Slashdot Mirror


Microsoft Raises Security Game, Notes Shortcomings Elsewhere

LMCBoy writes "Steve Ballmer recently told an industry conference that Microsoft software is more secure than Linux. PJ at Groklaw has a nice, thorough analysis of this dubious claim. She points out that not only are there vastly more Microsoft exploits reported, but that the exploits tend to be much more severe, involving remote administrator access." In related news, mhesseltine writes "According to an article from the Washington Post, in an unusually ironic twist, Microsoft has started talking smack about their own products, instead of those of their competitors. Bill Gates said of Office 'it's too hard to find things in e-mail' and described some features of Word as 'clunky.'"

20 of 490 comments

  1. Mistakes will be made by pheared · · Score: 4, Funny

    Microsoft has started talking smack about their own products, instead of those of their competitors

    I guess when you are so proficient at talking smack you are likely to hit one of your own at some point.

  2. Clunky... by daeley · · Score: 5, Funny

    Of course the clunkiest feature of Office is the part where you have to pay several hundred dollars for it. I wish they'd get that bug ironed out already.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  3. FUD. by Eric_Cartman_South_P · · Score: 4, Insightful

    Even if the shit MS is shoveling was true, which it isn't, I'd rather have a system with 100 security holes a year that all get fixed in hours (think *BSD, Linux, and with a sprinkle of extra time even Mac OS X) than a system with 10 security holes a year that get patched months later if at all (think Windows).

    1. Re:FUD. by jridley · · Score: 4, Insightful

      I believe that this is a result of design. If you have a well designed system, then a vulnerability is probably a result of a simple programming flaw. Fixing such problems is usually just a matter of changing a few lines of code, or at most perhaps adding a layer of error checking.

      If you have a system designed like a Big Ball of Mud, then a vulnerability is likely to be the result of unanticipated interactions between different modules. When you try to fix that, then you are just changing to a different set of unanticipated interactions. Fixing such systems often involves making sweeping changes across all of the modules that you can think of that interact with the problem module.

      It's not surprising that "fixing" something in such a system breaks other things. All you can hope for is that you break less than you fix, and the breaks won't be discovered for a while.

  4. What a scoop! by stratjakt · · Score: 4, Funny

    Gates highlights improvements in Office 2003 over Office 2000 during the product launch!

    It's arma-fucking-geddon!

    --
    I don't need no instructions to know how to rock!!!!
  5. of course! by gTsiros · · Score: 4, Funny

    The programs we sell right now are not any good!

    So, as soon as the next version comes out, buy it! We will have everything fixed, honest!

    --
    Looking for people to chat about multicopters, coding, music. skype: gtsiros
  6. Nobody's ass on the line? by morven2 · · Score: 5, Insightful

    Ballmer states that there's "nobody who has his rear end on the line" with Linux.

    I posit that Linux developers have something rather important on the line; their reputations, professional and personal. When you ship open-source code, you are showing the world how good, or how bad, you are. Your reputation can be made or broken by the code you release.

    Contrast that with all too many developers in commercial shops, whose code is read by nobody but their immediate co-workers and nobody takes responsibility for bugs.

    If Microsoft employees' asses are on the line, show me a firing or two every time a security hole shows up. And not just the line programmers; bring me the heads of the designers who designed things badly, the project managers who made hitting deadline more important than getting it right, and the managers who let it all happen.

    I would say that in the vast majority of cases, commercial programmers' asses are NOT on the line, in terms of security problems. As long as you crank out code fast enough to keep up with your co-workers ...

    1. Re:Nobody's ass on the line? by rutledjw · · Score: 4, Insightful

      I disagree. People who contribute to the Linux kernel are PERSONALLY known. One can find out directly who implemented a particular module from public records. Can you do that with MS or any commercial vendor?

      Further, Linus and others review code that's coming in, particularly from newbies. One has to earn the right to contribute.

      If you have examples of crap code, feel free to post them. Keep in mind that "not-as-good-as-I-would-do-it" isn't necessarily fair. Assuming you're a good/great coder (which I have no idea) someone may not be "as good" or may simply have a different view of an appropriate implementation. Be careful with comments like that. It's a broad brush and that can misrepresent the current situation...

      --
      Computer Science is Applied Philosophy
    2. Re:Nobody's ass on the line? by OglinTatas · · Score: 5, Insightful

      And whose ass is on the line when the EULA states that Microsoft is not responsible for its own products?

