilities in WindowsXP. Most people do not have broadband. Lacking broadband makes it really damn difficult to keep up with patches. The fresh WindowsXP install that went on the laptop couldn't even connect to the internet for five minutes without being hit by MSBlaster. Five minutes. That's ridiculous. The user is not at fault in a situation like that, Microsoft is.

    Ballmer can blame users all he wants. It comes down to Microsoft having a crappy security model and poor development practices. Having a bunch of temporary employees programming black boxes gets them into a lot of trouble. So does having DCOM services a majority of users will never need or use enabled by default. A WindowsXP Pro system shouldn't be listening to RPCs from the internet.

    Ballmer needs to have his developers look more closely at how they are designing their systems. Windows shouldn't have a broadband connection as part of the damn system requirements. Even with an automagic updater people without fast persistent connections will still run around without the proper patches. Maybe Microsoft needs an ounce of prevention to release more secure and robust systems in the future.

    --
    I'm a loner Dottie, a Rebel.
  33. OK, THIS time we're REALLY serious! by switcha · · Score: 2, Funny

    Rinse. Blather. Repeat.

    --
    You know what? ... A little club soda *did* get that out!
  34. Re:we'll focus on security .. this time we mean it by kfg · · Score: 2, Insightful

    The reason is simple really. Microsoft is a consumer grade software company (trying to outgrow that, with rather iffy results so far) and is thus naturally market driven; and market driving.

    "Consumer demand" (or what they can force the consumer into "demanding") is king. They aren't a technology company at all and claims they make of such are simply part of the marketing.

    Security has no meaning to them other than as an advertisable "feature."

    As such they have made certain decisions regarding the architecture of their operating systems that make no sense from a technological point of view.

    Please note that even Ballmer's current vomiting up of "initiatives" is pure market speak and doesn't actually mean anything with regards to their software.

    Fixing the situation isn't merely a matter of plugging the holes. It would take a true change of philosophy company wide, a complete restructuring of the OS and, most problematic of all, removing certain things that customers have come to expect as standard features and will bitch over losing.

    "Hey, where did the autorun of executables from email go!?"

    Go figure.

    People want security, but not at the price of being secure. How many home users keep a box with sensitive data isolated from the net? That would require some disk swapping now and again. How inconvenient.

    Let us not grow over snide in our disdain, however, and always keep as an object lesson in our minds that it was a ludicrous design decision in GNU Emacs that allowed the Lawrence Berkeley Labs network to be rooted.

    We can all make mistakes.

    Fortunately the Lawrence Livermore Labs (where they keep all the "Nuclear Wessels") was isolated from the web and thus unaffected by the intrusion.

    It's not a bad idea to take that as an object lesson as well.

    KFG

  35. Re:we'll focus on security .. this time we mean it by Archfeld · · Score: 2, Informative

    The new Windows is not any better, and has MSIE 6 on it with the SAME holes as everyone else. Just finished installing the MOST recent Developer release of 2K3, don't hold your breath for this release to be ANY better than the previous one regarding security. In fact if the integration continues expect all the "BROWSER" based exploits to be migrated right into the local system without even a look backwards. So far beyond extended memory/proc support I fail to see any REAL improvements in 2K3, much GUI'fied updates, some useless moving and renaming of functions from one place to another, and some really lame shutdown documentation requirements. M$ just really doesn't understand what people want, or even how to find out what their customers really see as the #1 priorities....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  36. Re:Firewall program? by questionlp · · Score: 2, Insightful

    Windows XP includes an "Internet Connection Firewall" that acts like a basic deny-all inbound firewall. It's probably not as customizable or tweakable as ipfw or pf.

  37. Re:How about automatically removing foreign malwar by nmos · · Score: 2, Interesting

    For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.

    Please no! I already run into plenty of situations where updates cause problems of their own so the last thing I want is for MS to start making their updates more complex.

  38. Re:we'll focus on security .. this time we mean it by poot_rootbeer · · Score: 3, Insightful

    [...] tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why?

    Would implementing any of those things make Microsoft more money than not implementing them? It's all about profit margins. Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.

    do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care.

    You may not, but all the rest of Microsoft's customers do. "Fast but wonky" is all too often perceived as preferable to "slow but bulletproof."

    How about getting it right the first time!
    Microsoft needs to snap into action ASAP.


    You just have all the answers, don't you? Maybe Microsoft should hire a fresh new voice like you to oversee their development efforts.

    Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?

  39. Re:Design? by DA-MAN · · Score: 2, Informative

    According to this, it was September 16, 2003.

    http://www.securityfocus.com/archive/1/337662/2003-09-13/2003-09-19/0

    Any other questions?

    --
    Can I get an eye poke?
    Dog House Forum
  40. Re:Microsoft's $40 billion cash on hand by soft_guy · · Score: 2, Insightful

    The reason Microsoft has $40 billion in cash on hand is because they keep it on hand instead of spending it on things like a building full of security experts constantly reviewing their code.

    They use 50% contractors so they can lay people off at the drop of a hat and never take a PR hit for layoffs. When I worked there, they laid off half of our QA people even though they were announcing record profits. Why did they lay them off? Cost cutting.

    They also don't pay their developers anywhere near what Apple pays. That's why their OS is still way behind MacOS X. It will continue to be behind Apple in terms of features, innovation, and quality as long as that is true. The people they recruit tend to be average developers. Most of the devs I've met from Apple tended to be really brilliant.

    And Microsoft doesn't care. They consider Apple to be no threat to them and to be sort of their "research arm". And that's likely to continue to be the case as long as Apple's at a strategic disadvantage - which they definitely are in. As long as something doesn't cause the equilibrium to change, Apple can continue to have 3-5% marketshare and can continue to produce a higher quality, more expensive computer that will appeal to some folks.

    Microsoft is obviously much more worried about Linux. From a strategic point of view, Linux is a good OS, it runs on x86 hardware, and there's not much stopping PC manufacturers from pre-loading Linux instead of Windows. Right now, it's just customer expectation and ease of use. What I think they are afraid of is some leader emerging who will go through the time and effort of ironing out some of the usability problems that Linux has and using it as a club to beat Microsoft to death. Who could do that? Maybe IBM?
    Have the security problems cost them marketshare? Maybe some sales in servers went to Linux, so they're turning on the PR machine and they are doing things internally to address security. (I hear this from friends who still work there.) Meanwhile, Longhorn's new graphics engine gets features Apple put into Quartz 3 years ago.

    Average users just want to run Word and surf for pr0n and they can do that with Windows.

    For me, I'll stick with the Mac.

    --
    Avoid Missing Ball for High Score