Slashdot Mirror


Security Affecting Microsoft's Bottom Line

kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"

21 of 416 comments

  1. About time! by myov · · Score: 2, Interesting

    This is what happens when you let marketing run the company :) Shiny new graphics in this version! More features you don't need! Security? nope.

    If OpenBSD can produce a secure distro for FREE, why can't Microsoft with all the resources available to them? Marketing never thought that it was important. End users are finally starting to realize that it doesn't need to be this way.

    At this point, it's a little late to go back and design security into a system which never had it.

    Of course, there goes my job security...

    --
    I use Macs to up my productivity, so up yours Microsoft!
  2. A backwards solution... by Izago909 · · Score: 5, Interesting

    Instead of writing more secure code or locking down system services by default, MS is going after the people who write viri. How is this going to fix the (in)security problem? Do they think this is the last generation of assembly hackers? Bah. Every day I'm reminded of why the Voluntary Human Extinction Movement is a good idea. Just remember that one day MS will be one of the many corporations that provides sponsored funding for your child's or grandchild's school.

  3. Re:About. Bloody. Time! by jonbryce · · Score: 2, Interesting

    That's a difficult one.

    Stability used to be a major reason for avoiding MS operating systems. Win9x crashed frequently, others didn't.

    As of Windows 2000 SP1, they managed to pretty much eliminate that problem. It took them about 5 years, but they got there in the end.

    Possibly by the time Longhorn SP1 comes out, in about 2006, they will have pretty much sorted out the security problem. I guess it will still require stupid amounts of memory and CPU time compared to other systems, but that is becoming less of an issue as it gets cheaper.

  4. Security at last? by slayer99 · · Score: 1, Interesting

    Could this mean that Microsoft are, at long long last, taking security seriously? Windows "worm" traffic has now become the norm, not the exception, on our networks. I'm still seeing "code red" traffic some two years after the intense publicity. If this is serious, let's applaud Microsoft for once.

    --
    Martin Brooks / Slayer99 #linux / UIN 2178117
  5. Cheap security fixes? by 192939495969798999 · · Score: 2, Interesting

    I see the bounties as a cheap way to fix the security bugs... microsoft offers $500,000 for someone to find the author of the bug, then M$ gets them in a contract to either fix their software or go to jail... NICE!

    --
    stuff |
  6. Re:time to protect the monopoly by Locutus · · Score: 1, Interesting

    What's interesting here is that this is mostly a DESKTOP problem. If it's hurting Microsoft's sales, is this only a delay in purchasing more buggy Microsoft software, or is there REAL consideration of moving away from Microsoft on the desktop? If it's the latter, it shouldn't be long before we see a lot more desktop Linux PC migration news.

    My thought is that Microsoft does not know how to satisfy its customers with regards to security, and with the next end-all OS releases not due 'til 2006, I doubt patching XP is going to be enough to satisfy those on the fence.

    I guess we'll have to wait one or two more quarters to see how Microsoft is going to cook its books to cover this up. I just loved that excuse that the sales force was helping with network configuration so new contract sales were down. :)

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  7. This is great by Ann+Elk · · Score: 2, Interesting

    IMHO, this is a Good Thing (tm). If security issues start affecting the MS bottom line, then they will start taking security seriously. Microsoft is not evil, they're just greedy. Hit them in the bank account, and they will notice. Losing a few $100 million in random lawsuits is not a big deal to MS. Losing desktop market share (especially in the home market) is a huge deal.

  8. Microsoft's Bag 'O Tricks by Newt-dog · · Score: 2, Interesting

    This is just a mere marketing scheme. $250,000 with strings attached! They couldn't have bought this much "good, warm & fuzzy" press with a quarter-mill. I can just imagine Sheriff Bill saying, "Round up the usual suspects and IF we can prosecute, I'll dish out the cash." The real reason for the announcement was/is to put the townspeople at ease -- without Microsoft actually having to DO anything about their flawed OS.

    Newt-dog

  9. Re:Maybe that's why they conceived .NET by kfg · · Score: 5, Interesting

    Except that on an infection by infection basis most Windows exploits are based in the architecture, not faulty code, per se.

    Garbage collection is no cure for intentionally failing to follow secure practice by default in order to "enhance the user experience" or gain an apparent performance advantage over those systems that use some portion of machine capacity to maintain security.

    Ever denormalize a database to gain performance? Well, then you serve as an example yourself of the sort of thing Microsoft does. That performance increase came at the price of less secure data (in the sense that your data can become unintentionally corrupted).

    If you make choices of that nature in kernel space, no programming environment in the world is going to save your security ass.

    KFG

  10. Re:They really are far overreacting about this. by Anonymous Coward · · Score: 5, Interesting

    I think you are underestimating this whole thing. Viruses and worms are a positive reason to use anything other than Microsoft.

    I have talked to many people who seriously were considering disconnecting from the internet due to worms. I suggested using something other than Outlook, and most of the problems would disappear. And don't use IE.

