Security Affecting Microsoft's Bottom Line
kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"
Time to protect the monopoly. Once in that phase, funds are diverted away from R&D and into protectionism -- the great money pit.
Is it really easier or more cost-effective to change the world (pay bounties for crackers, lobby for protectionist laws) than to change your business practices (write more secure software)?
This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.
Security failures are beginning to hit Microsoft hard not because of the enterprise, but because of home/personal installations.
Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.
Windows NT-based operating systems listen on so many ports, and are designed so wide open, because they are meant to sit inside a secured corporate network. Though Microsoft's unification of the NT and personal trees of Windows starting with XP gave personal users much of the speed and stability they had been lacking for so long, it also gave them security issues they should not have been expected to deal with.
This is why, though NT-based OSes have had widely publicized security flaws for years, their flaws are now in the spotlight.
Microsoft's recent steps to finally globally disable the Windows Messenger service and enable the firewall by default are a late, but necessary, effort to help bridge this divide.
A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).
why run from Vincenzo?
Yes they have a lot of control over the desktop market, but not in the server market. They have pretty much saturated the desktop market. If they are going to grow like they have in the past, they need to find new markets and succeed in those markets like gaming consoles, server software, and embedded devices. So far they are not faring that well in all of these markets.
Instead of writing more secure code or locking down system services by default, MS is going after the people who write viri. How is this going to fix the (in)security problem? Do they think this is the last generation of assembly hackers? Bah. Every day I'm reminded of why the Voluntary Human Extinction Movement is a good idea. Just remember that one day MS will be one of the many corporations that provides sponsored funding for your child's or grandchild's school.
Speaking about the "cash bounties" campaign Microsoft is offering:
The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.
The campaign reveals just how much extra cash Microsoft has lying around and is willing to put up to make the buying public think it gives two shits about security.
The article says that Microsoft needs to put a priority on customer satisfaction. Is that really possible? Over the years, my experience with Microsoft is that they pride themselves on being a "take no prisoners" and "shoot the wounded" type of company, always looking forward to the next challenge, never taking time to fix and support older products. When I once asked when some severe bugs were going to be fixed in one of their current compilers, I was told that they were never going to be fixed; the programmers had already been reassigned to the next big project. From a bottom line point of view, it made sense, but it showed a total disregard for their customers.
Mea navis aericumbens anguillis abundat
The reason BSD can produce a secure OS for free and MS can't is because MS focuses on usability. There is a reason most people haven't heard of BSD, much less use it, and that is because it is extremely hard for the average person to use. Hell, it's hard for somewhat knowledgeable people to use.
MS has made a decision to give people extremely usable products, and this comes at the cost of some security and reliability. They could make the most secure software around, but then it wouldn't be usable. They are now trying to balance their products more between security and usability because they have gone too far away from security. Security and usability are generally on 2 different ends of the spectrum. To make things easy to use, you have to give up security and vice-versa.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
If Microsoft were really serious, they would pay the bounties to people who find their flaws.
The impact on Microsoft's bottom line only reflects the impact on their customers' bottom lines. Well crafted EULAs may exempt MS from liability, but they can't exempt themselves from a deservedly bad rep created by poor security in their software.
If the wind blows right, sometimes shit does roll uphill.
What company do you work for?
0) you assume that a system admin has time to address the daily patches that were coming out at the peak.
1) patches take time to test and apply. You might be able to break a user's computer (as long as it's not the company head's), but you can't break the server.
2) MS charges $$$$ for the systems which give you the ability to maintain many systems.
3) things get behind the firewall. Probably a lot less since these worms, but they do get behind the firewall.
MS is paying for bad decisions.
* Trust. Trust will work on the internet. Nobody would click ok without reading what the message says.
* Sandbox, VB don't need no stinking sandbox
* No user permission separation
(In this post, I am going to describe two or three reasons that I believe Microsoft will soon become a regular industry player, and will no longer rule at the top.)
Think that putting a bounty on virus writers is going to solve the problem? That's the trouble with you, billg, you think you can buy your way out of all your problems. Heck, if I had as much money as you, I could buy my way out of anything, too. The only trouble is that your mighty empire is slipping through your fingers, and because of what I'm about to say, you cannot fix it, no matter what you do.
Many companies have realized that using free software, and contributing to that software, both in fixes and in features, provides many advantages, such as independence from a vendor. If you think about it, suppose you get a contractor to add a room to your house and he does a crappy job. You could fire him and get someone else to do it. But when you use proprietary Microsoft programs, there is nobody but Microsoft that can fix them. While this may not have been an issue over the past 20 years or so, this is becoming a very critical issue.
Not only does the proprietary status of your software prevent others from finding and fixing its problems before they cost billions, but you continue to do everything in your power to isolate your software from anything else out there. Other companies want their software to interoperate with the competition, but you just want to embrace and extend. Why do you do that? If your software is so good, why can't you make it friendlier with your competitors' stuff? I know the answer: It's because you're insecure. You know that perhaps the biggest thing that kept people using your software was the fact that they were locked in to it and were forced to upgrade repeatedly.
By doing what I just described, you tightened your fist as much as you could on this software, but now governments, corporations, and individual users are beginning to look elsewhere in significant numbers. This is the beginning of the end of your monopoly. Soon, you will no longer rule at the top, but will be just another player in an industry. I'm sure it was fun while it lasted, though.
