Slashdot Mirror


Security Affecting Microsoft's Bottom Line

kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"

12 of 416 comments

  1. time to protect the monopoly by pohzer · · Score: 5, Insightful

    Time to protect the monopoly. Once in that phase, funds are diverted away from R&D and into protectionism -- the great money pit.

    Is it really easier or more cost-effective to change the world (pay bounties for crackers, lobby for protectionist laws) than to change your business practices (write more secure software)?

    This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.

    1. Re:time to protect the monopoly by Cid+Highwind · · Score: 5, Funny

      Is it really easier or more cost-effective to change the world than to change your business practices?

      Well, it seems to work for the RIAA...

      --
      0 1 - just my two bits
    2. Re:time to protect the monopoly by Artifakt · · Score: 5, Interesting

      Fortunately, companies that size don't usually coast downhill gracefully for decades. A big corporation can bleed out with surprising speed. Look at the amounts involved in the IBM/SCO case, and imagine MS, with declining revenues, getting into lawsuit after lawsuit with stakes that big. What MS is spending on catching virus writers is actually reasonable. What they have spent encouraging SCO is less so, and what they are spending on lobbying governments to use Windows, or on developing new lines such as console gaming or net server tech, is worse, as little of it has shown any profit yet. When every new action starts costing them lots of extra money to fend off the consequences of the last ill-advised plan or lawsuit, they will find themselves suddenly posting a multi-billion quarterly loss, and the deadline to go broke or smarten up will be a few months rather than a few decades away.

      --
      Who is John Cabal?
  2. It's the home users... by __aavhli5779 · · Score: 5, Insightful

    Security failures are beginning to hit Microsoft hard not because of the enterprise, but because of home/personal installations.

    Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.

    Windows NT-based operating systems listen on so many ports, and are designed so wide open, because they are meant to sit inside a secured corporate network. Though Microsoft's unification of the NT and personal trees of Windows starting with XP gave personal users much of the speed and stability they had been lacking for so long, it also gave them security issues they should not have been expected to deal with.

    This is why, though NT-based OSes have had widely publicized security flaws for years, their flaws are now in the spotlight.

    Microsoft's recent steps to finally globally disable the Windows Messenger service and enable the firewall by default are a late, but necessary, effort to help bridge this divide.

    1. Re:It's the home users... by ericman31 · · Score: 5, Informative

      Please show me this "properly designed network", that allows an unpatched Active Directory domain and blocks traffic on RPC ports.

      I've been hearing this bit of FUD for a while now about how it's not Microsoft's fault. If only all of these incompetent network and system administrators would patch their systems and maintain their firewalls how there wouldn't be any problem.

      Well, I'm here to tell you that I work for an organization with about 1500 employees. We process over a hundred million transactions annually in our systems. Our average system administrator or network engineer has about 7.5 years of experience in the IT industry, our security staff (I'm the security director) has an average of 9 years of IT industry experience. Except for the Windows administrators (our office automation network is Windows based), everyone comes from either a Unix or mainframe or both background. We know what we are doing, have a very good network and well maintained servers and appropriate security levels.

      And every damn Windows virus/worm that comes along impacts us, even our mainframes and unix boxes. Why? Cause the stupid things propagate with attack vectors that are ridiculous. Root exploits in a web browser or via an email message and you don't even have to execute the damn thing? RPC worms with multiple attack vectors (browser, file shares, mail, RPC)? Local user exploits using html pages and scripts that can bypass web browser security settings and then execute arbitrary code!

      It doesn't matter how well built your network is, if you are not running it like an NSA network, with no connectivity to the outside world, no email, no web browsing, no nothing, these damn Windows attacks are going to get in and cost money. I've lost more than a thousand work hours this year to dealing with SQL Slammer, MS Blaster and SoBig. Even if I got rid of all the Windows systems in my network, I'd still have a problem because the attacks would continue, and continue to affect me, although only at the boundaries, which would be better. Except for all the crap the mail servers have to deal with.

