Gates: 'You don't need perfect code' for Security
securitas writes "ITBusiness has an interview from the Microsoft Professional Developers Conference where Bill Gates says 'You don't need perfect code to avoid security problems.' Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date. Considering that Microsoft says it is focused on security, the comments from the Chief Software Architect aren't inspiring, especially because the underlying attitude seems to contradict the idea of well-written, secure code. What kind of message does that send to the developers who work for Gates?"
The really great thing is we just had a Microsoft security speaker at the ACM Reflections|Projections conference at UIUC.
He was talking about how important it is to have secure code, and all the initiatives they have to fix security holes.
He also talked about how fast worms are spreading these days. Patching is not going to be sufficient - a bug discovered and posted will turn into a worm hours or days before Microsoft will respond with a patch. By then it'll be too late.
Slashdot Patriotism: We Support our Dupes!
From a military perspective, "patching" is equivalent to deploying your forces to protect against kids throwing rocks over the base fence. That won't help when an organized force attacks.
Plus to add what you said (which I agree with) Gates qualifies his statement by saying: "There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date".
So he just said, yes we are trying our best, but it's not gonna be enough. That's a pretty fair statement regardless of the environment. Perfect code does not exist. You cannot prove perfection but you can prove that your app is secure within reasonable tolerances, which MS software of late has been anything but. They need to step up their efforts to keep up with their competitors, direct and indirect. But his statement was of course taken out of context in typical /. style. A developer trying his/her best to release perfect code is a good thing. But it must be backed up with local security and up to date software.
It's roughly analogous to insisting that Unix permissions make harmful worms and viruses impossible, except less false.
There is no such thing as being secure.
Well if you unplug the power from your computer that makes it pretty secure.
Technology, the cause of and solution to all of life's problems.
Gates is, in a way, a perfect example to point to in security - a perfect example of what not to do!!!
Heaven forbid that anyone should read the article before posting.
Taken out of context, what Gates said sounds ludicrous. You also have to remember that this was an off the cuff remark. Read the whole article and it makes more sense. His point is that despite the holes in Windows code, patches were provided prior to the hole being exploited and the people who patched their systems and had reasonable security (i.e. many layers) in place had no problems.
My experience would seem to support this. I see a lot of networks in my travels. The folks who are on top of things don't seem to have a lot of problems. The folks who aren't have lots of problems, viruses and otherwise. I would say that the quality and quantity of the people involved is more important than the OS that you run at this point.
The biggest problem that I see is IT departments that have people with insufficient skills. The right person with the right skills can make all the difference in the world. Many companies deploy systems in a haphazard fashion without thinking about maintaining the systems. Before you know it they have a big stinking mess that is going to cost a lot of money to clean up when it could have all been avoided if the right people had been involved from the beginning. Once the mess is there, they can't afford to go back and fix it. They have systems everywhere that aren't patched and were never locked down properly anyway. They have no way to centrally manage the systems and don't monitor their network traffic.
If you have your shit together and pay attention to detail, you can maintain a pretty secure environment with Windows. I would say that this is the same for most major systems out there. Look at the security patches available for Linux, Apache, and most other software out there. If you are lax then you likely have security vulnerabilities no matter what you have installed. There is no perfect code out there. Any complex system is bound to have holes.
I think that it is unwise to underestimate Microsoft. In the past, stability was the main issue. They have come a long way in improving stability. Now the main issue is security. It is going to take a couple of years but I would say that you will see a level of improvement that is comparable to the stability improvements seen in NT. It won't be perfect but it will be good enough to keep people buying.
Since when is Bill Gates an expert in anything... besides being a thief.
Then there's the firewalls. I don't know about other ISPs, but firewalls wreak havoc on our connections. When a cust has a problem browsing, the first thing we do is blow away any software-based firewalls.
Perhaps Gates should stop victimizing the laymen by blaming his company's problems on them, and GET IT RIGHT!