Slashdot Mirror


Security Affecting Microsoft's Bottom Line

kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"

45 of 416 comments

  1. They really are far overreacting about this. by -kertrats- · · Score: 3, Insightful

    Microsoft has such ridiculous control over the market that it would take an act of God (namely Bill Gates) to bring it down. Like discontinuing support for its OS's. Commence flaming.

    --
    The Braying and Neighing of Barnyard Animals Follows.
    1. Re:They really are far overreacting about this. by leerpm · · Score: 4, Insightful

      Yes they have a lot of control over the desktop market, but not in the server market. They have pretty much saturated the desktop market. If they are going to grow like they have in the past, they need to find new markets and succeed in those markets like gaming consoles, server software, and embedded devices. So far they are not faring that well in all of these markets.

    2. Re:They really are far overreacting about this. by RLiegh · · Score: 2, Insightful

      Exactly how well are they doing in the embedded and gaming markets, though?

    3. Re:They really are far overreacting about this. by PReDiToR · · Score: 3, Insightful

      Think of a PDA/Laptop combo.
      Thinking about tabletPC? What OS is on that?

      Think of a games console.
      Thinking Xbox? What OS is on that?

      Insidious little company, this upstart from Redmond. We should nip it in the bud before it starts becoming a problem for all us CP/M users.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    4. Re:They really are far overreacting about this. by leerpm · · Score: 2, Insightful

      The embedded market is much larger than the PDA market. Think cellphones. Think consumer electronics, connected DVD players, industrial products, etc.

    5. Re:They really are far overreacting about this. by bninja_penguin · · Score: 4, Insightful

      ...but the only people who are going to care about vulnerabilities are server admins not mr. pda user

      Actually, since Microsoft has stated one of its ultimate goals is to have only one codebase for all of their versions of OS, mr. PDA had damned well better be concerned about the same vulnerabilities the "server admins" are concerned about. Search Microsoft's web site for their version of the "smart" home. Then, think to yourself, if my entire home is running Microsoft OS, and MS has achieved their goal of every appliance being internet enabled, what happens when the Slammer2008 (or whatever) worm hits? It won't be just you locked out of your PC, but you locked out of your home. It won't be a matter of your e-mail client filling up, and annoying you with 600+ "emails" an hour, it will be your house cooking every bit of food you have stored, at 500 degrees, all afternoon while you're at work. I could go on, but what's the point? Call me a paranoid, but I have a cabin in the hills, which will not be automated.
      As an interesting side note, Microsoft has stated they could not afford (even with >$50BILLION) to go back to the drawing board and rewrite their OS in a modern and secure manner. They are now telling AMD and Intel to enable code security in the CPU. Must be nice to make others clean up your own mess all the time, huh?

      --
      For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?
  2. time to protect the monopoly by pohzer · · Score: 5, Insightful

    Time to protect the monopoly. Once in that phase, funds are diverted away from R&D and into protectionism -- the great money pit.

    Is it really easier or more cost-effective to change the world (pay bounties for crackers, lobby for protectionist laws) than to change your business practices (write more secure software)?

    This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.

    1. Re:time to protect the monopoly by hbo · · Score: 2, Insightful

      This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.

      Yes, yes and not exactly.

      My impression is that Microsoft is fully engaged in attempting to address their security problems. They will pursue both tracks you mention, and any others that present themselves, to try and get a handle on the situation. However, I disagree that this is the beginning of a downward spiral for Microsoft. The hits they are taking now are the result of shortsighted marketing decisions of many, many years' standing. If lack of security in Microsoft's software really does result in a downward spiral, then the beginning of that spiral has to be dated from those decisions.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

  3. It's the home users... by __aavhli5779 · · Score: 5, Insightful

    Security failures are beginning to hit Microsoft hard not because of the enterprise, but because of home/personal installations.

    Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.

    Windows NT-based operating systems listen on so many ports, and are designed so wide open, because they are meant to sit inside a secured corporate network. Though Microsoft's unification of the NT and personal trees of Windows starting with XP gave personal users much of the speed and stability they had been lacking for so long, it also gave them security issues they should not have been expected to deal with.

    This is why, though NT-based OSes have had widely publicized security flaws for years, their flaws are now in the spotlight.

    Microsoft's recent steps to finally globally disable the Windows Messenger service and enable the firewall by default are a late, but necessary, effort to help bridge this divide.

    1. Re:It's the home users... by Condor7 · · Score: 2, Insightful



      "Enable the firewall by default"? Why not just disable the services by default?

      Microsoft does not know how to include a feature that is off by default.

  4. Perhaps by SargeZT · · Score: 3, Insightful

    If Microsoft had put more of their bottom line in the past into the security of windows, this wouldn't be such a concern now, would it?

    --
    And why did you staple the trout to the RAM?
    1. Re:Perhaps by otprof · · Score: 2, Insightful
      Were you even around during the 3.x era? If you were, do you honestly believe security was an issue back then? Windows was intended to make an OS easier to use for the individual; which it did. MS only delved into the world of NT because of hack crazy pieces of shit who wanted to make everyone's life miserable by breaking into an already simple piece of software.

      You are correct that security wasn't an issue for MS "back in the day." They were not designing the software with networking in mind, which is obvious if you follow their slow march toward the net (martial imagery deliberate). The OP asserted that MS should have put their money into security before now, which is true. The reason why they didn't, however, is that they were trying to make software as easy as possible for the home and small-business user (non networked, non clue-ful). If they had tried from the beginning to make an OS that would be connected to the world in a myriad of ways, they would have HAD to consider security more carefully.

      As it is, however, they have only been forced to consider security now because these home users are waking up to the nightmare that is the combination of easy-to-use and open-to-the-world. They backed into a networked architecture, and now they are backing into security issues. It may be too late to put the genie back in the bottle, however, since their users have come to expect such ease of administration (which historically has meant no administration at all). That is why the changes in their update procedures have tended toward the "let me do that for you, sir" variety.

      The real problem isn't crackers, really, but in an OS platform that wasn't originally built for today's networked world. UNIX, by contrast, was designed from the start to exist in communication with other computers. Thus, the basic principles of user accounts and file permissions have been the bedrock of UNIX security. MS has tried to institute these things in the NT line, but they have been implemented imperfectly, but more importantly the users (and developers) are used to the old game.

  5. Maybe that's why they conceived .NET by kingkade · · Score: 4, Insightful

    A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).

  6. What's a couple mil to Bill G.? by morelife · · Score: 4, Insightful

    Speaking about the "cash bounties" campaign Microsoft is offering:

    The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.

    The campaign reveals just how much extra cash Microsoft has lying around and is willing to put up to make the buying public think it gives two shits about security.

  7. Re:About time! by dirk · · Score: 4, Insightful

    The reason BSD can produce a secure OS for free and MS can't is because MS focuses on usability. There is a reason most people haven't heard of BSD much less use it, and that is because it is extremely hard for the average person to use. Hell, it's hard for somewhat knowledgeable people to use.

    MS has made a decision to give people extremely usable products, and this comes at the cost of some security and reliability. They could make the most secure software around, but then it wouldn't be usable. They are now trying to balance their products more between security and usability because they have gone too far away from security. Security and usability are generally on 2 different ends of the spectrum. To make things easy to use, you have to give up security and vice-versa.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  8. If MS were really serious by Anonymous Coward · · Score: 5, Insightful

    If Microsoft were really serious, they would pay the bounties to people who find their flaws.

    1. Re:If MS were really serious by BuckaBooBob · · Score: 2, Insightful

      Or how about Fix flaws when identified... There are flaws in IE that will never be fixed. Why offer a bounty when you have no intention of fixing what is pointed out. Right now their interests are In Security and anything else that is going to lose them money

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
  9. It's only fair by serutan · · Score: 4, Insightful

    The impact on Microsoft's bottom line only reflects the impact on their customers' bottom lines. Well crafted EULAs may exempt MS from liability, but they can't exempt themselves from a deservedly bad rep created by poor security in their software.

    If the wind blows right, sometimes shit does roll uphill.

  10. Re:It's NOT ONLY the home users... by just someone · · Score: 4, Insightful

    What company do you work for?

    0) you assume that a system admin has time to address the daily patches that were coming out at the peak.
    1) patches take time to test and apply. You might be able to break a user's computer (as long as it's not the company heads), but you can't break the server.
    2) MS charges $$$$ for the systems which give you the ability to maintain many systems.

    3) things get behind the firewall. Probably a lot less since these worms, but they do get behind the firewall.

    MS is paying for bad decisions.
    * Trust. Trust will work on the internet. Nobody would click ok without reading what the message says.
    * Sandbox, VB don't need no stinking sandbox
    * No user permission separation

  11. The money could be better spent... by precogpunk · · Score: 1, Insightful

    Instead of placing a bounty on virus writers why don't they take that money and give it out as a bonus to employees who find bugs and distribute important security patches? Wouldn't you work harder for a quarter million dollar bonus? Prevention is the key and this move seems like an attempt to clean the mess up after the fact. They've said security is #1 but what internal changes in staffing and spending support this claim?

  12. Why Microsoft's rule is beginning to wane. by rice_burners_suck · · Score: 4, Insightful
    Hey billg, all I can say is, "Told you so!" Well, I haven't actually told you that personally, but for quite a few years, I've talked to many people who use your products, and we've all agreed that your security issues will eventually cause serious damage to your company.

    (In this post, I am going to describe two or three reasons that I believe Microsoft will soon become a regular industry player, and will no longer rule at the top.)

    Think that putting a bounty on virus writers is going to solve the problem? That's the trouble with you, billg, you think you can buy your way out of all your problems. Heck, if I had as much money as you, I could buy my way out of anything, too. The only trouble is that your mighty empire is slipping through your fingers, and because of what I'm about to say, you cannot fix it, no matter what you do.

    Many companies have realized that using free software, and contributing to that software, both in fixes and in features, provides many advantages, such as independence from a vendor. If you think about it, suppose you get a contractor to add a room to your house and he does a crappy job. You could fire him and get someone else to do it. But when you use proprietary Microsoft programs, there is nobody but Microsoft that can fix them. While this may not have been an issue over the past 20 years or so, this is becoming a very critical issue.

    Not only does the proprietary status of your software prevent others from finding and fixing its problems before they cost billions, but you continue to do everything in your power to isolate your software from anything else out there. Other companies want their software to interoperate with the competition, but you just want to embrace and extend. Why do you do that? If your software is so good, why can't you make it friendlier with your competitors' stuff? I know the answer: It's because you're insecure. You know that perhaps the biggest thing that kept people using your software was the fact that they were locked in to it and were forced to upgrade repeatedly.

    By doing what I just described, you tightened your fist as much as you could on this software, but now governments, corporations, and individual users are beginning to look elsewhere in significant numbers. This is the beginning of the end of your monopoly. Soon, you will no longer rule at the top, but will be just another player in an industry. I'm sure it was fun while it lasted, though.

    1. Re:Why Microsoft's rule is beginning to wane. by Anonymous Coward · · Score: 1, Insightful

      Think that putting a bounty on virus writers is going to solve the problem? That's the trouble with you, billg, you think you can buy your way out of all your problems. Heck, if I had as much money as you, I could buy my way out of anything, too. The only trouble is that your mighty empire is slipping through your fingers, and because of what I'm about to say, you cannot fix it, no matter what you do.

      Hey dumbass, you think the top brass at MS is sitting around a table thinking that ONE solution will fix their problem? Of course not. The virus bounty is one possible solution, and while they don't expect it to fix everything, they know it will put fear into some malicious virus writers out there. They are also doing other things, such as providing free update services, as well as others such as Software Update Services, which can really streamline the update process if it is installed correctly. It is things such as this that will either make or break the company, and I personally feel it will only make MS and their products stronger in the long run.

  13. Maybe the OpenBSD team could educate Microsoft. by Futurepower(R) · · Score: 3, Insightful


    From the Slashdot story: "Apparently Microsoft has bounties out on virus writers."

    Offering a bounty is no substitute for providing secure software. Maybe the OpenBSD team would help teach Microsoft how. Or, is someone in the U.S. government interested in having security vulnerabilities in the software everyone uses? There are just too many; is Microsoft really that sloppy?

    Who was using Microsoft security vulnerabilities before they became public knowledge?

    OpenBSD's motto: "Only one remote hole in the default install, in more than 7 years!"

    Microsoft's motto: "Extremely serious flaws that allow an attacker complete control, every week."

    Something is fishy about this. It is not that difficult to write secure software. If the extremely well-funded OpenBSD team can do it, the poor Microsoft people should be able to do it, too. ... Oh, wait...

  14. Rewards by TomDLux · · Score: 2, Insightful

    Rewards are a lot cheaper than devoting facilities to developing secure code.

  15. Why can't they just trash Windows and start over? by ShatteredDream · · Score: 2, Insightful

    Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn? By the time they have Longhorn out a clean reimplementation could be at least ready as an Alpha or maybe a Beta.

  16. It gets better by A nonymous Coward · · Score: 3, Insightful

    MS kept going because their stock was high enough to attract people who thought mostly of making lots of money, integrity and skill be damned. They were happy to grind out feature after feature without worrying too much about how sloppy the feature itself was, or the code that implemented it. The high stock price also kept investors happy, knowing the value would go up and they could sell to the next greedy sumbitch. A nice pair of positive feedback circles.

    Sooner or later the stock would hit its limit, mainly because of market saturation. Then there would be no increasing revenues, investors would find it harder and harder to unload, and as the stock price stabilized, the opportunistic employees would bail, and new employees would be harder to get.

    What amuses me is this new wrinkle, that crappy software has put an extra limit on their market, causing market saturation early. Like adding sugar to hot water, you can only get so much in before it saturates ... I did not anticipate the water temperature lowering the saturation limit. This is really interesting!

    In addition to investors and opportunistic employees both bailing because the stock price has stabilized, I bet there are a lot of employees who are not happy being assigned to the boring tedious job of auditing old code, hunting down security flaws, and so on. These people have gotten used to adding useless features without any concern for reality, and that was fun. Dredging the muck for security holes is not. I wonder how many employees are bailing because the work has changed.

    A nice accelerator to the two feedback loopbacks. Just because feedback is reinforcingly negative does not mean the slope is uphill!

  17. Re:Why can't they just trash Windows and start ove by Pompatus · · Score: 5, Insightful

    Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn?

    2 reasons. First, support for legacy apps has to be included in any new OS Microsoft develops. Second, imagine how long that would take to complete. It took what, 5 or 6 years, for the NT kernel to be able to reliably run 95/98/ME apps. Imagine the press release, "Longhorn to arrive in 2009".

    Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify.

    --

    ----
    Squirrel ... It's not just for breakfast anymore
  18. Warning Will Robbinson by smartin · · Score: 2, Insightful
    Microsoft is smart enough to use their security flaws as the reason to grab total control of your machine. Palladium (or whatever they are currently calling it) means that they will establish a secure layer between the o/s and the hardware and in doing so, allow the o/s to enforce absolute control.

    What this means is
    • no viruses (theoretically)
    • no unregistered/unauthorized software or drivers.
    • elimination of cracked software.
    • elimination of unauthorized files (read mp3, mpg, avi) in the name of DRM.

    It's a great thing for them, it's a great thing for the RIAA, it's a great thing for the MPAA (sp?). It's a shit lousy thing for you. But they are going to give you a secure platform. Makes you wonder if they couldn't have planned things any better.
    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    1. Re:Warning Will Robbinson by Lehk228 · · Score: 2, Insightful

      and I will be laughing my ass off when someone creates a palladium worm that not only infects EVERY palladium machine connected to the internet, but is able to mess with the encryption so that nothing can be accessed on any of those machines. Imagine a virus that operates on a layer below software and uses network interfaces that slip under both software firewalls and security monitoring. Palladium's release will usher in a Golden Age of unstoppable virii and virus writers' identities cloaked by the same technology that was meant to stop them.

      --
      Snowden and Manning are heroes.
  19. Re:About time! by Penguinshit · · Score: 4, Insightful

    The flaw in your argument comes when you realize that a company with the resources of Microsoft (money and personnel) should be able to realize that balance between usability and proper security in about one fiscal quarter.

    Instead, for years and years, since there was little incentive for them to do anything about it due to their monopoly (and the tactics to keep it), nothing was done to make the software more secure. Even the normal "usability" features were largely unexciting past Windows 95.

    So, in the 8 years since the release of 95 (wherein the current Windows user interface and experience was defined) the security problems have gotten quite a bit worse while the usability has been marginally increased. Some stability was added with the 2000 release, but with an even larger decrease in security.

    This is why people hate MS so much (well, one of the reasons). Despite the fact that they COULD do better, and SHOULD do better, they don't. There is no excuse in the world why they couldn't have produced truly top notch software when companies working for free can.

  20. $50 Billion dollars agrees by A nonymous Coward · · Score: 4, Insightful

    They have $50 billion in the bank, as ready cash. There are a lot of unemployed programmers, and if they wanted to outsource to India and China, there are a whole lot more even cheaper.

    It might take a year or two, but they could squash future bugs if they wanted to. And yes, I know about the mythical man month and adding manpower to a late project, but this is not a single project, it is hundreds of small projects.

    Microsoft is still not serious about fixing security holes. They never will be.

  21. A joke to Microsoft. by iantri · · Score: 3, Insightful
    Security must be a joke to Microsoft. I recently had to do two fresh installs of Win2K+SP3 from behind a dial-up connection.

    With the first machine, I connected to the Internet and was infected with Welchia about 24 minutes later.

    With the second machine, it was FIVE MINUTES.

    In neither case did I even have enough time to get the latest patches (over 25mb of standalone patches + IE SP1 + SP4) before I was infected with a virus.

    It's just plain ridiculous -- What happens when Joe Average User connects his computer he just bought from a local computer store (who I doubt would have installed the patches on every machine going out the door)? How is he supposed to know what to do?

  22. focusing on the exploits and not the flaws by bfields · · Score: 3, Insightful

    Wouldn't they be better off spending that $250,000 on another programmer-year or two of code audits?

    This whole business with bounties for virus writers is just an attempt at misdirection: draw the public's attention to the people writing the viruses instead and away from the fundamental flaws they're exploiting.

    It's important that the public realize that the security holes exploited by the virus writers are also exploited in less public and more nefarious ways.

    --Bruce Fields

  23. Re:Why can't they just trash Windows and start ove by El · · Score: 2, Insightful

    My first rule of software design: "Anything backwards compatible with a kluge is, by definition, a kluge." A secure reimplementation of Windows would, by necessity, break most existing software. Microsoft developers are not stupid; they have many top-notch technical people. Unfortunately they are hindered by their legacy architecture, and product design driven by Marketing, not Engineering. I believe most of the security holes can be traced to product misfeatures, not programming bugs.

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  24. This is more MS Palladium Propaganda by Jah-Wren Ryel · · Score: 3, Insightful

    All you guys celebrating this release and thinking it marks the beginning of the end for Microsoft have got your head in the clouds.

    There is no way MS would publish this information unless doing so is in their interest. They could have played the same old games with accountants and auditing, etc, etc to hide this information if they had wanted to.

    But no, they pretty much came right out with it and most of you have been taken hook, line and sinker. All this is not about any real pain that MS is feeling. No, it is about providing another justification for Palladium aka NGSCB "enscub" aka Next Generation Secure Computing Base.

    MS can now point to how a lack of security is hurting their bottom line so whatever bogus Palladium schemes they come up with to sell as increasing security (rather than just stealing control of your computer and divvying it up between MS, the MPAA and the RIAA) so of course Palladium will really provide better, more secure system because MS's ass is on the line too, see, it even says so in their SEC filings!

    --
    When information is power, privacy is freedom.
  25. Corporate deployments by dpilot · · Score: 5, Insightful

    Funny, my corporate deployed laptop, following standard practice, set ME up as admin. I understand this is standard practice for WinNT-family (mine is Win2k) deployments, in general.

    With that ONE practice, the single greatest/easiest chunk of security - separation of user from admin, is gone.

    From what I understand, quite a bit of Windows software actually depends on this practice, and can't run without admin privileges. So regardless of who takes the blame, Microsoft or the Windows Culture that has grown up around their products, there's an architectural-level problem, here.

    --
    The living have better things to do than to continue hating the dead.
  26. Re:Why can't they just trash Windows and start ove by SmallFurryCreature · · Score: 2, Insightful
    It is not the MS way or to be honest the linux way. Apple did it a couple of times. It allows them to move on and leave all the ancient legacy crap behind but it costs them. Why? People hate not being able to run their old apps anymore or use their old hardware.

    The famous MS instability is often a fault of the insane amount of crappy obsolete hardware that is still attached to machines. I recently heard someone bitch on how none of the P4 boards had an ISA slot for his modem and now he had to upgrade and he didn't want to. (oh and they exist)

    Was he right? Well according to MS and linux and the makers of that board, yes. (don't know about the bsd's) People should be able to use old software from the dos era and hardware that belonged in a pc two generations old. (human generations). Apple would have told him to get stuffed.

    Who is right?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  27. If microsoft would just fix windows... by jonwil · · Score: 3, Insightful

    there wouldn't be anywhere near as many virii and worms and crap about.

    The design of windows means that it is insecure.

    A really great way to make windows more secure:
    Make it so that by default, windows is installed with an administrator (who you can't actually login to from the login prompt without extra effort) and 1 or more "regular users".
    a "regular user" basically has access to all normal stuff (i.e. anything that's not a risk to the system) but if they want to do something that's "risky" (e.g. if they or something they are running wants to add something to "load this at startup") they need to enter the Administrator password first. If they don't, the action is denied (for example, windows returns a "can't open file for writing error" or a "can't write registry key error" or whatever as appropriate).

    Some things that should be "restricted":
    1. putting any file in c:\windows\system or its sub-folders (such as c:\windows\system\drivers). Also modifying, deleting, changing etc those same files.
    2. adding a program to the "this program starts at startup" list (this would also cover drivers, services etc)
    3. modifying key Windows Sockets settings (for example, like how some Spyware inserts itself into those places to hook winsock)
    4. perhaps there are other key settings that could be blocked (for example, access to certain control panels or changing the display settings or whatever)
    and 5. there should be a way for someone (with the administrator password) to specifically add extra things to the "block list" (e.g. someone could show settings as to how to stop spyware crap from changing the homepage of M$IE)

    Some benefits:
    1. Viruses, Worms, Trojan Horses and other crap wouldn't be able to just "silently" install themselves (since it would say "c:\documents\your settings\temp\abc123.tmp.pif wants to write to c:\windows\system\dontdeletethisorwindowswontwork.exe. If you want to allow this, type in the administrator password")

    2. Spyware (e.g. Gator, New.Net etc) wouldn't be able to install without specific authorization (for example it would say "c:\downloaded files\newnetinstaller.exe wants to modify winsock settings and install its own custom crap. If you want to allow this, type in the administrator password")

    3. On shared computers (e.g. family PCs or kids PCs), the parents could be the only ones that know the administrator password (and therefore prevent the kids from changing the settings)

    4. On computers e.g. work machines or machines in labs at schools, the sysadmin would be the only one that knows the administrator password and therefore e.g. you don't get people installing Kazaa or whatever.

    That's not to say that my system would prevent installing new software, it would only prevent it if:
    1. the new software wants to modify important Windows settings.
    2. you don't have the administrator password.
    and 3. when the install program gets the error back from Windows "can't open file" or whatever, the install will fail in a way that makes the program unusable.

    Basically, this would be a benefit since:
    1. if some program wants to do something behind your back (e.g. virus or spyware), you can be notified and more importantly block it.
    and 2. you can be sure that the users of your machine aren't installing anything that messes with the settings or messing with them themselves.

    Some might say it would cause problems but I don't believe so.
    For example, if a kid brings home a new game from school (that he has "borrowed" off a mate or more likely these days gotten that mate to burn him a copy of) and wants to install it, the kid puts the disk in and runs the installer. Then, if it needs to install system things (for example, new DirectX), the box asking for the password will come up and the kid will have to wait for the parents to give the OK before it can be run.

    Another benefit is that if the user has to enter the password, it's likely that (unless they are so clueless that they think that the "any" key is the
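
A minimal model of the rule set proposed in the comment above, added here as an example (it is not code from the comment or from Windows). The action names and the `admin_ok` flag, which stands in for a verified administrator password, are assumptions; the point it shows is that "c:\windows\system and its sub-folders" only works as a rule if paths are canonicalized before matching.

```python
import ntpath

# Constructed defaults modelling items 1-3 of the comment's list (names are assumptions).
FILE_ACTIONS = {"create_file", "modify_file", "delete_file"}


def canonical(path):
    """Collapse '..', '/' and case so path spelling tricks cannot dodge the check."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root or inside it, not merely a sibling sharing the prefix."""
    p, r = canonical(path), canonical(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


class Policy:
    def __init__(self):
        self.protected_dirs = [r"c:\windows\system"]
        self.restricted_actions = {"add_startup_entry", "modify_winsock"}

    def add_block(self, admin_ok, action=None, directory=None):
        """Item 5: extending the block list itself needs the administrator."""
        if not admin_ok:
            raise PermissionError("administrator password required")
        if action:
            self.restricted_actions.add(action)
        if directory:
            self.protected_dirs.append(directory)

    def decide(self, action, target=None, admin_ok=False):
        """Decision for a regular user's request: allow, allow-elevated or deny."""
        risky = action in self.restricted_actions or (
            action in FILE_ACTIONS
            and target is not None
            and any(is_under(target, d) for d in self.protected_dirs)
        )
        if not risky:
            return "allow"
        return "allow-elevated" if admin_ok else "deny"


if __name__ == "__main__":
    policy = Policy()
    # Constructed requests: a traversal spelling of a protected path, then a look-alike sibling.
    print(policy.decide("create_file", r"C:\WINDOWS\Temp\..\System\drivers\x.sys"))
    print(policy.decide("create_file", r"c:\windows\systembackup\notes.txt"))
```

String normalization alone does not resolve junctions or 8.3 short names, which is why an operating system enforces rules like these on the opened object rather than on the path text.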

  28. Coulda fooled me by A nonymous Coward · · Score: 2, Insightful

    If non-computer people can corrupt the usage of hacking, then non-medical people can corrupt medical terminology to their own purposes.

    Besides, you understood what was meant, so where is the problem?

    And even more, I think it was Andrew Jackson, President of the US around 1820 or 1830, who said "It's a poor mind that can only think of one way to spell a word."

  29. $50 Billion dollars is not enough by twitter · · Score: 2, Insightful
    It might take a year or two, but they could squash future bugs if they wanted to.

    I doubt it. A complete rewrite is the only way to clean up the cobbled together mess of intentionally spaghetti coded junk they have purchased and stolen. They might be able to do that in a year or so, but it would not be Windblows it would be OSX1 or some other variant of BSD with an ugly and non-intuitive Redmond themed desktop.

    They can complain all they want about it not being cost effective to fix bugs. I think they are going to find out the hard way that it's not cost effective to own crap.

    --

    Friends don't help friends install M$ junk.

  30. Re:Why is patching systems so hard? by Todd Knarr · · Score: 4, Insightful

    Windows Update is fine if you've just got 1 system. Now, imagine you've got to patch 30,000 systems in 700 offices in 43 states, and you don't have any access to the main keyboard. And you can't use automatic updates because IT has to vet the patches before they're installed to make sure they won't make inoperable third-party software which your business depends on being operational.

  31. Re:Why is patching systems so hard? by Beg4Mercy · · Score: 2, Insightful

    You make excellent points.

    However, how often do Microsoft patches break third-party software? This is a serious question, because I have no idea. Is it a common occurrence?

    I would have suspected that Microsoft tests their own patches comprehensively before releasing them so they would be ready for immediate deployment.

  32. Re:About time! by BalkanBoy · · Score: 2, Insightful

    Well said Dirk Diggler. And I may add to what you just said, that there is one company that has taken most others to school on how to design a proper as well as a usable OS - it's Mac OS X. I hate to say it, as I do most of my work on Linux, but I did swing by the Mac store in San Diego not too long ago, just to fuck around with some of the Mac OS X GUI, to see what it's all about.. talk about an intuitive, easy to use GUI... Everything that KDE and GNOME want to accomplish, is more or less done on Mac OS X, the simplicity, ease of use, lot of graphic pizzazz, Aqua/OpenGL shit.... Add to that a usable MS Office suite (which I find to be a killer app, in spite of my embedded hatred toward Microsoft Operating Systems), I was impressed to the point where I am considering buying a Mac OS X laptop in the next 6-12 months. What is really amazing is that I never really thought of Macs much up till not too long ago... and then it became apparent to me that they've done a lot of what others are imitating on e.g. Linux desktops (not that there's anything wrong with that) for the average end user...

    If Linux can put together a GUI such as the one on OS X, then you're looking at the next desktop revolution, and hopefully the death of Windows! Oh and about the only other objection I have about Mac is that they're so damn pricey (hardware-wise).. Indeed this may be well deserved, considering what you're getting.. but hey.. the bottom line's my wallet :).

    --
    'A lie if repeated often enough, becomes the truth.' - Goebbels

  33. So where are all the Apache holes? by gad_zuki! · · Score: 2, Insightful

    Look at Apache's popularity, yet it doesn't even come close to the security nightmare IIS is. Yes, popularity is part of the problem but it certainly isn't the main or only factor.

  34. Microsoft at fault...and not... by Mr.Spaz · · Score: 2, Insightful

    There's been a lot of MS bashing in this thread; some justified and most just pure bile. A lot of people have pointed out that Linux systems are not vulnerable in the same manner that MS systems are, and that it's all due to bad code design and terrible programmers who steamrolled security in the name of features.

    I think in many of the arguments here, a critical fact has been overlooked. Users of MS products generally want the features that allow for the problems we've seen in the past to crop up. The average user wants automation; they don't want to configure software, or have to understand how the system does what it does, they (here it comes) just want it to work. It's this attitude that has fueled MS' design process; they build software that the end user can turn on and have "just work." No fiddling, no .conf files, no having to know things like DNS servers or what display adapters work in X and all them "whatchamacallits."

    I think that if similar products existed in a Linux environment, we'd still be seeing a lot of the same problems, simply because the level of automation required to satisfy the typical user is inherently insecure. I am willing to concede that a suite of applications built on Linux could be more secure, and that Microsoft definitely has a problem in that the flaws in their system are very deep, however: I can recall a number of occasions where I've seen articles here on Slashdot that announce "security hole in (whatever) allows root access! Come get your patches...." If Linux held sway in the desktop world, why would we expect the typical user to be any more willing or able to patch their OS than if they were using MS systems? Granted, there's fewer holes, but they're still there. If typical user never patches their default OS install, then why shouldn't we expect mass root exploits?

    Don't get me wrong; I'm not wholeheartedly defending MS. They could have done things better, but I'm not ready to jump on the "Linux is more secure" bandwagon. I firmly believe that if similar applications had been developed for Linux to meet the same demands that MS has answered, we'd still be seeing problems.