      --
      In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
  3. A backwards solution... by Izago909 · · Score: 5, Interesting

    Instead of writing more secure code or locking down system services by default, MS is going after the people who write viri. How is this going to fix the (in)security problem? Do they think this is the last generation of assembly hackers? Bah. Every day I'm reminded of why the Voluntary Human Extinction Movement is a good idea. Just remember that one day MS will be one of the many corporations that provides sponsored funding for your child's or grandchild's school.

  4. Corporate Philosophy by Detritus · · Score: 5, Funny

    The article says that Microsoft needs to put a priority on customer satisfaction. Is that really possible? Over the years, my experience with Microsoft is that they pride themselves on being a "take no prisoners" and "shoot the wounded" type of company, always looking forward to the next challenge, never taking time to fix and support older products. When I once asked when some severe bugs were going to be fixed in one of their current compilers, I was told that they were never going to be fixed; the programmers had already been reassigned to the next big project. From a bottom line point of view, it made sense, but it showed a total disregard for their customers.

    --
    Mea navis aericumbens anguillis abundat
  5. If MS were really serious by Anonymous Coward · · Score: 5, Insightful

    If Microsoft were really serious, they would pay the bounties to people who find their flaws.

  6. Re:Maybe that's why they conceived .NET by kfg · · Score: 5, Interesting

    Except that on an infection by infection basis most Windows exploits are based in the architecture, not faulty code, per se.

    Garbage collection is no cure for intentionally failing to follow secure practice by default in order to "enhance the user experience" or gain an apparent performance advantage over those systems that use some portion of machine capacity to maintain security.

    Ever denormalize a database to gain performance? Well, then you serve as an example yourself of the sort of thing Microsoft does. That performance increase came at the price of less secure data (in the sense that your data can become unintentionally corrupted).

    If you make choices of that nature in kernel space, no programming environment in the world is going to save your security ass.

    KFG

  7. Re:They really are far overreacting about this. by Anonymous Coward · · Score: 5, Interesting

    I think you are underestimating this whole thing. Viruses and worms are a positive reason to use anything other than Microsoft.

    I have talked to many people who seriously were considering disconnecting from the internet due to worms. I suggested using something other than Outlook, and most of the problems would disappear. And don't use IE.

    There was a phone-in program on CBC the other day about this. There was an obvious chasm of experience between those who used Windows and those who didn't, i.e. Mac, Linux, etc. It was amusing to hear a professor at a university say that he was moving away from using computers for sending stuff back and forth due to the instability of it all. Yes, and putting the blame squarely on Microsoft.

    Microsoft has a real serious problem here. The solution is very scary for them: put all their best and smartest programmers for the next 3 years on rewriting critical parts of their application stack. Will they be able to hold onto the market? Will they be able to hold on to their talent? All this to produce something that is unmarketable.

    It is very funny actually. Microsoft spent years building a marketplace that functions the way they want. Then some kid spends 15 minutes writing a script (yes, it is that easy) and the whole thing tumbles down.

    Derek

  8. Re:Why can't they just trash Windows and start ove by Pompatus · · Score: 5, Insightful

    Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn?

    2 reasons. First, support for legacy apps has to be included in any new OS Microsoft develops. Second, imagine how long that would take to complete. It took, what, 5 or 6 years for the NT kernel to be able to reliably run 95/98/ME apps. Imagine the press release, "Longhorn to arrive in 2009".

    Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify.

    --
    Squirrel ... It's not just for breakfast anymore
  9. Corporate deployments by dpilot · · Score: 5, Insightful

    Funny, my corporate deployed laptop, following standard practice, set ME up as admin. I understand this is standard practice for WinNT-family (mine is Win2k) deployments, in general.

    With that ONE practice, the single greatest/easiest chunk of security - separation of user from admin, is gone.

    From what I understand, quite a bit of Windows software actually depends on this practice, and can't run without admin privileges. So regardless of who takes the blame, Microsoft or the Windows Culture that has grown up around their products, there's an architectural-level problem here.

    --
    The living have better things to do than to continue hating the dead.