    There was a phone-in program on CBC the other day about this. There was an obvious chasm of experience between those who used Windows and those who didn't, i.e. Mac, Linux, etc. It was amusing to hear a professor at a university say that he was moving away from using computers for sending stuff back and forth due to the instability of it all. Yes, and putting the blame squarely on Microsoft.

    Microsoft has a real serious problem here. The solution is very scary for them: put all their best and smartest programmers for the next 3 years on rewriting critical parts of their application stack. Will they be able to hold onto the market? Will they be able to hold on to their talent? All this to produce something that is unmarketable.

    It is very funny actually. Microsoft spent years building a marketplace that functions the way they want. Then some kid spends 15 minutes writing a script (yes, it is that easy) and the whole thing tumbles down.

    Derek

  11. Re:They really are far overreacting about this. by Anonymous Coward · · Score: 1, Interesting

    > the only people who are going to care about
    > vulnerabilities are server admins not mr. pda user

    Until we start seeing widespread wireless technology in PDAs and someone decides to start going around infecting THOSE with something.

  12. Re:It's the home users... by Spoing · · Score: 2, Interesting

    "Enable the firewall by default"? Why not just disable the services by default?

    Exactly; 'process over product'. I try and drive this same idea home to people I talk with, and the few that get it truly get it. The rest are puzzled that enabling a firewall won't solve all security issues... or they are happy to leave it at "the firewall will protect us, right?".

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  13. Re:Maybe that's why they conceived .NET by EnigmaticSource · · Score: 3, Interesting

    A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).

    Hrm... with Microsoft's track record, and the Mono Project's [[really big]] gaping flaws... do you really believe that?

    Better yet, let's imagine .NET becomes the de-facto API for programming... in the case that it is [[probably is]] flawed, instead of having one or two gaping holes in a program/suite, every application suddenly takes on the attributes of IIS, Word, Outlook [Insert other Bad Program(s)].

    In short, dream on.
    ----
    Homogeneous computing is a dream for those who don't know better. Diversity is the key to a reliable, secure system
    ----
    --
    The Geek in Black
    I know my BCD's (when I'm Sober)
  14. Re:They really are far overreacting about this. by cmacb · · Score: 4, Interesting

    "The embedded market is much larger than the PDA market. Think cellphones. Think consumer electronics, connected DVD players, industrial products, etc."

    Yeah, I just found my next PDA (if my old Pilot III ever wears out) at Costco. From Sharp. Looks like a Palm Pilot to me. Has all the USEFUL functionality of a Palmtop. Can sync with a PC etc. $25.

    My last two cell phones were free. One as a "Good Customer Bonus" from AT&T, and the other as a Sign-up reward from Verizon. You CAN pay a lot for a cell phone, but the vast majority of users won't.

    A $200 operating system for my microwave? Hmmm I don't think so.

    I'm not saying the embedded market isn't important. It will be at the heart of everything we do with electronics. I'm just not sure that Microsoft is prepared to only make two dollars a pop on Windows CE. This is not how they are going to achieve new market share. That is, unless they decide to merge with Sony or something, in which case they will soon cease to be Microsoft as we know it and will become a part of a much more intricate Borg.

  15. Re:time to protect the monopoly by Artifakt · · Score: 5, Interesting

    Fortunately, companies that size don't usually coast downhill gracefully for decades. A big corporation can bleed out with surprising speed. Look at the amounts involved in the IBM/SCO case, and imagine MS, with declining revenues, getting into lawsuit after lawsuit with stakes that big. What MS is spending on catching virus writers is actually reasonable. What they have spent encouraging SCO is less so, and what they are spending on lobbying governments to use Windows, or on developing new lines such as console gaming or net server tech, is worse, as little of it has shown any profit yet. When every new action starts costing them lots of extra money to fend off the consequences of the last ill-advised plan or lawsuit, they will find themselves suddenly posting a multi-billion quarterly loss, and the deadline to go broke or smarten up will be a few months rather than a few decades away.

    --
    Who is John Cabal?
  16. Re:What does Microsoft R&D do? by stox · · Score: 2, Interesting

    I have. Compare them to AT&T Research Labs, Bell Labs, or some of IBM's facilities, and I am not exactly impressed by the quantity or quality of the work I see on Microsoft's R&D site. Compare the budgets of those organizations. Where does all that money go? Are they the most inefficient R&D organization on the planet?

    Also, I am less than pleased about the P/R regarding the Sloan Digital Sky Survey. Yes, Microsoft has made some significant contributions for presentation of the data gathered by the project. Nice spin for P/R purposes, but where were they the first 5+ years of the project? All of the processing, in that time period, was done by Alphas running Digital Unix at Fermilab.

    --
    "To those who are overly cautious, everything is impossible. "
  17. FreeBSD is very popular for servers. by Futurepower(R) · · Score: 2, Interesting

    The most popular server software for ISPs is FreeBSD, a BSD variant. It's great software, and very capable.