      YOU are entirely responsible. Talk to your reseller for support, and if things break to an extent your business is damaged, don't expect more than a refund of the purchase price of the software. Same for open source, really. So what is Ballmer's point?

      to wit:

      " 5. PRODUCT SUPPORT. SOFTWARE support for the SOFTWARE is not provided by MS, Microsoft Corporation, or their affiliates or subsidiaries..."

      and:

      "EXCLUSION OF LIABILITY/DAMAGES. The following is without prejudice to any rights you may have at law which cannot legally be excluded or restricted. You acknowledge that no promise, representation, warranty or undertaking has been made or given by Manufacturer and/or Microsoft Corporation (or related company of either) to any person or company on its behalf in relation to the profitability of or any other consequences or benefits to be obtained from the delivery or use of the SOFTWARE and any accompanying Microsoft hardware, software, manuals or written materials. You have relied upon your own skill and judgement in deciding to acquire the SOFTWARE and any accompanying hardware, manuals and written materials for use by you. Except as and to the extent provided in this agreement, neither Manufacturer and/or Microsoft Corporation (or related company of either) will in any circumstances be liable for any other damages whatsoever (including, without limitation, damages for loss of business, business interruption, loss of business information or other indirect or consequential loss) arising out of the use or inability to use or supply or non-supply of the SOFTWARE and any accompanying hardware and written materials. Manufacturer's and/or Microsoft Corporation (or related company of either) total liability under any provision of this agreement is in any case limited to the amount actually paid by you for the SOFTWARE and/or Microsoft hardware."

  7. Note the comparison to RH6! by Anonymous Coward · · Score: 5, Insightful

    Ballsack^H^H^H^Hmer said: "The data doesn't jibe with that. In the first 150 days after the release of Windows 2000, there were 17 critical vulnerabilities. For Windows Server 2003 there were four. For Red Hat (Linux) 6, they were five to ten times higher"

    Why don't we compare Windows Server 2003 to RedHat Enterprise v3? Or Windows 2000 to RedHat 9? RedHat 6? That's what, 3-4 years old now!

    And don't make me bring up WinME, Steverino.

  8. Ballmer's Personal Reality Field by Lord+Grey · · Score: 5, Insightful

    From the Groklaw article, quoting Steve Ballmer:

    "Should there be a reason to believe that code that comes from a variety of people around the world would be higher-quality than from people who do it professionally? ..."

    Why, yes there is, Mr. Ballmer. Among other reasons, there are vastly more people looking at the code, and none of them have marketing directors breathing down their necks. Many more reasons, stated by many different people, can be found via Google in five minutes.

    "Why is its pedigree better than code done in a controlled fashion? I don't get that,' he said."

    You've just stated something that everyone knew long ago.

    "There is no road map for Linux, nobody who has his rear end on the line. We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers. They know where to send e-mail. None of that is true in the other world. So far, I think our model works pretty well."

    Roadmaps make good software? Email answered by overworked and underpaid contractors makes good software? Indemnification makes a Microsoft OS-based computer more secure, perhaps?

    No, no and no.

    --
    // Beyond Here Lie Dragons
    1. Re:Ballmer's Personal Reality Field by Groo+Wanderer · · Score: 4, Insightful

      There is one thing most people don't realize about the Young Frankenstein monster's attacks on Linux: they are not off-the-cuff responses. MS does rather careful studies on what 'resonates' with CxO level buyers and attacks on that.

      The last one of these had IP issues being the most scary to buyers, so they went after that, about the time the whole SCO thing surfaced. Before that, there were other avenues.

      Since the whole IP liability issue is being handled rather deftly by the community, there is little to attack on anymore, so they went polling for the next round. The roadmap issue is the next 'attack point'.

      Things like that don't get made up; it is not a broad enough topic to have been picked out of thin air. Expect to see a lot more of this in the near future, and when it gets summarily shot down, they will pay pollsters and move on to the next topic. Same old same old. *YAWN*.

      -Charlie

  9. Re:Really? by digital+bath · · Score: 4, Funny

    Maybe he was talking about clippy. I bet clippy haunts old Bill's dreams at night.

    Bill: "WHY oh WHY did I ask for an animated paperclip????"
    Clippy: "It looks like you're suffering from a nervous breakdown. Press F2 for synonyms of 'nervous breakdown'."

    Clunkiest 'bug' I've ever seen in office.

    --
    find / -name "*.sig" | xargs rm
  10. Gates stupid like a fox by swordgeek · · Score: 4, Insightful

    "It's too hard to find things in e-mail." translation: "We're going to start the murmurings now for a proprietary database-backed email system, from back end to user interface."

    By making comments like this now, Bill will have leverage against the DoJ when they bring up the spectre of the anti-trust settlement. "It's a necessary feature--we recognised that back in 2003."