I think you are underestimating this whole thing. Viruses and worms are a positive reason to use anything other than Microsoft.
I have talked to many people who seriously were considering disconnecting from the internet due to worms. I suggested using something other than Outlook, and most of the problems would disappear. And don't use IE.
There was a phone-in program on CBC the other day about this. There was an obvious chasm of experience between those who used Windows and those who didn't, i.e. Mac, Linux, etc. It was amusing to hear a professor at a university say that he was moving away from using computers for sending stuff back and forth due to the instability of it all. Yes, and putting the blame squarely on Microsoft.
Microsoft has a real serious problem here. The solution is very scary for them: put all their best and smartest programmers for the next 3 years on rewriting critical parts of their application stack. Will they be able to hold onto the market? Will they be able to hold on to their talent? All this to produce something that is unmarketable.
It is very funny actually. Microsoft spent years building a marketplace that functions the way they want. Then some kid spends 15 minutes writing a script (yes, it is that easy) and the whole thing tumbles down.
Derek
Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn?
2 reasons. First, support for legacy apps has to be included in any new OS Microsoft develops. Second, imagine how long that would take to complete. It took what, 5 or 6 years, for the NT kernel to be able to reliably run 95/98/ME apps. Imagine the press release, "Longhorn to arrive in 2009".
Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify.
----
Squirrel
The flaw in your argument comes when you realize that a company with the resources of Microsoft (money and personnel) should be able to realize that balance between usability and proper security in about one fiscal quarter.
Instead, for years and years, since there was little incentive for them to do anything about it due to their monopoly (and the tactics to keep it), nothing was done to make the software more secure. Even the normal "usability" features were largely unexciting past Windows 95.
So, in the 8 years since the release of 95 (wherein the current Windows user interface and experience was defined) the security problems have gotten quite a bit worse while the usability has been marginally increased. Some stability was added with the 2000 release, but with an even larger decrease in security.
This is why people hate MS so much (well, one of the reasons). Despite the fact that they COULD do better, and SHOULD do better, they don't. There is no excuse in the world why they couldn't have produced truly top notch software when companies working for free can.
I have something in common with Stephen Hawking...
They have $50 billion in the bank, as ready cash. There are a lot of unemployed programmers, and if they wanted to outsource to India and China, there are a whole lot more even cheaper.
It might take a year or two, but they could squash future bugs if they wanted to. And yes, I know about the mythical man month and adding manpower to a late project, but this is not a single project, it is hundreds of small projects.
Microsoft is still not serious about fixing security holes. They never will be.
Infuriate left and right
Funny, my corporate deployed laptop, following standard practice, set ME up as admin. I understand this is standard practice for WinNT-family (mine is Win2k) deployments, in general.
With that ONE practice, the single greatest/easiest chunk of security - separation of user from admin, is gone.
From what I understand, quite a bit of Windows software actually depends on this practice, and can't run without admin privileges. So regardless of who takes the blame, Microsoft or the Windows Culture that has grown up around their products, there's an architectural-level problem here.
The living have better things to do than to continue hating the dead.
"The embedded market is much larger than the PDA market. Think cellphones. Think consumer electronics, connected DVD players, industrial products, etc."
Yeah, I just found my next PDA (if my old Pilot III ever wears out) at Costco. From Sharp. Looks like a Palm Pilot to me. Has all the USEFUL functionality of a Palmtop. Can sync with a PC etc. $25.
My last two cell phones were free. One as a "Good Customer Bonus" from AT&T, and the other as a sign-up reward from Verizon. You CAN pay a lot for a cell phone, but the vast majority of users won't.
A $200 operating system for my microwave? Hmmm I don't think so.
I'm not saying the embedded market isn't important. It will be at the heart of everything we do with electronics. I'm just not sure that Microsoft is prepared to only make two dollars a pop on Windows CE. This is not how they are going to achieve new market share. That is, unless they decide to merge with Sony or something, in which case they will soon cease to be Microsoft as we know it and will become a part of a much more intricate Borg.
Windows Update is fine if you've just got 1 system. Now, imagine you've got to patch 30,000 systems in 700 offices in 43 states, and you don't have any access to the main keyboard. And you can't use automatic updates because IT has to vet the patches before they're installed to make sure they won't make inoperable third-party software which your business depends on being operational.
...but the only people who are going to care about vulnerabilities are server admins, not mr. pda user
Actually, since Microsoft has stated one of its ultimate goals is to have only one codebase for all of their versions of OS, mr. PDA had damned well better be concerned about the same vulnerabilities the "server admins" are concerned about. Search Microsoft's web site for their version of the "smart" home. Then, think to yourself, if my entire home is running Microsoft OS, and MS has achieved their goal of every appliance being internet enabled, what happens when the Slammer2008 (or whatever) worm hits? It won't be just you locked out of your PC, but you locked out of your home. It won't be a matter of your e-mail client filling up, and annoying you with 600+ "emails" an hour, it will be your house cooking every bit of food you have stored, at 500 degrees, all afternoon while you're at work. I could go on, but what's the point? Call me a paranoid, but I have a cabin in the hills, which will not be automated.
As an interesting side note, Microsoft has stated they could not afford (even with >$50 BILLION) to go back to the drawing board and rewrite their OS in a modern and secure manner. They are now telling AMD and Intel to enable code security in the CPU. Must be nice to make others clean up your own mess all the time, huh?
For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?