    One company uses NetBSD for dedicated mail servers.

    We don't hear much about these uses, because the software just works. That's why it is seldom in the news.

  18. Re:Why is patching systems so hard? by TrancePhreak · · Score: 3, Interesting

    There is a program that allows you to remotely install patches across your domain, and guess what, it's free from MS. I'd say most intelligent MS-trained IT personnel should know about it.

    Quite frankly I don't think an IT person should be patching a system in another state. What happens if it goes down? Do they have to fly out or is there someone else they have on staff to fix it?

    --

    -]Phreak Out[-
  19. Re:Why Microsoft's rule is beginning to wane. by dominion · · Score: 2, Interesting

    [commence shit-talking]

    Hey dumbass, you think the top brass at MS is sitting around a table thinking that ONE solution will fix their problem? Of course not.

    Hey dumbass, you think the top brass at Microsoft are sitting around a table, thinking? They don't get paid to think. They get paid to write memos.

    Why are they so big? Two words: Inertia, and cunning. Business decisions are what got them where they are, not adequate development strategies. Otherwise, they wouldn't be in this mess.

    The virus bounty is one possible solution, and while they don't expect it to fix everything, they know it will put fear into some malicious virus writers out there.

    Right, like five years in a federal pound-me-in-the-ass prison isn't a deterrence.

    Virus writers, like most criminals, don't care. And especially when it comes to really fucking smart criminals, they really don't care.

    Honestly, for somebody who's in it for the notoriety, a bounty on your head is a prize to claim, not a reason to throw in your gloves and join middle management.

    They are also doing other things, such as providing free update services, as well as others such as Software Update Services, which can really streamline the update process if it is installed correctly.

    The fact is, free software is calling MS out as punk-ass chumps at every available opportunity. And MS doesn't have enough moxie to sit back and fix the damn mistakes in their architecture and design, because they'd rather throw money at the problem. Just like spoiled rich kids who pay somebody to beat up the tough motherfucker who they just pissed off.

    It is things such as this that will either make or break the company, and I personally feel it will only make MS and their products stronger in the long run.

    Today's empire, tomorrow's ashes.

    SCO used to be a big kid on the block, didn't it? Now they're out robbing people just to get by.

  20. Home computer hit by rjamestaylor · · Score: 3, Interesting

    My home computer, used by my 4-year-old for educational games and web sites and by my non-technical wife to check email, look at her personalized MyYahoo page, and other surfing, runs Windows XP Home. All patches in place, the family all have their own accounts with reduced privileges (no passwords and we have fast user switching enabled, but Daddy is the Administrator account) and the system is sitting behind a Toshiba Magnia SG20 (running a modified Red Hat 7.3) firewall/router. I didn't get anti-virus software, though.

    For an email client my wife uses Outlook Express and has a Hotmail account. She gets very little mail and almost no spam -- maybe one a month and it goes to the Junk Mail folder (my Hotmail account fills with email worm infection attempts every 2 to 3 hours, which is the price I pay for redirecting all incoming mail to "slashdot@rjamestaylor.com" to my Hotmail account). I figured if a worm went through Hotmail it would be checked for viruses. Unfortunately, that is true ONLY if you are using the Web Client to attempt to download an attachment. If you use OE, they don't bother to check the attachments.

    Earlier this week my wife told me the computer is running really slow. I told her to press Ctrl-Shift-Esc to bring up the Windows Task Manager and she replied "something popped up but went away." I told her not to hit Esc twice (my assumption being that she had). She tried it again -- "nothing happened this time." Crap, I thought - we've got Klez, or some other virus that kills WTM and other attempts someone may use to discover/remove it.

    Turns out she received a spam that had Klez and also used the iframe exploit -- and when the email was displayed in the Preview folder, *splat*, Agent Smith began infecting our machine's programs.

    So, on my weekend I get to disinfect my home computer because I failed to install an Anti-Virus program. But really, I was let down by Microsoft 3 times:

    1. Windows is architected for ease of development and not security in the Internet{worked} Age
    2. Windows XP Home, which required a huge series of patches to be installed upon initial installation (I bought the full version for my OS-less homebuilt PC), yet did not have anything to stop Klez. (In fact, this is puzzling -- I thought a patch fixed the iFrame exploit... and my system was and is fully patched. ???)
    3. MSN Hotmail doesn't check attachments as they arrive, only when you request the email for download in the Web client. But OE is made to interface directly with Hotmail!

    I am in the process of downloading Lycoris. Maybe Lindows. Probably WineX and Cross-over plugins, too. (Yes, I'll pay.) I'm going to test those two distributions on my wife and son. If either pass the test, that will be our OS at home on the desktop. I may try SuSE and Mandrake, but I like Lycoris/Lindows' "KISS & MAKEUP" (Keep It Simple Stupid and Make it Act Kinda Equivalent to Understood Patterns).
    --
    -- @rjamestaylor on Ello
  21. Re:Why is patching systems so hard? by Stevedust · · Score: 2, Interesting