    --
    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  11. Talking to Congress by sphealey · · Score: 4, Informative

    A comment on Groklaw (which I cannot find at the moment) made the point that Ballmer is probably talking to Congress: he is angling for a bill outlawing the GPL. Which I agree is a strong possibility.

    sPh

  12. Like shooting fish in a barrel by FunWithHeadlines · · Score: 4, Insightful

    Oh boy, this is too easy to dissect such naked, false, and desperate Microsoft FUD:

    "There is no road map for Linux, nobody who has his rear end on the line."

    Quick, alert Linus and the rest of the kernel maintainers and planners. Also, better not spread around the road map for Linux so Ballmer won't look like a fool.

    " We think it's an advantage a commercial company can bring--we provide a road map, indemnify customers."

    ROFL! Indemnify?! Ever read a Microsoft EULA? You're on your own, buddy. How stupid does he think people are? Never mind, don't answer that...

    " They know where to send e-mail. "

    Oh, puleeeze! Ever try to complain to Microsoft about a bug in their software? Now, take that to the next level. Ever try to complain to one of their software developers about a bug in the particular software they wrote? What's that? You have no idea who wrote that piece of software? And you have no way of finding out? So tell me again where the accountability is.

    "None of that is true in the other world. "

    Uh, precisely the opposite of what you said, but thanks for playing anyway. Tell Steve what he's won. Seriously, it really is just the opposite. Linux code comes with people's names on it. You want accountability? Put your name on software used by millions and put it out into the world to be dissected.

    "So far, I think our model works pretty well,"

    (Wiping the tears from my face while I shake with laughter) If the current mess of the state of Windows is his idea of things working "pretty well," oh never mind... This speech sure wasn't directed at the clueful.

    That means, of course, that most reporters will report it verbatim and at face value. *sigh*

  13. Re:Sure Windows is more secure than Linux... by caluml · · Score: 4, Interesting

    Install Windows 2000 Advanced Server, and enable Terminal Services. Then post the IP address along with Administrator login, and password, and let Slashdot at it.
    Scared? ssh root@selinux.dev.gentoo.org with password gentoo then.

  14. Re:Really? by Rary · · Score: 5, Insightful

    Precisely.

    This is nothing new. Remember when Windows 2000 came out, and magazines were filled with all those Microsoft ads making fun of the Windows 98 BSOD?

    They trashed Win98 to sell Win2K. Why wouldn't they trash Office2K/XP to sell Office03?

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  15. Re:More Slashdot bias by greenhide · · Score: 4, Interesting

    Do we really need another bash-Microsoft article obsessively dissecting one sentence Bill Gates made at some promotional speech or interview or whatever?

    Um, it was the Washington Post reporting on the "sentence" (although it was probably more on the orders of a paragraph or two), not Slashdot. We're not dissecting the sentence here. It's pretty clear that MS is going to have to make the sale based on overhyping the features of the new version and badmouthing the old. This sort of thing happens in companies all the time -- Clorox bleach had a big promo for powdered Bleach by badmouthing liquid bleach, their #1 product.

    Just like a site focusing on Green Party politics would be crazy not talking about news concerning the Bush administration, it's important to talk about Microsoft here because for the foreseeable future it will be that 800-lb gorilla that affects everything else in the tech industry.

    If you really want to complain about excessive coverage, it seems like Apple has gotten more than its fair share of articles in the past week, too. Gee, maybe that's because there are a lot of newsworthy events going on with that company.

    Things are happening with both Microsoft and Apple this week; big news items (horrible security exploits patched followed by big talk from Ballmer, iTunes for Windows, a Mac-based cluster possibly making #4 or #5 of the top 500 supercomputers). Maybe some things are happening on the Linux front; maybe not. But Linux is based around a community of nerds, not on a corporation with a snazzy PR department.

    In a sense, this is exactly what makes Linux an ideal server platform: it's not "features" focused, and it's more into substance than style. It's also why it's less likely to break into the home desktop market any time soon (although it stands a chance in large-volume corporation and school environments).

    --
    Karma: Chevy Kavalierma.
  16. Re:More Slashdot bias by k12linux · · Score: 4, Insightful

    Do we really need another bash-Microsoft article

    No, you're right. We should leave poor MS alone. They're obviously confused. After all, this is the same company who during the antitrust trial, said they couldn't share their source code with anyone due to national security concerns if the code got into the wrong hands.

    Then later (2002) they told a federal court that sharing information with competitors could damage national security. And even said the code was so flawed it could not be safely disclosed.

    Then in early 2003, they agreed to share the source code with China.

    So it seems clear to me that they are confused and just need our sympathy. After all I'm sure they wouldn't intentionally risk our national security nor lie about the risks of sharing their source on the stand in federal court.