Gates: 'You don't need perfect code' for Security

securitas writes "ITBusiness has an interview from the Microsoft Professional Developers Conference where Bill Gates says 'You don't need perfect code to avoid security problems.' Instead he suggests that users acquire and properly configure firewalls and make sure that they keep their software patches up-to-date. Considering that Microsoft says it is focused on security, the comments from the Chief Software Architect aren't inspiring, especially beacuse the underlying attitude seems to contradict the idea of well-written, secure code. What kind of message does that send to the developers who work for Gates?"

What Bill Gates failed to mention...

[SpikyTux]

'You need to stay out of Windows to avoid a lot of security problems.'

Re:Since when is Bill Gates a security expert?

[ProtonMotiveForce]

Umm, design flaws - no. Windows has a vastly superior (and admittedly more complicated) security _model_ to Unix. This is not debatable. You not only don't have to run as 'root' (which is a Unix concept, not a Windows concept), you can revoke and grant specific priveleges.

Seriously, get a clue. Windows's security problems are related to application coding, not OS design. The design is far in advance of Unix.

Let's see.. I have root on a Unix WS. I have local Admin access on a windows workstation. Guess which OS grants me global access to network file systems? It ain't Windows.

Hint: 'sudo -u cat ~some_user/somePrivateFile'.

wow, another ms bashing story

[andih8u]

So does the company that runs slashdot have an obscene amount of stock in Redhat or something? This is like the fifth outright trolling news story they've had today. And yes, I know I'll get modded down to infinity for posting something that's not bashing MS or Gates or saying Torvalds can walk on water.

Re:Since when is Bill Gates a security expert?

[ProtonMotiveForce]

Wow, you're clueless aren't you. With standard NFS root can 100% impersonate any local user on a workstation.

NFS trusts local identification, hence root can 'become' anyone and access any file in NFS.

Re:Since when is Bill Gates a security expert?

[ProtonMotiveForce]

Of course you do anything on a local host. My point is that NFS is what most people use, and it's flawed.

The Anti-MS crowd must find it convenient to make these distinctions in one case, and ignore them in another.

NFS isn't Unix, but when the latest Outlook or IE flaw comes around it's all lumped in and they claim the OS itself has a bad design. How convenient.

NFS is the _main_ remote file system protocol in Unix. Put a map of of all Unix installations, throw a dart, and you will probably hit a site using good old NFS v2 or maybe v3.

I'm sure when there's a CIFS bug you're quick to point out that this doesn't reflect badly on Windows, it's only one of many filesystems available?

Pure hypocrisy. Unix has a terrible history of security flaws. Sendmail, X11 (still insecure), RPC, buffer overflows in miscellaneous applications, NFS, NIS, OpenSSL/SSH flaws that affect _multiple_ applications, setuid binary flaws, environment variable/LD_LIBRARY_PATH/LD_PRELOAD type flaws, apache bugs, the list does not end.

The Windows low level architecture is more powerful, you have more control over _everything_. In Unix you basically have "root" or "not root". And if you look at the contortions people have gone through to get around that flaw it's really humorous.

Windows's problems are more of common trend of sloppy programming in specific instances, not inherent design flaws. The same issues have plagued (and still plague) Unix for decades.

Re:Since when is Bill Gates a security expert?

[Jeremy+Allison+-+Sam]

No, not everything out there disagrees with what I say, only the text from Microsoft, and that written by authors who, like you, are just repeating what Microsoft tells then without actually writing code to *test* these claims.

They're lies. For example, the one that claims that even an Administrator cannot change ownership of a file from one user to another user without taking ownership first. Utter lies. Here's a hint, how do you think a restore from a backup can do this ?

You see, you don't code, you just read the propaganda and you're ignorant. You just believe what you're told. You don't have the skill to test it yourself, so you believe it when Microsoft tells you everything is fine, Windows is secure (if only people would apply those damn patches), and Linux has more security problems than Windows because Windows has a "secure design".

I suppose it's not your fault, but I hate willfull ignorance. If Windows were such a secure design, and there's no such thing as root why do you think there are so many viruses/worms that take over complete control of a machine ?

You remind me of the poor users who, in the early 90's, I ran into patiently waiting for "the Windows NT server to reboot". When I asked them why they weren't outraged by such poor service they replied "but that's what servers do !".

I have news for you, Microsoft *lies*. They lie to promote their own products, and they have convinced the gullable like you that mediocracy is acceptable in both design and implementation. Their security design is no different from UNIX. The reason you don't know that is because you're reading the wrong books.

I was amazed to see similar errors being made in O'Reillys recent book on secure code, in a discussion of the Windows security model. People don't bother to test, they just *assume*.

I don't assume. I have made my living writing code that *checks*. I can't assume what Microsoft says that Windows does is true, I have to interoperate on the wire. I actually have to write code that knows what Windows *does*. Go away and learn something.

Jeremy.